A Distributed Model for Privacy Preserving V2I Communication with Strong Unframeability and Efficient Revocation

Abstract: Although Vehicle to Infrastructure (V2I) communications greatly improve the efficiency of early warning systems for car safety, communication privacy is an important concern. Although solutions exist in the literature for privacy preserving VANET communications, they usually require high trust assumptions for a single authority. In this paper we propose a distributed trust model for privacy preserving V2I communications. Trust is distributed among a certification authority that issues the vehicles' credentials, and a signing authority that anonymously authenticates V2I messages in a zero knowledge manner. Anonymity is based on bilinear pairings and partially blind signatures. In addition, our system supports enhanced conditional privacy since both authorities and the relevant RSU need to collaborate to trace a message back to a vehicle, while efficient certificateless revocation is supported. Moreover, our scheme provides strong unframeability for honest vehicles. Even if all the entities collude, it is not possible to frame an honest vehicle by tracing a forged message back to it. The proposed scheme concurrently achieves conditional privacy and strong unframeability for vehicles, without assuming a fully trusted authority. Our evaluation results show that the system allows RSUs to efficiently handle multiple messages per second, which suffices for real world implementations.


Introduction
Governmental organizations, academia and the car industry are focusing on improving the safety and efficiency of transport systems. Safety systems such as the Antilock Braking System (ABS) and the Electronic Stability Program (ESP) have been mainstream technologies in the car industry for a couple of decades. More recently, Advanced Driver-Assistance Systems (ADAS) can combine car connectivity systems to improve road safety, by taking advantage of Vehicle to Vehicle (V2V) and Vehicle to Infrastructure (V2I) communications [1]. Vehicular Ad hoc Networks (VANET) are a special instance of Mobile Ad hoc Networks (MANET). Nodes in a VANET may be mobile or static. The mobile nodes are essentially the vehicles, which are equipped with an on-board unit (OBU). The static nodes include the Road Side Units (RSU), which are network elements installed as roadside infrastructure that may receive and/or transmit messages to vehicles, such as emergency messages related to accidents, warnings or other safety information, or traffic related data such as congestion avoidance suggestions.
Within a VANET, messages are exchanged spontaneously between the nodes that are members of the ad hoc network in that specific time frame. ETSI [2,3] defines the types of messages that are exchanged via the communication channels allocated at the 5.9 GHz frequency. These messages are called Cooperative Awareness Messages (CAM) and are broadcast periodically, containing information about the sender such as position, speed, heading, etc. Messages can be exchanged from Vehicle to Vehicle (V2V) or from a Vehicle to Infrastructure (V2I) such as an RSU.
As V2V communications are based on beacon messages and have relatively short range, RSUs may act as relays of information gathered by vehicles. For example, in case of an incident causing traffic congestion, the affected vehicles may transfer information related to their current speed to the nearby RSUs. The RSUs will verify the information (e.g., check that similar data are confirmed from various vehicles) and then transmit congestion avoidance suggestions to other vehicles that are nearby.
Finally, another static entity within the MANET is the Traffic Management Authority (TMA), which is considered a trusted authority. The role of the TMA is to manage the network nodes, e.g., adding new nodes to the VANET. In addition, the TMA may assist privacy related functions, such as hiding the identity of vehicles acting as senders of messages. In fact, in conditional privacy-preserving authentication schemes it is required that no one except the TMA is able to link a message to a sender.
Although advances in wireless communication technologies, such as 5G, enable VANETs to contribute to road safety and traffic management, they also increase the exposure of vehicles to security and privacy threats. Furthermore, due to the unique characteristics of a VANET, such as mobility, scalability, limited resources and delay constraints, VANETs are vulnerable not only to highly sophisticated attacks but also to simpler attacks, since traditional countermeasures may not be easy to apply. Therefore, typical security controls should be implemented first, to support confidentiality, integrity, availability and non-repudiation. For example, vehicle authentication and message confidentiality and integrity are necessary to prevent message spoofing or injection attacks [4,5].
In addition to security requirements, privacy requirements are also very important. Anonymity is the most important privacy requirement in VANET communications; the driver's (or vehicle's) identity should not be disclosed, not only because an attacker may impersonate honest users to avoid being traced, but also because anonymity should be preserved in terms of privacy whenever a vehicle becomes an active node of a vehicular network. Data privacy includes driver-related data (e.g., the identity of the driver) and vehicle-related data (e.g., vehicle id, current location, itinerary, trip routes or any other kind of information that may lead to driver/vehicle profiling) [5]. Besides anonymity, unlinkability and untraceability are additional privacy concerns. Although it is possible to hide the identity of a node using pseudonyms, if an adversary is able to link different messages with a single pseudonym, then it is relatively easy to trace the itinerary of a unique vehicle and ultimately reveal its actual identity using other out-of-band information. Researchers have examined a wide variety of attacks in the past that proved to have an effect both on vehicle/driver privacy and on road safety [6]. Examples of such attacks are Denial of Service (DoS) [7], sybil attacks [8,9], wormhole attacks [10,11], illusion attacks [12] and purposeful attacks [13]. In the case of sybil attacks, malicious nodes may use fake identities in order to send false information multiple times, thus misleading RSUs into accepting this information as valid. In other cases, malicious nodes may attempt to abuse anonymity in order to mislead RSUs into accepting information from forged nodes. Obviously, vehicle privacy and VANET security are orthogonal issues, since privacy may be abused to violate VANET communication security and vice versa. Thus, achieving both security and privacy in VANETs is still a challenging problem.
Contribution. We propose a distributed model that provides strong privacy and security guarantees for all nodes in V2I communications. Our main contributions involve:

1. Trust distribution. To avoid strong trust assumptions for a single TMA authority, our model assumes two independent honest but curious authorities: a Credential Authority (CA), which is responsible for issuing/revoking credentials for vehicles; and a Signing Authority (SA), which is responsible for anonymously authenticating messages of authorized vehicles.

2. Enhanced conditional privacy preserving authentication, since all the involved entities (CA, SA and the relevant RSUs) need to collaborate to trace a message back to a vehicle.

3. Vehicle unforgeability and unframeability. Even if all the entities (CA, SA and RSUs) collude, it is not possible to forge messages and/or frame an honest vehicle by tracing a forged message back to it.

4. Efficient Revocation. Revocation is equivalent to the deletion of an encrypted credential stored in an anonymous credential list. Revocation management is significantly more efficient in comparison with the use of certificate revocation lists.
Our scheme makes use of cryptographic building blocks such as bilinear pairings, All-or-Nothing Public Key Encryption with Equality Tests (AoN-PKEET), Non-Interactive Zero Knowledge Proofs (NIZKP) and partially blind signatures. However, the communication protocol does not require heavy crypto operations from the vehicles. To achieve unframeability and impersonation protection, each vehicle selects a random number upon registration, while for each V2I communication a zero knowledge proof of knowledge is used. The computationally intensive operations, like pairings, are performed by the SA, which can be equipped with advanced computing capabilities. Security is formally analyzed and is based on the security of the underlying primitives used, such as bilinear pairings, partially blind signatures and NIZKP.
Paper Structure. The remainder of this paper is organized as follows. In Section 2 we discuss the related work. In Section 3 we describe the proposed model. In Sections 4 and 5 we thoroughly analyze the security and the efficiency of our model respectively. Finally, in Section 6 we conclude the paper and we discuss the advantages, limitations and possible future extensions.

Related Work
Security in vehicular networks was initially discussed in [5,14]. Since then, reducing the level of trust placed in trusted authorities has been an open and challenging problem. Various schemes have been proposed in the literature that attempt to weaken the trust assumption on the authorities, either by distributing trust among different authorities or by considering semi-trusted authorities. In various schemes vehicles are equipped with Event Data Recorders (EDR) that keep a copy of the communication. Unframeability is assured under the assumption that EDRs are trusted hardware devices. However, protection against vehicle impersonation remains an open question, since VANET schemes offer conditional traceability and only misleading messages are the object of investigation.
In the literature, various group signature schemes have been proposed [15,16], to allow users to anonymously sign messages on behalf of a group. These schemes provide strong unframeability properties, even in the presence of corrupted authorities. Although group signatures have been widely used in VANETs for anonymous authentication (e.g., [17,18]), they require maintaining a Certificate Revocation List (CRL), which leads to long computation delay and consequently high message loss [19]. In addition, re-issuing of keys may be required, when users diverge from honest protocol execution.
Location privacy is the capability of preventing a third party from knowing the present and past location of the vehicle in the network [20]. Thus not only the current location is private (location point privacy protection) but also the trajectory of the vehicle is kept secret (trajectory privacy protection). In the following paragraphs we will briefly review existing privacy preserving communication protocols aiming at location privacy for vehicles, with an emphasis on their security level against vehicle impersonation and framing attacks.
A V2I communication protocol is presented in [21]. Trust is divided between two trusted authorities, the tracing authority (TRA) and the private key generator (PKG). However, a collusion of the TRA and the PKG may impersonate a vehicle.
A scheme based on a semi-trusted authority is presented in [22]. Trust is divided between two authorities: the trusted data center (TDC), which is responsible for managing the real identities of the vehicles and is fully trusted, and the semi-trusted management center (STA), which is responsible for managing RSUs and vehicles. To generate a partial key, the current and previous location of the vehicle is revealed to the STA. All the IDs and the partial keys of the vehicles are known to the STA. Thus, if corrupted, the STA may impersonate a vehicle, create new vehicle identifiers and sign messages on their behalf.
In the scheme of [23], a fully trusted authority TA assigns a real identity RID and a password PWD to each vehicle and pre-loads {RID, PWD} into its tamper-proof device. The TA may impersonate any vehicle by simulating the function of the tamper-proof device.
In [24] a certificateless signature scheme for VANET is presented. The scheme is based on two authorities that are considered fully trusted: the regional transport authority (RTA) and the key generation center (KGC). An RSU $j$ takes as input the $Q_{ID}$ of the vehicle and generates a corresponding pseudonym $PS_j$. Although the network is divided into autonomous sub-networks, consecutive RSUs may reveal the vehicle's trajectory. In addition, if the authorities are compromised they may forge and/or frame any vehicle. A compromised KGC may impersonate any vehicle and request from any RSU $j$ a pseudonym $PS_j$, while a compromised RTA may impersonate any vehicle and request a partial private key from the KGC using the vehicle's ID.
In [25] a hierarchical privacy preserving pseudonymous authentication protocol for VANET is presented. The scheme is based on two honest-but-curious authorities, the certification authority CA and the revocation authority RA. Authentication of the vehicles is based on long- and short-term credentials. However, the scheme does not address collusion between the authorities. In addition, a collusion of consecutive RSUs may reveal a vehicle's trajectory, since the primary pseudonym is always revealed when requesting short-term credentials. Finally, a corrupted CA may refrain from deleting users' VIDs (vehicle IDs) and is able to impersonate any vehicle.
Various protocols in the literature are based on the assumption of a fully trusted authority (TA). In [26] the KMC is a trusted authority and is fully trusted by all the other entities. Each vehicle is equipped with a tamper-proof device. Again, the KMC is aware of all sensitive vehicle and driver information and may impersonate any vehicle.
In [27] trust is distributed among a fully trusted authority TA and the RSUs, which are considered semi-trusted, lower-level authorities. A corrupted TA may impersonate a vehicle and request temporary signing keys from an RSU. The location of the vehicle is periodically revealed to the TA.
The ECPP protocol presented in [28] can efficiently deal with the growing revocation list while achieving conditional traceability. The location of the vehicle is revealed to the RSU when requesting a short-time anonymous key. Obviously, the TA may impersonate any vehicle and acquire a short-time anonymous key. Vehicle impersonation by the TA is also possible in PACP [29], where the TA may impersonate any vehicle in the communication protocol between the OBU and an RSU; consequently it may also sign messages on behalf of any vehicle. The location of the vehicle is revealed to the RSU. SPECS [30] and b-SPECS+ [31] are also vulnerable to impersonation attacks by the TA.
In NECPPA [32] the location and the ID of a vehicle are revealed to the RSUs. In addition, the TA may again impersonate any vehicle in the OBU-joining-RSU phase. Similarly, in EAAP [33] and CL-CPPA [34] the TA may use the relevant information from the registration phase to impersonate any vehicle. In [35] a two-factor lightweight privacy preserving authentication scheme for VANET is presented. It relies on a fully trusted certificate authority CA that distributes trust to tamper-proof devices. The scheme depends on the correct use of tamper-proof devices, while the CA is aware of all sensitive vehicle and driver information and may impersonate any vehicle by simulating the function of the tamper-proof device.
Batch verification schemes like [36-40] either allow authorities to impersonate any vehicle or reveal the current location of the vehicle to the corresponding RSU. Impersonation and framing attacks against vehicles by dishonest or compromised authorities are also possible in the schemes presented in [41-45].
Various recent schemes are subject to impersonation and framing attacks during the registration phase. For example, in [46-48] the TA acquires all relevant information about vehicles during registration and can impersonate or frame a vehicle. In [47] it is also assumed that RSUs do not collude with each other. In [49] consecutive RSUs may reveal the driver's path, since a pseudo identity of the vehicle is known to the RSU. Although the real identity of the vehicle is not revealed during registration, impersonation attacks against vehicles are possible if the registration authority colludes with the RSUs.
Very few works, like [50,51], provide security against framing attacks on vehicles. However, in both these works the TA may impersonate any vehicle and request a pseudo ID from the KGC. Then, by creating a pseudo key $(x_i, P_i)$, the TA may sign valid messages using the target vehicle's credentials.
Paper positioning and comparison with the related work. To the best of our knowledge, the proposed scheme is the first protocol that protects vehicles from both framing and impersonation attacks by misbehaving authorities, without requiring the maintenance and distribution of revocation lists. Even a collusion of corrupted authorities is not able to impersonate a vehicle. Thus security against such attacks is assured even for corrupted or compromised authorities. In addition, the location of a vehicle is not revealed. Location privacy, however, still relies on the assumption of honest-but-curious authorities. In addition to the security and privacy properties, the protocol supports an efficient and privacy-preserving revocation mechanism. Instead of storing and managing large revocation lists, misbehaving drivers are removed by simply deleting their credential from a list of encrypted credentials. The driver is then unable to communicate further with other nodes of the VANET. As no essential information is stored in the drivers' OBUs, relevant attacks will reveal only the encrypted credentials. In the following sections a new privacy-aware and bulletproof trust model is introduced that aims to solve the issues described in the previous paragraphs.

The Proposed Solution
As discussed above, our main design goal is to concurrently achieve security and privacy in V2I communications. In particular, the proposed solution will support the following properties:
• Security. Only authenticated nodes (vehicles) are allowed to communicate with RSUs (unforgeability). In addition, no adversary, even one as strong as the collusion of all the authorities, should be able to impersonate a legitimate node (unframeability).
• Privacy. Vehicle anonymity must be assured, meaning that the identity of the vehicle should not be disclosed to RSUs or to any external entity. In addition, no single entity should be able to link the messages sent to one or more RSUs with a particular sender (message-vehicle untraceability). Traceability should only be possible for a collusion of the CA, the SA and the relevant RSUs. Finally, an RSU (or any other external entity) should not be able to link together different messages coming from a single sender, even if the identity of the sender is not revealed (message unlinkability).
• Efficiency. The system must be efficient enough in terms of communication and computation overhead. The RSUs must be able to process multiple messages per second. For example, 100-200 messages/second are sufficient for RSUs to make informed decisions about the current traffic conditions and unexpected events, even if some messages are eventually lost in case of bursts. Vehicles must not be required to perform crypto operations that are not 'mainstream' in terms of computational cost. For example, although public key crypto is feasible, bilinear pairings are not within the current state of the art.
• Privacy-preserving and efficient revocation. Finally, revocation should be both efficient and privacy preserving. The system should not require CRLs for revocation, as they can become a system bottleneck. At the same time, revocation of a node must not disclose the identity of the node, as this would violate the privacy of previous communications.

Trust Assumptions
We adopt a scenario involving two trusted authorities. Concerning the privacy properties, we assume that the Credential Authority CA and the Signing Authority SA are honest but curious. An interesting observation is that although the CA is considered honest, its involvement is reduced to providing an appropriate AoN-PKEET scheme and inspecting the behaviour of the SA by checking the validity of the NIZKP provided. On the other hand, the SA practically carries the burden of correct protocol execution without knowing the real identities of the drivers. For the security properties (i.e., vehicle unforgeability and unframeability) we assume that all authorities may be compromised. Finally, to protect from outsiders we assume that all communication is encrypted and integrity protected, using standard security mechanisms such as TLS.

Building Blocks
The proposed system uses the following primitives as building blocks.
Bilinear map. Let $G_1 = \langle g \rangle$, $G_2 = \langle \hat{g} \rangle$ and $G_T$ be groups of prime order $p$. A bilinear map $e : G_1 \times G_2 \to G_T$ is an efficiently computable map which satisfies the following conditions:
1. Bilinear: for all $(u, v) \in G_1 \times G_2$ and all $a, b \in \mathbb{Z}_p$, $e(u^{a}, v^{b}) = e(u, v)^{ab}$.

All or Nothing Public Key Encryption with Equality Tests (AoN-PKEET)
AoN-PKEET schemes [52-55] allow entities to perform equality tests between ciphertexts without knowing the secret key or the randomness used to encrypt; additional trapdoor information is provided instead. While one can tell whether two ciphertexts correspond to the same plaintext, no further information is leaked. Thus, an AoN-PKEET encryption scheme (KeyGen, AEnc, Dec, Aut, Com) is an at least IND-CPA secure public key encryption scheme which is compatible with efficient zero-knowledge proofs. In our system we employ the practical ElGamal-based AoN-PKEET of [56], whose security relies on the (S)XDH assumption. Encryption is performed in $G_1$. The private key is an element $\xi \in_R \mathbb{Z}_p$ and the corresponding public key is $h = g^{\xi}$. We describe the AoN encryption (AEnc) and the additional algorithms Aut and Com; in both cases appropriate NIZKP can be provided. We refer to [56] for more details.
• AEnc(h, r, m) → C: On input the public encryption key $h$, a random $r \in_R \mathbb{Z}_p$ and a message $m$, it outputs the encryption $C = (K_1, K_2) = (g^{r}, m h^{r})$.
• Aut(ξ) → tk: On input the secret key, it returns the trapdoor information $tk = (\rho, \varphi = \rho^{\xi}) \in G_2^2$ for $\rho \in_R G_2$, allowing equality tests for ciphertexts.
• Com(C, C', tk) → {0|1}: On input two ciphertexts $C = (K_1, K_2) = (g^{a}, m h^{a})$ and $C' = (K'_1, K'_2) = (g^{a'}, m' h^{a'})$ and the trapdoor $tk = (\rho, \varphi = \rho^{\xi})$, it outputs 1 if $e(K_2, \rho) \cdot e(K_1, \varphi)^{-1} = e(K'_2, \rho) \cdot e(K'_1, \varphi)^{-1}$ holds and 0 otherwise. If the output is 1 then $m = m'$.
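Why the comparison in Com depends only on the plaintext, as a short derivation added here (not from the paper) using the definitions above: for $C = (K_1, K_2) = (g^{a}, m h^{a})$ with $h = g^{\xi}$ and $\varphi = \rho^{\xi}$, bilinearity gives
$$e(K_2, \rho)\cdot e(K_1, \varphi)^{-1} = e(m, \rho)\cdot e(g^{\xi a}, \rho)\cdot e(g^{a}, \rho^{\xi})^{-1} = e(m, \rho)\cdot e(g, \rho)^{\xi a - a\xi} = e(m, \rho).$$
The randomness $a$ cancels, so the same computation on $C'$ yields $e(m', \rho)$ and Com outputs 1 exactly when $e(m, \rho) = e(m', \rho)$, i.e., when $m = m'$. This is also why the SA can later keep $e(C_2, \rho)\cdot e(C_1, \varphi)^{-1}$ for each registration entry of $BB_{SA}$ and match it against a fresh re-encryption of the same ID under any $r_i$.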

Non Interactive Zero Knowledge Proofs (NIZKP)
NIZKP are essentially protocols used by a prover, in order to prove knowledge of some information to a verifier, without revealing anything about the information itself. In our protocol, a custom NIZKP is used by vehicles to prove knowledge of the nonce chosen for credential generation, during registration. In addition, in the communication protocol, the NIZKP of [56] may be used, to force the SA to honest protocol execution. This however will imply an additional computational cost.

Partially Blind Digital Signature Scheme
Partially blind signatures are a special type of blind signature in which the signed message consists of two parts: a message to be blinded and a non-blinded message having a predefined structure. We utilize the partially blind signature scheme of [57], which is based on Schnorr signatures. Essentially, the message consists of two parts, $M = \{m, m'\}$. Here $m$ is the actual message, which is blinded using a random $b$ as blinding factor: $\bar{m} = H(m \| b)$. The part $m'$ is a cleartext, non-blinded message whose form is mutually predefined.

High Level Description
Let $V = \{V\}$ and $I = \{RSU\}$ represent the set of VANET nodes (vehicles) and infrastructure elements (RSUs), respectively. We assume two independent honest-but-curious authorities. Let CA denote a certification authority for managing the long-term credentials of the vehicles and for providing an AoN-PKEET. Let SA denote a Signing Authority, whose main role is to authenticate (by blindly signing) messages of anonymously authenticated vehicles. The RSUs accept messages sent by vehicles only if the messages have been previously authenticated by the SA. Vehicles may send/receive messages from RSUs within range (e.g., traffic information, emergency events, etc.). The proposed scheme achieves the security, privacy and efficiency properties described above for V2I communication. The protocol consists of the following four phases. Phase 1 (Set Up): During this phase the Credential Authority (CA) publishes all the system parameters, including the public encryption key of an AoN-PKEET scheme. In addition, the CA securely transfers to the Signing Authority (SA) the trapdoor information tk, to allow the SA to perform equality tests on messages encrypted with the AoN-PKEET scheme.
It is important to note that although in our set up we assume a single CA, extending the CA to a threshold setting is straightforward. The underlying AoN-PKEET scheme can be easily extended to a threshold scenario, where the role of the CA is distributed to multiple entities and a majority of CAs is needed for decryption.
Phase 2 (Registration): Registration is an ongoing phase that allows new vehicles to join dynamically. For each new vehicle V, a unique identifier ID is chosen by the CA and AoN-PKEET encrypted by V, using the AoN public key of the CA. The randomness used for the encryption is not revealed to the CA and is later used by the vehicle to provide a NIZKP of the assigned ID. The vehicle also receives from the CA signed proofs of the registration parameters. The CA forwards the encrypted credential to the SA, who appends it to a private list $BB_{SA}$ containing the encrypted credentials of all registered users.
The scheme allows the SA to perform tests on encrypted messages and determine whether they originate from the same original message. Thus the SA can determine whether a user is indeed a member of the authorized users of the protocol by blindly checking whether the user's encrypted credential belongs to the list of encrypted credentials of all authorized users.

Phase 3 (Secure communication):
During the secure communication phase, a registered vehicle V communicates with the SA in order to authorize, via a partially blind signature, the message to be sent to the RSU.
As described in Section 3.1, in partially blind signature schemes an input message $M = (m, m')$ has two parts: the message to be blinded and an unblinded part with a predefined structure. In our scheme the structure of the unblinded part is defined as $m' = t_{cur} \| rand$, consisting of the current time concatenated with a random value that is computed in a predefined way and serves as the challenge of the NIZKP. The efficiency of the scheme is improved by applying the methods presented in [58].
The vehicle first provides to the SA a fresh AoN-PKEET encryption and a NIZKP of its credential. The SA uses the private list $BB_{SA}$ of encrypted credentials to check whether a match is found with the freshly encrypted credential provided by V. In that case, the SA blindly signs the message that V wants to send to the RSU.
Phase 4 (Revocation): When needed, the revocation phase is executed to anonymously revoke a counterfeit, misused or compromised credential. According to a predefined policy, revocation is equivalent to the deletion of the encrypted credential stored in the private list $BB_{SA}$ maintained by the SA. Therefore, revocation in our scheme is very efficient, as it does not require maintaining and managing revocation lists. Detection of misbehaving vehicles is possible from the timestamps.

Detailed Protocol Description
We will use the notation shown in Table 1 to describe the cryptographic building blocks employed, which have been briefly described in Section 3.1. The protocol is described in Figure 1. On input a security parameter $n$, the Credential Authority CA generates the bilinear groups $(G_1, G_2, g, \hat{g}, p)$, the private/public AoN-PKEET encryption pair $(\xi, g^{\xi} \bmod p)$ and the trapdoor information $tk = (\rho, \varphi = \rho^{\xi})$, as described in Section 3.1. The CA securely transfers the trapdoor information to the SA. The SA cannot decrypt messages, since it has no access to the secret key or to the randomness used for message encryption; it may use the trapdoor information only to check for the equality of messages encrypted with the AoN-PKEET scheme of the CA.

Table 1. Notation and cryptographic functions used.
CA: bilinear groups $G_1, G_2, g, \hat{g}, p$; private/public AoN-PKEET pair $\xi, h = g^{\xi}$; trapdoor $\rho, \varphi = \rho^{\xi}$; signature keys $PK_{CA}, SK_{CA}$.
SA: signature keys $SK_{SA} : x$, $PK_{SA} : y = g^{x} \bmod p$; trapdoor $\rho, \varphi = \rho^{\xi}$.

Finally, each authority possesses a public/private key pair, say $PK_{CA}, SK_{CA}$ (resp. $PK_{SA}, SK_{SA}$), to be used for signing and/or communication encryption (in practice each authority may use a different key pair for each operation).
For the digital signatures, an algorithm that supports a partially blind setting can be used. We implement the scheme presented in [57]. Let $SK_{SA} = x$ and $PK_{SA} = y\ (= g^{x} \bmod p)$ denote the private/public key pair of the SA, using a typical ElGamal setting, where $p = 2q + 1$ for sufficiently long primes $p, q$.

Registration
We assume that all communications are encrypted and integrity protected, e.g., using the public keys of the relevant authorities CA and SA. New vehicles can be dynamically added as follows (see Figure 2). Initially V sends a join request to the CA. The CA chooses a unique identifier ID and sends it to V along with the current registration time $t_0$. Then V chooses $r_0 \in_R \mathbb{Z}_p$, computes $AEnc(h, r_0, ID) \to (C_1, C_2) = (g^{r_0}, ID \cdot h^{r_0})$ and also the signature $\sigma_V = sig_V(ID, t_0)$. It then forwards $(C_1, C_2), t_0, \sigma_V$ to the CA.

Figure 2. The Registration protocol (message flow between V, the CA and the SA, starting with V's join request).
The CA decrypts $(C_1, C_2)$ to obtain ID and then verifies $\sigma_V$. On successful verification, the CA sends to V a signature $\sigma = sig_{CA}(C_1, C_2, t_0)$. In addition, the CA forwards $(C_1, C_2), t_0, \sigma$ to the SA. Both V and the SA verify $\sigma$, and the SA also publishes all information (encrypted credentials, time and signature) on a public bulletin board, sorted in increasing order with respect to the encrypted credentials, i.e., $BB_{SA} = [D_{\alpha_1}, \dots, D_{\alpha_N}]$, so that searching for an encrypted credential can be performed in $\log N$ time.

V2I Communication
Registered vehicles will first authenticate their (partially blinded) messages via the SA and then anonymously send the authenticated messages to RSUs as follows (see Figure 3). Again we assume that all communications are encrypted and integrity protected using the public keys of the SA and/or RSU respectively.
Initially V prepares a fresh encryption of its identifier using a new random value $r_i$ as follows. It chooses $r_i \in_R \mathbb{Z}_p$ and AoN-encrypts the credential ID with $r_i$: $AEnc(h, r_i, ID) \to (K_1, K_2) = (g^{r_i}, ID \cdot h^{r_i})$. Then V uses the partially blind signature scheme of [57] to blind the message $M = \{m, m'\}$, where $m$ is the actual message to be sent blinded. The non-blinded part is predefined as $m' = t_{cur} \| rand$, where $t_{cur}$ is the current time, to ensure message freshness, and $rand$ is a random value that ensures message uniqueness. Then V blinds $m$ using randomness $b$ as $\bar{m} = H(m \| b)$.
In addition, V computes a non-interactive zero knowledge proof of knowledge for its identifier ID. This is essentially a proof that V knows the randomness $r_0$ used to AoN-encrypt ID at the registration phase, using the randomness $r_i$ chosen for the new AoN encryption of ID [59]. V computes a challenge for the NIZKP from the fresh AoN encryption, the blinded message $\bar{m}$ and the non-blinded message $m' = t_{cur} \| rand$, i.e., $C = H(K_1, K_2, \bar{m}, m')$. The response is computed as $R = r_0 - r_i \cdot C$. Finally, V forwards $(K_1, K_2)$, $(\bar{m}, m')$ and $R$ to the SA.
Verify NIZKP: The SA first checks the freshness and uniqueness of the non-blinded message $m' = t_{cur}||rand$. Then, it uses the trapdoor $tk = (\rho, \phi = \rho^{\xi})$ to compute $e(K_2, \rho) \cdot e(K_1, \phi)^{-1} \to (X_1, X_2)$ and checks whether there is a match in $BB_{SA}$, i.e., whether some entry $D_j \in BB_{SA}$ is identical to $(X_1, X_2)$. The search is performed in $\log N$ time, where $N$ is the number of registered vehicles. This assures the SA that $(K_1, K_2)$ is a re-encryption of a valid credential. If the AoN-PKEET test fails, the SA aborts. Otherwise, let $D_j = (C_1, C_2) = (g^{r_0}, ID \cdot h^{r_0})$ be the initial encryption of $ID$ found in $BB_{SA}$. Now the SA verifies the NIZKP as follows: it computes the challenge $C = H(K_1, K_2, \bar{m}, m')$ (in the same way as V presumably did) and then checks whether $g^{R} K_1^{C} = C_1$ (i.e., $g^{r_0 - r_i \cdot C} \cdot g^{r_i C} = g^{r_0}$). If the verification fails, it aborts. If the NIZKP verification succeeds, then the SA is assured in zero knowledge that V knows the exponent used in $C_1$ (and therefore holds a valid $ID$). In addition, notice that $C$ also binds the fresh AoN-Encryption of the credential to the blinded message $\bar{m}$ to be signed. If the verification succeeds, the SA updates $BB_{SA}$ by adding the time of the request: the non-blinded part $m' = t_{cur}||rand$ is appended to the appropriate line $D_j = e(C_2, \rho) \cdot e(C_1, \phi)^{-1}$ containing $(C_1, C_2)$. This part of the table is kept private. Multiple requests from the same user can be detected on request.
Finally, the SA signs the blinded message $\bar{m}$ by selecting $k \in_R \mathbb{Z}_p$ and computing $l = g^k$, $e = H(l||m'||\bar{m})$ and $s = k - xe \bmod q$. The signature $(l, s)$ is sent to V. To verify the signature $(l, s, b), (m, m')$ sent by V to an RSU, the receiver must compute again $e = H(l||m'||\bar{m})$ and check whether $e = H(g^s y^e || m' || H(m||b))$.
V forwards $[(l, s, b), (m, m')]$ to the RSU. The RSU verifies the signature and the current time $t_{cur}$ included in $m'$ before accepting a message.
Notice that even if the SA is corrupted, it gains no additional information if the RSU is honest. In addition, a corrupted RSU learns nothing about a vehicle's identity, since it only checks the validity of the SA's signatures.
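The request, verification, signing and RSU-side checks described in this section, as an added worked example (this is not the paper's implementation and not the scheme of [57] as published): a Python sketch over a toy prime-order subgroup of $\mathbb{Z}_p^*$ generated at import time. The pairing-based AoN-PKEET equality test is out of scope; instead the SA locates the registration line through the value $g^R K_1^C$ that a correct proof must equal. The group construction, the hash-to-$\mathbb{Z}_q$ function, the `|`-separated encoding of $m' = t_{cur}||rand$ and the 60-second freshness window are this example's own assumptions.

```python
import hashlib
import secrets
import time

# Toy group: the order-q subgroup of Z_p^*, p = 2q + 1 a safe prime found at import time
# (constructed for this example; the paper's bilinear-pairing setting is not reproduced).
SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]

def is_probable_prime(n):
    """Miller-Rabin with fixed bases, so the same group is produced on every run."""
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime_group(bits=128):
    """Smallest safe prime p = 2q + 1 with q >= 2^(bits-1); g = 4 generates the order-q subgroup."""
    q = (1 << (bits - 1)) | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4

P, Q, G = safe_prime_group()

def H(*parts):
    """SHA-256 over length-prefixed parts, reduced into Z_q (stands in for the paper's H)."""
    enc = [x if isinstance(x, bytes) else str(x).encode() for x in parts]
    raw = b"".join(len(x).to_bytes(4, "big") + x for x in enc)
    return int.from_bytes(hashlib.sha256(raw).digest(), "big") % Q

def aon_encrypt(h, r, id_elem):
    """ElGamal-style AoN encryption of ID under h = g^xi: (g^r, ID * h^r)."""
    return pow(G, r, P), (id_elem * pow(h, r, P)) % P

def vehicle_sign_request(h, id_elem, r0, message):
    """Vehicle: re-encrypt ID with fresh ri, blind m as H(m||b), set m' = t_cur||rand, answer R = r0 - ri*C."""
    ri = secrets.randbelow(Q)
    K1, K2 = aon_encrypt(h, ri, id_elem)
    b = secrets.token_bytes(16)
    m_bar = hashlib.sha256(message + b).digest()
    m_prime = f"{int(time.time())}|{secrets.token_hex(8)}"
    R = (r0 - ri * H(K1, K2, m_bar, m_prime)) % Q
    return (K1, K2), m_bar, m_prime, R, b

def sa_verify_and_sign(bb, x, K, m_bar, m_prime, R, seen, max_age_s=60):
    """SA: m' freshness/uniqueness, NIZKP check g^R * K1^C == C1 against BB_SA, then a Schnorr-style signature."""
    K1, K2 = K
    if abs(int(time.time()) - int(m_prime.split("|")[0])) > max_age_s or m_prime in seen:
        return None
    C = H(K1, K2, m_bar, m_prime)
    C1 = (pow(G, R, P) * pow(K1, C, P)) % P
    # Simplification: the line is located by the value the proof must equal (no pairing-based AoN-PKEET test).
    if C1 not in bb:
        return None
    seen.add(m_prime)
    bb[C1]["requests"].append(m_prime)      # private part of line D_j: time of the request
    k = secrets.randbelow(Q)
    l = pow(G, k, P)
    e = H(l, m_prime, m_bar)
    return l, (k - x * e) % Q

def rsu_verify(y, sig, message, b, m_prime, max_age_s=60):
    """RSU: check t_cur in m', then e == H(g^s * y^e || m' || H(m||b))."""
    l, s = sig
    if abs(int(time.time()) - int(m_prime.split("|")[0])) > max_age_s:
        return False
    m_bar = hashlib.sha256(message + b).digest()
    e = H(l, m_prime, m_bar)
    return H((pow(G, s, P) * pow(y, e, P)) % P, m_prime, m_bar) == e

def run_demo():
    """One registration, one honestly signed message, and three cases that must fail."""
    xi, x = secrets.randbelow(Q), secrets.randbelow(Q)
    h, y = pow(G, xi, P), pow(G, x, P)              # AoN public key h, SA verification key y
    id_elem, r0 = pow(G, secrets.randbelow(Q), P), secrets.randbelow(Q)
    C1, C2 = aon_encrypt(h, r0, id_elem)             # registration: line D_j = (C1, C2)
    bb, seen, msg = {C1: {"C2": C2, "requests": []}}, set(), b"road works ahead"
    K, m_bar, m_prime, R, b = vehicle_sign_request(h, id_elem, r0, msg)
    sig = sa_verify_and_sign(bb, x, K, m_bar, m_prime, R, seen)
    Kx, mb2, mp2, R2, _ = vehicle_sign_request(h, id_elem, secrets.randbelow(Q), msg)  # unknown r0
    return {
        "accepted": sig is not None and rsu_verify(y, sig, msg, b, m_prime),
        "replay_rejected": sa_verify_and_sign(bb, x, K, m_bar, m_prime, R, seen) is None,
        "unregistered_rejected": sa_verify_and_sign(bb, x, Kx, mb2, mp2, R2, seen) is None,
        "tamper_rejected": sig is not None and not rsu_verify(y, sig, b"road clear", b, m_prime),
    }
```

`run_demo()` returns four booleans that are all `True` when the checks behave as the section describes: the honest message verifies at the RSU, a replayed request is refused by the SA because $m'$ was already seen, a request from a party that does not know $r_0$ fails the proof check, and a message altered after signing fails at the RSU because $H(m||b)$ no longer matches.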

Revoking
Revocation is a necessary part of the protocol so as to handle misbehaviour of authorized vehicles. Suppose that a vehicle V misbehaves, e.g., the message $m$ is false or is repeated multiple times. The RSU can forward the tuple to the SA, which can locate the corresponding line of the misbehaving driver by using the timestamp $t_{cur}||rand$. All information can then be forwarded to the CA with a request for further instructions. Actions are taken according to a predefined policy. If necessary, the CA can instruct the SA to simply delete the appropriate line from $BB_{SA}$, thus removing V from the list of authorized users. No revocation list is needed for expired or deleted credentials.

Security Analysis
We examine the security and privacy properties of the protocol, based on the relevant requirements set in Section 3. As already stated, we assume that the CA and the SA are honest-but-curious entities. However, we will show that unframeability holds even if the authorities are corrupted. Adversaries are modeled by probabilistic polynomial time (PPT) Turing machines. A negligible function $\mathrm{negl}$ is a function $\mathrm{negl}: \mathbb{N} \to \mathbb{R}$ such that for every positive integer $c$ there exists an integer $n_c$ such that for all $x > n_c$ we have $|\mathrm{negl}(x)| < \frac{1}{x^c}$.

Unforgeability
Let $\Pi_1$, $\Pi_2$ and $\Pi_3$ be the set-up, the registration and the secure communication protocol respectively, as described in Section 3.3. Let $\mathcal{A}_f$ be a PPT forging adversary, i.e., an external adversary who monitors the communications between all honest entities and whose goal is to forge the secure communication protocol $\Pi_3$. In other words, the goal of the adversary is to send a valid-looking message to an RSU without first having been issued valid credentials by running $\Pi_2$ with the authorities that have already run $\Pi_1$. We assume that $\mathcal{A}_f$ has oracle access to $\Pi_1$, $\Pi_2$ and $\Pi_3$ but has no access to the randomness used to encrypt or to the credentials $ID$ of the users. We will construct an algorithm $\mathcal{B}$ that attacks the DLOG problem by using an adversary $\mathcal{A}_f$ that produces a valid $R$.
We will prove that if $\mathcal{A}_f$ can successfully forge $\Pi_3$ with non-negligible probability, then $\mathcal{B}$ can use $\mathcal{A}_f$ as a subroutine to successfully attack the DLOG problem with non-negligible probability. We assume that $\mathcal{C}_{DLOG}$ is a challenger for the discrete logarithm problem. We denote by $O_{\Pi}$ the oracle access of the adversary to a protocol $\Pi$.
• Setup. $\mathcal{C}_{DLOG}$ provides a challenge $g, g^{\rho}$ to $\mathcal{B}$, which forwards the challenge to $\mathcal{A}_f$. Then $\mathcal{A}_f$ uses its oracle access to $\Pi_1$ with input the challenge $g, g^{\rho}$, to receive the corresponding output of the set-up protocol, i.e., $O_{\Pi_1}: g, g^{\rho} \to \xi, (g, h = g^{\xi})$. Thus, an AoN-PKEET is set up with $\xi$ and $(g, h = g^{\xi})$ as the private and public keys respectively.
• $\mathcal{A}_f$ uses its oracle access to $\Pi_2$ to receive the encryptions of valid credentials $ID_1, \ldots, ID_N$. For the encryption of $ID_i$, $O_{\Pi_2}$ outputs $(g^{\rho})^{\xi} = (g^{\xi})^{\rho} = h^{\rho}$ and sets $\mathrm{AEnc}(h, r_i, 1) \cdot (g^{\rho}, h^{\rho} ID_i) = (g^{\rho + r_i}, h^{\rho + r_i} ID_i) = \mathrm{AEnc}(h, \rho + r_i, ID_i)$, re-randomizing the encryptions. Thus, $BB_{SA}$ is formed.
• Attack. $\mathcal{A}_f$ requests oracle access $O_{\Pi_3}$ for polynomially many executions of $\Pi_3$. Then, the challenge $\mathrm{AEnc}(h, r, ID_i) = (K_1, K_2)$ is given to $\mathcal{A}_f$ for forgery. The adversary chooses a message $m$ and computes $C = H(K_1, K_2, m, t_{cur}||rand)$. It outputs a valid NIZKP $R$ such that $g^{R} K_1^{C} = g^{\rho + r_i}$.
• Guess. $\mathcal{B}$ receives from $\mathcal{A}_f$ the values $R, r, C, r_i$ and outputs its guess $\rho' = R + rC - r_i$. If $\rho' = \rho$ then $\mathcal{B}$ wins.
Since $R \in \mathbb{Z}_p$, the probability of randomly selecting a valid $R$ equals $\frac{1}{p}$. We define the advantage of $\mathcal{A}_f$ in breaking $\Pi_3$ as: We also define the advantage of $\mathcal{B}$ in breaking DLOG as $\mathrm{ADV}_{\mathcal{B}} = |\mathrm{Prob}[\rho' = \text{valid}] - \frac{1}{p}|$. Then it holds that: Since all values $r, r_i, C$ are known to $\mathcal{B}$, if an adversary $\mathcal{A}_f$ can produce a valid $R$ with non-negligible advantage, then it can be used by $\mathcal{B}$ as a subroutine to break the DLOG problem, also with non-negligible advantage.

Unframeability
For unframeability, we assume that, in addition to the previous case, the authorities CA and SA collude with the adversary. Thus the framing adversary $\mathcal{A}_f$ has access to all the secret keys of the CA and the SA and is able to decrypt the credentials chosen by valid vehicles upon registration, but has no access to the randomness $r_0$ used by a vehicle during the registration protocol.
The proof is essentially the same as in the previous case, with the difference that now the adversary has full access, and not only oracle access, to $\Pi_1$ and $\Pi_2$ during the Setup phase. In addition, in the Attack phase, since the adversary has the ability to decrypt and knows all the credentials, a target $ID_i$ is selected (in the previous case a random $ID$ was chosen for forgery). The adversary computes $\mathrm{AEnc}(h, r, ID_i) = (K_1, K_2)$ with a randomness $r$ of its choice and computes $C = H(K_1, K_2, m, t||rand)$ for a chosen message $m$. It outputs a valid NIZKP $R$ such that $g^{R} K_1^{C} = g^{\rho + r_i}$.

Anonymity and Message-Vehicle Untraceability
Let $\mathcal{A}_t$ be a PPT tracing adversary, whose goal is to trace the identity $ID$ related to one or more messages sent to one or more RSUs. We allow the adversary to collude with authorities in various scenarios. We denote by Corrupted the set of authorities colluding with the adversary in each scenario. Let $\Pi_3$ be the communication protocol. We formalize the notion of message-vehicle untraceability by an experiment $\mathrm{Priv}_{\mathcal{A}_t, \Pi_3}(n)$ in which $\mathcal{A}_t$ has access to an oracle $O_{\Pi_3}$ that, on input a security parameter $n$ (which defines the bilinear group setting along with an AoN-PKEET), simulates executions of $\Pi_3$. $\mathcal{A}_t$ has access to all public keys used for encrypting and to a history of simulated executions of $\Pi_3$ that includes the transmitted messages. In addition, $\mathcal{A}_t$ has access to all secret keying material of all entities that belong to the set Corrupted of colluding entities. $\mathcal{A}_t$ attempts to relate any of the posted messages $m$ with the encryption of the identifier $ID$, $\mathrm{AEnc}(h, r, ID)$. We say that $\mathcal{A}_t$ succeeds if it relates any message with the corresponding encrypted identifier $\mathrm{AEnc}(h, r, ID)$. If $\mathcal{A}_t$ succeeds then $\mathrm{Priv}_{\mathcal{A}_t, \Pi_3}(n)$ outputs 1, and 0 otherwise.
Suppose there is some statistical noise and $k$ messages are sent for signing every second. The signatures of these messages remain valid for a time frame, say $t_f$. Let $P_b(m, ID)$ be the probability of successfully binding a message $m$ submitted at a specific time $t$ with the correct encrypted identifier $\mathrm{AEnc}(h, r, ID)$. The message $m$ remains valid until $t + t_f$. Assuming that all messages signed by the SA are forwarded from the vehicles to RSUs at a random time within the valid time frame, $P_b(m, ID) \le \frac{1}{k}$. In the worst-case scenario only the $k$ messages submitted at $t$ are published within the time frame.
Definition 1. $\Pi_3$ provides message-vehicle untraceability if for all PPT adversaries $\mathcal{A}_t$ there exists a negligible function $\mathrm{negl}$ such that:
Claim 1. $\Pi_3$ provides vehicle anonymity and message-vehicle untraceability, provided that at least one of the system entities (CA, SA or RSU) does not belong to the Corrupted set.
Proof. Recall that the proposed protocol consists of the following exchanges:
(a) The vehicle requests from the CA an anonymous ID.
(b) The CA sends to the vehicle the anonymous ID and the relevant proofs to the SA.
(c) The vehicle requests a signature from the SA.
(d) The SA responds to the vehicle.
(e) The vehicle sends the blindly signed message to an RSU.
(f) The RSU posts the transmitted message.
To win the game, the adversary should be able to relate the identity of the vehicle (a ↔ b) with the signature request sent by the vehicle to the SA (c ↔ d) and finally with the blindly signed message sent to an RSU (e ↔ f). We will show that the adversary always fails, provided that at least one of the entities is not corrupted.
Case 1.
The real identity $ID$ assigned to a vehicle cannot be revealed if $CA \notin \mathrm{Corrupted}$ and the encryption scheme used in $\Pi_1$ is secure.
Proof. Clearly, if the CA is not corrupted, the entities belonging to the Corrupted set cannot learn the real identity of the vehicle, since the communication is encrypted using the public key of the CA.
Case 2.
The adversary has knowledge of all pairs $(m_i, m'_i)$, $(l_i, s_i, b_i)$, since the RSUs collude. The SA responds using the public key of the vehicle, $\mathrm{enc}_V(l||s)$ (the public key of the driver can be stored in $BB_{SA}$ or can be included in each request). The adversary attempts to identify which of the $(l_i, s_i)$ is the encryption $\mathrm{enc}_V(l||s)$ and to relate $(m_i, m'_i)$ with $\mathrm{enc}_{SA}(m, m')$. Assuming the public key cryptosystems of the user and the SA are IND-CPA secure, this is not possible. Messages must be shuffled before being exported: linear processing of incoming messages results in linkability. Signatures on random strings can be inserted to further decrease the probability.

Case 3.
(e ↔ f) Blindly signed messages sent by a vehicle and received by an RSU are untraceable by $\mathcal{A}_t$, provided that $RSU \notin \mathrm{Corrupted}$.
Proof. Straightforward since the encryption scheme of the RSUs is IND-CPA secure.

Lemma 1.
By combining Cases 1, 2 and 3, it is easy to see that the adversary $\mathcal{A}_t$ will fail if at least one of the entities CA, SA and RSU is honest.

Message Unlinkability
As defined in Section 3, message unlinkability requires that an RSU (or any other authority) should not be able to link together different messages that come from a single sender (vehicle), even if the identity of the sender is not known. Let $\mathcal{A}_u$ denote a PPT adversary aiming to break the unlinkability property, who captures the capabilities of honest-but-curious authorities (CA and SA) and RSUs. $\mathcal{A}_u$ monitors all the communications of the SA. Let $\Pi_3$ be the communication protocol. We formalize the notion of unlinkability by an experiment $\mathrm{Priv}_{\mathcal{A}_u, \Pi_3}(n)$ in which $\mathcal{A}_u$ has oracle access to $\Pi_3$: on input a security parameter $n$ (which defines the bilinear group setting along with an AoN-PKEET), the oracle simulates executions of $\Pi_3$. $\mathcal{A}_u$ has access to the public key used for encrypting and to the history of simulated executions of $\Pi_3$ that includes the transmitted messages. $\mathcal{A}_u$ is also allowed access to the list of the valid identifiers of all vehicles $ID_1, ID_2, \ldots, ID_N$ (although in real life the adversary has no knowledge of the list of identifiers!). $\mathcal{A}_u$ attempts to relate any of the messages sent with a valid identifier $ID_i$. We say that $\mathcal{A}_u$ succeeds if it correctly relates a message with the corresponding identifier. If $\mathcal{A}_u$ succeeds then $\mathrm{Priv}_{\mathcal{A}_u, \Pi_3}(n)$ outputs 1, and 0 otherwise.
Definition 2. $\Pi_3$ provides message unlinkability if for all PPT adversaries $\mathcal{A}_u$ there exists a negligible function $\mathrm{negl}$ such that: where $N$ is the number of different credentials. That is, $\mathcal{A}_u$ is no better than picking at random; we then say that $\Pi_3$ provides unlinkability.
It is obvious that if all three entities collude, traceability is possible: when a message is forwarded to an RSU, the encrypted credential can be related to the message sent, since the timestamp can be forwarded from the RSU to the SA. This, however, is a desired protocol function that allows us to address the issue of misbehaving drivers, but only if all the entities collude (e.g., after a legal claim has been issued).

Scenario-Based Analysis
In addition to the formal security analysis presented above, we informally analyze the security of our protocol for various attack scenarios.
Man-in-the-Middle Attack. In this attack scenario, the adversary intercepts messages and tampers with the data exchanged between a vehicle and an RSU or the SA. However, a MiTM attack will not succeed, since it requires the adversary to forge the actual data sent by the vehicle, which are bound to the certificate of the vehicle via the use of a hash function.
Replay Attack. In this attack scenario, the adversary replays a previously obtained legitimate signature to the receiver. Such attacks will not succeed, since the use of timestamps ensures message freshness.
Identity Revealing Attack. The adversary attempts to reveal the real identity of a target vehicle, so as to illegally gather personal data about the vehicle, which would threaten the privacy of the driver. This requires breaking the IND-CPA security of the underlying cryptosystem.
Authority Abuse Attack. In this scenario the CA attempts to arbitrarily issue certificates to illegal vehicles or to revoke certificates of legal vehicles. Such attacks can be thwarted by employing a threshold CA. In addition, revoking a legal vehicle must be accompanied by a transaction proving misbehaviour; an arbitrary revocation is therefore equivalent to framing a vehicle, which was shown to be impossible.
In Table 2 we compare our scheme with the related work in terms of their security and privacy characteristics. Our scheme is one of the few in the literature that provides unframeability and impersonation protection against corrupted authorities. At the same time it does not require maintaining revocation lists or expensive key re-issuing after each revocation, while it maintains location privacy from honest-but-curious authorities.

Table 2. Security and privacy comparison with related schemes (column headers not recovered; the five YES/NO columns keep their original order).

EMAP [61] | NO | NO | NO | YES | YES
DKM [62] | NO | NO | NO | YES | NO
BUA [63] | NO | NO | NO | YES | NO
PACM [46] | NO | NO | NO | NO | NO
Our Scheme | YES | YES | YES | NO | NO

Efficiency Analysis
All tests were carried out on an Ubuntu 20.04 system with an AMD Athlon 5350 APU with Radeon R3 at 2.05 GHz and 8 GB of memory. The implementation is based on Python 3.8.5. For the simulation we used Simulink from Matlab.

Efficiency of the Cryptographic Primitives
For our simulation model, we first computed the time required for all the cryptographic primitives utilized in our protocol, summarized in Table 3. For all the experiments, the presented times are the average of 1000 executions. For our tests, we assumed messages of fixed length (50 characters). For the partially blind digital signature scheme we used an implementation of the scheme presented in [57]. Blinding requires the generation of a random integer and one hash function evaluation (SHA-256 was used). Signing a message requires 1 random integer generation, 1 exponentiation, 1 multiplication, 1 modular addition and 1 hash function evaluation. Verifying the signature requires 2 hash function evaluations, 2 exponentiations and 1 modular multiplication. According to [58], with the help of precomputed values an exponentiation can be approximated by 120 modular multiplications.

Encryption Schemes
The following times represent the encryption and decryption of a random text of 50 characters with IND-CPA secure versions of RSA and ElGamal. We use RSA for the public key encryption schemes implemented by the SA, the drivers and the RSUs.

Bilinear Pairing
Our scheme requires a pairing that can be computed efficiently. During the secure communication protocol we compute the image of a hash function on group elements of $G_1$. Thus, group elements of $G_1$ should ideally have short representations. According to [64], type 3 pairings offer short representations. We implemented a type 3 pairing of 256 order in 10.376 ms using the bplib Python library. Again, the average time of 1000 executions on random elements is reported.

Signing Authority (SA) Performance
We examine the performance of the Signing Authority (SA), since the SA is involved in each message exchanged via the secure communication protocol. For the simulation, Simulink from Matlab was used, where message requests follow a Poisson distribution. A FIFO queue is implemented. For each requested signature, the SA must repeat the following computations.
Computing $e(K_1, \rho) \cdot e(K_2, t)^{-1}$ requires 2 pairings (20.752 ms), a multiplication ($4.1 \times 10^{-3}$ ms) and computing the inverse of an element (0.151 ms). To verify $R$, the SA must compute an exponentiation $g^R$, which according to [58] can be approximated with 120 multiplications (0.473 ms), a hash function ($6.3 \times 10^{-3}$ ms) and an exponentiation $K_1^C$ (9.036 ms). To verify $t_{cur}||rand$, one subtraction, current time $- t_{cur}$ ($1 \times 10^{-3}$ ms), ensures message freshness, and a hash function on some information relevant to time $t_{cur}$ yields the randomness $rand$. The overall computation cost for a single message equals 31.618 ms, as summarized in Table 4. We assume that the server processes messages at a constant time of 32 ms per message. Since authorities are equipped with sufficient computational power, we assume a scenario where 10 servers are available in parallel. In Table 5 we summarize the performance of the SA for 50 up to 250 incoming messages per second. AM stands for Average Messages per second, PDM for Poisson Distribution Mean, AQL for Average Queue Length, AW for Average Wait time in seconds and MP for the total number of Messages Processed in 1 h. Our results show that, for the examined setup, the SA server can handle 200 messages per second with less than 1 s delay. Figure 4a,b show the average wait time and the average queue length for the SA.

RSU Performance
Again we implement a FIFO waiting queue. For the RSUs we have implemented a single-server scenario, where messages are processed at a constant time of 1.6 ms per message (0.615 ms for decryption and 0.897 ms for signature verification). We use the same notation as in the SA analysis. As shown in Table 6, an RSU server can handle up to 400 messages per second with almost 1 s delay. Figure 5a,b show the average wait time and the average queue length for the RSU.
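The SA and RSU queueing experiments above are described by their parameters only (Poisson arrivals, an unbounded FIFO queue, a number of identical servers with constant service time). The discrete-event simulation below is an added example, not the paper's Simulink model; it produces the same kind of measurements (AM, AQL, AW, MP) for any arrival rate, server count and service time, so the SA setting (10 servers, 32 ms) and the RSU setting (1 server, 1.6 ms) are both covered by the one function. The 60-second horizon, the fixed seed and the decision to measure queue length at arrival instants are this example's own choices, and its numbers are not those of Tables 5 and 6.

```python
import heapq
import random
from collections import deque

def simulate_fifo_servers(rate_per_s, servers, service_s, horizon_s=60.0, seed=1):
    """Discrete-event simulation of one authority: Poisson arrivals at rate_per_s,
    an unbounded FIFO queue and `servers` identical servers that each take a
    constant service_s per message.  Returns AM/AQL/AW/MP in the sense of Table 5:
    arrival rate, average queue length (as seen by arrivals), average wait in
    seconds and the number of messages fully processed within the horizon."""
    rng = random.Random(seed)                   # fixed seed: repeatable runs
    free_at = [0.0] * servers                   # min-heap of the times servers become free
    heapq.heapify(free_at)
    waiting_starts = deque()                    # service-start times of messages still queued
    total_wait = total_queue = 0.0
    arrivals = completed = 0
    t = 0.0
    while True:
        t += rng.expovariate(rate_per_s)        # exponential inter-arrival times (Poisson process)
        if t > horizon_s:
            break
        # messages whose service began before this arrival are no longer in the queue
        while waiting_starts and waiting_starts[0] <= t:
            waiting_starts.popleft()
        total_queue += len(waiting_starts)
        start = max(t, heapq.heappop(free_at))  # FIFO: the next message takes the first free server
        heapq.heappush(free_at, start + service_s)
        waiting_starts.append(start)
        total_wait += start - t
        arrivals += 1
        if start + service_s <= horizon_s:
            completed += 1
    return {
        "AM": rate_per_s,
        "AQL": total_queue / arrivals if arrivals else 0.0,
        "AW": total_wait / arrivals if arrivals else 0.0,
        "MP": completed,
    }

def capacity_per_s(servers, service_s):
    """Throughput ceiling of the server pool; above it the queue grows without bound."""
    return servers / service_s

def sa_table(rates=(50, 100, 150, 200, 250)):
    """The SA setting of the paper: 10 parallel servers at a constant 32 ms per message."""
    return {rate: simulate_fifo_servers(rate, servers=10, service_s=0.032) for rate in rates}

if __name__ == "__main__":
    print("SA capacity: %.1f msg/s" % capacity_per_s(10, 0.032))
    for rate, r in sa_table().items():
        print("SA  AM=%3d AQL=%8.3f AW=%.4f s MP=%d" % (rate, r["AQL"], r["AW"], r["MP"]))
    rsu = simulate_fifo_servers(400, servers=1, service_s=0.0016)
    print("RSU AM=400 AQL=%8.3f AW=%.4f s MP=%d" % (rsu["AQL"], rsu["AW"], rsu["MP"]))
```

Queue length is sampled at arrival instants, which for Poisson arrivals estimates the time-average queue length (the PASTA property). Running the SA setting above the pool's capacity of $10 / 0.032 = 312.5$ messages per second (for instance at 400 messages per second) shows the unbounded growth of AQL and AW that the constant-service model predicts, which is the regime the paper avoids by adding parallel servers.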

End-to-End Cost
In order to assess the overall (computation and communication) end-to-end cost of the secure communication protocol, we simulated 50 RSUs, each equipped with a single CPU, while the SA is equipped with 10 CPUs working in parallel. This is a reasonable assumption, since in practice the SA will be equipped with much higher processing power than the RSUs. We assume all messages wait in infinite-capacity FIFO queues before they are processed. For the end-to-end cost we add the average wait in the queues (for the SA and the RSUs) and the computational cost of each processing step (composition of a message, signature, etc.); see Figure 6a,b. We omit the average waiting time of the RSU FIFO queues since it is zero in all cases. The computational cost at each vehicle is roughly the cost of encryption, 1.05 ms. As expected, the processing cost related to the SA is the potential bottleneck of our scheme, which however can easily be avoided by assigning proportionally higher parallel processing power to the SA with respect to the number of covered RSUs.

Qualitative Efficiency Comparison
In Table 7 we compare the efficiency of our scheme with other similar schemes in the literature. Similarly to [46], let $T_{ge}$ denote the time required for an exponentiation in $G$, $T_{gm}$ for a multiplication in $G$, $T_{em}$, $T_{ea}$ for scalar multiplication and point addition on the relevant elliptic curve, $T_{bp}$ for a bilinear pairing, $T_{me}$, $T_{mm}$, $T_{ma}$ for modular exponentiation, multiplication and addition respectively, $T_{bpe}$ for exponentiation in the bilinear pairing, $T_h$ for computing a hash function and $T_{bs}$ for performing a binary search.

Table 7. Qualitative efficiency comparison with existing schemes.

Scheme | Vehicle | Server
BPPA [60] | $T_{em} + T_h$ | $2T_{em} + T_{ea} + 25T_h$
EMAP [61] | $T_{em} + 2T_h$ | $4T_{em} + 2T_{ea} + 3T_h$
DKM [62] | $3T_{bp} + 3T_{bpe} + 5T_{em} + T_{ea} + T_h$ | $5T_{bp} + 4T_{bpe} + 4T_{em} + 2T_{ea} + 3T_h$
BUA [63] | $8T_{me} + 4T_{mm} + T_h$ | $3T_{me} + 3T_{mm} + T_h$
PACM [46] | $3T_{ge} + 5T_h$ | $2T_{ge} + 9T_h$
Our Scheme | $T_{ge} + T_{gm} + 2T_h + T_{mm} + T_{ma}$ | $2T_{bp} + 1T_{bpe} + 2T_{gm} + 2T_h + 3T_{ge} + T_{mm} + T_{ma} + T_{bs}$

From the vehicle side, our scheme requires 3 modular exponentiations, making it more efficient than [46,63] but less efficient than [60,61], which only require scalar multiplications. The scheme of [62] is the least efficient, as it requires pairing computations at the vehicle. From the server side, our scheme requires two pairings and three exponentiations. Although lighter schemes without pairings exist, such as [60,61], the extra computation cost allows our scheme to provide enhanced security against corrupted colluding authorities and at the same time strong privacy against honest-but-curious entities. Given that the extra computation burden is at the server and not at the vehicle side, and based on the performance analysis presented above, the proposed scheme can be efficiently implemented in realistic scenarios.

Conclusions
We have proposed a secure, privacy-preserving and efficient V2I communication protocol, based on cryptographic primitives such as AoN-PKEET, NIZKP and partially blind signatures. Our scheme provides strong security guarantees against both insiders and outsiders, even in the presence of untrusted authorities. Indeed, framing and impersonating trusted vehicles is not possible, even in the case where all authorities are compromised. In addition, our scheme provides privacy against honest-but-curious authorities. We formally analyzed the security and privacy properties. Finally, through simulations we measured the efficiency of the proposed scheme for realistic scenarios.
In its current form, our scheme is suitable only for V2I communication. As future work, we intend to explore possible extensions of the proposed scheme to V2V communication. We also intend to explore ways to minimize the required trust in the SA, possibly with the use of tamper-proof devices.

Conflicts of Interest:
The authors declare no conflict of interest.