Robust Conditional Privacy-Preserving Authentication based on Pseudonym Root with Cuckoo Filter in Vehicular Ad Hoc Networks

Abstract

Numerous privacy-preserving authentication schemes have been proposed but vehicular ad hoc networks (VANETs) still suffer from security and privacy issues as well as computation and communication overheads. In this paper, we proposed a robust conditional privacy-preserving authentication scheme based on pseudonym root with cuckoo filter to meet security and privacy requirements and reduce computation and communication overheads. In our proposed scheme, we used a new idea to generate pseudonyms for vehicles where each on-board unit (OBU) saves one pseudonym, named as "pseudonym root," and generates all pseudonyms from the same pseudonym. Therefore, OBU does not need to enlarge its storage. In addition, the scheme does not use bilinear pairing operation that causes computation overhead and has no certification revocation list that leads to computation and communication overheads. The proposed scheme has lightweight mutual authentication among all parties and just for once. Moreover, it provides strong anonymity to preserve privacy and resists ordinary attacks. We analyzed our proposed scheme and showed that it meets security and privacy requirements of VANETs and is more efficient than traditional schemes. The communication and computation overheads were also discussed to show the cost-effectiveness of the proposed scheme.

1. Introduction

 Over the recent years, new network technologies have been presented. One of them is known as vehicular ad hoc network (VANET), which is a subset of mobile ad hoc network and aims to provide intelligent transportation systems [1]. In VANETs, vehicles are considered mobile nodes, and each one has an on-board unit (OBU) that communicates with other OBUs through vehicle-to-vehicle communication and to a roadside unit (RSU) through vehicle-to-infrastructure communication [2]. The IEEE 802.11p technology is specially designed for VANETs and denoted as dedicated short-range communication (DSRC) [3]. By using the DSRC protocol, OBU periodically broadcasts beacons, including the vehicle’s current information, such as location, velocity, heading, and traffic events [4]. Beacons broadcasting in an open-access network may make the system susceptible to security and privacy threats. Mismanagement on these beacons may lead to traffic accidents and loss of human lives. Security and privacy issues are challenging areas that impede the progress of VANETs. Therefore, these issues must be satisfied to facilitate the deployment of VANET technology.

 According to VANETs nature, adversaries can launch several types of attacks by replaying, intercepting, altering, deleting, or forging beacons transmitted among participants. For example, an adversary wants to trouble a vehicle driver, so he/she may eavesdrop communication and collect information about the driver through beacon-based vehicle tracking. Another adversary may also broadcast fake information on a traffic jam or road accident to mislead other drivers for malicious purposes. The solution for the above problems is the provision of important security requirements, such as authentication, message integrity, non-repudiation, un-likability, traceability, and resistance to attacks. The authentication requirement involves some identification information that may threaten the privacy of users. Therefore, achieving a privacy-preserving authentication scheme has become an essential requirement for securing VANETs. To handle privacy issues, VANETs must provide anonymity and a trusted authority (TA) should be the only component which knows the real identity based on the sender’s beacons. For example, when a malicious vehicle is detected, the TA should identify the malicious vehicle driver and revoke him.

 Many academic studies have been proposed to handle problems in VANETs, but each has its own flaws. In the present paper, we used privacy-preserving authentication schemes to provide conditional privacy with authentication in VANETs without depending on the certification revocation list (CRL) that cause communication and computation overheads. The main contributions of this paper are as follows:

 1. We proposed a new idea that deriving other pseudonyms based on a pseudonym root, in which each vehicle saves just one pseudonym (pseudonym root) to conceal its real identity. Therefore, a vehicle does not need to store thousands of pseudonyms within their certificates, thus mitigating the storage capacity of the TA and OBU.

 2. Our scheme has no CRL that is used to check revoked vehicles. Rather, it uses a cuckoo filter to save authentic information of vehicles within the RSU’s range. Therefore, we mitigate communication overhead.

 3. The vehicles in our scheme need to perform mutual authentication just once when they have already reached the first RSU.

 4. RSU cannot reveal the real identity of vehicles; it only knows the pseudonym root. Therefore, in the case of RSU compromise, an adversary cannot reveal valuable information.

 5. Our proposed scheme uses a cryptographic hash function to produce the beacons by the OBU. Therefore, we mitigate the communication and computation overhead.

 The rest of this paper is organized as follows. Section 2 presents some of the existing related works along with their limitations. Section 3 illustrates the preliminaries of the proposed scheme. In section 4, we describe the proposed scheme in detail that is followed by security analysis in section 5. Section 6 presents the performance analysis, including communication overhead and computation overhead comparisons. The proposed scheme is concluded in Section 7.

 

2. Related Work

 Several schemes have been suggested to meet the security and privacy requirements of VANETs. These schemes include group signature-based, pseudonym-based, ID-based, and symmetric cryptography-based schemes [5]. All proposed schemes aim to resolve several security and privacy issues in VANETs. Raya et al. [6] used public/private key pairs and corresponding certificates to design conditional privacy-preserving authentication (CPPA) model based on public key infrastructure (PKI). However, each OBU requires storing a big number of key pairs and corresponding certificates. These keys are changed each period so that the tracker cannot track a vehicle. This work considers one of the early pseudonym-based schemes, and other authors have followed this work and provided a lot of new schemes. The previous work has some drawbacks. First, the OBU of each vehicle needs large storage to save public/private key pairs and corresponding certificates. Second, this work used CRL. Thus, when revoking a vehicle, all certificates supplied to a vehicle must be included in the CRL. As a result, the size of CRL will exponentially grow. Accordingly, this case causes an OBU to check CRL before checking a beacon, communication overhead to publish CRL, and large storage to save CRL on an OBU. Sun et al. [7] proposed a new scheme, named PASS, which is different from traditional pseudonym schemes as it uses hash chains to reduce the size of CRL. In addition, they proposed proxy re-signature schemes to reduce the time of updating certificates. Lu et al. [8] proposed a scheme that depends on the RSU to provide a short-time pseudonym for each OBU, so the pervasive deployment of RSU is significant in this scheme. Wasef et al. [9] proposed a scheme, called EMAP, to adopt PKI to provide more comfort to VANETs. The traditional PKI uses a revocation checking process, which takes a long time due to the large size of CRL. EMAP scheme overcomes this limitation by using a keyed-hash message authentication code instead of the CRL checking process. This scheme decreases the message loss ratio caused by traditional authentication schemes. Rajput et al. [10] suggest scheme-based pseudonym without using CRL. However, in this scheme, a vehicle acquires two pseudonyms: primary pseudonym from the Certification Authority (CA) that is used for a long time and secondary pseudonyms from the RSU that is used for a short time. This scheme does not meet the unlink ability requirement as the adversary can link two beacons for the same vehicle.

 Lin et al., Calandriello et al., and Zhang et al. [11-13] proposed group signature(GS)-based schemes that define a set of vehicles to provide privacy preservation by hiding the real identity of the vehicle among other group members. However, this scheme has some flaws [10]. A group manager can track the members because he/she has full knowledge of the group members, the choice of group manager is also complicated, and a vehicle may connect or leave the group at any time in a dynamic environment. In addition, the verification process between the signature and identity needs to use a pairing operation, which leads to a significant computation overhead on an OBU.

 Shim [14] proposed a scheme to provide CPPA named CPAS based on pseudo identity-based signature, which uses batch authentication of beacons on RSU to mitigate the computation overhead of RSU whenever the number of beacons is larger. However, when TA retrieves a complete revocation list, it consumes additional time. TA cannot also process additional authentication overheads produced by the illegitimate part. Zhang et al. [15] proposed another CPPA scheme based on pseudo identity-based signature. This scheme supports batch authentication to increase the throughput of identity authentication and enhances computation overheads in the message signature. However, this scheme cannot provide the non-repudiation requirement as pointed out by Lee et al. [16]. It cannot also resist a modification attack as pointed by Liu et al. [17]. He et al. and Zhong et al. [18-19] proposed an ID-based CPPA scheme that does not use bilinear pairing operation to improve the computation process and mitigate the significant computation overhead in previous schemes. However, Zhong et al. [20] pointed out a flaw in [18-19]. In the case of an attack, TA can track the real identity of an attacker but cannot block it from continuously sending malicious messages. Zhong et al. [20] proposed a CPPA scheme that depends on a registration list by using a bloom filter rather than a CRL to mitigate communication overheads. This scheme meets most security and privacy requirements, but it has some limitations. For instance, in the case of RSU compromise, the adversary will acquire all information of all vehicles in RSU’s range because RSU has the real identity of vehicles. Moreover, the verification of beacons in OBU depends on the bloom filter that is issued by RSU and it should be updated in each notification message. This process consumes a lot of time. In addition, an OBU repeats the mutual authentication with each new RSU. This process also needs a TA to verify the identity of a vehicle, leading to computation overhead on TA.

 Recently, some works proposed to treat the previous problems. Yang et al [21] and Ismaila et al [22] propose schemes based the certificateless cryptography [23] with the elliptic curve cryptography (ECC). These schemes do not need the certificate management found in the traditional public key cryptography (PKC). In a certificateless scheme, a secret key is generated by the vehicle itself depending on the partial secret key produced by a trusted party named the key generator center (KGC). Thus, the KGC does not know the secret key of all vehicles. Besides, in the certificateless scheme, public key certificates are not required to assure the validity of public keys. The schemes in [21,22] satisfy the security and privacy requirements in VANET but still suffer the computation and communication cost inefficiency. To mitigate the computation cost, Jie et al [24] suggest a new scheme using the Chinese remainder theory to share the symmetric cryptography key. This scheme is prone to insider attackers and do not meet the non-repudiation requirement. Using the attribute-based signature (ABS), Hui et al [25] proposed a scheme to address the security in VANET. Since ABS has a similar property to that of GS-based schemes but without needing group administrator to manage the members in the group. In ABS scheme, the TA issues a secret attribute key related with a set of attributes (vehicle’s type, color, city, ...) for every vehicle. The validity of the ABS message’s signature is achieved by a claim-predicate over these attributes. Moreover, Hui et al [25]’s scheme used the binary structure tree to satisfy the traceability and revocation requirements because the ABS does not support these requirements. In this paper, we propose a new scheme based on CPPA, which uses a new idea to generate pseudonyms for vehicles. Here, each OBU saves one pseudonym (pseudonym root) and generates all pseudonyms from pseudonym root. Therefore, OBU does not need large storage. It also uses the cuckoo filter in the authentication and verification processes, and the proposed scheme has no CRL that causes computation and communication overheads. Moreover, the proposed scheme satisfies the security and privacy requirements of VANETs.

 

3. Preliminaries

 In this section, we present the system model of the proposed scheme, design objectives, desired requirements, and auxiliary tools.

 

3.1. System model

 VANET structure generally comprises three components, namely, TA, RSU and OBU which are installed in each vehicle as shown in Fig. 1. The connection among OBUs or between OBU and RSU uses a wireless channel, and that between TA and RSU uses a wired channel [26].

 1. TA is a third party that is accountable for generating essential system parameters for the OBU and RSUs. Furthermore, TA is supposed to know the presence of all RSUs and has a secure connection to them.

 2. RSU is a stationary device located beside the roads and at signal crossroads. It is used to manage the communication of all vehicles inside its range and broadcast notification traffic messages. It also communicates with other RSUs and the TA to send and receive information related to road traffic over a secure channel of the wired network. Furthermore, each RSU has a unique real identity. We refer to this real identity as 〖ID〗_R in the rest of the paper.

 3. OBU is a device installed in each vehicle and is used to connect other vehicles and periodically publish beacons. Furthermore, each OBU has a tamper-proof device (TPD) that is used to save secure information. Each vehicle also has a unique real identity, which is referred as 〖ID〗_v in the rest of the paper

Fig. 1. System model

 

3.2. Design objectives

 The design objectives of the proposed scheme are as follows:

 1.  Authentication: The most important aim is to guarantee the legitimacy of the user. The beacon receiver should be able to authenticate the beacon sender.

 2. Identity and privacy preservation: Privacy preservation of vehicle information and its owner is also an important aim in VANETs. If this technology is used the people, the adversary will not be able to acquire the real identity of vehicles according to beacons sent by the vehicles. Only the TA will know the real identity of the beacon sender.

 3. Message integrity: Message integrity should be ensured, where,  the content of the beacon will be transported unaltered to the receiver.

 4. Non-repudiation: It is one of the significant requirements in VANETs, it means, the sender will not deny sending the beacon.

 5. Traceability and revocability: TA will trace the real identity of any vehicle and revoke this vehicle from continue sending authentic beacons in VANETs.

 6. Un-linkability: The adversary will not be able to detect the two beacons sent by the same vehicle.

 7. Resistance to attacks: A good privacy-preserving authentication scheme in VANETs should be able to resist ordinary attacks, such as:

 • Replay attack which is illegal or malicious users attempt to impersonate an authentic node by using previously generated messages in new connections.

 • Modification attack which is illegal or malicious users attempt to alter or modify messages among all participants in VANETs.

 • Impersonation attack which is illegal or malicious users attempt to impersonate an authentic node, either to disturb the normal working of the network or to use network resources that might not be accessible to it.

 8. Self-verification: OBU should make a mutual authentication with an RSU without the need for TA intervention. This feature mitigates the time consumed in the communication between RSU and TA.

 9. prediction: RSU should predict a new pseudonym for any vehicle in its range to make the scheme more secure and cancel the time consumed in the process of exchanging pseudonyms.

 

3.3. Auxiliary tools

 In this paper, we used the following auxiliary tools to complete the proposed scheme:

 1. Cryptographic hash function h: It is a one-way function that uses to produce fixed length data from arbitrary length data. The following properties should be satisfied to make h secured [27]:

 • Given x, y=h(x) can be easily calculated, whereas the inverse of function x=h^-1(y) can be hardly calculated.

 • Given x and y, finding h(x)=h(y) can be computationally infeasible. This property is named as a strong collision resistance.

 2. Cuckoo filter: It is a new form of probabilistic data structure that is used to test a membership of an item among the set. It gives good search accuracy and time than bloom filters corresponding in a storage size [28]. It is involved in an array of buckets where each bucket comprises several entries. It reduces its space by only computing a fingerprint f of the item’s value to be stored in the array. It uses a small f bit fingerprint to symbolize data. Cuckoo filter is used as a cuckoo hashing function to get rid of collisions and is basically a compact cuckoo hash table. Cuckoo hashing function is a form of collision management in hash-based data structures. In cuckoo hashing function, each data item is hashed by two dissimilar hash functions to calculate the indices of two candidate buckets i₁ and i₂ as i1 =h(item)mod M and i₂ = i⨁h(f(item))mod M, where M is the size of cuckoo filter. Value f can be allocated to one of the two candidate buckets where candidate bucket i₁ is tried first. If the bucket i₁ is empty, then the value is located in i₁. If it is allocated, then bucket i₂ is tried. If the bucket i₂ is empty, then the value is located there. If i₂ is allocated, then the occupant of i₂ is evicted and the value of f is located there. Fig. 2 illustrates how item w is inserted to cuckoo filter, where the two hashed values i₁,i₂ are mapped to place that are already allocated. To test the membership of any item in the cuckoo filter, we first compute the fingerprint of item f(item) and compute i₁,i₂. Then, if f(item) can be found i₁ or i₂, then the cuckoo filter is proven true; otherwise, the cuckoo filter is proven false

Fig. 2. Insertion operation in cuckoo filter

 3. Homomorphic encryption: It is defined as a method of encryption that performs a specific algebraic operation on ciphertext and generates an encrypted result that matches the result of the same algebraic operation performed on its plaintext. In mathematics, this method is called mappings or functions [29].

 

3.4. Assumptions

The following are some assumptions in the proposed scheme:

 1. The clock of all participants is synchronized.

 2. TA is wholly trustworthy and will not be compromised.

 3. Storage capacity and computing power of TA are higher than those of RSU, and those in RSU are higher than those in OBUs.

Table 1. Notations used in the proposed scheme

 

4. Proposed scheme

 The proposed scheme is comprised of five phases, namely, initialization, registration, mutual authentication, broadcast and verification, and vehicle revocation phases. The main notations used in our scheme and their descriptions are illustrated in Table 1.

 

4.1. Initialization phase

 In this phase, the TA works in producing the essential system parameters. These parameters are published to the participants of VANETs to facilitate the registration and other processes for OBU and RSU:

 1- Key generation: By using homomorphic encryption, TA generates public key Pk and private key Sk:

  • First step: TA randomly selects two big prime numbers p and q. These numbers should be independent of each other, such that gcd⁡(pq,(p-1)(q-1))=1.

 • Second step: TA computes n=pq and λ=lcm(p-1,q-1). lcm means least common multiple.

 • Third step: TA selects random integer g, where \(g \in Z_{n^{2}}^{*}\)

 • Last step: n divides the order of g by checking the existence of the following modular multiplicative inverse  \(\mu=\left(L\left(g^{\lambda} \bmod n^{2}\right)\right)^{-1}\) mod n, where function L is defined as\(L(x)=\frac{x-1}{n}\) .

 2- Public key Pk is (n,g) and private key Sk is (λ,μ)

 3- TA selects the cryptographic hash function h.

 4- TA generates big integer number s∈Z^*. TA periodically updates s each time period.

 5- All vehicles can get {Pk ,h}, and all RSUs can get {s ,h} from TA

 

4.2. Registration phase

 The new participant should undergo a registration process to be verified as authentic. This phase comprises two registration processes, one for RSU registration and the other for vehicle registration:

 1- RSU registration: TA chooses the real identity of RSU ID_R according to its position. Then, it generates random integer number \(m_{R} \in Z^{*}\) and finds corresponding registration time \(T_{R e g_{R}}\). Finally, TA saves < ID_R,m_r,T_RegR >to registration list \(\operatorname{Reg} L_{R}\) and sends the same information with number s to RSU.

 2- OBU registration: In this process, OBU will use 4G/5G communication to send registration request to TA. First, vehicle’s driver chooses password PW, and then OBU will send message \(\left\{e n c_{P k}\left(I D_{v}, P W\right)\right\}\). TA decrypts receiving message \(\left\{\operatorname{dec}_{S k}\left(I D_{v}, P W\right)\right\}\), and then it will validate real identity ID_v, generate random integer number \(m_{v} \in Z^{*}\), find corresponding registration time T_RegR, and compute \(m_{v}^{*}=m_{v} \oplus h(P W)\) and \(\sigma_{T A}=h\left(T_{R e g_{v}}\left\|I D_{v}\right\| m_{v}\right)\). Finally, it will save \(<I D_{R}, P W,m_{R}, T_{R e g_{R}}>\) to registration list  \(\operatorname{Reg} L_{v}\) and sends \(<m_{v}^{*}, T_{R e g_{v}}, \sigma_{T A}>\) to OBU. After receiving the message, OBU computes \(m_{v}=m_{v}^{*} \oplus h(P W)\) and checks if \(\sigma_{T A}= ? h\left(T_{R e g_{v}}\left\|I D_{v}\right\| m_{v}\right)\). If equivalent, then it saves \(<I D_{R}, P W, m_{R}, T_{R e g_{R}}>\) to its TPD. Fig. 3 illustrates this process.

Fig. 3. OBU registeration process

 

4.3. Mutual authentication phase

 This important phase creates a robust authentication among all parts of VANETs (TA, RSU, and OBU). A vehicle driver must input ID_v and PW to TPD to start OBU, and then TPD checks whether { ID_v  ,PW} are matching to the stored ones. If not matching, then OBU does not work; otherwise, it generates random integer number \(y \in Z^{*}\) and compute PID_v=\(I D_{v} \oplus h(y), x=y \oplus h\left(m_{v}\right)\), and \(P_{\text {root}}=h\left(I D_{v} \| y\right)\). The previous calculation can be completed before a vehicle enters to RSU’s range. When the vehicle reaches to the first RSU’s range, it performs steps (1–5). When it reaches to other RSUs, it only performs steps (6–8) to mitigate the computation and communication overheads on TA and RSU.

 1- OBU computes hash function \(\sigma_{O B U}=h\left(T_{R e g_{y}}\left\|T_{1}\right\| P I D_{v}\|x\| y\left\|I D_{v}\right\| I D_{R}\right)\). Finally, it sends \(\left\{T_{R e g_{v}}, T_{1}, P I D_{v}, x, \sigma_{O B U}\right\}\) to the RSU.

 2- After receiving message \(\left\{T_{R e g_{v}}, T_{1}, P I D_{v}, x, \sigma_{O B U}\right\}\), RSU first checks timestamp T₁ if it is the latest or not. (All the timestamps are confirmed in the following method: Suppose T_rec is the receiving time of message, and △T is the predefined time delay value. If (△T>T_rec-T), then the timestamp is valid. Otherwise, the message will drop). If so, then RSU generates random integer number z∈Z^* and computes PID_R=\(I D_{R} \oplus h(z), w=z \oplus h\left(m_{R}\right)\), and  \(\sigma_{R S U}=h\left(T_{R e g_{R}}\left\|T_{2}\right\| w\left\|m_{R}\right\| I D_{R}\left\|\sigma_{O B U}\right\| P I D_{v}\right)\) and then saves information\(\left\{T_{2}, T_{R e g_{v}}, P I D_{v}, z\right\}\) to temporary handshaking list TL. Finally, RSU sends \(\left\{T_{R e g_{R}}, T_{2}, w, P I D_{R}, \sigma_{R S U}, T_{R e g_{v}}, T_{1}, x, P I D_{v}, \sigma_{O B U}\right\}\) to TA.

 3- After receiving message \(\left\{T_{R e g_{R}}, T_{2}, w, P I D_{R}, \sigma_{R S U}, T_{R e g_{v}}, T_{1}, x, P I D_{v}, \sigma_{O B U}\right\}\), TA first checks timestamp T₂ if it is the latest or not. If so, then TA retrieves information\(\left\{m_{R}, I D_{R}\right\}\) and \(\left\{m_{v}, I D_{v}\right\}\) from \(\operatorname{Reg} L_{R}\)and \(\operatorname{Reg} L_{v}\) according to \(T_{R e g_{R}}\) and \(T_{R e g_{v}}\), respectively. Then, TA computes \(z^{\prime}=w \oplus h\left(m_{R}\right)\) and \(I D_{R}^{\prime}=P I D_{R} \oplus h\left(z^{\prime}\right)\) and then checks if \(\left(I D_{R}=? I D_{R}^{\prime}\right)\). If equivalent, then TA checks if \(\sigma_{R S U}=? h\left(T_{R e g_{R}}\left\|T_{2}\right\| w \|\right. \left.m_{R}\left\|I D_{R}\right\| \sigma_{O B U} \| P I D_{v}\right)\). If yes, then TA computes \(y^{\prime}=x \oplus h\left(m_{v}\right)\) and \(I D_{v}^{\prime}=P I D_{v} \oplus h\left(y^{\prime}\right)\) and checks if \(\text { if }\left(I D_{v}=? I D_{v}^{\prime}\right)\). If equivalent, then TA ensures the integrity of OBU message by checking if \(\sigma_{O B U}=? h\left(T_{R e g_{v}}\left\|T_{1}\right\| P I D_{v}\|x\| y^{\prime}\left\|I D_{v}\right\| I D_{R}\right)\). If equivalent, then it produces \(P_{\text {root}}=h\left(I D_{v} \| y\right)\). TA saves P_root to RegL_v by using it later in the revocation process and hiding it by computing \(P_{\text {root}}^{*}=P_{\text {root}} \oplus h\left(m_{R}\right)\). Before TA sends the responding message, it should calculate two hash functions, one for RSU and the other for OBU, to prove its validity. The functions are \(\sigma_{T A_{v}}=h\left(P_{\text {root}} \|\right. \left.I D_{v} \| m_{v}\right)\)and \(\sigma_{T A_{R}}=h\left(T_{3}\left\|T_{2}\right\| P_{\text {root}}\left\|\sigma_{T A_{p}}\right\| m_{R}\right)\). Lastly, TA sends \(\left\{T_{3}, T_{2}, P_{\text {root}}^{*}, \sigma_{T A_{R}}, \sigma_{T A_{v}}\right\}\) to RSU.

 4- After receiving message \(\left\{T_{3}, T_{2}, P_{\text {root}}^{*}, \sigma_{T A_{R}}, \sigma_{T A_{v}}\right\}\), RSU first checks timestamp T₃ if it is the latest or not. If so, then RSU retrieves the information in TL according to T₂. Then, it computes \(P_{\text {root}}=P_{\text {root}}^{*} \oplus h\left(m_{R}\right)\) and checks if \(\sigma_{T A_{R}}=? h\left(T_{3}\left\|T_{2}\right\| P_{\text {root}}\left\|\sigma_{T A_{v}}\right\|\right. \left.m_{R}\right)\). If equivalent, then RSU derives the first pseudonym level Ps when Lev=1 (we will explain Ps ,lev in the next phase). Then, it saves the information of vehicle \(<P_{\text {root}}, T_{R e g_{v}}, P s, L e v>\) with the pseudonym list PsL that contains information of all vehicles in its range. Then, RSU computes \(\sigma_{R S U}=h\left(T_{4}\|S\| P_{\text {root}} \| \sigma_{T A_{v}}\right)\) and \(s^{*}=s \oplus h\left(P_{\text {root}}\right)\). Finally, it sends \(\left\{T_{4}, S^{*}, \sigma_{R S U}, \sigma_{T A_{v}}\right\}\) to OBU.

 

Fig. 4. Mutual authentication process with first RSU

 5- After receiving message \(\left\{T_{4}, S^{*}, \sigma_{R S U}, \sigma_{T A_{v}}\right\}\), OBU first checks timestamp T₄ if it is the latest or not. If yes, OBU computes \(s=s^{*} \oplus h\left(P_{\text {root}}\right)\), it checks if \(\sigma_{R S U}=? h\left(T_{4}\|S\|\right.\left.P_{\text {root}} \| \sigma_{T A_{v}}\right)\) and \(\sigma_{T A_{v}}=? h\left(P_{\text {root}}\left\|I D_{v}\right\| m_{v}\right)\). If they are equivalent, that means all the three parts have completed the mutual authentication process. Moreover, RSU and OBU have agreement to use the same P_root to generate all other pseudonyms. Fig. 4 illustrates all the processes in this phase. After the end of this step, an OBU acquires number s. Number s is a shared secure number among all RSUs in VANETs that is randomly generated by TA and periodically updated. An OBU acquires this number after finishing the five steps with the first RSU, and OBU will use the number to create mutual authentication with the rest of the RSUs. Therefore, it only needs to perform steps (6–8) to create the mutual authentication with the rest of the RSUs. In addition, OBU uses number s with each beacon to facilitate the verification process on the beacon receiver. (When TA updates number s, all OBUs should send a request message to the nearest RSU to acquire the new number s).

 6- When OBU gets out from the first RSU’s range and gets into the new RSU’s range, it sends a joint request message to the new RSU. This message is \(\left\{T_{5}, T_{R e g_{v}}, P_{r o o t}^{*}, L e v\right., \left.\sigma_{O B U}\right\}\) , where \(\sigma_{O B U}=h\left(T_{5}\left\|T_{R e g_{v}}\right\| P_{\text {root}}^{*}\|L e v\| s\right)\) and \(P_{\text {root}}^{*}=P_{\text {root}} \oplus h(s)\).

 7- After receiving message\(\left\{T_{5}, T_{R e g_{v}}, P_{r o o t}^{*}, L e v, \sigma_{O B U}\right\}\), RSU first checks timestamp T₅ if it is the latest or not. If so, then it checks if \(\sigma_{O B U}=? h\left(T_{5}\left\|T_{R e g_{v}}\right\| P_{r o o t}^{*}\|L e v\| s\right)\). If not equivalent, then the message will drop and assign check=0. Otherwise, RSU computes \(P_{\text {root}}=P_{\text {root}}^{*} \oplus h(s)\), increases Lev+1, derives new Ps, inserts f(Ps) to the cuckoo filter, saves all the information of OBU to PsL, and assigns check=1. Finally, it computes \(\sigma_{R S U}=h\left(T_{6} \| \text { check } \| P_{\text {root}}\right)\) and sends the message \(\left\{T_{6}, \text { check, } \sigma_{R S U}\right\}\) to OBU.

 8- After receiving message \(\left\{T_{6}, \text { check, } \sigma_{R S U}\right\}\), OBU first checks timestamp T₆ if it is the latest or not. If so, then it checks if \(\sigma_{R S U}=? h\left(T_{6} \| \text { check } \| P_{\text {root}}\right)\). If equivalent, then it checks if the value of check is equal to one, and then it starts broadcasting beacons. Otherwise, it should perform the first five steps Fig. 5 illustrates the mutual authentication with the rest RSUs after getting out from the first RSU’s range.

Fig. 5. Mutual authentication process with the rest RSUs

 

4.4. Broadcasting and verification phase

 RSU periodically broadcasts notification messages that are contained on the cuckoo filter. The filter is used to store the fingerprint of legitimate pseudonym f(Ps). RSU also updates the cuckoo filter after the time period or when a vehicle leaves or joins.

 1. Broadcasting process: After the mutual authentication process is completed, OBU starts broadcasting the beacons. Prior to that, RSU and OBU perform the following:

 • RSU derives the first pseudonym level for the new vehicle from its P_root as Ps=〖\(h\left(P_{\text {root}} \| L e v\right)\), where Lev=1.

 • RSU inserts {Ps ,Lev} to PsL.

 • RSU inserts f(Ps) to the cuckoo filter by cuckoo hashing that is explained in section (3.4), and publishes it with a notification message. (After this step, all vehicles in RSU’s range acquires the cuckoo, so the beacons for the new vehicle will be proven authentic.)

 • OBU derives the first pseudonym level Ps from P_root and Lev=1. Therefore, the beacon will be known to all participants and the beacon’s sender will be confirmed as an authentic sender. The beacon is derived from \(\left\{T, m s g, \sigma_{m s g}\right\}\), where \(\sigma_{m s g}=P s \oplus h(T\|m s g\| s)\). (RSU increases Lev by one for all OBUs in its range to derive the new Ps with each updating process for the cuckoo filter. After updating the cuckoo filter, OBU also increases Lev by one and derives the same new Ps.)

 2. Verification process: When a vehicle receives beacon {T,msg ,σ_msg}, it performs the following steps:

 • First step: Check timestamp T if it is the latest or not. If so, then it continues the verification process. Otherwise, it drops the beacon.

 • Second step: Compute \(P s=\sigma_{m s g} \oplus h(T\|m s g\| s)\).

 • Third step: Check f(Ps) in the two hashed i₁,i₂ in the cuckoo filter. If unoccupied, then it drops the beacon.

 

4.5. Vehicle revocation phase

 This phase explains how a TA revokes any vehicle that broadcasts false information. However, each RSU has all the information about OBUs inside its range in PsL, so if a culprit vehicle is found, the RSU acquires the information of this vehicle from its beacon. Then, it sends the information \(\left\{P_{\text {root}}, T_{R e g_{v}}\right\}\) to TA. TA retrieves real identity ID_v from RegL_v according to the information in the received message. Next, it removes the vehicle from RegL_v, inserts it to the revocation list, and updates number s. Lastly, TA notices RSU to remove the vehicle from its PsL and revoke it from continuous broadcasting. Fig. 6 illustrates this phase.

Fig. 6. Revocation process

 

5. Analysis of the proposed scheme

 In this section, we analyze the proposed scheme to confirm that the requirements of security and privacy in VANETs have been met in this paper. In addition, we analyze the resistance of our scheme to some ordinary attacks. Table 2 explains the comparisons between our scheme and other related schemes in terms of the security and privacy requirements and ordinary attacks.

 

5.1. Security and privacy requirements

 1. Authentication: In the proposed scheme, all vehicles broadcast safety beacons, where the content of each beacon is \(\left\{T, m s g, \sigma_{m s g}\right\}\). The vehicle must have number s to compute\(\sigma_{m s g}=P s \oplus h(T\|m s g\| s)\), and only the authentic vehicle that completed the mutual authentication phase has this number. Therefore, the adversary cannot easily broadcast authentic beacons without number s. Moreover, the receiver vehicle must have the same number to implement \(P s=\sigma_{m s g} \oplus h(T\|m s g\| s)\) and acquire the true pseudonym of sender Ps to check it in the cuckoo filter. Thus, our scheme has met the authentication requirement.

Table 2. Security comparisons our proposed scheme and previous schemes

 2. Identity and privacy preservation: The content of the beacon \(\left\{T, m s g, \sigma_{m s g}\right\}\) has no information about the vehicle’s real identity. Therefore, no adversary can acquire real identity ID_v. Thus, our scheme has met the identity and privacy preservation requirement.

 3. Message integrity: In our proposed scheme, we use hash function to check message integrity, in which each beacon has \(\sigma_{m s g}=P s \oplus h(T\|m s g\| s)\) that ensures that the beacon is received without alterations. Thus, our scheme has met the message integrity requirement.

 4. Non-repudiation: According to the value of σ_msg in the beacon \(\left\{T, m s g, \sigma_{m s g}\right\}\), which is computed as \(\sigma_{m s g}=P s \oplus h(T\|m s g\| s)\), where \(P s=h\left(P_{\text {root}} \| L e v\right)\), vehicles cannot broadcast the same beacon because each vehicle has unique P_root. Therefore, any vehicle cannot deny sending its beacons. Thus, our scheme has met the non-repudiation requirement.

 5. Traceability and revocability: RSU can trace OBU in accordance with σ_msg in the beacon, where \(\sigma_{m s g}=P s \oplus h(T\|m s g\| s)\), and RSU has number s, so it can compute \(P s=\sigma_{m s g} \oplus h(T\|m s g\| s)\) and acquire all vehicle’s information in PsL in accordance with Ps. Then, it sends \(\left\{P_{\text {root}}, T_{R e g_{v}}\right\}\) to TA to reveal the real identity of OBU in accordance with \(\left\{P_{\text {root}}, T_{R e g_{v}}\right\}\) in  RegL_R. Finally, it revokes the vehicle from continuously broadcasting beacons by sending a notice message to RSU to remove it from the cuckoo filter and update number s to all RSUs. Thus, our scheme has met the traceability and revocability requirement.

 6. Un-linkability: The format of beacon in our scheme is \(\left\{T, m s g, \sigma_{m s g}\right\}\), where \(\sigma_{m s g}= P s \oplus h(T\|m s g\| s)\). Therefore, all beacons for the same vehicle are different and the adversary cannot determine whether the two given beacons are generated by the same OBU. Thus, our scheme has met the Un-linkability requirement.

 7. Self-verification: In our proposed scheme, the mutual authentication needs TA intervention just for once with the first RSU. After that, the mutual authentication process with other RSUs does not need the TA. The OBU sends a request message to the new RSU. The content of request message is\(\left\{T_{5}, T_{R e g_{y}}, P_{\text {root}}^{*}, L e v, \sigma_{O B U}\right\}\), where\(\sigma_{O B U}=h\left(T_{5}\left\|T_{R e g_{v}}\right\| P_{\text {root}}^{*}\|L e v\| s\right)\) and \(P_{\text {root}}^{*}=P_{\text {root}} \oplus h(s)\). Therefore, if number s in the request message matches to that saved in the RSU, then an RSU will accept the request message and an OBU will become a legitimate node. This procedure continues until TA updates number s. Thus, after each updating process for number s, OBU needs to renew the mutual authentication from the first.

 8. Pseudonym prediction: In the proposed scheme, OBU uses the pseudonym root to derive any new Ps by \(P s=h\left(P_{\text {root}} \| L e v\right)\), where \(P_{\text {root}}=h\left(I D_{v} \| y\right)\) and \(y \in Z^{*}\) random integer number. Through the mutual authentication phase, TA computes the same \(P_{\text {root}}\) and sends it to RSU, so RSU has the ability to predict the new pseudonym for any vehicle by computing \(P s=h\left(P_{\text {root}} \| L e v\right)\). Thus, our scheme has met the pseudonym prediction requirement.

5.2. Attack scenarios

 Theorem 1. The proposed scheme resists the replay attack.

 Proof Theorem 1. In accordance with the content of beacon \(\left\{T, m s g, \sigma_{m s g}\right\}\), where \(\sigma_{m s g}=P s \oplus h(T\|m s g\| s)\), the attack cannot possibly use another timestamp because it leads to different values of \(\sigma_{m s g}\). In addition, the beacon receiver first checks the timestamp. If it is not the latest, then it drops the beacon, so the replay attack fails in our scheme.

 Theorem 2. The proposed scheme resists the modification attack.

 Proof Theorem 2. In accordance with \(\sigma_{m s g}\) that is embedded in each beacon, the modification attack cannot fully modify a beacon because \(\sigma_{m s g}=P s \oplus h(T\|m s g\| s)\)and the attacker has no Ps,s. Thus, the modification attack fails in our scheme.

 Theorem 3. The proposed scheme resists the impersonation attacks.

 Proof Theorem 3. The attacker must acquire \(P_{\text {root}}\) of the vehicle if it desires to broadcast an authorized beacon by impersonating the legal vehicle. In accordance with \(P_{\text {root}}=h\left(I D_{v} \| y\right)\), where\(y \in Z^{*}\) is a random integer number, the attacker cannot easily acquire ID_v and y to compute \(P_{\text {root}}\) of the vehicle. Thus, the impersonation attack fails in our scheme.

 Theorem 4. In the proposed scheme, if an adversary succeeds in compromising RSU, then it cannot reveal the real identity of any vehicle.

 Proof Theorem 4. In the proposed scheme, RSU only has P_root that is acquired from the TA through the mutual authentication phase, where \(P_{\text {root}}=h\left(I D_{v} \| y\right)\)and\(y \in Z^{*}\) is a random integer number. Therefore, an adversary cannot compute ID_v from P_root or acquire valuable information by compromising any RSU.

 Theorem 5. In the proposed scheme, an adversary cannot acquire the secure random numbers m_v  ,s.

 Proof Theorem 5. An adversary cannot acquire number m_v because TA computes \(m_{v}^{*}= m_{v} \oplus h(P W)\) and sends \(m_{v}^{*}\) to OBU. OBU retrieves m_v by implementing \(m_{v}=m_{v}^{*} \oplus h(P W)\), so an adversary should know PW to get m_v. In addition, OBU uses x=y⨁h(m_v) to send a request message to the first RSU, where y∈Z^* is a random integer number. Similarly, an adversary cannot acquire number s because RSU computes \(s^{*}=s \oplus h\left(P_{\text {root}}\right)\) and sends s* to an OBU. OBU retrieves s by implementing \(s^{*}=s \oplus h\left(P_{\text {root}}\right)\). Thus, an adversary cannot easily acquire number s unless it has P_root. OBU also uses the value of hashed number s in beacons and request joint messages with the rest of RSUs:

 1. The beacon message is \(\left\{T, m s g, \sigma_{m s g}\right\}\), where \(\sigma_{m s g}=P s \oplus h(T\|m s g\| s)\).

 2. The request join message is \(\left\{T_{5}, T_{R e g_{v}}, P_{r o o t}^{*}, L e v, \sigma_{O B U}\right\}\), where \(\sigma_{O B U}=h\left(T_{5} \|\right. \left.T_{R e g_{v}}\left\|P_{\text {root}}^{*}\right\| L e v \| s\right)\) and \(P_{\text {root}}^{*}=P_{\text {root}} \oplus h(s)\).

 Furthermore, the TA will update number s periodically. Therefore, the adversary cannot easily acquire secure random numbers m_v  ,s.

 

6. Performance analysis

 In this section, we discuss the performance of our proposed scheme in terms of communication and computation overheads. We also compare the performance of our proposed scheme with Shim et al. [14], Zhang et al. [15], He et al. [18], Zhong et al. [19], Zhong et al. [20], Yang et al. [25], and Ismaila et al.’s [26] schemes.

Table 3. The execution time and definition of related operations [20].

 

6.1. Computation overhead

 Shim et al.’s [14] and Zhang et al.’s [15] schemes are based on bilinear pairing. In the bilinear pairing, the the additive group G ̅ is generated based on elliptic curve \(y^{2}=x^{3}+x mod p\), where P is a 512-bit prime number. He et al. [18], Zhong et al. [19], and Zhong et al. [20],  Yang et al [21], and Ismaila et al.’s [22] scheme are based on ECC. In the ECC, the additive group G is generated based on elliptic curvev \(y^{2}=x^{3}+a x+b \bmod p\), where p is a 160-bit prime number. Our proposed scheme generates and verifies beacons based on the hash function. The cryptography operations that adopted in our paper present in Table 3 according to Zhong et al. [20]. Where Zhong et al. used the MIRACL library in their experiment, which MIRACL is widely utilized in computing different cryptography operations.

 We compare our proposed scheme with the above-mentioned schemes in terms of computation costs, in two processes, namely, authentication beacon generation and authentication beacon verification. Table 4 and Fig. 7 lists the comparison results of the beacon generation process, and Table 5 and Fig. 8 lists the comparison results of the beacon verification process.

Table 4. The comparison of the execution time for beacon generation

Fig. 7. The comparison of the execution time for beacon generation

 In Shim’s scheme [14], the execution time for generating a single beacon is \(3 T_{S m-b p}+ 2 T_{p a-b p}+1 T_{h} \approx 2.0866 \mathrm{ms}\)2T_(pa-bp)+1T_h≈2.0866 ms.

 In Zhang et al.’s scheme [15], the execution time for generating a single beacon is \(6 T_{S m-b p}+2 T_{p a-b p}+1 T_{m t p}+4 T_{h} \approx 4.2708 \mathrm{ms}\).

 In He et al.’s scheme [18], the execution time for generating a single beacon is \(3 T_{s m-e c c}+3 T_{h} \approx 0.9684 \mathrm{ms}\)

 In Zhong et al.’s scheme [19], the execution time for generating a single beacon is \(2 T_{S m-e c c}+2 T_{h} \approx 0.6456 \mathrm{ms}\).

 In Zhong et al.’s scheme [20], the execution time for generating a single beacon is \(1 T_{s m-e c c}+6 T_{h} \approx 0.3278 \mathrm{ms}\).

 In Yang et al.’s scheme [21], the execution time for generating a single beacon is \(1 T_{s m-e c c} \approx 0.3218 \mathrm{ms}\).

 In Ismaila et al.’s scheme [22], the execution time for generating a single beacon is \(3 T_{s m-e c c}+2 T_{p a-e c c}+3 T_{h} \approx 0.9732 m s\).

 In our proposed scheme, when the vehicle joins the new RSU’s range, it needs to perform mutual authentication by sending a request message to RSU. Through the mutual authentication process, OBU consumes 7T_h with the first RSU and 3T_h with the rest of RSUs. After that, it only consumes 1T_h with each beacon generation process in the broadcasting process. Therefore, the execution time for generating a single beacon in our proposed scheme is 8T_h=0.008 ms with the first RSU and 4T_h=0.004 ms with the rest of RSUs. For broadcasting n beacons, the execution time with the first RSU is nT_h+7T_h=0.001n+0.007 and the execution time with the rest of RSUs is nT_h+3T_h=0.001n+0.003.

Table 5. The comparison of the execution time for beacon verification

Fig. 8. The comparison of the execution time for single beacon verification

 In Shim’s scheme [14], the execution time for verifying a single beacon is \(3 T_{b p}+2 T_{s m-b p}+1 T_{p a-b p}+2 T_{h} \approx 16.6498 \mathrm{ms}\) and that for verifying n beacons is \(3 T_{b p}+(1+ \text { n) } T_{s m-b p}+(3 n-3) T_{p a-b p}+2 n T_{h} \approx 0.7014 n+15.9466 \mathrm{ms}\)

 In Zhang et al.’s scheme [15], the execution time for verifying a single beacon is \(3 T_{b p}+2 T_{s m-b p}+1 T_{p a-b p}+3 T_{h} \approx 16.6508 \mathrm{ms}\) and that for verifying n beacons is 3\(3 T_{b p}+(n+1) T_{s m-b p}+(2 n) T_{s m-b p-s}+(3 n-2) T_{p a-b p}+(3 n) T_{h} \approx 0.8496 n+ 15.9484 m S\)

 In He et al.’s scheme [18], the execution time for verifying a single beacon is \(3 T_{s m-e c c}+2 T_{h}+2 T_{p a-e c c} \approx 0.9722 m s\) and that for verifying n beacons is \((n+ \text { 2) } T_{s m-e c c}+(2 n) T_{s m-e c c-s}+(3 n-1) T_{p a-e c c}+(2 n) T_{h} \approx 0.3802 n+0.6412 m s\)

 In Zhong et al.’s scheme [19], the execution time for verifying a single beacon is \(3 T_{S m-e c c}+2 T_{h}+1 T_{p a-e c c} \approx 0.9698 \mathrm{ms}\) and that for verifying n beacons is \((n+ \text { 2) } T_{s m-e c c}+(2 n) T_{s m-e c c-s}+(2 n-1) T_{p a-e c c}+(2 n) T_{h} \approx 0.3778 n+0.6412 m s\)

 In Zhong et al.’s scheme [20], the execution time for verifying a single beacon is \(500 \mathrm{T}_{\mathrm{h}} \approx 0.5 \mathrm{ms}\) and that for verifying n beacons is \((500 \mathrm{n}) \mathrm{T}_{\mathrm{h}} \approx 0.5 \mathrm{n} \mathrm{ms}\)

 In Yang et al.’s scheme [21], the execution time for verifying a single beacon is \(4 T_{s m-e c c} \approx 1.2872 m s\) and that for verifying n beacons is \((4 n) T_{s m-e c c} \approx 1.2872 n m s\).

 In Ismaila et al.’s scheme [22], the execution time for verifying a single beacon is \(2 T_{s m-e c c}+1 T_{p a-e c c}+T_{h} \approx 0.6470 \mathrm{ms}\) and that for verifying n beacons is \(2 T_{s m-e c c}+ (3 n) T_{s m-e c c-s}+n T_{p a-e c c} \pm n T_{h} \approx 0.0772 n+0.6436 \mathrm{ms}\)

 In our proposed scheme, the execution time for verifying a single beacon is 4T_h≈0.004 ms and that for verifying n beacons is \((4 \mathrm{n}) \mathrm{T}_{\mathrm{h}} \approx 0.004 \mathrm{n} \mathrm{ms}\)

Fig. 9. Verification delay versus a number of received beacons

 Fig. 9 presents the verification delay according to the number of beacons that is received by any trusted vehicle. The vehicle in VANET requites 100-300 ms to broadcast one beacon [3]. In case of high density, each vehicle will receive beacons from about 180 vehicles every 100-300 ms, that means, the vehicle should verify 600-2000 beacons per one second [14]. To verify 2000 beacons, the vehicle in our scheme only needs to 8.00 ms, whereas the schemes in [14,15,18,19,20,21,22] need to 1418,74 ms, 1715.14 ms, 761.04 ms, 756.24 ms, 1000 ms, 2574.40 ms, and 155.04 ms Respectively.

 Consequently, we can deduce that our proposed scheme is more efficient compared with other related schemes in terms of reducing computation overhead and thus can be effectively used in VANETs.

 

6.2. Communication overhead

 In the elliptic curve \(y^{2}=x^{3}+x \bmod p\), where p is a 512-bit prime number, the size of each element in the bilinear pairing-based group G ̅ is 128 bytes. Whereas in the elliptic curve \(y^{2}=x^{3}+a x+b \bmod p\), where p is a 160-bit prime number, the size of each element in the ECC-based group G is 40 bytes [30]. The size of timestamp is 4 bytes and the size of output of the secure hash function is 20 bytes [31]. The size of element in integer group Z_q^* is also 20 bytes. The length of the traffic information message is not computed in the comparisons listed in Table 6 and Fig. 10.

Table 6. Communication cost of different schemes

Fig. 10. Communication cost of different schemes

In Shim’s scheme [14], the content of the broadcasted message is \(\left\{A I D_{i}, T_{i}, U_{i}, V_{i}, W_{i}\right\}\), where 〖\(A I D_{1}=\left\{A I D_{i}^{1}, A I D_{i}^{2}\right\}, A I D_{i}^{1}, A I D_{i}^{2}, U_{i}, V_{i}, W_{i} \in \bar{G}\) ̅ and T_i is the timestamp. Therefore, the communication cost for Shim’s scheme [14] is 128×5+4=644 bytes.

 In Zhang et al.’s scheme [15], the content of the broadcasted message is \(\{I D, M, \sigma, T\}\), where \(I D=\left\{I D_{1}, I D_{2}\right\}\) ,\(I D_{1}, I D_{2}, \sigma \in \bar{G}\) and T is the timestamp. Therefore, the communication cost for Zhang et al.’s scheme [15] is 128×3+4=388 bytes.

 In He et al.’s scheme [18], the content of the broadcasted message is \(\{M, A I D, T, R, \sigma\}\), where \(A I D=\left\{A I D_{1}, A I D_{2}\right\}, A I D_{1}, R \in G\) and \(A I D_{2}, \sigma \in Z_{q}^{*}\) and T is the timestamp. Therefore, the communication cost for He et al.’s scheme [18] is 40×2+20×2+4=124 bytes.

 In Zhong et al.’s scheme [19], the content of the broadcasted message is \(\{A I D, M, \sigma, T\}\), where \(A I D=\left\{A I D_{1}, A I D_{2}\right\}, A I D_{1} \in G\) and \(A I D_{2}, \sigma \in Z_{q}^{*}\) and T is the timestamp. Therefore, the communication cost for Zhong et al.’s scheme [19] is 40+20×2+4=84 bytes.

 In Zhong et al.’s scheme [20], the content of the broadcasted message is { T ,m ,σ}, where \(\sigma \in Z_{q}^{*}\) and T is the timestamp. Therefore, the communication cost for Zhong et al.’s scheme [20] is 20+4=24 bytes.

 In Yang et al.’s scheme [21], the content of the broadcasted message is \(\left\{P I D_{i}, P K_{i}, c t_{i}\right.\left.u_{i}, v_{i}\right\}\), where \(P I D_{i}=\left\{P I D_{i, 1}, P I D_{i, 2}, T_{i}\right\}, P I D_{i, 1}, P K_{i} \in G, P I D_{i, 2}, u_{i}, v_{i} \in Z_{q}^{*}\) and \(T_{i}, c t_{i}\) are timestamps. Therefore, the communication cost for Yang et al.’s scheme [21] is 40×2+20×3+4×2=148 bytes.

 In Ismaila et al.’s scheme [22], the content of the broadcasted message is \(\left\{P I D_{y, k}, P K_{k}, \omega_{k}, \sigma_{k}=\left(R_{k}, \vartheta_{k}\right), T_{k}\right\}\), where \(P K_{k}, R_{k} \in G, P I D_{y, k}, \omega_{k}, \vartheta_{k} \in Z_{q}^{*}\) and T is the timestamp. Therefore, the communication cost for Ismaila et al.’s scheme [22] is 40×2+20×3+4=144 bytes.

 In our proposed scheme, the content of the broadcasted message is { T ,msg ,σ}, where \(\sigma \in Z_{q}^{*}\) and T is the timestamp. Therefore, the communication cost for our proposed scheme is 20+4=24 bytes.

 In accordance with the comparative evaluations of our proposed scheme with previous schemes in terms of reducing the communication overhead, we can deduce that the proposed scheme can be efficiently used in VANETs.

 

7. Conclusions

 This paper proposed a robust CPPA scheme in VANETs that depends on a new idea of acquiring pseudonym by using a pseudonym root. It utilizes the cuckoo filter to mitigate the verification process. The proposed scheme does not use bilinear pairing and has no CRL. Therefore, the proposed scheme can effectively mitigate the computation and communication overheads in VANETs. Furthermore, the proposed scheme can ensure the security and privacy requirements such as privacy-preserving authentication, integrity, non-repudiation, traceability, revocability, Un-linkability, self-verification, pseudonym prediction and resistance to the ordinary attacks. Moreover, the proposed scheme can provide conditional anonymity to participants in a network thereby preventing malicious vehicles from disrupting VANETs. In future works, we plan to mitigate the dependence of vehicles on the RSU to resolve authentication problems in non-RSU.