Research on Identity-based Batch Anonymous Authentication Scheme for VANET

  • Song, Cheng (School of Computer Science and Technology, Henan Polytechnic University) ;
  • Gu, Xinan (School of Computer Science and Technology, Henan Polytechnic University) ;
  • Wang, Lei (School of Computer Science and Technology, Henan Polytechnic University) ;
  • Liu, Zhizhong (School of Computer Science and Technology, Henan Polytechnic University) ;
  • Ping, Yuan (School of Information Engineering, Xuchang University)
  • Received : 2019.03.17
  • Accepted : 2019.05.22
  • Published : 2019.12.31

Abstract

To solve the security and efficiency problems of anonymous authentication in vehicular ad-hoc networks (VANET), we use bilinear pairings to propose an identity-based batch anonymous authentication scheme for VANET. The tamper-proof device in the on-board unit and the trusted authority jointly realize the anonymity of the vehicle identity and the signing of messages, which further strengthens the scheme and reduces the load on the trusted authority. Batch authentication improves the efficiency of anonymous authentication in VANET. Security and efficiency analyses show that the scheme satisfies anonymity, non-forgeability and non-repudiation, and has an advantage in time and space complexity. Simulation results show that the scheme performs well in real-time VANET communication.

1. Introduction

 With the rapid development of science and technology, the number of vehicles has grown explosively and vehicles are used more widely and more frequently. The traffic situation, however, is not satisfactory: parking difficulty, traffic jams, traffic accidents and similar problems keep emerging. As the safety and security of vehicle communication come into focus, Intelligent Transport System (ITS) management is attracting particular attention. At its core, VANET [1-2] is a mobile network with vehicles as nodes; it can effectively solve or alleviate current traffic problems and also brings convenience in navigation, infotainment and vehicle safety, enriching people's lifestyles and improving the intelligence and safety of the transportation system.

 Nevertheless, because of the operating environment and the wireless communication mode of VANET, an attacker can easily manipulate the channel to intercept, modify, replay and delete transmitted messages, leaving VANET vulnerable to privacy, collusion and forgery attacks [3-5]. In practice, a vehicle or RSU should verify that a received message is valid and intact before acting on it. Worse, an attacker may tamper with the original information, feed the receiver a wrong message and so induce other vehicles to perform illegal operations that disrupt traffic. For example, an adversary may pretend to be a fire truck and broadcast a traffic signal so that others give way. Therefore received messages must be authenticated to protect their integrity, while vehicle users' identities must be anonymized to protect individual privacy [6-8].

 Specifically, our contributions in this paper are as follows:

 1. Considering the problem of rejecting false information and the conflict between privacy and trusted authorities, we propose an identity-based batch authentication scheme that gives a vehicle anonymous authentication, message integrity, privacy and traceability. The scheme supports communication in different VANET scenarios.

 2. The proposed batch anonymous authentication scheme based on bilinear pairings satisfies security properties including anonymity, non-forgeability and non-repudiation.

 3. Since the proposed scheme requires only a small constant number of pairings and point multiplications in batch verification, authentication is faster and its computation cost is reduced.

 The paper is organized as follows: Section 2 reviews related work; Section 3 introduces the necessary preliminaries; Section 4 describes the batch anonymous authentication scheme for VANETs; Section 5 analyses the correctness, security and efficiency of the scheme and reports the simulation; Section 6 concludes the paper.

 

2. Related Work

 In recent years, security and privacy issues in vehicular networks have been a hot research topic, and scholars at home and abroad have produced a series of results. Raya and Hubaux [9] devised a security architecture that hides the user's true identity behind anonymous certificates: each vehicle is pre-installed with public key certificates and anonymous public/private key pairs to avoid tracking, together with a set of security protocols to protect privacy. Once a malicious message is detected, however, the trusted authority must spend considerable time searching a huge database to find the real identity associated with the revealed anonymous public key. Lin et al. [10] proposed a scheme based on group signatures, in which the same group public key is stored in every vehicle together with a unique private key. A receiving vehicle can only confirm the authenticity of the message signature with the group public key, and the sending vehicle carries no flag by which the receiver could recognize it, which reduces the overhead of anonymous keys; however, the computational cost of verifying a group signature is higher than in other schemes. Zhang et al. [11] proposed an IBV scheme for V2I and V2V communication in VANETs. It uses one-time identity-based signatures to reduce the cost of authenticating and transmitting public key certificates and the total delay of signature verification, and it serves to resolve traffic accident disputes and to achieve conditional privacy in vehicular networks.

 Sun et al. [12] devised an identity-based security system for user privacy in VANET, which can only authenticate messages one by one, and an attacker can repudiate when identities are traced. Lee et al. [13] devised a batch authentication scheme for VANET based on bilinear pairings that improves efficiency but still fails to satisfy non-repudiation and non-forgeability, and may let a vehicle's genuine identity leak easily. Bayat et al. [14] put forward an elliptic-curve batch authentication scheme for VANET to improve security, but its complex algorithms lead to excessive computational cost and hurt the timeliness of vehicular communication. Liu et al. [15] proposed an efficient anonymous authentication protocol using batch operations for VANETs, but it cannot resist collusion attacks. Azees et al. [16] suggested an efficient anonymous authentication scheme with conditional privacy preservation for VANET, whose signing procedure has excessive space and communication complexity. Vijayakumar et al. [17] proposed a computationally efficient privacy-preserving anonymous mutual authentication scheme for VANETs (CPAV) that verifies the authenticity of OBUs without revealing their real identities in V2V communication in the IoT. Islam et al. [18] presented a password-based conditional privacy-preserving authentication and group-key generation protocol (PW-CPPA-GKA) for VANETs. Neither of the last two schemes, however, is simulated in a specific scenario.

 In view of the shortcomings of existing schemes, this paper proposes an identity-based batch anonymous authentication scheme for VANET based on bilinear pairings, aiming to solve the privacy and time-efficiency problems of previous schemes, reduce communication overhead and resist multiple attacks. A comparative efficiency analysis against existing schemes shows that the proposed scheme authenticates more efficiently, and simulation against previous schemes shows that it offers better security and authentication efficiency.

 

3. Preliminaries

3.1  VANET Model

 As shown in Fig. 1, the VANET model consists of three parts: the Trusted Authority (TA), the Roadside Unit (RSU) and the On-Board Unit (OBU). The function of each part is as follows:

Fig. 1. VANET model

 1) The TA is the trusted authority and management center of the VANET, responsible for generating and publishing security parameters and for registering, managing and tracing vehicles. In general, the TA is deployed in a government agency that manages traffic conditions.

 2) The RSU is communication equipment installed at the roadside that communicates with vehicles via the DSRC protocol. It is responsible for network access of vehicles, for releasing information from the management center, and for sending and receiving the messages exchanged by vehicles.

 3) The OBU is the wireless communication unit fitted to each vehicle in the VANET; it stores keys, encrypts and decrypts messages, and communicates with the RSU via the DSRC protocol.

 

3.2 Bilinear pairing

 Let G1 be an additive cyclic group and G2 a multiplicative cyclic group, both of prime order q (q a large prime). A bilinear pairing [19] \(e: G_{1} \times G_{1} \rightarrow G_{2}\) satisfies the following properties:

 1) Bilinearity: \(\forall P_{1}, P_{2} \in G_{1}, \forall a, b \in Z_{q}\): \(e\left(a P_{1}, b P_{2}\right)=e\left(P_{1}, P_{2}\right)^{a b}\).

 2) Non-degeneracy: \(\exists P_{1}, P_{2} \in G_{1}\) such that \(e\left(P_{1}, P_{2}\right) \neq 1\).

 3) Computability: \(\forall P_{1}, P_{2} \in G_{1}\), there is an efficient algorithm to compute \(e\left(P_{1}, P_{2}\right)\).

 4) Symmetry: \(\forall P_{1}, P_{2} \in G_{1}\): \(e\left(P_{1}, P_{2}\right)=e\left(P_{2}, P_{1}\right)\).

 

3.3 Identity-based Cryptosystem

 Identity-based cryptography, first proposed by Shamir [20] in 1984, uses each user's unique identity as the public key. This simplifies the key management of traditional public key cryptosystems and is more efficient. In 2002 Malone-Lee [21] first used bilinear pairings to construct an identity-based signcryption scheme and formalized the following algorithms:

 System initialization: on input a security parameter, the Trusted Authority (TA) outputs the system parameters params and a master key r; the TA keeps r secret and publishes params.

 Key generation: on input a user's identity ID, the TA uses the master key r to compute the user's private key SK and transmits it to the user over a secure channel.

 Signcryption: signcryption is a cryptographic primitive that combines the functions of a digital signature and public key encryption in a single logical step, at lower computational and communication cost than the traditional sign-then-encrypt approach. If IDa signs and encrypts message M and sends it to IDb, then on input SK_a, ID_b and M the algorithm outputs the signcrypted message \(\zeta=\operatorname{sig}\left(M, S K_{a}, I D_{b}\right)\).

 Decryption and verification (unsigncryption): on receiving the signcrypted message \(\zeta\) sent by ID_a, ID_b decrypts and verifies it: on input \(S K_{b}, I D_{a}\) and \(\zeta\), output \(M=\operatorname{unsig}\left(\zeta, S K_{b}, I D_{a}\right)\).

 

3.4 Elliptic curve cryptography algorithm

 Elliptic Curve Cryptography (ECC) [22] is a public key cryptosystem based on algebraic curves; its security rests on point multiplication and the Elliptic Curve Discrete Logarithm Problem (ECDLP).

 Theorem 1 (Elliptic curve over a finite field): let p be a large prime and Fp the finite field of integers modulo p. An elliptic curve over Fp is given by

\(y^{2}=x^{3}+a x+b\)       (1)

 where \(a, b \in F_{p}\) satisfy \(4 a^{3}+27 b^{2} \neq 0 \bmod p\). A pair \(x, y \in F_{p}\) that satisfies equation (1) is a point of the curve E, and E(Fp), also written Ep(a,b), denotes the set of all such points together with the point at infinity \(\infty\).

 Theorem 2 (ECDLP): given a point P of order q on the curve and another point Q in the group generated by P, it is hard to determine the integer \(x \in Z_{q}, 0 \leq x \leq q-1\), such that \(Q = xP\).

 Theorem 3 (Computational Diffie-Hellman Problem, CDHP): given \(P, xP, yP \in G_{1}\), where \(x, y \in Z_{q}^{*}\) are unknown integers, it is hard to compute \(xyP \in G_{1}\).
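As an added illustration of Theorems 1-3 (example code written for this page, not from the paper), the following Python implements the group law of \(y^{2}=x^{3}+ax+b\) over Fp, enforces the non-singularity condition \(4a^{3}+27b^{2}\neq 0 \bmod p\), performs double-and-add scalar multiplication, and solves a toy ECDLP instance by exhaustive search. The curve \(y^{2}=x^{3}+x+1\) over F23 and the base point (3, 10) are assumed toy parameters; at this size the search that is infeasible for a real 160-bit curve finishes instantly.

```python
"""Elliptic-curve group law over F_p (added example, not the paper's code).

Toy parameters are used so that every step can be checked by hand; the
brute-force ECDLP solver exists only to show why p must be large in practice.
"""

INF = None   # the point at infinity


class Curve:
    def __init__(self, a, b, p):
        # Theorem 1: the curve must be non-singular, 4a^3 + 27b^2 != 0 (mod p)
        if (4 * a ** 3 + 27 * b ** 2) % p == 0:
            raise ValueError("singular curve: 4a^3 + 27b^2 == 0 mod p")
        self.a, self.b, self.p = a, b, p

    def contains(self, pt):
        """True if pt is O or satisfies y^2 = x^3 + ax + b (mod p)."""
        if pt is INF:
            return True
        x, y = pt
        return (y * y - (x ** 3 + self.a * x + self.b)) % self.p == 0

    def add(self, p1, p2):
        """Affine chord-and-tangent addition, handling O and inverse points."""
        if p1 is INF:
            return p2
        if p2 is INF:
            return p1
        x1, y1 = p1
        x2, y2 = p2
        if x1 == x2 and (y1 + y2) % self.p == 0:
            return INF                                   # P + (-P) = O
        if p1 == p2:                                     # tangent slope
            lam = (3 * x1 * x1 + self.a) * pow(2 * y1, -1, self.p)
        else:                                            # chord slope
            lam = (y2 - y1) * pow(x2 - x1, -1, self.p)
        lam %= self.p
        x3 = (lam * lam - x1 - x2) % self.p
        y3 = (lam * (x1 - x3) - y1) % self.p
        return (x3, y3)

    def mul(self, k, pt):
        """Double-and-add scalar multiplication k*P (Theorem 2's one-way map)."""
        result, addend = INF, pt
        while k > 0:
            if k & 1:
                result = self.add(result, addend)
            addend = self.add(addend, addend)
            k >>= 1
        return result


def ecdlp_brute_force(curve, base, target, order_bound):
    """Return x with x*base == target by exhaustive search, or None.

    Feasible only because p is tiny; for a cryptographic curve this loop
    is exactly the ECDLP that the scheme's security rests on.
    """
    acc = INF
    for x in range(1, order_bound + 1):
        acc = curve.add(acc, base)
        if acc == target:
            return x
    return None


# Assumed toy curve y^2 = x^3 + x + 1 over F_23 with base point G = (3, 10).
TOY = Curve(a=1, b=1, p=23)
G = (3, 10)

if __name__ == "__main__":
    Qpt = TOY.mul(5, G)
    print("5G =", Qpt, "recovered x =", ecdlp_brute_force(TOY, G, Qpt, 30))
```

The same `Curve` class, given a standardized prime and coefficients, is the G1 that a real pairing library supplies; what changes at cryptographic size is only that `ecdlp_brute_force` stops terminating.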

 

4. Identity-Based Batch Anonymous Authentication Scheme

 The scheme proposed in this paper consists of three phases: system initialization, anonymous identity generation and message signing, and message authentication.

4.1 System Initialization

 In this phase the TA distributes system parameters to vehicles and RSUs. The details are as follows:

 Step 1: TA generates two cyclic groups G1 and G2 of order q, where G1 is an additive group and G2 a multiplicative group, with P and Q two generators of G1; it then randomly selects \(r \in Z_{q}^{*}\) as the system private key and computes the public key \(P_{p u b}=r P\).

 Step 2: TA selects three secure hash functions \(h:\{0,1\}^{*} \rightarrow G_{1}\), \(h_{1}:\{0,1\}^{*} \rightarrow Z_{q}^{*}\) and \(h_{2}:\{0,1\}^{*} \rightarrow Z_{q}^{*}\).

 Step 3: TA keeps r secret as the system private key and publishes \(\left\{G_{1}, G_{2}, P, Q, q, e, P_{p u b}, h(\cdot), h_{1}(\cdot), h_{2}(\cdot)\right\}\) as the system parameters.

 

4.2 Anonymous identity generation and message signing

 In this phase the user registers and generates an anonymous identity. The details are as follows:

 Step 1: The vehicle user submits identity information such as UserName, E-mail and IDNumber to the TA to request registration.

 Step 2: TA checks the vehicle user's information, registers the user, and issues a username \(R_{i d}^{i}\) and a password \(P_{w d}^{i}\), where \(R_{i d}^{i} \in G_{1}\). Then \(R_{i d}^{i}\), \(P_{w d}^{i}\) and the system private key r are securely installed in the tamper-proof device (TPD) of the vehicle.

 Step 3: The user enters the username \(R_{i d}^{i}\) and password \(P_{w d}^{i}\); the TPD verifies them. If they are valid, login succeeds; otherwise the anonymous operation is aborted.

 Step 4: The TPD randomly selects \(\sigma_{i} \in Z_{q}^{*}\), computes the vehicle's anonymous identity \(I D_{i}=\left\{I D_{1}^{i}, I D_{2}^{i}\right\}\) with \(I D_{1}^{i}=\sigma_{i} P\) and \(I D_{2}^{i}=R_{i d}^{i} \oplus h\left(\sigma_{i} P_{p u b}\right)\), and stores \(\left\{\sigma_{i}, I D_{i}\right\}\) in the TPD.

 Step 5: The TPD uses the system private key r to compute the vehicle's private key \(S K_{i}=r h_{1}\left(I D_{1}^{i} \| I D_{2}^{i}\right)\) and stores it together with \(\left\{\sigma_{i}, I D_{i}\right\}\). The vehicle user then inputs the message Mi to be signed into the TPD.

 Step 6: On receiving message Mi, the TPD computes

\(S_{i}=\left(S K_{i}+\sigma_{i} h_{2}\left(M_{i} \| T_{i}\right)\right) Q\)       (2)

 where Ti is the timestamp of signing. The TPD delivers \(\left\{I D_{i}, M_{i}, S_{i}, T_{i}\right\}\) to the vehicle as the signature of message Mi.

4.3 Message authentication

 In this phase a vehicle or RSU verifies the signed messages it receives, either one at a time (single vehicle authentication) or in batches, depending on the number of messages.

 1) Single Vehicle Authentication

 Step 1: Because messages are time-sensitive, when a vehicle or RSU receives the authentication message \(\left\{I D_{i}, M_{i}, S_{i}, T_{i}\right\}\) it first checks the inequality \(\Delta \mathrm{T} \geq \mathrm{T}_{\mathrm{r}}-\mathrm{T}_{i}\), where \(\Delta \mathrm{T}\) is the expected transmission delay tolerance and \(\mathrm{T}_{\mathrm{r}}\) the time at which the message is received.

 Step 2: If the inequality holds, the signed message is fresh; otherwise it is invalid, authentication stops and the message is discarded.

 Step 3: Verify the equation

\(e\left(S_{i}, P\right)\overset{?}{=}e\left(h_{1}\left(I D_{1}^{i} \| I D_{2}^{i}\right) P_{p u b}+h_{2}\left(M_{i} \| T_{i}\right) I D_{1}^{i}, Q\right)\)       (3)

If it holds, the signed message is legitimate and Mi is accepted; otherwise the message is rejected.

 2) Batch Vehicle Authentication

 To keep signature verification efficient in areas of high vehicle density and traffic flow, the scheme supports batch authentication of signed messages.

 Step 1: As in single vehicle authentication, on receiving a signed message \(\left\{I D_{i}, M_{i}, S_{i}, T_{i}\right\}\) first check freshness, i.e., whether \(\Delta \mathrm{T} \geq \mathrm{T}_{\mathrm{r}}-\mathrm{T}_{i}\) holds. If it holds, the message proceeds to verification; otherwise it is discarded.

 Step 2: Following the small exponent test, the RSU randomly selects n small exponents \(\left\{V_{1}, V_{2}, \cdots, V_{n}\right\}\), one per signed message in the batch, with \(V_{i} \in\left[1, 2^{t}\right]\) for a small integer t. This prevents a malicious user from substituting signature values among the messages of the batch [8].

 Step 3: The RSU computes

\(A=e\left(\sum_{i=1}^{n} V_{i} S_{i}, P\right)\)       (4)

\(B=e\left(\left(\sum_{i=1}^{n} V_{i} h_{1}\left(I D_{1}^{i} \| I D_{2}^{i}\right)\right) P_{p u b}+\sum_{i=1}^{n} V_{i} h_{2}\left(M_{i} \| T_{i}\right) I D_{1}^{i}, Q\right)\)       (5)

and checks \(A = B\); if it holds, all signatures in the batch are accepted.
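The following Python is an added example for this page, not code from the paper: it runs the three phases of Sections 4.1-4.3 end to end, together with the TA tracing step of Section 5.2.2, over a toy bilinear map, and in doing so also exercises the pairing properties of Section 3.2. G1 is modelled as the additive group Z_q with P stored as the integer 1 (so a point aP is stored as a), G2 as the order-q subgroup of Z_p^*, and \(e(aP, bP)=g^{ab}\); this map is bilinear, symmetric and non-degenerate, so equations (2)-(5) are evaluated exactly as written, but discrete logs in this G1 are trivial, so it models protocol logic only. The group sizes, the generator Q = 7P, the delay bound ΔT = 5 s, the SHA-256-based h, h1, h2 and the integer encoding of \(R_{id}^{i}\) that is XORed with \(h(\sigma_{i} P_{pub})\) are all assumptions of this model. Because Step 2 of Section 4.2 installs the master key r in every TPD, the model hands r to the TPD routine, which makes explicit that the scheme's master secret is only as safe as the tamper-proof device. The `shift_signatures` routine shows why the verifier must pick the \(V_i\) itself: two individually invalid signatures cancel in a batch whose exponents are all equal, and random exponents break the cancellation.

```python
"""Toy model of the Section 4 scheme (added example, not the paper's code).

G1 is Z_q (point aP stored as the integer a), G2 the order-q subgroup of Z_p^*,
and e(aP, bP) = g^(ab) mod p.  Bilinear, symmetric and non-degenerate, so the
verification equations run exactly as written; but DL in this G1 is trivial,
so swap the group helpers for a real pairing library before any real use.
"""
import hashlib
import secrets


def _is_prime(n):
    return n > 1 and all(n % i for i in range(2, int(n ** 0.5) + 1))


Q = next(n for n in range(1_000_000, 2_000_000) if _is_prime(n))           # group order q
P_MOD = next(k * Q + 1 for k in range(2, 100_000) if _is_prime(k * Q + 1))  # prime p, q | p-1
G2_GEN = next(g for g in (pow(x, (P_MOD - 1) // Q, P_MOD) for x in range(2, 99)) if g != 1)
P, QGEN = 1, 7                 # generators P and Q = 7P of G1 (assumed)
DELTA_T = 5                    # delay tolerance Delta_T in seconds (assumed)


def add(x, y):                 # point addition in G1
    return (x + y) % Q


def mul(k, x):                 # scalar multiplication kX in G1
    return (k * x) % Q


def pair(x, y):                # bilinear pairing e(X, Y) into G2
    return pow(G2_GEN, mul(x, y), P_MOD)


def _digest(tag, *parts):      # domain-separated SHA-256 over the parts
    d = hashlib.sha256(tag.encode())
    for part in parts:
        d.update(repr(part).encode() + b"|")
    return int.from_bytes(d.digest(), "big")


def h(*parts):                 # h  : {0,1}* -> G1
    return _digest("h", *parts) % Q


def h1(*parts):                # h1 : {0,1}* -> Z_q^*
    return 1 + _digest("h1", *parts) % (Q - 1)


def h2(*parts):                # h2 : {0,1}* -> Z_q^*
    return 1 + _digest("h2", *parts) % (Q - 1)


def setup():                   # 4.1: master key r, P_pub = rP
    r = secrets.randbelow(Q - 1) + 1
    return r, mul(r, P)


def tpd_make_identity(r_id, r, p_pub):   # 4.2 steps 4-5, inside the TPD (holds r)
    sigma = secrets.randbelow(Q - 1) + 1
    id1 = mul(sigma, P)                           # ID_1 = sigma P
    id2 = r_id ^ h(mul(sigma, p_pub))             # ID_2 = R_id XOR h(sigma P_pub)
    sk = (r * h1(id1, id2)) % Q                   # SK_i = r h1(ID_1 || ID_2)
    return sigma, (id1, id2), sk


def sign(sigma, ident, sk, msg, ts):     # 4.2 step 6, equation (2)
    s = mul((sk + sigma * h2(msg, ts)) % Q, QGEN)
    return (ident, msg, s, ts)


def _fresh(ts, now):                     # Delta_T >= T_r - T_i
    return now - ts <= DELTA_T


def verify(p_pub, sig, now):             # 4.3 single authentication, equation (3)
    (id1, id2), msg, s, ts = sig
    if not _fresh(ts, now):
        return False
    rhs = add(mul(h1(id1, id2), p_pub), mul(h2(msg, ts), id1))
    return pair(s, P) == pair(rhs, QGEN)


def batch_verify(p_pub, sigs, now, small_exps=None, t=8):   # 4.3 batch, check A == B
    if small_exps is None:
        small_exps = [secrets.randbelow(2 ** t) + 1 for _ in sigs]   # V_i in [1, 2^t]
    lhs = rhs = 0
    for v, ((id1, id2), msg, s, ts) in zip(small_exps, sigs):
        if not _fresh(ts, now):
            return False
        lhs = add(lhs, mul(v, s))                                       # sum V_i S_i
        rhs = add(rhs, add(mul(v * h1(id1, id2), p_pub), mul(v * h2(msg, ts), id1)))
    return pair(lhs, P) == pair(rhs, QGEN)                              # eq. (4) == eq. (5)


def trace(r, ident):                     # 5.2.2: ID_2 XOR h(r ID_1) = R_id
    id1, id2 = ident
    return id2 ^ h(mul(r, id1))


def shift_signatures(sigs, d):
    """Substitution attack on batch checking: add d to one signature value and
    subtract it from another.  Each altered signature fails equation (3) on its
    own, yet the pair passes any batch check whose exponents are equal."""
    (i0, m0, s0, t0), (i1, m1, s1, t1) = sigs[0], sigs[1]
    return [(i0, m0, add(s0, d), t0), (i1, m1, add(s1, -d), t1)] + list(sigs[2:])


if __name__ == "__main__":
    r, p_pub = setup()
    sigma, ident, sk = tpd_make_identity(17, r, p_pub)     # R_id = 17 (constructed)
    sig = sign(sigma, ident, sk, "brake", 1000)
    print("verify:", verify(p_pub, sig, now=1002), "traced R_id:", trace(r, ident))
```

To move this onto a real pairing, replace `add`, `mul`, `pair` and the hash-to-G1 in `h` with the library's G1 operations; everything above those helpers is unchanged. Note that `batch_verify` still computes one h1 and h2 and two point multiplications per message, so only the pairing count is constant in n, which is the cost profile Section 5.3.1 claims.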

 

5. Analyses and Simulation

 In this section the scheme is analysed in terms of three aspects: correctness, security and efficiency.

 

5.1 Correctness Analysis

 The correctness of the scheme is proved for single vehicle authentication and for batch authentication.

 In single vehicle authentication, given a legitimate signature, correctness depends on whether equation (3) holds, i.e., whether

  \(e\left(S_{i}, P\right)=e\left(\left(S K_{i}+\sigma_{i} h_{2}\left(M_{i} \| T_{i}\right)\right) Q, P\right)\) equals the right-hand side of (3). Proof:

\(\begin{array}{l}e\left(S_{i}, P\right) \\=e\left(\left(S K_{i}+\sigma_{i} h_{2}\left(M_{i} \| T_{i}\right)\right) Q, P\right) \\=e\left(\left(r h_{1}\left(I D_{1}^{i} \| I D_{2}^{i}\right)+\sigma_{i} h_{2}\left(M_{i} \| T_{i}\right)\right) Q, P\right) \\=e\left(Q, r h_{1}\left(I D_{1}^{i} \| I D_{2}^{i}\right) P+\sigma_{i} h_{2}\left(M_{i} \| T_{i}\right) P\right) \\=e\left(Q, h_{1}\left(I D_{1}^{i} \| I D_{2}^{i}\right) P_{p u b}+h_{2}\left(M_{i} \| T_{i}\right) I D_{1}^{i}\right) \\=e\left(h_{1}\left(I D_{1}^{i} \| I D_{2}^{i}\right) P_{p u b}+h_{2}\left(M_{i} \| T_{i}\right) I D_{1}^{i}, Q\right)\end{array}\)

which proves correctness.

 In batch authentication, given legitimate signatures, correctness depends on whether A = B holds, i.e., whether

\(e\left(\sum_{i=1}^{n} V_{i} S_{i}, P\right)\overset{?}{=}e\left(\left(\sum_{i=1}^{n} V_{i} h_{1}\left(I D_{1}^{i} \| I D_{2}^{i}\right)\right) P_{p u b}+\sum_{i=1}^{n} V_{i} h_{2}\left(M_{i} \| T_{i}\right) I D_{1}^{i}, Q\right)\)

Proof:

\(\begin{array}{l}e\left(\sum_{i=1}^{n} V_{i} S_{i}, P\right) \\=e\left(\left(\sum_{i=1}^{n} V_{i} r h_{1}\left(I D_{1}^{i} \| I D_{2}^{i}\right)+\sum_{i=1}^{n} V_{i} \sigma_{i} h_{2}\left(M_{i} \| T_{i}\right)\right) Q, P\right) \\=e\left(Q,\left(\sum_{i=1}^{n} V_{i} r h_{1}\left(I D_{1}^{i} \| I D_{2}^{i}\right)+\sum_{i=1}^{n} V_{i} \sigma_{i} h_{2}\left(M_{i} \| T_{i}\right)\right) P\right) \\=e\left(Q, \sum_{i=1}^{n} V_{i} h_{1}\left(I D_{1}^{i} \| I D_{2}^{i}\right) r P+\sum_{i=1}^{n} V_{i} h_{2}\left(M_{i} \| T_{i}\right) \sigma_{i} P\right) \\=e\left(Q,\left(\sum_{i=1}^{n} V_{i} h_{1}\left(I D_{1}^{i} \| I D_{2}^{i}\right)\right) P_{p u b}+\sum_{i=1}^{n} V_{i} h_{2}\left(M_{i} \| T_{i}\right) I D_{1}^{i}\right)\\=e\left(\left(\sum_{i=1}^{n} V_{i} h_{1}\left(I D_{1}^{i} \| I D_{2}^{i}\right)\right) P_{p u b}+\sum_{i=1}^{n} V_{i} h_{2}\left(M_{i} \| T_{i}\right) I D_{1}^{i}, Q\right)\end{array}\)

which proves correctness.

 

5.2 Security Analysis

5.2.1 Non-forgeability

 Theorem 1: If the CDHP cannot be solved in polynomial time, the scheme resists chosen-message attacks in the random oracle model, i.e., it satisfies non-forgeability.

 Proof: Let A be the attacker and C the challenger. Let \(x, y \in Z_{q}^{*}\) be unknown, let \(P \in G_{1}\), and let \((P, x P, y P)\) be known; the challenger C tries to compute xyP, i.e., to solve this CDHP instance. Assume that attacker A is able to forge a valid signed message \(\left\{I D_{i}, M_{i}, S_{i}, T_{i}\right\}\); C performs the following steps:

 Initialization: C sets the system public parameters \(P_{p u b}=x P, Q=y P\) and sends \(\left(P_{p u b}, Q\right)\) to attacker A; meanwhile it constructs and maintains three lists \(L_{h}, L_{h 1}\) and \(L_{h 2}\).

 h-Oracle: C maintains a list Lh of tuples \(\left\langle\alpha, \beta_{h}\right\rangle\), initially empty. When C receives from A a query on message \(\alpha\), C checks whether a record \(\left\langle\alpha, \beta_{h}\right\rangle\) exists in Lh. If it does, C answers \(\beta_{h}\); otherwise C randomly selects \(\beta_{h} \in G_{1}\), adds \(\left\langle\alpha, \beta_{h}\right\rangle\) to the list and answers \(\beta_{h}\).

 h1-Oracle: C maintains a list Lh1 of tuples \(\left\langle I D_{1}^{i}, I D_{2}^{i}, \beta_{h 1}\right\rangle\), initially empty. When C receives from A a query on \(\left(I D_{1}^{i}, I D_{2}^{i}\right)\), C checks whether a tuple \(\left\langle I D_{1}^{i}, I D_{2}^{i}, \beta_{h 1}\right\rangle\) exists in Lh1. If it does, C answers \(\beta_{h1}\); otherwise C randomly selects \(\beta_{h 1} \in Z_{q}^{*}\), adds \(\left\langle I D_{1}^{i}, I D_{2}^{i}, \beta_{h 1}\right\rangle\) to the list and answers \(\beta_{h1}\).

 h2-Oracle: C maintains a list Lh2 of tuples \(\left\langle M_{i}, T_{i}, \beta_{h 2}\right\rangle\), initially empty. When C receives from A a query on \(\left(M_{i}, T_{i}\right)\), C checks whether a tuple \(\left\langle M_{i}, T_{i}, \beta_{h 2}\right\rangle\) exists in Lh2. If it does, C answers \(\beta_{h2}\); otherwise C randomly selects \(\beta_{h 2} \in Z_{q}^{*}\), adds \(\left\langle M_{i}, T_{i}, \beta_{h 2}\right\rangle\) to the list and answers \(\beta_{h2}\).

 Signature-Oracle: challenger C randomly generates \(\gamma_{i}, h_{i, 1}, h_{i, 2} \in Z_{q}^{*}\) and \(I D_{2}^{i} \in G_{1}\), sets \(S_{i}=\gamma_{i} Q\) and \(I D_{1}^{i}=\left(\gamma_{i} P-h_{i, 1} P_{p u b}\right) / h_{i, 2}\), and adds \(\left\langle I D_{1}^{i}, I D_{2}^{i}, h_{i, 1}\right\rangle\) to \(L_{h 1}\) and \(\left\langle M_{i}, T_{i}, h_{i, 2}\right\rangle\) to \(L_{h 2}\). The simulated signature satisfies \(e\left(S_{i}, P\right)=e\left(h_{1}\left(I D_{1}^{i} \| I D_{2}^{i}\right) P_{p u b}+h_{2}\left(M_{i} \| T_{i}\right) I D_{1}^{i}, Q\right)\), because \(h_{i, 1} P_{p u b}+h_{i, 2} I D_{1}^{i}=\gamma_{i} P\); A therefore cannot distinguish it from a real signature.

 Output: By running A twice with different h2 answers for the same query, in polynomial time C obtains two valid signatures \(\left\{I D_{i}, M_{i}^{*}, S_{i}, T_{i}\right\}\) and \(\left\{I D_{i}, M_{i}^{*}, S_{i}^{*}, T_{i}^{*}\right\}\) with \(S_{i}=\left(\gamma_{i} h_{i, 1}+x h_{i, 2}\right) Q\) and \(S_{i}^{*}=\left(\gamma_{i} h_{i, 1}+x h_{i, 2}^{*}\right) Q\), \(h_{i, 2} \neq h_{i, 2}^{*}\). C then computes \(\left(h_{i, 2}-h_{i, 2}^{*}\right)^{-1}\left(S_{i}-S_{i}^{*}\right)=x Q=x y P\), which solves the CDHP instance. This contradicts the hardness of CDHP, so the scheme satisfies non-forgeability.

 

5.2.2 Non-repudiation

 Non-repudiation, also called undeniability, means that in the case of a traffic accident evidence can be obtained to settle disputes and assign responsibility. When a vehicle behaves maliciously, the TA in this scheme can recover its true identity. The vehicle's anonymous identity is \(I D_{i}=\left(I D_{1}^{i}, I D_{2}^{i}\right)\), with \(I D_{1}^{i}=\sigma_{i} P\) and \(I D_{2}^{i}=R_{i d}^{i} \oplus h\left(\sigma_{i} P_{p u b}\right)\). The TA uses its private key r to compute \(I D_{2}^{i} \oplus h\left(r \cdot I D_{1}^{i}\right)\) and so recovers the vehicle's true identity \(R_{i d}^{i}\):

\(\begin{aligned}&I D_{2}^{i} \oplus h\left(r \cdot I D_{1}^{i}\right)\\&=I D_{2}^{i} \oplus h\left(\sigma_{i} \cdot r \cdot P\right)\\&=I D_{2}^{i} \oplus h\left(\sigma_{i} \cdot P_{p u b}\right)\\&=R_{i d}^{i}\end{aligned}\)

 If the vehicle whose identity has been recovered denies its actions, the scheme relies on the random exponents V introduced by the small exponent test: when vehicles communicate, a distinct V is bound to each signature during batch authentication, so a malicious vehicle cannot deny its signed messages. Therefore non-repudiation is satisfied.

 

5.2.3 Anonymity

 Let the signature scheme of this paper, an attacker A and two honest vehicle users be the participants in the following game.

 Definition 1 Anonymity Game

 Step 1: Attacker A runs the key-generating algorithm to obtain the public and private key pairs and the system public parameters.

 Step 2: Attacker A selects two different messages M_0 and M_1. A random bit b is selected and M_0 and M_1 are sent to the two honest users, with b kept secret. The two users each run the proposed signature scheme.

 Step 3: If the two users output valid signatures S_0 and S_1 corresponding to M_0 and M_1 respectively, the signatures are sent to attacker A in random order; otherwise the invalid symbol \(\perp\) is returned to the attacker.

 Step 4: Attacker A analyses the signatures and outputs a guess of b. If the guess equals b, attacker A wins the game.

 The advantage of attacker A in winning the game is defined in terms of the probability that its guess equals b.

 Theorem 2: If attacker A cannot win the anonymity game against the signature scheme in polynomial time with non-negligible probability, then the scheme satisfies anonymity.

 Proof: Let A be the attacker in the anonymity game of Definition 1. If \(\perp\) is received in Step 3, the message A obtains is invalid and its probability of guessing b correctly is \(\frac{1}{2}\), the same as a random guess.

 Consider the other case: assume that attacker A obtains two signatures of the scheme, \(\left(S_{0}, T_{0}, I D_{0}, M_{0}\right)\) and \(\left(S_{1}, T_{1}, I D_{1}, M_{1}\right)\). Let \(j \in\{0,1\}\) index the two instances of the signature scheme, with \(\left(\sigma_{j}, P, S K_{j}\right)\) the parameters used in the interaction. For each \((S, T, I D, M) \in\left\{\left(S_{0}, T_{0}, I D_{0}, M_{0}\right),\left(S_{1}, T_{1}, I D_{1}, M_{1}\right)\right\}\) and parameters \(\left(\sigma_{j}, S K_{j}\right)\) we have \(I D_{1}^{i}=\sigma_{j} P\), \(I D_{2}^{i}=R_{i d}^{i} \oplus h\left(\sigma_{j} P_{p u b}\right)\) and \(S K_{j}=r h_{1}\left(I D_{1}^{i} \| I D_{2}^{i}\right)\), \(j \in\{0,1\}\), so

\(\begin{aligned}S_{i} &=\left(S K_{j}+\sigma_{j} h_{2}\left(M_{i} \| T_{i}\right)\right) Q \\&=\left(r h_{1}\left(\sigma_{j} P \| R_{i d}^{i} \oplus h\left(\sigma_{j} P_{p u b}\right)\right)+\sigma_{j} h_{2}\left(M_{i} \| T_{i}\right)\right) Q \\&=\left(r h_{1}\left(I D_{1}^{i} \| I D_{2}^{i}\right)+\sigma_{j} h_{2}\left(M_{i} \| T_{i}\right)\right) Q\end{aligned}\)

and therefore

\(\begin{array}{l}e(S, P) \\=e\left(\left(S K_{j}+\sigma_{j} h_{2}\left(M_{i} \| T_{i}\right)\right) Q, P\right) \\=e\left(\left(r h_{1}\left(I D_{1}^{i} \| I D_{2}^{i}\right)+\sigma_{j} h_{2}\left(M_{i} \| T_{i}\right)\right) Q, P\right) \\=e\left(h_{1}\left(I D_{1}^{i} \| I D_{2}^{i}\right) P_{p u b}+h_{2}\left(M_{i} \| T_{i}\right) I D_{1}^{i}, Q\right)\end{array}\)

Both signatures satisfy the same verification equation, which involves only the anonymous identity \(I D_{i}\) and public values, and the true identity \(R_{i d}^{i}\) is masked by \(h\left(\sigma_{j} P_{p u b}\right)\), which can be recomputed only with \(\sigma_{j}\) or the master key r. Hence the signatures give A no information about b beyond a random guess, and the scheme satisfies anonymity.

 

5.3 Efficiency Analysis

5.3.1 Computation Complexity

 The computation complexity is compared with that of representative schemes. Let Tp be the time of one bilinear pairing; \(T_{m p-b p}\) the time of one point multiplication in the pairing group; \(T_{m p-e c}\) the time of one point multiplication on an elliptic curve; Th the time of one hash computation; and Tep the time of one exponentiation in G1. The computational complexity of each scheme is shown in Table 1 and Table 2. The measurements were taken on Windows 7 with an Intel i7 processor at 4 GHz, using the MIRACL cryptographic library on an elliptic curve subgroup at the 80-bit security level. The measured times are: Tp 4.21 ms, \(T_{m p-b p}\) 1.71 ms, \(T_{m p-ec}\) 0.44 ms, Th 4.41 ms and Tep 0.3 ms.

Table 1. Execution time of single message authentication phase

Table 2. Execution time of batch message authentication phase

 As Table 1 and Table 2 show, in single signature authentication the proposed scheme is clearly better than Ref.[13] and Ref.[14], has a time cost similar to Ref.[15], and is only slightly inferior to Ref.[16]. In batch signature authentication, the time cost of Ref.[14], Ref.[15], Ref.[16] and Ref.[17] grows with the number n of signed messages in the batch, whereas the cost of this scheme and of Ref.[13] does not depend on n, which is clearly better than the other schemes.

 

5.3.2 Communication complexity

 Communication complexity refers to the traffic exchanged, i.e., the storage space of the messages, usually measured in bytes. An anonymous authentication message for VANET consists of the signature, the pseudonym and other additional information. For example, in Ref.[13] the signature is 21 bytes, the pseudonym 42 bytes and the timestamp 4 bytes; in Ref.[14] the signature is 42 bytes, the pseudonym 234 bytes and the timestamp 4 bytes; in Ref.[15] the signature is 53 bytes and the pseudonym 42 bytes; in Ref.[16] the signature is 60 bytes, the pseudonym 40 bytes and the timestamp 4 bytes; in Ref.[18] the authentication message is 64 × 5 + 4 + 4 = 328 bytes; in the proposed scheme the signature is 20 bytes, the pseudonym 40 bytes and the timestamp 4 bytes. As Table 4 shows, the proposed scheme has lower communication complexity than the other schemes.

Table 4. Communication complexity comparison

5.3.3 Simulation Analysis

 The environment of simulation experiment in this scheme is as follows: operation system: Windows 10 (64 bit); CPU: Intel i5 processor; RAM: 4G; simulation software: NS-2.35, and wireless protocl is 802.11a. Assume the size of the simulation area as 1200m*1200m, the number of vehicular nodes is between 20-100, driving speed of vehicles is between 0-108km/h, and vehicular nodes are randomly distributed on the roads in the simulation area.

 This simulation experiment verifies the scheme’s efficiency and feasibility based on the rate of average message delay and lost. The rate of average message delay and loss message is denoted as AD  and AL  respectively.

\(A D=\frac{\sum_{i=1}^{N_{v}} \sum_{m=1}^{N_{m}^{i}}\left(T_{s \rightarrow m}^{i}+T_{t \rightarrow m \rightarrow r}^{i}+T_{r \rightarrow v \rightarrow m}^{i}\right)}{\sum_{i=1}^{N_{v}} N_{m}^{i}}\)

 where \(N_v\) is the number of vehicles in the simulation area, \(N_m^i\) the number of messages sent by vehicle i, \(T_{s \rightarrow m}^{i}\) the time for vehicle i to sign message m, \(T_{t \rightarrow m \rightarrow r}^{i}\) the time to send message m from vehicle i to the RSU, and \(T_{r \rightarrow v \rightarrow m}^{i}\) the time for the RSU to authenticate vehicle i's message m.

\(A L=\frac{\sum_{i=1}^{N_{v}} N_{m}^{i}-\sum_{j=1}^{R_{n}} N_{r}^{j}}{R_{n} \cdot \sum_{i=1}^{N_{v}} N_{m}^{i}}\)

 where \(R_n\) is the number of RSUs and \(N_r^j\) the number of messages received by the j-th RSU. The simulation results are shown in Fig. 2 and Fig. 3. In terms of average message delay, when the number of nodes is between 0 and 60 the proposed scheme performs similarly to the other schemes; as the number of vehicular nodes increases, it is clearly better than the other schemes. In terms of average message loss rate, when the number of nodes is between 0 and 20 the proposed scheme is better than Ref.[14], Ref.[15], Ref.[16] and Ref.[18] and similar to Ref.[13]; as the number of vehicular nodes increases, it has an advantage over all the other schemes.


Fig. 2. The relationship between average message delay and vehicle nodes


Fig. 3. The relationship between average message loss rate and vehicle nodes
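The two metrics above are easy to get subtly wrong when computed from a trace (an empty trace divides by zero, and the AL formula as written goes negative if a message is counted at more than one RSU). The following is an added illustration for this page, not the authors' NS-2 code: it implements AD and AL exactly as defined in the formulas above over a constructed trace of three vehicles, five messages and two RSUs. The dataclass names, the trace values and the assumption that each message is counted at a single RSU are mine.

```python
"""Added example: computing AD (average message delay) and AL (average
message loss rate) of Section 5.3.3 from a constructed simulation trace.
Illustrative code written for this page, not the authors' NS-2 code."""
from dataclasses import dataclass
from typing import List, Sequence


@dataclass(frozen=True)
class MessageTiming:
    """Timings (seconds) recorded for one message m sent by vehicle i."""
    t_sign: float    # T^i_{s->m}: time for vehicle i to sign m
    t_send: float    # T^i_{t->m->r}: time to deliver m from vehicle i to the RSU
    t_verify: float  # T^i_{r->v->m}: time for the RSU to authenticate m


@dataclass(frozen=True)
class VehicleTrace:
    """All messages sent by one vehicle i; N_m^i is len(messages)."""
    messages: List[MessageTiming]


def average_delay(vehicles: Sequence[VehicleTrace]) -> float:
    """AD = sum_i sum_m (T_s + T_t + T_r) / sum_i N_m^i."""
    total_delay = 0.0
    total_sent = 0
    for v in vehicles:
        for msg in v.messages:
            total_delay += msg.t_sign + msg.t_send + msg.t_verify
        total_sent += len(v.messages)
    if total_sent == 0:
        raise ValueError("no messages were sent; AD is undefined")
    return total_delay / total_sent


def average_loss(vehicles: Sequence[VehicleTrace],
                 received_per_rsu: Sequence[int]) -> float:
    """AL = (sum_i N_m^i - sum_j N_r^j) / (R_n * sum_i N_m^i), as written in
    the paper.  Assumption (not stated on the page): each message is counted
    at one RSU only, so total received never exceeds total sent; otherwise
    the numerator would turn negative, which is rejected here."""
    total_sent = sum(len(v.messages) for v in vehicles)
    total_received = sum(received_per_rsu)
    r_n = len(received_per_rsu)
    if total_sent == 0 or r_n == 0:
        raise ValueError("AL needs at least one sent message and one RSU")
    if total_received > total_sent:
        raise ValueError("more messages received than sent; check RSU counting")
    return (total_sent - total_received) / (r_n * total_sent)


# Constructed trace: three vehicles, five messages in total, two RSUs.
VEHICLES = [
    VehicleTrace([MessageTiming(0.002, 0.010, 0.004),
                  MessageTiming(0.002, 0.012, 0.004)]),
    VehicleTrace([MessageTiming(0.003, 0.015, 0.005)]),
    VehicleTrace([MessageTiming(0.002, 0.011, 0.004),
                  MessageTiming(0.002, 0.009, 0.004)]),
]
RECEIVED_PER_RSU = [2, 2]  # N_r^1, N_r^2: one of the five messages was lost


def run_example():
    """Return (AD, AL) for the constructed trace: (0.0178 s, 0.1)."""
    return average_delay(VEHICLES), average_loss(VEHICLES, RECEIVED_PER_RSU)


if __name__ == "__main__":
    ad, al = run_example()
    print(f"AD = {ad * 1000:.2f} ms, AL = {al:.3f}")
```

Feeding real per-message timings and per-RSU receive counts into `average_delay` and `average_loss` reproduces the quantities plotted in Fig. 2 and Fig. 3 for one value of the node count; sweeping the node count is a loop over traces of increasing size.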

 

6. Conclusions

 Aiming at the problems of privacy protection and anonymous authentication efficiency in VANET, this paper proposes an identity-based batch anonymous authentication scheme built on the bilinear pairing property of elliptic curves and the related hardness assumptions. In this scheme, the anonymity of vehicle identity and the signing of messages are realized jointly by the TPD in the on-board unit and the TA, which both enhances security and reduces the computational overhead of the TA. The random oracle model is employed to prove the scheme's anonymity and the non-forgeability of its signatures. The time and space complexity of the scheme is analysed, and a simulation compares it with existing schemes in terms of average message delay and loss rate. The results demonstrate that the proposed scheme has advantages in security, efficiency and feasibility, which makes it more suitable for deployment in VANET services and applications.

 

Acknowledgements

 This work is supported by the National Natural Science Foundation of China (61872126, 61772159, 61300216), the Program for Science & Technology Innovation Talents in Universities of Henan Province (18HASTIT022), the Science and Technology Research Program of Henan Province (182102110333, 172102310677) and the Doctoral Foundation of Henan Polytechnic University (B2012-057).

References

  1. R G Engoulou, M Bellaiche, S Pierre and A Quintero, "VANET security surveys," Computer Communications, vol. 44, pp. 1-13, 2014. https://doi.org/10.1016/j.comcom.2014.02.020
  2. X Liu, Z Fang and L Shi, "Securing Vehicular Ad Hoc Networks," in Proc. of International Conference on Pervasive Computing & Applications, July 2007.
  3. D He, S Zeadally, B Xu and X Huang, "An Efficient Identity-Based Conditional Privacy Preserving Authentication Scheme for Vehicular Ad Hoc Networks," IEEE Transactions on Information Forensics & Security, vol. 10, no. 12, pp. 2681-2691, Dec. 2015. https://doi.org/10.1109/TIFS.2015.2473820
  4. J K Liu, T H Yuen, M H Au and W Susilo, "Improvements on an authentication scheme for vehicular sensor networks," Expert Systems with Applications, vol. 41, no. 5, pp. 2559-2564, April 2014. https://doi.org/10.1016/j.eswa.2013.10.003
  5. J Whitefield, L Chen, T Giannetsos, S Schneider and H Treharne, "Privacy-enhanced capabilities for VANETs using direct anonymous attestation," Vehicular Networking Conference, pp. 123-130, Feb. 2018.
  6. Y Wang, H Zhong, Y Xu, J Cui and F Guo, "Efficient extensible conditional privacy preserving authentication scheme supporting batch verification for VANETs," International Journal of Network Security, vol. 9, no. 18, pp. 5460-5471, 2016.
  7. C L Chen, J Shin, Y T Tsai, A Castiglione and F Palmieri, "Securing Information Exchange in VANETs by Using Pairing-Based Cryptography," International Journal of Foundations of Computer Science, vol. 28, no. 6, pp. 781-797, 2017. https://doi.org/10.1142/S0129054117400184
  8. C Zhang, R Lu, X Lin, P H Ho and X Shen, "An Efficient Identity-based Batch Verification Scheme for Vehicular Sensor Networks," in Proc. of IEEE INFOCOM 2008-The 27th Conference on Computer Communications, pp. 246-250, 2008.
  9. M Raya, J P Hubaux, "The security of vehicular ad hoc networks," in Proc. of the 3rd ACM workshop on Security of ad hoc and sensor networks, pp. 11-21, Nov. 2005.
  10. X Lin, X Sun, P H Ho and X Shen, "GSIS: A Secure and Privacy-Preserving Protocol for Vehicular Communications," IEEE Transactions on Vehicular Technology, vol. 56, no. 6, pp. 3442-3456, Nov. 2007. https://doi.org/10.1109/TVT.2007.906878
  11. C Zhang, P H Ho and J Tapolcai, "On batch verification with group testing for vehicular communications," Wireless Networks, vol. 17, no. 8, pp. 1851-1865, Nov. 2011. https://doi.org/10.1007/s11276-011-0383-2
  12. J Sun, C Zhang, Y Zhang and Y Fang, "An Identity-Based Security System for User Privacy in Vehicular Ad Hoc Networks," IEEE Transactions on Parallel & Distributed Systems, vol. 21, no. 9, pp. 1227-1239, Jan. 2010. https://doi.org/10.1109/TPDS.2010.14
  13. C C Lee and Y M Lai, "Toward a secure batch verification with group testing for VANET," Wireless Networks, vol. 19, no. 6, pp. 1441-1449, Jan. 2013. https://doi.org/10.1007/s11276-013-0543-7
  14. M Bayat, M Barmshoory, M Rahimi and M R Aref, "A secure authentication scheme for VANETs with batch verification," Wireless Networks, vol. 21, no. 5, pp. 1-11, Dec. 2014. https://doi.org/10.1007/s10776-013-0233-5
  15. Y Liu, Z He, S Zhao and L Wang, "An efficient anonymous authentication protocol using batch operations for VANETs," Multimedia Tools & Applications, vol. 75, no. 24, pp. 17689-17709 , Jun. 2016. https://doi.org/10.1007/s11042-016-3614-9
  16. M Azees, P Vijayakumar and L J Deborah, "EAAP: Efficient Anonymous Authentication With Conditional Privacy Preserving Scheme for Vehicular Ad Hoc Networks," IEEE Transactions on Intelligent Transportation Systems, vol. 18, no. 9, pp. 1-10, Feb. 2017. https://doi.org/10.1109/TITS.2016.2638598
  17. P Vijayakumar, V Chang, L J Deborah, B Balusamy and P G Shynu, "Computationally Efficient Privacy Preserving Anonymous Mutual and Batch Authentication Schemes for Vehicular Ad Hoc Networks," Future Generation Computer Systems, vol. 78, pp. 943-955, Jan. 2018. https://doi.org/10.1016/j.future.2016.11.024
  18. S H Islam, M S Obaidat, P Vijayakumar, E Abdulhay, F Li and M K C Reddy, "A robust and efficient password-based conditional privacy preserving authentication and group-key agreement protocol for VANETs," Future Generation Computer Systems, vol 84, pp. 216-227, July. 2018. https://doi.org/10.1016/j.future.2017.07.002
  19. F Brezing and A Weng, "Elliptic Curves Suitable for Pairing Based Cryptography," Designs, Codes and Cryptography, vol. 37, no. 1, pp. 133-141, Oct. 2005. https://doi.org/10.1007/s10623-004-3808-4
  20. A Shamir, "Identity-Based Cryptosystems and Signature Schemes," in Proc. of Workshop on the theory and application of cryptographic techniques, vol.196, no. 2, pp. 47-53, Aug. 1984.
  21. L Chen and J Malone-Lee, "Improved identity-based signcryption," in Proc. of International Workshop on Public Key Cryptography, pp. 362-379, Jan. 2005.
  22. Z Tong, H Lu, M Haenggi and C Poellabauer, "A Stochastic Geometry Approach to the Modeling of DSRC for Vehicular Safety Communication," IEEE Transactions on Intelligent Transportation Systems, vol. 17, no. 5, pp. 1448-1458, Feb. 2016. https://doi.org/10.1109/TITS.2015.2507939

Cited by

  1. Securing Anonymous Authenticated Announcement Protocol for Group Signature in Internet of Vehicles vol.14, pp.11, 2019, https://doi.org/10.3837/tiis.2020.11.018
  2. Certificateless Multisignature Scheme Suitable for Network Coding vol.2021, 2019, https://doi.org/10.1155/2021/1609873