1874 IEEE TRANSACTIONS ON VEHICULAR TECHNOLOGY, VOL. 61, NO. 4, MAY 2012

CPAS: An Efficient Conditional Privacy-Preserving Authentication Scheme for Vehicular Sensor Networks

Kyung-Ah Shim

Abstract—In this paper, we propose a conditional privacy-preserving authentication scheme, called CPAS, using pseudo-identity-based signatures for secure vehicle-to-infrastructure communications in vehicular ad hoc networks. The scheme achieves conditional privacy preservation, in which each message launched by a vehicle is mapped to a distinct pseudo-identity, and a trust authority can always retrieve the real identity of a vehicle from any pseudo-identity. In the scheme, a roadside unit (RSU) can simultaneously verify multiple received signatures, thus considerably reducing the total verification time; an RSU can simultaneously verify 2540 signed messages/s. The time for simultaneously verifying 800 signatures in our scheme can be reduced by 18%, compared with the previous scheme.

Index Terms—Anonymity, batch verification, bilinear pairing, computational Diffie–Hellman (CDH) problem, digital signature, ID-based system, privacy preservation, traceability, unlinkability.

I. INTRODUCTION

WITH THE advancement and wide deployment of wireless communication technologies, car manufacturers and telecommunication industries have recently started to equip vehicles with wireless devices that allow the vehicles to communicate with each other and with the roadside infrastructure to enhance driving safety and improve the driving experience [17]. These types of vehicular communication networks, which are also referred to as vehicular ad hoc networks (VANETs), inherently provide an ideal means of collecting dynamic traffic information and sensing various physical quantities related to traffic distributions at a very low cost with a high level of accuracy. Such functionalities simply turn a VANET into a vehicular sensor network (VSN) [12], which is considered essential for achieving automatic and dynamic information collection and fusion in an intelligent transportation system [31]. VSNs have the potential to revolutionize the driving experience and create a new metropolitan-area traffic flow control framework. They will undoubtedly play an important role in future wireless metropolitan-area networks. VANETs are a subgroup of mobile ad hoc networks (MANETs) with the distinguishing property that the nodes are vehicles such as cars, trucks, buses, and motorcycles. However, vehicles are not subject to the strict energy, space, and computing capability restrictions normally adopted for MANETs. More challenging are the potentially very high speed of the nodes (up to 250 km/h) and the large dimensions of the VANETs. Due to the high-speed mobility of a VANET, timely communications and strict time constraints should be enforced. A VANET consists of onboard units (OBUs) installed on vehicles, roadside units (RSUs) along the roads, and trusted authorities (TAs). In VANETs, OBUs frequently broadcast routine traffic-related messages with information about such factors as traffic events, current time, and the position, direction, and speed of vehicles and whether they are accelerating or decelerating. By frequently broadcasting and receiving traffic-related messages, drivers can gain better awareness of their driving environment. They can take early action to respond to an abnormal situation to avoid possible damage, or they can follow a better route that circumvents a traffic bottleneck. In addition, with a VANET connected to the backbone Internet, passengers sitting in vehicles can go online to enjoy various entertainment-related Internet services with their laptops. These services include downloading/uploading data from the Internet, obtaining local information (e.g., road maps and hotel information), and viewing electronic advertisements. Intervehicle (vehicle-to-vehicle; V-to-V) communications or communications with roadside infrastructure (vehicle-to-infrastructure; V-to-I) bring the promise of improved road safety and optimized road traffic through cooperative system applications.

Manuscript received April 12, 2011; revised August 4, 2011, October 25, 2011, and December 15, 2011; accepted January 20, 2012. Date of publication February 6, 2012; date of current version May 9, 2012. This work was supported by the National Institute for Mathematical Sciences Grant B21203 funded by the government of Korea. The review of this paper was coordinated by Prof. J. Misic.

The author is with the Division of Fusion and Convergence of Mathematical Sciences, National Institute for Mathematical Sciences, Daejeon 305-390, Korea (e-mail: [email protected]).

Color versions of one or more of the figures in this paper are available online at http://ieeexplore.ieee.org.

Digital Object Identifier 10.1109/TVT.2012.2186992

Our main contributions in this paper are given as follows: 1) We first propose an identity (ID)-based signature (IBS) scheme KIBS that is secure in the random oracle model under the computational Diffie–Hellman (CDH) assumption. The KIBS scheme uses general hash functions instead of an inefficient special function known as the MapToPoint function. 2) We construct a secure conditional privacy-preserving authentication scheme CPAS for secure V-to-I communications using a pseudo-IBS scheme based on the KIBS scheme, which keeps a balance between privacy and traceability and achieves anonymous authentication, message integrity, traceability, and unlinkability. 3) The CPAS scheme supports the fastest batch verification process at the RSUs, where the time for verifying 750 signatures simultaneously is less than 300 ms.

0018-9545/$31.00 © 2012 IEEE


SHIM: CPAS: CONDITIONAL PRIVACY-PRESERVING AUTHENTICATION SCHEME FOR VSNs 1875

The rest of this paper is organized as follows: A survey of related works is provided in Section II. In Section III, we propose a new IBS scheme that does not rely on the MapToPoint function and give its security proof in the random oracle model under the CDH assumption. In Section IV, we construct a privacy-preserving pseudo-ID-based authentication scheme for secure V-to-I communications. We then give a security analysis of our scheme and conduct a performance evaluation. Concluding remarks are given in Section V.

II. RELATED WORKS

VANETs are formed by mobile nodes embedded in vehicles, which are connected in a self-organized manner without an underlying hierarchical infrastructure. Messages from an OBU have to be checked for integrity and authenticated before they can be deemed reliable. Otherwise, an attacker can replace the safety message from a vehicle or even impersonate a vehicle to transmit a fake safety message. Advanced cryptography can be used to make such messages secure and trustworthy. Before putting the aforementioned attractive applications into practice in VANETs, we must resolve security and privacy issues. The V-to-I communication scenario is subject to the following security requirements: source authentication, message integrity, identity privacy preservation, traceability, and unlinkability. At the time of authentication, the identities of claimants must be hidden from a vehicle; on the other hand, the authority should be able to trace the claimant or the sender of a message by revealing its identity when required. Thus, privacy must be preserved and conditional. Unlinkability is stronger than anonymity and refers to the fact that different interactions of the same user cannot be related. Unlinkability prevents user tracking and profiling. To ensure both source authentication and message integrity in VANETs, one appealing solution is to sign each message with a digital signature before the message is sent. However, traditional public key infrastructure (PKI)-based signature schemes that verify the received messages may fail to satisfy the stringent time requirement of vehicular communication applications. In this scenario, according to the Dedicated Short-Range Communications (DSRC) protocol [4], an RSU can communicate with hundreds of OBUs [30], each sending a safety-related message to the RSU every 100–300 ms. In this case, sequentially verifying a large number of signatures can become a time-consuming process and can therefore create a processing bottleneck at the RSU. For instance, in a high-density traffic scenario, there may be roughly 180 vehicles within the communication range of an RSU, and each vehicle is sending a message every 300 ms. This implies that a verifier (such as an RSU) must verify around 600–2000 messages/s, which is clearly a challenge for any current digital signature scheme. The maintenance of public key certificates under the PKI incurs considerable communication/computation overhead, so ID-based cryptography [26] may be particularly suitable for VANETs, as the work required for certificate management and the transmission overhead can be significantly reduced. Thus, ID-based cryptography and an efficient means of verifying a batch of signatures within a short period of time are desirable.

Raya and Hubaux [22] and Lu et al. [15] proposed PKI-based schemes, in which each vehicle is preloaded with a large number of anonymous public/private key pairs, together with the corresponding public key certificates. To achieve privacy, this approach requires a public/private key pair with a short lifetime, with a pseudo-ID used in each public key certificate. Therefore, it requires a large storage capacity and incurs high verification costs. Moreover, its certificate revocation list (CRL), which is produced by a TA, is typically bulky, rendering the revocation protocols highly inefficient. Gamage et al. [6] adopted an ID-based ring signature scheme to achieve signer ambiguity and hence fulfill the privacy requirement in VANET applications. However, it does not provide conditional privacy, meaning that traceability cannot be achieved. To achieve conditional privacy, group-signature-based authentication schemes were proposed in [13], [14], [24], [28], and [29], where a group manager who possesses the group master key can reveal the real identity of any group member. A secure privacy-preserving protocol, GSIS, for VANETs [15] uses group signatures for V-to-V communications and IBSs for V-to-I communications. Its group-signature-based V-to-V communications reduce the storage cost of the public/private key pairs and the bandwidth consumption used to transmit the CRL. The size of the CRL and the checking costs are two important performance metrics for a revocation mechanism. Unfortunately, pseudonym-based authentication schemes in the PKI are prone to generate a huge CRL, whereas the checking cost in group-signature-based schemes is unacceptable for vehicles with limited computation power.

Recently, Zhang et al. [34] proposed an ID-based batch verification scheme based on bilinear pairings for secure V-to-I communications. They used a pseudo-ID-based one-time signature scheme, which removes the transmission and verification cost of certificates for public keys. It reduces the overall verification delay of a batch of message signatures, and its batch verification process for signatures from multiple vehicles is much faster than that of other PKI-based schemes, such as the Elliptic Curve Digital Signature Algorithm (ECDSA), despite the heavy pairing computation. However, Zhang et al. assumed that a long-term system master secret s is preloaded into all tamper-proof devices, and all security functions rely on it. In fact, tamper-proof devices are popular for protecting sensitive data such as cryptographic keys in these embedded devices. However, recent studies [1], [21] have shown that adversaries can effectively extract the sensitive data from tamper-proof devices by launching side-channel attacks, such as power analysis and laser scanning. Thus, their security assumption is too strong to be accepted: once one of the tamper-proof devices is cracked by a side-channel attack and the system master secret is leaked to an adversary, the whole system will be compromised. Our scheme still makes use of tamper-proof devices, but the strong assumption that a long-term system master secret is preloaded into all tamper-proof devices is removed. Furthermore, Zhang et al.'s scheme requires a special hash function known as the MapToPoint function in signature generation/verification, which is used to map (pseudo-)identity information into a point on an elliptic curve. The function is inefficient and probabilistic, and while there has been much discussion regarding the construction of such a hash algorithm, there has been no efficient deterministic polynomial time algorithm proposed for it thus far.

A key challenge in this paper is to reduce the verification cost. To do this, we use a new pseudo-IBS scheme without the MapToPoint function, thus providing the fastest batch verification process. We propose a conditional privacy-preserving authentication scheme CPAS based on our pseudo-IBS scheme for secure V-to-I communications, which still makes use of tamper-proof devices, but the strong assumption that a long-term system master secret is preloaded into all tamper-proof devices is removed. It supports the fastest batch verification process at the RSUs and achieves anonymous authentication, message integrity, traceability, and unlinkability. The time for simultaneously verifying 800 signatures in our scheme can be reduced by up to 18% compared with the Zhang et al. scheme. In addition, an RSU in our scheme can simultaneously verify 2540 signed messages/s.

III. PRELIMINARIES

We first describe the mathematical tools and cryptographic primitives used as building blocks in our authentication scheme.

A. Definitions and Computational Assumptions

We briefly review the necessary facts about bilinear maps and groups [2], [3].

1) $(G_1, *)$, $(G_2, *)$, and $(G_T, *)$ are three cyclic groups of prime order $q$.

2) $g_1$ is a generator of $G_1$, and $g_2$ is a generator of $G_2$.

3) $e : G_1 \times G_2 \to G_T$ is a bilinear map, i.e., a map satisfying the following properties:

a) Bilinearity: $e(u^a, v^b) = e(u, v)^{ab}$ for all $u \in G_1$, $v \in G_2$, and $a, b \in \mathbb{Z}$.

b) Nondegeneracy: $e(g_1, g_2) \neq 1$ and is, thus, a generator of $G_T$.

Formally, one defines a bilinear group generation algorithm $\mathcal{G}$ that takes as input a security parameter $k \in \mathbb{Z}^+$ and outputs the description of groups $G_1$, $G_2$, and $G_T$ and a bilinear map $e : G_1 \times G_2 \to G_T$. There exist probabilistic polynomial time algorithms (in $k$) for computing the group operations in $G_1$, $G_2$, $G_T$, and the bilinear map $e$.

We define the general notion of bilinear groups as follows:

Definition 3.1: We say that $(G_1, G_2)$ are a bilinear group pair if there exists a group $G_T$ and a nondegenerate bilinear map $e : G_1 \times G_2 \to G_T$, such that the group order $q = |G_1| = |G_2| = |G_T|$ is prime, and the pairing $e$ and the group operations in $G_1$, $G_2$, and $G_T$ are all efficiently computable.

We consider the problem and assumption that will be used for the security proof of our signature schemes.

Definition 3.2 [CDH Problem]: Given $(g, g^x, g^y)$, compute $g^{xy}$, where $x, y \in_R \mathbb{Z}_q^*$ and $g$ is a generator of $G_1$.

Definition 3.3 [CDH Assumption]: Let $\mathcal{G}$ be a CDH parameter generator. We say that an algorithm $\mathcal{A}$ has advantage $\varepsilon(k)$ in solving the CDH problem for $\mathcal{G}$ if, for a sufficiently large $k$,

$$\mathrm{Adv}_{\mathcal{G},\mathcal{A}}(t) = \Pr\left[\mathcal{A}(q, G_1, g, g^x, g^y) = g^{xy} \;\middle|\; (q, G_1) \leftarrow \mathcal{G}(1^k),\ g \leftarrow G_1,\ x, y \leftarrow \mathbb{Z}_q^*\right] \geq \varepsilon(k).$$

We say that $\mathcal{G}$ satisfies the CDH assumption if, for any randomized algorithm $\mathcal{A}$ running in polynomial time $t$, $\mathrm{Adv}_{\mathcal{G},\mathcal{A}}(t)$ is a negligible function. When $\mathcal{G}$ satisfies the CDH assumption, we say that the CDH problem is hard in $G_1$ generated by $\mathcal{G}$. We say that an algorithm $\mathcal{A}$ $(t, \varepsilon)$-breaks the CDH problem in $\mathcal{G}$ if $\mathcal{A}$ solves the CDH problem in time $t$ and $\mathrm{Adv}_{\mathcal{G},\mathcal{A}}$ is at least $\varepsilon$. We say that the CDH problem is $(t, \varepsilon)$-hard if there is no algorithm that $(t, \varepsilon)$-breaks the CDH problem.

B. Signature Scheme: KSS

To construct an IBS scheme without using the MapToPoint function, we first propose a new standard signature (SS) scheme KSS. Let $(G_1, G_2)$ be a bilinear group pair, where $|G_1| = |G_2| = q$ for some prime $q$. We set $G_1 = G_2$. We adopt the definition and formal security model of SS schemes in [9]. The KSS scheme is given as follows:

1) Setup. Run the parameter generator $\mathcal{G}$ on input a security parameter $k \in \mathbb{Z}^+$ to generate a prime $q$, two groups $G_1$ and $G_T$ of order $q$, a generator $P$ of $G_1$, and a bilinear pairing $e : G_1 \times G_1 \to G_T$. Choose a cryptographic hash function $H_1 : \{0,1\}^* \to \mathbb{Z}_q$.

2) KeyGen. Pick a random $x \in \mathbb{Z}_q^*$ and $Q \in_R G_1$, compute $Y = xP$, and set $PK = (Y, Q)$ as the public key and $SK = x$ as the secret key.

3) Sign. For a given $m \in \{0,1\}^*$, choose a random number $k \in \mathbb{Z}_q^*$, and compute $T = kP$, $h = H_1(m, T) \in \mathbb{Z}_q$, and $S = (x + h \cdot k) \cdot Q$. Output $\sigma = (T, S)$ as the signature on $m$ under $PK$.

4) Vfy. Given a signature $\sigma = (T, S)$ on $m$ under $PK = (Y, Q)$, compute $h = H_1(m, T)$, and verify whether $e(S, P) = e(Y + h \cdot T, Q)$ holds or not. If it holds, accept the signature.

We show that the KSS scheme is existentially unforgeable under an adaptive chosen-message attack in the random oracle model.

Theorem 3.1: Suppose that the $(t', \varepsilon')$-CDH assumption holds in $G_1$. Then, the KSS scheme is $(t, q_S, \varepsilon)$-euf-cma for all $t$ and $\varepsilon$ satisfying $\varepsilon \geq 4 q_S (n_m + 1) \cdot \varepsilon'$ and $t' = t + O(q_S)$.

Proof: Suppose that $\mathcal{A}$ is a forger who breaks the KSS scheme. Algorithm $\mathcal{B}$ is given a CDH instance $(P, xP, yP)$ for $x, y \in_R \mathbb{Z}_q$. By using $\mathcal{A}$, we will construct an algorithm $\mathcal{B}$ that outputs the CDH solution $xyP$. Algorithm $\mathcal{B}$ performs the following simulation by interacting with $\mathcal{A}$.

Setup: Algorithm $\mathcal{B}$ sets $Y = xP$ and $Q = yP$ and starts by giving $\mathcal{A}$ the system parameters Params and the public key $(Y, Q)$.

$H_1$-Queries: To respond to $H_1$ queries, $\mathcal{B}$ maintains a list of tuples $(M, T, h)$, as explained here. We refer to this list as the $H_1$-list. When $\mathcal{A}$ queries the oracle $H_1$ at $(M, T)$, $\mathcal{B}$ responds as follows.

1) If the query $(M, T)$ already appears on the $H_1$-list in a tuple $(M, T, h)$, then $\mathcal{B}$ responds with $H_1(M, T) = h \in \mathbb{Z}_q$.

2) Otherwise, $\mathcal{B}$ picks a random $h \in \mathbb{Z}_q$, adds the tuple $(M, T, h)$ to the $H_1$-list, and responds to $\mathcal{A}$ with $H_1(M, T) = h$.

At any time, $\mathcal{A}$ can query the signing oracle. To answer these queries, $\mathcal{B}$ does the following:

Sign Queries: When $\mathcal{A}$ makes a Sign-query on $M$ under the public key, $\mathcal{B}$ chooses $k, h \in_R \mathbb{Z}_q$ and computes $T = h^{-1}(kP - Y)$ and $S = kQ$. Then, $\sigma = (T, S)$ is a valid signature on $M$ under $(Y, Q)$ since it satisfies $e(Y + h \cdot T, Q) = e(kP, Q) = e(S, P)$. If the tuple $(M, T, h)$ already appears on the $H_1$-list, $\mathcal{B}$ chooses another $k, h \in \mathbb{Z}_q^*$ and tries again. Then, $\mathcal{B}$ responds to $\mathcal{A}$ with $\sigma = (T, S)$ and stores $(M, T, h)$ in the $H_1$-list.

Note that $\mathcal{A}$'s view is identical to its view in the real attack.

Output: By the Forking Lemma [20], after replaying $\mathcal{A}$ with the same random tape, $\mathcal{B}$ obtains two valid signatures $\sigma = (M^*, h, T, S)$ and $\sigma' = (M^*, h^*, T, S^*)$ within a polynomial time, where

$$S = (x + hk) \cdot Q, \qquad S^* = (x + h^* k) \cdot Q.$$

Then, $\mathcal{B}$ computes

$$\left[h^{-1} - (h^*)^{-1}\right]^{-1}\left[h^{-1} S - (h^*)^{-1} S^*\right] = x \cdot Q = xyP.$$

Finally, $\mathcal{B}$ outputs $xyP$ as the solution to the CDH instance. □

C. New IBS Scheme: KIBS

The ID-based infrastructure allows a user's public key to be easily derivable from her known identity information such as an email address [26]. The ID-based infrastructure involves users and a private key generator (PKG) having a master public/secret key pair, and the PKG is responsible for generating private keys for users. Such cryptosystems alleviate the certificate overhead and solve the problems of PKI technology. Now, we propose a new IBS scheme KIBS based on the KSS scheme. We adopt the definition and formal security model of the IBS schemes in [27].

KIBS Scheme:

• Setup. Given a security parameter $k \in \mathbb{Z}^+$, the algorithm works as follows.

1) Run the parameter generator $\mathcal{G}$ on input $k$ to generate a prime $q$; two groups $G_1$ and $G_T$ of order $q$; three distinct generators $P$, $Q$, and $Q'$ of $G_1$; and a bilinear pairing $e : G_1 \times G_1 \to G_T$. Pick a random $s \in \mathbb{Z}_q^*$, and set $P_{Pub} = sP$.

2) Choose two cryptographic hash functions $H_1 : \{0,1\}^* \to \mathbb{Z}_q$ and $H_2 : \{0,1\}^* \to \mathbb{Z}_q$. The system parameters are $\mathrm{Params} = \langle q, G_1, G_T, e, P, P_{Pub}, Q, Q', H_1, H_2 \rangle$.

• Extract. For a given string $ID \in \{0,1\}^*$, the following steps are taken:

1) Choose $k \in_R \mathbb{Z}_q^*$, and compute $T_{ID} = kP$.

2) Compute $h = H_1(ID, T_{ID}) \in \mathbb{Z}_q$ and $S_{ID} = (s + h \cdot k) \cdot Q$, and set the private key $(T_{ID}, S_{ID})$ corresponding to $ID$, where $s$ is the master secret.

• IB-Sign. Given a private key $(T_{ID}, S_{ID})$ and a message $M \in \{0,1\}^*$, two steps occur.

1) Choose $r \in_R \mathbb{Z}_q^*$, and compute $U = r \cdot P \in G_1$.

2) Compute $h' = H_2(ID, M, T_{ID}, U) \in \mathbb{Z}_q$ and $V = h' \cdot S_{ID} + r \cdot Q'$. Then, $\tau = (T_{ID}, U, V)$ is a signature on $M$ for $ID$.

• IB-Vfy. Given a signature $\tau = (T_{ID}, U, V)$ on $M$ for an identity $ID$, compute $h = H_1(ID, T_{ID})$ and $h' = H_2(ID, M, T_{ID}, U) \in \mathbb{Z}_q$, and verify whether

$$e(V, P) = e\left(h' \cdot [P_{Pub} + h \cdot T_{ID}],\ Q\right) \cdot e(U, Q')$$

holds or not. If it holds, accept the signature.
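To make the equations of Sections III-B and III-C concrete, here is an added example; it is not code from the paper and not a secure implementation. It instantiates KSS and KIBS over a scalar stand-in for the bilinear group pair: $G_1$ is the additive group $\mathbb{Z}_q$ with $P = 1$, and the pairing is $e(A, B) = g^{AB}$ in an order-$q$ subgroup of $\mathbb{Z}_p^*$. That map is bilinear and non-degenerate, so every verification equation above holds as written, but a "point" reveals its scalar, so the code serves only to check the algebra. The parameter search, the hash encoding, hashing into $\mathbb{Z}_q^*$ rather than $\mathbb{Z}_q$, and all function names are this example's own choices. Beyond the two schemes, it also shows the signing-oracle simulation from the proof of Theorem 3.1, which yields signatures without $x$ only because the simulator programs $H_1(m, T) := h$, and a generic batch check obtained by multiplying the individual IB-Vfy equations; the paper's own RSU batch equation (Section IV) is not on this page.

```python
"""Toy instantiation of the KSS and KIBS schemes of Sections III-B and III-C.

Added example, not code from the paper. The bilinear group pair is replaced by
a scalar stand-in: G1 = (Z_q, +) with generator P = 1, so the "point" a*P is
the integer a mod q, and e(A, B) = g^(A*B) in the order-q subgroup of Z_p^*.
The map is bilinear and non-degenerate, so the paper's verification equations
hold exactly as written, but nothing here is secure (a point reveals its
scalar); it exists only to make the algebra of the equations concrete.
"""
import hashlib
import secrets

def _is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

q = 10 ** 6   # constructed toy parameters: the first q >= 10^6 with q and 2q + 1 prime
while not (_is_prime(q) and _is_prime(2 * q + 1)):
    q += 1
p = 2 * q + 1
g = 4   # 2^2 is a quadratic residue mod p, hence generates the order-q subgroup
P = 1   # generator of the additive toy group G1 = Z_q

def pairing(A, B):
    """e(A, B) = g^(A*B): bilinear because (aA)(bB) = ab(AB) in Z_q."""
    return pow(g, (A * B) % q, p)

def rand_nonzero():
    return 1 + secrets.randbelow(q - 1)      # uniform element of Z_q^*

def H(tag, *parts):
    """Hash to Z_q^*; the tag keeps H1 and H2 independent. The paper writes Z_q,
    but both proofs invert h and h', so 0 is excluded here."""
    data = tag.encode() + b"|" + b"|".join(str(x).encode() for x in parts)
    return 1 + int.from_bytes(hashlib.sha256(data).digest(), "big") % (q - 1)

# KSS (Section III-B): PK = (Y, Q), SK = x, signature sigma = (T, S).
def kss_keygen():
    x, Q = rand_nonzero(), rand_nonzero()
    return (x * P % q, Q), x

def kss_sign(sk, pk, m):
    k = rand_nonzero()
    T = k * P % q
    return (T, (sk + H("H1", m, T) * k) * pk[1] % q)   # S = (x + h*k)*Q

def kss_verify(pk, m, sig, h=None):
    """Vfy: accept iff e(S, P) = e(Y + h*T, Q). Passing h explicitly models a
    programmed random oracle; only the proof simulation below needs that."""
    Y, Q = pk
    T, S = sig
    if h is None:
        h = H("H1", m, T)
    return pairing(S, P) == pairing((Y + h * T) % q, Q)

def kss_simulated_signature(pk, k, h):
    """Signing-oracle simulation from the proof of Theorem 3.1: knowing only Y,
    set T = h^{-1}(kP - Y) and S = kQ; valid once H1(m, T) is programmed to h."""
    Y, Q = pk
    return (pow(h, -1, q) * (k * P - Y) % q, k * Q % q)

# KIBS (Section III-C): Params = (PPub, Q, Q'), master secret s.
def kibs_setup():
    s, Q, Qp = rand_nonzero(), rand_nonzero(), rand_nonzero()   # Qp stands for Q'
    return {"PPub": s * P % q, "Q": Q, "Qp": Qp}, s

def kibs_extract(params, s, ID):
    """Private key (T_ID, S_ID): a KSS signature on ID under (PPub, Q)."""
    k = rand_nonzero()
    T_ID = k * P % q
    return (T_ID, (s + H("H1", ID, T_ID) * k) * params["Q"] % q)

def kibs_sign(params, key, ID, M):
    T_ID, S_ID = key
    r = rand_nonzero()
    U = r * P % q
    V = (H("H2", ID, M, T_ID, U) * S_ID + r * params["Qp"]) % q
    return (T_ID, U, V)

def _kibs_rhs(params, ID, M, tau):
    """Right-hand side of IB-Vfy: e(h'[PPub + h*T_ID], Q) * e(U, Q')."""
    T_ID, U, _ = tau
    h = H("H1", ID, T_ID)
    hp = H("H2", ID, M, T_ID, U)
    inner = hp * (params["PPub"] + h * T_ID) % q
    return pairing(inner, params["Q"]) * pairing(U, params["Qp"]) % p

def kibs_verify(params, ID, M, tau):
    return pairing(tau[2], P) == _kibs_rhs(params, ID, M, tau)

def kibs_batch_verify(params, batch):
    """One left-hand pairing for n signatures: by bilinearity e(sum V_i, P) equals
    the product of the individual right-hand sides. Generic argument, not the
    paper's Section IV equation; signatures whose errors cancel would still pass."""
    v_sum, rhs = 0, 1
    for ID, M, tau in batch:
        v_sum = (v_sum + tau[2]) % q
        rhs = rhs * _kibs_rhs(params, ID, M, tau) % p
    return pairing(v_sum, P) == rhs
```

Two details carry the security content. A pair produced by `kss_simulated_signature` satisfies the KSS equation only for the `h` the simulator chose, which is exactly why the proof needs the random oracle: `kss_verify(pk, m, sig, h=h)` accepts it, while `kss_verify(pk, m, sig)` with the real hash rejects it. The private key returned by `kibs_extract` passes `kss_verify` under `(PPub, Q)`, which is the structural fact the reduction in Theorem 3.2 exploits. The batch check is deliberately the naive product of equations; a deployment would weight each signature by a fresh random multiplier so that two bad signatures cannot cancel.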

Now, we prove the security of the KIBS scheme in the random oracle model. We treat $H_1$ and $H_2$ as random oracles. Let an adversary $\mathcal{A}$ be a probabilistic polynomial time algorithm whose input is $\mathrm{Params} = \langle q, G_1, G_T, e, P, H_1, H_2 \rangle$, where $q \geq 2^k$. The adversary $\mathcal{A}$ can make $q_{H_1}$ queries to the $H_1$ hash, $q_{H_2}$ queries to the $H_2$ hash, $q_E$ queries to Extract, and $q_{IS}$ queries to IB-Sign.

Theorem 3.2: If the KSS scheme is $(t, q_S, \varepsilon)$-euf-cma, then the KIBS scheme is $(t, q_{H_1}, q_{H_2}, q_E, q_{IS}, \varepsilon)$-secure against existential forgery under an adaptive chosen-message and adaptive chosen-ID attack, for any $t$ and $\varepsilon$ satisfying $\varepsilon \approx \varepsilon'$ and $t' = t + O(q_S)$.

Proof: Suppose that $\mathcal{A}$ is a forger who breaks the KIBS scheme. A public key $PK = (Y, Q)$ is given for $x \in_R \mathbb{Z}_q^*$, where $Y = xP$. By using the forgery algorithm $\mathcal{A}$, we will construct an algorithm $\mathcal{B}$ that outputs a forgery of the KSS scheme. Algorithm $\mathcal{B}$ performs the following simulation by interacting with $\mathcal{A}$.

Setup: Algorithm $\mathcal{B}$ sets $P_{Pub} = Y = xP$, chooses $\mu \in_R \mathbb{Z}_q^*$, computes $Q' = \mu P \in G_1$, and starts by giving $\mathcal{A}$ the system parameters Params, including $\langle P, P_{Pub}, Q, Q' \rangle$.

At any time, $\mathcal{A}$ can query the random oracles $H_1$ and $H_2$ and the Extract and IB-Sign oracles. To answer these queries, $\mathcal{B}$ does the following:

$H_1$ and $H_2$ Queries: To respond to $H_1$ queries ($H_2$ queries), $\mathcal{B}$ maintains a list of tuples $(ID, T, h)$ ($(ID, M, T, U, h')$), as explained here. We refer to this list as the $H_1$-list ($H_2$-list). When $\mathcal{A}$ queries the oracle $H_1$ ($H_2$) at $(ID, T)$ ($(ID, M, T, U)$), $\mathcal{B}$ responds as follows.

1) If the query $(ID, T)$ ($(ID, M, T, U)$) already appears on the $H_1$-list ($H_2$-list) in a tuple $(ID, T, h)$ ($(ID, M, T, U, h')$), then $\mathcal{B}$ responds with $H_1(ID, T) = h \in \mathbb{Z}_q$ ($H_2(ID, M, T, U) = h'$).

2) Otherwise, $\mathcal{B}$ picks a random $h \in \mathbb{Z}_q$ ($h' \in \mathbb{Z}_q$), adds the tuple $(ID, T, h)$ ($(ID, M, T, U, h')$) to the $H_1$-list ($H_2$-list), and responds to $\mathcal{A}$ with $H_1(ID, T) = h$ ($H_2(ID, M, T, U) = h'$).

Extract Queries: When $\mathcal{A}$ queries the private key corresponding to $ID_i$, $\mathcal{B}$ requests a signature $S_i \leftarrow \mathrm{Sign}(x, ID_i)$ on $ID_i$ under $(Y, Q)$ from the signing oracle of the KSS scheme. Then, $\mathcal{B}$ responds to $\mathcal{A}$ with $S_i$ and stores $(ID_i, S_i)$ in the Ext-list.

IB-Sign Queries: When $\mathcal{A}$ makes an IB-Sign-query on $M$ for $ID_i$, $\mathcal{B}$ finds the corresponding pair $(ID_i, S_i)$ in the Ext-list.


• If $(ID_i, S_i)$ already appears on the Ext-list, then $\mathcal{B}$ can compute a signature $\sigma_i$ by performing the signing algorithm.

• Otherwise, $\mathcal{B}$ issues an Extract-query to obtain the corresponding private key $S_i$. Then, $\mathcal{B}$ computes a signature $\sigma_i$ on $M$ for $ID_i$ using $S_i$, responds to $\mathcal{A}$ with $\sigma_i$, and stores $(ID_i, S_i)$ in the Ext-list.

Note that $\mathcal{A}$'s view is identical to its view in the real attack.

Output: Eventually, $\mathcal{A}$ outputs a forgery $\tau^* = (T^*, U^*, V^*)$ on $m^*$ for $ID^*$ such that $ID^*$ has never been requested from the private key extraction oracle and the pair $(m^*, ID^*)$ has never been requested from the IB-Sign oracle, where $T^* = kP$, $U^* = rP$, and $V^* = h' S_{ID^*} + r \cdot Q'$. Algorithm $\mathcal{B}$ computes $(h')^{-1}(V^* - \mu U^*) = S_{ID^*}$. Then, $(T^*, S_{ID^*})$ is a valid signature on $ID^*$ under $PK$ of the KSS scheme. Finally, $\mathcal{B}$ outputs $(T^*, S_{ID^*})$ as a forgery of the KSS scheme. □

IV. CPAS: A CONDITIONAL PRIVACY-PRESERVING AUTHENTICATION SCHEME FOR SECURE VEHICLE-TO-INFRASTRUCTURE COMMUNICATIONS

Here, we propose a secure conditional privacy-preserving authentication scheme CPAS based on the KIBS scheme for secure V-to-I communications.

A. System Model and Security Requirements

The system consists of four network entities, i.e., two TAs, namely, a trace authority (TRA) and a PKG; immobile RSUs at the roadside; and mobile OBUs equipped on the vehicles. The TRA, which is in charge of the registration of RSUs and OBUs, can reveal the actual identity behind a signed message from an OBU. The PKG is responsible for generating and assigning private keys for OBUs and RSUs. We assume the following: 1) The TRA and PKG are always trusted and can never be compromised. Of course, we assume that the two TAs do not collude. They are also powered with sufficient computation and storage capability. The OBUs have limited computational power, whereas the RSUs have greater computation power than the OBUs. 2) Each vehicle has reliable positioning [e.g., a global positioning system (GPS)] and can get accurate time information. Based on this system, vehicles compare the physical location of the message sender with the location information in the RSU's identity string. 3) Each vehicle is equipped with a tamper-proof device, which prevents an adversary from extracting any data stored in the device, including the private key, the data, and the code [10], [22]. Vehicles will also store their own private keys corresponding to the pseudo-IDs in the device, which is responsible for signing outgoing messages. The device should have its own battery (which can be recharged from the vehicle) and clock (which can be securely resynchronized while passing by a trusted roadside base station). The cryptographic keys of the vehicle can be renewed during periodic technical checkups. These features are currently available on several commercial products [32].

We introduce a two-layer vehicular network model, as presented in [34]. The lower layer is composed of OBUs and RSUs. According to [4], the medium used for communications between OBUs and RSUs is 5.9-GHz DSRC, standardized as IEEE 802.11p. Each vehicle has its own real identity, pseudo-ID, and private key, with which all messages are signed before being sent to a nearby RSU. Each RSU that receives traffic-related information is responsible for verifying the digital signatures on the messages. The top layer is comprised of application servers (such as a traffic control analysis center) and the TAs. The RSUs communicate with an application server and the TAs using a secure transmission protocol, such as Transport Layer Security over wired links. The RSUs are responsible for forwarding the valid messages received from OBUs to the application server. The application server is in charge of further analysis and/or feedback to the RSUs after collecting traffic-related information, such as the current time, location, instances of traffic accidents, the traffic distribution, and road weather information [23], from the RSUs. As secure vehicular communications are mainly meant for civilian applications, in most highway scenarios RSUs are assumed to connect with the TAs by wired links or via any other link offering high bandwidth, low delay, and low bit error rates. RSUs also communicate with each other either via the TAs or through a secure and reliable peer-to-peer channel.

We aim to design a scheme that satisfies the following security requirements.

1) Authentication and message integrity: Messages from vehicles have to be authenticated so that an RSU can confirm that they were indeed sent by legitimate entities and were neither modified nor forged in transit.

2) Identity privacy preservation: The real identity of a vehicle should be kept anonymous with regard to other vehicles, and a third party should not be able to reveal a vehicle's real identity by analyzing multiple messages sent by it.

3) Traceability: Although a vehicle's real identity should be hidden from other vehicles, the TRA should be able to retrieve a vehicle's real identity from its pseudo-ID whenever a signature is in dispute or the content of a message is found not to be genuine.

B. Our Construction: CPAS

Our conditional privacy-preserving authentication scheme CPAS consists of four phases, i.e., System Parameters Setup, Pseudo-Identity Generation/Private Key Extraction, Message Signing, and Batch Verification of Traffic Information Messages. In the System Parameters Setup phase, the TAs generate the system parameters. In the Pseudo-Identity Generation/Private Key Extraction phase, the TRA generates pseudo-IDs for vehicles after verifying their real identities, and the PKG then computes private keys corresponding to the pseudo-IDs. Unlike sensors and some mobile nodes, storage is not a stringent requirement for vehicles, which makes preloading a large pool of pseudo-IDs feasible. Raya and Hubaux [22] quantitatively studied the storage space requirement for preloading anonymous keys (pseudonyms) and associated certificates. Their results were obtained by quantifying the upper and lower bounds of the pseudonym change interval needed to maintain a satisfactory degree of privacy. We use this preloading method with our IBS scheme: a pool of pseudo-IDs with short expiration times, together with the corresponding private keys, is loaded into the vehicle by the TAs in the Pseudo-Identity Generation/Private Key Extraction phase. When the network is accessible and less busy at some time close to an update, the pseudo-ID pool is replenished via a secure channel between the vehicle and the TAs after proper authentication. Through these two initialization phases, all vehicles are registered with the TAs and preloaded with the system parameters and their own pseudo-IDs and private keys. In the Message Signing and Batch Verification of Traffic Information Messages phases, each vehicle sends signed messages to a nearby RSU, and the RSU verifies multiple signatures from the vehicles. The notations used throughout this paper are listed in Table I.

CPAS Scheme: Vehicle to RSU:

[System parameters setup]: Prior to the deployment of the network, the TRA and the PKG generate the system parameters as follows.

1) Given a security parameter k ∈ Z+, the TAs generate a prime q; two groups G1 and GT of order q; three distinct generators P, Q, and Q′ of G1; and a bilinear pairing e : G1 × G1 → GT. The PKG picks a random s ∈ Z*_q and sets PPub = sP, where s is the master secret for private key extraction and is known only to the PKG.

2) The TRA chooses a random α ∈ Z*_q and sets TPub = αP, where α is the master secret for traceability and is known only to the TRA.

3) They choose two cryptographic hash functions H1 : {0,1}* → Zq and H2 : {0,1}* → Zq, together with a hash function H, used in pseudo-identity generation below, whose output is XORed with a real identity and therefore has the same bit length as the real identity. Then, the system parameters are Params = 〈q, G1, GT, e, P, TPub, PPub, Q, Q′, H1, H2〉.

The tamper-proof devices of all vehicles are preloaded with these public system parameters Params.

[Pseudo-identity generation/private key extraction]: Conditional privacy-preserving authentication in our scheme is achieved by using pseudo-IDs that are intimately linked to real identities. In this phase, a vehicle sends information containing its real identity RID to the TRA, where the real identity uniquely identifies the vehicle (e.g., its license plate number). Pseudo-IDs are generated from real identities by the method used in [34].

1) A vehicle Vi picks ki ∈ Z*_q, computes PIDi,1 = kiP, and sends (RIDi, PIDi,1) to the TRA in a secure way, where RIDi uniquely identifies the vehicle Vi.

2) After confirming RIDi, the TRA computes

PIDi,2 = RIDi ⊕ H(αPIDi,1, PIDi,1, ETi, TPub)

where ETi defines the validity period of this pseudo-ID and α is the master secret of the TRA. Then, the pseudo-ID PIDi = (PIDi,1, PIDi,2, ETi) is delivered to the PKG in a secure way.

3) For a given pseudo-ID PIDi, the PKG chooses a random number ti ∈ Z*_q and computes Ti = tiP, hi = H1(PIDi, Ti) ∈ Zq, and Si = (s + hi · ti) · Q. Then, the PKG sets the private key as SKi = (Ti, Si), where s is the master secret of the PKG.

4) The TAs send the pseudo-IDs/private keys 〈PIDi/SKi〉 to the vehicle via a secure channel.

Pseudo-IDs for privacy preservation are generated as a combination of a contribution of the TRA (the master secret α) and a user-chosen secret (ki). Accordingly, apart from the vehicle itself, only the TRA, which knows α, can recover the real identity RIDi from PIDi. The pseudo-IDs/private keys are then stored in the tamper-proof device of the vehicle.

[Message signing]: To ensure message integrity and authentication, each message sent by a vehicle should be signed, and the signature verified when the message is received. A vehicle Vi randomly selects a pseudo-ID PIDi from its storage and chooses the current timestamp tti, which provides freshness of the signed message against replay attacks. The vehicle Vi, with the private key SKi = (Ti, Si), signs a traffic-related message Mi as follows.

1) Choose ri ∈R Z*_q, and compute Ui = ri · P ∈ G1.

2) Compute h′i = H2(PIDi, Mi, tti, Ti, Ui) ∈ Zq and Vi = h′i · Si + ri · Q′. Then, τi = (Ti, Ui, Vi) is a signature on Mi‖tti for PIDi.

3) Subsequently, Vi sends the final message 〈PIDi, Mi, tti, τi〉 to a nearby RSU. These steps are repeated every 100–300 ms according to the DSRC.

[Batch verification of traffic information messages]: Once an RSU receives a traffic-related message signed by a vehicle, the RSU has to verify the signature on the message to ensure that the corresponding vehicle is not attempting to impersonate another legitimate vehicle or to disseminate false messages. Given n distinct message-signature tuples 〈PID1, M1, tt1, τ1〉, ..., 〈PIDn, Mn, ttn, τn〉 signed by n distinct vehicles V1, ..., Vn, respectively, where τi = (Ti, Ui, Vi), the RSU first checks that each timestamp tti (i = 1, ..., n) lies within the valid time interval and that each ETi carried in PIDi has not expired; only then does it perform the following procedure.

1) Compute hi = H1(PIDi, Ti) and h′i = H2(PIDi, Mi, tti, Ti, Ui) ∈ Zq for i = 1, ..., n.

2) Verify whether

$$e\Big(\sum_{i=1}^{n} V_i,\ P\Big) \;=\; e\Big(\Big[\sum_{i=1}^{n} h'_i\Big]\cdot P_{Pub} \;+\; \sum_{i=1}^{n} h'_i h_i T_i,\ Q\Big)\cdot e\Big(\sum_{i=1}^{n} U_i,\ Q'\Big)$$

holds. If it holds, accept all n signatures. (The coefficient of $P_{Pub}$ is $\sum_i h'_i$ because each $V_i = h'_i S_i + r_i Q'$ contributes $h'_i s\,Q$.)
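Why the batch equation holds, written out with the scheme's own symbols (an added derivation; it is not part of the original paper). The pairing is on G1 × G1 and the verification equations use it symmetrically, i.e., e(Q, P) = e(P, Q), which is assumed here as the scheme itself does.

Since $S_i = (s + h_i t_i)\,Q$ and $V_i = h'_i S_i + r_i Q'$,

$$\sum_{i=1}^{n} V_i \;=\; \Big(s\sum_{i=1}^{n} h'_i + \sum_{i=1}^{n} h'_i h_i t_i\Big)\,Q \;+\; \Big(\sum_{i=1}^{n} r_i\Big)\,Q'.$$

By bilinearity, with $P_{Pub} = sP$, $T_i = t_i P$ and $U_i = r_i P$,

$$e\Big(\sum_{i} V_i,\,P\Big) \;=\; e(P,Q)^{\,s\sum_i h'_i + \sum_i h'_i h_i t_i}\cdot e(P,Q')^{\sum_i r_i} \;=\; e\Big(\Big[\sum_{i} h'_i\Big]P_{Pub} + \sum_{i} h'_i h_i T_i,\;Q\Big)\cdot e\Big(\sum_{i} U_i,\;Q'\Big),$$

which is exactly the verification equation. An altered message or timestamp changes $h'_i$ while $V_i$ was computed under the old value, so the two sides no longer agree. The right-hand side costs one scalar multiplication for $[\sum_i h'_i]P_{Pub}$, $n$ for the terms $h'_i h_i T_i$, and three pairings in total, matching the $(n+1)$ scalar multiplications and three pairings stated in the efficiency discussion. For $l$ messages from a single RSU every $h_i$ equals $h_R$ and every $t_i$ equals $k$, so the same computation collapses to

$$e\Big(\sum_{i=1}^{l} V^R_i,\,P\Big) \;=\; e\Big(\Big[\sum_{i=1}^{l} h'_i\Big]\big(P_{Pub} + h_R T_R\big),\,Q\Big)\cdot e\Big(\sum_{i=1}^{l} U^R_i,\,Q'\Big).$$

A practical caveat: a batch check only says whether all $n$ signatures are valid together. When it fails, the RSU learns nothing about which tuple is bad and has to fall back to verifying smaller batches or individual signatures.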

Efficiency: From the batch verification equation above, the computation cost for an RSU to verify n signatures is dominated by (n + 1) scalar multiplications in G1 and three pairing computations. Thus, compared with previous schemes that use IBS schemes with batch verification, the time for an RSU to verify a large number of signatures sent by surrounding vehicles can be considerably reduced, which in turn reduces the message loss ratio caused by the potential signature verification bottleneck at the RSU.

Unlike vehicle-to-RSU communication, in RSU-to-vehicle communication the messages sent by RSUs are not subject to privacy requirements. Therefore, we directly use our IBS scheme to sign the messages launched from RSUs, providing RSU authentication and message integrity. The CPAS scheme for RSU to vehicle is the same as that for vehicle to RSU, except that the Pseudo-Identity Generation part is removed.

TABLE I: NOTATIONS

TABLE II: FORMAT OF RSU's IDENTITY

CPAS Scheme: RSU to Vehicle:

[Private key extraction]: For a given string IDR ∈ {0, 1}*, which is an RSU's identity information, the PKG generates a private key as follows.

1) Choose a random number k ∈ Z*_q, and compute TR = kP.

2) Compute hR = H1(IDR, TR) ∈ Zq and SR = (s + hR · k) · Q, and set the private key as SKR = (TR, SR), where s is the master secret.

The PKG sends the private key to the RSU via a secure channel. Then, the private key SKR = (TR, SR) corresponding to the identity IDR is stored in the RSU. The format of the RSU's identity follows that in [14] (see Table II).

[RSU message signing]: When an RSU broadcasts a traffic-related message to vehicles, the RSU with the private key (TR, SR) chooses the current timestamp tti and signs the traffic-related message Mi as follows.

1) Choose ri ∈R Z*_q, and compute U^R_i = ri · P ∈ G1.

2) Compute h′i = H2(IDR, Mi, tti, TR, U^R_i) ∈ Zq and V^R_i = h′i · SR + ri · Q′. Then, τ^R_i = (TR, U^R_i, V^R_i) is a signature on Mi‖tti for IDR.

3) Subsequently, the RSU sends the final message 〈IDR, Mi, tti, τ^R_i〉 to the vehicles.

[Verification of traffic information messages]: A vehicle receiving a signed message from an RSU must, using the location information in the RSU's identifier string, take steps to prevent an attacker from taking the device off one RSU and installing it elsewhere. The receiver compares the identity information in the received message with the property contained in the identifier string (the RSU's location, checked against the vehicle's own position). If the received identity information does not match this property, the message is ignored. Otherwise, given a signature τ^R_i = (TR, U^R_i, V^R_i) on Mi‖tti for an identity IDR, the vehicle computes hR = H1(IDR, TR) and h′i = H2(IDR, Mi, tti, TR, U^R_i) ∈ Zq and verifies whether

$$e\big(V^R_i,\ P\big) \;=\; e\big(h'_i\cdot[P_{Pub} + h_R\cdot T_R],\ Q\big)\cdot e\big(U^R_i,\ Q'\big)$$

holds. If it holds, accept the signature. If multiple signed messages from the same RSU are received in a time interval, i.e., l distinct message-signature tuples 〈IDR, M1, tt1, τ^R_1〉, ..., 〈IDR, Ml, ttl, τ^R_l〉 signed by the same RSU, where τ^R_i = (TR, U^R_i, V^R_i), the vehicle performs the following.

1) Compute hR = H1(IDR, TR) and h′i = H2(IDR, Mi, tti, TR, U^R_i) ∈ Zq for i = 1, ..., l.

2) Verify whether

$$e\Big(\sum_{i=1}^{l} V^R_i,\ P\Big) \;=\; e\Big(\Big[\sum_{i=1}^{l} h'_i\Big]\cdot\big(P_{Pub} + h_R T_R\big),\ Q\Big)\cdot e\Big(\sum_{i=1}^{l} U^R_i,\ Q'\Big)$$

holds. If it holds, accept all l signatures. (Summing the single-signature equation over i gives the coefficient $\sum_i h'_i$ of $P_{Pub} + h_R T_R$, since TR and hR are common to all l signatures.)

In this case, batch verification of l signatures from the same RSU requires mainly three pairing computations and two scalar multiplications in G1 (one for hR · TR and one for the sum of the h′i applied to PPub + hR · TR). Thus, the time required for a vehicle to verify multiple signatures sent by the same RSU is sharply reduced compared with that needed for sequential verification of l individual signatures.

C. Security Analysis

Source Authentication and Message Integrity: In Section III-C, we prove that the KIBS scheme is secure against existential forgery under an adaptive chosen-message and adaptive chosen-ID attack in the random oracle model under the CDH assumption. The security of our pseudo-IBS scheme reduces to that of the KIBS scheme. Thus, pseudo-ID authentication, message integrity, and nonrepudiation are achieved.

Identity Privacy Preservation: In our scheme, a user's pseudo-ID is a combination of the TRA's master secret key α and a user-chosen secret ki such that only a party that knows ki or α can compute αPIDi,1. In other words, its security depends on the intractability of the CDH problem: given PIDi,1 = kiP and TPub = αP, compute αPIDi,1 = αkiP. Therefore, our scheme does not leak any information related to real identities.

Traceability: Given a pseudo-ID PIDi = (PIDi,1, PIDi,2, ETi) in a signed message, the TRA, holding the master secret α for traceability, can trace the real identity of the vehicle by computing

PIDi,2 ⊕ H(αPIDi,1, PIDi,1, ETi, TPub) = RIDi

because αPIDi,1 = kiTPub = kiαP and PIDi,1 = kiP. Therefore, once a signature is in dispute, the TRA, which assigned the pseudo-IDs to the vehicle's real identity, can trace the vehicle from the disputed message.

Security Against Sybil Attacks (Short-Term Linkability): When the same vehicle sends two or more messages within a small time frame Δt, a recipient should be able to verify that these messages came from the same sender. We enforce short-term linkability so that a malicious vehicle cannot launch Sybil attacks [5], [28], in which a single vehicle impersonates multiple vehicles. Short-term linkability does not hurt drivers' privacy, but a vehicle can identify messages sent by the same sender within a short time in the communication range of the same RSU. In our scheme, a Sybil attack can be detected by checking the linkability of pseudo-IDs within the short time periods specified in the pseudo-IDs: signatures produced by the same signer are easy to distinguish although the signer is anonymous. Thus, our scheme with short-term linkability can thwart Sybil attacks while still achieving long-term unlinkability.

Long-Term Unlinkability: A basic privacy requirement is that an observer cannot link messages sent by a vehicle to the driver's name, license plate number, or other personally identifying information. More specifically, if the same vehicle sends two messages m and m′ more than Δt time apart, then an adversary should not be able to determine whether m and m′ originate from the same sender. In the CPAS scheme, given that the messages are signed under different pseudo-IDs, if the short expiration times ETi in the pseudo-IDs satisfy Δt > ETi, then the two messages cannot be connected to a single vehicle.

Role Separation: In our scheme, there are two TAs. One is the TRA, which is in charge of generating vehicles' pseudo-IDs and tracing real identities from signed messages. The other is the PKG, which is responsible for generating vehicles' private keys corresponding to their pseudo-IDs. Therefore, unlike Zhang et al.'s scheme, even the PKG cannot trace the real identity of a vehicle from a signed message. The tracing secret key α stored at the TRA and the master secret key s stored at the PKG must be strongly protected, in the same way that the private key of a certification authority (CA) in a PKI is protected. One way of protecting such a key is to distribute it among different sites using techniques of threshold cryptography [7], [8]: the master secret key s (α) can easily be distributed in a k-out-of-n fashion by giving each of the n PKGs (TRAs) one share si (αi) of a Shamir secret sharing of s (α) mod q [25]. Applying (k, n)-threshold secret sharing to our system, the numbers of authorities for sharing the secret and for revealing an identity can be adjusted by setting different n and k values, respectively. Threshold schemes are cryptographic means of distributing secret information to multiple entities to eliminate power centralization and a single point of failure. A benefit of doing so is that corrupted authorities (fewer than the threshold) cannot arbitrarily trace vehicle users to compromise their privacy. More precisely, any k or more TRAs must cooperate to trace the real identities of vehicles; if fewer than k TRAs collude, they cannot trace the vehicles.

TABLE III: COMPUTATIONAL COMPLEXITY OF THE IBS SCHEMES IN THE NUMBER n OF SIGNATURES

Fig. 1. Verification delay versus traffic density.
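As an added, runnable illustration (not the paper's code) of the pseudo-identity generation and tracing steps of Section IV-B and of the k-out-of-n threshold tracing just described, the following Python script implements PIDi,1 = kiP, PIDi,2 = RIDi ⊕ H(αPIDi,1, PIDi,1, ETi, TPub), recovery of RIDi by the TRA, and cooperative tracing by k of n TRAs that each hold a Shamir share of α. Assumptions that are ours rather than the paper's: secp256k1 stands in for the prime-order group G1 (only the pairing-free parts of CPAS are exercised, so no bilinear map is needed); H is SHA-256 truncated to the length of RID; ETi is encoded as a 4-byte Unix time; and the threshold tracing uses the standard "Lagrange coefficients in the group" method, in which each TRA contributes αj·PIDi,1 and the contributions are combined so that α is never reconstructed. All function names and the sample RID are constructed for the example.

```python
# Added example (not the paper's code): CPAS pseudo-ID generation, tracing by the
# TRA, and k-of-n threshold tracing with Shamir shares of alpha (assumptions: see lead-in).
import hashlib
import secrets

P_MOD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
Q_ORD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # |G1| = q
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(A, B):
    """Point addition on y^2 = x^3 + 7 over F_p (secp256k1); None is the point at infinity."""
    if A is None or B is None:
        return B if A is None else A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, A):
    """Double-and-add scalar multiplication k*A."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, A)
        A = ec_add(A, A)
        k >>= 1
    return R

def enc(A):
    return A[0].to_bytes(32, "big") + A[1].to_bytes(32, "big")

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def H(shared, pid1, et, tpub, nbytes):
    """H(alpha*PID_1, PID_1, ET_i, T_Pub): SHA-256 truncated to |RID| bytes (our instantiation)."""
    data = enc(shared) + enc(pid1) + et.to_bytes(4, "big") + enc(tpub)
    return hashlib.sha256(data).digest()[:nbytes]

def tra_setup():
    """TRA master secret alpha and T_Pub = alpha*P."""
    alpha = secrets.randbelow(Q_ORD - 1) + 1
    return alpha, ec_mul(alpha, P)

def vehicle_request():
    """Step 1: the vehicle picks k_i and computes PID_{i,1} = k_i*P; k_i never leaves it."""
    k = secrets.randbelow(Q_ORD - 1) + 1
    return k, ec_mul(k, P)

def tra_issue(rid, pid1, et, alpha, tpub):
    """Step 2: PID_{i,2} = RID_i xor H(alpha*PID_{i,1}, PID_{i,1}, ET_i, T_Pub)."""
    pid2 = xor(rid, H(ec_mul(alpha, pid1), pid1, et, tpub, len(rid)))
    return (pid1, pid2, et)

def trace(pid, alpha, tpub):
    """TRA recovers RID_i from a pseudo-ID seen in a signed message."""
    pid1, pid2, et = pid
    return xor(pid2, H(ec_mul(alpha, pid1), pid1, et, tpub, len(pid2)))

def shamir_share(secret, k, n):
    """(k, n) Shamir sharing of alpha mod q: shares (j, f(j)) for j = 1..n."""
    coeffs = [secret] + [secrets.randbelow(Q_ORD) for _ in range(k - 1)]
    return [(j, sum(c * pow(j, e, Q_ORD) for e, c in enumerate(coeffs)) % Q_ORD)
            for j in range(1, n + 1)]

def lagrange_at_zero(indices):
    """Coefficients lambda_j with sum_j lambda_j * f(j) = f(0) when |indices| >= k."""
    lam = {}
    for j in indices:
        num = den = 1
        for m in indices:
            if m != j:
                num = num * (-m) % Q_ORD
                den = den * (j - m) % Q_ORD
        lam[j] = num * pow(den, -1, Q_ORD) % Q_ORD
    return lam

def threshold_trace(pid, partials, tpub):
    """Each cooperating TRA_j contributes alpha_j*PID_{i,1}; combining them in the group
    gives alpha*PID_{i,1} without reconstructing alpha. Fewer than k contributions give a
    wrong point and hence a wrong RID."""
    pid1, pid2, et = pid
    lam = lagrange_at_zero(list(partials))
    shared = None
    for j, Pj in partials.items():
        shared = ec_add(shared, ec_mul(lam[j], Pj))
    return xor(pid2, H(shared, pid1, et, tpub, len(pid2)))

if __name__ == "__main__":
    RID = b"7XY-4521KR"  # constructed 10-byte real identity (license plate)
    alpha, tpub = tra_setup()
    _k, pid1 = vehicle_request()
    pid = tra_issue(RID, pid1, 1700000000, alpha, tpub)  # ET_i as a 4-byte Unix time
    print("TRA trace:", trace(pid, alpha, tpub) == RID)
    shares = shamir_share(alpha, 3, 5)  # alpha split 3-of-5 among five TRAs
    partials = {j: ec_mul(s_j, pid[0]) for j, s_j in shares[:3]}
    print("3-of-5 threshold trace:", threshold_trace(pid, partials, tpub) == RID)
```

The point of `threshold_trace` is that no single TRA ever learns α or another TRA's share: each one multiplies the public PIDi,1 by its own share, and the Lagrange weighting happens on group elements, so any k partial results reconstruct αPIDi,1 while any k − 1 yield an unrelated point.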

D. Performance Evaluation

In this section, we evaluate the performance of our scheme in terms of verification delay. A comparison of the efficiency of our scheme with the scheme of Zhang et al. (ZLLHS [34]) and with schemes based on known IBS schemes with batch verification, including those of Yoon et al. (Yoon–Cheon–Kim [33]) and Shim (EIBS [27]), is given in Table III. In this table, P, SM, and MTP represent the time to perform a pairing computation, a scalar multiplication in G1, and a MapToPoint operation, respectively. To improve efficiency, our scheme uses general hash functions H1 and H2 such as SHA-1 or SHA-2 [18], [19] instead of the MapToPoint function. The schemes in Table III, with the exception of ours, require n pairing computations or n MapToPoint operations, where n is the number of signatures.

As our scheme focuses on reducing the signature verification cost at an RSU, we assume that all of the vehicles can directly communicate with the RSU. We also assume that the communication coverage of an RSU is 1 km² and that each vehicle periodically broadcasts a traffic-related message every 300 ms. The traffic density is taken as the number of vehicles within an RSU's radio range; in Fig. 1, the traffic density is therefore equal to the number of signatures. The figure illustrates the performance results (in milliseconds) of the two schemes on a 3.07-GHz Intel i7 central processing unit. We used the MIRACL cryptographic library [16], choosing the Tate pairing on a 159-bit subgroup of an MNT curve with embedding degree 6 at the 80-bit security level. The most time-consuming operation in our scheme is scalar multiplication: the computational complexity of our scheme is dominated by the number of scalar multiplications. The state-of-the-art timing of a scalar multiplication is 0.39 ms, i.e., scalar multiplication on an MNT curve with embedding degree 6 is known to be the fastest at the 80-bit security level. On this curve, a MapToPoint function takes 0.09 ms, whereas the time for a SHA-1 hash computation is negligible. As shown in Fig. 1, the time for simultaneously verifying 2000 signatures in our scheme is reduced by 18% compared with the Zhang et al. scheme. If each vehicle periodically broadcasts a traffic-related message every 300 ms, i.e., its time gap is less than 300 ms, then the time for verifying the signatures gathered in a time interval must be less than 300 ms. Fig. 1 shows that, in our scheme, the time for verifying 750 signatures gathered in a time interval is less than 300 ms. In addition, an RSU in our scheme can simultaneously verify 2540 signed messages/s.

TABLE IV: FORMAT OF THE SIGNED MESSAGE

TABLE V: FORMAT OF THE SIGNED MESSAGE FOR OBUs (RSUs)

Communication overhead: We now analyze the communication overhead of our scheme. The current IEEE Trial-Use standard for VANET security [11] provides detailed documentation, including the choice of cryptosystems in the PKI. To authenticate a message sender and guarantee message integrity, OBUs or RSUs should sign messages with their private keys before the messages are sent. Table IV shows the format of a signed message, where a 125-B certificate and a 56-B ECDSA signature [11] have to be attached to each 69-B intervehicle communication message. Obviously, the cryptographic overhead (the certificate and the signature) takes up a significant portion of the total packet size (250 B). In our scheme, based on the ID-based infrastructure, the total packet size can be reduced to 209 B. We follow the format of safety messages between OBUs and RSUs as in [14]. The first four parts in Table V are signed by the OBU, which produces the "Signature" part. To reduce the signature length, it is suitable to use a 159-bit subgroup of the MNT curve with an embedding degree of 6. When a point (x, y) of the curve is sent, only its x-coordinate is transmitted, and the verifier recovers the y-coordinate by computing a square root, which reduces the communication overhead. Then, the total signature size is 159 + 159 + 159 + 3 = 480 bits, as each element of G1 is 159 bits plus one bit per point to select the sign of y. The total pseudo-ID size is 159 + 159 + 2 + 4 = 324 bits, where ETi is taken as 4 B. The CPAS scheme for RSU to vehicle uses a real identity instead of a pseudo-ID, so that 10 B are enough to represent the real identity information. The total packet length from vehicle to RSU (RSU to vehicle) in our scheme is 209 (178) B. If we take 1, 1, and 67 B for Type ID, Message ID, and Payload (Message) as in Table V, then the total packet length is 174 (143) B.

V. CONCLUSION

We have proposed a secure conditional privacy-preserving authentication scheme, called CPAS, using a new IBS scheme with the fastest batch verification process for secure V-to-I communications in VANETs. The scheme achieves conditional privacy preservation, in which each message launched by a vehicle is mapped to a distinct pseudo-ID and a TRA can always retrieve the real identity of a vehicle from any pseudo-ID. In the CPAS scheme, an RSU can simultaneously verify multiple received signatures, so that the total verification time is considerably reduced. The time for simultaneously verifying 800 signatures in our scheme is reduced by 18% compared with Zhang et al.'s scheme. To the best of our knowledge, CPAS is the fastest conditional privacy-preserving authentication scheme for secure V-to-I communications. However, our pseudo-IBS scheme, designed for efficient batch verification, is more suitable for V-to-I communications than for V-to-V communications. The basic IBS scheme requires three pairing computations to verify a signature, and therefore verifying a number of signatures transmitted sequentially from multiple vehicles causes a processing bottleneck at each vehicle with limited computational power. A pairing-free pseudo-IBS scheme would be more suitable for such an environment. In future work, we will extend our approach to V-to-V communication and conduct further performance evaluation of message end-to-end delay and message loss ratio in V-to-V communication, as well as evaluating CPAS on a large-scale VANET testbed with varying vehicle mobility models.

REFERENCES

[1] R. Anderson and M. G. Kuhn, "Tamper resistance—A cautionary note," in Proc. USENIX Workshop Electron. Commerce, 1996, pp. 1–11.

[2] D. Boneh and M. Franklin, "Identity-based encryption from the Weil pairing," in Advances in Cryptology—Crypto. New York: Springer-Verlag, 2001, pp. 213–229.


[3] D. Boneh, B. Lynn, and H. Shacham, "Short signatures from the Weil pairing," in Advances in Cryptology—Asiacrypt. New York: Springer-Verlag, 2002, pp. 514–532.

[4] Dedicated Short Range Communications (DSRC). [Online]. Available: http://www.standards.its.dot.gov/Documents/advisories/dsrc_advisory.htm

[5] J. R. Douceur, "The sybil attack," in Proc. IPTPS, Mar. 2002, pp. 251–260.

[6] C. Gamage, B. Gras, B. Crispo, and A. S. Tanenbaum, "An identity-based ring signature scheme with enhanced privacy," in Proc. SecureComm, 2006, pp. 1–5.

[7] P. Gemmell, "An introduction to threshold cryptography," CryptoBytes, A Techn. Newsl. RSA Lab., vol. 2, no. 3, pp. 7–12, 1997.

[8] R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin, "Secure distributed key generation for discrete-log based cryptosystems," in Advances in Cryptology—Eurocrypt. New York: Springer-Verlag, 1999, pp. 295–310.

[9] S. Goldwasser, S. Micali, and R. L. Rivest, "Digital signature scheme secure against adaptive chosen-message attacks," SIAM J. Comput., vol. 17, no. 2, pp. 281–308, Apr. 1988.

[10] J. P. Hubaux, S. Capkun, and J. Luo, "The security and privacy of smart vehicles," IEEE Security Privacy, vol. 2, no. 3, pp. 49–55, May/Jun. 2004.

[11] IEEE Trial-Use Standard for Wireless Access in Vehicular Environments—Security Services for Applications and Management Messages, IEEE Std. 1609.2, Jul. 2006.

[12] U. Lee, E. Magistretti, B. Zhou, M. Gerla, P. Bellavista, and A. Corradi, "Mobeyes: Smart mobs for urban monitoring with a vehicular sensor network," IEEE Wireless Commun., vol. 13, no. 5, pp. 52–57, Oct. 2006.

[13] X. Lin, R. Lu, C. Zhang, H. Zhu, P.-H. Ho, and X. Shen, "Security in vehicular ad hoc networks," IEEE Commun. Mag., vol. 46, no. 4, pp. 88–95, Apr. 2008.

[14] X. Lin, X. Sun, P. H. Ho, and X. Shen, "GSIS: A secure and privacy-preserving protocol for vehicular communications," IEEE Trans. Veh. Technol., vol. 56, no. 6, pp. 3442–3456, Nov. 2007.

[15] R. Lu, X. Lin, H. Zhu, P.-H. Ho, and X. Shen, "ECPP: Efficient conditional privacy-preservation protocol for secure vehicular communications," in Proc. IEEE Conf. Comput. Commun., Apr. 2008, pp. 1229–1237.

[16] MIRACL Cryptographic Library: Multiprecision Integer and Rational Arithmetic C/C++ Library. [Online]. Available: http://indigo.ie/~mscott/

[17] J. A. Misener, "Vehicle-infrastructure integration (VII) and safety: Rubber and radio meets the road in California," Intellimotion, vol. 11, no. 2, pp. 1–3, 2005.

[18] Nat. Inst. Stand. Technol., Secure Hash Standard. Federal Information Processing Standard, FIPS-180-1, Apr. 1995.

[19] Nat. Inst. Stand. Technol., Secure Hash Standard. Federal Information Processing Standard, FIPS-180-2, Aug. 2002.

[20] D. Pointcheval and J. Stern, "Security arguments for digital signatures and blind signatures," J. Cryptol., vol. 13, no. 3, pp. 361–396, 2000.

[21] S. Ravi, A. Raghunathan, and S. Chakradhar, "Tamper resistance mechanisms for secure embedded systems," in Proc. Int. Conf. VLSID, 2006, pp. 605–611.

[22] M. Raya and J. P. Hubaux, "Securing vehicular ad hoc networks," J. Comput. Security—Special Issue Security Ad Hoc Sensor Netw., vol. 15, no. 1, pp. 39–68, Jan. 2007.

[23] Road Weather Management. [Online]. Available: http://ops.fhwa.dot.gov/weather/

[24] K. Sampigethaya, L. Huang, M. Li, R. Poovendran, K. Matsuura, and K. Sezaki, "Caravan: Providing location privacy for VANET," in Proc. ESCAR, 2005, pp. 1–15.

[25] A. Shamir, "How to share a secret," Commun. ACM, vol. 22, no. 11, pp. 612–613, Nov. 1979.

[26] A. Shamir, "Identity-based cryptosystems and signature schemes," in Advances in Cryptology—Crypto. New York: Springer-Verlag, 1984, pp. 47–53.

[27] K. A. Shim, "An ID-based aggregate signature scheme with constant pairing computations," J. Syst. Softw., vol. 83, no. 10, pp. 1873–1880, Oct. 2010.

[28] A. Studer, E. Shi, F. Bai, and A. Perrig, "TACKing together efficient authentication, revocation, and privacy in VANETs," in Proc. IEEE SECON Conf., 2009, pp. 1–9.

[29] J. Sun, C. Zhang, Y. Zhang, and Y. Fang, "An identity-based security system for user privacy in vehicular ad hoc networks," IEEE Trans. Parallel Distrib. Syst., vol. 21, no. 9, pp. 1227–1239, Sep. 2010.

[30] "Vehicle safety communications project," U.S. Dept. Transp., Nat. Highway Traffic Safety Admin., Washington, DC, 2006.

[31] F. Wang, D. Zeng, and L. Yang, "Smart cars on smart roads: An IEEE intelligent transportation systems society update," IEEE Pervasive Comput., vol. 5, no. 4, pp. 68–69, Oct.–Dec. 2006.

[32] Wave Syst. Corp. EMBASSY 2100 cryptographic controller. [Online]. Available: http://www.wave.com/about/datasheets/03-000139MBASSY2100.pdf

[33] H. J. Yoon, J. H. Cheon, and Y. Kim, "Batch verification with ID-based signatures," in Proc. ICISC, vol. 3506, LNCS, 2005, pp. 233–248.

[34] C. Zhang, R. Lu, X. Lin, P. H. Ho, and X. Shen, "An efficient identity-based batch verification scheme for vehicular sensor networks," in Proc. IEEE INFOCOM, 2008, pp. 246–250.

Kyung-Ah Shim received the Ph.D. degree in mathematics from Ewha Womans University, Seoul, Korea.

From 2000 to 2008, she was a Senior Researcher with the Korea Information Security Agency and then a Research Professor with the Department of Mathematics, Ewha Womans University. In September 2008, she joined the Division of Fusion and Convergence of Mathematical Sciences, National Institute for Mathematical Sciences, Daejeon, Korea, as a Senior Researcher. Her research interest is cryptography.