An Identity-Based Security System for

8/7/2019 An Identity-Based Security System for

http://slidepdf.com/reader/full/an-identity-based-security-system-for 1/13

An Identity-Based Security System forUser Privacy in Vehicular Ad Hoc Networks

Jinyuan Sun, Chi Zhang, Yanchao Zhang, and Yuguang Fang, Fellow , IEEE

Abstract—Vehicular ad hoc network (VANET) can offer various services and benefits to users and thus deserves deployment effort.Attacking and misusing such network could cause destructive consequences. It is therefore necessary to integrate securityrequirements into the design of VANETs and defend VANET systems against misbehavior, in order to ensure correct and smoothoperations of the network. In this paper, we propose a security system for VANETs to achieve privacy desired by vehicles andtraceability required by law enforcement authorities, in addition to satisfying fundamental security requirements includingauthentication, nonrepudiation, message integrity, and confidentiality. Moreover, we propose a privacy-preserving defense techniquefor network authorities to handle misbehavior in VANET access, considering the challenge that privacy provides avenue formisbehavior. The proposed system employs an identity-based cryptosystem where certificates are not needed for authentication. Weshow the fulfillment and feasibility of our system with respect to the security goals and efficiency.

Index Terms—Privacy, traceability, pseudonym, misbehavior, revocation, identity-based cryptography, vehicular ad hoc network.

Ç

1 INTRODUCTION

VEHICULAR ad hoc networks (VANETs) are receivingincreasing attentions from academia and deployment

efforts from industry, due to the various applications andpotential tremendous benefits they offer for future VANETusers. Safety information exchange enables life-criticalapplications, such as the alerting functionality duringintersection traversing and lane merging, and thus, playsa key role in VANET applications [1], [2], [3], [4], [5]. Value-added services can enhance drivers’ traveling experience byproviding convenient Internet access, navigation, tollpayment services, etc. [1], [3], [4], [5]. Other applicationsare also possible including different warning messages for

congestion avoidance, detour notification, road conditions(e.g., slippery), etc., and alarm signals disseminated byemergency vehicles (e.g., ambulance) for road clearance [1],[2], [3], [5], [6]. The attractive features of VANETs inevitablyincur higher risks if such networks do not take security intoaccount prior to deployment. For instance, if the safetymessages are modified, discarded, or delayed eitherintentionally or due to hardware malfunctioning, seriousconsequences such as injuries and even deaths may occur.This necessitates and urges the development of a functional,reliable, and efficient security architecture before all otherimplementation aspects of VANETs.

Fundamentally,VANETsecurity design shouldguaranteeauthentication, nonrepudiation, integrity, and in somespecific application scenarios, confidentiality, to protectthe network against attackers. Besides the fundamentalsecurity requirements, sensitive information such as identityand location privacy should be preserved from the vehicleowner’s perspective, against unlawful tracing and userprofiling, since otherwise it is difficult to attract vehicles tojoin the network. On the contrary, traceability is requiredwhere the identity information need be revealed by lawenforcement authorities for liability issues, once accidents orcrimes occur. In addition, privilege revocation is required bynetwork authorities (e.g., network administrator) once mis-behavior is detected during network access. It is less difficultto prevent misbehaviorof unauthorized users (i.e., outsiders)since legitimate users and roadside units (RSUs) can simplydisregard communication requests from outsiders by meansof authentication. Nevertheless, misbehavior of legitimateusers of VANETs (i.e., insiders) is more difficult and complexto prevent, the reason being that insiders possess credentialsissued by the authority to perform authentication with peervehicles or RSUs who can be easily tricked into trusting theinsiders. Consequently, the insiders’ misbehavior will havemuchlargerimpactonthenetworkandwillbethefocusofthispaper. Our proposed system in this paper and many recentproposals on VANET security [3], [7], [8], [9] provide theoption of using anonymous credentials in authentication,rendering it even more complex to handle misbehavior inVANETs, since the user identity is hidden and cannot belinked arbitrarily which curbs the punishment of misbehav-ing users.

Our contributions. Given the conflicting goals of privacyand traceability, and the challenges in designing a privacy-preserving defense scheme for VANETs, we are motivatedto propose a security system that can effectively andefficiently solve the conflicts and challenges. Specifically,our main contributions in this paper include:

1. We propose a pseudonym-based scheme to assure

vehicle user privacy and traceability.

IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 21, NO. 9, SEPTEMBER 2010 1227

. J. Sun is with the Department of Electrical Engineering and ComputerScience, University of Tennessee, Knoxville, TN 37996.E-mail: [email protected]

. C. Zhang and Y. Fang are with the Department of Electrical and ComputerEngineering, University of Florida, 435 New Engineering Building, POBox 116130, Gainesville, FL 32611.E-mail: [email protected], [email protected].

. Y. Zhang is with the Department of Electrical and Computer Engineering,213 Electrical & Computer Engineering Center (ECEC), New JerseyInstitute of Technology University Heights, Newark, NJ 07102.E-mail: [email protected].

Manuscript received 19 Aug. 2009; revised 24 Nov. 2009; accepted 25 Nov.2009; published online 8 Jan. 2010.Recommended for acceptance by Y.C. Tseng.For information on obtaining reprints of this article, please send e-mail to:[email protected], and reference IEEECS Log Number TPDS-2009-08-0376.

Digital Object Identifier no. 10.1109/TPDS.2010.14.1045-9219/10/$26.00 ß 2010 IEEE Published by the IEEE Computer Society



2. We design a threshold signature-based scheme toachieve nonframeability in tracing law violators. Inthis scheme, an innocent vehicle cannot be framedby a corrupted law enforcement authority due to ourrole-splitting mechanism.

3. A novel privacy-preserving defense scheme isproposed leveraging threshold authentication. It

guarantees that any additional authentication be-yond the threshold will result in the revocation of the misbehaving users. Our defense scheme differsfrom others mainly in that it yields flexibility in therevocation (i.e., not all types of misbehavior shouldbe punished). Moreover, the dynamic accumulatorsin the threshold authentication technique [10] facil-itates each user to place further restrictions (besidesthe threshold) on other communicating users, whichis an attractive feature to service providers.

4. Our design incorporates mechanisms that guaranteeauthentication, nonrepudiation, message integrity,and confidentiality.

5. We provide comprehensive analysis to show thefulfillment of the security objectives and the effi-ciency of the proposed system.

In what follows, we use law violators (or violators) andmisbehaving users to describe VANET users who misbe-have in the law enforcement scenario and the infrastructureaccess scenario, respectively.

Organization. The rest of this paper is organized asfollows: A survey of related work is provided in Section 2.Section 3 introduces some preliminaries relevantto ourwork.Section 4 describes the system model including the entitiesand procedures involved in our schemes, and the securityrequirements. Section 5 elaborates on the schemes for

achieving privacy and traceability, and nonframeability intracing, as well as the privacy-preserving defense scheme.Security and efficiency analysis of the proposed system arethefocus of Sections 6 and7, respectively. Section 8 concludesthe paper.

2 RELATED WORK

There is a large body of research work related to the securityand privacy in VANETs. The most related works are on thedesign of privacy-preserving schemes. Raya and Hubaux [3]investigated the privacy issue by proposing a pseudonym-based approach using anonymous public keys and thepublickey infrastructure (PKI), where the public key certificate is

needed, giving rise to extra communication and storageoverhead. The authors also proposed three credentialrevocation protocols tailored for VANETs, namely RTPD,RC 2RL, and DRP [11], considering that the certificaterevocation list (CRL) needs to be distributed across theentire network in a timely manner. All the three protocolsseem to work well under conventional public key infra-structure (PKI). However, the authors also proposed to usefrequently updated anonymous public keys to fulfill users’requirement on identity and location privacy. If this privacypreservingtechniqueis used in conjunction with RC 2RL andDRP, the CRL produced by thetrusted authority will becomehuge in size, rendering the revocation protocols highly

inefficient. A lightweight symmetric-key-based security

scheme for balancing auditability and privacy in VANETsis proposed in [4]. It bears the drawback that peer vehiclesauthenticate each other via a base station, which is unsuitablefor intervehicle communications. Gamage et al. [12] adoptedan identity-based (ID-based) ring signature scheme toachieve signer ambiguity and hence fulfill the privacyrequirement in VANET applications. The disadvantage of

the ring signature scheme in the context of VANETapplications, is the unconditional privacy, resulting in thetraceability requirement unattainable. Group signature-based schemes are proposed in [8], [13], [14], where signerprivacy is conditional on the group manager. As a result, allthese schemes have the problem of identity escrow, as agroup manager who possesses the group master key canarbitrarily reveal the identity of any group member. Inaddition, due to the limitation of group formation inVANETs (e.g., too few cars in the vicinity to establish thegroup), the group-based schemes [8], [13], [14], [15] may notbe applied appropriately. The election of group leader willsometimes encounter difficulties since a trusted entity cannotbe found amongst peer vehicles. Kamat et al. [16], [17]

proposed an ID-based security framework for VANETs toprovide authentication, nonrepudiation, and pseudonymity.However, their framework is limited by the strong depen-dence on the infrastructure for short-lived pseudonymgeneration, which renders the signaling overhead over-whelming. The proposed nonrepudiation scheme enables asingle authority to retrieve the identity which may raise theconcern on potential abuse. Schemes leveraging pseudo-nyms in VANETs can also be found in [7], [18] with therevocation feasible in limited settings, and in [19] where thecertificate authority maintains mapping from an identity tothe set of vehicle-generated pseudonyms.

There are also a number of defense techniques againstmisbehavior in VANET literature besides those in [3]. An

indirect approach via the aid of infrastructure is used in [8]and [16]. The TA distributes the CRL to the infrastructurepointswhich then take over theTA’s responsibility to executethe revocation protocol. The advantage of this approach isthat vehicles never need to download the entire CRL.Unfortunately, the conditional anonymity claimed in [8]and [16] only applies to amongst peer vehicles, under theassumption that the infrastructure points (group manager in[8] and base station in [16]) are trusted. The infrastructurepointscan revealthe identity of anyvehicle at anytime even if the vehicle is honest. The scheme in [9] leverages a single TAto recover the identity of a (possibly honest) vehicle, whererevocation issuesare notdiscussed. Recently, Tsang et al. [20]

proposed a blacklistable anonymous credential system forblocking misbehavior without the trusted third party (TTP).TheblacklistingtechniquecanbeappliedtoVANETsas:ifthevehiclefailstoprovethatitisnotontheblacklistofthecurrentauthenticator, the authenticator will ignore the messages orrequests sent by this vehicle. Although not proposedspecifically for VANETs, the proposal in [20] has a similarclaim as ours that the capability of a TTP (network authorityin our paper) to recover a user’s identity in any case is toostrong a punishment and highly undesirable in somescenarios. The downside of this technique is the lack of options to trace misbehaving users, since any user in thesystem(misbehavingornot)willbynomeansbeidentifiedby

any entity including the authorities.

1228 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 21, NO. 9, SEPTEMBER 2010



We proposed a privacy-preserving defense schemeagainst misbehavior in [21] leveraging threshold authenti-cation technique. This scheme and the scheme in [7] bothpreserve user privacy, and simultaneously provide trace-ability (i.e., tracing law violators by enforcement authoritiesin [7] and tracing misbehaving users by network authoritiesin [21]). The major differences between these schemes are

the different technical realizations of the privacy andtraceability schemes, due to the different applicationscenarios and detailed security requirements. In this paper,we incorporate the schemes in [7] and [21] to propose asecurity system that aims at achieving user privacy andtraceability, taking into account different types of autho-rities in VANETs, and their requirements for traceability.Furthermore, we extend the previous works by offeringdetailed efficiency analysis in terms of storage, computa-tion, and communication in the proposed system.

3 PRELIMINARIES

This section comprises basic introduction to the crypto-

graphic system and primitives used as building blocks in oursecurity system.

3.1 ID-Based Cryptography (IBC)

Identity-based or ID-based cryptosystem allows the publickey of an entity to be derived from its public identityinformation such as name, email address, etc., which avoidsthe use of certificates for public key verification in theconventional PKI. Boneh and Franklin [22] introduced thefirst functional and efficient ID-based encryption schemebased on bilinear pairings on elliptic curves. Specifically, letG1 and G2 be an additive group and a multiplicative group,respectively, of the same prime order q . Discrete logarithmproblem (DLP) is assumed to be hard in both G1 and G2. LetP denote a random generator of G1 and e : G1 Â G1 G2

denote a bilinear map constructed by modified Weil or Tatepairing with properties:

1. Bilinear: eðaP;bQÞ ¼ eðP ; QÞab, 8P ; Q 2 G1 and 8a;

b 2 Z Ãq .

2. Nondegenerate: 9P ; Q 2 G1 such that eðP ; QÞ 6¼ 1.3. Computable: there exists an efficient algorithm to

compute eðP ; QÞ; 8P ; Q 2 G1.

IBC schemes are used mainly for encryption, authentica-tion, and nonrepudiation in our VANET system. Comparedto the conventional PKI (public key infrastructure), IBCinfrastructure avoids the use of certificates for public key

verification and the exchange of public keys (and associatedcertificates), greatly improving the computation and com-munication efficiency.

3.2 Threshold Schemes Based on Secret Sharing

Threshold schemes are used as cryptographic means todistribute secret information to multiple entities to eliminatepower centralization and a single point of failure. In [23],Shamir consideredthe problem of dividing someinformationI into n pieces I 1; . . . ; I n,suchthatknowledgeofany k ormoreof these I iði 2 ½1; n�Þ pieces can recover I while knowledge of k À 1 or fewer pieces keeps I completely undetermined [23].Such a scheme is referred to as a ðk; nÞ threshold scheme

which is computed based on polynomial interpolation.

Define a k À 1 degree polynomial yðxÞ ¼ a0 þPkÀ1

i¼1aixi with

a0 ¼ I 2 G1,where a1; . . . ; akÀ1 are randomly chosen from G1.Let I i ¼ yðiÞ; i 2 ½1; n� and È fI 1; . . . ; I ng with jÈj ! k,where j Á j denotes the cardinality of the given set. The I ivalues in È and the indices i can be used to reconstruct theoriginal information I ¼ yð0Þ ¼ a0 by computing yðxÞ ¼P

j2ÉÉ

xjI j, where É

xj ¼Q

l2É;l6¼jxÀljÀl

2 Z q is the Lagrange

coefficient for a set É f1; . . . ; ng with jÉj ! k. Thistechniqueis used in thedesign of thenonframeability schemefor law enforcement authorities.

3.3 Proof of Knowledge

A proof of knowledge is an interactive proof where theprover convinces the verifier of the validity of a statement.In the case of a zero knowledge proof of knowledge, theabove interactive proof is carried out without the proverrevealing any information used to prove the statement. LetG be a cyclic group with generator g where solving thediscrete logarithm is intractable. G is of prime order p. Onecan prove the knowledge of the discrete logarithm x 2 Z p

with respect to y in base g as P K fðxÞ:

y ¼ g

x

g, which is theso-called Æ-protocol of three move structure: commitment,challenge, and response. Schnorr [24] first provided aconstruction for the Æ-protocol. The threshold authentica-tion technique used in this paper as the defense againstmisbehavior is based on the Æ-protocol for zero knowledgeproof. The proof of knowledge techniques are mainly usedfor the threshold-authentication-based defense scheme.

4 SYSTEM MODEL

We describe the functionalities of our security system anddefine security requirements in this section.

4.1 OverviewMajor entities in a VANET environment aredepictedin Fig. 1.As mentioned before, traceability is needed by law enforce-ment authorities (LEAs) who require the identity of aviolating vehicle to be disclosed for investigating the causeof accidents or crimes. Due to the seriousness of liabilityissues, if a single authority (e.g., the police) is fully capable of revealingthe vehicleidentity, this privilege maybe abused. Itis desirable if two or more authorities (e.g., the police, judge,special agents, and other possible law enforcement autho-rities) are granted distributed control over the identityretrieval process. One benefit in doing so is that corruptedauthorities (the number being less than the threshold) cannot

arbitrarily trace vehicle users to compromise their privacy.Another benefit is that malicious authorities cannot falselyaccuse (or frame) honest users. Such role-splitting is notrequired for network authorities since the threshold authen-tication technique in our defense scheme prevents a networkauthority from falsely accusing honest users. The proposedsecurity system primarily consists of techniques addressingthe privacy, traceability, nonframeability, and revocation(only by network authorities) issues.

The logic diagram of the entities’ interactions is depictedin Fig. 2, where the arrowed lines indicate the direction of packet flow or physical communications, the bracketednumbers near each line index the major events or procedures

between the connected entities. The vehicle users are further

SUN ET AL.: AN I DENTI TY-BASED SECURI TY SYSTEM FOR USER PRI VAC Y I N VEHI CULAR AD HOC NETWORKS 1229





more than k times. Alice relies on the AUTH log and publicinformation, and obtains M n’s credential n as the procedureoutput which is reported to the RTA.

Revocation/recovery: Upon receiving the complaints fromother entities in the system as the output of Tracing, the RTA

decides if the misbehaving member’s credential needs to berevoked. The RTA then performs the identity recovery by

looking up the same pseudonym lookup table PLT (cf.System setup above) which also records the correspondencebetween the credential n and identity IDn.

Note that for the ease of presentation, we assume theRTAs to act as network authorities for the defense schemein this paper. In reality, when the roles of RTA and networkauthority are separate, the network authority can simplytake charge as the RTA in the above subprocedures.Nonetheless, in the execution of Revocation/recovery, thenetwork authority needs to establish trust with or bedelegated by the RTA in order to access the PLT. When wemention network authorities in what follows, we implicitlyrefer to RTAs in the network authority role.

4.3 Security Requirements

We define the security requirements for our VANETsecurity system, and will show the fulfillment of theserequirements after presenting the design details.

1. Privacy: The privacy requirement states that privateinformation such as vehicle owner’s identity andlocation privacyis preserved against unlawful tracingand user profiling.

2. Traceability: It is required where the identityinformation of violators need be revealed by lawenforcement authorities for liability purposes. Thetraceability requirement also indicates that a mis-

behaving user will be identified and the correspond-ing credential revoked, if necessary, by networkauthorities, to prevent this user from furtherdisrupting system operations. Certain criteria haveto be met for the traceability of a misbehaving useras explained in the next section.

3. Nonframeability: Nonframeability requires that noentity in the system can accuse an honest user forhaving violated the law or misbehaved.

4. Other requirements: A secure VANET system shouldsatisfy several fundamental requirements, namely,authentication, nonrepudiation, message integrity,and confidentiality where sensitive information is

being exchanged, to protect the system againstunauthorized-message injection, denial of messagedisseminations, message alteration, and eavesdrop-ping, respectively. Nonrepudiation also requires thatviolators or misbehaving users cannot deny the factthat they have violated the law or misbehaved.

5 THE PROPOSED SECURITY SYSTEM

This section elaborates on the technical design of the

proposed security system.

5.1 System Setup

In our system, a trust domain is managed by a regional

transportation authority (RTA). Different among countries,

the region can be a state, province, etc. On input of 1, theunary representation of the security parameter , the keygenerator outputs a tuple (G1,G2,e,P ,q ) as defined inSection 3.1. The RTA randomly selects a domain mastersecret s 2R Z Ãq to generate private keys associated with theID-based public keys for each entity (i.e., vehicles, RSUs,other authorities) involved in VANET communications

within the trust domain. The RTA then publishes its certifieddomain parameters ðq; G1; G2; e ; P ; P pb; H 1Þ, where P pb ¼ sP

and H 1: f0; 1gÃ G1 is a cryptographic hash function. Forthe defense scheme, the RTA chooses P 0; P 1; P 2; H 2 G1, 2R Z Ãq , and computes P pub ¼ P , A ¼ eðP ; P Þ. The RTAsets the group public and private keys as gpk ¼ ðP ; P pub; P 0;

P 1; P 2; H ; AÞ and gsk ¼ , respectively. Furthermore, theRTA maintains and publishes ID list which can be accessedby any user of the system.

A vehicle V ’s public/private key pair in this domain isassigned by the RTA as P K v/Àv, with P K v ¼ H 1ðP S vÞ andÀv ¼ s Á P K v. Each RSU for network access in the RTA’sdomain will be assigned a key pair in a similar fashion,

except that the RSU just uses the real identity as the publickey. For privacy preserving purpose, vehicles always usetheir pseudonyms for VANET communications instead of real identities. The pseudonym plays the same role as thereal identity in authentication and secure communications,which in our system is of the form:

P S v :¼ ðP seudonym; ExpiryDateÞ@RGH ; ð1Þ

where ExpiryDate defines the valid period of this P S v, andRGH denotes the home region where the vehicle isregistered. As a result, the vehicles with public/private keypairs assigned by a same RTA (i.e., using the same mastersecret s) are capable of mutual authentication. Furthermore,

the RTA will maintain a PLT (pseudonym lookup table) foreach registered vehicle in its domain which consists of thecorrespondence of the real identity and the assignedpseudonyms, and can be accessed by theRTA’s border RSUs.

The home region is assumed to be the most likely activityregion of a vehicle. As the vehicle travels across regions, itneeds public/private key pairs assigned by foreign regions(RGF ) typically with different master secrets, to remainauthenticated in these regions in order to continue enjoyingVANET services. This can be done by border RSUs ownedby RTAs. In particular, each border RSU is operated by oneRTA and will have multiple public/private key pairs, eachissued by an adjacent RTA. The border RSU will be able to

authenticate visiting vehicles based on the region informa-tion (i.e., RGH , RGF ) carried in their pseudonyms, if theborder RSU possesses a proper key pair. Upon successfulauthentication with the vehicle, the border RSU will issuepseudonym key pairs that can be used in the foreign region.There are several ways for the border RSU to issue valid keypairs. First, it can be configured with its RTA’s master secrets which will be used to generate private keys correspondingto arbitrarily chosen public keys. This approach offersflexibility at the cost of higher risks in terms of compromis-ing the domain master secret. Alternatives would be that theRTA configures the border RSU with pregenerated key pairsfor future assignment without releasing s, or the adoption of

the pseudonym self-generation technique proposed in [25]




at the border RSU so that the above configuration can beskipped. A common drawback of these alternatives is thelimitation of the pseudonym selection, i.e., the regionalinformation that is imperative in our proposed securitysystem cannot be arbitrarily incorporated into the pseudo-nym. We argue that since using tamper proof device at theborder RSU will reduce the risk of the master secret

disclosure, we will employ the first approach in our system.Specifically, a border RSU assigns key pairs in one of thefollowing two ways:

1. The vehicle submits its pseudonym P S v currently inuse to the border RSU, which updates PPLT, aforeign lookup table maintained by the foreign RTA,to record the correspondence between P S v and thenewly assigned pseudonyms. Or,

2. after authenticating with the border RSU using theabove P S v, the vehicle submits its real identity IDv

(bearing the same form as (1)) in ciphertext to theborder RSU, which updates the home RTA-main-tained PLT to record the correspondence betweenIDv and the newly assigned pseudonyms.

Let the pseudonym assigned for RGF by the border RSUbe of the form:

P S f v :¼ ðP seudonym; ExpiryDateÞ@RGH @RGF : ð2Þ

The generation of the pseudonym key pair is analogous tothat for RGH . When the vehicle enters a region where theborder RSU has no proper key pairs to authenticate thisvehicle, theborder RSUwill contact thehome RTAfor furtheractions (e.g., requesting a valid key pair from the home RTAto authenticate with the vehicle). We will omit furtherdiscussion on this issue since it is not a key design issue in

our system. We assume pre-established trust relationshipand secure channel between RTAs, which can be achieved byany public keycryptosystems. We will primarily focus on theauthentication and possible secure communications duringintervehicle message exchange and infrastructure access.

5.2 Pseudonym-Based Techniques for Privacy

Since ring signature and group signature techniques forensuring user privacy are unsuitable for our VANETsystem as mentioned in Section 2, we adopt the privacypreserving technique based on pseudonyms. In this paper,we do not assume the existence of pervasive VANETinfrastructure and will rely on available wireless networkswhenever possible.

5.2.1 Pseudonym Generation

Unlike sensors and some mobile nodes, storage is not astringent requirement for vehicles, rendering the preloadingof a large pool of pseudonyms feasible. Raya and Hubaux[3] quantitatively studied the storage space requirement forpreloading anonymous keys (i.e., pseudonyms) and asso-ciated certificates for long term use (i.e., one year). Theirresults are obtained based on quantifying the upper andlower bounds on the pseudonym change interval formaintaining a satisfactory degree of privacy. We adoptthe preloading method in our ID-based VANET systemwhere a pool of shorter-lived pseudonyms is loaded into

the vehicle by the RTA at the time of registration. The pool

will be replenished in a shorter period which may be amonth, week, or even a day. The merit of our approach isthat considering the unavailability of the dedicated infra-structure for VANETs, the preload-and-replenish mechan-ism can be realized through the existing wirelessinfrastructure, such as Wi-Fi networks, wireless meshnetworks (WMNs), etc. For instance, when the network is

accessible and less busy some time close to an update, thepseudonym pool will be replenish via the secure channelbetween the vehicle and RTA or border RSUs after properauthentication. If the vehicle is requesting pseudonymupdate in the home region, the real identity IDv will beindicated in ciphertext to the home RTA, which will thenupdate the PLT. When the vehicle is requesting thepseudonym update in a foreign region, the obsoletepseudonym at the time of entering P S v ob (used forrecording the correspondence with the newly assignedpseudonyms) will be indicated in ciphertext to the foreignRTA, which will update the PPLT accordingly. Thepseudonym revocation list which will be much smaller in

size than the credential revocation list (CRL) in [3], can alsobe downloaded using the available wireless infrastructurewhen the dedicated infrastructure is not yet pervasive. Inaddition to the preload-and-replenish mechanism, we baseour system on the ID-based cryptosystem so that the vehicleneed only store the pseudonym (public key), which savesthe storage space required for certificates as in theconventional PKI-based systems [3].

5.2.2 Pseudonym Authentication

Equipped with sufficient pseudonyms, a vehicle can updateits credential frequently enough to preserve privacy (cf. [3]).An important feature of VANET security is the digital

signature as a building block. Whether in intervehiclecommunications or infrastructure access, authentication isthe basic requirement since only messages from legitimateusers should be considered. Message confidentiality re-mains an option in VANETs depending on the specificapplication scenario. For instance, safety-related messagesdo not contain sensitive information and thus encryption isnot needed [3]. In some other applications such as tollpaying where vehicles obtain Internet services from RSUs,message confidentiality via encryption schemes may bedesired. When a vehicle V attempts to broadcast a messagem to peers or to request network access from RSUs, itsimply sends out:

V Ã: P S v; m; SI G Àvðm k tÞ;

where Ã denotes all peer vehicles in the communicationrange or any RSU, SI G Àv

denotes the ID-based signatureusing V ’s private key Àv, and t is the current system time toprevent message replay attack [26]. Upon receiving themessage, a peer vehicle or RSU is able to authenticate thesender by verifying the signature which also ensuresmessage integrity.

Afterwards, a shared key can be derived locally at V

and another vehicle or RSU, U , if further communicationsare desired (e.g., the two vehicles remain in each other’s

transmission range for a while).




K vÀu ¼ eðP K u; ÀvÞ

¼ eðP K u; P K vÞs

¼ eðÀu; P K vÞ ¼ K uÀv:

ð3Þ

This shared key will then be used in further authentica-tion or secure communications where encryption isneeded as follows:

V U : P S v; SKE K vÀuðmÞ; HMAC K vÀu

ðSKE k tÞ;

where SKE K vÀudenotes the symmetric key encryption using

the shared secret key K vÀu, and HMAC K vÀudenotes the

keyed-hash message authentication code leveraging thesame shared key.

In the conventional PKI, the communicating vehiclesneed first exchange their public keys and certificates forauthentication, during which the verifier has to verify thesender’s signature on the message, as well as the certificateauthority’s signature on the sender’s public key. Afterauthentication, a shared key will be established mutually if desired for secure communications, where additional

communication overhead is induced. In our ID-basedsystem presented above, the sender merely sends onemessage (i.e., P S v, m, SI G ), and the subsequent verificationand symmetric key establishment can be performed withoutfurther interactions. Therefore, our system bears desirablefeatures for satisfying security and efficiency requirementsin VANETs.

5.3 Threshold Signature Techniques forNonframeability

Applying the threshold-based secret sharing schemes to oursystem, the number of authorities for sharing the secret andfor revealing the identity can be adjusted by settingdifferent n and k values, respectively (cf. Section 3.2). These

schemes offer great flexibility in several ways as stated in[23]. In this paper, we adopt ID-based threshold signaturesto distribute the secret shares among designated authorities.The shares can be distributed by a trusted dealer (TD)which is the owner of the original secret. The TD takes oneof its publicly known identifications (or the derived publickey) QT D to be the user ID required as the input of the ID-based threshold signature scheme, and obtains the asso-ciated private key ÀT D ¼ sQT D from the private keygenerator (PKG) as the original secret for sharing. We let ¼ ÀT D for the description of the following thresholdsignature scheme. In our systme, the TD can be the RTA(i.e., PKG) or any other trusted entity who can run the secret

distribution algorithm [27].

5.3.1 Corruption-Resistant Threshold Signing

Threshold signature schemes can be used in the scenariowhere the TD owns the secret and computes the shares ( i)to distribute among n designated authorities (e.g., thejudge, police, other law enforcement authorities, etc.).When accidents or crimes occur, relevant messages ex-changed can be extracted by the cooperating k or moreauthorities from the black-box-like device in vehicles whichrecords pseudonyms used for the message exchanges. Theparticipating authorities will jointly generate a secret

without the TD, and will individually sign the pseudonym

using their associated shares i and i. The resulting

signatures from all other participants will be verified by

individual participants. When at least k valid signatures are

gathered, any participating authority can construct the

threshold signature based on the k partial threshold

signatures and submit it to the TD. The TD verifies the

threshold signature on the pseudonym and will return the

real identity corresponding to the pseudonym requested if

the verification succeeds.The procedure described above is demonstrated as

follows where relevant notations are listed in Fig. 3, using

the ID-based threshold signature in [27]:

1. T D uses SD1ð; k;n; OtherÞ to generate secret shares i, 8i 2 ½1; n�, where Other denotes some publishedparameters in the TD’s domain.

2. T D sends P K i, IDE PK i ð iÞ, SI G ÀTDðP K i k IDE PK i k

tÞ to AU i, 8i 2 ½1; n�, where P K i is AU i’s public key.3. All participants AU i, 8i 2 ½1; n�, run SD2ðk;n;G1; P Þ

to jointly generate .4. Each participating AU i generates partial threshold

signatures IT HS i ðP S Þ using i and i, where

i 2 ½1; n�, and P S is the pseudonym requested forlookup.

5. Each participating AU i broadcasts P S , IT HS i ,SI G ÀAU i

ðP S k IT HS i k tÞ.6. Each participating AU i verifies the received signa-

tures from all other participants AU j usingIT HVðIT HS j Þ, j 2 ½1; n�; j 6¼ i.

7. Any participating AU i calculates T HSðP S Þ based onIT HS i , 8i 2 , w he re f1; 2; . . . ; ng w i t hjj ! k.

8. The above AU i sends P S , T HS , HMAC i ðP S kT HS k tÞ to T D.

9. T D verifies the thresholdsignature using T HVðT HSÞ

and if successful, returns the real identity from the


Fig. 3. List of notations in threshold signing procedure.



pseudonym lookup table to participating AU i withP K i, SKE i ðP S k IDvÞ, HMAC i ðP K i k SKE i k tÞ.

ID-based threshold signature schemes proposed in theliterature [27], [28], [29] can be applied in our system toperform SD; IT HS i ; IT HV ; T HS , and T HV indicated inthe above procedure.

5.3.2 Tracing Law Violators Threshold signing is a prerequisite for tracing law violators,which involves authority collaboration and the RTA’sassistance in pseudonym lookup in Step 9 above, if the TDis not the home RTA (e.g., the accident occurred and thus isinvestigated at a foreign region), the pseudonym lookupprocedure may involve a single-step or a multistep lookup. If a PLT is looked up,the TD will retrieve the real identityof thevehicle based on the submitted pseudonym. On the otherhand, if a PPLT is looked up, the TD will only retrieve thevehicle’s obsolete pseudonym P S v ob at the time of enteringand will transfer P S v ob, T HS , QT D to the vehicle’spreviously visited RTA according to the region information

contained in P S v ob. Note that if the previous RTA is not thehome RTA (i.e., the vehicle has entered from another foreignregion), the previous RTA will follow a similar lookupprocedure until the information P S vh

, T HS , QTD reaches thehome RTA, where P S vh

denotes the obsolete pseudonymoriginally assigned by the home RTA. The additionalinformation T HS , QT D is included for the home RTA toverify the threshold signature. As a simple illustration, if thepolice and the judge are the designated authorities whosesignatures are required to access the PLT (or PPLT), a ð2; 2Þthreshold signature scheme will suit.

5.4 Threshold Authentication-Based DefenseScheme

When misbehavior occurs during network access, networkauthorities require the revocation of misbehaving users andshould not be able to arbitrarily trace honest users. It can beachieved only by defense schemes that offer privacy-preserving and traceability features. Furthermore, the keyreason for adopting the threshold authentication techniqueis the capability to tolerate certain misbehavior due to theflexible threshold, in addition to the privacy and traceabilityguarantees. This functionality cannot be provided by thepseudonym-based approach. Consider malfunctioning ve-hicles as an example of nonmalicious misbehavior thatshould be tolerated to certain extent. Malfunctioning andintentional (or malicious) misbehavior are difficult todistinguish, which would require additional softwareinstalled in vehicles and RSUs to analyze the behavior of the message sender and to reach a decision. As a result, it isnot an easy task to apply defense schemes differently formalfunctioning and “real” misbehavior. This is the reasonthat threshold authentication is employed in our defensescheme, where misbehavior can be tolerated as long as thenumber of times it occurs is less than the specifiedthreshold. It is similar in purpose to the glitch protectionproposed in [30]. In our example, within the threshold, if the malfunctioning vehicle finds out and recovers from theproblem (e.g., via the automatic error warnings generatedby the vehicle’s on-board unit), this incidental misbehaviorcan be ignored (i.e., undetected) by the access group owner.

Only when the vehicle cannot detect the malfunctioning,

i.e., the vehicle constantly misbehaves, will the tracing andrevocation be initiated by the access group owner. Themalfunctioning vehicle’s identity will be revealed with theaid from the RTA, and the vehicle will be informed aboutthe malfunctioning system by the access group owner.

The technical details of the defense scheme will bepresented below, followed by discussions on fine-grained

defense leveraging access groups.

5.4.1 Membership Registration

After the initial system setup, each legitimate user isrequired to register (i.e., membership registration) withthe RTA and become a member of the defense system,which is required for the threshold-authentication-baseddefense scheme. The registration is carried out by the userM n randomly selecting x0; r 2R Z Ãq and engaging in thefollowing interactions with the RTA:

1. M n RT A: P S M n ; C 0 ¼ x0P þrH;t1, HMAC ðC 0 k t1Þ;2. RT A M n: y; y0 2R Z Ãq , t2, HMAC ðy k y0 k t2Þ;

3. M n RT A: ðC; Þ ¼ ðx P ; AxÞ, ZKP 1, t3, HMAC ðC k k ZK P 1 k t3Þ;

4. RT A M n: a 2R Z Ãq , S ¼ 1

þaðC þ P 0Þ, t4, HMAC

ða k S k t4Þ,

where C 0 is a commitment that will later be used in ZK P 1. Atthe end of this procedure, M n checks if eðS;aP þ P pubÞ ¼eðC þ P 0; P Þ holds to ensure that his member public andprivate keys, mpk ¼ ða ; S ; C; Þ and msk ¼ x, respectively,are correctly formed. In Step 2, the RTA first authenticatesM n using M n’s pseudonym P S M n to ensure the legitimacy of M n in the VANET system. In Step 3, M n computes x ¼y þ x0y0 and adds ðn; Þ to ID list. Before Step 4, the RTAverifies the presence of ðn; Þ in ID list, the validity of ¼eðC; P Þ and proof of knowledge ZK P 1 (refer to [10] for proof

details). If the verification succeeds, the RTA will issue themember public key to M n as shown in Step 4. The RTA willalso link M n’s member credential n to his real identity IDn

by adding a column of n to the PLT, an exemplary entry inwhich will be (P S M n ; IDn; n). This linkage will be used forRevocation/recovery described later in this section.

5.4.2 Access Group Setup

A user opting for his own access group to place furtherrestriction on other users acts as an access group owner. Theaccess group owner selects Q 2 G1, Q1; Q2 2 G2, s 2R Z Ãq andsets his public/private key pair as (apk ¼ ðQ; Qpub; Q1; Q2Þ,ask ¼ s), where Qpub ¼ sQ. The access group owner main-

tains the following information: the AUTH log , the accumu-lated value D [31] for automatically revoking access rights of the group members, and a public archive ARC of the form(a;b;D), where b ¼ 1; 0 indicates the grant, revocation of anaccess group member, respectively. Initially, D is set toD0 2 G1, AUTH log and ARC are empty. A user M n joins theaccess group owner’s group as follows to further commu-nicate with the access group owner (AGO):

1. M n AGO: P S 0M n, mpk ¼ ða ; S ; C; Þ, t5, SI G $0

M n

ðmpk k t5Þ;2. AGO M n:P S AGO, k, j, Dj, t6, SI G $AGO

ðk k j k Dj k t6Þ.

Note that we have used P S 0M nhere (serving the same

purpose as P S M n in Membership registration) to indicate a




possibly different pseudonym M n is currently using.Suppose there are j tuples in ARC and accumulated valueis Dj. After M n joins the access group successfully, theaccess group owner updates the accumulated value toDjþ1 ¼ ðs þ aÞDj and adds (a; 1; Djþ1) to ARC . M n updateshis/her access key to mak ¼ ðj þ 1; W Þ, where W ¼ Dj, andinitiates a running counter d which is compared with the

threshold k to ensure that k is not exceeded each time thethreshold authentication procedure is executed.

5.4.3 Access Group Revoking

The access group owner revokes M n’s access right whendetecting misbehavior, which can be performed either at thetime of M n’s joining (so M n will not be granted access at all),or after the joining via the threshold authentication. Theaccess group owner simply updates the accumulated valueto Djþ1 ¼ 1

sþaDj and adds (a; 0; Djþ1) to ARC . Group

members must update the access key W based on a andthe up-to-date accumulated value Djþ1, which ensures thata revoked member will be unable to obtain a valid W that

passes the following threshold authentication.

5.4.4 Threshold Authentication

If M n is an access group member of an access group owner(AGO), the threshold authentication takes place as follows:

M n AGO : P S 00M n;d;TAG;l 2R Z Ãq ;ZKP 2; t7;

SI G $00M n

ðd k T AG k l k ZK P 2 k t7Þ:

M n computes T AG as T AG ¼ ðÀd ; Àd Þ ¼ ðÂxd ; ðAl Âd Þ

xÞ,

where (Âd ; Âd ) is the d th tag base. In general, M n computes

the jth tag base by using a random oracle as ðÂj; ÂjÞ ¼

HG2 ÂG2ðP S AGO; k ; jÞ for j ¼ 1; . . . ; k. The access group owner

aborts the procedure if d > k

, which ensures that the usercannot authenticate more than k times unless he/she reuses

one or more of the k tag bases. Otherwise, the access group

owner checks if T AG is different from all other entries in

AUTH log . If different and ZK P 2 is valid, the access group

owner adds (TAG;l) and the proof of knowledge ZK P 2 (refer

to [10] for proof details) to AUTH log . In ZK P 2, the member

proves possession or correct formation of (x;a;S;d;W )

without revealing these parameters. If T AG already exists

and ZK P 2 is valid, the access group owner proceeds to the

tracing procedure below to detect the misbehaving user. If

ZK P 2 is invalid, M n is ignored and the procedure is aborted.

5.4.5 Tracing In case t he re e xist t wo e nt ries (TAG;l;ZKP 2) a nd(T AG0; l0;ZKP 0

2) in the AUTH log that À ¼ À

0 and l 6¼ l0, theaccess group owner can trace a misbehaving user bycomputing ¼ ð

ÀÀ0Þ

1

lÀl0 ¼ Ax. The ID list maintained by theRTA can then be looked up to find the entry (n; ). M n’scredential n will eventually be recovered and reported to theRTA. The access group owner can also broadcast a warningmessage containing M n’s mpk (i.e., ) and the two entriesshown above (for verification purpose) in his vicinity toinform the neighbors who will most likely be affected by themisbehavior. The neighbors may choose to ignore thiswarning message, or revoke M n’s access right to their access

groups (if any). Note that the access group owner and his

neighbors who noticed the misbehavior of M n can lower thethreshold on future authentications with M n, when this M nattempts to perform authentication using his member publickey mpk, alleviating the effect of potential attacks launchedby M n during the vulnerable period.

5.4.6 Revocation/Recovery

Since n does not reveal any information on M n’s realidentity, other users in the VANET system (except the RTA)cannot identify M n as a misbehaving user. It is left to theRTA to decide wether to revoke M n based on multiplecriteria. One criterion may be to accumulate a certainnumber of reports against a same user. When the decisionis reached to revoke a misbehaving user, the RTA checks thePLT for the entry (IDn; n) and the user with identity IDn willbe restrained from future communications in the VANETsystem. Note that we have assumed the RTA is trustworthyand will only execute this procedure when a user trulymisbehaves. However, this assumption may be too strong inrealistic applications where the RTA can be corrupted. We

can use a similar method as in [7] to split the role of the RTA(e.g., to include vehicle manufacturer) by leveraging thesecret sharing technique to avoid the consequence of powercentralization and a single point of failure.

5.4.7 Discussion

The access group setup and revoking procedures in thedefense scheme enable the group owner to employ fine-grained defense against misbehaving group members,besides the threshold k not being exceeded. Specifically,the access group owner restricts his access group membersin two cases: 1) the access group owner needs to control theactivity duration of an access group member in addition tothe number of times k, and 2) the access group owner

decides to revoke an access group member’s access right atany time during the threshold authentication after thethreshold k has been announced to the member, possiblydue to the severity of the member’s misbehavior. Anexample of 1) can be when the access group owner isan RSU who provides services (e.g., infotainment) bearingan expiration time. In this case, the RSU may initiate a timerat the time a user joins the access group and deny themember’s access by updating Djþ1 based on a and theexpired timer, even if k has not been reached. In the case of 2), the access group owner has more control over groupmembers such as public vehicles that tend to impact greatlyon victims [32]. The owner may revoke these members’access as soon as the severity of their misbehavior is raised

above the tolerable level which is design specific and willnot be elaborated here. However, Case 2) requires an extraproof of knowledge that the misbehavior is not up to theowner-specified severity level, which will not be furtherdiscussed in this paper due to space limitations.

6 SECURITY ANALYSIS

Our secure VANET system, which primarily strives toresolve the conflicts of privacy and traceability, also satisfiesthe requirements of authentication, message integrity, andconfidentiality.

Privacy: Privacy is achieved by the pseudonym-based

technique, as detailed in Section 5.2. The adoption of




pseudonyms in VANET communications conceals the realidentity of vehicles such that peer vehicles and RSUs cannotidentify the sender of a specific message while are still ableto authenticate the sender. By frequently updating thepseudonyms during communications, our system success-fully defends legitimate vehicles against tracing and userprofiling, assuming an underlying Tor-like anonymous

network layer [33] which ensures location privacy.To elaborate on the the achievable privacy, when a

vehicle applies for pseudonyms using its real identity fromeither the RTA or border RSUs, its privacy cannot beguaranteed because the real identity must be revealed atthese moments. However, after the pseudonym issuance,the vehicle will interact primarily with the service providerowned RSUs for Internet access, or with peer vehicles usingthe assigned pseudonyms. Since interactions using thesepseudonyms with the RTA or border RSUs are minimal inour schemes, we can safely claim that the RTA cannotarbitrarily link pseudonyms with the identity to compro-mise the privacy of an honest vehicle user. The minimal

interactions include: 1) the vehicle authenticates with theRTA in Membership registration which occurs only once if thevehicle is not traced or revoked, and 2) the vehicleauthenticates with the border RSUs to obtain new pseudo-nym key pairs while in the specific region, which happensonce every user-specified update period as mentioned inSection 5.2.1. By adjusting the length of the update period,the vehicle users can control the achievable privacy bylimiting the border RSUs’ chances to view the assignedpseudonyms. For example, a user can choose to preload andreplenish pseudonym key pairs for a longer time (i.e., onceevery month), where the frequency of linking a pseudonymto an identity is lower and the achievable privacy level will

be higher. On the other hand, if the user sacrifices privacyfor storage efficiency, he/she can choose to update keypairs once every day. In this case, the border RSUs will beable to learn the identity of the user every day at the time of key updates. This is a common issue in the design of security schemes where tradeoff between security andefficiency will be involved. Note that due to the anonymousnetwork layer, the border RSUs are unable to learn thelocation (i.e., network address) of this user.

Furthermore, in the defense scheme, a vehicle member’sfixed member public key mpk is needed in the access groupsetup and revoking, and in the actual threshold authentica-tion. Although mpk is not updated as pseudonyms, it will

not be shown to the group owner in the authentication (cf.Section 5.4.4) where only the knowledge proof of the mpk isneeded. Therefore, this fixed key will not enable theattackers to link multiple authentication events to a samevehicle user. Except for the cases where identities must berevealed to the authorities, no entity in our system cancompromise the privacy of honest vehicle users.

Traceability: The pseudonym lookup tables PLT andPPLT enable the eventual tracing of law violators in theenforcement scenario, with the participation of law enforce-ment authorities and involvement of the RTA. The tracingprocedure in the thresholdauthentication scheme guaranteesthe traceability of a misbehaving user who has authenticated

more than k times during network access.

Nonframeability: The secret sharing technique in thethreshold signature scheme ensures nonframeability in thecase of corrupted authorities, who attempts to illegallyrecover an innocent user’s identity. Moreover, it is notpossible for any other entity in the system, especially thenetwork authorities, to accuse an honest user for havingmisbehaved simply because an evidence (i.e., authentica-

tion transcripts) cannot be produced for verification by athird-party arbiter, in case disputes occur.

Authentication, Nonrepudiation, Integrity and Con-fidentiality: Authentication, nonrepudiation, and integrityare guaranteed by digital signatures (as shown inSection 5.2.2) which bound a message to a pseudonymand consequently the corresponding identity. If furtherinteractions are needed and hence a symmetric key isestablished between interacting entities, integrity can beprotected by utilizing the message authentication code(e.g., HMAC i ). Confidentiality is attained by using publicor symmetric key encryptions, for the initial and sub-sequent secure communications, respectively.

Miscellaneous: Some other requirements pertinent toVANET security include data consistency, availability,position verification, efficiency, and scalability, and arediscussed in [34], [35], [5], [36], [37] and [1], respectively.These requirements are not the security goals of ourVANET system but can be fulfilled by applying the abovetechniques accordingly.

7 EFFICIENCY ANALYSIS

We carry out efficiency analysis in this section in terms of storage, computation, and communication efficiency for oursecurity system.

7.1 StorageIn our system, the storage requirements on RTAs, otherauthorities, and RSUs are not stringent since these entitiesare distributed and resource-abundant in nature (e.g., thereare many RTAs across the country, each of which mayconsist of several powerful servers). We are mainlyconcerned with the storage cost in vehicles due to thepreloading of pseudonyms for privacy, and the informationnecessary for the defense scheme. Note that in ThresholdSignature Techniques for Nonframeability, only law enforce-ment authorities are involved to split the authority role andno vehicle needs to participate in this procedure. Moreover,this procedure is invoked once for every accident or crime

in which the guilty vehicle escapes from the scene. Thisevent is expected to happen infrequently assuming amajority of vehicles are honest and responsible. Our systememploys the combination of pseudonym preloading andreplenishing, striving to reduce the storage cost at thevehicles compared to the preloading method alone. How-ever, we assume the worst case (i.e., only preloading isavailable) for the following analysis. As shown in [3], thenumber of required pseudonyms per year is approximately43,800, calculated based on the average driving time perday and the pseudonym update frequency for desiredprivacy. We adopt the parameters specified in [25] for ourID-based cryptosystem and a pseudonym/private key pair

takes around 43 bytes using point compression (2

Â jG1

j




element) for storage. Each vehicle will be preloaded 1.88 Mbytes per year, which is an acceptable size and outperformsthe storage efficiency (3.5 M bytes per vehicle per year with80 bytes per key/certificate) in [3]. The parameters (i.e.,100 bytes per key/certificate) chosen by [3] result in asecurity level similar to 2,048-bit RSA and a total storagespace of 4.2 M bytes. In order to perform a fair comparison

with our system, we derived the above 3.5 M bytes based onparameters yielding a security level equivalent to 1,024-bitRSA. Note that elliptic curve cryptography (ECC) based PKIwas adopted by [3] and is well-known for its very efficientstorage and communication performance due to small keysizes, compared to RSA-based PKI. If RSA-based PKI hadbeen adopted, the total required storage space in the abovescenario would be around 48.2 M bytes, assuming 1,024-bitRSA public key. Our ID-based cryptosystem shows advan-tage in terms of storage efficiency over ECC-based PKI in[3], let alone RSA-based PKI.

Furthermore, in our system, each vehicle needs to store apublic/private key pair, roughly 214 bytes, for the defensescheme against misbehavior. When acting as an accessgroup owner, the vehicle also stores AUTH log and publicarchive ARC containing records for each access groupmember. However, these two pieces of information will notgrow in size over time due to the communicationcharacteristics of VANETs, that is, vehicles have limitedinteraction time and interact only when staying in eachother’s vicinity. The likelihood of two vehicles encounteringagain in a short period (once they have been out of reach) isexpected to be low. Additionally, the communicatingvehicles during a reasonable time interval can be assumedof minimal change (e.g., a vehicle will most frequentlyexchange messages with neighboring vehicles in the samedriving direction with similar driving speed). Therefore,

the number of entries inAUTH

log andARC

is maximallythe largest possible number of vehicles in the transmissionrange in a given time interval. It is worth noting that thestorage costs of PLT and PPLT at an RTA will not increaseover time either, the reason being that each vehicle in theRTA’s domain has exactly one entry in the PLT or PPLT.The RTA need not record all pseudonyms used by a vehiclebut the effective one or those recently expired ones, basedon the ExpiryDate field in the pseudonym. These recordedpseudonyms serve mainly for recovering a guilty vehicle’sreal identity, and thus, previously expired pseudonyms areuseless assuming the accident or crime will be investigatedshortly after its occurrence.

7.2 Computation

Similar to the argument in the storage analysis, we areinterested in the computation costs at vehicles which areleast powerful in our system. Bilinear pairings are the mostexpensive operations when the ID-based cryptosystem isemployed. Specifically, a vehicle needs to compute pairingsfor SI G $v

ðm k tÞ and K vÀu when exchange messages withother vehicles. The vehicle also needs to compute pairingsfor the defense scheme, where the zero knowledge proof (ZKP) construction and verification contribute to the high-est cost since they must be performed each time an accessgroup owner authenticates an access group member. Somepairing operations involved in Registration and Access groupsetup can be neglected due to the infrequent invocation of

these procedures. For SI G $v ðm k tÞ, ID-based signature

schemes such as [38] can be utilized for the signing andverification procedures. Using the techniques in [38],computation efficiency can be achieved by precomputingcertain pairing operations and leaving a minimal number of pairings on-the-fly at the verification phase. One pairingoperation is required for computing K vÀu, and only whenthe two vehicles remain in each other’s transmission range.

Regarding the ZKP-induced computation, the proofs can beconstructed by access group members in advance and henceall pairings involved can be precomputed. In contrast,certain number of pairings must be computed in real-timewhile others can be precomputed for the verificationperformed by the access group owner. Employing theconstruction and verification shown in [10], four pairingsneed be computed by the access group owner in real time.

Although the computationally intensive pairing opera-tions are not involved in conventional PKI (ECC-based PKIand RSA-based PKI), we argue that the ID-based crypto-system based on pairings is still highly suitable, especiallyin our VANET environment. If Tate pairing is used for thebasic pairing operation, it is shown in [39] that the time

taken for computing a Tate pairing is 20 ms, 23 ms, and26 ms, in the underlying base field of F p (where jpj ¼512 bit), F 2271 , and F 397 , respectively. The first two fields havesimilar levels of security to 1,024-bit RSA while the last fieldhas effective 922-bit security. Recent progress [40] showsthat the computation time of Tate pairing on elliptic curvesin characteristic 2 and 3 has been significantly improved,rendering pairing-based cryptosystems more realistic insecurity applications. Though vehicles are less powerfulthan other entities in our system (e.g., RTAs, RSUs, etc.),they have relatively high computation power (i.e., can beequipped with high-power processors) as a mobile device,in comparison with most other mobile devices such as cellphones, PDAs, or even laptops. Recent results show thefeasibility of pairings on power-constrained smartcards [41],

[42], which we believe strengthens our above argument. Weconclude from the analysis that the real-time computationintensity in our system is highly acceptable even on the low-end mobile device.

7.3 Communication

Communication costs in our systems are mainly inducedby broadcasts. Each message broadcast by vehicles (cf.Section 5.2.2) consists of a pseudonym (22 bytes), aplaintext message (disregarded in the comparisons), anda signature. The signature generated by the scheme in [38]is equivalent in size to an element in G1 and an element inZ Ãq , which sum to roughly 43 bytes. As a result, eachbroadcasted message in our ID-based cryptosystem yields

65 bytes. If ECC-based PKI is adopted as in [3], eachbroadcasted message will consist of a signature and acertificate (one public key plus one signature), totaling 100bytes. If the RSA-based PKI is adopted, each broadcastedmessage will induce up to 1.1 K bytes communicationoverhead (assuming the RSA key for signing is 1,024 bit or128 byte, and a standard certificate comprising an RSApublic key and the certificate authority’s signature isroughly 1 K bytes). Apparently, our ID-based solutionoutperforms ECC-based PKI and has significant improve-ment compared to RSA-based PKI. The broadcast of partialthreshold signatures by participating authorities for non-frameability takes place infrequently due to the rare case of escaping from the crime scene, as argued in the storage

analysis. Another broadcast event in our system occurs at




Tracing in the defense scheme. Analogous to the broadcastof messages, this broadcast event, introducing roughly1.2 K bytes, also takes place only in a vehicle’s transmis-sion range. As described in Section 5.4.5, this broadcast of the misbehaving vehicle’s public key and the two entriesis optional, in that the access group owner can trace themisbehaving vehicle and report to the RTA without

warning other vehicles in the vicinity. However, suchwarning is highly desirable in order to diminish the impactof misbehavior, sacrificing system performance for secur-ity. Improvement can be carried out by the access groupowner only broadcasting the 128-byte . Neighboringvehicles may choose to trust the access group owner fromprevious interactions and thus the two entries (of 1.1 Kbytes) for verification purpose need not be broadcasted.

As a final remark, we point out that the characteristics of VANET systems determine that communication efficiencyis the foremost performance indicator, among all theefficiency concerns. The reason is that vehicles, as themobile devices in VANETs, are capable of intensive datastorage and complex computation tasks, rendering therequirements for storage and computation efficiency lessstringent. On the other hand, communication overhead willbe overwhelming if inefficient design is carried out, due topotentially large user base (i.e., vehicles) in VANETs.Through the analysis of our system and those based onconventional PKI, we particularly demonstrate the promis-ing performance regarding communication efficiency of ourdesign built on ID-based cryptosystem. Moreover, limitingmost communications to local interactions and not relyingon pervasive infrastructure give rise to more affordablecommunication costs in our VANET system.

8 CONCLUSION AND FUTURE WORK

We have presented the VANET security system mainlyachieving privacy, traceability, nonframeability,and privacy-preserving defense against misbehavior. These functional-ities are realized by the pseudonym-based technique, thethreshold signature, and the threshold authentication baseddefense scheme. The ID-based cryptosystem facilitates us todesign communication and storage efficient schemes.Through security and efficiency analysis, our system isshown to satisfy the predefined security objectives anddesirable efficiencies. Our future work consists of simulatingthe proposed security system and experimenting it in realVANET settings.

ACKNOWLEDGMENTS

This work was partially supported by the US NationalScience Foundation (NSF) under grants CNS-0916391, CNS-0716450, CNS-0721744, and CNS-0626881, and China 111Project under grant B08038. The work of Yanchao Zhangwas also partially supported by the NSF under grants CNS-0716302 and CNS-0844972 (CAREER).

REFERENCES

[1] K. Ploßl, T. Nowey, and C. Mletzko, “Towards a SecurityArchitecture for Vehicular Ad Hoc Networks,” Proc. First Int’lConf. Availability, Reliability and Security (ARES ’06), Apr. 2006.

[2] B. Parno and A. Perrig, “Challenges in Securing VehicularNetworks,” Proc. Fourth Workshop Hot Topics in Networks (HotNets

IV), Nov. 2005.

[3] M. Raya and J-P. Hubaux, “Securing Vehicular Ad Hoc Net-works,” J. Computer Security, special issue on security of ad hocand sensor networks, vol. 15, no. 1, pp. 39-68, 2007.

[4] J.Y. Choi, M. Jakobsson, and S. Wetzel, “Balancing Auditabilityand Privacy in Vehicular Networks,” Proc. First ACM Int’lWorkshop QoS and Security for Wireless and Mobile Networks(Q2SWinet ’05), pp. 79-87, Oct. 2005.

[5] T. Leinmuller, C. Maihofer, E. Schoch, and F. Kargl, “ImprovedSecurity in Geographic Ad Hoc Routing through Autonomous

Position Verification,” Proc. Third ACM Int’l Workshop Vehicular AdHoc Networks (VANET ’06), Sept. 2006.

[6] M.E. Zarki, S. Mehrotra, G. Tsudik, and N. Venkatasubramanian,“Security Issues in a Future Vehicular Network,” Proc. EuropeanWireless Conf. ’02, Feb. 2002.

[7] J. Sun, C. Zhang, and Y. Fang, “An Id-Based FrameworkAchieving Privacy and Non-Repudiation in Vehicular Ad HocNetworks,” Proc. IEEE Military Comm. Conf., pp. 1-7, Oct. 2007.

[8] X. Lin, X. Sun, P.-H. Ho, and X. Shen, “GSIS: A Secure andPrivacy-Preserving Protocol for Vehicular Communications,”IEEE Trans. Vehicular Technology, vol. 56, no. 6, pp. 3442-3456,Nov. 2007.

[9] C. Zhang, R. Lu, X. Lin, P.-H. Ho, and X. Shen, “An EfficientIdentity-Based Batch Verification Scheme for Vehicular SensorNetworks,” Proc. IEEE INFOCOM, pp. 816-824, Apr. 2008.

[10] L. Nguyen and R. Safavi-Naini, “Dynamic K-Times AnonymousAuthentication,” Proc. Applied Cryptography and Network SecurityConf., vol. 3531, pp. 318-333, 2005.

[11] M. Raya, P. Papadimitratos, I. Aad, D. Jungels, and J.-P. Hubaux,“Eviction of Misbehaving and Faulty Nodes in Vehicular Net-works,” IEEE J. Selected Areas Comm., vol. 25, no. 8, pp. 1557-1568,Oct. 2007.

[12] C. Gamage, B. Gras, B. Crispo, and A.S. Tanenbaum, “An Identity-Based Ring Signature Scheme with Enhanced Privacy,” Proc.Second Int’l Conf. Security and Privacy in Comm. Networks(SecureComm ’06), Aug. 2006.

[13] R. Lu, X. Lin, H. Zhu, P.-H. Ho, and X. Shen, “ECPP: EfficientConditional Privacy Preservation Protocol for Secure VehicularCommunications,” Proc. IEEE INFOCOM, Apr. 2008.

[14] A. Studer, E. Shi, F. Bai, and A. Perrig, “TACKing TogetherEfficient Authentication, Revocation, and Privacy in VANETs,”Proc. Sixth Ann. IEEE SECON Conf. (SECON ’09), 2009.

[15] K. Sampigethaya, L. Huang, M. Li, R. Poovendran, K. Matsuura,

and K. Sezaki, “Caravan: Providing Location Privacy for Vanet,”Proc. Embedded Security in Cars (ESCAR), 2005.[16] P. Kamat, A. Baliga, and W. Trappe, “An Identity-Based Security

Framework for VANETs,” Proc. Third ACM Int’l WorkshopVehicular Ad Hoc Networks (VANET ’06), pp. 94-95, Sept. 2006.

[17] P. Kamat, A. Baliga, and W. Trappe, “Secure, Pseudonymous, andAuditable Communication in Vehicular Ad Hoc Networks,”J. Security and Comm. Networks, vol. 1, no. 3, pp. 233-244, June 2008.

[18] J. Sun and Y. Fang, “Defense Against Misbehavior in AnonymousVehicular Ad Hoc Networks,” Ad Hoc Networks, vol. 7, no. 8,pp. 1515-1525, Nov. 2009.

[19] G. Calandriello, P. Papadimitratos, J.-P. Hubaux, and A. Lioy,“Efficient and Robust Pseudonymous Authentication in VANET,”Proc. Fourth ACM Int’l Workshop Vehicular Ad Hoc Networks(VANET ’07), pp. 19-28, 2007.

[20] P. Tsang, M.H. Au, A. Kapadia, and S.W. Smith, “BlacklistableAnonymous Credentials: Blocking Misbehaving Users without

TTPs,” Proc. ACM Conf. Computer and Comm. Security (CCS),pp. 72-81, 2007.

[21] J. Sun and Y. Fang, “A Defense Technique Against Misbehavior inVANETs Based on Threshold Authentication,” Proc. IEEE MilitaryComm. Conf., Nov. 2008.

[22] D. Boneh and M. Franklin, “Identity-Based Encryption from theWeil Pairings,” Advances in Cryptology-Asiacrypt, Springer-Verlag,pp. 514-532, 2001.

[23] A. Shamir, “How to Share a Secret,” Comm. ACM, vol. 22, pp. 612-613, 1979.

[24] C.-P. Schnorr, “Efficient Signature Generation by Smart Cards,”vol. 4, no. 3, pp. 161-174, Jan. 1991.

[25] J. Sun, C. Zhang, and Y. Fang, “A Security Architecture AchievingAnonymity and Traceability in Wireless Mesh Networks,” Proc.IEEE INFOCOM, pp. 1687-1695, Apr. 2008.

[26] A. Menezes, P.V. Oorschot, and S. Vanston, Handbook of Applied

Cryptography. CRC Press, 1996.




[27] J. Baek and Y. Zheng, “Identity-Based Threshold SignatureScheme from the Bilinear Pairings,” Proc. Int’l Conf. InformationTechnology (ITCC ’04), Information Assurance and Security Track (IAS’04), pp. 124-128, 2004.

[28] X. Chen, F. Zhang, D.M. Konidala, and K. Kim, “New ID-BasedThreshold Signature Scheme from Bilinear Pairings,” Proc. FifthInt’l Conf. Cryptology in India (INDOCRYPT ’04), 2004.

[29] J. Shao, Z. Cao, and L. Wang, Efficient ID-Based Threshold SignatureSchemes without Pairings, Cryptology ePrint Archive, Report 2006/

308, http://eprint.iacr.org/2006/308.pdf, 2006.[30] J. Camenisch et al., “How to Win the Clonewars: Efficient Periodicn-Times Anonymous Authentication,” Proc. ACM Conf. Computerand Comm. Security (CCS), pp. 201-210, 2006.

[31] J. Camenisch and A. Lysyanskaya, “Dynamic Accumulators andApplication to Efficient Revocation of Anonymous Credentials,”Proc. 22ndAnn. Int’l Cryptology Conf. (CRYPTO ’02), pp. 61-76, 2002.

[32] IEEE Std 1609.2-2006, IEEE Trial-Use Standard for Wireless Access inVehicular Environmentsł Security Services for Applications andManagement Messages, http://ieeexplore.ieee.org/servlet/opac?punumber=11000, 2006.

[33] R. Dingledine, N. Mathewson, and P. Syverson, “Tor: The Second-Generation Onion Router,” Proc. USENIX Security Symp., pp. 303-320, Aug. 2004.

[34] P. Golle, D. Greene, and J. Staddon, “Detecting and CorrectingMalicious Data in VANETs,” Proc. First ACM Int’l WorkshopVehicular Ad Hoc Networks (VANET ’04), pp. 29-37, Oct. 2004.

[35] J. Yin, T. Elbatt, G. Yeung, B. Ryu, S. Habermas, H. Krishnan, andT. Talty, “Performance Evaluation of Safety Applications overDSRC Vehicular Ad Hoc Networks,” Proc. First ACM Int’lWorkshop Vehicular Ad Hoc Networks (VANET ’04), Oct. 2004.

[36] T. Leinmuller, E. Schoch, and F. Kargl, “Position VerificationApproaches for Vehicular Ad Hoc Networks,” Proc. IEEE WirelessComm., pp. 16-21, Oct. 2006.

[37] M. Raya, A. Aziz, and J.P. Hubaux, “Efficient Secure Aggregationin VANETs,” Proc. Third ACM Int’l Workshop Vehicular Ad HocNetworks (VANET ’06), pp. 67-75, Sept. 2006.

[38] F. Hess, “Efficient Identity-Based Signature Schemes Based onPairings,” Selected Areas in Cryptography, Springer-Verlag, pp. 310-324, 2002.

[39] P.S.L.M. Barreto, H.Y. Kim, B. Lynn, and M. Scott, “EfficientAlgorithms for Pairing-Based Cryptosystems,” Proc. 22nd Ann.Int’l Cryptology Conf. (CRYPTO ’02), pp. 354-368, 2002.

[40] P.S.L.M. Barreto, S.D. Galbraith, C. OhEigeartaigh, and M. Scott,

Efficient Pairing Computation on Supersingular Abelian Varieties,Cryptology ePrint Archive, Report 2004/375, http://eprint.iacr.org/2004/375.pdf, Sept. 2005.

[41] M. Scott, N. Costigan, and W. Abdulwahab, ImplementingCryptographic Pairings on Smartcards, L. Goubin and M. Matsui,eds. Springer-Verlag, 2006.

[42] G.M. Bertoni, L. Chen, P. Fragneto, K.A. Harrison, and G. Pelosi,“Computing Tate Pairing on Smartcards,” http://www.st.com/stonline/products/families/smartcard/ches2005_v4.pdf, 2005.

Jinyuan Sun received the BSc degree incomputer information systems from Beijing In-formation Technology Institute, China, in 2003,the MASc degree in computer networks fromRyerson University, Canada, in 2005, and thePhD degree in electrical and computer engineer-ing from the University of Florida, in 2010. She

was a Network Test Developer at RuggedComInc., Ontario, Canada, 2005-2006. She has beenan assistant professor in the Department of

Electrical Engineering and Computer Science at University of TennesseeKnoxville since August 2010. Her research interests include the securityprotocol and architecture design of wireless networks.

Chi Zhang received the BE and ME degrees inelectrical engineering from Huazhong Universityof Science and Technology, Wuhan, China, inJuly 1999 and January 2002, respectively. SinceSeptember 2004, he has been working towardthe PhD degree in the Department of Electricaland Computer Engineering at the University ofFlorida, Gainesville. His research interests in-clude network and distributed system security,

wireless networking, and mobile computing.

Yanchao Zhang received the BE degree incomputer communications from Nanjing Univer-sity of Posts & Telecom, China, in 1999, the MEdegree in computer applications from BeijingUniversity of Posts & Telecom, China, in 2002,and the PhD degree in electrical and computerengineering from the University of Florida,Gainesville, in 2006. He has been an assistantprofessor in the Department of Electrical andComputer Engineering at New Jersey Institute of

Technology since August 2006. His primary research interests includenetwork and distributed system security, wireless networking, andmobile computing. He is an associate editor of the IEEE Transactions on Vehicular Technology , a feature editor of the IEEE Wireless Commu-

nications , and a guest editor of the IEEE Wireless Communications Special Issue on Security and Privacy in Emerging Wireless Networks.He is a TPC cochair of Communication and Information System SecuritySymposium, IEEE GLOBECOM ’10. He is a winner of the US NationalScience Foundation (NSF) CAREER Award in 2009.

Yuguang Fang (S’92-M’97-SM’99-F’08) re-ceived the PhD degree in systems engineeringfrom Case Western Reserve University in Jan-uary 1994 and the PhD degree in electricalengineering from Boston University in May1997. He was an assistant professor in theDepartment of Electrical and Computer Engi-neering at New Jersey Institute of Technologyfrom July 1998 to May 2000. He then joined theDepartment of Electrical and Computer Engi-

neering at theUniversityof Florida in May2000as an assistant professor,

got an early promotion to an associate professor with tenure in August2003 and to a full professor in August 2005. He holds a University ofFlorida Research Foundation (UFRF) professorship from 2006 to 2009, aChangjiang scholar chair professorship with Xidian University, Xi’an,China, from 2008 to 2011, and a guest chair professorship with TsinghuaUniversity, China, from 2009 to 2012. He has published more than250 papers in refereed professional journals and conferences. Hereceivedthe US NationalScienceFoundation (NSF) Faculty Early CareerAward in 2001 and the Office of Naval Research Young InvestigatorAward in 2002 and is the recipient of the Best Paper Award in IEEEInternational Conference on Network Protocols (ICNP) in 2006 and therecipient of the IEEE TCGN Best Paper Award in the IEEE High-SpeedNetworks Symposium, IEEE Globecom in 2002. He is also active inprofessional activities. He is a fellow of the IEEE and the IEEE ComputerSociety, and a member of the ACM. He is currently serving as an editor-in-chief for the IEEE Wireless Communications and serving/served onseveral editorial boards of technical journals including the IEEE

Transactions on Communications , the IEEE Transactions on Wireless Communications , the IEEE Wireless Communications Magazine , and theACM Wireless Networks . He was an editor for the IEEE Transactions on Mobile Computing and currently serves on its Steering Committee. Hehas been actively participating in professional conference organizationssuch as serving as theSteering Committee cochair forQShine from 2004to 2008, the Technical Program vice-chair for IEEE INFOCOM ’05,Technical Program Symposium cochair for IEEE Globecom ’04, and amember of Technical Program Committee for IEEE INFOCOM (1998,2000, 2003-2010), and ACM Mobihoc (2008-2009).

. For more information on this or any other computing topic,please visit our Digital Library at www.computer.org/publications/dlib.


Documents

An Identity-Based Security System for