Volume 2022, Issue 1 3372489

Research Article

Open Access

[Retracted] Provable Secure and Lightweight Vehicle Message Broadcasting Authentication Protocol with Privacy Protection for VANETs

Retraction(s) for this article

Qi Xie,

Corresponding Author

Qi Xie

[email protected]

orcid.org/0000-0002-8808-3124

Key Laboratory of Cryptography of Zhejiang Province, Hangzhou Normal University, Hangzhou 311121, China hznu.edu.cn

Search for more papers by this author

Panpan Zheng,

Panpan Zheng

Key Laboratory of Cryptography of Zhejiang Province, Hangzhou Normal University, Hangzhou 311121, China hznu.edu.cn

Search for more papers by this author

Zixuan Ding,

Zixuan Ding

orcid.org/0000-0002-0103-3782

Key Laboratory of Cryptography of Zhejiang Province, Hangzhou Normal University, Hangzhou 311121, China hznu.edu.cn

Search for more papers by this author

Xiao Tan,

Xiao Tan

Key Laboratory of Cryptography of Zhejiang Province, Hangzhou Normal University, Hangzhou 311121, China hznu.edu.cn

Search for more papers by this author

Bin Hu,

Bin Hu

orcid.org/0000-0002-7149-7005

Key Laboratory of Cryptography of Zhejiang Province, Hangzhou Normal University, Hangzhou 311121, China hznu.edu.cn

Search for more papers by this author

Qi Xie,

Corresponding Author

Qi Xie

[email protected]

orcid.org/0000-0002-8808-3124

Key Laboratory of Cryptography of Zhejiang Province, Hangzhou Normal University, Hangzhou 311121, China hznu.edu.cn

Search for more papers by this author

Panpan Zheng,

Panpan Zheng

Key Laboratory of Cryptography of Zhejiang Province, Hangzhou Normal University, Hangzhou 311121, China hznu.edu.cn

Search for more papers by this author

Zixuan Ding,

Zixuan Ding

orcid.org/0000-0002-0103-3782

Key Laboratory of Cryptography of Zhejiang Province, Hangzhou Normal University, Hangzhou 311121, China hznu.edu.cn

Search for more papers by this author

Xiao Tan,

Xiao Tan

Key Laboratory of Cryptography of Zhejiang Province, Hangzhou Normal University, Hangzhou 311121, China hznu.edu.cn

Search for more papers by this author

Bin Hu,

Bin Hu

orcid.org/0000-0002-7149-7005

Key Laboratory of Cryptography of Zhejiang Province, Hangzhou Normal University, Hangzhou 311121, China hznu.edu.cn

Search for more papers by this author

First published: 06 May 2022

https://doi.org/10.1155/2022/3372489

Citations: 7

Academic Editor: Irshad Azeem

Share a link

Email
Wechat
Bluesky

Abstract

With the emergence of intelligent transportation and the widespread use of vehicle network equipment, the vehicle ad hoc network (VANET) is widely used in the communication among participating entities to obtain traffic information, such as speed, traffic congestion, road conditions, and accident. In VANET, the secure and efficient message broadcasting protocol can effectively reduce the message transmission delay, to meet the requirements of openness, real-time, and high-speed mobility in the VANET environment. However, most related researches mainly rely on third parties, such as TA and RSU, to ensure the identity authentication of vehicles and the security of message transmission, which are not suitable for infrastructure-less scenario. Therefore, designing a protocol for decentralized message broadcasting, identity authentication without a third party, and the safe message transmission is meaningful. In this study, we propose a lightweight vehicle message broadcasting authentication protocol, which realizes the identity authentication of the message broadcasting vehicle and vehicle-to-vehicle (V2V) key agreement without the need of a trusted third party. In our protocol, the vehicle can verify the identity of the sending vehicle to identify the reliability of the message source and prevent malicious messages. Meanwhile, the vehicle can update its pseudonym identity to resist tracking attacks, but the trusted authority can always track the real identity of the malicious message sending vehicle according to the sent messages. The proposed protocol is proved secure by formal security proof. In addition, our scheme provides better security and computational efficiency over others by comparing with related schemes.

1. Introduction

With the help of advanced information and communication technology, wireless sensor networks, and Internet of things, the interconnection of all things has gradually become a reality, and the citizens’ lives have been greatly enhanced due to advanced equipment and infrastructure [1]. Specific to the transportation field, the concepts of intelligent transportation and vehicle ad hoc network (VANET) come into being. VANET is considered as a variant of a mobile ad hoc network, which is a mobile device network with continuous self-configuration, wireless connection, and no infrastructure [2]. It uses a hierarchical system structure to systematically monitor, schedule, and manage vehicles in cities, which can bring people a better driving experience and improve traffic safety and efficiency. Several studies have shown that approximately 60% of accidents can be avoided if warning messages from legitimate vehicles are provided a few seconds before the accident [3].

Communication modes in VANETs can be divided into two categories: vehicle-to-vehicle (V2V) communication that vehicles within a certain range can directly communicate with each other and vehicle-to-infrastructure (V2I) communication that information from vehicles should be transmitted to the nearest RSU first, and both employ the dedicated short-range communication (DSRC) protocol [4]. Upon receiving those messages including location, speed, and traffic conditions, vehicles would take reasonable actions immediately such as rerouting and braking to avoid possible traffic emergency. It can effectively solve the traffic management problems caused by the increase in the number of vehicles, realize the update and release of road information, secure real-time communication among the entities in VANET, privacy protection, and so on to enhance the driving experience of users.

Due to the mobility and variability of the vehicle itself and the wireless transmission characteristics, VANET communication has the characteristics of the limited mobile area, rapid change in network topology, frequent network access and interruption, complex communication environment, and security threats. Based on the above features, a large number of authentication schemes based on cryptography have been proposed to improve the security and efficiency of VANET. In 2007, Raya and Hubaux [5] proposed a PKI-based scheme to hide the real identities of users by anonymous certificates. Each vehicle is preloaded with a large number of anonymous public/private key pairs and the corresponding public key certificates to achieve the authentication and integrity of messages, which requires a large storage capacity to save and incur the high cost of message verification. Sun et al. [6] proposed an authentication protocol based on a pseudonym, which allows RSU to distribute certificate services and vehicles to update their certificate on the way. Bayat et al. [7] proposed an authentication scheme, which preloads the list of pseudonym IDs into the registered vehicle and uses them to sign and verify messages.

To protect the trajectory and privacy information of OBU and improve the driving security of users, the concept of conditional privacy protection is put forward by Lu et al. [8], in which vehicles use a pseudonym to authenticate and transmit information in the VANET environment, and TA can obtain the real identity of vehicles and realize the tracking and revocation of malicious vehicles. Then, they proposed a conditional privacy protection protocol based on short-time anonymous certificates to realize the anonymous authentication and identity tracking in VANET. Nevertheless, frequently applying for such certificates from RSU reduces the efficiency. In the scheme based on PKI, the trusted authority needs to store all public key certificates of vehicles, which causes inefficiency for certificate management and is expensive for deployment. Meanwhile, due to the storage of the certificate revocation list (CRL) being linear, its length will increase with the increasing number of malicious vehicles, which will reduce the speed and efficiency of searching malicious vehicles in the CRL and delay the message transmitted on the public channels.

To solve the problem of certificate management, Shamir [9] proposed identity-based cryptography (IBC) in 1984. It takes the user’s telephone number or ID card number as the public key, and then, the public key is directly associated with the user. However, it requires a trusted private key generator (PKG) to generate the corresponding private key for the user, which brings about the problem of key escrow. Zhang et al. [10] proposed an identity-based batch verification (IBV) scheme for VANETs. It was based on bilinear pairing for secure communication from vehicles to RSUs. Multiple received messages were simultaneously verified by the RSUs that the total authentication overhead was significantly reduced and faster compared with the PKI-based systems. Tsai et al. [11] proposed an efficient authentication scheme for distributed mobile cloud computing services that can provide security and convenience for mobile users to access multiple mobile cloud computing services from multiple service providers using only a single private key. However, it suffers from impersonation attacks and man-in-the-middle attacks and does not realize anonymity and mutual authentication. Meanwhile, the bilinear pairing operation has a high computational cost, which is not suitable for the VANET environment. Lin et al. [12] proposed a scheme based on group signature using group signature technology. In this scheme, the vehicle’s OBUs are not required to store a large number of anonymous keys and the TA can efficiently trace the targeted vehicle in the case of disputes. However, in this scheme, the vehicles are required to store the revocation list to avoid the communication with revoked vehicles, and a large amount of computational overhead is increased. Cui et al. [13] proposed a message authentication scheme based on ECC. In this scheme, a few vehicles are selected as edge nodes to support RSU for message authentication, which reduces the computational burden of RSU and improves the efficiency of message authentication. However, as an edge node, vehicles are more threatened by malicious nodes and choosing a reliable vehicle as an edge node is an important challenge. In 2019, Zhang et al. [14] proposed a conditional privacy-preserving authentication scheme based on the Chinese remainder theorem (CRT) for VANETs. In their scheme, they eliminated the requirement for preloading the master key of the system into the tamper-proof device (TPD) of the vehicle to ensure communication security. This scheme ensures that a fingerprint from a corrupted vehicle will not be authenticated. Wei et al. [15] suggested a conditional privacy-preserving authentication scheme based on the elliptic curve discrete logarithm hypothesis and system secret key update algorithm authentication, which can recover messages and resist side-channel attacks by updating system keys. To improve road safety and traffic efficiency, Ying et al. [16] proposed a privacy-preserving broadcast message authentication (PPBMA) scheme, which uses a two-level key hash chain and message authentication code (MAC) functionality to assist in avoiding message losses to authenticate messages, instead of performing asymmetric verification. Chen et al. [17] designed a fully aggregated conditional privacy-preserving certificate aggregate signature scheme for VANETs, which uses the elliptic curve cryptosystem (ECC) and general hash functions instead of using the expensive bilinear pairings and map-to-point hash function operations. To address the issues in the PKI-based authentication scheme, Othman et al. [18] proposed a physically secure privacy-preserving message authentication protocol using the physical unclonable function (PUF) and secret sharing to guarantee security, privacy against passive, active attacks even if the stored information is leaked. To address issues in pseudonym-based and group-based message signing and verifying scheme, Wang and Liu [19] proposed a secure and efficient message authentication protocol, which aims to achieve mutual authentication among vehicles and roadside units (RSUs) in VANETs by combining the advantages of pseudonym-based and group-based methods.

In the existing scheme, if a vehicle receives a message or communication request broadcast by other vehicles without the participation of a trusted third party, it is difficult for the vehicle to verify the reliability of the message and the sender. In addition, if the vehicle receives a malicious message, it is difficult to track the real identity of the sender. Therefore, it is essential to authenticate vehicles and establish a safe and efficient communication environment to realize legal information exchange. Based on the above problems and security requirements in the VANET, we designed an ECC-based message broadcasting authentication and key agreement scheme. In the proposed scheme, when a moving vehicle broadcasts a message to other vehicles or requests to establish communication, other vehicles ensure that the received message is credible by verifying the legitimacy of the vehicle’s identity. Each vehicle can update its temporary identity to prevent tracking attacks. In addition, if the vehicle receives a malicious message, although the sender updates the temporary identity, the registration center can still track the real identity of the vehicle according to the malicious message, which can realize conditional privacy preservation. Our scheme has high practicability and application value. The main contributions of this study are summarized as follows:

(1)
We designed a provable secure ECC-based decentralized vehicle broadcast authentication protocol to realize secure message transmission without the help of third party (e.g., TA or RSU) to authenticate the identity of vehicle and reduce the delay of message transmission.
(2)
In this protocol, except TA, no entity can reveal the real identity of the vehicle and track the vehicle, which can realize the privacy protection of vehicle.
(3)
We prove the security of the proposed protocol through formal security proof, which can not only resist various known attacks but also meet the security requirements.
(4)
By comparing the performance with other related schemes, we show that our scheme provides better security and computational efficiency.

The rest of this study is as follows. In Section 2, we present the system model, the design goals, and the threat model of the proposed protocol. The proposed protocol is introduced in Section 3. The formal security proof in the random oracle model and performance analysis are given in Sections 4 and 5. Finally, the study concludes in Section 6.

2. Preliminaries

In this section, the system model, the design goals, and the threat model of this scheme are introduced.

2.1. System Model

The system model is shown in Figure 1, which contains the trusted authority (TA), roadside units (RSUs), and the vehicles (OBU).

Trusted Authority (TA): TA can generate all system parameters, and all RSUs and vehicles can register onto it. TA is the only entity that can reveal the real identity of a vehicle once a dispute happens.
Roadside Units (RSUs): the RSU is a roadside infrastructure, which is used to forward messages from vehicles to TA.
Vehicles (OBU): each vehicle equips with OBU, which is responsible for information storage, computation, and communication.

Details are in the caption following the image — Open in figure viewer PowerPoint

2.2. Design Goals

We briefly demonstrate the design goals of the proposed protocol for VANET as follows:

(1)
Message Authentication and Integrity: a receiver must be able to verify the authenticity of received messages and prove they are indeed sent by authorized entities without being modified or forged.
(2)
Conditional Privacy Preserving: except TA, no entity (i.e., RSUs, vehicles, and other third participants) can track or extract the real identity of vehicle through messages sent by specific vehicles. The TA can track the vehicle’s real identity by analyzing the messages.
(3)
Physical Protection: to resist physical attacks on vehicles or RSUs, which may enable an adversary to extract the secret information from their memory but cannot launch other attacks such as impersonation attacks.
(4)
Broadcast Authentication: vehicles have the ability to verify the legality of the received messages and the identity of the broadcasting vehicle.
(5)
Resistance Various Known Attacks: the protocol can withstand various known passive and active attacks, such as impersonation, replay, and man-in-the-middle attacks.

2.3. Threat Model

We will use the widely accepted Dolev and Yao model [20] to simulate the insecure communication between nodes and analyze the security of the proposed protocol:

(1)
Attacker A can control the public channel and is considered to have the ability to eavesdrop, modify, delete, and interfere with messages transmitted between entities.
(2)
Vehicles and other entities cannot be trusted, which means that any communication agency or entity can try to disguise itself on behalf of the other party.
(3)
Attacker A can extract and analyze the parameters stored in the vehicle memory.
(4)
All parameters of all entities including TA, such as identity and public key, can be easily accessed by other systems and unauthorized users.
(5)
The private keys of participating entities including TA are secure.

3. The Proposed Scheme

In VANET, it is meaningful to realize a secure message transmission protocol between vehicles, which can effectively reduce the message transmission delay. However, at present, most related researches mainly rely on third parties, such as TA and RSU, to realize the authentication between vehicles.

In this section, we propose a message broadcasting authentication protocol, without the help of third party, which consists of five phases: (1) initialization phase, (2) registration phase, (3) authentication and key agreement phase, (4) tracking phase, and (5) application of different pseudonym identities. In the initialization phase, TA generates its secret and public keys, and all system parameters then publish all public parameters. In the registration phase, a vehicle obtains a signature of its real identity from TA, and the vehicle can convert the signature of real identity into the signature of its pseudonym identity, which can be authenticated by other vehicles, and it establishes the session keys in the authentication and key agreement phase. In case of dispute, other vehicles can send the converted signature with its pseudonym identity to TA directly, or sends them to RSU, and RSU forwards them to TA, and TA has the ability to track the real identity in the tracking phase. For security consideration, any registered vehicle can use different pseudonym identities to be authenticated by other vehicles and broadcast messages in the application of different pseudonym identities. Notations used in the proposed protocol are listed in Table 1.

1. Notations and descriptions.

Notations	Descriptions
TA	Trusted authority
Vehicle_i	The i^th vehicle
ID_vi, BIO_vi	Real identity and biometricinformation of Vehicle_i
PID_vi	Pseudonym identity of Vehicle_i
SK_TA, PK_TA	Private and public key of TA
a_vi1, a_vi2, l, n_vi, n_vj	Random integers
T₁, T₂, T₃	Timestamps
SK_vivj, SK_vjvi	The session key between vehicles
h()	Secure one-way hash functions
∥	Concatenation
⊕	XOR operation
E_SK()/D_SK()	The symmetric encryption/decryption function

3.1. Initialization Phase

The initialization phase is executed offline by the trusted authority (TA). Let G be a cyclic group with prime order q over a finite field F_q, and the point P is its generator. TA selects its own private key and calculates PK_TA = SK_TA · P as its public key. TA selects the symmetric encryption/decryption function E_SK()/D_SK() and a secure one-way hash function h(), where h() is mapped to the 256-bit strings. Finally, TA stores the public key PK_TA and private key SK_TA and publishes the system parameters params = {q, G, P, E_SK(), D_SK(), PK_TA, h()}.

3.2. Registration Phase

In this phase, each vehicle can obtain a signature of its real identity from TA and convert the signature of real identity into the signature of its pseudonym identity, which is described in Figure 2.

(1)
Let ID_vi be the i^th user (Vehicle_i)’s identity, and it wants to register onto the TA, and it sends ID_vi and registration request to TA.
(2)
After receiving {ID_vi, Request} from Vehicle_i, TA selects a random number a_vi1 and computes A_vi1 = a_vi1P and . Then, it stores {ID_vi, a_vi1} in its vehicle’s identity mapping (VIM) table and sends {A_vi1, b_vi} to Vehicle_i.
(3)
After receiving the message {A_vi1, b_vi}, Vehicle_i first verifies the verification of , then inputs its biometric information BIO_vi into the vehicle sensing equipment, computes (α_i, β_i) = Gen(BIO_vi), v_vi1 = h(α_i), and g_vi1 = b_vi ⊕ h(α_i‖ID_vi), and stores {h, P, β_i, v_vi1, g_vi1, ID_vi, A_vi1} in its memory.

3.3. Authentication and Key Agreement Phase

If Vehicle_i wants to broadcast a message to other vehicles, other vehicles should authenticate the identity of Vehicle_i and establish the session keys between Vehicle_i and other vehicles, and the steps are described in Figure 3.

(1)
Firstly, the i^th user inputs its biometric into Vehicle_i sensing equipment, and then, Vehicle_i computes and verifies whether h(α_i) = v_vi1; if it holds, then it continues to compute b_vi = g_vi1 ⊕ h(α_i‖ID_vi); otherwise, it repeats again. Vehicle_i selects a pseudonym identity PID_vi and three random numbers l, a_vi2, and n_vi to calculate E_vi = h(α_i‖T₁) · P, t = h(E_vi‖PID_vi‖T₁)∗h(ID_vi‖A_vi1), j_vi = t∗b_vi + ta_vi2 + n_vi = h(E_vi‖PID_vi‖T₁)∗SK_TA + t∗a_vi1 + l∗a_vi2 + (t − l)∗a_vi2 + n_vi, C_vi = t · A_vi1 + l∗a_vi2 · P, N_vi = ((t − l)∗a_vi2 + n_vi) · P, v_vi2 = h(j_vi‖PID_vi‖C_vi‖N_vi‖E_vi‖T₁), and e_vi = h(C_vi‖N_vi‖PID_vi‖T₁)∗((t − l)∗a_vi2 + n_vi) + h(E_vi‖j_vi‖v_vi2‖T₁)∗h(α_i‖T₁). Finally, Vehicle_i sends {j_vi, PID_vi, T₁, C_vi, N_vi, E_vi, e_vi} to Vehicle_j, where T₁ is the current timestamp.
(2)
After receiving the message {j_vi, PID_vi, T₁, C_vi, N_vi, E_vi, e_vi}, Vehicle_j first verifies the freshness of T₁ and then verifies whether j_vi · P = h(E_vi‖PID_vi‖T₁) · PK_TA + C_vi + N_vi, v_vi2 = h(j_vi‖PID_vi‖C_vi‖N_vi‖E_vi‖T₁), and e_viP = h(C_vi‖N_vi‖PID_vi‖T₁) · N_vi + h(E_vi‖j_vi‖v_vi2‖T₁) · E_vi. If not, it rejects it. Otherwise, Vehicle_j selects a random number n_vj to calculate N_vj = n_vj · P, SK_vjvi = h(n_vjN_vi‖PID_vi‖PID_vj), andv_vj2 = h(SK_vjvi‖T₂‖N_vj‖j_vi‖PID_vi‖PID_vj), where T₂ is the current timestamp. Then, Vehicle_j sends the message {T₂, N_vj, v_vj2, PID_vj} to Vehicle_i.
(3)
After receiving the message {T₂, N_vj, v_vj2, PID_vj}, Vehicle_i first verifies the freshness of T₂, calculates SK_vivj = h(((t − l)∗a_vi2 + n_vi) · N_vj‖PID_vi‖PID_vj), and verifies whether h(SK_vivj‖T₂‖N_vj‖j_vi‖PID_vi‖PID_vj) = ?v_vj2. If not, it rejects it. Otherwise, Vehicle_i shares a session key SK_vivj with Vehicle_j, which can encrypt or decrypt the subsequent messages between Vehicle_i and Vehicle_j.
(4)
If Vehicle_i wants to send the message MSG to Vehicle_j, then Vehicle_i encrypts the message MSG with the session key SK_vivj as , where T₃ is the current timestamp. Then, it sends the message {PID_vi, M₁, T₃} to Vehicle_j.
(5)
After receiving the message {PID_vi, M₁, T₃}, Vehicle_j first verifies the freshness of T₃ and decrypts the message MSG with the corresponding session key SK_vjvi as . Only when the session key is correct, the obtained message is correct, and it is proved that it was transmitted by Vehicle_i.

3.4. Tracking Phase

In our protocol, the vehicles use pseudonyms to realize privacy protection. In case of dispute, Vehicle_j sends {j_vi, E_vi, PID_vi, T₁, C_vi,N_vi} to TA directly, or sends {j_vi, E_vi, PID_vi, T₁, C_vi,N_vi} to RSU, and RSU forwards the message to TA. TA has the ability to track Vehicle_i. TA checks whether (j_vi − h(E_vi‖PID_vi‖T₁)∗SK_TA − h(E_vi‖PID_vi‖T₁)∗h(ID_vi‖a_vi1P)a_vi1)P = C_vi + N_vi − h(E_vi‖PID_vi‖T₁)∗h(ID_vi‖a_vi1P)a_vi1P is correct or not, where {ID_vi, a_vi1} is stored in its VIM table. If the equation is correct, then TA finds that the ID_vi is the identity of Vehicle_i.

3.5. Application of Different Pseudonym Identities

For security consideration, a legal user should be allowed to update the temporary identity, which can realize the unlinkability feature. If Vehicle_i wants to update its temporary identity, it chooses a new pseudonym identity and calculates , , , and . Then, Vehicle_i can send new authentication message, which replaces PID_vi, t, j_vi, C_vi, and N_vi with , t^new, , , and , to be authenticated by other vehicles with the new temporary identity .

4. Security Analysis

In this section, we will present the formal security proof and informal security analysis to show that the proposed scheme is secure against various attacks.

4.1. Formal Security Proof

In this section, we use the formal security proof in the random oracle model to prove the security of the proposed protocol P. The relevant definitions are as follows:

Participants: the participants of the scheme are composed of trusted authority (TA), Vehicle i (V_i), and Vehicle j (V_j). In the ith instance, the participants are denoted as , , and , respectively.
States: the state of the oracle is Accept if it receives a correct request.
Partnering: if the oracles and are in Accept and the session key () has been agreed, the oracle () gets its session identity () and participant identity (). The oracles and can be considered partners if the following conditions are satisfied:
- (1)
  The session key .
- (2)
  The session identity .
- (3)
  The participant identities and .
Queries: to intercept all the messages, the queries are defined to simulate real attacks.
- : all the messages exchanged between and are intercepted by the adversary.
- : A sends a message m to , and if the message is correct, responses A.
- : A can get the agreed session key through this query.
- : it is allowed to be executed at most once. This query generates a random bit r; if r = 1, the real session key is returned, else a random number is returned.
- : it returns the stored information {h, P, β_i, v_vi1, g_vi1, ID_vi, A_vi1} of vehicle.
Freshness: an instance can be regarded as fresh if it satisfies the following conditions: (1) the query Reveal has not been executed and (2) the states of and are Accept.
Semantic Security: after executing , A guesses the generated random bit r. The possibility of success is ; if , the protocol is not secure, where η is sufficiently small.

Theorem 1. the advantage of obtaining the session key in polynomial time by A is as follows:

(1)

where q_HA, q_SE, and q_EX represent the times of executing hash, send, and execute, respectively. l_HA, n, and l_bio are the length of hash, transcripts, and biological key, respectively. The advantage of breaking elliptic curve discrete logarithm problem (ECDLP) by A is

Proof. The games Game_i(0 ≤ i ≤ 4) are defined to simulate the attacks launched by A. Win_i(0 ≤ i ≤ 4) means A guesses the random bit r in the Game_i. The games are defined as follows:

Game₀: this game simulates the real attack first launched by A. According to the definition, we get the following:
(2)
Game₁: this game simulates the eavesdropping attack. A gets all the messages transmitted between and by executing . Then, A executes and guesses whether the return is the session key. However, because of the random number and ECDLP, the attacker cannot calculate the session key from the transmission message. Therefore, we get the following:
(3)
Game₂: this game simulates the collision attack on the transcripts and hash results, and according to the definition of birthday paradox, we have the following:
(4)
Game₃: this game simulates A that executes to obtain the stored information {h, P, β_i, v_vi1, g_vi1, ID_vi, A_vi1}, where v_vi1 = h(α_i) and g_vi1 = b_vi ⊕ h(α_i‖ID_vi). Because of the biological key α_i, the attacker cannot recover any useful information about the user. Therefore, we have the following:
(5)
Game₄: the parameters N_vi2 and N_vj are transmitted publicly, which are used for session key agreement based on ECDLP. This game simulates that A calculates the session according to the transcripts. We have the following:
(6)

The session keys are generated independently and randomly. Hence, the advantage of guessing r is equal to guessing the session key. We have the following:

(7)

Combining the above, we have the following:

(8)

4.2. Informal Security Analysis

In this phase, we use informal security analysis to show that our proposed scheme is secure against various known attacks.

4.2.1. Anonymity and Unlinkability

In the proposed scheme, all parameters in the message {j_vi, PID_vi, T₁, C_vi, N_vi, E_vi, e_vi} transmitted in public channel are different in each session, and PID_vi is pseudonym identity, and only TA can track the real identity of the vehicle, so our scheme achieves anonymity and unlinkability.

4.2.2. Message Modification Attack

Suppose the adversary impersonates Vehicle_i, intercepts and modifies the message {j_vi, PID_vi, T₁, C_vi, N_vi, E_vi, e_vi}, and sends it to Vehicle_j. Even if the message can be authenticated by the Vehicle_j, the adversary cannot know (t − l)∗a_vi2 + n_vi and can also not share a session key SK_vivj with Vehicle_j due to the intractability of the computational Diffie–Hellman (CDH) problem, so the adversary cannot generate a valid ciphertext for fake message MSG′ without knowing the correct SK_vivj.

4.2.3. Broadcast Authentication

In the proposed scheme, only the legitimate user has the correct identity ID_vi and biometric information BIO_vi and can successfully login into the Vehiclei and obtain b_vi and generate {j_vi, PID_vi, T₁, C_vi, N_vi, E_vi, e_vi}, Vehicle_j can be authenticated by according to verify whether j_vi · P = h(E_vi‖PID_vi‖T₁) · PK_TA + C_vi + N_vi is correct or not, and share a session key SK_vjvi = h(n_vjN_vi‖PID_vi‖PID_vj) = h(((t − l)∗a_vi2 + n_vi) · N_vj‖PID_vi‖PID_vj) between Vehicle_i and Vehicle_j. Therefore, our proposed scheme can achieve broadcast authentication.

4.2.4. Conditional Privacy Protection

In our protocol, any one can obtain {j_vi, E_vi, PID_vi, T₁, C_vi,N_vi} from public channel, because these parameters are different in each session, and no one except TA has VIM table stored {ID_vi, a_vi1}, so no one except TA can check whether (j_vi − h(E_vi‖PID_vi‖T₁)∗SK_TA − h(E_vi‖PID_vi‖T₁)∗h(ID_vi‖a_vi1P)a_vi1)P = C_vi + N_vi − h(E_vi‖PID_vi‖T₁)∗h(ID_vi‖a_vi1P)a_vi1P is correct or not. Therefore, our scheme achieves conditional privacy protection.

4.2.5. Impersonation Attack

In the proposed scheme, only the legitimate user has the correct biometric information BIO_vi and can obtain b_vi and generate the valid authentication message {j_vi, PID_vi, T₁, C_vi, N_vi, E_vi, e_vi} and can share session keys with other vehicles. Therefore, our proposed scheme can resist impersonation attack.

4.2.6. Replay Attack

In the proposed scheme, we use timestamps and random numbers to resist replay attack. In each session of our scheme, the freshness of timestamps should be first verified. Meanwhile, the session key is established using the random numbers n_vi and n_vj. Therefore, our scheme can resist replay attacks.

4.2.7. Perfect Forward Security

Perfect forward security means that the leakage of the long-term keys will not lead to the leakage of the past session keys. In the proposed scheme, when the long-term private key in the VANET environment is leaked to the adversary, it cannot help the adversary to reveal the past session keys, because the generation of the session key SK_vjvi = h(n_vjN_vi‖PID_vi‖PID_vj) = h(((t − l)∗a_vi2 + n_vi) · N_vj‖PID_vi‖PID_vj) is based on the nonce n_vi and n_vj. Under the assumption of the CDH problem, no one can compute (t − l)∗a_vi2 + n_vi) · N_vj from (t − l)∗a_vi2 + n_vi) · P and n_vjP. Therefore, our scheme can achieve perfect forward security.

4.2.8. Physical Attack

In the proposed scheme, the data stored in the vehicle are protected by biometric information, which makes the adversary unable to obtain the parameters b_vi, which are needed for identity verification and session key agreement. Therefore, our protocol can resist physical attacks.

5. Performance Analysis

In this section, we will analyze the security properties and computation cost between our protocol and other related existing schemes [11, 21–24] for VANET.

5.1. Security Comparison

Table 2 provides a detailed overview of the security comparison of our scheme with other related schemes. The scheme designed by Wu et al. obtained the pre-shared key psk between LE and AS through the authentication with the law executor, which was used for the next secret key negotiation between vehicles. In their scheme, only registered legal vehicles can obtain the parameter psk. However, this scheme cannot resist the attack of selfish nodes. Assuming that a legitimate vehicle announced the parameter psk, any vehicle in the VANET can negotiate the session key. In the scheme designed by Nandy et al., the choice of pseudonym identity PID_va has no meaning, and the effective anonymity and conditional privacy preservation of vehicles cannot be realized. Assuming that a malicious vehicle is a registered vehicle and can obtain the parameters , he can distribute the parameters to other malicious vehicles instead of VIS, where l is a random number. Through the generated parameters, any vehicle can complete the session key agreement with the surrounding vehicles, and no entity can obtain the real identity of the vehicle. The schemes designed by Meng et al. and Li et al. use the public and private keys generated in the registration phase to realize the session key agreement between vehicles. However, in these schemes, the real identity of the vehicle is transmitted on the public channel, and anonymity, conditional privacy preservation, and unlinkability cannot be realized. Tsai et al.’s scheme suffers from impersonation attack and man-in-the-middle attack and does not realize anonymity and mutual authentication. Therefore, our scheme provides high security properties over others.

2. Security comparison.

Functionality features	Tsai et al. [11]	Wu et al. [21]	Nandy et al. [22]	Meng et al. [23]	Li et al. [24]	Ours
Resist impersonation attack	No	No	No	Yes	Yes	Yes
Resist message modification	Yes	Yes	Yes	Yes	Yes	Yes
Conditional privacy preservation	Yes	No	No	No	No	Yes
Resist replay attack	Yes	Yes	No	Yes	No	Yes
Man-in-the-middle attack	No	Yes	No	Yes	Yes	Yes
Mutual authentication	No	No	Yes	No	Yes	Yes
Unlinkability	Yes	Yes	No	No	No	Yes
Perfect forward security	Yes	Yes	Yes	Yes	Yes	Yes
Resist physical attack	Yes	No	No	No	No	Yes
Anonymity	No	Yes	Yes	No	No	Yes

5.2. Computational Cost Comparison

We have compared the computation cost of our protocol with the related works, and Table 3 portrays the result of the estimation costs for different protocols. Assume that time consumption for one-way hash (T_h), ECC scalar multiplication (T_mul), ECC point addition (T_add), bilinear pairing operation (T_bp), and symmetric-key cryptography (T_s) is 0.021 ms, 2.579 ms, 0.019 ms, 5.611 ms, and 0.013 ms, respectively [25, 26]. Compared with other execution times, the execution time of logical XOR operation is very short, which can be ignored. Although the computation cost of Nandy et al.’s scheme is lower than that of ours, it cannot achieve anonymity, vehicle identity authentication, and conditional privacy preservation. The scheme of Wu et al. only uses hash operation and XOR operations, so the computation cost is lower than other schemes; however, there are some security problems. Therefore, we have seen that our scheme is low computational complexity.

3. Computational cost comparison.

Protocol	Authentication phase (ms)				Communication phase
Protocol	Vehicle_i	RSU	Vehicle_j	Time cost	Communication phase
Tsai et al. [11]	5T_h + 4T_mul + 2T_add + T_bp		3T_h + 2T_mul + 2T_add + 3T_bp	38.162	2T_s
Wu et al. [21]	8T_h	16T_h	8T_h	0.672	16T_h + 2T_mul
Nandy et al. [22]	2T_h + 3T_mul + 2T_add	—	2T_h + 3T_mul + 2T_add	15.634	2T_s
Meng et al. [23]	T_h + 7T_mul + 2T_add	—	T_h + 7T_mul + 2T_add	36.224	2T_s
Li et al. [24]	3T_h + 6T_mul + T_add	—	3T_h + 6T_mul + T_add	31.188	2T_s
Ours	8T_h + 5T_mul + T_add	—	6T_h + 7T_mul + 3T_add	31.318	2T_s

6. Conclusion

In the VANET environment, it is of great significance to realize safe and efficient communication between vehicles. At present, most related researches mainly rely on third parties, such as TA and RSU, to realize the authentication and the safe transmission of messages between vehicles. Therefore, we have designed a provable secure ECC-based decentralized vehicle broadcast authentication protocol to realize direct and secure communication between vehicles without a third party. Vehicles realize identity authentication by obtaining corresponding signatures from TA at the registration phase, to realize security features of anonymity and privacy protection through the reasonable design of signatures. The receiving vehicle can verify the identity of the sender and establish the session key for broadcasting messages. We use formal security proof to prove the security of our protocol. Compared with other related protocols, our scheme provides better security and computational efficiency over others.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This research was supported by the National Natural Science Foundation of China (grant no. U21A20466) and the National Key R&D Program of China (grant no. 2017YFB0802000).

Open Research

Data Availability

All data are included in this article.

References

1 Li X., Liu T., Obaidat M. S., Wu F., Vijayakumar P., and Kumar N., A lightweight privacy-preserving authentication protocol for VANETs, IEEE Systems Journal. (2020) 14, no. 3, 3547–3557, https://doi.org/10.1109/jsyst.2020.2991168.
10.1109/JSYST.2020.2991168
Web of Science® Google Scholar
2 Zhou Y., Liu S., Xiao M., Deng S., and Wang X., An efficient V2I authentication scheme for VANETs, Mobile Information Systems. (2018) 2018, 1–11, https://doi.org/10.1155/2018/4070283, 2-s2.0-85044150700.
10.1155/2018/4070283
Web of Science® Google Scholar
3 Eze E. C., Zhang S., and Liu E., Vehicular ad hoc networks (VANETs): current state, challenges, potentials and way forward, Proceedings of the 2014 20th International Conference on Automation and Computing, September, 2014, Cranfield, UK, IEEE, 176–181, https://doi.org/10.1109/iconac.2014.6935482, 2-s2.0-84912127678.
10.1109/iconac.2014.6935482
Google Scholar
4 Kenney J. B., Dedicated short-range communications (DSRC) standards in the United States, Proceedings of the IEEE. (2011) 99, no. 7, 1162–1182, https://doi.org/10.1109/jproc.2011.2132790, 2-s2.0-79959374774.
10.1109/JPROC.2011.2132790
Web of Science® Google Scholar
5 Raya M. and Hubaux J.-P., Securing vehicular ad hoc networks, Journal of Computer Security. (2007) 15, no. 1, 39–68, https://doi.org/10.3233/jcs-2007-15103, 2-s2.0-33845726678.
10.3233/JCS-2007-15103
Google Scholar
6 Sun Y., Lu R., Lin X., Shen X., and Su J., An efficient pseudonymous authentication scheme with strong privacy preservation for vehicular communications, IEEE Transactions on Vehicular Technology. (2010) 59, no. 7, 3589–3603, https://doi.org/10.1109/tvt.2010.2051468, 2-s2.0-77956735087.
10.1109/TVT.2010.2051468
Web of Science® Google Scholar
7 Bayat M., Barmshoory M., Rahimi M., and Aref M. R., A secure authentication scheme for VANETs with batch verification, Wireless Networks. (2015) 21, no. 5, 1733–1743, https://doi.org/10.1007/s11276-014-0881-0, 2-s2.0-84930872000.
10.1007/s11276-014-0881-0
Web of Science® Google Scholar
8 Lu R., Lin X., Zhu H., Ho P.-H., and Shen X., ECPP: efficient conditional privacy preservation protocol for secure vehicular communications, Proceedings of the IEEE INFOCOM 2008-The 27th Conference on Computer Communications, April, 2008, Phoenix, AZ, USA, IEEE, 1229–1237, https://doi.org/10.1109/infocom.2008.179.
10.1109/infocom.2008.179
Google Scholar
9 Shamir A., Identity-based cryptosystems and signature schemes Workshop on the Theory and Application of Cryptographic Techniques, 1984, Springer, Berlin/Heidelberg, Germany, 47–53.
Google Scholar
10 Zhang C., Lu R., Lin X., Ho P.-H., and Shen X., An efficient identity-based batch verification scheme for vehicular sensor networks, Proceedings of the IEEE INFOCOM 2008-The 27th Conference on Computer Communications, April, 2008, Phoenix, AZ, USA, IEEE, 246–250, https://doi.org/10.1109/infocom.2008.58.
10.1109/infocom.2008.58
Google Scholar
11 Tsai J.-L. and Lo N.-W., A privacy-aware authentication scheme for distributed mobile cloud computing services, IEEE Systems Journal. (2015) 9, no. 3, 805–815, https://doi.org/10.1109/jsyst.2014.2322973, 2-s2.0-85027942960.
10.1109/JSYST.2014.2322973
Web of Science® Google Scholar
12 Xiaodong Lin X., Xiaoting Sun X., Pin-Han Ho P.-H., and Xuemin Shen X., GSIS: a secure and privacy-preserving protocol for vehicular communications, IEEE Transactions on Vehicular Technology. (2007) 56, no. 6, 3442–3456, https://doi.org/10.1109/tvt.2007.906878, 2-s2.0-36749076982.
10.1109/TVT.2007.906878
Web of Science® Google Scholar
13 Cui J., Wei L., Zhang J., Xu Y., and Zhong H., An efficient message-authentication scheme based on edge computing for vehicular ad hoc networks, IEEE Transactions on Intelligent Transportation Systems. (2019) 20, no. 5, 1621–1632, https://doi.org/10.1109/tits.2018.2827460, 2-s2.0-85046996202.
10.1109/TITS.2018.2827460
Web of Science® Google Scholar
14 Zhang J., Cui J., Zhong H., Chen Z., and Liu L., PA-CRT: Chinese remainder theorem based conditional privacy-preserving authentication scheme in vehicular ad-hoc networks, IEEE Transactions on Dependable and Secure Computing. (2021) 18, no. 2, 722–735, https://doi.org/10.1109/tdsc.2019.2904274, 2-s2.0-85062998145.
10.1109/TDSC.2019.2904274
Web of Science® Google Scholar
15 Wei L., Cui J., Xu Y., Cheng J., and Zhong H., Secure and lightweight conditional privacy-preserving authentication for securing traffic emergency messages in VANETs, IEEE Transactions on Information Forensics and Security. (2021) 16, 1681–1695, https://doi.org/10.1109/tifs.2020.3040876.
10.1109/TIFS.2020.3040876
Web of Science® Google Scholar
16 Ying B., Makrakis D., and Mouftah H. T., Privacy preserving broadcast message authentication protocol for VANETs, Journal of Network and Computer Applications. (2013) 36, no. 5, 1352–1364, https://doi.org/10.1016/j.jnca.2012.05.013, 2-s2.0-84883614755.
10.1016/j.jnca.2012.05.013
Web of Science® Google Scholar
17 Chen Y. and Chen J., CPP-CLAS: efficient and conditional privacy-preserving certificateless aggregate signature scheme for VANETs, IEEE Internet of Things Journal. (2021) https://doi.org/10.1109/jiot.2021.3121552.
10.1109/jiot.2021.3121552
Google Scholar
18 Othman W., Fuyou M., Xue K., and Hawbani A., Physically secure lightweight and privacy-preserving message authentication protocol for VANET in smart city, IEEE Transactions on Vehicular Technology. (2021) 70, no. 12, 12902–12917, https://doi.org/10.1109/tvt.2021.3121449.
10.1109/TVT.2021.3121449
Web of Science® Google Scholar
19 Wang P. and Liu Y., SEMA: secure and efficient message authentication protocol for VANETs, IEEE Systems Journal. (2021) 15, no. 1, 846–855, https://doi.org/10.1109/jsyst.2021.3051435.
10.1109/JSYST.2021.3051435
Web of Science® Google Scholar
20 Dolev D. and Yao A., On the security of public key protocols, IEEE Transactions on Information Theory. (1983) 29, no. 2, 198–208, https://doi.org/10.1109/tit.1983.1056650, 2-s2.0-0020720357.
10.1109/TIT.1983.1056650
Web of Science® Google Scholar
21 Wu L., Sun Q., Wang X., Wang J., Yu S., Zou Y., Liu B., and Zhu Z., An efficient privacy-preserving mutual authentication scheme for secure V2V communication in vehicular ad hoc network, IEEE Access. (2019) 7, 55050, https://doi.org/10.1109/access.2019.2911924, 2-s2.0-85066839593.
10.1109/ACCESS.2019.2911924
Web of Science® Google Scholar
22 Nandy T., Idris M. Y. I., Noor R. M., Wahab A. W. A., Bhattacharyya S., Kolandaisamy R., and Yahuza M., A secure, privacy-preserving, and lightweight Authentication scheme for VANETs, IEEE Sensors Journal. (2021) 21, no. 18, 20998, https://doi.org/10.1109/jsen.2021.3097172.
10.1109/JSEN.2021.3097172
Web of Science® Google Scholar
23 Meng L., Xu H., Xiong H., Zhang X., Zhou X., and Han Z., An efficient certificateless authenticated key exchange protocol resistant to ephemeral key leakage attack for V2V communication in IoV, IEEE Transactions on Vehicular Technology. (2021) 70, no. 11, 11736, https://doi.org/10.1109/tvt.2021.3113652.
10.1109/TVT.2021.3113652
Web of Science® Google Scholar
24 Li Q., Hsu C.-F., Raymond Choo K.-K., and He D., A provably secure and lightweight identity-based two-party authenticated key agreement protocol for vehicular ad hoc networks, Security and Communication Networks. (2019) 2019, 13, 7871067, https://doi.org/10.1155/2019/7871067.
10.1155/2019/7871067
Web of Science® Google Scholar
25 Son S., Lee J., Park Y., Park Y., and Das A. K., Design of blockchain-based lightweight V2I handover authentication protocol for VANET, IEEE Transactions on Network Science and Engineering. (2022) https://doi.org/10.1109/tnse.2022.3142287.
10.1109/TNSE.2022.3142287
Web of Science® Google Scholar
26 Umar M., Islam S. H., Mahmood K., Ahmed S., Ghaffar Z., and Saleem M. A., Provable secure identity-based anonymous and privacy-preserving inter-vehicular authentication protocol for VANETS using PUF, IEEE Transactions on Vehicular Technology. (2021) 70, no. 11, 12158, https://doi.org/10.1109/tvt.2021.3118892.
10.1109/TVT.2021.3118892
Web of Science® Google Scholar

Citing Literature

All articles

[Retracted] Provable Secure and Lightweight Vehicle Message Broadcasting Authentication Protocol with Privacy Protection for VANETs

Retraction(s) for this article

Retracted: Provable Secure and Lightweight Vehicle Message Broadcasting Authentication Protocol with Privacy Protection for VANETs

Abstract

1. Introduction

2. Preliminaries

2.1. System Model

2.2. Design Goals

2.3. Threat Model

3. The Proposed Scheme

3.1. Initialization Phase

3.2. Registration Phase

3.3. Authentication and Key Agreement Phase

3.4. Tracking Phase

3.5. Application of Different Pseudonym Identities

4. Security Analysis

4.1. Formal Security Proof

4.2. Informal Security Analysis

4.2.1. Anonymity and Unlinkability

4.2.2. Message Modification Attack

4.2.3. Broadcast Authentication

4.2.4. Conditional Privacy Protection

4.2.5. Impersonation Attack

4.2.6. Replay Attack

4.2.7. Perfect Forward Security

4.2.8. Physical Attack

5. Performance Analysis

5.1. Security Comparison

5.2. Computational Cost Comparison

6. Conclusion

Conflicts of Interest

Acknowledgments

Open Research

Data Availability

References

Citing Literature

Figures

References

Related

Information