LPTM: Lightweight and Privacy-preserving Traffic Monitoring scheme

Abstract

In a traffic monitoring system, the transportation department generates a traffic map that reports the real-time traffic conditions, so as to provide more efficient service to drivers. However, if a vehicle fetches the local traffic conditions that its driver actually cares about from a remote server, this consumes considerable bandwidth and increases the response delay. Generating and broadcasting local traffic conditions through fog computation is a feasible way to reduce communication cost, but most existing fog-based traffic monitoring systems are built on bilinear pairing operations. In this paper, we propose the LPTM scheme based on the Elliptic Curve Cryptosystem (ECC): an optimized Timed Efficient Stream Loss-tolerant Authentication (TESLA) protocol is adopted to achieve efficient and secure communication, and an identity-based signature scheme with partial message recovery (PMR-IBS) is used to shorten the fog node's broadcast message. Detailed security proofs show that the security and privacy requirements are all met, and simulations show better performance in both computation and communication overhead.
Sheng Jiang [1,2] | Hongyuan Cheng [1,2] | Yining Liu [1,2]
[1] School of Computer Science and Information Security, Guilin University of Electronic Technology, Guilin 541004, China
[2] Henan Key Laboratory of Network Cryptography Technology, Zhengzhou 450000, China
Correspondence: Yining Liu, School of Computer Science and Information Security, Guilin University of Electronic Technology, Guilin 541004, China. Email: lyn7311@sina.com
Funding Information: This research was supported by the National Natural Science Foundation of China (62072133); Key projects of Guangxi Natural Science Foundation (2018GXNSFDA281040); Henan Key Laboratory of Network Cryptography Technology (LNCT2021-A11); Innovation Project of Guangxi Graduate Education (YCBZ2022107).
KEYWORDS: Traffic monitoring, Traffic conditions, Communication bandwidth, Communication delay, Fog computation.
1 INTRODUCTION
With the development of intelligent transportation and communication technology, Vehicular Ad-hoc Networks (VANETs) have received more and more attention and have gradually moved from academic research to industrial application. In VANETs, vehicles share driving information, traffic status and other information with other vehicles, which greatly facilitates driving and reduces the accident rate [1,2].
A real-time traffic monitoring system is a practical application of VANETs (Google Maps [3], for example). In this system, the location and speed of a vehicle are collected by the nearby roadside infrastructure and transmitted to the transportation department through the backbone network [4,5]. The transportation department then generates and publishes a traffic map in which different colors mark different traffic conditions, so that drivers can choose their travel routes in advance. A real-time traffic monitoring system usually consists of three entities: Key Generation Center (KGC), Roadside Unit (RSU), and vehicle [6,7]. KGC is responsible for the security of the whole system, and the RSU broadcasts KGC service information to the vehicles in its communication area and receives driving information from them [1]. In this system, a vehicle equipped with an On-Board Unit (OBU) communicates with other vehicles (V2V) and with RSUs (V2I) [8,9,10].
Meanwhile, traffic monitoring systems bring many challenges. First, the correctness of the collected data needs to be ensured. Malicious vehicles may launch tampering, impersonation, replay and other attacks [11]; for example, when a malicious vehicle at an intersection sends data to KGC while impersonating other vehicles, KGC mistakenly concludes that there is a traffic jam on that road section and changes the state of the traffic lights, which lets the malicious vehicle pass immediately. Therefore, the correctness of the collected data must be verified. In addition, privacy is also vital, since the driver's private information (identity, home address, workplace, etc.) should not be disclosed. To solve this problem, on the premise that KGC can reveal the true identity of a malicious vehicle, many schemes [7,12,13] adopt Conditional Privacy-Preserving Authentication (CPPA) to protect the real identity. However, schemes [14,15] only consider protecting the driver's private information during communication, and give no consideration to protecting it while KGC processes the vehicle's driving information [16]. Recently, schemes [17,18] have tried to improve on this weakness, but their computation and communication costs are heavy. Our scheme also pays attention to this problem: especially in a traffic monitoring system, KGC can easily obtain the driver's private information by processing the vehicle's driving information. Therefore, in our scheme, KGC is assumed to be semi-honest, i.e., honest but curious.
Due to the high speed of vehicles, the value of traffic information declines rapidly over time [5], so efficiency is very important. In addition, drivers are more concerned about the traffic conditions nearby and along their planned road. If the vehicle obtains the local traffic conditions from the remote KGC [19], it consumes a heavy bandwidth and increases the communication delay [18]. Recently, fog computation has been applied to VANETs [20,21,22]. Fog computation is a platform through which a large number of heterogeneous and distributed devices communicate and cooperate over the network, which overcomes the lack of location awareness of cloud computation. Fog computation provides localized services by deploying devices at specific locations. For example, when a tourist arrives in a new city and wants to navigate and query the local weather and news, fog computation is better suited to these applications [23,24]. Applying fog computation in the traffic monitoring system to process the driving information not only generates the local traffic condition map quickly [25], but also effectively protects the privacy of the vehicle's planned route. Moreover, identity-based CPPA schemes without bilinear pairings [15,26] are more suitable than identity-based CPPA schemes with bilinear pairings [27] in terms of computation and communication cost.
To guarantee both efficiency and privacy, a Lightweight and Privacy-preserving Traffic Monitoring (LPTM) scheme is proposed, in which the fog node processes local vehicles' information and generates the local traffic conditions. The main contributions include:
(1) We design a low-delay fog-assisted traffic monitoring scheme, in which an optimized TESLA authentication protocol [28] is used to realize rapid verification by the fog node. PMR-IBS [29] is used to reduce the communication overhead, since the fog node only sends part of the original message together with a short signature; the total length of the sent message is thus effectively reduced and communication bandwidth is saved.
(2) To enhance the vehicle's privacy and solve the key escrow problem, KGC only generates partial private keys for vehicles and fog nodes, and the vehicle's driving information is encrypted with a key negotiated between the vehicle and the fog node.
The rest of this paper is organized as follows: related work is introduced in Section 2. In Section 3, the system model and design objectives are described; the preliminaries and our LPTM scheme are presented in Section 4. The security analysis and performance are in Section 5 and Section 6, and finally the paper is concluded in Section 7.
2 RELATED WORK
There are two categories of related work: anonymous communication and traffic service systems.
Anonymous communication. Many schemes have been proposed to realize secure communication and protect vehicle privacy in VANETs. Scheme [30] designs an anonymous certificate communication scheme based on public key infrastructure (PKI), in which many public/private key pairs and the corresponding certificates are pre-loaded into the vehicle's OBU. This scheme has some disadvantages: the vehicle and the certificate authority (CA) bear a heavy storage overhead, and when the CA wants to obtain a vehicle's real identity it has to search all stored certificates. To solve these problems, scheme [15] proposes an identity-based certificateless signature scheme, in which the trusted authority (TA) pre-loads its private key into the vehicle's tamper-proof device (TPD), and the vehicle uses the TA's private key to generate a pseudonym and sign the message, which effectively removes the excessive storage burden. However, this scheme assumes that the TPD is completely reliable, and the TA can view vehicle messages at any time. Recently, scheme [31] proposed an identity-based anonymous communication scheme in which KGC assigns a partial private key to the user and the user then generates the full private key, which reduces the trust placed in KGC and strengthens the user's privacy.
Traffic service system. Many traffic service schemes have been proposed to ensure the driver's safety and improve the driving experience. In scheme [14], the vehicle submits its driving route to the TA before traveling, and the TA enables rapid authentication between the vehicle and the RSUs by assigning keys to the vehicle and to the RSUs it will pass. Although this improves the efficiency with which RSUs serve vehicles, it makes it easy for the TA to learn the vehicle's private route. Later, in scheme [17], the CA uses homomorphic encryption to send RSU keys to the vehicle, so that the vehicle obtains the required RSU key from the CA without disclosing its driving route, which again realizes rapid authentication with the RSU. However, the vehicle bears a large computation and storage burden to obtain the RSU key. Scheme [32] proposes a cloud-based privacy-preserving traffic monitoring system in which the cloud server classifies the traffic reports submitted by different vehicles to obtain the real-time traffic status; because the cloud server operates on ciphertext from the vehicles, it effectively protects vehicle privacy. Scheme [18] proposes a fog-assisted traffic monitoring scheme in which the RSU (fog node) uses range query technology to obtain driving information without leaking privacy. A comparison of the security features is shown in Table 1.
TABLE 1 Security features comparison
Feature   LVAP [14]   PLVA [17]   PAM [18]   RCoM [32]   LPTM
E1        YES         YES         YES        YES         YES
E2        NO          YES         YES        YES         YES
E3        YES         NO          NO         NO          YES
E4        YES         YES         YES        NO          YES
E1: Message authentication.
E2: Strong privacy protection.
E3: Low computation and communication overhead.
E4: Conditional tracking.
3 PROBLEM STATEMENT
In this section, we illustrate the system model, security and privacy requirements.
3.1 System Model
The system model of the proposed scheme consists of three entities, KGC, RSUs and vehicles, as shown in Figure 1. The details and assumptions of these network entities are as follows:
KGC: KGC is assumed to be a trusted-but-curious entity with sufficient computing and storage power. KGC is responsible for generating the parameters of the whole system and for generating and publishing the real-time traffic map. KGC also handles RSU and vehicle registration, generating partial private keys and information parameters for RSUs and partial private keys and pseudonyms for vehicles, and tracks the real identity of malicious vehicles.
RSUs: RSUs are deployed along the roadside and act as fog nodes; an RSU rece
ives and processes real-time beacons from vehicles and broadcasts the local traffic conditions. An RSU may be compromised by adversaries.
Vehicle: Each vehicle is equipped with an OBU, which provides V2I and V2V communication. The OBU has limited computing and storage capacity and uses a tamper-proof device (TPD) to keep important information such as the vehicle's pseudonyms and private keys.
Fig. 1. The system model of LPTM scheme (figure: vehicles equipped with OBUs report location, speed, etc. to the RSU over IEEE 802.11p; the RSU uploads the local traffic conditions to KGC over a wired connection and broadcasts the local traffic conditions to vehicles; KGC generates and publishes a traffic map)
3.2 Security and Privacy Requirements
The security and privacy requirements include the integrity, traceability, non-repudiation, route privacy and resistance to various
attacks.
Integrity. The receiver needs to verify each received message to determine whether the message has been modified or forged.
Traceability. Although the vehicle uses a pseudonym, KGC can track the real identity through the pseudonym in case of
traffic accidents and disputes.
Non-repudiation. In the event of a security incident or dispute, KGC traces the true identity of the sender of the message,
and the sender cannot deny sending the message.
Route privacy. The RSU processes the driving information of the vehicles within its communication range, and that driving information should remain confidential to other RSUs, other vehicles and KGC.
Resistance to various attacks. The attacks that the system needs to resist include impersonation attacks, replay attacks,
man-in-the-middle attack, and so on.
4 OUR LPTM
In this paper, a Lightweight and Privacy-preserving Traffic Monitoring (LPTM) scheme is proposed; its framework is shown in Figure 2. LPTM achieves the following advantages:
(1) The TESLA authentication protocol is used between the RSU and the vehicle to reduce communication delay.
(2) Merkle Mountain Ranges are used to reduce the communication burden of the TESLA authentication protocol.
(3) PMR-IBS is used to reduce the communication burden of RSUs broadcasting and uploading the local traffic conditions map.
4.1 Preliminaries
In this subsection, we introduce the necessary background: the TESLA authentication protocol, Merkle Mountain Ranges and the PMR-IBS signature.
Fig. 2. The framework of LPTM scheme (flowchart: Begin → System Setup → Vehicles and RSUs Registration → The vehicle uses the TESLA protocol to authenticate with the RSU and sends driving messages to the RSU periodically → The RSU builds the local traffic conditions map from the driving reports of different vehicles → The RSU broadcasts and uploads the local traffic conditions map → End)
4.1.1 TESLA Authentication Protocol
The TESLA authentication protocol [33] is an efficient broadcast authentication protocol based on symmetric cryptography. The sender first selects a random number $K_n$ and uses a one-way hash function $H$ to generate a hash chain, $K_{u-1} = H(K_u)$ for all $u \in \{1, 2, \ldots, n\}$. Then the sender divides the timeline into time intervals, denoted $I_0, I_1, \ldots, I_{u-1}, \ldots, I_{n-1}, I_n$, and each time interval $I_{u-1}$ corresponds to $K_{u-1}$. Moreover, the sender uses a second hash function $H'$ to derive the key $K'_{u-1} = H'(K_{u-1})$, which is used to compute the message authentication code, as shown in Figure 3.
Fig. 3. Keychain generation (figure: along the time axis, intervals $I_0, I_1, \ldots, I_{u-1}, \ldots, I_{n-1}$; chain keys $K_0 \leftarrow K_1 \leftarrow \cdots \leftarrow K_{u-1} \leftarrow \cdots \leftarrow K_{n-1} \leftarrow K_n$ derived by $K_{u-1} = H(K_u)$; MAC keys $K'_0, K'_1, \ldots, K'_{u-1}, \ldots, K'_{n-1}, K'_n$ derived by $K'_u = H'(K_u)$)
In the time interval $I_{u-1}$, the sender uses the key $K'_{u-1}$ to generate a Message Authentication Code (MAC) for the message, and $K_{u-1}$ remains secret for $d$ ($d \geq 1$) further time intervals. Therefore, to authenticate a message sent at $I_{u-1}$, the receiver has to wait $d$ time intervals to obtain $K_{u-1}$, after which it derives $K'_{u-1}$, recomputes the MAC and verifies the message received at $I_{u-1}$.
Although TESLA is efficient, it supports neither instant authentication nor non-repudiation of messages. We predict the messages to be sent in the subsequent time interval, build a Merkle tree over them, and place its root in the current message to realize instant authentication [28]. To support non-repudiation, we sign $K_0$ with a public key digital signature.
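The delayed-disclosure mechanism described above, as an added example that is not part of the paper: a sender walks the hash chain and MACs each interval's message under $K'_u = H'(K_u)$, while the receiver, holding only the authentic $K_0$, buffers packets, drops any packet that arrives after its key could already be public, checks that every disclosed key hashes back to the last key it trusts, and only then verifies the buffered packets, including those of intervals whose own key disclosure was lost. SHA-256 with two different prefixes stands in for $H$ and $H'$; the disclosure delay $d$, the chain length, the interval clock and the message bytes are constructed sample values, and the Sender/Receiver structure is this example's, not the paper's.

```python
import hashlib
import hmac
import os

def H(x: bytes) -> bytes:
    """One-way function walking the chain downward, K_{u-1} = H(K_u) (constructed: SHA-256, prefix 'chain')."""
    return hashlib.sha256(b"chain" + x).digest()

def H_prime(x: bytes) -> bytes:
    """Second hash H' deriving the MAC key K'_u = H'(K_u) (constructed: SHA-256, prefix 'mac')."""
    return hashlib.sha256(b"mac" + x).digest()

def make_chain(n: int, K_n: bytes) -> list:
    """Return [K_0, ..., K_n]; K_0 is the commitment the receiver must obtain authentically (e.g. signed)."""
    keys = [None] * (n + 1)
    keys[n] = K_n
    for u in range(n, 0, -1):
        keys[u - 1] = H(keys[u])
    return keys

def sender_packet(keys, u: int, msg: bytes, d: int):
    """Packet for interval I_u: MAC under K'_u, plus disclosure of K_{u-d} once d intervals have elapsed."""
    mac = hmac.new(H_prime(keys[u]), msg, hashlib.sha256).digest()
    return (u, msg, mac, keys[u - d] if u >= d else None)

class Receiver:
    def __init__(self, K_0: bytes, d: int):
        self.last_u, self.last_key, self.d = 0, K_0, d  # latest authenticated chain key and its index
        self.pending = {}        # interval -> [(msg, mac)] waiting for their key
        self.authenticated = []  # (interval, msg) pairs that passed the MAC check

    def receive(self, now: int, u: int, msg: bytes, mac: bytes, disclosed):
        # Safety condition: a packet of I_u is only usable while K_u is still secret, i.e. before I_{u+d}.
        if now >= u + self.d:
            return "late"
        v = u - self.d
        if disclosed is not None and v > self.last_u:
            # Hash the disclosed key down to the last trusted one; the intermediate keys cover lost intervals.
            k, derived = disclosed, {}
            for w in range(v, self.last_u, -1):
                derived[w] = k
                k = H(k)
            if k != self.last_key:
                return "bad key"
            self.last_u, self.last_key = v, disclosed
            for w in sorted(derived):  # verify every buffered packet whose key is now known
                for m, t in self.pending.pop(w, []):
                    if hmac.compare_digest(hmac.new(H_prime(derived[w]), m, hashlib.sha256).digest(), t):
                        self.authenticated.append((w, m))
            self.pending.setdefault(u, []).append((msg, mac))
            return "key accepted"
        self.pending.setdefault(u, []).append((msg, mac))
        return "buffered"

def run_demo():
    """Constructed scenario with d = 2: a late replay, a lost packet, a forged MAC and a bogus key."""
    keys = make_chain(7, os.urandom(32))
    d, rx, verdicts = 2, Receiver(keys[0], d=2), []
    pkt = {u: sender_packet(keys, u, f"msg{u}".encode(), d) for u in range(1, 7)}
    verdicts.append(rx.receive(1, *pkt[1]))   # K_1 not yet disclosed: buffered
    verdicts.append(rx.receive(2, *pkt[2]))   # discloses K_0, which is already trusted: buffered
    verdicts.append(rx.receive(3, *pkt[1]))   # replay of the I_1 packet at I_3: K_1 may be public, dropped
    verdicts.append(rx.receive(4, *pkt[4]))   # discloses K_2: msg1 and msg2 verified (pkt[3] is lost on the air)
    verdicts.append(rx.receive(4, 4, b"forged", b"\x00" * 32, keys[2]))  # bogus MAC, waits beside msg4
    verdicts.append(rx.receive(5, *pkt[5]))   # discloses K_3, which chains to K_2; nothing pending for I_3
    verdicts.append(rx.receive(6, *pkt[6]))   # discloses K_4: msg4 verified, the forged packet is discarded
    verdicts.append(rx.receive(7, 7, b"x", b"\x00" * 32, os.urandom(32)))  # key does not chain to K_4
    return verdicts, rx.authenticated
```

The `late` check is what makes the scheme safe: once $K_u$ may have been disclosed, anyone could have produced a valid MAC for $I_u$, so the receiver must rely on loosely synchronised clocks and discard such packets rather than buffer them.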
4.1.2 Merkle Mountain Ranges
A Merkle Mountain Range (MMR) is a variant of the Merkle tree [34,35]. When the number of leaf nodes $z$ is not a power of two, i.e. $z \neq 2^i$ ($i \geq 0$), an MMR takes less storage space than a traditional Merkle tree and shortens the Merkle proof for part of the leaf nodes. Unlike a Merkle tree, if the leaf nodes do not fit into one perfect binary tree, more than one tree (peak) exists; these peaks are then merged into a single root, which is called bagging the peaks.
An MMR is constructed by inserting leaf nodes one at a time. After each insertion, the height of the subtree containing the new leaf is compared with that of the previous subtree; if they are equal, the two subtrees are merged. The construction of an MMR with 5 leaf nodes is shown in Figure 4.
Fig. 4. Construction of MMR with $z = 5$ leaf nodes (figure: Steps 1 to 5 show Nodes 1 to 9 being inserted and merged as the leaves are added one at a time)
4.1.3 PMR-IBS Signature
PMR-IBS [29] is a pairing-free ID-based signature scheme with partial message recovery, which consists of four steps:
Setup. Assume that the public key of KGC is $PK_{KGC}$ and the private key is $s$. KGC selects two secure hash functions $\mathcal{H}_1: \{0,1\}^* \to \{0,1\}^{k_1}$ and $\mathcal{H}_2: \{0,1\}^{k_1} \to \{0,1\}^{k_2}$, where $|p| = k_1 + k_2$ and $p$ is a prime;
Extract. KGC selects a random number $r$, computes $R = rP$, and generates the private key $(R, \alpha)$ for the user with identity $ID$, where $\alpha = r + s H(ID \| R) \bmod p$;
Sign. The sender selects a random number $d$, computes $D = dP$, and divides the message $m$ into two parts, $m = (m_1, m_2)$ with $m_2 \in \{0,1\}^{k_2}$. Then the sender computes $m' = \mathcal{H}_1(m_1) \| (\mathcal{H}_2(\mathcal{H}_1(m_1)) \oplus m_2)$ and $\psi = (D)_x \oplus m'$, where $(D)_x$ denotes the $x$ coordinate of $D$. Finally, the sender computes $\delta = d + \alpha H(m_1 \| ID \| R \| \psi) \bmod p$ and sends $(m_1, ID, R, \psi, \delta)$.
Verify. The receiver computes $m' = \psi \oplus \big(\delta P - (R + H(ID \| R) PK_{KGC}) \, H(m_1 \| ID \| R \| \psi)\big)_x$ and recovers the message $m = m_1 \| \big(\mathcal{H}_2([m']_{k_1}) \oplus [m']^{k_2}\big)$, where $[m']_{k_1}$ denotes the first $k_1$ bits of $m'$ and $[m']^{k_2}$ the last $k_2$ bits. To check the message, the receiver verifies whether $\mathcal{H}_1(m_1) = [m']_{k_1}$ holds.
4.2 LPTM Protocol
Our LPTM scheme consists of six stages: the system initialization phase, the registration phase, the beacon generation phase,
the beacon verification phase, the local traffic conditions broadcast and upload, and the traffic conditions message recovery and
verification.
4.2.1 System Initialization Phase
For the security of the whole system, KGC performs the following steps:
1) KGC selects a prime number $q$ and generates an elliptic curve $E$ over the finite field $F_q$. KGC selects points on $E$ to form an additive group $G$ of prime order $p$, with generator $P \in G$ of order $p$;
2) KGC chooses a random number $s \in Z_p^*$ as its private key and computes the public key $PK_{KGC} = sP$;
3) KGC selects six secure hash functions: $H_1: G \to Z_p^*$, $H_2: \{0,1\}^* \to Z_p^*$, $H_3: G \times G \times \{0,1\}^* \to Z_p^*$, $H_4: \{0,1\}^* \to \{0,1\}^{k_1}$, $H_5: \{0,1\}^{k_1} \to \{0,1\}^{k_2}$ and $H: Z_p^* \to Z_p^*$, where $|p| = k_1 + k_2$ and $|p|$ denotes the bit length of $p$;
4) Finally, KGC keeps the private key $s$ secret and publishes the system parameters $\{G, P, PK_{KGC}, H_{1 \sim 5}, H, k_1, k_2\}$.
4.2.2 Registration Phase
RSU registration: KGC generates a partial private key for each RSU, and the RSU then derives its complete private key itself.
1) RSU selects a random number $\theta_j \in Z_p^*$ and computes $R_j = \theta_j P$;
2) RSU sends its real identity $ID_{rsu_j}$ and $R_j$ to KGC. After verifying the validity of $ID_{rsu_j}$, KGC selects a random number $w_j \in Z_p^*$, computes the public key $PK_{rsu_j} = w_j P + R_j$ for the RSU, and generates the information parameter $info_{rsu_j} = \{PK_{rsu_j}, ID_{rsu_j}, T_j\}$ for the RSU, where $T_j$ is the validity period;
3) KGC computes the partial private key $\tau_j = w_j + s H_2(info_{rsu_j})$ and $\tau'_j = \tau_j \oplus H_1(s R_j)$ for the RSU, then sends $(info_{rsu_j}, \tau'_j)$ to the fog node through a secure channel;
4) RSU computes $\tau_j = \tau'_j \oplus H_1(\theta_j PK_{KGC})$; the correctness of $\tau_j$ can be verified by $\tau_j P = PK_{rsu_j} - R_j + H_2(info_{rsu_j}) PK_{KGC}$. RSU then generates its private key $\alpha_j = \theta_j + \tau_j$ and stores $(info_{rsu_j}, \alpha_j)$.
Vehicle registration: Similarly to RSU registration, KGC performs the following steps to register a vehicle, generating partial private keys and pseudonyms for it. The scheme assumes that the TPD obtains a batch of pseudonyms and private keys in the same way to protect the vehicle's privacy. Before these pseudonyms expire, the vehicle communicates with KGC to update its pseudonyms and private keys.
1) TPD selects a random number $\theta_i \in Z_p^*$, computes $R_i = \theta_i P$, and sends $R_i$ and the identity $ID_{v_i}$ to KGC;
2) KGC verifies the vehicle's identity, selects a random number $w_i \in Z_p^*$, and computes the pseudonym parts $AID_{i,1} = w_i P + R_i$ and $AID_{i,2} = ID_{v_i} \oplus H_1(s AID_{i,1})$. KGC then forms the complete pseudonym $AID_i = \{AID_{i,1}, AID_{i,2}, T_i\}$ for the vehicle, where $T_i$ is the validity period;
3) KGC computes the partial private key $\tau_i = w_i + s H_2(AID_i)$ and $\tau'_i = \tau_i \oplus H_1(s R_i)$ for the vehicle, and sends $(AID_i, \tau'_i)$ to the vehicle through a secure channel;
4) The vehicle computes $\tau_i = \tau'_i \oplus H_1(\theta_i PK_{KGC})$, verifies its correctness, generates the private key $\alpha_i = \theta_i + \tau_i$, and stores $(AID_i, \alpha_i)$.
4.2.3 Beacon Generation Phase
Before entering the communication range of a new RSU, the vehicle first selects a random number $K_n$ and uses the one-way hash function to generate a hash chain $K_{u-1} = H_2(K_u)$ for all $u \in \{1, 2, \ldots, n\}$. The vehicle also divides the timeline into the corresponding time intervals $I_0, I_1, \ldots, I_{u-1}, \ldots, I_{n-1}, I_n$.
When the vehicle sends its first beacon to the RSU at $I_0$, it takes the current position $P_0$ as the origin and constructs a pair of orthogonal unit vectors $\vec{x}$ and $\vec{y}$. The movement of the vehicle between two consecutive intervals $I_{u-1}$ and $I_u$ can then be expressed as $\vec{M}_u = \vec{P}_u - \vec{P}_{u-1} = (x_u - x_{u-1})\vec{x} + (y_u - y_{u-1})\vec{y}$. In addition, before constructing each beacon, the vehicle predicts all possible positions $P_{uz}$ in the next time interval from the current position $P_{u-1}$, where $z$ indexes the predicted positions. The vehicle then computes $\vec{M}_{uz} = \vec{P}_{uz} - \vec{P}_{u-1}$ for each predicted position and outputs a prediction table $PT_u$. As shown in Figure 5 and Table 2, $PT_1$ is computed by the vehicle at $I_0$.
Fig. 5. At $I_0$, the vehicle predicts its possible positions at $I_1$ (figure: $X$ and $Y$ axes with origin $P_0$ and the five predicted positions $P_{11}$ to $P_{15}$)
TABLE 2 The prediction table $PT_1$
Predicted position      Result
$P_{11} = (0, 1)$       $\vec{M}_{11} = (0, 1)$
$P_{12} = (1, 1)$       $\vec{M}_{12} = (1, 1)$
$P_{13} = (1, 0)$       $\vec{M}_{13} = (1, 0)$
$P_{14} = (1, -1)$      $\vec{M}_{14} = (1, -1)$
$P_{15} = (0, -1)$      $\vec{M}_{15} = (0, -1)$
Since TESLA does not support non-repudiation, the vehicle signs its first beacon with a public key digital signature. When entering the communication range of an RSU, the vehicle first obtains the information parameters $info_{rsu_j}$ from the message $M_j$ broadcast by the RSU, then selects a random number $b_i \in Z_p^*$ and computes $B_{i,1} = b_i P$ and $B_{i,2} = b_i PK_{rsu_j}$. To protect location privacy, the vehicle uses $key_i = H_1(B_{i,2})$ to encrypt the location information in the beacons it sends. In the time interval $I_0$, the vehicle predicts the positions it is likely to reach in the next interval $I_1$ and constructs $PT_1$. Then a hash $L_{1z} = H_2(I_1 \| t_1 \| \vec{M}_{1z} \| rand_{1z})$ is computed for each prediction result, where $t_1$ is the timestamp of the beacon to be sent at $I_1$ and $rand_{1z}$ is a random number selected by the vehicle for each prediction result to prevent tampering with the message. The vehicle builds an MMR from the $L_{1z}$ and computes $root_1$, as shown in Figure 6. It then chooses a random number $c_i \in Z_p^*$ and computes $C_i = c_i P$, $m'_0 = key_i \oplus m_0$, $\beta_i = H_3(B_{i,1} \| C_i \| AID_i \| m'_0 \| I_0 \| t_0)$ and the signature $\delta_i = c_i + \alpha_i \beta_i$, where $m_0 = (P_0, \vec{x}, \vec{y}, HMAC_{K_0}(root_1), K_0)$. Finally, at $I_0$ the vehicle sends the first beacon $beacon_0 = (B_{i,1}, C_i, AID_i, m'_0, I_0, t_0, \delta_i)$.
Fig. 6. The vehicle computes $L_{1z}$ and builds the MMR (figure: leaves $L_{1z} = H_2(I_1 \| t_1 \| \vec{M}_{1z} \| rand_{1z})$ for $z = 1, \ldots, 5$; internal nodes $h_{12}$, $h_{34}$ and $h_{1234}$; $root_1$ formed by bagging $h_{1234}$ with $L_{15}$)
At time interval $I_1$, the vehicle computes $PT_2$ and $root_2$, generates the Merkle proof $proof_1$ for the position information in $beacon_1$, encrypts the position information as $m'_1 = key_i \oplus m_1$, where $m_1 = (P_1, rand_{1z}, proof_1, HMAC_{K_1}(root_2))$, and sends $beacon_1 = (m'_1, I_1, t_1, K_0)$ to the RSU.
For each $I_{u-1}$ after $I_1$, the vehicle computes $PT_u$ and $HMAC_{K_{u-1}}(root_u)$ before sending $beacon_{u-1}$, encrypts $m_{u-1}$ with $key_i$, and sends $beacon_{u-1} = (m'_{u-1}, I_{u-1}, t_{u-1}, K_{u-2})$ to the RSU. Figure 7 shows the beacons sent by the vehicle during the first three time intervals.
Fig. 7. Beacons sent by the vehicle at $I_0 \sim I_2$ (figure, Vehicle → RSU):
$I_0$: $beacon_0 = (B_{i,1}, C_i, AID_i, m'_0, I_0, t_0, \delta_i)$, $m'_0 = key_i \oplus (P_0, \vec{x}, \vec{y}, HMAC_{K_0}(root_1), K_0)$;
$I_1$: $beacon_1 = (m'_1, I_1, t_1, K_0)$, $m'_1 = key_i \oplus (P_1, rand_{11}, proof_1, HMAC_{K_1}(root_2))$, $proof_1 = (L_{12}, h_{34}, L_{15})$;
$I_2$: $beacon_2 = (m'_2, I_2, t_2, K_1)$, $m'_2 = key_i \oplus (P_2, rand_{25}, proof_2, HMAC_{K_2}(root_3))$, $proof_2 = (h_{1234})$.
4.2.4 Beacon Verification Phase
After the RSU receives $beacon_0$, it first checks the timestamp $t_0$ and the validity of the pseudonym, then computes $\beta'_i = H_3(B_{i,1} \| C_i \| AID_i \| m'_0 \| I_0 \| t_0)$ and verifies that $\delta_i P = C_i + (AID_{i,1} + H_2(AID_i) PK_{KGC}) \beta'_i$ holds. For $beacon_0$ messages received from multiple vehicles at the same time, the RSU can carry out batch authentication to improve efficiency. If $beacon_0$ verifies, the RSU computes $B_{i,2} = \alpha_j B_{i,1}$ and $m_0 = m'_0 \oplus H_1(B_{i,2})$, and stores $\{AID_i, P_0, HMAC_{K_0}(root_1), \vec{x}, \vec{y}, key_i, K_0\}$. The verification equation holds because
$$\delta_i P = c_i P + \alpha_i \beta_i P = C_i + (\theta_i + \tau_i)\beta_i P = C_i + (\theta_i + w_i + s H_2(AID_i))\beta_i P = C_i + (AID_{i,1} + H_2(AID_i) PK_{KGC})\beta_i. \qquad (1)$$
After receiving $beacon_1$, the RSU first checks the timestamp $t_1$ and looks up whether $K_0$ exists. On a successful lookup, the RSU decrypts $m_1$ with the corresponding $key_i$ and computes $L_{1z} = H_2(I_1 \| t_1 \| \vec{M}_{1z} \| rand_{1z})$. Using the received $proof_1$, the stored $K_0$ and $HMAC_{K_0}(root_1)$, the RSU verifies the correctness of the message in $beacon_1$. Finally, the RSU replaces $HMAC_{K_0}(root_1)$ with $HMAC_{K_1}(root_2)$ and updates $P_0$ to $P_1$.
For each later $beacon_{u-1}$, the RSU checks the timestamp, computes $H_2(K_{u-2})$ and looks up whether it exists, decrypts the beacon message with $key_i$, computes $L_{(u-1)z}$, and uses $proof_{u-1}$, $K_{u-2}$ and the stored $HMAC_{K_{u-2}}(root_{u-1})$ to verify the message. Finally, the RSU updates the stored state with the $P_{u-1}$, $HMAC_{K_{u-1}}(root_u)$ and $K_{u-2}$ from the received $beacon_{u-1}$.
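The MMR construction of Section 4.1.2 and the beacon exchange of Sections 4.2.3 and 4.2.4, as an added example that is not the paper's code: the vehicle commits the prediction table of the next interval as an MMR root, MACs that root under the chain key it will disclose one beacon later, and opens one leaf with its Merkle proof; the RSU locates the stored state through the disclosed key, re-derives $L_{uz}$ from the position difference, climbs the proof and compares the MAC. The $\vec{x}, \vec{y}$ vectors, the $key_i$ encryption, the pseudonym and the ECC signature of $beacon_0$ are left out; the HMAC is keyed directly with $K_{u-1}$ as Section 4.2.4 writes it (without the $H'$ derivation of Section 4.1.1); SHA-256 stands in for $H_2$; the proof format (sibling hash plus a left/right flag), the five displacements of Table 2 and the sample positions and timestamps are constructed for this example.

```python
import hashlib
import hmac
import os

def H(*parts: bytes) -> bytes:
    """H2 of the paper, instantiated with SHA-256 over the '||'-joined inputs (constructed choice)."""
    return hashlib.sha256(b"||".join(parts)).digest()

def mmr(leaves):
    """MMR of Section 4.1.2: insert leaves, merge equal-height peaks, bag the peaks.
    Returns (root, proofs); proofs[i] is leaf i's path as a list of (sibling_hash, sibling_is_left)."""
    peaks = []  # each peak: (leaf_count, hash, proofs of its leaves built so far)
    for lf in leaves:
        peaks.append((1, lf, [[]]))
        while len(peaks) >= 2 and peaks[-1][0] == peaks[-2][0]:  # same height: merge the two peaks
            n, rh, rp = peaks.pop()
            _, lh, lp = peaks.pop()
            peaks.append((2 * n, H(lh, rh), [pr + [(rh, False)] for pr in lp] + [pr + [(lh, True)] for pr in rp]))
    _, acc, proofs = peaks.pop()  # bagging: fold the peaks from right to left into one root
    while peaks:
        _, lh, lp = peaks.pop()
        proofs = [pr + [(acc, False)] for pr in lp] + [pr + [(lh, True)] for pr in proofs]
        acc = H(lh, acc)
    return acc, proofs

def climb(lf, proof):
    """Receiver side of a Merkle proof: recompute the root from a leaf and its sibling path."""
    for sib, sib_is_left in proof:
        lf = H(sib, lf) if sib_is_left else H(lf, sib)
    return lf

def key_chain(n, seed):
    """Chain of Section 4.2.3: K_n = seed, K_{u-1} = H2(K_u); K_0 is the anchor sent in beacon_0."""
    keys = [None] * (n + 1)
    keys[n] = seed
    for u in range(n, 0, -1):
        keys[u - 1] = H(keys[u])
    return keys

MOVES = [(0, 1), (1, 1), (1, 0), (1, -1), (0, -1)]  # the five displacements M_uz of Table 2

def leaf(interval, ts, move, rand):
    """L_uz = H2(I_u || t_u || M_uz || rand_uz)."""
    return H(str(interval).encode(), str(ts).encode(), f"{move[0]},{move[1]}".encode(), rand)

class Vehicle:
    def __init__(self, n, start):
        self.K = key_chain(n, os.urandom(32))  # constructed secret K_n
        self.pos, self.u = start, 0
    def _commit(self, t_next):
        """Build PT_{u+1}, commit it as root_{u+1}, MAC the root under K_u (disclosed only in beacon_{u+1})."""
        self.rands = [os.urandom(16) for _ in MOVES]
        root, self.proofs = mmr([leaf(self.u + 1, t_next, mv, r) for mv, r in zip(MOVES, self.rands)])
        return hmac.new(self.K[self.u], root, hashlib.sha256).digest()
    def beacon0(self, t0, t1):
        # pseudonym, ECC signature and key_i encryption of beacon_0 are left out here (see lead-in)
        return {"I": 0, "t": t0, "P": self.pos, "mac": self._commit(t1), "K": self.K[0]}
    def beacon(self, z, t_now, t_next):
        """Move to predicted position z, open L_uz with its proof, commit PT_{u+1}, disclose K_{u-1}."""
        self.u += 1
        self.pos = (self.pos[0] + MOVES[z][0], self.pos[1] + MOVES[z][1])
        opened = (self.pos, self.rands[z], self.proofs[z])
        return {"I": self.u, "t": t_now, "m": opened, "mac": self._commit(t_next), "K": self.K[self.u - 1]}

class RSU:
    def __init__(self):
        self.table = {}  # per-vehicle state, indexed by the last disclosed chain key as in Section 4.2.4
    def accept0(self, b):
        # timestamp, pseudonym and signature checks of beacon_0 are left out here (see lead-in)
        self.table[b["K"]] = {"P": b["P"], "mac": b["mac"]}
        return True
    def accept(self, b):
        """beacon_u, u >= 1: find the state via the disclosed key, re-derive the leaf, climb, check the MAC."""
        K = b["K"]
        key = K if b["I"] == 1 else H(K)  # beacon_1 carries K_0 itself; later ones must hash down to the stored key
        st = self.table.get(key)
        if st is None:
            return False
        P, rand, proof = b["m"]
        move = (P[0] - st["P"][0], P[1] - st["P"][1])  # M_u = P_u - P_{u-1}
        root = climb(leaf(b["I"], b["t"], move, rand), proof)
        if not hmac.compare_digest(hmac.new(K, root, hashlib.sha256).digest(), st["mac"]):
            return False
        del self.table[key]
        self.table[K] = {"P": P, "mac": b["mac"]}  # roll forward to P_u, HMAC_{K_u}(root_{u+1}), K_{u-1}
        return True

def run_demo():
    """The three beacons of Figure 7, then a replayed beacon and a tampered position (both rejected)."""
    v, r, t = Vehicle(5, (0, 0)), RSU(), 100
    ok0 = r.accept0(v.beacon0(t, t + 1))
    b1 = v.beacon(0, t + 1, t + 2)  # P_11 = (0, 1); proof_1 = (L_12, h_34, L_15)
    b2 = v.beacon(4, t + 2, t + 3)  # P_25 = (0, 0); proof_2 = (h_1234)
    ok1, ok2 = r.accept(b1), r.accept(b2)
    replay = r.accept(b2)           # H2(K_1) = K_0 is no longer indexed, so the replay is dropped
    b3 = v.beacon(2, t + 3, t + 4)
    b3["m"] = ((9, 9), b3["m"][1], b3["m"][2])  # tampered position: the leaf no longer matches the committed root
    return {"ok0": ok0, "ok1": ok1, "ok2": ok2, "replay": replay, "tampered": r.accept(b3),
            "proof1_len": len(b1["m"][2]), "proof2_len": len(b2["m"][2])}
```

The proof lengths reproduce Figure 7: the leaf $L_{11}$ in the perfect subtree needs three siblings, while the lone peak $L_{15}$ needs only the bagged $h_{1234}$, which is the storage and bandwidth saving the MMR gives over a padded Merkle tree.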
4.2.5 Local Traffic Conditions Broadcast and Upload
The RSU generates the local traffic conditions from the vehicle beacons acquired in real time, constructs the message $m_j$, and signs it with PMR-IBS:
1) The RSU selects a random number $d_j \in Z_p^*$, computes $D_j = d_j P$, and divides $m_j$ into two parts, $m_j = (m_{j,1}, m_{j,2})$, where the length of $m_{j,2}$ is $k_2$;
2) The RSU computes $m'_j = H_4(m_{j,1}) \| (H_5(H_4(m_{j,1})) \oplus m_{j,2})$ and $\psi_j = (D_j)_x \oplus m'_j$, where $(D_j)_x$ denotes the $x$ coordinate of $D_j$;
3) The RSU computes $\beta_j = H_2(m_{j,1} \| t_j \| info_{rsu_j} \| \psi_j)$ and the signature $\delta_j = d_j + \alpha_j \beta_j$, where $t_j$ is the timestamp, then broadcasts the message $M_j = (m_{j,1}, t_j, info_{rsu_j}, \psi_j, \delta_j)$ to the local vehicles and uploads it to KGC.
4.2.6 Traffic Conditions Message Recovery and Verification
After the vehicle and KGC receive the message $M_j$ from the RSU, they recover and verify it as follows:
1) They first check the timestamp $t_j$ and the validity period in $info_{rsu_j}$, then compute $\beta'_j = H_2(m_{j,1} \| t_j \| info_{rsu_j} \| \psi_j)$ and $(D'_j)_x = \big(\delta_j P - (PK_{rsu_j} + H_2(info_{rsu_j}) PK_{KGC}) \beta'_j\big)_x$;
2) They compute $m''_j = (D'_j)_x \oplus \psi_j$ and recover the message $m_j = m_{j,1} \| \big(H_5([m''_j]_{k_1}) \oplus [m''_j]^{k_2}\big)$, where $[m''_j]_{k_1}$ denotes the first $k_1$ bits and $[m''_j]^{k_2}$ the last $k_2$ bits of $m''_j$;
3) Finally, they accept the message only if $[m''_j]_{k_1} = H_4(m_{j,1})$ holds.
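The registration of Section 4.2.2 together with the PMR-IBS broadcast and recovery of Sections 4.1.3, 4.2.5 and 4.2.6, as an added example that is not the paper's code: KGC issues a blinded partial key, the RSU unblinds it and checks it against $PK_{rsu_j} - R_j + H_2(info_{rsu_j}) PK_{KGC}$, signs a traffic report of which only $m_{j,1}$ is transmitted, and a receiver recovers $m_{j,2}$ and accepts only if $[m''_j]_{k_1} = H_4(m_{j,1})$. The curve (secp256k1, so $|p| = 256$ and $k_1 = k_2 = 128$), the SHA-256 instantiations of $H_1$, $H_2$, $H_4$ and $H_5$, the byte encoding of $info_{rsu_j}$, the omitted identity check at KGC and the sample report are all assumptions of this example.

```python
import hashlib
import os

# secp256k1 parameters: a standard prime-order curve standing in for the paper's (E, G, P, p) (constructed choice)
q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F  # field prime
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # order of P
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
K1, K2 = 128, 128  # k1 + k2 = |p| = 256 bits

def add(A, B):
    """Affine point addition on y^2 = x^3 + 7 over F_q; None is the point at infinity."""
    if A is None: return B
    if B is None: return A
    if A[0] == B[0] and (A[1] + B[1]) % q == 0: return None
    if A == B: lam = 3 * A[0] * A[0] * pow(2 * A[1], -1, q) % q
    else: lam = (B[1] - A[1]) * pow(B[0] - A[0], -1, q) % q
    x = (lam * lam - A[0] - B[0]) % q
    return (x, (lam * (A[0] - x) - A[1]) % q)

def mul(k, A):
    """Double-and-add scalar multiplication k*A."""
    R = None
    while k:
        if k & 1: R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def neg(A): return (A[0], (-A[1]) % q)
def enc(A): return A[0].to_bytes(32, "big") + A[1].to_bytes(32, "big")
def rand_zp(): return 1 + int.from_bytes(os.urandom(32), "big") % (p - 1)
def h_int(*parts): return int.from_bytes(hashlib.sha256(b"||".join(parts)).digest(), "big") % p  # H1/H2: -> Z_p
def h_bits(tag, data, nbits): return int.from_bytes(hashlib.sha256(tag + data).digest(), "big") >> (256 - nbits)  # H4/H5

def kgc_setup():
    """System initialization: private key s and PK_KGC = sP."""
    s = rand_zp()
    return s, mul(s, P)

def rsu_register(s, ID, validity, R):
    """KGC side of Section 4.2.2 (identity check omitted): PK_rsu = wP + R, info = {PK_rsu, ID, T},
    tau = w + s*H2(info), tau' = tau XOR H1(sR)."""
    w = rand_zp()
    PK_rsu = add(mul(w, P), R)
    info = enc(PK_rsu) + ID + validity
    tau = (w + s * h_int(info)) % p
    return info, tau ^ h_int(enc(mul(s, R)))

def rsu_finish(theta, PK_KGC, info, tau_blind):
    """RSU side: unblind with H1(theta*PK_KGC), check tau*P = PK_rsu - R + H2(info)*PK_KGC, alpha = theta + tau."""
    tau = tau_blind ^ h_int(enc(mul(theta, PK_KGC)))
    PK_rsu = (int.from_bytes(info[:32], "big"), int.from_bytes(info[32:64], "big"))
    expect = add(add(PK_rsu, neg(mul(theta, P))), mul(h_int(info), PK_KGC))
    assert mul(tau, P) == expect, "partial private key from KGC does not verify"
    return (theta + tau) % p

def pmr_sign(alpha, info, m1, m2, t):
    """Section 4.2.5: m2 (k2 bits) is folded into psi and not transmitted; the verifier recovers it."""
    assert m2 < (1 << K2)
    d = rand_zp()
    D = mul(d, P)
    h4 = h_bits(b"H4", m1, K1)
    m_prime = (h4 << K2) | (h_bits(b"H5", h4.to_bytes(16, "big"), K2) ^ m2)
    psi = D[0] ^ m_prime
    beta = h_int(m1, t, info, psi.to_bytes(32, "big"))
    return (m1, t, info, psi, (d + alpha * beta) % p)  # M_j = (m_{j,1}, t_j, info, psi_j, delta_j)

def pmr_verify(PK_KGC, M):
    """Section 4.2.6: return (m1, m2) if the recovered check value matches H4(m1), else None."""
    m1, t, info, psi, delta = M
    PK_rsu = (int.from_bytes(info[:32], "big"), int.from_bytes(info[32:64], "big"))
    beta = h_int(m1, t, info, psi.to_bytes(32, "big"))
    Y = add(PK_rsu, mul(h_int(info), PK_KGC))  # = alpha*P
    D = add(mul(delta, P), neg(mul(beta, Y)))  # (D')_x = (delta*P - Y*beta)_x
    m_dprime = D[0] ^ psi
    h4, tail = m_dprime >> K2, m_dprime & ((1 << K2) - 1)
    if h4 != h_bits(b"H4", m1, K1):
        return None
    return m1, h_bits(b"H5", h4.to_bytes(16, "big"), K2) ^ tail

def run_demo():
    s, PK_KGC = kgc_setup()
    theta = rand_zp()
    info, tau_blind = rsu_register(s, b"RSU-17", b"2025-12-31", mul(theta, P))  # constructed identity and T_j
    alpha = rsu_finish(theta, PK_KGC, info, tau_blind)
    m1, m2 = b"segment A12: congested", int.from_bytes(b"speed=12km/h", "big")  # constructed traffic report
    M = pmr_sign(alpha, info, m1, m2, b"t=1700000000")
    genuine = pmr_verify(PK_KGC, M) == (m1, m2)
    forged = pmr_verify(PK_KGC, (b"segment A12: clear",) + M[1:]) is None  # altered m_{j,1} must be rejected
    return genuine, forged, len(M[3].to_bytes(32, "big"))
```

Note that the receiver never needs $D_j$ on the wire: it reconstructs it from $\delta_j$ and the RSU's public material, which is why $\psi_j$ can carry $m_{j,2}$ at no extra cost and the broadcast shrinks by $k_2$ bits.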
5 SECURITY ANALYSIS
In this section, we show that the proposed scheme meets the security requirements.
Theorem 1: The proposed scheme ensures the integrity of the sent messages.
Proof: First, if the integrity of $beacon_0 = (B_{i,1}, C_i, AID_i, m'_0, I_0, t_0, \delta_i)$ sent by the vehicle is damaged, then either the $\beta'_i = H_3(B_{i,1} \| C_i \| AID_i \| m'_0 \| I_0 \| t_0)$ computed by the RSU during verification or the $\delta_i$ taken from $beacon_0$ is incorrect. This causes $\delta_i P = C_i + (AID_{i,1} + H_2(AID_i) PK_{KGC}) \beta'_i$ to fail, revealing that the integrity of $beacon_0$ has been destroyed. Second, if the integrity of a later $beacon_1$ or $beacon_{u-1}$ is compromised, the value the RSU computes through the Merkle proof will not be consistent with the stored $HMAC_{K_0}(root_1)$ or $HMAC_{K_{u-2}}(root_{u-1})$. Finally, if the integrity of the traffic status message broadcast by the RSU is damaged, the $m''_j$ recovered by the receiver will be incorrect, so $[m''_j]_{k_1} = H_4(m_{j,1})$ does not hold.
Theorem 2: Except for KGC, no entity can reveal the true identity of a target vehicle from its messages, and a disclosed malicious vehicle cannot deny having sent the message.
Proof: When a dispute occurs, KGC computes $ID_{v_i} = AID_{i,2} \oplus H_1(s AID_{i,1})$ from the pseudonym $AID_i$ in the message, and so traces the real identity of the malicious vehicle. Without KGC's private key $s$, an adversary cannot compute $H_1(s AID_{i,1})$ to reveal the real identity $ID_{v_i}$. Because the private key $\alpha_i$ is stored in the TPD, the adversary cannot obtain $\alpha_i$ and generate a forged $beacon_0$ satisfying Equation (1), so the malicious vehicle cannot deny sending the message.
Theorem 3: The proposed scheme protects the route privacy of vehicles.
Proof: Firstly, the vehicle uses the 𝑘𝑒𝑦𝑖to encrypt the location information before sending the beacon, so that even if the
adversary invades the RSU and obtains the information stored in it, he only gets the route of the vehicle in the RSU area.
Theorem 4: The proposed scheme resists the impersonation attack, replay attack, and man-in-the-middle attack.
Proof:
Impersonation attack: If an adversary attempts to impersonate a legal vehicle to send $beacon_0$ to the RSU, the adversary needs to generate a $beacon_0$ satisfying $\delta_i P = C_i + AID_{i,1} + H_2(AID_i \| PK_{KGC})\,\beta_i$, but the adversary does not know the private key $\alpha_i$ of the impersonated vehicle, so the forged $beacon_0$ cannot satisfy this equation. Similarly, if the adversary attempts to impersonate a legal vehicle to send $beacon_{u-1}$ to the RSU, the adversary needs to infer $K_{u-1}$ from $K_{u-2}$, and also needs to generate $proof_{u-1}$ and select a random number $rand_u^z$ such that the Merkle proof matches $HMAC_{K_{u-1}}(root_u)$, which is computationally infeasible. So the proposed scheme resists the impersonation attack.
Replay attack: Both the vehicle and the RSU include a timestamp $t$ in the message. The receiver checks the validity of the message by judging whether the timestamp is fresh. If the adversary tries to modify the timestamp, the integrity of the message will be destroyed.
Man-in-the-middle attack: Based on the previous analysis of integrity, the proposed scheme lets the receiver authenticate the sender. Therefore, the proposed scheme resists the man-in-the-middle attack.
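The chain of checks used in the integrity and impersonation arguments above (the one-way key chain $K_{u-2} = H(K_{u-1})$, the Merkle root over the $z$ predicted positions blinded with random values, and the $HMAC_{K_{u-1}}(root_u)$ commitment that the RSU compares against the opened Merkle proof once the key is disclosed) is illustrated by the following added Python model; it is not the paper's code nor the Java/JPBC implementation benchmarked in Section 6. The beacon field layout, SHA-256 and HMAC-SHA-256 as $H$ and $HMAC$, and the use of $H(K_0)$ as the RSU's chain anchor are assumptions; the ECC signature $\delta_i$ on $beacon_0$, the pseudonym $AID_i$ and the message fields $m_u, I_u, t_u$ are omitted.

```python
import hashlib
import hmac
import os
# Hypothetical simplified model of the LPTM beacon chain, not the paper's code.

def H(*parts: bytes) -> bytes:
    """One-way hash for the key chain and Merkle tree (SHA-256 assumed)."""
    return hashlib.sha256(b"".join(parts)).digest()

def key_chain(seed: bytes, n: int) -> list:
    """[K_0, ..., K_{n-1}] with K_i = H(K_{i+1}); only K_{n-1} is chosen at random."""
    chain = [seed]
    for _ in range(n - 1):
        chain.append(H(chain[-1]))
    return chain[::-1]

def _pad(level: list) -> list:
    return level + [level[-1]] if len(level) % 2 else level  # duplicate odd last node

def _next_level(level: list) -> list:
    return [H(level[i], level[i + 1]) for i in range(0, len(level), 2)]

def merkle_proof(leaves: list, idx: int) -> list:
    """Sibling path of leaf idx as (sibling_hash, sibling_is_left) pairs."""
    proof, level = [], list(leaves)
    while len(level) > 1:
        level, sib = _pad(level), idx ^ 1
        proof.append((level[sib], sib < idx))
        level, idx = _next_level(level), idx // 2
    return proof

def root_from_proof(leaf: bytes, proof: list) -> bytes:
    node = leaf
    for sibling, sibling_is_left in proof:
        node = H(sibling, node) if sibling_is_left else H(node, sibling)
    return node

def merkle_root(leaves: list) -> bytes:
    return root_from_proof(leaves[0], merkle_proof(leaves, 0))

def commit(key: bytes, root: bytes) -> bytes:
    """HMAC_K(root): the key K is only disclosed one beacon later (TESLA style)."""
    return hmac.new(key, root, "sha256").digest()

class Vehicle:
    def __init__(self, rounds: int, z: int = 5):
        self.keys = key_chain(os.urandom(32), rounds)  # K_0 .. K_{rounds-1}
        self.z, self.trees = z, {}

    def _tree(self, u: int) -> list:
        # z predicted positions for round u (constructed samples), each blinded
        # with a fresh random value so the RSU learns nothing about unopened leaves.
        rands = [os.urandom(16) for _ in range(self.z)]
        positions = [f"pos_{u}_{j}".encode() for j in range(self.z)]
        leaves = [H(p, r) for p, r in zip(positions, rands)]
        self.trees[u] = (positions, rands, leaves)
        return leaves

    def beacon0(self) -> dict:
        # Anchor H(K_0) plus HMAC_{K_0}(root_1); the ECC signature delta_i that
        # authenticates beacon_0 in the paper is not modelled here.
        return {"anchor": H(self.keys[0]),
                "commit": commit(self.keys[0], merkle_root(self._tree(1)))}

    def beacon(self, u: int, actual: int) -> dict:
        # Open the leaf actually reached, disclose K_{u-1} and commit root_{u+1}.
        positions, rands, leaves = self.trees[u]
        return {"pos": positions[actual], "rand": rands[actual],
                "proof": merkle_proof(leaves, actual), "key": self.keys[u - 1],
                "commit": commit(self.keys[u], merkle_root(self._tree(u + 1)))}

class RSU:
    def __init__(self, beacon0: dict):
        self.last_key, self.stored = beacon0["anchor"], beacon0["commit"]

    def verify(self, b: dict) -> bool:
        if H(b["key"]) != self.last_key:  # disclosed key must extend the chain
            return False
        root = root_from_proof(H(b["pos"], b["rand"]), b["proof"])
        if not hmac.compare_digest(commit(b["key"], root), self.stored):
            return False  # opened position is not in the committed root
        self.last_key, self.stored = b["key"], b["commit"]  # advance state
        return True
```

A tampered position, a disclosed key that does not hash to the previously accepted one, or a replayed beacon all make `RSU.verify` return False, which is exactly the inconsistency the proof relies on.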
6 PERFORMANCE ANALYSIS
In this section, the performance of LPTM in terms of computation cost and communication cost is presented by comparison with two traffic monitoring schemes [18, 32].
In the analysis, for the bilinear pairing $e: G_1 \times G_1 \to G_2$, where $G_1$ is a multiplicative group generated by a point $\hat P$ of order $\hat p$, we use the curve $\hat E: y^2 = x^3 + x \bmod \hat q$, where $\hat q$ is a 512-bit prime and $\hat p$ is a 160-bit prime. For ECC, we use an additive group $G$ on the elliptic curve $E: y^2 = x^3 + ax + b \bmod q$ with generator $P \in G$ of order $p$, where $p$ and $q$ are 160-bit primes.
6.1 Computation Cost Analysis
In this subsection, we use different notations for the different cryptographic operations, and use the JPBC library [36] and the Java elliptic curve library at https://github.com/simonbernard/java-elliptic-curve-library [37] to measure the time taken by each operation, as shown in Table 3. The execution platform is a laptop with an Intel i5-10200H 2.4 GHz CPU and 16 GB RAM. We then analyze the computation cost of LPTM and compare it with schemes [18, 32].
We only compare the computation cost of LPTM with schemes [18, 32] on message signature generation and signature verification. Schemes [18, 32] use bilinear pairing to realize signature generation and verification. Our scheme uses both asymmetric and symmetric cryptography, where the asymmetric part uses ECC and the symmetric part uses the MMR. In the experiment, we set the number of predicted positions of a vehicle to $z = 5$. The computation cost comparison of the schemes is shown in Table 4. Figure 8 shows the computation cost of signature generation for each scheme, and Figures 9 and 10 show the computation cost of each scheme for verifying one and $n$ signatures, respectively.
TABLE 3 The execution time of different cryptographic operations

| Cryptographic operation | Time (millisecond) |
|---|---|
| $T$ | 0.0001 |
| $T_{spbp}$ | 8.768 |
| $T_{pmbp}$ | 0.046 |
| $T_{bp}$ | 4.652 |
| $T_{mtp}$ | 19.442 |
| $T_{smecc}$ | 0.744 |
| $T_{paecc}$ | 0.004 |

$T$: the time taken for a one-way hash operation.
$T_{spbp}$: the execution time of a scalar power operation related to the bilinear pairing.
$T_{pmbp}$: the execution time of a point multiplication operation related to the bilinear pairing.
$T_{bp}$: the time taken for a pairing operation $e: G_1 \times G_1 \to G_2$.
$T_{mtp}$: the time taken for a hash-to-point operation related to the bilinear pairing.
$T_{smecc}$: the execution time of a scalar multiplication operation related to the ECC.
$T_{paecc}$: the execution time of a point addition operation related to the ECC.
TABLE 4 Computation cost comparison

| Scheme | Signature generation | Signature verification | $n$ signatures verification |
|---|---|---|---|
| RCoM [32] | $4T_{spbp} + T_{mtp} + T_{pmbp} + T$ | $2T_{bp} + 3T_{spbp} + 3T_{pmbp} + 3T$ | $n(2T_{bp} + 3T_{spbp} + 3T_{pmbp} + 3T)$ |
| PAM [18] | $12T_{spbp} + 3T_{bp} + 5T_{pmbp} + T$ | $12T_{spbp} + 5T_{bp} + 8T_{pmbp} + T$ | $3T_{bp} + n(12T_{spbp} + 2T_{bp} + 8T_{pmbp} + T)$ |
| LPTM ($beacon_0$) | $3T_{smecc} + 13T$ | $4T_{smecc} + 2T_{paecc} + 3T$ | $(3n+1)T_{smecc} + (3n-1)T_{paecc} + 3nT$ |
| LPTM ($beacon_{u-1}$) | $11T$ | $6T$ | $6nT$ |
6.2 Communication Cost Analysis
In this subsection, we analyze the communication cost of our proposed scheme and compare it with schemes [18, 32]. From the curves $\hat E$ and $E$ set above, a point of $G_1$ or $G_2$ is 128 bytes and a point of $G$ is 40 bytes. Second, we set the hash function output size to 20 bytes and the timestamp size to 4 bytes. In the comparison, we only consider the size of the signature.
In the PAM scheme [18], the vehicle sends an anonymous report $AM_{ij} = (pid_{ij}, m_{ij}, \sigma_{ij})$ to the RSU, where $\sigma_{ij} = (T_1, T_2, T_3, C_{ij}, s_1, s_2, s_3, s_4, s_5)$ and $T_1, T_2, T_3 \in G_1$, so the communication overhead is $|pid_{ij}| + |\sigma_{ij}| = 7 \times 20 + 3 \times 128 = 524$ bytes. In the RCoM scheme [32], the vehicle submits the road condition report $(U, W)$ to the RSU, where $U$ is the ciphertext of the road condition and $W = (SA_i, SA_\ell, V_j, vsk_{j,1}, vsk_{j,2}, t_l, t_j, T_d, \theta_l, Time)$, $\theta_l = (\theta_{l,1}, \theta_{l,2})$, $\theta_{l,1}, \theta_{l,2}, vsk_{j,1}, vsk_{j,2} \in G_1$, so the communication cost of this scheme is $|W| = 3 \times 20 + 4 \times 128 + 4 \times 4 = 588$ bytes. In addition, in the token distribution stage of the RCoM scheme, the message sent by the RSU to the vehicle is $T_l = (SA_\ell, rsk_{l,1}, rsk_{l,2}, t_l, T_d, \theta_l)$, whose communication cost is $|T_l| = 20 + 4 \times 128 + 2 \times 4 = 540$ bytes. In our proposed scheme, the communication cost of the vehicle sending $beacon_0 = (B_{i,1}, C_i, AID_i, m_0, I_0, t_0, \delta_i)$ is $3 \times 40 + 2 \times 20 + 3 \times 4 = 172$ bytes, and the communication overhead of the vehicle sending $beacon_{u-1} = (m_{u-1}, I_{u-1}, t_{u-1}, K_{u-2})$ is $5 \times 20 + 2 \times 4 = 108$ bytes ($z = 5$). The communication cost of the RSU broadcasting the message $M_j = (m_{j,1}, t_j, info_{rsu_j}, \psi_j, \delta_j)$ to the vehicle is $40 + 3 \times 20 + 2 \times 4 = 108$ bytes. Figure 11 shows the comparison between our proposed scheme and schemes [18, 32] in terms of the communication cost of the messages sent by vehicles.
Fig. 8. Execution time for generating a message signature
Fig. 9. Execution time for verifying a message signature
Fig. 10. Execution time for verifying $n$ message signatures
Fig. 11. A comparison of the communication cost of messages sent by vehicles
7 CONCLUSION
In this paper, we propose an efficient traffic monitoring scheme based on fog assistance, in which the adoption of the optimized TESLA authentication technique [28] and the PMR-IBS technique [29] makes LPTM more efficient. At the same time, since KGC only distributes a partial private key to vehicles and RSUs, and the vehicle negotiates a key with the RSU when entering the RSU's communication range, the driving information submitted by the vehicle is effectively protected, thus ensuring privacy. Therefore, the LPTM scheme is in line with the actual application environment.
ACKNOWLEDGMENTS
This work was supported by the National Natural Science Foundation of China, 62072133; Key Projects of Guangxi Natural Science Foundation, 2018GXNSFDA281040; Henan Key Laboratory of Network Cryptography Technology, LNCT2021-A11; Innovation Project of Guangxi Graduate Education, YCBZ2022107.
References
1. Liu YN, Lv SZ, Xie M, Chen ZB, Wang P. Dynamic anonymous identity authentication (DAIA) scheme for VANET.
International Journal of Communication Systems 2019; 32(5): e3892.
2. Chen L. Road vehicle recognition algorithm in safety assistant driving based on artificial intelligence. Soft Computing 2021:
1–10.
3. Stenovec T. Google has gotten incredibly good at predicting traffic — here's how. https://www.businessinsider.com/how-google-maps-knows-about-traffic-2015-11; accessed June 5, 2021.
4. Lo CH, Peng WC, Chen CW, Lin TY, Lin CS. Carweb: A traffic data collection platform. In: IEEE; 2008: 221–222.
5. He Z, Zhang D. Cost-efficient traffic-aware data collection protocol in VANET. Ad Hoc Networks 2017; 55: 28–39.
6. Cui J, Zhang J, Zhong H, Shi R, Xu Y. An efficient certificateless aggregate signature without pairings for vehicular ad hoc
networks. Information Sciences 2018; 451: 1–15.
7. Ali I, Chen Y, Ullah N, Kumar R, He W. An Efficient and Provably Secure ECC-Based Conditional Privacy-Preserving
Authentication for Vehicle-to-Vehicle Communication in VANETs. IEEE Transactions on Vehicular Technology 2021;
70(2): 1278–1291.
8. Cheng H, Liu Y. An improved RSU-based authentication scheme for VANET. Journal of Internet Technology 2020; 21(4):
1137–1150.
9. Cui J, Zhang X, Zhong H, Ying Z, Liu L. RSMA: Reputation system-based lightweight message authentication framework
and protocol for 5G-enabled vehicular networks. IEEE Internet of Things Journal 2019; 6(4): 6417–6428.
10. Liu J, Wang X, Yue G, Shen S. Data sharing in VANETs based on evolutionary fuzzy game. Future Generation Computer
Systems 2018; 81: 141–155.
11. Raya M, Papadimitratos P, Hubaux JP. Securing vehicular communications. IEEE wireless communications 2006; 13(5):
8–15.
12. Lu R, Lin X, Zhu H, Ho PH, Shen X. ECPP: Efficient conditional privacy preservation protocol for secure vehicular communications. In: IEEE; 2008: 1229–1237.
13. Lu Z, Wang Q, Qu G, Zhang H, Liu Z. A blockchain-based privacy-preserving authentication scheme for vanets. IEEE
Transactions on Very Large Scale Integration (VLSI) Systems 2019; 27(12): 2792–2801.
14. Liu Y, Guo W, Zhong Q, Yao G. LVAP: Lightweight V2I authentication protocol using group communication in VANETs. International Journal of Communication Systems 2017; 30(16): e3317.
15. He D, Zeadally S, Xu B, Huang X. An efficient identity-based conditional privacy-preserving authentication scheme for
vehicular ad hoc networks. IEEE Transactions on Information Forensics and Security 2015; 10(12): 2681–2691.
16. Li H, Liu J, Liu RW, Xiong N, Wu K, Kim Th. A dimensionality reduction-based multi-step clustering method for robust
vessel trajectory analysis. Sensors 2017; 17(8): 1792.
17. Lv S, Liu Y. PLVA: privacy-preserving and lightweight V2I authentication protocol. IEEE Transactions on Intelligent
Transportation Systems 2021.
18. Li M, Zhu L, Lin X. Privacy-preserving traffic monitoring with false report filtering via fog-assisted vehicular crowdsensing.
IEEE Transactions on Services Computing 2019.
19. Zhu L, Li M, Zhang Z, Qin Z. ASAP: An anonymous smart-parking and payment scheme in vehicular networks. IEEE
Transactions on Dependable and Secure Computing 2018; 17(4): 703–715.
20. Ma M, He D, Wang H, Kumar N, Choo KKR. An efficient and provably secure authenticated key agreement protocol for
fog-based vehicular ad-hoc networks. IEEE Internet of Things Journal 2019; 6(5): 8065–8075.
21. Soleymani SA, Goudarzi S, Anisi MH, Zareei M, Abdullah AH, Kama N. A security and privacy scheme based on node
and message authentication and trust in fog-enabled VANET. Vehicular Communications 2021; 29: 100335.
22. Shen S, Huang L, Zhou H, Yu S, Fan E, Cao Q. Multistage signaling game-based optimal detection strategies for suppressing
malware diffusion in fog-cloud-based IoT networks. IEEE Internet of Things Journal 2018; 5(2): 1043–1054.
23. Grover J, Jain A, Singhal S, Yadav A. Real-time VANET applications using fog computing. In: Springer; 2018: 683–691.
24. Yin J, Lo W, Deng S, Li Y, Wu Z, Xiong N. Colbar: A collaborative location-based regularization framework for QoS
prediction. Information Sciences 2014; 265: 68–84.
25. Fang W, Yao X, Zhao X, Yin J, Xiong N. A stochastic control approach to maximize profit on service provisioning for
mobile cloudlet platforms. IEEE Transactions on Systems, Man, and Cybernetics: Systems 2016; 48(4): 522–534.
26. Cui J, Wu D, Zhang J, Xu Y, Zhong H. An efficient authentication scheme based on semi-trusted authority in VANETs.
IEEE Transactions on Vehicular Technology 2019; 68(3): 2972–2986.
27. Al-Riyami SS, Paterson KG. Certificateless public key cryptography. In: Springer; 2003: 452–473.
28. Lyu C, Gu D, Zeng Y, Mohapatra P. PBA: Prediction-based authentication for vehicle-to-vehicle communications. IEEE
transactions on dependable and secure computing 2015; 13(1): 71–83.
29. Shim KA. BASIS: a practical multi-user broadcast authentication scheme in wireless sensor networks. IEEE Transactions
on Information Forensics and Security 2017; 12(7): 1545–1554.
30. Raya M, Hubaux JP. Securing vehicular ad hoc networks. Journal of computer security 2007; 15(1): 39–68.
31. Jia X, He D, Liu Q, Choo KKR. An efficient provably-secure certificateless signature scheme for Internet-of-Things
deployment. Ad Hoc Networks 2018; 71: 78–87.
32. Wang Y, Ding Y, Wu Q, Wei Y, Qin B, Wang H. Privacy-preserving cloud-based road condition monitoring with source
authentication in vanets. IEEE Transactions on Information Forensics and Security 2018; 14(7): 1779–1790.
33. Perrig A, Canetti R, Tygar JD, Song D. The TESLA broadcast authentication protocol. RSA CryptoBytes 2002; 5(2): 2–13.
34. Todd P. Merkle mountain range. https://github.com/opentimestamps/opentimestamps-server/blob/master/doc/merkle-mountain-range.md; accessed June 5, 2021.
35. Bünz B, Kiffer L, Luu L, Zamani M. Flyclient: Super-light clients for cryptocurrencies. In: IEEE; 2020: 928–946.
36. Lynn B. Java Pairing-Based Cryptography Library (JPBC). http://gas.dia.unisa.it/projects/jpbc/index.html; accessed June 5, 2021.
37. Bernard S. Elliptic curve crypto library on Java MicroEdition. https://github.com/simonbernard/java-elliptic-curve-library#readme; accessed June 5, 2021.