An Efficient Anonymous Authentication Scheme with Secure Communication in Intelligent Vehicular Ad-hoc Networks

Abstract

Vehicular ad-hoc networks (VANETs) have become increasingly significant in intelligent transportation systems, they play a great role in improving traffic safety and efficiency. In the deployment of intelligent VANETs, intelligent vehicles can efficiently exchange important or urgent traffic information and make driving decisions. Meanwhile, secure data communication and vehicle's identity privacy have been highlighted. To cope with these security issues, in this paper, we construct an efficient anonymous authentication scheme with secure communication in intelligent VANETs. Combing the ElGamal encryption technique with a modified Schnorr signature technique, the proposed scheme provides secure anonymous authentication process for encrypted message in the vehicle-to-infrastructure communication model, and achieves identity privacy, forward security, and reply attack resistance simultaneously. Moreover, except the trusted authority (TA), any outside entity cannot trace the real identity of an intelligent vehicle. The proposed scheme is designed on an identity-based system, which can remove the costs of establishing public key infrastructure (PKI) and certificates management. Compared with existing authentication schemes, the proposed scheme is much more practical in intelligent VANETs.

1. Introduction

 With the rapid development of wireless communication and network technologies [1-3], the vehicular ad-hoc network (VANET) is a continuously self-configuring, infrastructure-less network, which has upgraded the traditional transportation systems to the intelligent transportation systems. In the deployment of intelligent VANETs [4], there are various types of vehicles equipped with on-board units (OBUs), in which the wireless communication modules are installed, they contribute to message transmission and reception through Wi-Max or Wi-Fi. Moreover, in the intelligent transportation systems, roadside units (RSUs) are established to take responsibility for distributing emergent events efficiently.

 In general, the typical structure of a VANET is depicted in Fig. 1. Particularly, the short-range wireless communication protocol, termed the Dedicated Short Range Communication (DSRC) protocol, plays a great role in the VANET. The vehicle equipped with an OBU can communicate with other vehicles under the DSRC protocol in the VANET, which is a vehicle-to-vehicle (V2V) communication model [5-6]. In such model, each vehicle can exchange the traffic conditions, including weather conditions, road defects, each vehicle’s location and speed, so that they can quickly avoid possible traffic congestion, or traffic accidents. On the other hand, the vehicle equipped with an OBU can communicate with roadside units (RSUs) under the DSRC protocol, which is a vehicle-to-RSU (V2R) communication model [5-6]. This communication model enables the VANET to offer many safety services, RSUs can send information about traffic conditions to the traffic control center. Thus, the traffic control center can also promptly take action to broadcast emergency and traffic sign violation warnings, thereby improving traffic safety and efficiency.

Fig. 1. The Structure of the VANET

 Despite the promising features of VANETs have brought many benefits to the intelligent transportation systems, the open-medium nature of these communications may intrigue VANETs to be vulnerable to various kinds of active attacks [7]. More specifically, the identity privacy, message integrity, and authentication are the most significant security concerns [8-9]. A malicious vehicle may impersonate as an emergency vehicle to exceed speed limits without being permitted. Worse still, if the real identity of a vehicle is revealed, the location privacy of the vehicle would be disclosed. Furthermore, if message integrity is not provided, a malicious vehicle could change the content of a message that is sent by a legitimate vehicle. Thus, the other vehicles and the RSUs cannot estimate the traffic situation according to the received message. Simultaneously, to improve the efficiency in the intelligent transportation systems, an intelligent VANET is also constructed to support batch verification of safety messages in the vehicle-to-infrastructure communication model.

 Up to date, many existing anonymous authentication schemes based on public key infrastructure (PKI) have been proposed [10-15]. However, these schemes need the complex certificate management, which might hinder the deployment of anonymous authentication for intelligent VANETs in practice. While an identity-based cryptographic system, first introduced by Shamir [16], can avoid establishing the Public key Infrastructure (PKI). In such a system, a trusted Key Generation Centre (KGC) can generate an entity’s private key according to any known information of an entity’s identity. Consequently, anonymous identity-based authentication schemes for intelligent VANETs have more advantages, especially in the mobile intelligent VANETs. In the literature [17-21], some identity-based anonymous authentication schemes for intelligent VANETs have been proposed.

 Although some of these schemes mentioned above can achieve identity privacy, message integrity and authentication, message confidentiality is also important in some intelligent VANETs. Especially in some sensitive geographic regions, a vehicle needs to send some authenticated encrypted message to nearby RSUs for secure communication. Moreover, traceability is also very essential in secure intelligent VANETs, if an anonymous vehicle in the intelligent VANET turns malicious, its identity privacy should be revoked by the trusted authority (TA) and revealed to other vehicles.

 To fill the aforementioned gap, in this paper, we propose an efficient anonymous authentication scheme with secure communication in intelligent VANETs. In particular, we focus on constructing the anonymous authentication scheme from vehicles equipped with the OBUs to nearby RSUs, the contributions of this work are specified as follows.

 (1) We take advantage of the ElGamal encryption technique [22] to achieve message confidentiality, and employs the modified Schnorr signature technique [23] to ensure the authentication of an encrypted message.

 (2) In the vehicle-to-RSU (V2R) communication model, we set a fully trusted authority (TA), which generates an anonymous identity of a legitimate vehicle according to its registered real identity and login password. Simultaneously, as the role of the KGC, the TA can generate the private key of the anonymous identity. Once a nearby RSU succeeds in decrypting and verifying the authenticated encrypted message from the anonymous intelligent vehicle, the RSU can accept the legal anonymous identity and the transmitted message. In addition, when a dispute appears, the TA can efficiently trace the real identity of the anonymous intelligent vehicle.

 (3) The proposed scheme is designed on an identity-based system, which can remove the costs of establishing public key infrastructure (PKI) and certificates management. In comparison with existing authentication schemes, the proposed scheme owns much lower communication overhead, without time-consuming bilinear pairing operations, the proposed scheme has better efficiency, which is much more practical in intelligent VANETs.

2. Related Work

 In order to cope with the security and privacy issues in intelligent VANETs, the conditional privacy-preserving authentication (CPPA) scheme is a good candidate. Raya et al. [10] firstly modified PKI to guarantee message authentication, integrity, and identity privacy. However, in Raya et al’s scheme, to achieve identity privacy, each intelligent vehicle needs to have a large storage space to keep key pairs and corresponding certificates. To validate their identities and trace them in case of any disputes, the trusted authority (TA) is also required to have a large storage space to save vehicles’ certificates. Moreover, a malicious vehicle’s real identity will be hard to be found by the TA due to the exhaustive search of all stored certificates. Lu et al. [11] proposed another authentication scheme with temporary anonymous certificates generated from the RSUs, but it needs frequent interactions of vehicles with RSUs to get corresponding anonymous certificates. Subsequently, some feasible techniques [12-13] have been proposed to overcome the weakness of [11]. More specifically, Freudiger et al. [12] leveraged the idea of mix-zones technique to propose a modified CPPA scheme, while the RSUs and the vehicles also need a large storage space for those anonymous certificates. Zhang et al. [13] combined a message authentication code and a key agreement protocol to construct an efficient CPPA scheme for VANETs, which can avoid malicious vehicles entering into the VANETs. After that, some group/ring signature-based authentication schemes [24–26] have been proposed.

 To simplify the complex certificate management in above PKI-based CPPA schemes, Zhang et al. [17] pioneered an identity-based CPPA scheme. However, the schemes in [27-28] pointed out that the scheme in [17] is vulnerable to the replay attack and cannot satisfy the property of non-repudiation. Chim et al. [28] further proposed an improved identity-based CPPA scheme for VANETs. Zhang et al. [29] pointed that the scheme in [27] cannot resist impersonation attack or cannot provide non-repudiation, they also proposed the improved model to address these security threats. Moreover, the integrity verification scheme in [30] has succeeded in achieving forward security, in which, the key update technique can also be well applied in post-quantum secure intelligent VANETs. Biswas et al. [31] integrated an ID-based proxy signature scheme with the standard ECDSA to generate a new authentication scheme. Shim [32] proposed another identity-based CPPA scheme for vehicle-to-infrastructure communication model. More recently, He et al. [20] proposed a new ID-based CPPA scheme, which could be used for both V2V communication model and V2R communication model in VANETs. To improve performance, the function of batch verification of multiple messages is included in the proposed ID-based CPPA scheme. Recently, the small exponent test technology has been exploited [33], to enable perform batch verification. Lo et al. [21] proposed a new identity-based signature based on the elliptic curve cryptosystem and further proposed a novel CPPA. Asaar et al. [34] proposed a proxy signature protocol with batch verification function, and integrated it into construct a secure authentication for VANETs. To aviod key escrow and complex certificate management, a practical certificateless conditional privacy-preserving authentication scheme for VANETs has also been given in [35].

3. Preliminaries

3.1 System Network Model of A VANET

 Now we introduce the system network model of a VANET in Fig. 2. It mainly consists of three entities, vehicle, RSU, and trusted authority (TA).

 Vehicle: The intelligent vehicle in the VANET is equipped with an OBU, which enables the vehicle to communicate with a nearby RSU through the DSRC protocol. Each OBU has a tamper-proof device (TPD) to store the sensitive information, such as a private key, a global positioning system (GPS) for providing the location and time information, and an event data recorder (EDR) for recording related information about vehicle crashes.

 RSU: The RSU is a fixed infrastructure, it is deployed on the roadside and can communicate with vehicles under the DSRC protocol. It can validate received messages and send them to the traffic management center or process them locally.

 Trusted Authority: The TA is responsible for maintaining the whole VANET systems. It is considered to be a fully trusted third party with high computation and communication capabilities. The TA is responsible for the registration of RSUs and vehicles, it generates system security parameters and preloads them in the OBU embedded in the vehicles. In addition, as the role of a Key Generator Centre (KGC) of an identity-based system, the TA can produce the anonymous identity of an intelligent vehicle and its corresponding private key. In the system network model of a VANET, only the TA can trace the real identity of the vehicle.

Fig. 2. The System Network Model of A VANET

3.2 Security Requirements

 The system network model of a VANET is confronted with various kinds of active attacks, such as denial of service attack, replay attack, impersonation attack and location spoofing. More importantly, an anonymous authentication scheme with secure communication in intelligent VANETs should satisfy the following security requirements.

 Message authentication and integrity: The nearby RSU is able to check the validity of the message sent by an intelligent vehicle. In addition, the RSU can detect any modifications of the received message, any outside adversary cannot successfully generate a forged authenticated message to convince the RSU.

 Message confidentiality: For the transmission of message, an intelligent vehicle equipped with the OBU needs to generate the authenticated encrypted message, and send it to the RSU. Thus, without the private key of the RSU, any outside adversary cannot decrypt the encrypted message.

 Identity privacy preservation: The RSU and any other vehicle are not able to extract the original intelligent vehicle’s real identity by analyzing the intercepted messages.

 Traceability: The TA has the ability to trace the real identity of an intelligent vehicle, when a target vehicle disputes its signature associated with corresponding encrypted message.

4. Our Anonymous Authentication Scheme with Secure Communication

4.1 Our Construction

 In this section, we focus on constructing an anonymous authentication scheme with secure communication in intelligent VANETs from a vehicle equipped with an OBU to a nearby RSU in some sensitive geographic region. There are four phases in the proposed scheme: the system initialization phase, anonymous identity private key generation phase, authenticated encrypted message generation phase, decryption and verification phase. The process of anonymous authentication with secure communication protocol is depicted in Fig. 3.

 System initialization phase: The TA generates system parameters, and pre-loads them into each vehicle’s tamper-proof device and pre-loads them into the RSU as follows.

 (1) The TA chooses two large prime numbers p , q , where q is the large prime number factor of p −1. The TA chooses a generator α with the prime order q , \(1 \leq q \leq p-1\), such that \(\alpha^{q} \equiv 1 \bmod p, \alpha \neq 1\). The TA sets three secure collision-resistance hash functions, \(H_{1}: Z_{p} \times Z_{p} \times\{0,1\}^{*} \rightarrow\{0,1\}^{\kappa}, H_{2}: Z_{p} \times\{0,1\}^{\kappa} \rightarrow Z_{q}, h: Z_{p} \times\{0,1\}^{\kappa} \times\{0,1\}^{*} \times Z_{p} \rightarrow Z_{q}\).

 (2) The TA chooses a random number \(x \leftarrow Z_{q}^{*}\) as the master secret key, and computes its public key \(P_{p u b}=\alpha^{x} \mod \ p\). Meanwhile, the RSU chooses a random number \(x_{R S U} \leftarrow Z_{q}^{*}\) as the private key, and computes its public key \(y_{R S U} \equiv \alpha^{x_{R S U}} \bmod p\).

 (3) In order to reduce the computational costs of each intelligent vehicle, the TA provides two pre-computing data sets: \(V S_{i 1}=\left\{\mu_{0}, \mu_{1}, \ldots \mu_{l_{q}-1}\right\}\), where \(\mu_{j} \equiv \alpha^{2^{j}} \bmod p, 0 \leq j \leq l_{q}-1\), l_q is the bit length of \(q ; V S_{i 2}=\left\{v_{0}, v_{1}, \ldots v_{l_{q}-1}\right\}\), where \(v_{j} \equiv y_{R S U}^{2^{j}} \bmod p, 0 \leq j \leq l_{q}-1\).

 (4) The TA assigns an identity \(v R I D_{i}\) and a corresponding login password \(v P W D_{i}\) to each registered intelligent vehicle and pre-loads them into its tamper-proof device.

 Finally, the TA broadcasts system public parameters \(\left\{p, q, \alpha, P_{p u b}, y_{R S U}\right\}\) and pre-computing data sets \(V S_{i 1}, V S_{i 2}\) to the RSUs and each intelligent vehicle.

 Anonymous identity private key generation phase: In this phase, the TA firstly needs to validate the real identity \(v R I D_{i} \in\{0,1\}^{\kappa}\) and login password \(v P W D_{i}\), which are sent from the intelligent vehicle. Then the TA creates an anonymous identity for \(v R I D_{i}\), and generates the corresponding private key as follows.

 (1) The TA selects a random number \(r_{i} \leftarrow Z_{q}^{*}\), and employs the master secret key x to generate the anonymous identity \(v A I D_{i}=\left\{v A I D_{i 1}, v A I D_{i 2}\right\}\), where:

\(v A I D_{i 1}=\alpha^{r_i} \mathrm { mod } \ p, v A I D_{i 2}=v R I D_{i} \oplus H_{1}\left({v A I D_{i 1}}^{x}, P_{p u b}, T_{i}\right)\).

 Here T_i is the term of validity of an anonymous identity.

 (2) With the master secret key x , the TA computes the private key of anonymous identity as follows:

\(S K_{v AI D_{i}}=\left(r_{i}+x\right) H_{2}\left(v A I D_{i}\right) \bmod q\).

 Finally, the TA returns the anonymous identity and corresponding private key \(\left\{v A I D_{i}, S K_{v A I D_{i}}, T_{i}\right\}\) to the intelligent vehicle via a secure channel.

 Authenticated encrypted message generation phase: In this phase, when an intelligent vehicle arrives at some sensitive geographic region, the intelligent vehicle equipped with an OBU_i generates the authenticated encrypted message to a nearby RSU as follows.

 (1) With the pre-computing data sets \(V S_{i 1}, V S_{i 2}\), the intelligent vehicle equipped with an OBU_i selects a random number \(k_{i} \leftarrow Z_{q}^{*}\), and combines the ElGamal encryption technique with the fast square-multiply algorithm to encrypt \(M \leftarrow Z_{p}\) as:

\(C_{i 1}=\alpha^{k_{i}} \bmod p, C_{i 2}={y_{R S U}}^{k_{i}} M \bmod p\).

 (2) The intelligent vehicle equipped with an OBU_i computes \(C_{i 1}^{\prime}=C_{i 1} \bmod q\), and utilizes the private key \(S K_{v A I D_{i}}\) to compute:

\(\sigma_{i}=h_{i}\left(v A I D_{i}\left\|t_{i}\right\| M\right) k_{i}-S K_{v A I D_{i}} {C_{i 1}}^{\prime} \bmod q\).

 Here t_i is the current timestamp.

 Finally, the intelligent vehicle sends the authenticated encrypted message \(\left\{C_{i 1}, C_{i 2}, \sigma_{i}, v A I D_{i}, t_{i}\right\}\) to the nearby RSU.

 Decryption and verification phase: Once receiving the authenticated encrypted message \(\left\{C_{i 1}, C_{i 2}, \sigma_{i}, v A I D_{i}, t_{i}\right\}\) from the intelligent OBU_i, the RSU first validates its timestamp t_i and then utilizes its private key x_RSU to decrypt the ciphertext \(C_{i 1}, C_{i 2}\) as follows:

\(M=\frac{C_{i 2}}{{C_{i 1}}^{x_{R S U}}} \bmod p\)

 With the message M and the authenticated encrypted message \(\left\{C_{i 1}, C_{i 2}, \sigma_{i}, v A I D_{i}, t_{i}\right\}\), the RSU computes \(C_{i 1}^{\prime}=C_{i 1} \bmod q\) and can further verify the validity of signature in the following verification equation:

\({C_{i 1}}^{h_{i}\left(v A I D_i \|t_i\|M\right)}=\alpha^{\sigma_{i}}\left(v A I D_{i} P_{p u b}\right)^{H_{2}\left(v A I D_{i}\right) {C_{i 1}}'} \bmod p\).

 If the above equation holds, it means that the signature is valid, the message M can be accepted by the RSU. Otherwise, the message M will be rejected.

4.2 Correctness

 For the authenticated encrypted message \(\left\{C_{i 1}, C_{i 2}, \sigma_{i}, v A I D_{i}, t_{i}\right\}\), with the private key x_RSU , the RSU computes as follows:

\(\frac{C_{i 2}}{{C_{i 1} }^{x_{R S U}}} \bmod p=\frac{{\mathrm y_{R S U}}^{k_{i}} M}{\left(\alpha^{k_{i}}\right)^{x_{RS U}}} \bmod p=\frac{{\mathrm y_{R S U}}^{k_{i}} M}{{\mathrm y_{R S U}} ^{k_{i}}} \bmod p=M\)

The correctness of the verification equation is elaborated as follows:

\(\begin{aligned} \alpha^{\sigma_{i}} &=\alpha^{h_{i}\left(v A I D_{i}\left\|t_{i}\right\| M\right) k_{i}-S K_{v AID_{i}} {C_{i 1}}^{\prime} \bmod q} \bmod p \\ \alpha^{\sigma_{i}} &=\alpha^{h_{i}\left(v A ID_{i}\left\|t_{i}\right\| M\right) k_{i}} \alpha^{-S K_{v AI D_{i}} {C_{i 1}}'} \bmod p \\ \alpha^{\sigma_{i}} \alpha^{\left(r_{i}+x\right) H_{2}\left(v A I D_{i}\right) {C_{i 1}}'} &=\alpha^{h_{i}\left(v A I D_{i}\left\|t_{i}\right\| M\right) k_{i}} \bmod p \\ \alpha^{\sigma_{i}}\left(v A I D_{i 1} P_{p u b}\right)^{H_{2}\left(v AI D_{i}\right){ C_{i 1}}'} &={C_{i 1}}^{h_{i}\left(v A I D_{i}\left\| t_{i}\right\| M\right)} \bmod p \end{aligned}\)

 Thus, the equation \(C_{i 1}^{h_{i}\left(v A I D_{i}\left\|t_{i}\right\| M\right)}=\alpha^{\sigma_{i}}\left(v A I D_{i} P_{p u b}\right)^{H_{2}\left(v A I D_{i}\right) C'_{i 1}} \bmod p\) holds.

Fig. 3. The Process of Anonymous Authentication with Secure Communication

4.3 Batch Verification of Multiple Authenticated Encrypted Messages

 Upon receiving n authenticated encrypted messages \(\left\{C_{11}, C_{12}, \sigma_{1}, v A I D_{1}, t_{1}\right\}, \ldots\left\{C_{n 1}, C_{n 2}, \sigma_{n}, v A I D_{n}, t_{n}\right\}\) from n different \(O B D_{1}, \ldots, O B D_{n}\) simultaneously, the RSU employs the private key x_RSU and the system public parameters to verify the validity of those authenticated encrypted messages in the following steps.

 (1) The RSU first validates each timestamp t_i , where i =1, 2,...,n . If it is not fresh, the RSU rejects corresponding authenticated encrypted message.

 (2) The RSU decrypts each message as \(M_{i}=C_{i 2}\left(C_{i 1}^{x_{R S U}}\right)^{-1}\), i =1, 2,...,n .

 (3) The RSU randomly choose a vector \(\beta=\left\{\beta_{1}, \beta_{2}, \dots, \beta_{n}\right\}\), where β_i is a small random integer in [1,2^λ] and λ is a small integer and has very little computation overhead. Afterwards, the RSU checks whether the following equation holds:

\(\alpha^{\sum_{\alpha^{i=1}}^{n} \beta_{i} \sigma_{i}}\prod_{i=1}^{n}\left(v A I D_{i 1} P_{p u b}\right)^{\beta_{i} H_{2}\left(v A I D_{i}\right) {C_{i1}}'}=\prod_{i=1}^{n} {C_{i 1}}^{\beta_{i} h_{i}\left(v AID_{i}\left\|t_{i}\right\| M\right)} \bmod p\)

 If the verification equation holds, the RSU accepts n authenticated encrypted messages. Otherwise, the RSU rejects them.

 Correctness:

 For n authenticated encrypted messages \(\left\{C_{11}, C_{12}, \sigma_{1}, v A I D_{1}, t_{1}\right\}, \cdots,\left\{C_{n 1}, C_{n 2}, \sigma_{n}, v A I D_{n}, t_{n}\right\}\), the RSU utilizes private key x_RSU to decrypt each message as follows:

\(\frac{C_{i 2}}{{C_{i 1}}^{x_{R S U}}} \bmod p=\frac{{\mathrm y_{R S U}}^{k_{i}} M}{\left(\alpha^{k_{i}}\right)^{x_{R S U}}} \bmod p=\frac{{\mathrm y_{R S U}}^{k_{i}} M}{{\mathrm y_{R S U}}^{k_{i}}} \bmod p=M_{i}\)

 The correctness of the verification equation is elaborated as follows:

\(\begin{array}{l} \alpha^{\sum_{i=1}^{n} \beta_{i} \sigma_{i}}=\alpha^{\sum_{i=1}^{n} \beta_{i} h_{i}\left(v A ID_{i}\left\|t_{i}\right\| M\right) k_{i}-\sum_{i=1}^{n} \beta_{i} S K_{vAID_i} {C_{i1}}^{\prime}} \bmod p \\ \alpha^{\sum_{i=1}^{n} \beta_{i} \sigma_{i}}\alpha^{\sum_{i=1}^{n} \beta_{i} S K_{v A I D_{i}} {{C_{i 1}}'}}=\alpha^{\sum_{i=1}^{n} \beta_{i} h_{i}\left(v A I D_{i}\left\|t_{i}\right\| M\right) k_{i}} \bmod p \\ \alpha^{\sum_{i=1}^{n} \beta_{i} \sigma_{i}}\prod_{i=1}^{n} \boldsymbol{\alpha}^{\beta_{i}\left(r_{i}+x\right) H_{2}\left(v A I D_{i}\right) {C_{i 1}}'}=\prod_{i=1}^{n} C_{i 1}^{\beta_{i} h_{i}\left(v A I D_{i}\left\|t_{i}\right\| M\right)} \bmod p \\ \alpha^{\sum_{i=1}^{n} \beta_{i} \sigma_{i}}\prod_{i=1}^{n}\left(v A I D_{i 1} P_{p u b}\right)^{\beta_{i} H_{2}\left(v A I D_{i}\right) {C_{i 1}}'}=\prod_{i=1}^{n} C_{i 1}^{\beta_{i} h_{i}\left(v A I D_{i}\left\|t_{i}\right\| M\right)} \bmod p \end{array}\)

5. Security of the Proposed Scheme

5.1.Security Analysis

 In this section, we will provide the security analysis of the proposed scheme, and show that it can achieve message confidentiality, message authentication and integrity, identity privacy and traceability, forward security, replay attack and impersonation attack resistance.

 Theorem 1. The proposed anonymous authentication scheme with secure communication in intelligent VANETs can achieve message confidentiality.

 Proof. In the proposed scheme, the vehicle generates \(\left\{C_{i 1}, C_{i 2}, \sigma_{i}, v A I D_{i}, t_{i}\right\}\) as the authenticated encrypted message, where \(C_{i 1}=\alpha^{k_{i}} \bmod p, C_{i 2}=y_{R S U}^{k_{i}} M \bmod p\) generated under the public key y_RSU of the RSU , the message M is transmitted as ciphertext. Thus, any outside adversary wants to recover the primitive message M , it must need to know the private key of the RSU , such that \(M=C_{i 2} / C_{i 1}^{x_{R S U}}\), this is infeasible. Therefore, the proposed scheme can achieve message confidentiality.

 Theorem 2. The proposed scheme achieves message authentication and integrity, provided that the hardness of DL (Discrete Logarithm) problem holds.

 Proof. In the proposed scheme, since the authenticated encrypted message is \(\left\{C_{i 1}, C_{i 2}, \sigma_{i}, v A I D_{i}, t_{i}\right\}\), where the signature \(\sigma_{i}=h_{i}\left(v A I D_{i}\left\|t_{i}\right\| M\right) k_{i}-S K_{v A I D_{i}} C_{i 1}^{\prime} \bmod q\), which is generated under the private key \(S K_{v A I D_{i}}\) of the anonymity identity \(v A I D_{i}\). By using Forking Lemma [36], here we assume an outside adversary can forge another valid authenticated encrypted message \(\left\{C_{i 1}, C_{i 2}, \sigma_{i}^{*}, v A I D_{i}, t_{i}\right\}\) if we repeat the process with a different choice of \(h_{i}\left(v A I D_{i}\left\|t_{i}\right\| M\right) \neq h_{i}^{*}\left(v A I D_{i}\left\|t_{i}\right\| M\right)\), the forged signature \(\sigma_{i}^{*}=h_{i}^{*} k_{i}-S K_{v A I D_{i}} C_{i 1}^{\prime} \bmod q, h_{i}^{*}=h_{i}^{*}\left(v A I D_{i}\left\|t_{i}\right\| M\right)\). In this case, we get the following equation \(\alpha^{\sigma_{i}^{*}}\left(v A I D_{i 1} P_{p u b}\right)^{H_{2}\left(v A I D_{i}\right) C_{i 1}}=C_{i 1}^{h_{i}^{*}} \mod p\) holds. Since the verification equation \(\alpha^{\sigma_{i}}\left(v A I D_{i 1} P_{p u b}\right)^{H_{2}\left(v A I D_{1}\right) C'_{i 1}}=C_{i 1}^{h^{*}} \bmod p\) holds. According to the two equations, we get that:

\(\alpha^{\sigma_{i}-\sigma_{i}^{*}}={C_{i 1}}^{h_{i}-h_{i}^{*}} \bmod p\)

 Thus \(\alpha^{\sigma_{i}-\sigma_{i}^{*}}=\alpha^{k_{i}\left(h_{i}-h_{i}^{*}\right)}\) holds. Thereby the adversary can output \(\left(h_{i}-h_{i}^{*}\right)^{-1}\left(\sigma_{i}-\sigma_{i}^{*}\right)\) as the solution of DL problem between α and C_i1 , it contradicts to the hardness of DL problem. Therefore, the proposed scheme in intelligent VANETs can achieve message authentication and integrity.

 Moreover, by applying Forking Lemma [36], we can also prove the message authentication and integrity for batch authenticated encrypted messages. In the same approach, for n authenticated encrypted messages \(\left\{C_{11}, C_{12}, \sigma_{1}, v A I D_{1}, t_{1}\right\}, \ldots,\left\{C_{n 1}, C_{n 2}, \sigma_{n}, v A I D_{n}, t_{n}\right\}\), we also assume an outside adversary can forge at least a valid authenticated encrypted message. For simplicity, here we assume \(\left\{C_{n 1}, C_{n 2}, \sigma_{n}^{*}, v A I D_{n}, t_{n}\right\}\) is forged by the outside adversary, if we repeat the process with a different choice of \(h_{n} \neq h_{n}^{*}, \quad i=1, \ldots, n\), the forged signature \(\sigma_{n}^{*}=h_{n}^{*} k_{i}-S K_{v A I D_{n}} C'_{n 1} \bmod q\). In this case, we get the following equation:

\(\alpha^{\sum^n_{i=1}\beta_i\sigma_i} \prod_{i=1}^{n}\left(v A I D_{i 1} P_{p u b}\right)^{\beta_{i} H_{2}\left(v A ID_{i}\right) {C_{i 1}}^{\prime}}=\prod_{i=1}^{n} {C_{i 1}}^{\beta_{i} h_{i}}\)

 Since the following verification equation holds:

\(\alpha^{\sum_{i=1}^{n-1} \beta_{i} \sigma_{i}+\beta_{n} \sigma_{n}^{*}}\prod_{i=1}^{n}\left(v A I D_{i 1} P_{p u b}\right)^{\beta_{i} H_{2}\left(v A ID_{i}\right) {C_{i 1}}'}={C_{n 1}}^{\beta_{n} h_{n}^{*}} \prod_{i=1}^{n-1} {C_{i 1}}^{\beta_{i} h_{i}}\)

 According to the two equations, we get that \(\alpha^{\beta_{n}\left(\sigma_{n}^{*}-\sigma_{n}\right)}=\alpha^{k_{n} \beta_{n}\left(h_{n}^{*}-h_{n}\right)} \bmod\).

 Therefore the adversary can output \(\left(h_{n}^{*}-h_{n}\right)^{-1}\left(\sigma_{n}^{*}-\sigma_{n}\right)\) as the solution of DL problem between α and C_n1 , it contradicts to the hardness of DL problem. Therefore, the proposed scheme in intelligent VANETs can also achieve message authentication and integrity for batch authenticated encrypted messages.

 Theorem 3. The proposed scheme achieves identity privacy, provided that the hardness of CDH (Computational Differ Hellman) problem holds.

 Proof. In the proposed scheme, according to the anonymity identity \(v A I D_{i}=\left\{v A I D_{i 1}, v A I D_{i 2}\right\}\), Here \(v A I D_{i 1}=\alpha^{r_{i}} \bmod p\) includes a random secret number r_i which is selected by TA, and \(v A I D_{i 2}=v R I D_{i} \oplus H_{1}\left(v A I D_{i 1}^{x}, P_{p u b}, T_{i}\right)\) includes the master secret key x of the TA. Thus, without mastering r_i or x , it is infeasible for any malicious adversary to compute \(v A I D_{i1}^{x}\) due to the hardness of CDH problem. Therefore, even if an adversary can identify an anonymity identity \(v A I D_{i}\), it will not be able to retrieve the real identity information of the intelligent vehicle.

 Theorem 4. The proposed anonymous authentication scheme with secure communication in intelligent VANETs can achieve traceability.

 Proof. In the proposed scheme, the TA with its master key x can reveal the real identity \(v R I D_{i}\) from the anonymity identity \(v A I D_{i}=\left\{v A I D_{i 1}, v A I D_{i 2}\right\}\), since it can compute \(v R I D_{i}=v A I D_{i 2} \oplus H_{1}\left(v A I D_{i 1}^{x}, P_{p u b}, T_{i}\right)\). Thus, if a target intelligent vehicle disputes its signature associated with corresponding authenticated encrypted message, the TA can trace the intelligent vehicle from the dispute signature.

 Theorem 5. The proposed anonymous authentication scheme with secure communication in intelligent VANETs can achieve forward security, replay attack and impersonation attack resistance.

 Proof. In the proposed scheme, here we consider the key exposure occurs, it means that the adversary can get the private key \(S K_{v A I D_{i}}\) of the anonymity identity \(v A I D_{i}\), which is valid in term of validity T_i . We also assume that the outside adversary could intercept the authenticated encrypted message \(\left\{C_{i 1}, C_{i 2}, \sigma_{i}, v A I D_{i}, t_{i}\right\}\), where \(C_{i 1}^{\prime}=C_{i 1} \bmod q, C_{i 2}=y_{R S U}^{k_{i}} M \bmod p,\sigma_{i}=h\left(v A I D_{i}\left\|t_{i}\right\| M\right) k_{i}-S K_{v A I D_{i}} C_{i 1}^{\prime} \bmod q\),and t_i is a valid timestamp. However, an outside adversary cannot determine whether these messages \(C_{i 1}, C_{i 2}, \sigma_{i}\) are transmitted between the intelligent vehicle and the RSU, since it cannot master the random number k_i , or it cannot generate a forged signature σ_i* in the short timestamp t_i to pass the verification executed by the RSU. Thus the proposed scheme can achieve forward security, the replay attack.

 Moreover, without mastering the secret key x of the TA, the adversary cannot recover the real identity \(v R I D_{i}\) by computing \(v R I D_{i}=v A I D_{i 2} \oplus H_{1}\left(v A I D_{i 1}^{x}, P_{p u b}, T_{i}\right)\), it cannot get the real private key i \(S K_{v A I D_{i}}\) of the \(v A I D_{i}\) by interacting with the TA in the register process. Thus, the adversary cannot generate the authenticated encrypted message \(\left\{C_{i 1}, C_{i 2}, \sigma_{i}, v A I D_{i}, t_{i}\right\}\) by personating a real intelligent vehicle \(v R I D_{i}\) . Therefore, the proposed scheme can resist impersonation attack.

5.2 Security Comparison

 Now we evaluate the security level in terms of message confidentiality, message authentication, message integrity, impersonation attack resistance, identity privacy, traceability, reply attack resistance, and forward security. The detailed security comparison is listed in Table 1. In particular, we get that Maria’s scheme [15] cannot achieve message confidentiality, reply attack resistance, or forward security. Neither He’s scheme [20] nor Lo’s scheme [21] can achieve message confidentiality. While the proposed scheme can achieve all of these security properties simultaneously.

Table 1. Security Comparison

6. Performance Comparison

 In this section, we provide an elaborate performance comparison among our anonymous authentication scheme with secure communication in intelligent VANETs and existing schemes [15, 20, 21]. For convenience, we firstly define some notations about the execution time of some cryptographic operations in Table 2. In the implementations, the cryptographic operations are run using C programming language on MIRACL of library version is 5.6.1. Our hardware platform consists of an Intel Core (TM) i5-2320 processor with 3.00GHz clock frequency, 8GB memory (7.04GB available) and a Window 10 operating system.

Table 2. Notations

6.1 Computational Costs Comparison

 We firstly evaluate the comparison of the computational costs, including the signature generation, signature verification, and the computational costs of batch signature verification in Table 3. We give the implementation about the execution time for the single signature generation and verification in Fig. 4. It can be observed that the proposed scheme takes the lowest computational costs among those schemes to perform signature generation and verification process. Furthermore, we also give the implementation about the execution time for batch verification of multiple messages in Fig. 5. The implementation comparison result shows that with the growth of the number of messages, the proposed scheme is much more efficient and takes the lowest verification time compared with existing the schemes. This is mainly because the proposed scheme does not need time-consuming bilinear pairing operations.

Table 3. Computational Costs Comparison

Fig. 4. Execution Time for the Single Generation and Verification

Fig. 5. Execution Time for Batch Verification of Multiple Messages

6.2 Communication Overhead Comparison

 Now we compare the proposed scheme with existing schemes [15, 20, 21] in terms of communication overhead. We denote |G| by the length of an element in a cyclic group G based on an elliptic curve, denote |p| , |q| by the length of an element in Z_p, Z_q, respectively. We also denote ξ by the fixed length of a general hash function value, denote ζ by the fixed length of a timestamp. The detailed communication overhead comparison is listed in Table 4. Furthermore, we implement the communication overhead of sending a single authenticated message in Fig. 6. To ensure the security of all the schemes, we set |p| and |q| to be 128bytes and 20bytes, respectively, we also set the length of an element in G to be 128bytes. For simplicity, we set the fixed length of a general hash function value and a timestamp to be 16bytes and 4bytes, respectively. Fig 6 shows that the proposed scheme owns much lower communication overhead compared with existing schemes.

Table 4. Communication Overhead Comparison

Fig. 6. The Comparison of Communication Overhead

7. Conclusions

 In this paper, we have proposed an efficient anonymous authentication scheme with secure communication in intelligent VANETs. The proposed scheme enables a legitimate vehicle to anonymously send an authenticated message to a nearby RSU, and it achieves message confidentiality, forward security, and reply attack resistance simultaneously. In particular, except the trusted authority (TA), any outside entity cannot trace the real identity of an intelligent vehicle in case of disputes. Moreover, the proposed scheme is designed on an identity-based cryptographic system, which can remove the costs of establishing public key infrastructure (PKI) and certificates management. Compared with existing schemes, the proposed scheme is much more efficient, since it does not need time-consuming bilinear pairing operations, and it also owns much lower communication overhead. Thus, the proposed scheme is much more practical in intelligent VANETs. In our future work, we will further investigate how to construct a new anonymous authentication scheme with secure communication, which can be well deployed both in vehicle-to-RSU (V2R) and vehicle-to vehicle (V2V) communication model of intelligent VANETs.