A Traceable Concurrent Data Anonymous Transmission Scheme for Heterogeneous VANETs
Abstract
Vehicular Ad Hoc Networks (VANETs) are attractive scenarios that can improve the traffic situation and provide convenient services for drivers and passengers via vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) communication. However, there are still many security challenges in traffic information transmission, especially under intense traffic. To ensure the privacy of users and the traceability of vehicles, we propose a traceable concurrent data anonymous transmission scheme for heterogeneous VANETs. The scheme is based on certificateless aggregate signcryption, so it supports batch verification. Moreover, conditional anonymity is achieved through the use of the pseudo-ID technique. Furthermore, it is a pairing-free scheme thanks to multi-trapdoor hash functions. As a result, the total computation overhead is greatly reduced.
I Introduction
Nowadays, VANETs have become more and more widely used [1] in smart traffic. As a part of the intelligent transportation system, they can be integrated into the IoT and play an important role in improving traffic conditions in smart cities. The entities in VANETs can exchange information via Dedicated Short Range Communication (DSRC) or Transport Layer Security (TLS) protocols in three communication modes: Vehicle-to-Vehicle (V2V), Vehicle-to-Infrastructure (V2I) and hybrid mode.
A typical architecture of VANETs, as shown in Fig. 1, consists of On-Board Units (OBUs), Roadside Units (RSUs) and trusted authorities (TAs). OBUs embedded with sensors can identify static information (size, weight, etc.) and collect dynamic information of vehicles (speed, direction, etc.). In addition, as both sources and routers, OBUs are able to send, receive and forward all kinds of information in VANETs at any time. RSUs, a kind of infrastructure, are deployed at roadsides or crossroads. They can communicate with OBUs via a wireless channel, as well as with other RSUs and TAs via a wired channel. TAs are responsible for registering RSUs and OBUs, tracing vehicles involved in accidents and maintaining other services in VANETs. To address the authentication of large volumes of data, many batch authentication schemes have been designed specifically for VANETs [2, 3, 4, 5, 6, 7, 8, 9, 10].
In 2003, the concept of aggregate signature was first introduced by D. Boneh et al. in [11]. Taking advantage of the certificateless public key cryptosystem (CLC), many certificateless aggregate signature schemes were proposed [12, 13]. An identity-based aggregate signature scheme without pairing was then proposed for V2I communication [8]. In 1997, signcryption was first proposed by Y. Zheng in [14]; it provides both public key encryption and digital signature in a single logical step. In 2010, Sun et al. proposed two heterogeneous signcryption schemes [15] that achieved mutually secure communication between PKI and IBC. It was the first work on heterogeneous cryptosystems. In 2009, the first aggregate signcryption was proposed by Selvi et al. in [16], reducing computation overhead greatly: distinct signcryption ciphertexts sent to the same recipient can be validated only once at the same security level. In recent years, many aggregate signcryption schemes have been proposed [17, 18, 19, 20, 21]. However, the number of aggregate signcryption schemes remains relatively small, and some security and efficiency issues remain to be solved. In 2015, Chandrasekhar et al. proposed an aggregate signcryption scheme [22] based on a multi-trapdoor hash function [23].
In this paper, we mainly focus on two types of traffic data: unencrypted data and encrypted data. Unencrypted data is usually for vehicles to quickly obtain feedback from RSUs. Encrypted data is for the IoT data center, to prevent opponents from eavesdropping on or abusing this sensitive information. Unlike the first type, the second type of data often arises in the case of high traffic density. Therefore, based on an aggregate signcryption scheme with multi-trapdoor hash functions, a secure data transmission scheme is proposed for V2I scenarios. Our contributions are summarized as follows.

Our scheme not only achieves batch verification of vehicles from OBUs to RSUs, but also accomplishes confidentiality and authentication in a single logic step.

Based on multi-trapdoor hash functions, our scheme involves only a fixed number of scalar multiplications and no bilinear pairing operations.

The aggregate verification information can be validated without access to the plaintexts or to the intended receiver. Therefore, no extra computation is spent on decryption once batch verification fails.
This paper is organized as follows. In Section II, we briefly introduce some preliminaries. In Section III, a traceable concurrent anonymous transmission scheme is constructed for VANETs. In Section IV, we show the superiority of the proposed scheme by evaluating its performance. Finally, the conclusion is given in Section V.
II Preliminaries
II-A Multi-trapdoor hash functions
Let denote a set of parameters and (), denote , but with the th pair updated by a new one. The concept of multi-trapdoor hash function [22] is described as follows:
Assume that there exist participants , each of which has its own key pair . is the public key (or hash key) for generating the multi-trapdoor hash value, and is the private key (or trapdoor key) that is kept securely by its owner to generate multi-trapdoor hash function collisions. Concretely, each takes a message , a random value and its public key as input, then calculates a multi-trapdoor hash value as output. In addition, with the corresponding trapdoor key , another chosen message and a random value , each can construct an ephemeral hash key such that . When all of the participants have generated their collision parameters, a multi-trapdoor hash collision value can be calculated, namely .
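The trapdoor-collision property described above is the core of any trapdoor hash function, whether single- or multi-trapdoor. The following code is an added example and is not code from the paper or from Chandrasekhar's multi-trapdoor construction: it implements the textbook single-trapdoor (chameleon) hash CH_Y(m, r) = H(m)·G + r·Y over an elliptic curve, which is the building block the paper's construction generalizes. The curve (secp256k1) and the message hash (SHA-256 reduced modulo the group order) are assumptions of this example; the paper does not name its curve or hash. It shows that the holder of the trapdoor key can compute a randomizer that makes a new message collide with a previously published hash value, that nobody without the trapdoor obtains a collision by reusing the randomizer, and, as the caveat a designer must keep in mind, that two collisions published under the same hash key expose the trapdoor, which is why practical constructions derive a fresh ephemeral hash key per message instead of reusing one.

```python
"""Chameleon (single-trapdoor) hash over secp256k1.

Added example illustrating the collision property used by trapdoor hash
functions. Not the paper's multi-trapdoor scheme. secp256k1 and SHA-256
are assumptions of this example.
"""
import hashlib
import secrets

# secp256k1 domain parameters (curve y^2 = x^3 + 7 over F_P, generator G of prime order N).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # the point at infinity (group identity)


def _add(p1, p2):
    """Affine point addition on the curve (handles identity and doubling)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF  # P + (-P)
    if p1 == p2:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P  # tangent slope (a = 0)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def _mul(k, pt):
    """Double-and-add scalar multiplication k*pt with k reduced mod N."""
    k %= N
    result, addend = INF, pt
    while k:
        if k & 1:
            result = _add(result, addend)
        addend = _add(addend, addend)
        k >>= 1
    return result


def h_msg(m: bytes) -> int:
    """Message digest mapped into the scalar field Z_N."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % N


def keygen():
    """Trapdoor key x (kept secret) and hash key Y = x*G (published)."""
    x = secrets.randbelow(N - 1) + 1
    return x, _mul(x, G)


def trapdoor_hash(Y, m: bytes, r: int):
    """CH_Y(m, r) = H(m)*G + r*Y. Anyone holding Y can evaluate it."""
    return _add(_mul(h_msg(m), G), _mul(r, Y))


def find_collision(x: int, m: bytes, r: int, m_new: bytes) -> int:
    """Trapdoor holder: r_new such that CH_Y(m_new, r_new) == CH_Y(m, r).

    Both hashes equal (H(m) + x*r)*G, so solve H(m) + x*r = H(m_new) + x*r_new mod N.
    """
    return (r + (h_msg(m) - h_msg(m_new)) * pow(x, -1, N)) % N


def recover_trapdoor(m: bytes, r: int, m_new: bytes, r_new: int) -> int:
    """Key-exposure caveat: two colliding pairs under one hash key reveal x."""
    if r == r_new:
        raise ValueError("identical randomizers carry no information about x")
    return (h_msg(m_new) - h_msg(m)) * pow(r - r_new, -1, N) % N


def demo():
    """Constructed sample: a vehicle report and a later substitute report."""
    x, Y = keygen()
    m, r = b"constructed report: speed=62", secrets.randbelow(N)
    m_new = b"constructed report: speed=63"
    r_new = find_collision(x, m, r, m_new)
    collides = trapdoor_hash(Y, m, r) == trapdoor_hash(Y, m_new, r_new)
    no_free_collision = trapdoor_hash(Y, m, r) != trapdoor_hash(Y, m_new, r)
    exposed = recover_trapdoor(m, r, m_new, r_new) == x
    return collides, no_free_collision, exposed


if __name__ == "__main__":
    print(demo())
```

Running the module prints `(True, True, True)`: the trapdoor holder produced a collision, a party without the trapdoor did not get one by reusing the randomizer, and the published collision pair leaked the trapdoor key. The last point is the design constraint that motivates ephemeral, per-message hash keys in schemes built on this primitive.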
II-B Security Assumptions
Let be a set of points on an elliptic curve over a finite field . The security of the proposed scheme is dependent on the following security assumptions:
Definition 1. Elliptic Curve Discrete Logarithm Problem (ECDLP): Let be a point on an elliptic curve over a finite field. Given a random instance for any , it is difficult to compute .
Definition 2. Computational Diffie-Hellman Problem (CDHP): Let be a generator of . Given a random instance for any , it is difficult to compute .
III The Traceable Concurrent Data Anonymous Transmission Scheme for VANETs
III-A System Architecture
Fig. 2 shows the overview of the VANETs system architecture, including four entities: the OBUs equipped on the vehicles, the RSUs at the roadside, a trace authority (TRA) and a key management center (KMC).
The OBUs, with constrained computing ability, are responsible for transmitting the traffic-related data to the RSUs. The data should be signcrypted with the parameters stored in a tamper-proof device (TPD) that ensures the OBUs cannot be compromised. GPS equipped in OBUs provides precise localization. The RSUs, with more computing power, collect the signcrypted traffic information from vehicles and unsigncrypt it in an aggregate manner. If the verification is valid, the RSUs send feedback to the vehicles and forward the traffic information to the traffic data center. The KMC is an honest-but-curious authority that is responsible for issuing certificates for the RSUs in PKI and generating partial private keys for vehicles in CLC. Different works [24, 25, 26, 27] have studied the relevant security issues of key management. Furthermore, in order to achieve conditional anonymity in smart traffic, the TRA plays the role of a trusted authority in charge of generating the pseudo-IDs and tracing malicious vehicles. Unlike the OBUs and RSUs, which are online, the KMC and the TRA are offline except in the registration stage and the trace stage respectively. According to the IEEE 802.11p standard, the OBUs and RSUs communicate with each other via a wireless communication protocol, DSRC, while the RSUs interact with the traffic data center via a wired protocol, TLS.
III-B Design Goals
To meet the security demands in VANETs, the proposed scheme can provide the following properties:

Confidentiality. Before being sent to nearby RSUs, the traffic information from OBUs should be encrypted to keep opponents from eavesdropping and from mounting further attacks based on what they learn. So, we deploy the aggregate signcryption scheme as the cryptographic primitive for confidentiality.

Conditional anonymity. The identities of OBUs, such as the plate number, are often involved in the secure communication between OBUs and RSUs, which might lead to privacy issues. So it is necessary for OBUs to use pseudo-IDs instead of their real identities throughout the protocol.

Key escrow freeness. Our scheme adopts the certificateless technique to manage vehicles so that they can generate their own secret keys, avoiding the key escrow problem.

Low computational overhead. In general, bilinear pairings are the most time-consuming cryptographic operations in a security protocol. Based on an improved multi-trapdoor hash function, the proposed scheme achieves batch verification of the OBUs' reports without pairing operations, so the performance of the new scheme is improved greatly.
III-C The Protocol
In this section, the traceable concurrent anonymous transmission scheme for heterogeneous VANETs is introduced in detail. It consists of the following seven phases: system initialization, pseudo-ID generation, vehicle registration, RSU registration, RSU broadcast, traffic information uploading, and batch verification and decryption. The detailed processes are described as follows.
III-C1 System Initialization

Both and choose the same elliptic curve over a finite field . Let be an additive group that consists of the points on , be a generator of , and denote the point at infinity, where .

randomly chooses as its master secret key and computes as the master public key.

randomly chooses as its secret key and computes as its public key.

Both and choose two one-way cryptographic hash functions: , , where denotes the bit length of the messages.

publishes the system parameter . Note that will be stored by and RSUs before their registration.
III-C2 Pseudo-ID Generation

randomly chooses and computes as one part of the pseudo-ID of .

sends to via a secure channel, where is the real identity of .

computes
where is the period of validity of the pseudo-ID. Then it sends to via a secure channel, where is the other part of the pseudo-ID of .

sets as its pseudo-ID.
Table I. Comparison of computation overhead (P: pairing, M: scalar multiplication, MH: MapToPoint hash, H: general hash, n: number of vehicles)

Scheme                  | Cryptosystem  | Application | Signcryption  | Verification     | Decryption
------------------------|---------------|-------------|---------------|------------------|-----------
J. Kar [18]             | IBC           | Theory      | 1P+2M+3H      | 2H+4nM           | nP+nH
Ziba Eslami et al. [19] | CLC           | Theory      | 1P+3M+2MH+1H  | (n+3)P+(n+1)MH   | nP+nM+nH
Y. Han et al. [20]      | PKI           | VANETs      | 3M+1MH+1H     | (n+1)P+nMH       | nM+nH
S. Basudan et al. [21]  | CLC           | VANETs      | 7M+3H         | (n+4)P+nM+(n+1)H | 2nM+nH
Ours                    | Heterogeneous | VANETs      | 3M+3H         | 5M+(3n+1)H       | nM+nH
III-C3 Vehicle registration

randomly chooses as its secret value and computes .

randomly chooses , computes as ’s partial public key, where , and computes as ’s partial private key. Finally, sends and to via a secure channel.

sets as its full private key, as its full public key.
III-C4 RSU registration

randomly chooses and computes its public key . Then, sends its identity and to via a secure channel.

generates a certificate for , where is a signature signed by ’s master secret key.

sends to via a secure channel.
III-C5 RSU broadcast
chooses a public random number and generates a digital signature with its private key , where denotes the timestamp. Then, constructs a packet and broadcasts it periodically.
III-C6 Traffic Information Uploading

When enters into the communication zone of , it firstly checks the broadcasted by . If illegal, it aborts. Otherwise, continues to verify if the signature in the broadcast packet is valid. If not, it aborts. Otherwise, extracts and from and goes to the next step.

Choose randomly and compute .

Collect traffic information and compute .

Compute the ephemeral trapdoor key
, where denotes the timestamp. 
Compute .

Send the signcrypted information
to .
III-C7 Batch verification and decryption
On receiving signcrypted messages from , does as follows:

Compute , and for each .

Compute , , , where denotes the number of vehicles.

Compute the ephemeral hash key

Compute the multitrapdoor hash function value

Compute the multitrapdoor collision value

Check if the equation holds. If not, it aborts. Otherwise, it goes to the next step.

Calculate the message of .
III-D Correctness
We can validate the correctness of the proposed scheme through formula derivation below.
III-E Security analysis
In this section, we will discuss the security properties of the proposed scheme.
III-E1 Message authentication
In the signcryption stage, only the vehicle holding the corresponding trapdoor key can generate an ephemeral trapdoor key, so an adversary cannot forge a valid signcryption unless it can solve the ECDLP. Furthermore, an adversary attempting to recover the plaintexts from an aggregate signcryption must solve the CDHP. Hence, our scheme achieves confidentiality, authentication, integrity and non-repudiation simultaneously.
III-E2 Internal security
No OBU can impersonate any other OBU to forge signcrypted messages, while an RSU can decrypt the signcrypted messages that are sent to other RSUs. Furthermore, even the cannot forge a valid message on behalf of other entities in VANETs, since the certificateless cryptosystem is adopted in the registration stage. Hence, internal security is ensured in the proposed scheme.
III-E3 Conditional anonymity
Because a pseudo-ID is deployed for each , the adversary cannot obtain any information about the actual identity of during the data transmission process without the secret key of that is used to generate the pseudo-ID. If the adversary still attempts to reveal 's real identity, it has to solve the ECDLP, which is assumed to be intractable.
III-E4 Traceability
When a dispute on happens, only can extract the information of the real identity of by calculating
which can make the traceability available.
III-E5 Unlinkability
We say that a secure protocol possesses unlinkability when no adversary can judge whether two different messages come from the same vehicle. The proposed scheme covers distinct messages with distinct pseudo-IDs and corresponding private keys, because vehicles update their pseudo-IDs periodically. Therefore, the adversary cannot link messages sent at different times to a specific vehicle, so our scheme achieves unlinkability to a certain extent.
IV Performance Evaluation
In this section, we compare the proposed scheme with other existing relevant schemes in terms of the computation overhead. Firstly, for theoretical analysis of computation complexity, let denote the pairing operation, denote the scalar multiplication operation in , denote the MapToPoint hash operation, denote the general hash operation. Note that other mathematical operations such as additive operations in are omitted here since their influence is tiny in the performance evaluation.
As shown in Table I, the proposed scheme does not involve any pairing operations in any stage and has only five scalar multiplication operations in the verification stage, independent of the number of vehicles, so it achieves the lowest cryptographic complexity overall compared with the other four existing schemes, although the number of scalar multiplication operations in our signcryption stage is two more than that of Y. Han et al. [20].
In addition, in order to quantitatively analyze the computational efficiency of the proposed scheme, simulation tests were performed over the type A elliptic curve in Java Pairing Based Cryptography 2.0.0 with an Intel G640 2.80 GHz processor. Fig. 3 demonstrates that the proposed scheme has a comparative advantage over other aggregate signcryption schemes in time consumption in the signcryption stage. In Fig. 4, the growth of the computation overhead in our scheme is the lowest among the schemes in the verification stage, because only low-complexity hash operations scale with the number of vehicles in our scheme. Although, in Fig. 5, the time overhead on decryption is a little more than that in J. Kar [18], our scheme still achieves better performance than the other schemes over the whole unsigncryption stage, as shown in Fig. 6. The results show that our scheme is much more practical in VANETs application scenarios.
V Conclusion
In this paper, based on an improved aggregate signcryption scheme with multi-trapdoor hash functions, a traceable concurrent anonymous transmission scheme for heterogeneous VANETs was constructed. Confidentiality, integrity, authentication and non-repudiation are all achieved in a single logical step due to the merits of the aggregate signcryption algorithm. A pseudonym authority guarantees the conditional anonymity of vehicles. Because the CLC cryptosystem is used in the registration of vehicles, the heavy burden of certificate management on the KMC is lightened. Most of all, the scheme greatly decreases the computational overhead of the batch verification stage by deploying multi-trapdoor hash functions instead of bilinear pairings. The proposed scheme vastly improves the flexibility and practicability of VANETs.
Acknowledgements
This work is supported by the Key Program of NSFC-Tongyong Union Foundation under Grant U1636209, the 111 Project (B08038) and the Collaborative Innovation Center of Information Sensing and Understanding at Xidian University.
References
[1] S. Zeadally, R. Hunt, Y. S. Chen, A. Irwin, and A. Hassan, "Vehicular ad hoc networks (VANETs): status, results, and challenges," Telecommunication Systems, vol. 50, no. 4, pp. 217–241, 2012.
[2] X. Du, Y. Xiao, M. Guizani, and H. H. Chen, "An effective key management scheme for heterogeneous sensor networks," Ad Hoc Networks, vol. 5, no. 1, pp. 24–34, 2007.
[3] C. Zhang, R. Lu, X. Lin, P. H. Ho, and X. Shen, "An efficient identity-based batch verification scheme for vehicular sensor networks," in Proc. of IEEE INFOCOM'08, 2008, pp. 246–250.
[4] X. Du and H. H. Chen, "Security in wireless sensor networks," IEEE Wireless Communications Magazine, vol. 15, no. 4, pp. 60–66, 2008.
[5] K. A. Shim, "CPAS: An efficient conditional privacy-preserving authentication scheme for vehicular sensor networks," IEEE Transactions on Vehicular Technology, vol. 61, no. 4, pp. 1874–1883, 2012.
[6] S. J. Horng, S. F. Tzeng, P. H. Huang, X. Wang, T. Li, and M. K. Khan, "An efficient certificateless aggregate signature with conditional privacy-preserving for vehicular sensor networks," Information Sciences, vol. 317, no. C, pp. 48–66, 2015.
[7] H. Zhang, Q. Zhang, and X. Du, "Toward vehicle-assisted cloud computing for smartphones," IEEE Transactions on Vehicular Technology, vol. 64, no. 12, pp. 5610–5618, 2015.
[8] N. W. Lo and J. L. Tsai, "An efficient conditional privacy-preserving authentication scheme for vehicular sensor networks without pairings," IEEE Transactions on Intelligent Transportation Systems, vol. 17, no. 5, pp. 1319–1328, 2016.
[9] S. Jiang, X. Zhu, and L. Wang, "An efficient anonymous batch authentication scheme based on HMAC for VANETs," IEEE Transactions on Intelligent Transportation Systems, vol. 17, no. 8, pp. 2193–2204, 2016.
[10] L. Zhang, Q. Wu, J. Domingo-Ferrer, B. Qin, and C. Hu, "Distributed aggregate privacy-preserving authentication in VANETs," IEEE Transactions on Intelligent Transportation Systems, vol. 18, no. 3, pp. 516–526, 2017.
[11] D. Boneh, C. Gentry, B. Lynn, and H. Shacham, "Aggregate and verifiably encrypted signatures from bilinear maps," in Proc. of Eurocrypt'03, 2003, pp. 416–432.
[12] H. Xiong, Z. Guan, Z. Chen, and F. Li, "An efficient certificateless aggregate signature with constant pairing computations," Information Sciences, vol. 219, pp. 225–235, 2013.
[13] H. Nie, Y. Li, W. Chen, and Y. Ding, "NCLAS: a novel and efficient certificateless aggregate signature scheme," Security and Communication Networks, vol. 9, no. 16, pp. 3141–3151, 2016.
[14] Y. Zheng, "Digital signcryption or how to achieve cost (signature & encryption) << cost (signature) + cost (encryption)," in Proc. of Annual International Cryptology Conference, 1997, pp. 165–179.
[15] Y. Sun and H. Li, "Efficient signcryption between TPKC and IDPKC and its multi-receiver construction," Science China Information Sciences, vol. 53, no. 3, pp. 557–566, 2010.
[16] S. S. D. Selvi, S. S. Vivek, J. Shriram, S. Kalaivani, and C. P. Rangan, "Identity based aggregate signcryption schemes," in Proc. of International Conference on Cryptology in India, 2009, pp. 378–397.
[17] F. S. Babamir and Z. Eslami, "Data security in unattended wireless sensor networks through aggregate signcryption," KSII Transactions on Internet and Information Systems, vol. 6, no. 11, pp. 2940–2955, 2012.
[18] J. Kar, "Provably secure identity-based aggregate signcryption scheme in random oracles," IACR Cryptology ePrint Archive, vol. 2013, p. 37, 2013.
[19] Z. Eslami and N. Pakniat, "Certificateless aggregate signcryption: Security model and a concrete construction secure in the random oracle model," Journal of King Saud University - Computer and Information Sciences, vol. 26, no. 3, pp. 276–286, 2014.
[20] Y. Han, D. Fang, Z. Yue, and J. Zhang, "SCHAP: The aggregate signcryption based hybrid authentication protocol for VANET," in Proc. of International Conference on Internet of Vehicles, 2014, pp. 218–226.
[21] S. Basudan, X. Lin, and K. Sankaranarayanan, "A privacy-preserving vehicular crowdsensing based road surface condition monitoring system using fog computing," IEEE Internet of Things Journal, vol. 4, no. 3, pp. 772–782, 2017.
[22] S. Chandrasekhar and M. Singhal, "Efficient and scalable aggregate signcryption scheme based on multi-trapdoor hash functions," in Proc. of 2015 IEEE Conference on Communications and Network Security (CNS), 2015, pp. 610–618.
[23] S. Chandrasekhar, "Multi-trapdoor hash functions and their applications in network security," in Proc. of 2014 IEEE Conference on Communications and Network Security, 2014, pp. 463–471.
[24] X. Du, M. Guizani, Y. Xiao, and H. H. Chen, "A routing-driven elliptic curve cryptography based key management scheme for heterogeneous sensor networks," International Journal of Computer Technology & Applications, vol. 8, no. 3, pp. 1223–1229, 2009.
[25] Y. Xiao, V. K. Rayi, B. Sun, X. Du, F. Hu, and M. Galloway, "A survey of key management schemes in wireless sensor networks," Computer Communications, vol. 30, no. 11-12, pp. 2314–2341, 2007.
[26] X. Du and F. Lin, "Designing efficient routing protocol for heterogeneous sensor networks," in Proc. of 24th IEEE International Performance, Computing, and Communications Conference, 2005, pp. 51–58.
[27] H. Zhang, S. Chen, X. Li, H. Ji, and X. Du, "Interference management for heterogeneous networks with spectral efficiency improvement," IEEE Wireless Communications, vol. 22, no. 2, pp. 101–107, 2015.