A Traceable Concurrent Data Anonymous Transmission Scheme for Heterogeneous VANETs
Vehicular Ad Hoc Networks (VANETs) are attractive scenarios that can improve the traffic situation and provide convenient services for drivers and passengers via vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) communication. However, many security challenges remain in traffic information transmission, especially under intense traffic. To ensure the privacy of users and the traceability of vehicles, we propose a traceable concurrent data anonymous transmission scheme for heterogeneous VANETs. The scheme is based on certificateless aggregate signcryption, so it supports batch verification. Moreover, conditional anonymity is achieved because the pseudo-ID technique is involved. Furthermore, it is a pairing-free scheme thanks to multi-trapdoor hash functions. As a result, the total computation overhead is greatly reduced.
Nowadays, VANETs have become more and more widely used in smart traffic. As a part of the intelligent transportation system, they can be integrated into the IoT and play an important role in improving traffic conditions in smart cities. The entities in VANETs can exchange information via Dedicated Short Range Communication (DSRC) or Transport Layer Security (TLS) protocols in three communication modes: Vehicle-to-Vehicle (V2V), Vehicle-to-Infrastructure (V2I) and hybrid mode.
A typical architecture of VANETs, as shown in Fig. 1, consists of On-Board Units (OBUs), Roadside Units (RSUs) and trusted authorities (TAs). OBUs embedded with sensors can identify static information (size, weight, etc.) and collect dynamic information of vehicles (speed, direction, etc.). In addition, acting as both sources and routers, OBUs are able to send, receive and forward all kinds of information in VANETs at any time. RSUs, a kind of infrastructure, are deployed at roadsides or crossroads. They communicate with OBUs via a wireless channel, and with other RSUs and TAs via a wired channel. TAs are responsible for registering RSUs and OBUs, tracing vehicles involved in accidents and maintaining other services in VANETs. Aiming at the authentication of big data, many batch authentication schemes have been specially designed for VANETs [2, 3, 4, 5, 6, 7, 8, 9, 10].
In 2003, the concept of aggregate signature was first introduced by D. Boneh et al. in . Taking advantage of the certificateless public key cryptosystem (CLC), many certificateless aggregate signature schemes were proposed [12, 13]. An identity-based aggregate signature scheme without pairing was then proposed for V2I communication . In 1997, signcryption was first proposed by Y. Zheng in , providing both public key encryption and digital signature in a single logical step. In 2010, Sun et al. proposed two heterogeneous signcryption schemes  that achieved mutually secure communication between PKI and IBC; it was the first work on heterogeneous cryptosystems. In 2009, the first aggregate signcryption was proposed by Selvi et al. in , which reduced computation overhead greatly. It allowed distinct signcryption ciphertexts sent to the same recipient to be validated only once at the same security level. In recent years, many aggregate signcryption schemes have been proposed [17, 18, 19, 20, 21]. However, the number of aggregate signcryption schemes is still relatively small, and some of them have security and efficiency issues that remain to be solved. In 2015, Chandrasekhar et al. proposed an aggregate signcryption scheme  based on a multi-trapdoor hash function .
In this paper, we mainly focus on two types of traffic data: unencrypted data and encrypted data. The unencrypted data is usually for vehicles to quickly obtain feedback from RSUs. The encrypted data is for the IoT data center, to prevent opponents from eavesdropping on or abusing this sensitive information. Unlike the first type, the second type of data typically arises under high traffic density. Therefore, based on an aggregate signcryption scheme with multi-trapdoor hash functions, a secure data transmission scheme is proposed for V2I scenes. Our contributions are summarized as follows.
Our scheme not only achieves batch verification of vehicles from OBUs to RSUs, but also accomplishes confidentiality and authentication in a single logical step.
Based on multi-trapdoor hash functions, our scheme involves only a fixed number of scalar multiplications and no bilinear pairing operations.
The aggregate verification information can be validated without the plaintexts and without the intended receiver. Therefore, no extra decryption computation is spent once the batch verification turns out to be invalid.
This paper is organized as follows. In section II, we briefly introduce some preliminaries. In section III, a traceable concurrent anonymous transmission scheme is constructed for VANETs. In section IV, we show the superiority of the proposed scheme by evaluating performance. Finally, the conclusion is given in section V.
II-A Multi-trapdoor hash functions
Let denote a set of parameters and (), denote , but the th pair is updated by a new one. The concept of multi-trapdoor hash function  is described as follows:
Assume that there exist participants , each of which has its own key pair . is the public key (or hash key) for generating the multi-trapdoor hash value, and is the private key (or trapdoor key) that is kept securely by its owner to generate multi-trapdoor hash function collisions. Concretely, each takes a message , a random value and its public key as input, then calculates a multi-trapdoor hash value as output. In addition, with the corresponding trapdoor key , another chosen message and a random value , each can construct an ephemeral hash key such that . When all of the participants have generated their collision parameters, a multi-trapdoor hash collision value can be calculated, namely .
II-B Security Assumptions
Let be a set of points on an elliptic curve over a finite field . The security of the proposed scheme depends on the following assumptions:
Definition 1. Elliptic Curve Discrete Logarithm Problem (ECDLP): Let be a point on an elliptic curve over a finite field. Given a random instance for any , it is difficult to compute .
Definition 2. Computational Diffie-Hellman Problem (CDHP): Let be a generator of . Given a random instance for any , it is difficult to compute .
III The Traceable Concurrent Data Anonymous Transmission Scheme for VANETs
III-A System Architecture
Fig. 2 shows the overview of the VANETs system architecture, including four entities: the OBUs equipped on the vehicles, the RSUs at the roadside, a trace authority (TRA) and a key management center (KMC).
The OBUs, with constrained computing ability, are responsible for transmitting traffic-related data to the RSUs. The data should be signcrypted with the parameters stored in a tamper-proof device (TPD), which ensures that the OBUs cannot be compromised. GPS equipped in OBUs provides precise localization. The RSUs, with more computing power, collect the signcrypted traffic information from vehicles and unsigncrypt it in an aggregate manner. If the verification is valid, the RSUs send feedback to vehicles and forward the traffic information to the traffic data center. The KMC is an honest-but-curious authority that is responsible for issuing certificates for the RSUs in PKI and generating partial private keys for vehicles in CLC. Different works [24, 25, 26, 27] have studied the relevant security issues of key management. Furthermore, in order to achieve conditional anonymity in smart traffic, the TRA plays the role of a trusted authority in charge of generating the pseudo-IDs and tracing malicious vehicles. Unlike the OBUs and RSUs, which are online, the KMC and the TRA are offline except in the registration stage and the trace stage respectively. According to the IEEE 802.11p standard, the OBUs and RSUs communicate with each other via the DSRC wireless protocol, while the RSUs interact with the traffic data center via the wired TLS protocol.
III-B Design Goals
To meet the security demands in VANETs, the proposed scheme can provide the following properties:
Confidentiality. Before being sent to the nearby RSUs, the traffic information from OBUs should be encrypted to keep opponents from eavesdropping and from using the data to mount further attacks. So, we deploy the aggregate signcryption scheme as the cryptographic primitive for confidentiality.
Conditional anonymity. The identities of OBUs, such as the plate number, are often involved in the secure communication between OBUs and RSUs, which might lead to privacy issues. So it is necessary for OBUs to use the pseudo-IDs of the participants instead of the real identities throughout the whole protocol.
Key escrow freeness. Our scheme adopts the certificateless technique to manage vehicles, so that they can generate their own secret keys, avoiding the key escrow problem.
Low computational overhead. In general, bilinear pairings are the most time-consuming cryptographic operations in a security protocol. Based on an improved multi-trapdoor hash function, the proposed scheme achieves batch verification of the OBUs' reports without pairing operations, so the performance of the new scheme is greatly improved.
III-C The Protocol
In this section, the traceable concurrent anonymous transmission scheme for heterogeneous VANETs is introduced in detail. It consists of the following seven phases: system initialization, pseudo-ID generation, vehicle registration, RSU registration, RSU broadcast, traffic information uploading, and batch verification and decryption. The detailed processes are described as follows.
III-C1 System Initialization
Both and choose the same elliptic curve over a finite field . Let be the additive group consisting of the points on , be a generator of , and denote the point at infinity, where .
randomly chooses as its master secret key and computes as the master public key.
randomly chooses as its secret key and computes as its public key.
Both and choose two one-way cryptographic hash functions: , , where denotes the bit length of the messages.
publishes the system parameter . Note that will be stored by and RSUs before their registration.
III-C2 Pseudo-ID Generation
randomly chooses and computes as one part of the pseudo-ID of .
sends to via a secure channel, where is the real identity of .
where is the period of validity of the pseudo-ID. Then it sends to via a secure channel, where is the other part of the pseudo-ID of .
sets as its pseudo-ID.
Table I. Computation overhead comparison (P: bilinear pairing, M: scalar multiplication, MH: MapToPoint hash, H: general hash; n: number of vehicles)

| Scheme | Cryptosystem | Scenario | Signcryption | Verification | Decryption |
|---|---|---|---|---|---|
| J. Kar  | IBC | Theory | 1P+2M+3H | 2H+4nM | nP+nH |
| Ziba Eslami et al.  | CLC | Theory | 1P+3M+2MH+1H | (n+3)P+(n+1)MH | nP+nM+nH |
| Y. Han et al.  | PKI | VANETs | 3M+1MH+1H | (n+1)P+nMH | nM+nH |
| S. Basudan et al.  | CLC | VANETs | 7M+3H | (n+4)P+nM+(n+1)H | 2nM+nH |
III-C3 Vehicle registration
randomly chooses as its secret value and computes .
randomly chooses , computes as ’s partial public key, where , and computes as ’s partial private key. Finally, sends and to via a secure channel.
sets as its full private key, as its full public key.
III-C4 RSU registration
randomly chooses and computes its public key . Then, sends its identity and to via a secure channel.
generates a certificate for , where is a signature signed by ’s master secret key.
sends to via a secure channel.
III-C5 RSU broadcast
chooses a public random number and generates a digital signature with its private key , where denotes the timestamp. Then, constructs a packet and broadcasts it periodically.
III-C6 Traffic Information Uploading
When enters the communication zone of , it first checks the broadcast by . If it is illegal, it aborts. Otherwise, continues by verifying whether the signature in the broadcast packet is valid. If not, it aborts. Otherwise, extracts and from and goes to the next step.
Choose randomly and compute .
Collect traffic information and compute .
Compute the ephemeral trapdoor key
, where denotes the timestamp.
Send the signcrypted information
III-C7 Batch verification and decryption
On receiving signcrypted messages from , does as follows:
Compute , and for each .
Compute , , , where denotes the number of vehicles.
Compute the ephemeral hash key
Compute the multi-trapdoor hash function value
Compute the multi-trapdoor collision value
Check if the equation holds. If not, it aborts. Otherwise, it goes to the next step.
Calculate the message of .
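The extracted text above keeps the structure of Sections II-A and III-C7 (hash key and trapdoor key per participant, a collision computed with the trapdoor, one multi-trapdoor value checked by the RSU for all n vehicles) but not the formulas. The block below is an added illustration, not the paper's construction and not Chandrasekhar's: it uses the textbook discrete-log trapdoor (chameleon) hash TH_y(m, r) = G^H(m) * y^r in a toy Schnorr group, SHA-256 reduced mod Q as the ordinary hash, and a simplified flow in which each vehicle commits to a hash value at setup and later uploads a colliding (message, randomness) pair that the RSU checks in one aggregate comparison. Group parameters, the `Vehicle`, `collision`, `multi_trapdoor_hash`, `rsu_batch_verify` and `trapdoor_from_collision` names, and the commit-then-collide flow are all assumptions made for the example; the confidentiality half of signcryption is left out.

```python
import hashlib
import secrets

# Toy Schnorr-group parameters, constructed for illustration only: far too small
# to be secure. The paper works in an elliptic-curve group; the algebra is the same.
P = 2039   # prime modulus, P = 2*Q + 1
Q = 1019   # prime order of the subgroup generated by G
G = 4      # quadratic residue mod P, hence of order exactly Q


def h_to_zq(msg: bytes) -> int:
    """Ordinary one-way hash into Z_Q (stands in for the paper's general hash)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q


class Vehicle:
    """One participant: trapdoor key x (private) and hash key y = G^x (public)."""

    def __init__(self, x=None):
        self.x = x if x is not None else 1 + secrets.randbelow(Q - 1)
        self.y = pow(G, self.x, P)


def trapdoor_hash(y: int, msg: bytes, r: int) -> int:
    """TH_y(m, r) = G^H(m) * y^r mod P; anyone can evaluate it from the hash key y."""
    return (pow(G, h_to_zq(msg), P) * pow(y, r, P)) % P


def collision(v: Vehicle, msg: bytes, r: int, new_msg: bytes) -> int:
    """Using trapdoor x, return r' with TH_y(new_msg, r') == TH_y(msg, r).
    The exponents satisfy H(m) + x*r == H(m') + x*r' (mod Q), so
    r' = r + (H(m) - H(m')) * x^{-1} (mod Q)."""
    return (r + (h_to_zq(msg) - h_to_zq(new_msg)) * pow(v.x, -1, Q)) % Q


def multi_trapdoor_hash(hash_keys, msgs, rs) -> int:
    """Multi-trapdoor hash value: product of the n individual trapdoor hashes."""
    value = 1
    for y, m, r in zip(hash_keys, msgs, rs):
        value = (value * trapdoor_hash(y, m, r)) % P
    return value


def rsu_batch_verify(hash_keys, committed, reports) -> bool:
    """RSU side: a single comparison of two multi-trapdoor values covers all n vehicles.
    committed: (m0, r0) pairs fixed at setup; reports: (m', r') pairs uploaded later."""
    expected = multi_trapdoor_hash(hash_keys, [m for m, _ in committed], [r for _, r in committed])
    actual = multi_trapdoor_hash(hash_keys, [m for m, _ in reports], [r for _, r in reports])
    return expected == actual


def trapdoor_from_collision(msg: bytes, r: int, new_msg: bytes, new_r: int) -> int:
    """Property of this textbook hash: a published collision under a long-term key
    reveals x = (H(m) - H(m')) / (r' - r). This is why a scheme must derive an
    ephemeral trapdoor key per upload rather than collide on the long-term key."""
    return ((h_to_zq(msg) - h_to_zq(new_msg)) * pow((new_r - r) % Q, -1, Q)) % Q


def simulate(n: int = 3, tamper_last: bool = False) -> bool:
    """Constructed run: n vehicles upload reports, RSU batch-verifies once."""
    vehicles = [Vehicle() for _ in range(n)]
    hash_keys = [v.y for v in vehicles]
    committed = [(b"init", secrets.randbelow(Q)) for _ in vehicles]
    reports = []
    for i, v in enumerate(vehicles):
        m0, r0 = committed[i]
        traffic = f"vehicle{i}: speed=42 lane=2".encode()  # constructed sample report
        reports.append((traffic, collision(v, m0, r0, traffic)))
    if tamper_last:
        # In-transit modification of one report without its trapdoor key:
        # pick a message whose hash differs so the aggregate check must fail.
        m, r = reports[-1]
        tampered = m + b" (tampered)"
        while h_to_zq(tampered) == h_to_zq(m):
            tampered += b"."
        reports[-1] = (tampered, r)
    return rsu_batch_verify(hash_keys, committed, reports)


if __name__ == "__main__":
    print("honest batch accepted:", simulate(3))
    print("tampered batch accepted:", simulate(3, tamper_last=True))
```

Two points the code makes that the prose does not: the RSU's cost is one product over n hash evaluations and one equality test, with no per-vehicle pairing, which is the source of the constant scalar-multiplication count claimed in Section IV; and `trapdoor_from_collision` shows why the upload step in III-C6 works with an ephemeral trapdoor key instead of the vehicle's long-term one.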
We can validate the correctness of the proposed scheme through formula derivation below.
III-E Security analysis
In this section, we discuss the security properties of the proposed scheme.
III-E1 Message authentication
In the signcryption stage, only the vehicle holding the corresponding trapdoor key can generate an ephemeral trapdoor key, so an adversary cannot forge a valid signcryption unless it can solve the ECDLP. Furthermore, an adversary attempting to recover the plaintexts from an aggregate signcryption has to solve the CDHP. Hence, our scheme achieves confidentiality, authentication, integrity and non-repudiation simultaneously.
III-E2 Internal security
No OBU can impersonate any other OBU to forge signcrypted messages, while an RSU can decrypt the signcrypted messages that are sent to other RSUs. Furthermore, even the cannot forge a valid message of other entities in VANETs, since the certificateless cryptosystem is adopted in the registration stage. Hence, internal security is ensured in the proposed scheme.
III-E3 Conditional anonymity
Because a pseudo-ID is deployed for each , the adversary cannot obtain any information about the actual identity of during the data transmission process without the secret key of that is used to generate the pseudo-ID. If the adversary still attempts to reveal 's real identity, it has to solve the ECDLP, which is assumed to be intractable.
When a dispute on happens, only can extract the information of the real identity of by calculating
which can make the traceability available.
We say that a protocol possesses unlinkability when no adversary can decide whether two different messages come from the same vehicle. The proposed scheme covers distinct messages with diverse pseudo-IDs and the corresponding private keys, because vehicles update their pseudo-IDs periodically. Therefore, the adversary cannot link messages sent at different times to a specific vehicle, so our scheme achieves unlinkability to a certain extent.
IV Performance Evaluation
In this section, we compare the proposed scheme with other existing relevant schemes in terms of computation overhead. First, for the theoretical analysis of computation complexity, let denote the pairing operation, denote the scalar multiplication operation in , denote the MapToPoint hash operation, and denote the general hash operation. Other mathematical operations, such as additions in , are omitted here since their influence on the performance evaluation is tiny.
As shown in Table I, the proposed scheme involves no pairing operations in any stage and only five scalar multiplication operations in the verification stage, independent of the number of vehicles, so it achieves the lowest cryptographic complexity overall compared with the other four existing schemes, although the number of scalar multiplications in our signcryption stage is 2 more than in Y. Han et al. .
In addition, to quantitatively analyze the computational efficiency of the proposed scheme, simulation tests were performed over the type A elliptic curve in Java Pairing Based Cryptography 2.0.0 with an Intel G640 2.80 GHz processor. The execution results allow the computational efficiency to be analyzed further. Fig. 3 shows that the proposed scheme has a comparative advantage over other aggregate signcryption schemes in time consumption in the signcryption stage. In Fig. 4, the growth of the computation overhead in our scheme is the lowest among the compared schemes in the verification stage, because only low-complexity hash operations scale with the number of vehicles in our scheme. Although, in Fig. 5, the time overhead of decryption is slightly higher than in J. Kar , our scheme still outperforms the other schemes over the whole unsigncryption stage, as shown in Fig. 6. The results show that our scheme is much more practical in VANET application scenarios.
In this paper, based on an improved aggregate signcryption scheme with multi-trapdoor hash functions, a traceable concurrent anonymous transmission scheme for heterogeneous VANETs was constructed. Confidentiality, integrity, authentication and non-repudiation are all achieved in a single logical step thanks to the aggregate signcryption algorithm. A pseudonym authority guarantees the conditional anonymity of vehicles. Because the CLC cryptosystem is used in the registration of vehicles, the heavy burden of certificate management on the KMC is lightened. Most of all, the scheme greatly decreases the computational overhead of the batch verification stage by deploying multi-trapdoor hash functions instead of bilinear pairings. The proposed scheme vastly improves the flexibility and practicability of VANETs.
This work is supported by the Key Program of NSFC-Tongyong Union Foundation under Grant U1636209, the 111 Project (B08038) and Collaborative Innovation Center of Information Sensing and Understanding at Xidian University.
-  S. Zeadally, R. Hunt, Y. S. Chen, A. Irwin, and A. Hassan, “Vehicular ad hoc networks (vanets): status, results, and challenges,” Telecommunication Systems, vol. 50, no. 4, pp. 217–241, 2012.
-  X. Du, Y. Xiao, M. Guizani, and H.-H. Chen, “An effective key management scheme for heterogeneous sensor networks,” Ad Hoc Networks, vol. 5, no. 1, pp. 24–34, 2007.
-  C. Zhang, R. Lu, X. Lin, P. H. Ho, and X. Shen, “An efficient identity-based batch verification scheme for vehicular sensor networks,” in Proc. of IEEE INFOCOM’08, 2008, pp. 246–250.
-  X. Du and H. H. Chen, “Security in wireless sensor networks,” IEEE Wireless Communications Magazine, vol. 15, no. 4, pp. 60–66, 2008.
-  K. A. Shim, “CPAS: An efficient conditional privacy-preserving authentication scheme for vehicular sensor networks,” IEEE Transactions on Vehicular Technology, vol. 61, no. 4, pp. 1874–1883, 2012.
-  S. J. Horng, S. F. Tzeng, P. H. Huang, X. Wang, T. Li, and M. K. Khan, “An efficient certificateless aggregate signature with conditional privacy-preserving for vehicular sensor networks,” Information Sciences, vol. 317, no. C, pp. 48–66, 2015.
-  H. Zhang, Q. Zhang, and X. Du, “Toward vehicle-assisted cloud computing for smartphones,” IEEE Transactions on Vehicular Technology, vol. 64, no. 12, pp. 5610–5618, 2015.
-  N. W. Lo and J. L. Tsai, “An efficient conditional privacy-preserving authentication scheme for vehicular sensor networks without pairings,” IEEE Transactions on Intelligent Transportation Systems, vol. 17, no. 5, pp. 1319–1328, 2016.
-  S. Jiang, X. Zhu, and L. Wang, “An efficient anonymous batch authentication scheme based on hmac for vanets,” IEEE Transactions on Intelligent Transportation Systems, vol. 17, no. 8, pp. 2193–2204, 2016.
-  L. Zhang, Q. Wu, J. Domingo-Ferrer, B. Qin, and C. Hu, “Distributed aggregate privacy-preserving authentication in vanets,” IEEE Transactions on Intelligent Transportation Systems, vol. 18, no. 3, pp. 516–526, 2017.
-  D. Boneh, C. Gentry, B. Lynn, and H. Shacham, “Aggregate and verifiably encrypted signatures from bilinear maps,” in Proc. of Eurocrypt’03, 2003, pp. 416–432.
-  H. Xiong, Z. Guan, Z. Chen, and F. Li, “An efficient certificateless aggregate signature with constant pairing computations,” Information Sciences, vol. 219, pp. 225–235, 2013.
-  H. Nie, Y. Li, W. Chen, and Y. Ding, “Nclas: a novel and efficient certificateless aggregate signature scheme,” Security and Communication Networks, vol. 9, no. 16, pp. 3141–3151, 2016.
-  Y. Zheng, “Digital signcryption or how to achieve cost (signature & encryption) <<cost (signature)+ cost (encryption),” in Proc. of Annual International Cryptology Conference, 1997, pp. 165–179.
-  Y. Sun and H. Li, “Efficient signcryption between tpkc and idpkc and its multi-receiver construction,” Science China Information Sciences, vol. 53, no. 3, pp. 557–566, 2010.
-  S. S. D. Selvi, S. S. Vivek, J. Shriram, S. Kalaivani, and C. P. Rangan, “Identity based aggregate signcryption schemes,” in Proc. of International Conference on Cryptology in India, 2009, pp. 378–397.
-  F. S. Babamir and Z. Eslami, “Data security in unattended wireless sensor networks through aggregate signcryption,” KSII Transactions on Internet And Information Systems, vol. 6, no. 11, pp. 2940–2955, 2012.
-  J. Kar, “Provably secure identity-based aggregate signcryption scheme in random oracles,” IACR Cryptology ePrint Archive, vol. 2013, p. 37, 2013.
-  Z. Eslami and N. Pakniat, “Certificateless aggregate signcryption: Security model and a concrete construction secure in the random oracle model,” Journal of King Saud University - Computer and Information Sciences, vol. 26, no. 3, pp. 276–286, 2014.
-  Y. Han, D. Fang, Z. Yue, and J. Zhang, “Schap: The aggregate signcryption based hybrid authentication protocol for vanet,” in Proc. of International Conference on Internet of Vehicles, 2014, pp. 218–226.
-  S. Basudan, X. Lin, and K. Sankaranarayanan, “A privacy-preserving vehicular crowdsensing based road surface condition monitoring system using fog computing,” IEEE Internet of Things Journal, vol. 4, no. 3, pp. 772–782, 2017.
-  S. Chandrasekhar and M. Singhal, “Efficient and scalable aggregate signcryption scheme based on multi-trapdoor hash functions,” in Proc. of 2015 IEEE Conference on Communications and Network Security (CNS), 2015, pp. 610–618.
-  S. Chandrasekhar, “Multi-trapdoor hash functions and their applications in network security,” in Proc. of 2014 IEEE Conference on Communications and Network Security, 2014, pp. 463–471.
-  X. Du, M. Guizani, Y. Xiao, and H. H. Chen, “A routing-driven elliptic curve cryptography based key management scheme for heterogeneous sensor networks,” International Journal of Computer Technology & Applications, vol. 8, no. 3, pp. 1223–1229, 2009.
-  Y. Xiao, V. K. Rayi, B. Sun, X. Du, F. Hu, and M. Galloway, “A survey of key management schemes in wireless sensor networks,” Computer Communications, vol. 30, no. 11-12, pp. 2314–2341, 2007.
-  X. Du and F. Lin, “Designing efficient routing protocol for heterogeneous sensor networks,” in Proc. of 24th IEEE International Performance, Computing, and Communications Conference, 2005, pp. 51–58.
-  H. Zhang, S. Chen, X. Li, H. Ji, and X. Du, “Interference management for heterogeneous networks with spectral efficiency improvement,” IEEE Wireless Communications, vol. 22, no. 2, pp. 101–107, 2015.