An Efficient Cross-Layer Authentication Scheme for Secure Communication in Vehicular Ad-Hoc Networks

Intelligent transportation systems contribute to improved traffic safety by facilitating real-time communication between vehicles and infrastructures. In this context, message authentication is crucial to safeguard vehicular ad-hoc networks (VANETs) from malicious attacks. The current state-of-the-art for authentication in VANETs relies on conventional cryptographic primitives, introducing significant computation and communication overheads. This paper presents a cross-layer authentication scheme for vehicular communication, incorporating the short-term reciprocal features of the wireless channel for re-authenticating the corresponding terminal, reducing the overall complexity and computation and communication overheads. The proposed scheme comprises four steps: S1. Upper-layer authentication is used to determine the legitimacy of the corresponding terminal at the first time slot; S2. Upon the verification result, a location-dependent shared key with a minimum number of mismatched bits is extracted between both terminals; S3. Using the extracted key and under binary hypothesis testing, a PHY challenge-response algorithm for multicarrier communication is proposed for re-authentication; S4. In the case of false detection, the key extraction step (S2) is re-executed after adapting the quantisation levels at different conditions of channel non-reciprocity based on the feedback from the re-authentication step (S3). Simulation results show the effectiveness of the proposed scheme even at small signal-to-noise ratios. In addition, the immunity of the proposed scheme is proved against active and passive attacks, including signatures' unforgeability against adaptive chosen message attacks in the random oracle model. Finally, a comprehensive comparison in terms of computation and communication overheads demonstrates the superiority of the proposed scheme over its best rivals.


I. INTRODUCTION
GLOBALLY, road traffic injuries and fatalities reach about 1.3 million annually and are expected to become the fifth leading cause of death by 2030, according to the "2nd global status report on road safety" [1]. In 2020, the European Commission reported a decrease in fatal road crashes by about 23% compared to 2010 [2], and it aims to reach zero fatalities by 2050. For the next decade, a safety framework plan is published in [3] to enhance safety and efficiency in transportation, adapting technology to develop and implement intelligent road systems based on sensors' data distributed via VANETs.
A typical VANET architecture consists of trusted/certificate authority (TA/CA), multiple fixed roadside units (RSUs), and onboard units. The latter is a vehicle-mounted wireless communication device that enables a vehicle to communicate with adjacent vehicles and surrounding RSUs via the dedicated short-range communication (DSRC) protocol [4]. In DSRC protocol, each vehicle sends a safety-related message every 100-300 msec. These messages support many road traffic applications, e.g., on-road services, and urban sensing [5]. For ease of understanding, the acronyms used in this paper are listed in Table I. In VANETs, the wireless communication channel is an open access shared medium that makes it susceptible to many adversarial active and passive attacks. For instance, a malicious vehicle can frame an emergency to mislead other drivers into slowing down, and braking; impersonate a legitimate vehicle; replay a significant number of bogus messages, which creates an unrealistic traffic situation. These attacks can cause serious problems, e.g., traffic jams or accidents. Therefore, message authentication must be established to identify the sender's legitimacy. Until now, many of the existing authentication schemes are based on the conventional public key infrastructure (PKI) [6], [7], [8]. In these schemes, a digital certificate is used to prove the ownership of the public key attached to a particular user in the network. These certificates are issued, revoked, and stored by the CA. A digital public key certificate must be attached to each transmitted message which occupies 30% of the available bandwidth [9], degrading the communication performance. Moreover, a large storage area is needed to store these certificates [10]. Furthermore, revoking a malicious terminal by distributing its issued certificates among vehicles as a part of the certificate revocation list (CRL) creates an additional significant communication load.
Different techniques have been developed to ease the heavy burden of managing CRLs. Online certificate status protocol (OCSP) is an alternative revocation mechanism in which OCSP servers reply to the terminal's certificate queries with signed responses, indicating the validation status of these certificates [11]. However, the TA's master key must be distributed among servers to manage the heavy load of these queries, degrading VANET's security strength against compromised servers. An intruder with a compromised server's master key can abuse that key to create fake responses.
To tackle PKI limitations, Shamir introduced an identity-based security and privacy scheme (ID-SPS) in [12]. In this scheme, the recipient authenticates the received signatures based on the sender's public key while signing messages using its private key. However, such a scheme suffers from high computation and communication overheads of the large-scale mathematical cryptographic operations executed at the protocol stack's upper layers (link and application layers) that cannot support high scalability and low latency. Scalable networks can add extra terminals without degradation in performance, which is the main objective of many studies [13], [14], [15]. Reference [13] proposed an identity-based message authentication scheme using proxy vehicles, in which n signatures are distributed between n d proxy vehicles for the signature verification process, where d 0.1n. The choice of the proxy vehicles depends on calculating the vehicles' additional computational resources. However, if no vehicles existed with this criterion, all the transmitted signatures must be verified by the RSUs. In [14], the computational Diffie-Hellman problem of the elliptic curve cryptosystem is conducted for singular verification to avoid the high computational overhead of bilinear pairing operations. Batch verification is another way of identifying a set of received signatures at once. Reference [15] presented a new and efficient RSU-based authentication scheme that uses bilinear pairing to verify signatures in batches. However, such a scheme will fail once a single invalid signature exists, and all the received signatures will be singularly verified.
In their study, Chaum et al. presented a different solution by introducing the group signature-based scheme that allows every group member to sign messages on behalf of the rest of the group without exposing their real identity [16]. Nevertheless, the group key must be updated and distributed by the TA for each vehicle getting in/out from the group region which makes such a scheme hard to support forward and backward secrecy, especially in the case of high-speed group members. In [17], RSUs are assigned as group managers to improve the transmission and computation overheads. However, compromised RSU makes vehicles' private information vulnerable to exposure. In reference [18], regional trusted authorities are distributed and used to provide vehicles with authentication services. Unfortunately, the significant overhead of the bilinear pairing verification process limits the authentication rate, accordingly the number of terminals to be added to the network. Furthermore, the high computation overhead of signing and verifying crypto-based signatures limits communication availability, thereby decreasing the scheme's resistance to denial-of-service attacks [19]. The term "communication overhead" in the context refers to the bandwidth and storage capacity needed to transmit data between vehicles [10]. While the term "computation overhead" refers to the processing power and computations required to perform various tasks within the network [10]. Therefore, an efficient authentication scheme must maintain a balance between low computation and communication overheads to support network scalability [20]. Table II classifies the overheads required for transmitting and verifying a single authentication request in VANETs [20].
In this challenging scenario, PHY-layer authentication has emerged as a lightweight distinguishing technique to address the shortcomings of conventional cryptographic approaches. The discrimination process is performed based on the spatial decorrelation of the wireless channel responses between different terminals in different geographic locations [21], [22], [23], [24], [25]. The inherent idea is to determine whether or not features observed from the same source are highly correlated within the channel coherence time $T_c$, known as the "feature tracking" technique. However, this technique suffers from a low probability of detection at significant channel variations and small signal-to-noise ratios (SNRs), making it impractical in resource-constrained and long-range applications [26]. Furthermore, all the corresponding terminals must be extensively observed to capture their wireless channel attributes within $T_c$, which is not feasible for dynamic and high-density applications [26]. To improve the authentication performance and the security strength, Machine/Deep learning-based multiple channel-attributes authentication schemes have been presented in [27], [28] by extracting a unique radio frequency fingerprint for each network terminal. However, the high complexity of these schemes constitutes a significant performance limitation due to the need for large data sets for training kernels/neurons, which is not applicable in VANETs. Furthermore, each terminal in the network must be pre-registered to extract its distinctive features for the supervised authentication approach.
Besides feature tracking techniques, hardware impairment attributes such as carrier frequency offset and analogue frontend imperfection are device-dependent distinguishing features between terminals [29], [30], [31]. This approach has a significant weakness in that features extracted from different devices vary slightly, leading to false decision-making. Additionally, these features are also characterised by their instabilities due to voltage supply, temperature variations, and electromagnetic interference. A tag-based authentication scheme is introduced as a signal watermarking technique to address these issues. In this technique, a pre-agreed secret modulated signal is superimposed on the transmitted signal [32], [33], [34]. However, the tradeoff between decoding performance and security is a non-negligible issue under different signal-to-tag power allocation ratios. In summary, PHY-layer-based schemes cannot provide a completely alternative solution since an initial identity verification of the corresponding terminal is still needed based on the existing cryptographic protocols to identify its legitimacy and extract its distinctive features. Nevertheless, it can be a promising complementary solution for the re-authentication problem in VANETs, introducing what is known as "cross-layer authentication [26]." The existing cross-layer authentication schemes are developed by integrating the physical layer (non-cryptographic) with the upper layer (cryptographic) operations [35]. This integration should be rational and practical to support the application nature in terms of dynamicity, resources availability, and channel conditions. Consequently, selecting the appropriate technique for re-authentication is essential. Since VANETs are close in nature to mobile communications, the rest of our review focuses on the existing cross-layer authentication schemes of VANETs and mobile applications. 
In references [9], [36], [37], authors integrated a PKI-based algorithm for entity authentication with feature tracking for re-authentication. Unfortunately, an extensive observation is still needed for successful authentication, which is not feasible in high-density traffic scenarios, along with the high vulnerability to the impersonation attack if the attacker is close enough (≤ half of the wavelength λ/2) to one of the communicating terminals and succeeded in obtaining partial information about the pre-extracted feature. Reference [38] introduced another cross-layer approach for mobile communications. In this work, the PHY response is not transmitted in the bit form but is masked by the channel frequency response between the user terminal and the base station using a fault-tolerant hashing technique. However, the time taken to generate the response signal is not evaluated and compared to the minimum coherence time to ensure the short-term channel reciprocity between the communicating terminals.
Even though the cross-layer methods described above can provide enhanced authentication, they cannot be applied to VANETs applications due to vehicular channels' high mobility and temporal variability, a matter that deserves further investigation. We developed a key-based PHY-layer challenge-response algorithm for re-authentication to fill this gap. In this algorithm, the preliminary key is mapped and masked by the channel-phase response to generate the response signal that can only be equalized at the side of the intended receiver, employing the short-term channel reciprocity and the same encapsulated key. To guarantee the channel reciprocity between high-speed terminals, we estimated the time required to generate the response signal and compared it to an indicative minimum coherence time of vehicle-to-vehicle (V2V) communication, as a worst-case scenario. Furthermore, our study examined the detection probability of re-authentication at small SNRs for an acceptable false alarm probability. In addition, we proved the scheme's security strength against typical adversarial attacks, including replaying, impersonation, and denial-of-service.
Besides authentication, the spatial and temporal variations of the wireless channel can also be exploited to extract a unique location-dependent shared key between the communicating terminals, supporting forward and backward secrecy in VANETs (an adversary cannot predict the previous or upcoming shared key based on the current one [39]). A dynamic message authentication scheme is presented in [40], in which the message authentication code related to the original frame symbol is computed based on an extracted shared key. However, the whole scheme's communication overhead is not evaluated, including the secret key extraction process and the session key obtained from the key distribution algorithm. In reference [41], a channel-based secret key is extracted and used for PHY-layer authentication, whereas in reference [42], the extracted key is used for upper layers' cryptographic operations. The keys extracted are usually not identical due to the channel being probed in the half-duplex mode [43]. Consequently, the significant communication overhead of reconciling the discrepancies in the extracted key constitutes a significant challenge for such algorithms. In existing reconciliation approaches, such as the Cascade algorithm, around 60% of the extracted bits are exposed for reconciling 10% of mismatched bits [44]. Therefore, this stage is excluded in this study since the decision rule of the re-authentication process depends on the circular variance of the equalized received response, which gives the proposed scheme an advantage of successfully re-authenticating the corresponding terminal with a sufficient key-mutuality percentage not less than 70%.
The contributions of this paper are summarised as follows:
1) We propose a low-complexity cross-layer authentication scheme for VANETs applications, employing the short-term channel reciprocity and randomness for re-authentication to address some of the performance limitation issues, particularly those related to the significant overheads of signatures generation and verification.
2) A lightweight pseudo-identity-based algorithm is proposed to initially verify the legitimacy of the corresponding terminals at the first time slot, which increases the scheme's availability and mitigates the effect of the flooding type of DoS attacks on the network. For re-authentication, a location-dependent-based PHY-layer re-authentication step is proposed for the identity re-verification process, which helps in detecting and preventing Sybil types of attacks.
3) Furthermore, we present how the proposed scheme can fulfil the security and privacy requirements of VANETs. In this way, the unforgeability of signatures is proven against adaptive chosen message attacks in the random oracle model (for background, see [45]), ensuring the resistance of the proposed scheme to impersonation and modification attacks.
4) Besides theoretical analysis, we conducted an extensive simulation to examine the detection probability of the PHY-layer re-authentication process at small SNRs ≥ 5 dB. In addition, we investigated the timing analysis of the challenge-response process to ensure that the wireless channel exhibits short-term reciprocity under conditions of high-speed terminals of up to ≈ 30 m/s. Finally, the computation and communication comparison and security analysis show that the proposed scheme offers security and cost-saving advantages over crypto-based signatures.
The rest of this paper is organised as follows. The structure of the proposed cross-layer authentication scheme is presented in Section II, while Section III discusses the adopted threat model. Section IV presents extensive performance analysis and comparisons regarding computation and communication overheads. Finally, Section V concludes this paper.

II. CROSS-LAYER AUTHENTICATION SCHEME
In this section, the system model for the proposed cross-layer scheme is presented first. Next, we describe in detail each step in the following subsections.

A. System Model for the Proposed Cross-Layer Scheme
The novelty of the proposed scheme relies on exploiting the short-term channel reciprocity between two communicating terminals for re-authentication. The corresponding terminal is re-authenticated at the PHY-layer in a challenge-response process, providing an efficient and secure verification in a low processing time. Fig. 1 presents the flowchart of the proposed approach, which can be described through the following steps.
• S1. Initial Authentication: A conditional privacy preservation authentication algorithm (ACPPA) is proposed for the key extraction algorithm in [43] is employed to extract a location-dependent shared key between both terminals. Otherwise, the authentication process is ended.
• S3. PHY-Layer Re-authentication: Under binary hypothesis testing [46], the re-authentication step is performed at the physical layer using a PHY challenge-response algorithm based on the extracted key with a sufficient number of matched bits.
• S4. Thresholding Optimisation Feedback: In the case of failure, the key extraction step (S2) is re-executed after adapting the thresholding values based on the feedback from the re-authentication step (S3).
The low complexity of the proposed scheme, i.e., our 1st contribution, stems from the integration of the re-authentication step S3 into S1. In doing so, the computation and communication overheads associated with signing and distributing signatures are drastically reduced for each transmission. For the 2nd contribution, we ensure scheme availability by designing a lightweight initial identity verification step represented in S1, mitigating the effect of DoS attacks. As for Sybil attacks detection, we integrated S2 into S3 to provide location-dependent-based re-authentication at the PHY layer. At last, the thresholding optimisation feedback step S4 is used to adjust the key extraction parameters of S2 based on the re-authentication feedback from S3.
All network terminals are assumed to be working in the time-division duplex mode with a single antenna and separated by more than λ/2 distance. The channel responses between legitimate and wiretap channels are uncorrelated. RSUs and vehicles' OBUs are supposed to be synchronised with the TA.

B. Overview of the Initial Authentication Step (S1)
The proposed ACPPA algorithm is presented in this subsection for V2V as a case study for vehicular communication in VANETs. This process aims to identify the legitimacy of the corresponding terminal initially. A location-dependent shared key will be extracted according to the signature verification result. A pseudo-identity-based algorithm is proposed to identify the corresponding terminal's legitimacy based on ECC scalar multiplications, avoiding map-to-point hash functions and time-consuming bilinear pairing operations. The proposed algorithm consists of five phases, i.e., system initialisation, registration, identity authentication, reporting, and real identity tracking. The notations used in this subsection are listed in Table III. Fig. 2 presents the top-level description of the S1 algorithm's sub-steps detailed below.
S1.1: System initialisation phase: TA generates the system's public parameters via the following processes.
• Choosing two large prime numbers p and q, and a 160-bit elliptic curve E for 80-bit security defined by $y^2 =$
• Construction of the cyclic additive group G of order q based on the generator P, so that G consists of all the points on E and the infinity point O.
• Randomly choosing the system master key $\beta \in \mathbb{Z}_q^*$.
• Selecting the hash function $H_1 : G \to \{0, 1\}^{N_1}$ and the hash message authentication code HMAC key (x) : (key :
• Finally, the algorithm's public parameters are PPs: a, b, P, p, q, G, $H_1$, HMAC.
S1.2: Registration phase: Before joining the network, each vehicle $V_i$ must register with the TA to obtain the algorithm's public parameters according to the following sub-steps.
• S1.2.1: $V_i$ transmits its unique $RID_{V_i}$ (e.g., license number) to TA to check the validation status of the $RID_{V_i}$.
• S1.2.2: TA prepares $V_i$'s secret parameters as follows.
- TA checks the $RID_{V_i}$, selects a random private number $r_{V_i} \in \mathbb{Z}_q^*$ of $V_i$, and calculates its relevant public keys as
- TA prepares the general revocation list GRL, which is a list of public keys of revoked vehicles that is distributed between vehicles and RSUs and equals GRL:
S1.3: Identity authentication phase: Mutual identity authentication between $V_1$ (Alice) and $V_2$ (Bob) is conducted when $V_2$ is in the transmission range of $V_1$. Without loss of generality, the one-way authentication process consists of three main stages.
• S1.3.1: Communication request stage: In this stage, a vehicle $V_1$ randomly selects $a_1 \in \mathbb{Z}_q^*$, computes its corresponding public parameter $A_1 = a_1 \cdot P$, then prepares its revocation list by estimating the list of temporary identities TIDs of revoked vehicles based on the general revocation list GRL as $TID_{GRL}$
• S1.3.2: Signature generation stage: In this stage, a vehicle $V_2$ checks the freshness of the received timestamp $T_1$ by testing whether $T_r - T_1 \le T_\Delta$ holds or not, hides its real identity by computing its temporary identity Then, $V_2$ calculates its signature $\sigma_{V_2}$ by selecting at random $a_2 \in \mathbb{Z}_q^*$, calculating its relevant public parameter $A_2 = a_2 \cdot P$ and the key SK
• S1.3.3: Signature verification stage: In this stage, $V_1$ checks the freshness of the timestamp $T_2$, verifies the legitimacy of $V_2$ by finding out if $TID_{V_2} \in TID_{GRL}(V_1)$, then checks the integrity of the received message by computing SK = $\sigma_{V_2}$ holds or not. The same process is reversed between the communicating terminals for mutual authentication.
S1.4: Reporting phase: Misbehaving vehicles can be reported. Let us consider that $V_1$ wants to report $V_2$. In that case, $V_1$ randomly selects $\alpha_1 \in \mathbb{Z}_q^*$, generates vehicle's pseudo-identity by computing $PID_1^1 = \alpha_1 \cdot PK_{V_1}$ and PID 2 Finally, $V_1$ reports $V_2$ by sending the tuple $PID_{V_1}, PID_{V_2}$ to TA through the RSU in the same region, in which $PID_{V_1}$ and $PID_{V_2}$ are the pseudo-identities of the reporter and misbehaving vehicles, respectively.
S1.5: Real identity tracking phase: The RIDs of the reporter and misbehaving vehicles can be revealed by the TA based on the received tuple $PID_{V_1}, PID_{V_2}$ and TA's master key $\beta$ by computing The proof of correction is verified as follows:

C. Review of the Secret Key Extraction Algorithm in [43] (S2)
Channel randomness is a natural-correlated resource for extracting a high entropy shared key between terminals. Generally, the key generation process consists of four stages, i.e., channel probing, quantisation/thresholding, information reconciliation, and privacy amplification. In our proposed scheme, we invoked the key extraction algorithm in [43] to obtain a symmetric shared key with equiprobabilities of 0s and 1s and a sufficient rate of secret bit generation, defined by the ratio of the number of matching bits to the total number of channel samples. In order to avoid the high communication overhead of reconciling the discrepancies in the extracted key, we excluded the information reconciliation and privacy amplification stages from the secret key generation process.
In high-density V2V channel conditions with many fixed and moving scatterers (e.g., other vehicles), the received signal is the superposition of L multipath components of different paths with different phase delays $\phi_l$ and fading coefficients $|a_l|$ [43]. The channel estimations at each side $Ch_{A \leftarrow B}(t)|_A$ for Alice and $Ch_{A \rightarrow B}(t)|_B$ for Bob can be formulated at instance time t as where $v_l$ is the Doppler shift of each multipath component l which is the sum of that of Alice $v_{A,l}$, Bob $v_{B,l}$, and scatterers $v_{S,l}$ [48] as Note that, the scatterers' speed can follow the Weibull distribution (with shape and scale parameters a and ω, respectively) [49].
Since the channel probing stage is performed in the half-duplex mode, channel gain complement method is utilized to compensate the channel non-reciprocity. However, zero-mean complex Gaussian noise $\mathcal{CN}(0, 2\sigma_C^2)$ still exists and is considered to be the difference between the uplink $Ch_{A \rightarrow B}(t)|_B$ and the downlink $Ch_{A \leftarrow B}(t + \Delta t)|_A$ channel responses at each side of the communicating terminals [43] as where $\Delta t \le T_c$. In [43], the perturb-observe algorithm is used to optimize the quantisation levels at different estimated non-reciprocity values $\sigma_c$ based on the feedback from the information reconciliation stage, as shown in Fig. 3(a). In this paper, we excluded the information reconciliation stage. As a result, the PHY-layer re-authentication is used as alternative feedback for the thresholds optimisation engine, as illustrated in Fig. 3(b). This feedback indicates the level of mismatching resulting from different non-reciprocity values between the communicating terminals. Step (S2) comprises three sub-steps as follows.
• S2.1: Channel Probing: Probing signals are exchanged between the communicating terminals to obtain highly correlated estimates within the coherence interval $T_c$.
• S2.2: Quantisation thresholding: Two thresholds quantisers $(q_+, q_-)$ are used to convert the estimated channel observations into bits.
• S2.3: Thresholds optimisation engine: Applying a perturb-observe algorithm [43] to adapt the quantization levels in response to the feedback from the re-authentication step (S3).
Eventually, the extracted key $k_{\{a,b\}}$ is used for the mutual re-authentication process that is discussed in the following subsection (for more information about the secret key extraction algorithm, see reference [43]).

D. Overview of the PHY-Layer Re-Authentication Step (S3)
After identity verification and the extraction of the shared key $k_{\{a,b\}}$ between legitimate parties, Alice and Bob, the generated key is partitioned into two equal-length preliminary keys $k_{\{a,b\}} = (k_a\ k_b)$ used for the two-way re-authentication process. Alice transmits a challenge signal to Bob. The latter responds by encapsulating the mapped key $k_b$ into the response signal that can be equalized at the side of Alice by exploiting the short-term channel reciprocity and the same encapsulated key. We considered a one-way re-authentication process for N subcarriers OFDM system as illustrated in Fig. 4. For mutual re-authentication, the process is reversed and repeated between terminals based on the second part of the extracted key $k_a$.
The detailed sub-steps are as follows:
S3.1: PHY communication request: Bob transmits a communication request to Alice. This request contains the pseudo-identity $PID_1^1$ of Alice and $T_i$ timestamp.
S3.2: PHY challenge: Alice infers from the communication request that a pre-authenticated vehicle is trying to communicate with her. Then Alice initiates a PHY challenge frame for N subcarriers OFDM communication system and sends an initial challenge modulated sinusoidal signal to Bob with random phases $\theta_i$ uniformly distributed over $[0, 2\pi)$ with frequencies $f_1, \ldots, f_N$ so that the transmitted signal at instance time $t_0$ can be expressed as At the receiver's terminal, the received signal by Bob at time $t_1$ is formulated in a noiseless channel as where $\psi_i = \theta_i + \xi_i$, $h_i$ for $i = 1, 2, \ldots, N$ are independent and identically distributed (i.i.d.) random variables with zero mean and variance $\mathrm{Var}(h_i) = 2\sigma^2$, and $\angle(h_i) = \xi_i \sim U[0, 2\pi)$ which is the $i$th subchannel-phase response of parallel Rayleigh fading channel of N subcarriers with probability density function $p(\xi_i) = 1/2\pi$. After that, Bob estimates the phase difference of the received signal $\Delta\psi_{in} = \psi_i - \psi_n = \Delta\theta_{in} + \Delta\xi_{in}$, in which n is a randomly selected subcarrier index that ranges from 1 to N and can be altered by Bob at each iteration. The phase difference estimation can be expressed as
S3.3: PHY response: A gray code mapping operation M(.) of order 2 bits is used to map the preliminary key $k_b = \{\kappa_1\kappa_2, \kappa_3\kappa_4, \ldots, \kappa_{2N-1}\kappa_{2N}\}$ of length 2N-bits at the side of Bob as below: for $i = 1, 2, \ldots, N$. After that, Bob responds to Alice's challenge by encapsulating the mapped key $\phi_i$ and the estimated phase difference $\Delta\psi_{in}$ into the response signal and transmitting it to Alice at time $t_1$ as The received signal by Alice at time $t_2$ is formulated in a noiseless channel as Equalizing $r_a(t_2)$ by estimating the phase $\theta_i$ of the initial signal $s_a(t_0)$, mapping the preliminary key $k_b$ at the side of Alice $\hat{\phi}_i = M(k_{b,i})$, and computing $r_a(t_2)e^{j(-\hat{\phi}_i + \theta_i)}$ so that the estimated signal by Alice at time $t_2$ can be simplified as where $\phi_{e,i}$ is an estimated phase difference error resulting from the $i$th subcarrier that holds mismatched bits and can be expressed as
S3.4: Verification process: Alice checks the legitimacy of Bob by verifying the encapsulated key. Suppose the PHY response is sent from a third party (Eve impersonates the legitimate party, Bob). In that case, it is assumed that Eve generated a random binary key vector $k_e$ for authentication, which can be represented as a hypothesis testing problem as indicated: where T is the threshold value, and Var( N i=1 ∠($c_i$)) is the circular variance of $\angle(c_i)$ which is calculated as in [50] as In binary hypothesis testing, the authentication judgment of the received signal $r_a$ from the corresponding terminal is performed based on $v = (r_a, \hat{\phi}_i)$. The decision rule is taken according to the estimated measurement v: if the received response is sent from Bob $r_{a \leftarrow b}$, then v is estimated according to the joint distribution of $p(r_{a \leftarrow b}, \hat{\phi}_i = M(k_{b,i}))$, while the received response from Eve $r_{a \leftarrow e}$ obeys the distribution $p(r_{a \leftarrow e} \mid \hat{\phi}_i = M(k_{e,i})) \cdot \Pr(\hat{\phi}_i = M(k_{e,i}))$. As long as Eve possesses zero information about $k_b$, the hypothesis testing can be formulated as The authentication judgment is further made by comparing v to the threshold value T. The proposed algorithm is an extension of the work introduced in [51].
Since the decision rule depends on the circular variance $v = \mathrm{Var}(\angle(c_i))$ over $i = 1, \ldots, N$, the remaining phase constant $(\theta_n + \xi_n)$ in (10) will not affect the final estimation result of $v$, giving the privilege of randomly selecting the subcarrier index $n$ of the phase difference operation in (6).

For a successful PHY-layer re-authentication process of $n$ vehicles, the session key at time slot $TS_L$ is periodically updated $C$ times for all the corresponding vehicles in the List, as shown in Fig. 5, and can be formulated as
where $SD_x$ and $SD_y$ are the seed numbers and the $x$ and $y$ coordinates of the point $SK_{V_{i-j}} = \{SD_x, SD_y\} \in G$, and $H_2^x(y)$ is the hash function $\{0, 1\}^* \to \{0, 1\}^{N_1}$ of the input variable $y$ for $x$ iterations. The computed $SK_{V_{i-j}}(TS_L)$ of length $N_1 = 160$ bits for the SHA-1 hash function and the safety-related message $m$ are concatenated with the transmitted PHY response for an OFDM system of $N$ subcarriers. The corresponding vehicle $V_i$ verifies the received frame by searching in the List for the $k_{\{a,b\}}$ related to the received session key $SK_{V_{i-j}}(TS_L)$ from vehicle $V_j$. In other words, the received $SK_{V_{i-j}}(TS_L)$ can be treated as an address to the $k_{\{a,b\}}$ related to vehicle $V_j$. After that, $V_i$ verifies the response signal by executing the verification process.

E. The Thresholding Optimisation Feedback Step (S4)
In this step, the feedback value v denotes the level of mismatching between the mapped keys φ e,i = φ i − φ i , indicating the degree of channel non-reciprocity between both terminals. This feedback is an input to the thresholds optimisation engine S2.3. In the case of false decision-making due to a high mismatching percentage, the key extraction step (S2) is re-executed after adjusting the quantisation region (q + − q − ). Increasing the quantization region reduces the mismatching percentage, improving the detection probability of the re-authentication step at subsequent time slots.
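The S3 challenge-response and the S4 feedback value v can be followed end to end in a noiseless simulation; this is an added example, not the authors' code. The phase constellation in `GRAY_PHASE`, the way the response phase is built, the threshold `THRESHOLD = 0.3`, the "hat" naming for Alice's own mapped key, and all function names are assumptions chosen to be consistent with the text (the constant θ_n + ξ_n is left over and does not affect v).

```python
import cmath
import math
import random

# Assumed 2-bit Gray constellation for M(.): neighbouring phases differ in one bit.
GRAY_PHASE = {(0, 0): 0.0, (0, 1): math.pi / 2, (1, 1): math.pi, (1, 0): 3 * math.pi / 2}
THRESHOLD = 0.3  # assumed value of T; the page derives T from a target false-alarm rate


def map_key(bits):
    """M(.): map a 2N-bit key to N phases, two bits per subcarrier."""
    return [GRAY_PHASE[(bits[i], bits[i + 1])] for i in range(0, len(bits), 2)]


def circular_variance(angles):
    """v = 1 - |mean(exp(j*angle))|: 0 if all phases agree, close to 1 if they are spread."""
    resultant = sum(cmath.exp(1j * a) for a in angles) / len(angles)
    return 1.0 - abs(resultant)


def responder_phases(rx_phases, key_bits, rng):
    """S3.2/S3.3: phase differences against a random reference subcarrier n, plus mapped key."""
    n = rng.randrange(len(rx_phases))
    phi = map_key(key_bits)
    return [phi[i] - (rx_phases[i] - rx_phases[n]) for i in range(len(rx_phases))]


def alice_verify(theta, resp_rx, key_bits, threshold=THRESHOLD):
    """S3.4: equalise with exp(j(-phi_hat_i + theta_i)), then accept if v <= T."""
    phi_hat = map_key(key_bits)
    residual = [resp_rx[i] - phi_hat[i] + theta[i] for i in range(len(theta))]
    v = circular_variance(residual)
    return v <= threshold, v


def run_session(alice_key, responder_key, rng, noise_std=0.0):
    """One challenge-response round over a reciprocal channel (same xi in both directions)."""
    n_sub = len(alice_key) // 2
    theta = [rng.uniform(0, 2 * math.pi) for _ in range(n_sub)]  # Alice's random phases
    xi = [rng.uniform(0, 2 * math.pi) for _ in range(n_sub)]     # channel-phase response
    rx = [theta[i] + xi[i] + rng.gauss(0, noise_std) for i in range(n_sub)]
    resp = responder_phases(rx, responder_key, rng)
    resp_rx = [resp[i] + xi[i] + rng.gauss(0, noise_std) for i in range(n_sub)]
    return alice_verify(theta, resp_rx, alice_key)


def with_mismatch(key_bits, mutuality, rng):
    """Copy of the key in which a fraction (1 - mutuality) of 2-bit symbols has one bit flipped."""
    bits = list(key_bits)
    n_sym = len(bits) // 2
    for s in rng.sample(range(n_sym), round((1 - mutuality) * n_sym)):
        bits[2 * s + rng.randrange(2)] ^= 1
    return bits


def demo(seed=1, n_sub=64):
    """Constructed keys: Bob with 100/90/70 % mutuality, and Eve with a random key k_e."""
    rng = random.Random(seed)
    k_a = [rng.randrange(2) for _ in range(2 * n_sub)]
    k_e = [rng.randrange(2) for _ in range(2 * n_sub)]
    return {
        "bob": run_session(k_a, k_a, rng),
        "bob_90": run_session(k_a, with_mismatch(k_a, 0.9, rng), rng),
        "bob_70": run_session(k_a, with_mismatch(k_a, 0.7, rng), rng),
        "eve": run_session(k_a, k_e, rng),
    }


if __name__ == "__main__":
    for name, (accepted, v) in demo().items():
        print(f"{name:7s} accepted={accepted} v={v:.3f}")
```

With Gray mapping a single flipped bit shifts a subcarrier by ±π/2, so v grows with the fraction of mismatched symbols; that is the quantity S4 feeds back to the quantiser.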

III. THREAT MODEL OF THE PROPOSED SCHEME
In this section, design goals in terms of security and privacy objectives are introduced, and then, we discuss in detail how the proposed scheme satisfies these goals.

A. Design Goals for the Proposed Scheme
To achieve the 3rd contribution, the proposed scheme must satisfy the following security and privacy objectives [10], [47].
1) Privacy preservation: Semi-trusted terminals (RSUs) or distrusted terminals (surrounding vehicles) cannot extract identifiable data about the sender from message contents.
2) Non-Repudiation: The transmitter cannot deny the authorship of the transmitted signatures.
3) Traceability: In the proposed scheme, vehicles communicate with each other using their temporary identities to preserve users' real identities, providing conditional privacy. Only TA has the privilege to trace the real identities of vehicles and prevent malicious vehicles from participating in the network.
4) Unlinkability: Distrusted terminals cannot track the transmitter's behavior by determining the origins of two different signatures.
5) Resistance to attacks: The attacker's priority is to disrupt the network by applying the following common attacks:
• Replay attack: The attacker retransmits previously captured data from the network after a period, which confuses the targeted terminal.
• Impersonation attack: The attacker tries to pose as a legitimate terminal, making the transmitted data appear as a normal flow of data.
• Denial-of-service (DoS) attack: This paper considers the flooding type of DoS attack [52], in which the attacker tries to deteriorate the network's performance by overwhelming the targeted terminal with fake requests.

B. Security and Privacy Evaluation of the ACPPA Algorithm
In this part, we prove the security strength of the ACPPA algorithm in the Random Oracle Model, in which the unforgeability of the signature generation stage is discussed against adversary A who is trying to impersonate , output x ∈ {0, 1} * under key ∈ G. Signature generation stage is (τ Sig.Gen , q ID , q s , Sig.Gen ) existentially unforgeable against identity and adaptive chosen message attacks in the ROM as (16) where T m is the run time of scalar multiplication, q ID and q s are the number of queries to oracles H 1 (.) and HM AC key (.), respectively, and Sig.Gen and τ Sig.Gen are the probability and time for adversary A to generate a non-trivial forgery (the proof of (16) is derived in the Appendix). The following proves that the ACPPA algorithm meets the mentioned design goals. 1) Privacy preservation and identity anonymity: The real identities RID V i of the communicating terminals are preserved from adversary A as the authentication process depends on exchanging the pseudo-identities P Since the tracking phase depends on the knowledge of TA's master key β, A has no chance to track or identify vehicles' real identities, providing conditional privacy preservation. 2) Non-Repudiation: Each side of the communicating terminals cannot deny its authorship of the generated signatures because the T ID V i and P ID V i can only be computed based on the RID V i , P K V i , and P K V i ,T A which are stored in V i 's TPD and only accessible by the vehicle itself. updated. Accordingly, it is hard for A to determine the origins of two randomly captured signatures from the same vehicle. 
5) Attacks resistance: The proposed algorithm is shown to be resilient to common types of attacks, e.g., replay, impersonation, modification, MITM, Sybil, and DoS attacks as follows:
• Resistance to replay attack: The ACPPA algorithm resists replay attacks as each terminal checks the freshness of each generated signature $\sigma_{V_i}$ based on the attached timestamp $T_i$ by testing whether $T_r - T_i \le T_\Delta$ holds or not. In addition, the randomly generated variables $a_j$, $a_i$, and $\alpha_i \in Z_q^*$ are frequently updated to avoid such attacks, as the signature generation process depends on the current parameters. These reasons make the ACPPA algorithm immune to replay attacks.
• Resistance to impersonation attack: In this attack, an adversary A tries to masquerade as a legitimate vehicle $V_i$ by creating a valid signature T ID To succeed, A must forge the signature $\sigma_{V_i}$, which is existentially unforgeable against identity and adaptive chosen message attacks proved in the ROM. Thus, ACPPA is resilient to such attacks.
• Resistance to modification attack: The integrity of the received signature can be easily detected by estimating in which, the session key $SK_{i-j}$ is computed using the Diffie-Hellman key exchange protocol under the difficulty of solving the ECDLP. After that, the verifier checks whether $\sigma_{V_i} \stackrel{?}{=} \sigma_{V_i}$ holds. If not, such an attack is detected, and the received signature is rejected.
• Resistance to MITM attack: To avoid this attack, the recipient ensures that the message sender is a legitimate party. The proposed ACPPA algorithm uses the temporary identity $TID_{V_j}$ to identify the sender's legitimacy, computed based on the session parameter $a_i \in Z_q^*$. To execute this attack, an adversary A must forge a valid signature, which is existentially unforgeable against identity and adaptive chosen message attacks proved in the ROM. Thus, this attack is prevented.
• Resistance to Sybil attack: An internal attacker (an authenticated user from inside the network who is aware of the network configuration) has multiple fabricated PIDs that can be used singularly or simultaneously to masquerade as multiple vehicles. This type of attack is common in many contributed VANET signature-based techniques. In our scheme, a unique shared key is obtained using a location-dependent channel-based secret key extraction algorithm (S2). This means that there is no opportunity for a single vehicle in the network to extract more than a shared key within $T_c$. In other words, whatever the number of the generated PIDs, there is no chance of generating more than one shared key between two terminals within $T_c$, which varies at different terminal speeds, mitigating the effect of such an attack on the network.
• Resistance to DoS attack: Considering communication availability and since this study aims to reduce the computation and communication overheads, this paper examines the common flooding type of DoS attack [53] on S1. In the latter (S1), the recipient verifies the sender's legitimacy and eventually discards fake requests (Fig. 1), preventing A from proceeding to S2. In this attack, an adversary A attempts to flood $V_j$ with several requests in the form of $A_i, T_i$ or flood $V_i$ with signatures in the form of $TID_{V_j}, PID_{V_j}, A_j, T_j, \sigma_{V_j}$. In both cases, the targeted terminal replies by signing or verifying HMAC-based signatures, in which the computation overhead of the $HMAC_{key}(x)$ process is low, within a few μsecs, which reduces the effect of DoS attacks on the network compared to the computationally expensive ECDSA-based signatures.
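The freshness test T_r − T_i ≤ T_Δ and the HMAC comparison described above can be combined into one verifier, shown here as an added sketch that is not the ACPPA implementation. The field encoding, the window `T_DELTA`, the rejection of future timestamps, the constructed key and identities, and the function names are assumptions; HMAC-SHA256 and the 4-byte timestamp follow the sizes given on the page.

```python
import hashlib
import hmac
import struct

T_DELTA = 2  # assumed freshness window in seconds; the page gives no value


def _encode(tid: bytes, pid: bytes, t_i: int) -> bytes:
    """TID || PID || T_i with length prefixes so field boundaries are unambiguous (assumed)."""
    fields = b"".join(struct.pack(">H", len(f)) + f for f in (tid, pid))
    return fields + struct.pack(">I", t_i)  # 4-byte timestamp


def sign(sk: bytes, tid: bytes, pid: bytes, t_i: int) -> bytes:
    """sigma = HMAC_SK(TID || PID || T_i), 32 bytes with SHA-256."""
    return hmac.new(sk, _encode(tid, pid, t_i), hashlib.sha256).digest()


def verify(sk: bytes, tid: bytes, pid: bytes, t_i: int, sigma: bytes, t_r: int) -> str:
    """Cheap freshness test first, then a constant-time comparison of the recomputed MAC."""
    # Rejecting timestamps from the future is an added hardening, not stated on the page.
    if not 0 <= t_r - t_i <= T_DELTA:
        return "stale"
    if not hmac.compare_digest(sign(sk, tid, pid, t_i), sigma):
        return "bad-signature"
    return "ok"


# Constructed sample values for a stand-alone run.
SK = bytes(range(32))
TID, PID = b"TID-demo", b"PID-demo"

if __name__ == "__main__":
    sig = sign(SK, TID, PID, 1000)
    print(verify(SK, TID, PID, 1000, sig, t_r=1001))  # fresh and authentic
    print(verify(SK, TID, PID, 1000, sig, t_r=1010))  # replayed after the window
    print(verify(SK, TID, PID, 1009, sig, t_r=1010))  # timestamp rewritten by the replayer
```

Because T_i is inside the MAC input, a replayer who rewrites the timestamp to pass the freshness test fails the signature check instead.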

C. Security Evaluation of the PHY Challenge-Response
In this subsection, the security strength of the PHY challenge-response algorithm is evaluated under different adversarial scenarios by considering Eve as a passive and active attacker who knows the algorithm's schematic diagram. Eve is a passive attacker who can eavesdrop on the challenge signal and its related response and try to deduce any helpful information about the extracted shared key. However, the key cannot be deduced easily from the PHY response for two main reasons: 1) the high sensitivity of the channel multipath components to the distance between the communicating terminals, which makes it hard to differentiate between the initial signal's random phases $\theta_i$ and the channel-phase response $\xi_i$; 2) the Avalanche effect [54]: considering the PHY response generation process as a separate cryptographic operation $R(\cdot)$ with input $I = (\theta_i, \xi_i)$ and output $O \leftarrow R(I)$, $R(\cdot)$ depends on the phase difference operation $\Delta\psi_{in}$ in (6), in which Bob's random choice of the subcarrier index $n \in [1, N]$ yields a different output $O$ under the same input $I$ with probability $1/N$. For these reasons, it is hard for Eve to estimate sensible information about the extracted key. Thus, by considering Eve as an active attacker, three primary potential attacks can be constructed in this scenario: replay, impersonation, and modification attacks.
1) Resistance to impersonation attack: Under this attack, Eve attempts to impersonate Alice or Bob. Suppose Eve is trying to impersonate Bob by generating a valid response. In that case, she possesses zero information about the extracted shared key and the correct session key $SK_{V_{i-j}}(TS_L)$ and has no chance to pass the authentication process successfully. If Eve is trying to impersonate Alice by sending a challenge signal to Bob, she can barely succeed in deriving Bob's authentication key $k_b$. However, Eve cannot estimate or predict the upcoming $SK_{V_{i-j}}(TS_{L+1})$ to generate a correct response signal at $TS_{L+1}$. In addition, she cannot pass the mutual authentication process as she knows nothing about the other part of the extracted key $k_a$.
2) Resistance to replay attack: Eve can capture the transmitted signal from a legitimate terminal at time $t$ and retransmit it at time $t + \Delta t$. The replayed signal can be the challenge signal (case 1) or the response signal (case 2). In case 1, the challenge signal can be treated as an impersonation attack in which Eve is trying to impersonate Alice. She has no opportunity to estimate the subsequent $SK_{V_{i-j}}(TS_{L+1})$ to generate a correct PHY response. In case 2, the outcome depends on $\Delta t$. For $\Delta t > T_c$, the attack can easily be detected as the challenge signal varies over time and the decision rule depends on the phase of the current challenge signal, while for $\Delta t \le T_c$, Eve has no chance of success due to the small correlation coefficient of channel-phase responses between the legitimate and wiretap channels.
3) Resistance to modification attack: Eve attempts to alter the message contents. In that case, such an attack can easily be detected, and the altered message is rejected due to the lack of reciprocity between the channel-phase response of the forward link $Ch_{A \to B}(t)$ and that of the reverse link $Ch_{A \leftarrow E \leftarrow B}(t + \Delta t)$ for $\Delta t \le T_c$.

IV. PERFORMANCE EVALUATION
In this section, satisfying the 4th contribution, we evaluate the performance of the PHY challenge-response algorithm, as well as the computation and communication overheads, in order to elicit its advantages over existing alternatives.

A. Performance Analysis of the PHY Challenge-Response
As part of this section, the detection probability of the re-authentication process is evaluated. Then, simulation and timing analyses are presented.
1) Detection $P_D$ vs. false alarm $P_{FA}$ probabilities: Estimating the probability density function (PDF) is necessary to investigate the probabilities of detection and false alarm under different threshold values. Based on the hypothesis testing problem in (12), at a certain threshold value $T$, $P_D$ is the probability that the corresponding terminal is successfully authenticated as a legitimate party, while $P_{FA}$ is the probability of a third party being authenticated as an authorized terminal. By deriving the cumulative distribution function (CDF) from the PDF of both hypotheses, one can estimate the optimum value of $T$ for an acceptable false alarm probability. According to the central limit theorem (CLT) [55], $v$ in (12) is the circular variance of a specific number of $N \in \{64, 128, 256\}$ subcarriers that can be approximated as a normally distributed random variable with means $\mu_{H_{0,1}}$ and variances $\sigma^2_{H_{0,1}}$ for both hypotheses $H_{0,1}$.
Thus, the PDF $F(\cdot)$ for both hypotheses $H_{0,1}$ can be formulated as
Then, the CDF $\phi(\cdot)$ for both hypotheses can be expressed as
where the error function $\mathrm{erf}(z) = \frac{2}{\sqrt{\pi}} \int_0^z e^{-t^2}\,dt$. Successful authentication is estimated for $v \mid H_0 \le T$, in which the threshold value $T$ is obtained for an acceptable probability of false alarm
Then, given $T$, the probability of detection can be estimated as
for
$$BGR = \frac{\text{no. extracted bits}}{\text{no. channel samples}}, \qquad BMR = \frac{\text{no. erroneous bits}}{\text{no. channel samples}} \tag{25}$$
where $BGR$ and $BMR$ are the bit generation rate and bit mismatch rate, respectively [43]. The independent mapping operation $M(\cdot)$ in (7) is a one-to-one mapping operation (2 bits for each subcarrier), which means that a sufficient number of matched bits in the extracted key from S2 is required to discriminate between Bob and Eve, avoiding false decision making. In other words, a sufficient mutuality, indicated by $R$ in (24), must be assured to successfully authenticate the communicating vehicle. mutuality of the shared key for $M = 1$ and 3, respectively, to achieve a high $P_D \ge 0.9$ at $P_{FA} \le 0.1$. In case of miss-detection $v \mid H_0 > T$, we use $v$ in (12) as feedback to express the mutuality percentage $R$ of the extracted key from S2. The value of $v \in [0, 1]$ in (12) is exploited to indicate the level of channel non-reciprocity, modeled through the standard deviation $\sigma_c$ in (3). In [43], the perturb-observe algorithm is used to adjust the quantisation levels at different $\sigma_c$ values by employing the cumulative distribution function and average fade duration statistics to determine the new threshold levels. Fig. 8 demonstrates the relationship between the expectation $E(v \mid R)$ at different $R = [50, 100]\%$ and SNR = {5, 10} dB. It can be noted that increasing the matching percentage $R$ decreases the expectation $E(v \mid R)$ and vice versa.
This proves the ability of the re-authentication process to be an alternative to the information reconciliation stage for the thresholds optimisation engine S2.3.  3) Timing analysis: In a real environment and the case of high-speed dynamic terminals, the time difference between transmitting the PHY challenge and receiving its related response must be less than the coherence time (t 2 − t 0 ) < T c , which is the sum of the uplink (t 1 − t 0 ) and the downlink (t 2 − t 1 ) propagation time and the processing time of generating the PHY response (t 1 − t 1 ), where t 0 , t 1 , t 1 , and t 2 are the time of the signals in (4), (5), (8), and (9), respectively. For V2V communication, the DSRC bandwidth is assigned from 5.85 to 5.925 GHz [8]; thus, the maximum Doppler shift arising from the vehicles' and scatterers' speeds, u V 1 (2) and 30 m/s at 5.9 GHz carrier frequency. While the minimum coherence time is T c(min) = 1/f d(max) = 0.4237 msec [43]. The propagation time T P is evaluated to be 10 μsec for 3 km distance between both terminals.
Since v's distribution obeys the CLT [55], increasing the number of subcarriers N decreases the variances σ 2 H 0 and σ 2 H 1 of v's distribution in (18), improving the ROCs at small mutuality percentages, as demonstrated in Fig. 9. Table IV presents the processing time of the PHY challenge T P HY chang , response T P HY resp , and verification T P HY verf processes at different numbers of subcarriers N = {64, 128, 256}, which were evaluated using an Intel Core i7 2.7 GHz processor with 16.0 GB RAM. From Table IV, the estimated T P HY resp is in the order of 0.39 msec at N = 64 subcarriers; thus, the total processing time (2T P + T P HY resp ) is 0.41 msec at N = 64, smaller than T c(min) . In addition, it can be noted from the same table that increasing the number of subcarriers (i.e., N = {128, 256}) increases the processing time T P HY resp , limiting the efficiency of the proposed algorithm at high-speed terminal conditions (i.e., (2T P + T P HY resp ) = 0.843 msec at N = 128 and 1.74 msec at N = 256, both > T c(min) ). This is a tradeoff between high ROCs at low mutuality percentages and performance at high-speed terminals.

B. Comparison of Computation and Communication Overheads
Computation and communication complexities are important aspects to be considered when evaluating system performance. Table V compares computation and communication overheads for verifying and sending n signatures from a single vehicle using the proposed scheme, ID-MAP [13], CPPA [14], and NERA [15]. The following time quantities, T m , T e , T M →P , T HMAC , and T P HY verf , represent the time consumed by scalar multiplication of the ECC, bilinear pairing, map-to-point hashing, hash message authentication code, and PHY-layer verification (S3.4), respectively. Furthermore, Table V classifies the performance metrics of each scheme according to the classification represented in Table II. 1) Computation overhead analysis: This part demonstrates the computational comparison in detail. For an accurate computational evaluation, in Table VI, the execution time of multiple cryptographic operations over different curve parameters is computed in [56] by using Intel Core i7 and the widely used MIRACL cryptographic library [57]. In our scheme, the time consumed for verifying n received signatures from a single vehicle is T m + T HMAC + nT P HY verf , in which T m + T HMAC is the running time for the signature verification stage (S1.3.3) at the first time slot and nT P HY verf for the PHY-layer verification (S3.4) of the subsequent n received PHY-responses. In ID-MAP [13], the verification process at the side of the proxy vehicle costs about (d + 6)T m (for d max = 300 messages as recommended in [58]), while this value at the endpoint terminals is 5 n d T m . Furthermore, it can be noted from Table V that the verification processes in CPPA [14] and NERA [15] require about (n + 2)T m and 3T e + nT m + nT M →P , respectively.
To verify 1000 subsequent signatures sent from a single vehicle, the time required for the verification process at the endpoint in our scheme is 125.  4.4)], respectively. It is proven that the proposed scheme is more computationally efficient than the mentioned signature-based schemes [14], [15], and [13] at the side of the proxy vehicle. Also, applying the proposed approach in V2I authentication using proxy vehicles as a future work can provide better performance than [13] at the RSU as an endpoint terminal. 2) Communication overhead analysis: In this subsection, we evaluate and compare the proposed scheme's communication overhead. For 80 bits security level of the ECC, we assumed |q| and |G| to be 20 and 40 bytes, respectively. In addition, the length of the timestamp is assumed to be 4 bytes. The size of the communication request A 1 , T 1 in (S1.3.1) is 40 + 4 = 44 bytes, where A 1 ∈ G. Also, the size of the generated signature T ID V 2 , P ID V 2 , σ V 2 , A 2 , T 2 in (S1.3.2) is 40 + 60 + 32 + 40 + 4 = 176 bytes long for Hash-SHA-1 and HMAC-SHA256 with 160 and 256 output-bits, respectively, and (T ID V 2 , P ID 1 2 , A 2 ) ∈ G. This part presents a detailed comparison of communication overheads. From Table V, the overall communication overhead of the proposed scheme equals 176 + 58.5n bytes, which is the sum of that of the ACPPA signature at the first time slot (176 bytes), PHY communication request (22.5n bytes), PHY response with key length of 128 bits for 64 subcarriers (16n bytes), and SK V i−j (T S L ) of length (20n bytes) at subsequent n time slots. From Table V, the signature size sent to the proxy vehicles in ID-MAP [13] is 204d, while this value at the endpoint (RSU) is 184 n d + 124n. In CPPA [14] and NERA [15], the lengths of the generated signatures are 107n and 62n, respectively. 
To transmit 1000 subsequent signatures from a single vehicle, the size of the transmitted signatures in our scheme is 58674 bytes [= 176 + (58.5 × 1000)], while this value in ID-MAP [13] at the proxy vehicle, ID-MAP [13] at the endpoint terminal, CPPA [14], and NERA [15] Fig. 11. Compared to traditional methods, our scheme has the lowest communication overhead. Based on the overall computation and communication analyses, we conclude that the proposed scheme outperforms CPPA [14]. Even though ID-MAP [13] is slightly more computationally efficient under a specific condition of proxy vehicles' existence, it has a significantly higher communication overhead in V2I communication, see Fig. 11. Furthermore, Fig. 10 shows that NERA [15] is significantly more computationally costly than all its competitors since it is bilinear pairing-based, despite having a slightly higher communication overhead than ours in Fig. 11. In this regard, the proposed scheme's lightweight re-authentication at the physical layer maintains a balance and optimises the trade-off between the computation and communication overheads, thereby enhancing network scalability. Aside from this, considering the channel's physical characteristics, our scheme is more effective in detecting Sybil attacks and reducing the impact of the flooding type of DoS attacks on the network, as demonstrated in Section III. Both of these attacks are common for signature-based authentication.

V. CONCLUSION
In this paper, we introduced a novel cross-layer authentication scheme for secure vehicular communication. In this scheme, a signature-based authentication algorithm is proposed to determine the legitimacy of the corresponding vehicle at the first time slot, employing the secret key generation algorithm in [43] for extracting a high entropy shared key with a minimum number of mismatched bits, avoiding the high communication overhead of the information reconciliation stage. The proposed scheme is the first authentication scheme that uses the PHY-layer challenge-response algorithm in VANET applications, offering a high and successful authentication rate of up to 8000 signatures/sec. Simulation and implementation results proved the capability of the proposed algorithm to support a high probability of detection ≥ 0.9 at low false alarm probabilities ≤ 0.1 under small SNR values ≥ 5 dB, and key mutuality percentages ≥ 70%. According to the comprehensive comparison, the time required for verifying 1000 signatures in our scheme is improved by 71%, 72%, and 97% compared to ID-MAP [13] at the side of the proxy vehicle, CPPA [14], and NERA [15], respectively. As a further advantage, the proposed scheme can detect and mitigate Sybil and DoS attacks, which are common for crypto-based authentication approaches. In future work, the proposed cross-layer scheme could be applicable in authentication-based proxy vehicles, providing higher performance than traditional proxy vehicle-based techniques. We will also investigate the performance of the scheme in a realistic vehicular wireless channel at different vehicle speeds for VANET applications.
Proof: Considering an adversary A who is trying to forge σ V 2 of the vehicle V 2 by the construction of an algorithm C to solve the defined problems with a probability of success sig.Gen. . Algorithm C initially holds two empty tables T H 1 [.] and T HMAC [.] to simulate random oracles H 1 (.) and HM AC key (.), then answers A's oracle queries as follows: r Identity (ID) queries: For a query (T ID V 2 , P ID 1 2 , A 2 ), C holds A 1 , (a 2 , α 2 ∈ Z * q ) , randomly selects r V 2 and β ∈ Z * q , then computes A 2 = a 2 · P, P ID 1 2 = α 2 · r V 2 · P, P K V 2 ,T A = r V 2 · β · P, = α 2 · P K V 2 ,T A , and T ID V 2 = r V 2 · A 1 . If T H 1 [ ] is defined, then C halts, returns ⊥, and sets false ← true, otherwise, it sets T H 1 ( ) ← H : {0, 1} N 1 , and returns (T ID V 2 , P ID 1 2 , A 2 ) to A under (r V 2 , β). r Sign queries: For a query (P ID 2 2 , σ V 2 , T 2 ), C selects RID V 2 ∈ {0, 1} N 2 at timestamp T 2 , obtains H from ID queries, then computes SK V 1−2 = a 2 · A 1 and P ID 2 2 = RID V 2 ⊕ H. If T HMAC [T ID V 2 P ID V 2 T 2 ] is defined, C halts, returns ⊥, and sets false ← true. Otherwise, it sets HM AC SK V 1−2 (T ID V 2 P ID V 2 T 2 ) ← σ V 2 : {0, 1} N 2 , and returns (P ID 2 2 , σ V 2 , T 2 ) to A under RID V 2 . Finally, it is assumed that A successfully generated a forged signature T ID V 2 , P ID V 2 , σ V 2 , A 2 , T 2 under r V 2 , β, RID V 2 based on q ID and q s queries for ID and Sign oracles with probability Sig.Gen = Pr[E 1 ] Pr[E 2 | E 1 ], in which E 1 and E 2 are defined as: r Event E 1 : Algorithm C did not abort due to signature simulation.
r Event E 2 : Non-trivial forgery is successfully returned by adversary A. The probability Pr[¬false] must be computed, in which false indicates that the algorithm C aborts as a result of ID and Sign queries. The probability is evaluated according to the following claims.
Claim 1.  [.], the probability for a single ID query is at most q ID |N 1 | , and the probability for q ID queries is r Scenario 2. false ← true is obtained in the Sign queries if σ V 2 is occurred by chance in a previous query to the oracle HM AC SK V 1−2 (.) under SK V 1−2 ∈ G and RID V 2 . There are at most q s queries in table T HMAC [.], the probability for a single Sign query is at most q s |N 2 | , and the probability for q s queries is q 2 is the probability that A generates a valid forgery, and C does not halt due to A's ID and Sign queries which means that all responses to these queries are valid. Therefore A will produce a valid forgery with probability .
At last, the probability that A successfully impersonates V 2 by computing a non-trivial forgery under r V 2 , β, RID V 2 is at least