Conditional Privacy-Preserving Authentication Scheme Without Using Point Multiplication Operations Based on Elliptic Curve Cryptography (ECC)

Existing conditional privacy-preserving authentication schemes used in Vehicular Ad-hoc Networks (VANETs) to satisfy security and privacy requirements essentially depend on point multiplication operations. Achieving a rapid verification method for messages commonly costs performance efficiency because of the resulting overheads. In this article we propose a conditional privacy-preserving authentication scheme that secures communication and achieves better performance efficiency. The proposed scheme depends only on elliptic curve cryptography (ECC) based on a point addition operation instead of a point multiplication operation during message signing and verification. In the joining phase of the proposed scheme, the vehicle performs the joining process before broadcasting traffic-related messages to other vehicles or to a nearby RSU within its communication range. After obtaining the pseudonym and secret key from the RSU, the vehicle is considered a registered node in the VANET. This article uses Burrows-Abadi-Needham (BAN) logic to show that the proposed scheme successfully fulfils mutual authentication. The formal security analysis shows that the security and privacy requirements are satisfied by the proposed scheme. The performance analysis shows that our proposed scheme has lower overhead in terms of computation cost compared with other recent schemes, since point multiplication operations based on ECC are not used. The computation costs of message signing, individual authentication and batch authentication in our proposed scheme are therefore decreased by 99.3%, 99.7% and 98.1%, respectively.


I. INTRODUCTION
As a promising technology of the intelligent transportation system (ITS), the vehicular ad-hoc network (VANET) has gained more and more support from the government sector, academia and industry [1]-[3]. The major objective of VANET technology is to enhance the driving environment and immediately raise the driver's awareness of road management [4].
Basically, a VANET is a subclass of the mobile ad-hoc networks (MANETs), in which vehicles are represented as mobile nodes [5], [6]. The structure of a VANET contains three main components: one trusted authority (TA), some roadside units (RSUs) and many vehicles fitted with onboard units (OBUs), as shown in Figure 1. All vehicles in a VANET can exchange messages vehicle-to-vehicle (V2V) and communicate directly with RSUs vehicle-to-infrastructure (V2I) through dedicated short-range communication (DSRC) technology [7], [8].
The associate editor coordinating the review of this manuscript and approving it for publication was Leandros Maglaras.
Due to the inherent openness of VANETs, an attacker could impersonate any registered vehicle to send false messages. Furthermore, it is not difficult for an attacker to trace a particular vehicle by analyzing captured messages, which could be a dangerous threat to the VANET system [9]. Security and privacy in VANETs should therefore be carefully considered [10], and a conditional privacy-preserving authentication scheme should be supported in the VANET system to provide resistance against security attacks [11].
Many academic studies have been dedicated to designing conditional privacy-preserving authentication schemes that satisfy the security and privacy requirements of VANETs. However, most of these schemes have high overhead in terms of performance efficiency. Besides, these schemes are not fully [...] and also suffer from high storage overhead. Thus, an efficient conditional privacy-preserving authentication scheme is proposed to address these issues in VANETs. More precisely, the contributions of this article are as follows:
• A secure VANET communication by improving the conditional privacy-preserving authentication scheme to secure communication and achieve better performance efficiency.
• The proposed scheme depends only on elliptic curve cryptography (ECC) based on a point addition operation instead of a point multiplication operation during message signing and verification.
• A security scheme that has lower computation cost compared with the existing schemes.
The remainder of the article is structured as follows. Section II introduces the related work in this field, followed by Section III, which describes the preliminaries of the proposed scheme. Section IV describes the proposed scheme, and Section V shows its security analysis. Section VI evaluates the performance efficiency results to demonstrate the viability of our proposed scheme. Finally, Section VII concludes this work.

II. RELATED WORK
To fulfil the security and privacy requirements of VANETs, several schemes have been proposed by researchers. Generally, existing work related to security and privacy falls into two main categories.

A. PUBLIC KEY INFRASTRUCTURE (PKI)
The main idea of schemes based on public key infrastructure (PKI) is that vehicles need to preload a large number of key pairs and their respective anonymous certificates (about 43,800) on each OBU. The TA signs these anonymous certificates before they are preloaded into the vehicle.
Rajput et al. [12] introduced a hierarchical authentication scheme based on privacy-preserving pseudonyms with a valid period, whose purpose is to address several limitations of PKI-based schemes. Cincilla et al. [13] studied the scalability and uniformity of replicated PKI-based schemes; their work measures the performance and scalability of the PKI and emulates it on hundreds of machines. Joshi et al. [14] introduced an effective scheme utilizing event-triggered messages to study security issues in V2V communication; the receiver authenticates the sender based on the PKI to check the message. Asghar et al. [15] suggested a feasible PKI-based authentication protocol to address the request-authentication process, whose cost is linear in the CRL size; this scheme therefore supports nodes in obtaining services in good time and enhances scalability.
However, a large number of key pairs and their respective anonymous certificates must be preloaded on each vehicle's OBU in advance, which places a huge certificate-management burden on the TA. Moreover, the vehicle also suffers from a storage-management burden, since its storage capacity is limited. In addition, the verifying vehicle needs to check whether the certificate is valid during the authentication phase, which increases the computational complexity of the VANET system.

B. IDENTITY (ID)
The main idea of identity (ID)-based schemes is to use identity information as the user's public key, while private keys are produced by the TA from the same identity information and then preloaded to users. The sender signs a message with its private key and the receiver verifies it with the sender's public key. Therefore, ID-based schemes tackle the problems arising in PKI-based schemes. ID-based schemes can be further classified into two groups according to the cryptography used, as follows.

1) BILINEAR PAIR
Lee and Lai [16] introduced improved ID-based schemes that support batch authentication. Jianhong et al. [17] pointed out various security weaknesses in the scheme of Lee and Lai [16]; for instance, it fails to fulfil the requirements of traceability and non-repudiation, and it does not withstand replay attacks. Lei Zhang et al. [18] suggested a privacy-preserving authentication scheme to cope with security attacks in the system. Zhong et al. [19] highlighted that the Lei Zhang et al. scheme [18] does not indicate who the aggregator is in the aggregation phase, and that its authentication phase introduces a huge overhead. Pournagh et al. [20] suggested a conditional privacy-preserving authentication scheme that integrates both RSU-based and tamper-proof device (TPD)-based schemes for securing communication. Bayat et al. [21] introduced an RSU-based authentication scheme in which the system's private key and parameters are stored in the RSU's TPD. However, bilinear pairing operations are among the most time-consuming operations and are highly complex cryptography. Thus, these operations cause massive computational overheads in terms of performance efficiency during the message signing and authentication process.
VOLUME 8, 2020

2) ELLIPTIC CURVE CRYPTOGRAPHY (ECC)
Zhang et al. [22] applied the Chinese remainder theorem to propose a conditional privacy-preserving authentication scheme for V2V and V2I communications in VANETs. This scheme utilizes fingerprints rather than the original identity and password for the verification process. He et al. [23] designed ID-based schemes supporting mutual authentication and privacy preservation, which could be utilized for securing communication in VANETs; the TA stores its master secret key on the vehicle's OBU to sign messages during the broadcasting process. Cui et al. [24] introduced the secure privacy-preserving authentication scheme for VANETs with Cuckoo Filter (SPACF), which uses software rather than heavy hardware on a TPD fitted to each vehicle for secure communication; in addition, the scheme uses binary search and cuckoo filter methods to improve the batch verification process. Azees et al. [25] proposed an anonymous authentication scheme for preventing misbehaving vehicles from joining the system; this scheme provides conditional tracking for tracing the RSUs or vehicles that abuse the VANET. Cui et al. [26] suggested a privacy-preserving data downloading scheme for securing the cooperative downloading scenario of V2V and V2I communications; they introduced an edge computing-based secure and privacy-preserving cooperative downloading scheme that uses lightweight cryptography instead of time-consuming bilinear pairing. Alazzawi et al. [27] introduced a conditional anonymity scheme based on message authentication and integrity for V2V and V2I communications in VANETs; this scheme addresses the insider attacker with a robust scheme that uses a pseudonym instead of the original identity.
The operations of ECC are more efficient than bilinear pairing operations. However, in dense areas, the increased number of ECC operations such as point multiplication causes delays in message checking for the receiver. The scheme of Zhang et al. [22] consists of two point multiplication operations during message signing, while three point multiplication operations are included in the authentication process. The scheme of He et al. [23] needs three point multiplication operations during both the message signing and the authentication process. The scheme of Alazzawi et al. [27] consists of one point multiplication operation during message signing, while two point multiplication operations are included in the authentication process.

A. NETWORK MODEL
The components of the proposed scheme in VANETs are described as follows.
• TA: The TA is accountable for storage, issuance and management in the whole system. It is a trusted third party with high capabilities compared with OBUs and RSUs. It is the only component in the VANET that can reveal the vehicle's original identity from suspect messages.
• RSU: The RSU is an infrastructure device deployed on the roadside. It can communicate with vehicles within its coverage range using the DSRC protocol [28]. It can check the authenticity of received messages and process them locally or transmit them to the TA for further use. Each RSU has a Tamper-Proof Device (TPD) for storing the master private key of the system, so it is impossible for an attacker to reveal it.
• Vehicle: The vehicle is equipped with an OBU that enables it to receive and send messages within its coverage area. Each OBU has a TPD, and its sensitive information is never revealed. The vehicle communicates wirelessly with other vehicles and the nearby RSU using the DSRC protocol.

B. SECURITY OBJECTIVES
The proposed scheme for VANETs should fulfil the following security and privacy requirements:
• Identity privacy-preserving: Registered components do not have the ability to reveal the original identity of a vehicle. A malicious vehicle cannot reveal the original identity of a vehicle by analyzing intercepted messages.
• Authentication and integrity: Registered components have the ability to check the authenticity of the received messages in VANET. Moreover, the registered components can detect any modification of the message sent by the vehicles.
• Traceability and revocability: The TA has the ability to reveal and revoke the original identity of the vehicle by analyzing its messages if it is necessary.
• Unlinkability: A malicious vehicle does not have the ability to link two or more received messages sent by the same source by cross-matching them.
• No storage burden: The proposed scheme should not impose a storage burden on the vehicle's OBU.

IV. THE PROPOSED SCHEME
This section details the proposed scheme, which does not use point multiplication during the message signing and verification process. It includes four phases: initialization, joining, message signing and verification. These phases of our proposed scheme are based on the scheme of Bayat et al. [29]. However, unlike Bayat et al. [29], the proposed scheme avoids the bilinear pairing operation and the Map-To-Point hash function, which are well known to be time-consuming.

A. INITIALIZATION
The initialization phase is performed by the TA as follows:
• The TA selects a non-singular elliptic curve E_p(a, b) and a generator P of the additive group G with order q.
• The TA chooses a key s ∈ Z_q^* as its master private key and computes Pub = sP as its master public key.
• The TA selects secure hash functions h_1, h_2 and h_3, and distributes {…, Pub, h_1, h_2, h_3} as the public parameters of the system to each RSU and OBU.
• Finally, the TA saves its master private key s in the TPD of each RSU.

B. JOINING
In this phase, the vehicle performs the joining process before broadcasting a traffic-related message M to other vehicles or to a nearby RSU within its communication range. After obtaining the pseudonym x_i and the secret key S_{OID_i} from the RSU, the vehicle is considered a registered node in the VANET and broadcasts the traffic-related message M to other vehicles or the neighbouring RSU. The joining process is performed in the following steps:
• Vehicle-to-RSU: The vehicle chooses a key z ∈ Z_q^* and calculates the pseudonym PID_{i,1} = zP and PID_{i,2} = OID_i ⊕ h_1(zPub), where OID_i is the original identity of the vehicle. Then the vehicle sends {PID_v, σ_{OBU-RSU}} to the RSU. The RSU first checks whether the timestamp T_1 is fresh or not. Each timestamp is checked as follows: T_r is the receiving time, T is the predefined time delay, and the check is whether the difference between T_r and the timestamp is less than T. If this holds, the timestamp is fresh, and the RSU calculates
• Vehicle: Once it receives the message {x_i^enc, S_{OID_i}^enc, T_exp, T_4, σ_{RSU-OBU}}, the vehicle first checks whether the timestamp T_4 is fresh or not. If so, it recovers the values using the XOR operation and then checks whether σ_{RSU-OBU} =? h_3(x_i, S_{OID_i}, T_4). If so, it starts using x_i and S_{OID_i} within their expiration time T_exp to broadcast messages. To ensure the security of x_i and S_{OID_i} in VANETs, we adopt the renewal method introduced in [27] for our scheme. Through this process, the vehicle uses x_i and S_{OID_i} for a short travelling time within the VANET, then sends a renewal request to obtain a new x_i and S_{OID_i} with a new expiration time.
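The vehicle-to-RSU pseudonym step above, PID_{i,1} = zP and PID_{i,2} = OID_i ⊕ h_1(zPub), and the unmasking of OID_i by the holder of the master key s, as an added example that is not the paper's code. The toy curve, identities and scalars are constructed for illustration; SHA-256 for h_1 and the recovery relation s·PID_{i,1} = zPub (which follows from Pub = sP but is not spelled out in the paper) are assumptions.

```python
"""Added example (not the paper's code): the vehicle-side pseudonym of the
joining phase and the unmasking of OID_i by the holder of the master key s.
The curve, identities and scalars are constructed for illustration: the
textbook curve y^2 = x^3 + 2x + 2 over F_17 with base point (5, 1) of order 19
stands in for E_p(a, b); SHA-256 is assumed for h_1."""
import hashlib
import secrets

P_MOD = 17        # field prime p of the toy curve (constructed)
A, B = 2, 2       # curve coefficients a, b
G = (5, 1)        # generator P of the additive group
Q = 19            # order q of the group generated by P
INF = None        # point at infinity


def ec_add(p1, p2):
    """Point addition on E_p(a, b) in affine coordinates."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                              # p1 + (-p1) = O
    if p1 == p2:                                # doubling
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def ec_mul(k, point):
    """Scalar multiplication k*point by double-and-add."""
    result, addend = INF, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def h1(point, n_bytes):
    """h_1: hash a curve point to n_bytes of mask material (SHA-256 assumed)."""
    digest = hashlib.sha256(f"{point[0]},{point[1]}".encode()).digest()
    return digest[:n_bytes]


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def ta_setup(s=None):
    """TA: master private key s in Z_q^* and master public key Pub = sP."""
    s = s if s is not None else secrets.randbelow(Q - 1) + 1
    return s, ec_mul(s, G)


def vehicle_pseudonym(oid, pub, z=None):
    """Vehicle-to-RSU step: PID_i,1 = zP and PID_i,2 = OID_i xor h_1(zPub)."""
    z = z if z is not None else secrets.randbelow(Q - 1) + 1
    pid1 = ec_mul(z, G)
    pid2 = xor_bytes(oid, h1(ec_mul(z, pub), len(oid)))
    return pid1, pid2


def recover_identity(pid1, pid2, s):
    """Holder of s (the TA, or the RSU's TPD) unmasks OID_i.  Assumed derivation:
    s*PID_i,1 = s*zP = z*(sP) = zPub, so the mask h_1(zPub) is recomputed
    without knowing z; a party without s cannot recompute it."""
    return xor_bytes(pid2, h1(ec_mul(s, pid1), len(pid2)))


if __name__ == "__main__":
    s, pub = ta_setup()
    pid1, pid2 = vehicle_pseudonym(b"VEH-0042", pub)
    print("PID_i,1 =", pid1, "PID_i,2 =", pid2.hex())
    print("recovered OID_i =", recover_identity(pid1, pid2, s))
```

With a wrong key the XOR mask does not cancel, so the recovered bytes are garbage rather than OID_i; on a real deployment the curve would of course be a standard one, not this 19-point toy.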

C. MESSAGE SIGNING
After x_i and S_{OID_i} are received, the vehicle first chooses a random value η ∈ Z_q^* and computes R = wη, T_i1 = ηP, T_i2 = η^{-1} x_i P, T_i3 = ηPub and PID_i = η x_i P. The vehicle then executes the following steps to sign the message M_i:
• The vehicle gets a timestamp ts_i and calculates u = h_3(M_i, R, T_i1, T_i2, T_i3, T_exp, ts_i).
• The vehicle generates the signature on the message M_i as V = (1/η)(u + η) S_{OID_i}.
• Finally, the vehicle broadcasts the message-signature tuple {V, M_i, R, T_i1, T_i2, T_i3, T_exp, PID_i, ts_i} to the recipient.

D. VERIFICATION
Once it receives the message-signature tuple {V, M_i, R, T_i1, T_i2, T_i3, T_exp, PID_i, ts_i}, the recipient (the RSU or an OBU) first checks whether the timestamp ts_i and T_exp are fresh or not. If so, it computes u = h_3(M_i, R, T_i1, T_i2, T_i3, T_exp, ts_i) and then continues verifying the message with the following equations.
The proof of Equation 1 is as follows.
Then it uses the following equation.
The proof of Equation 2 is as follows.
If Equations 1 and 2 hold, the recipient accepts the message M_i.

V. SECURITY ANALYSIS

A. FORMAL SECURITY ANALYSIS
To check the validity of the OBU and RSU in the VANET, Burrows-Abadi-Needham (BAN) logic is used by the proposed scheme to realize the specific security goals of the mutual authentication process [5], [30].
The main notations and meanings used in the formal security analysis are as follows:
• §, Y: The original participants.
• X_M: Exchanged messages.
• Y has a public key Pub corresponding to a private key Pri.
• § ⇒ Y: § has the ability to control Y.
• (X_M)_K: The message X_M is hashed with K.
Rules: The essential rules of the formal security analysis process are described as follows:

Security goals:
The authentication requirements for VANETs should achieve the following security goals.
Idealize the scheme phase: The proposed transformation is viewed as follows:
• The proposed scheme messages are:
• The idealized proposed scheme messages are:

Assumptions:
The proof of the proposed scheme depends on the following assumptions:
Proof: The proof is shown as follows.
Based on IPSM_1, we obtain: S_1: TA (OID_i)_Pub.
Based on S_1, A_4, and by using the message meaning rule, we obtain: S_2: TA |≡ OBU |∼ (OID_i).
Based on S_2, A_1, and by using the freshness and nonce-verification rules, we obtain: S_3: TA |≡ OBU |≡ (OID_i). Therefore, the security goal G_1 is achieved.
Based on S_3, A_7, and by using the jurisdiction rule, we obtain: S_5: TA |≡ (OID_i). Therefore, the security goal G_2 is achieved.
Based on IPSM_2, we obtain: S_5: TA (OID_j)_Pub.
Based on S_5, A_5, and by using the message meaning rule, we obtain:
Based on S_6, A_1, and by using the freshness and nonce-verification rules, we obtain:
Thus, the security goal G_3 is achieved.
Based on S_7, A_8, and by using the jurisdiction rule, we obtain: S_8: TA |≡ (OID_j). Therefore, the security goal G_4 is achieved.
Based on IPSM_3, we obtain: S_9: RSU (σ_{TA-RSU})_Pub.
Based on S_9, A_10, and by using the message meaning rule, we obtain:
Based on S_10, A_2, and by using the freshness and nonce-verification rules, we obtain:
Therefore, the security goal G_5 is achieved.
Based on S_11, A_11, and by using the jurisdiction rule, we obtain: S_12: RSU |≡ (σ_{TA-RSU}). Thus, the security goal G_6 is achieved.
Based on IPSM_4, we obtain:
Based on S_13, A_6, and by using the message meaning rule, we obtain:
Based on S_14, A_3, and by using the freshness and nonce-verification rules, we obtain: S_15: OBU |≡ RSU |≡ (x_i, S_{OID_i}). Therefore, the security goal G_6 is achieved.
Based on S_15, A_9, and by using the jurisdiction rule, we obtain: S_16: OBU |≡ (x_i, S_{OID_i}). Therefore, the security goal G_8 is achieved.
Thus, the eight security goals collectively ensure that the RSU and OBU of the proposed scheme are mutually authenticated for V2V and V2I communications.

B. INFORMAL SECURITY ANALYSIS
• Identity privacy-preserving: The TA converts the original identity OID_i of the vehicle to a pseudonym x_i. The main aim of this is to support identity privacy preservation for the vehicle concerned. In the proposed scheme, the pseudonym x_i is included in the message-signature tuple {V, M_i, R, T_i1, T_i2, T_i3, T_exp, PID_i, ts_i}. Therefore our scheme guarantees the identity privacy-preserving requirement in VANETs.
• Message integrity and authentication: Based on the signature V = (1/η)(u + η) S_{OID_i} on the message M_i, calculating a legitimate signature requires the secret key S_{OID_i}. The attacker does not have the ability to issue a legitimate signature since he/she does not hold the secret key. In addition, S_{OID_i} = (1/(x + x_i)) P confirms that computing the secret keys of other vehicles from its own secret key is impossible for a misbehaving vehicle. Therefore, the attacker cannot impersonate a registered vehicle in the proposed scheme, and a misbehaving vehicle cannot calculate the secret key of other vehicles from its own secret key. Therefore, a vehicle cannot issue a legitimate signature on behalf of other vehicles.
• Traceability and revocability: The main aim of a harmful vehicle is to disturb the VANET system by sending false messages to others. The TA not only has the ability to trace the harmful vehicle but also has the ability to revoke it while it is travelling. For example, in V2V communication, vehicle V_i sends a false message to a recipient V_j. Once it receives the false message, vehicle V_j sends a report to the TA. The TA searches all stored values x_i in its database and detects the pseudonym x_i fulfilling the following equation.
The proof of Equation 3 is as follows.
After tracing the pseudonym x_i on message M_i to vehicle V_i, the TA revokes it from continuing in the VANET. The vehicle is no longer able to broadcast false messages after its expiration time has expired. Thus, the proposed scheme fulfils the traceability and revocability requirement in VANETs.
• Unlinkability: After the short expiration time T_exp has expired, the vehicle sends a renewal request to update x_i and S_{OID_i}, which leads to new signing parameters {V, R, T_i1, T_i2, T_i3, T_exp, PID_i} being computed. The vehicle therefore broadcasts different message-signature tuples {V, M_i, R, T_i1, T_i2, T_i3, T_exp, PID_i, ts_i} during its travel. Hence it is not easy for an attacker to correlate the rapidly changing x_i and S_{OID_i} of the vehicle, and a malicious node cannot obtain the vehicle's location. Therefore, the proposed scheme satisfies the unlinkability requirement.
• No storage burden: In existing schemes, the vehicle equipped with an OBU has to store the public parameters of the system and a large number of different pseudonyms in its database, which increases the storage overhead. For example, each pseudo ID includes an element in Z_q and one in G. According to the literature, the size of an element of Z_q is 20 bytes and of G is 40 bytes. Assuming there are 100 pseudo IDs, the storage overhead of the pseudonym pool alone is 6 MB. The OBU in the proposed scheme only stores x_i and S_{OID_i} after obtaining them from the RSU during the mutual authentication process. Therefore, the proposed scheme satisfies the no-storage-burden requirement.

VI. PERFORMANCE ANALYSIS AND COMPARISON
In this section, the proposed scheme is compared with existing schemes in terms of computation and communication cost, as follows.

A. COMPUTATION COST ANALYSIS AND COMPARISON
In the existing proposals utilizing a bilinear pairing G × G → G_T, such as Zhong et al. [19], Pournagh et al. [20] and Bayat et al. [21], the elliptic curve y^2 = x^3 + x mod n generates the group G_1, where the group order and n are 160-bit and 512-bit primes, respectively. In the existing proposals utilizing an elliptic curve, such as Zhang et al. [22], He et al. [23] and Alazzawi et al. [27], the elliptic curve y^2 = x^3 + ax + b mod n generates the group G_2, where n and the order of G_2 are 160-bit primes, to realize the same security level as the schemes based on bilinear pairing. To simplify the performance evaluation in terms of computation cost, some cryptographic operations and their respective running times are presented in Table 1.
For simplicity, let MS, SA and BA denote message signing, individual verification and batch verification, respectively.
During MS, the scheme of He et al. [23] needs three scalar point multiplication operations and three secure hash functions, so the total cost is 3T_SM-ECC + 3T_h ≈ 2.0184. During SA, He et al. [23] needs three scalar point multiplication operations, two secure hash functions and two point addition operations, so the total cost is 3T_SM-ECC + 2T_PA-ECC + 2T_h ≈ 2.0236. This scheme needs (n + 2) scalar multiplication operations, 2n small scalar point multiplication operations, (2n − 1) point addition operations and 2n secure hash functions during BA, so the total cost is (n
In the proposed scheme, MS consists of one point addition operation and one secure hash function, so the total cost is 1T_PA-ECC + 1T_h ≈ 0.0041. SA and BA of the proposed scheme include only one point addition operation and only n point addition operations, respectively. Therefore the total costs of SA and BA are 1T_h + 2T_PA-ECC ≈ 0.0072 and nT_h + nT_PA-ECC ≈ 0.0072n, respectively. The MS, SA and BA costs of the other schemes are computed in the same way, as presented in Table 2.
As listed in Table 3, … respectively. The performance of the proposed scheme and the other schemes in terms of MS, SA and BA is listed in Table 3.

B. COMMUNICATION COST ANALYSIS AND COMPARISON
For the group G_1 utilizing bilinear pairing, where n is a 512-bit prime, each element of G_1 is 128 bytes. For the group G_2 utilizing ECC, where n is a 160-bit prime, each element of G_2 is 40 bytes. The sizes of a timestamp, a one-way hash output and an element of Z_q are 4 bytes, 20 bytes and 20 bytes, respectively. The size of the message content itself is excluded from our measurement.
The message size in the He et al. scheme [23] is (40 * 3 + 20 + 4) = 144 bytes, where the message comprises three elements {PID_il^1, PID_il^2, R_i ∈ G}, one element {σ_m ∈ Z_q} and one timestamp. In our proposed scheme, the vehicle broadcasts a message-signature tuple of size (40 * 4 + 20 * 2 + 8) = 208 bytes, where the tuple contains four elements {T_i1, T_i2, T_i3, PID_i ∈ G}, two elements {V, R ∈ Z_q} and two timestamps {T_exp, ts_i}. The communication cost of the other schemes is computed in the same way. The overall communication cost is listed in Table 4.

VII. CONCLUSION
In this article, we propose a conditional privacy-preserving authentication scheme that does not use ECC point multiplication operations. The main aim of the proposed scheme is to secure V2V and V2I communications and achieve better performance efficiency. The proposed scheme depends only on ECC based on a point addition operation instead of a point multiplication operation during message signing and verification. The security analysis shows that the security and privacy requirements for VANETs are fulfilled by the proposed scheme. In addition, the performance analysis shows that the computation cost of the proposed scheme is lower than that of other existing schemes. Lastly, the proposed scheme is better suited to large-scale networks.