An Efficient Conditional Privacy-Preserving Authentication Scheme for the Prevention of Side-Channel Attacks in Vehicular Ad Hoc Networks

Several group signature or identity-based schemes have been proposed to address security issues in vehicular ad hoc networks (VANETs). Nonetheless, none of these schemes copes suitably with performance efficiency when signing and verifying safety-messages. Furthermore, adversaries could acquire sensitive data stored in a tamper-proof device (TPD) by using side-channel attacks. In this paper, an efficient conditional privacy-preserving authentication scheme is proposed for preventing side-channel attacks and reducing the performance overhead of the system. To resist side-channel attacks, critical data stored in the TPD is frequently and periodically updated. Lastly, because our work employs the one-way hash function and elliptic curve cryptography, its performance evaluation shows lower computation and communication cost compared to other schemes.


I. INTRODUCTION
Each year, more than 1 million people are affected by road incidents. Harm from the driving environment is the ninth leading cause of mortality worldwide and costs more than 2%, or USD 1 trillion, of world Gross Domestic Product (GDP) [1], [2]. Besides, congestion wastes massive amounts of fuel and time.
Intelligent transport systems (ITSs) have recently come to play a highly significant role in how people move in the digital world. To improve vehicular road traffic in the future, ITSs provide innovative and comprehensive applications for controlling these unpleasant events [3]. Smart vehicles are being built on the rapid development of wireless communication technology [4], [5]. New vehicle telcos and manufacturers have introduced the idea that wireless tools will be an integral part of each vehicle, allowing it to communicate with other vehicles and with road infrastructure. These vehicles form a specific kind of ad hoc network in which each vehicle is a network node. Such networks are known as vehicular ad hoc networks (VANETs), a type of mobile ad hoc network (MANET) that uses wireless technology for communication between nearby vehicles and fixed infrastructure [6].
The associate editor coordinating the review of this manuscript and approving it for publication was Gautam Srivastava.
Communications in a VANET are classified as either Vehicle-to-Infrastructure (V2I) or Vehicle-to-Vehicle (V2V). With these communications, each vehicle periodically broadcasts safety-messages containing its position, traffic events, speed and heading. Because VANET communication is an open broadcast, any vehicle within the coverage area, whether legal or not, will receive these safety-messages. This also permits adversaries to change, alter and replay these safety-messages and broadcast them in the system. Broadcasting such changed and forged safety-messages could cause situations such as road accidents and traffic disruption, which justifies the call for changes to messaging security. Before VANETs become practical, their security issues need to be carefully addressed. The contributions of this paper are summarized as follows:
• First, an efficient conditional privacy-preserving authentication scheme for securing vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) communications. Besides, the proposed scheme is shown to satisfy the security requirements of the design goals in VANETs.
• Second, a scheme that resists side-channel attacks by regularly updating the critical data stored in the tamper-proof device (TPD) of the vehicle.
• Finally, a scheme that is more efficient than existing schemes and appropriate for areas with high traffic density, through its use of the one-way hash function and elliptic curve cryptography (ECC).
The remainder of this paper is organized as follows: Section II deals with security schemes for VANETs. Section III introduces the preliminaries of the proposed scheme. Section IV shows the five phases included in the proposed scheme. Section V presents the security analysis and comparison of our work in detail. Section VI presents the performance evaluation. Conclusions of the proposed scheme are given in Section VII.

II. RELATED WORK
In this section, we review and discuss the related schemes, since VANETs have suffered from issues of mutual authentication and conditional privacy preservation. Existing schemes for security and privacy are commonly classified into two main categories, as follows.

A. GROUP-SIGNATURE BASED SCHEMES
The core idea of group-signature based schemes is that each group member can sign safety-messages anonymously on behalf of the whole group. Chaum and van Heyst first introduced the group signature [7]. Lin et al. [8] introduced a security scheme based on the group signature for securing V2V communication in vehicular systems. This scheme provides security and privacy without inducing the overhead of managing multiple certificates at the membership manager (MM). Zhang et al. [9] introduced a practical and secure privacy-preserving scheme for value-added applications. In their scheme, the vehicle needs only a member key to generate verifier-local revocation without violating the drivers' privacy. Shao et al. [10] designed a threshold anonymous authentication approach to address security and privacy issues in VANETs. This scheme combines a decentralized group model with a threshold authentication method to obtain threshold authentication. Lim et al. [11] introduced a secure and scalable key distribution scheme that uses the domain concept with a number of RSUs for group signature-based authentication.
However, the main limitation of group-signature based schemes is that the certificate revocation list (CRL) grows as the number of revoked vehicles increases. In addition, the vehicle uses two bilinear pairing operations for the CRL check, which increases the verification computation overhead.

B. IDENTITY BASED SCHEMES
In order to address the limitation of group-signature based schemes, many scholars have proposed identity-based schemes. The core idea of identity-based schemes is that the public key is derived from identity information, while the TA computes the private key. Shamir first proposed the identity-based approach in 1984 [18]. Zhang et al. [19], [20] present a security and privacy scheme based on bilinear pairing that supports batch authentication, allowing a large number of received safety-messages to be verified simultaneously in VANETs. Lee and Lai [21] and Chim et al. [22] indicated that the schemes of [19], [20] have drawbacks because an OBU could use a false identity to evade the traceability requirement. Besides, [19], [20] cannot withstand impersonation and replay attacks. Jianhong et al. [23] point out some security limitations in the scheme of [21], for example that it cannot satisfy the requirements of non-repudiation and traceability and cannot withstand replay attacks. To address the flaws in the scheme of [21], Jianhong et al. [23] proposed a secure identity-based scheme. Bayat et al. [14] pointed out that the authentication scheme of Lee and Lai [21] is insecure against impersonation attacks. Therefore, they proposed an enhanced authentication scheme. He et al. [15] introduced an identity-based security and privacy scheme for securing communication in vehicular systems. This scheme does not use bilinear pairing in signature verification, since pairing is among the most time-consuming operations in cryptography. Instead, their work bases the signing and verifying of safety-messages on elliptic curve cryptography (ECC). Azees et al. [24] suggested an authentication scheme to prevent attackers from entering the V2V and V2I communications. Besides, their scheme supports conditional tracking to trace malicious components in VANETs. Zhang et al. [12] proposed a conditional privacy-preserving authentication scheme based on the Chinese remainder theorem (CRT) in VANETs. This scheme uses fingerprints rather than a password and genuine identity for identity verification. Cui et al. [13] proposed a conditional privacy-preserving authentication scheme based on the binary search and cuckoo filter methods to achieve a high success rate in the batch verification method. Bayat et al. [25] suggested an RSU-based scheme in which the private key of the TA is placed in the TPD of the RSUs, since the communication channels between the TAs and RSUs are faster and more secure than placing the private key in each OBU. Al-shareeda et al. [16] proposed the lightweight security without using batch verification method (LSWBVM) scheme, so that single verification can handle a large number of safety-messages broadcast while driving. However, this scheme is vulnerable to various security attacks, such as impersonation and modification attacks, because the verifying vehicle uses only a one-way hash function for signature verification. It is also vulnerable to replay attacks, since the timestamp is not included in the safety-message tuple. Besides, this scheme does not satisfy the authentication and integrity requirements in vehicular systems, and it is susceptible to side-channel attacks because the vehicle's identity stored on the TPD is not updated for a long time. Also, Al-shareeda et al. [17] suggested a new and efficient conditional privacy-preserving authentication (NE-CPPA) scheme for securing V2V and V2I communications in vehicular systems. In this scheme, the TA computes the private key of the system and preloads it in the TPD, which is assumed not to be compromised by any adversary. Nevertheless, an adversary could still obtain some data saved in the TPD through a side-channel attack. When the TA's private key is obtained by the adversary, the vehicular system will be disrupted.
Table 1 summarizes the recent identity-based schemes that propose mutual authentication and conditional privacy preservation in VANETs, with the techniques they apply, their advantages and their limitations. To overcome the aforementioned issues in VANETs, we propose an efficient conditional privacy-preserving authentication scheme for the prevention of side-channel attacks. Our work adds an update-parameters phase that periodically changes the data stored in the TPD of the vehicle, preventing malicious adversaries from obtaining critical information via side-channel attacks and collapsing the VANET system. Besides, the proposed scheme uses ECC operations rather than bilinear pairing operations; therefore, it has lower computation and communication cost compared to other schemes.

III. PRELIMINARIES
In this section, we first define the structure of the system model; this is followed by a presentation of the design goals in terms of security requirements; finally, the security attacks considered in this paper are defined. The major notations used in the proposed scheme are presented in Table 2.

A. SYSTEM MODEL
The proposed scheme's system model consists of three components, OBU, RSU and TA, as shown in Figure 1.
• OBU: Vehicles in a VANET are equipped with an On-Board Unit (OBU), which allows the vehicles to process, receive and broadcast safety-messages. OBUs are fitted with a tamper-proof device (TPD) that is used to store critical data.
• RSU: A roadside unit (RSU) is a wireless device located at the roadside as an infrastructure node. The RSU links with the TA over a wired channel and with vehicles over a wireless channel.
• TA: The trusted authority (TA) has high computation and communication resources. The TA is responsible for generating the system's public parameters and the pseudo-ID for each vehicle.

B. DESIGN GOALS
In order to secure V2V and V2I communications in the system, the proposed scheme should satisfy the following security requirements.
• Integrity and authentication: The wireless components in VANETs must be able to detect any modification of received safety-messages, and must be able to validate received safety-messages and authenticate nodes, to ensure the security of communications.
• Identity privacy preservation: An adversary must not be able to disclose the vehicle's identity by capturing multiple safety-messages sent by it. Thus, the identity of the vehicle remains anonymous to other legitimate and illegitimate vehicles, ensuring the driver's privacy.
• Traceability and revocation: The TA must be capable of disclosing the identity of the vehicle from its safety-messages, so that malicious vehicles cannot deny having disrupted the system by sending forged safety-messages to other authenticated vehicles.

C. SECURITY ATTACKS
It is easy for adversaries to launch certain security attacks because of the open nature of VANET communication. In this subsection, we briefly present some vulnerabilities together with the capabilities of an adversary in VANETs.
• Replay attacks. The aim of misbehaving vehicles is to replay a previously issued valid signature to the receiver to create the illusion that accidents are happening.
• Modification attacks. The aim of misbehaving vehicles is to change authentic safety-messages and send them to other nodes [26]. For example, a malicious vehicle could feed forged messages to nearby vehicles. Thus, verification at the recipient cannot be executed on changed messages.
• Impersonation attacks. The aim of misbehaving vehicles is to impersonate a registered vehicle and transmit a proper safety-message to other vehicles, with the attacker attempting to masquerade as a registered vehicle.
• Man-in-the-middle attacks. The aim of misbehaving vehicles is to sniff and tamper with information by intercepting the two communicating sides [27], [28].
• Side-channel attacks. The aim of misbehaving vehicles is to obtain sensitive data stored in the TPD by using a side-channel attack. When the misbehaving vehicles get the TA's private key, the structure of the system will collapse.
After the TA calculates the initial public parameters, it preloads them to the RSUs and OBUs in advance. Through the mutual authentication steps, the vehicle must authenticate itself to the system, based on the RSU's parameters, before exchanging safety-messages. Thus, an attacker cannot gain authorized access to the coverage region. Once the vehicle is considered a registered vehicle, it calculates its signature on the message, and the verifier then checks this signature.
We propose an efficient conditional privacy-preserving authentication scheme for the prevention of side-channel attacks, to ensure secure communication in VANETs. The proposed scheme comprises five phases: system initialization, mutual authentication, signing safety-message, verifying safety-message and update parameters. The phases of the proposed scheme are visualized in Figure 2.

D. PHASE OF SYSTEM INITIALIZATION
The system initialization phase consists of the following subsections.

1) TA INITIALIZATION
In order to compute the initial public parameters of the system, the TA should execute the following steps.
• The TA chooses two large primes $q$, $p$ and the generator $P$ of an additive group $G$ of order $q$, which consists of all points on the non-singular elliptic curve E ( q are chosen by TA as TA's private key and then calculates $Pub = kP$ to be its corresponding public key.
• Lastly, three one-way hash functions $h_1$, $h_2$ and $h_3$ are

IV. THE PROPOSED SCHEME

2) RSU AND VEHICLE REGISTRATION
In order to register the RSU and the vehicles at the TA, the following steps should be executed:
• Once the TA receives the RSU's identity $ID_{RSU_j}$, the TA verifies the RSU's validity.
• The private key $k$ is stored by the TA on the RSU's TPD.
• Once the driver submits identity $ID_i$ and password $PW_i$ via secure communication, the TA checks the driver's validity.
• The TA generates the pseudonym $Pdm = h_3(ID_i \| SP_{vi})$ after it verifies the validity of $ID_i$, where $V_{vi}$ is a short period.
• The TA preloads $\langle Pdm, V_{vi} \rangle$ and $k$ via a secure channel into the TPD of the vehicle and of each RSU, respectively.
• The initial public parameters of the system $\psi = \{p, q, a, b, P, Pub, h_1, h_2, h_3\}$ are preloaded by the TA in each vehicle's OBU and each RSU.

A. PHASE OF MUTUAL AUTHENTICATION
When the vehicle comes within the RSU's communication range, it performs mutual authentication before it sends safety-messages to the nearby RSU or neighbouring vehicles. Once the vehicle receives the signature key $SK$ from the RSU, the vehicle is considered registered and authentic; thus, it can broadcast safety-messages to the nearby RSU or neighbouring vehicles. Figure 3 shows the top-level mutual authentication process of the proposed scheme. The following steps are used to perform this phase.
• OBU-TO-RSU: Once the vehicle selects a random value $w \in Z_q^*$, it generates its pseudo-ID $PsID_i = \langle PsID_i^1, PsID_i^2 \rangle$ as follows: Then, the vehicle transmits $Tuple_1$ to the RSU, where = $h_3(PsID_i \| Pdm \| TS_1)$. The RSU rejects $Tuple_1$ when it is not ok; otherwise, it selects a random value $z \in Z_q^*$. It generates its pseudo-ID $PsID_{RSU_j} = \langle PsID_{RSU_j}^1, PsID_{RSU_j}^2 \rangle$ as below:
• TA-TO-RSU: Once $Tuple_2$ is received by the TA from the RSU, the TA first checks the freshness of $TS_2$. If $TS_2$ is fresh, then the TA does not reject the safety-message. Otherwise, $Tuple_2$ is dropped. The TA then calculates the from $PsID_i$ and $PsID_{RSU_j}$, respectively. Then it verifies $\delta_{RSU-TA} \stackrel{?}{=} h_3(Pdm \| ID_{RSU_j} \| TS_2)$. If is not ok, the TA rejects $Tuple_2$; otherwise, it checks the authenticity of the identities of the RSU and OBU through the saved values $ID_i$, $ID_{RSU_j}$, respectively. If it is ok, then the TA does not reject the safety-message and chooses a random value $r \in Z_q^*$. The TA generates its pseudo-ID $PsID_{TA} = \langle PsID_{TA}^1, PsID_{TA}^2 \rangle$ as follows: = $h_2(Pdm \| SK \| TS_4)$ with the assistance of its $Pdm$. If it is ok, then the vehicle does not reject the PK as its corresponding signature key.
To ensure the security of the pseudo-ID and its corresponding signature key in the system, we advise adopting the signature key update protocol demonstrated in [29] for our work. Under this protocol, the vehicle uses a pseudo-ID and its corresponding signature key for only a few periods of routing in the system.

B. PHASE OF SIGNING SAFETY-MESSAGE
Once the vehicle has joined the communication range of the RSU through the mutual authentication process, it starts sending safety-messages, using $SK$ to sign each safety-message. Figure 4 shows the process of the signing safety-message phase.
• The vehicle calculates $\sigma = h_3(m \| TS)\,PsID_i^1$.
• The vehicle sets $\delta_m$ and $\sigma$, which the recipient uses to verify the safety-message.
• Finally, the vehicle sends the safety-message-signature tuple $\{PsID_i, m, TS, \delta_m, \sigma\}$ to neighbouring vehicles and nearby RSUs.

C. PHASE OF VERIFYING SAFETY-MESSAGE
This section presents the single and batch verification of safety-messages, as shown in Figure 4.

1) SINGLE VERIFYING SAFETY-MESSAGE
Using this verification process, each vehicle verifies a single safety-message signature. Once the recipients receive a signed safety-message, they should check its validity and authenticity, ensuring that no misbehaving vehicle is considered a legal vehicle before the safety-message is accepted for further processing. Therefore, false safety-messages are prevented from being transmitted. The single verifying safety-message method is presented in detail as follows:
• Once the verifier receives the safety-message-signature tuple $\{PsID_i, m, TS, \delta_m, \sigma\}$, it first verifies the freshness of the timestamp $TS$.
The proof of Equation 1 is presented as follows: Therefore, Equation 1 is checked to be true.

2) BATCH VERIFYING SAFETY-MESSAGE
With this batch verifying safety-message process, the recipient checks multiple safety-messages at the same time. To reduce the time consumed, our work uses a batch verifying safety-message method. To satisfy the non-repudiation requirement in our work, we use the small exponent test technique [23]. The recipient randomly chooses a vector of integers $\eta = \{\eta_1, \eta_2, \ldots, \eta_n\}$, where each element lies in $[1, 2^t]$ and $t$ is a small value, so that the computation overhead is not increased. Consider that a verifier receives a large number of safety-message-signature tuples $\{PsID_i^1, m_1, TS_1, \delta_m^1, \sigma_1\}$, $\{PsID_i^2, m_2, TS_2, \delta_m^2, \sigma_2\}$, ..., $\{PsID_i^n, m_n, TS_n, \delta_m^n, \sigma_n\}$. Then, the verifier uses $\delta_m^n$ of the safety-message-signature tuple $\{PsID_i^n, m_n, TS_n, \delta_m^n, \sigma_n\}$ to verify the safety-messages simultaneously by using Equation 1, as follows: The proof of Equation 2 is presented as follows: Therefore, Equation 2 is checked to be true.

D. PHASE OF UPDATE PARAMETERS
To prevent side-channel attacks, the sensitive data stored in the TPD (the pseudonym of the vehicle) must be regularly updated via an online mode and annual inspection. If the stored sensitive data are left without update for some period while waiting for the next annual inspection, the adversary could have enough time to obtain sensitive data that can collapse the entire VANET. The vehicle should execute the following steps to update the sensitive data stored in the TPD using the online mode: • The vehicle selects a random number $r \in Z_q^*$ and computes

V. SECURITY ANALYSIS AND COMPARISON
In this section, we first present the formal analysis in terms of the random oracle model and BAN logic; this is followed by a description of the security requirements and, finally, the security comparison between the proposed scheme and other schemes.

A. FORMAL ANALYSIS
We use the random oracle model and BAN logic for the formal analysis of the proposed scheme, as follows.

1) RANDOM ORACLE MODEL
This subsection launches a game between adversary AY and challenger CR, where AY attempts to break the security of the proposed scheme and CR stands for the robustness of the proposed scheme.
Theorem 1: The proposed scheme is existentially unforgeable against an adaptive chosen message attack under the random oracle model.
Proof: Suppose CR could forge a legitimate safety-message-signature tuple $\{PsID_i, m, TS, \delta_m, \sigma\}$ in the proposed scheme. Besides, suppose that an instance of the ECDLP $(P, Q = k \cdot P)$ is specified for two points $P$, $Q$ on $E$ and $k \in Z_q^*$. CR could then overcome the hardness of the ECDLP by using AY as a subroutine.
Setup: CR calculates the private key and the public parameters of the system $\psi = \{p, q, a, b, P, P_{pub}, h_1, h_2, h_3\}$ and then establishes three lists, namely $LIST_{h_1}$ with entries of the form $(\alpha, \tau_{h_1})$, $LIST_{h_2}$ with entries of the form $(PsID_i^1, PsID_i^2, \tau_{h_2})$ and $LIST_{h_3}$ with entries of the form $(m, TS, \tau_{h_3})$. AY is empty at first. Then, CR forwards $\psi$ to AY.
Oracle of $LIST_{h_1}$: After CR receives a message request $\alpha$ from AY, it first tests whether the tuple $(\alpha, \tau_{h_1})$ exists in $LIST_{h_1}$. If so, CR sends $\tau_{h_1} = h(\alpha)$ to AY. Otherwise, CR chooses a random $\tau_{h_1} \in Z_q^*$ and adds $(\alpha, \tau_{h_1})$ to $LIST_{h_1}$. Then,
Oracle of $LIST_{h_2}$: After CR receives message request
Sign: When CR receives a sign request from AY for message $m$, it computes
Output: CR ends up with the safety-message-signature tuple $\{PsID_i, m, TS, \delta_m, \sigma\}$. CR tests this tuple using Equation 4 as follows: CR continues the game when Equation 4 does not hold. Based on the forking lemma in [21], AY could output another valid safety-message-signature tuple $\{PsID_i, m, TS, \delta_m, \sigma\}$. Hence, the following Equation 5 is obtained: From Equations 4 and 5, we can obtain Hence, the proposed scheme is resistant to adaptive chosen message attacks in the random oracle model under the assumption that the ECDLP is hard.

2) BAN LOGIC
Using the general formal logic known as BAN logic, we show that the proposed scheme achieves specific security goals among the components in VANETs for mutual verification. The basic definitions that introduce BAN logic are omitted in this paper; we refer the reader to [30], [31] for further details.

Security goals
The main idea of these operations is to validate the session key among the components in the system. Thus, the proposed scheme needs to achieve eight major goals. The proposed scheme's goals are as follows. • The messages of the proposed scheme are idealized as follows:

Assumptions.
The following assumptions regarding the initial situation of our work are made:
VOLUME 8, 2020
Proof. In this part, the eight security goals included in the proposed scheme are accomplished.

B. SECURITY REQUIREMENTS
This subsection analyses how our work fulfills the security requirements, as follows. If ok, then our work satisfies the requirements of integrity and authentication.
• Identity privacy preservation: In the safety-message-signature tuple $\{PsID_i, m, TS, \delta_m, \sigma\}$ of our work, the pseudo-ID $PsID_i$ involves two secret values (i.e., $(w, k) \in Z_q^*$), which are chosen at random by the broadcasting TA and vehicle, respectively. It is not possible for an adversary to disclose the pseudonym $Pdm$ of the vehicle, because an attacker is unable to compute $kPsID_i^1$ and $wkP$ owing to the ECCDH and ECDL problems, respectively. Recall that $Pub = kP$, $PsID_i^1 = wP$ and $PsID_i^2 = Pdm \oplus h_1(wPub)$. To obtain the pseudonym $Pdm$ of the vehicle, the adversary would have to compute $kPsID_i^1$, $wkP$ from $Pub = kP$ and $PsID_i^1 = wP$. Because this computation depends on hard problems, the attacker is prevented from disclosing the vehicle's $Pdm$. Therefore, the requirement of identity privacy preservation is satisfied by our work.
• Traceability and revocation: In V2V and V2I communications, traceability and revocation are significant security requirements. If forged safety-messages are transmitted by a malicious vehicle, the TA can disclose the vehicle's identity from its pseudo-ID $PsID_i$. The TA's private key $k$ in our work is used to disclose the identity $ID_i$ via the following computations.
Then, the TA searches the vehicle registration list for the identity $ID_i$ that matches $Pdm$. Besides, revocation is a serious security requirement for securing V2V and V2I communications. After the traceability process is done, the TA inserts the identity $ID_i$ into the CRL and transmits the updated CRL. Thus, the RSU containing the malicious vehicle broadcasts and updates the CRLs locally. Hence, our work satisfies the requirements of traceability and revocation, since they provide conditional anonymity.
• Resistance to replay attacks: The proposed scheme uses the current timestamp $TS$ in the safety-message-signature tuple $\{PsID_i, m, TS, \delta_m, \sigma\}$. During the verification process at a receiver, an adversary cannot alter $TS$ in the safety-message-signature tuple $\{PsID_i, m, TS, \delta_m, \sigma\}$. If $TS$ has expired or is invalid, the safety-message is dropped. Hence, the proposed scheme successfully resists replay attacks.
• Resistance to impersonation attacks: The attacker must obtain a vehicle's identity in order to send a valid safety-message-signature tuple $\{PsID_i, m, TS, \delta_m, \sigma\}$ by impersonating the authenticated vehicle. Furthermore, based on the preceding analysis, the attacker cannot discover a vehicle's identity in the proposed scheme. The impersonation attack is therefore ineffective in our work. Hence, the proposed scheme successfully resists impersonation attacks.
• Resistance to modification attacks: The signature $\delta_m$ is included in the safety-message-signature tuple $\{PsID_i, m, TS, \delta_m, \sigma\}$ of the proposed scheme and protects the safety-message against modification attacks. During the authentication process at a receiver, if an adversary has modified or changed the safety-message, it is dropped. Therefore, the proposed scheme successfully resists modification attacks.
• Resistance to man-in-the-middle attacks: Mutual authentication between the signer and the receiver is executed in the proposed scheme. If adversaries attempt a man-in-the-middle attack, they must forge both the signer's message and the receiver's message to connect with each side. Nonetheless, based on the above analysis, an attacker cannot mount this type of attack. Hence, our work successfully resists man-in-the-middle attacks.
• Resistance to side-channel attacks: Several scholars resort to saving the private key of the system in the TPD of the OBU, on the assumption that it cannot be compromised by a misbehaving vehicle. Nonetheless, an adversary can easily get critical data stored in the TPD via a side-channel attack. To cope with this attack, our work regularly updates $Pdm$ in the TPD, where $Pdm = h_3(ID_i \| SP_{vi})$. The pseudonym $Pdm$ of the vehicle is used frequently and repeatedly; therefore, if $Pdm$ is not continuously updated, the misbehaving vehicle has ample opportunity to disclose and exploit the pseudonyms associated with the safety-messages. In the proposed scheme, however, $Pdm$ is already updated before an adversary can disclose and exploit it. For example, once adversaries reach the vehicle's TPD directly, they disclose the registered pseudonym $Pdm$ used for calculating the safety-message-signature tuple $\{PsID_i, m, TS, \delta_m, \sigma\}$. In our work, the pseudonym is frequently and periodically updated (see Subsection IV-D), so the adversary is unable to exploit the previously revealed pseudonym. Thus, our work successfully resists the side-channel attack.
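The relations stated in the identity privacy and traceability items above ($Pub = kP$, $PsID_i^1 = wP$, $PsID_i^2 = Pdm \oplus h_1(wPub)$) can be exercised end to end. The following is an added example, not code from the paper: it builds pseudo-IDs on the vehicle side and recovers $Pdm$ on the TA side as $PsID_i^2 \oplus h_1(k\,PsID_i^1)$, which follows from those relations. The secp256k1 curve, SHA-256 standing in for $h_1$ and $h_3$, the byte encodings, all function names and the sample identity and period are assumptions.

```python
import hashlib
import secrets

# Assumption: the page names no curve, so secp256k1 domain parameters are used.
P_FIELD = 2**256 - 2**32 - 977
A, B = 0, 7
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def on_curve(pt):
    """True if pt satisfies y^2 = x^3 + A*x + B over the prime field."""
    x, y = pt
    return (y * y - x * x * x - A * x - B) % P_FIELD == 0


def point_add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_FIELD == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_FIELD) % P_FIELD
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_FIELD, -1, P_FIELD) % P_FIELD
    x3 = (lam * lam - x1 - x2) % P_FIELD
    return x3, (lam * (x1 - x3) - y1) % P_FIELD


def scalar_mult(k, pt):
    """Double-and-add. Not constant time, so it leaks k through timing:
    acceptable for illustration, not for code running inside a TPD."""
    result = None
    while k:
        if k & 1:
            result = point_add(result, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return result


def _hash(tag, data):
    # Assumption: SHA-256 with a domain tag stands in for the page's hashes.
    return hashlib.sha256(tag + data).digest()


def h1(pt):
    return _hash(b"h1", pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big"))


def h3(data):
    return _hash(b"h3", data)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def ta_keygen():
    """TA private key k and public key Pub = kP."""
    k = secrets.randbelow(Q - 1) + 1
    return k, scalar_mult(k, G)


def pseudonym(identity, short_period):
    """Pdm = h3(ID_i || SP_vi); the length prefix keeps the encoding unambiguous."""
    return h3(len(identity).to_bytes(2, "big") + identity + short_period)


def make_pseudo_id(pdm, pub):
    """Vehicle side: PsID^1 = wP, PsID^2 = Pdm xor h1(w * Pub), fresh w each call."""
    w = secrets.randbelow(Q - 1) + 1
    return scalar_mult(w, G), xor(pdm, h1(scalar_mult(w, pub)))


def trace(k, psid, registry):
    """TA side: k * PsID^1 = k(wP) = w(kP) = w * Pub, so the mask cancels."""
    psid1, psid2 = psid
    pdm = xor(psid2, h1(scalar_mult(k, psid1)))
    return pdm, registry.get(pdm)  # identity is None if nothing matches


if __name__ == "__main__":
    k, pub = ta_keygen()
    pdm = pseudonym(b"VEH-0001", b"2020-W14")   # constructed sample values
    registry = {pdm: b"VEH-0001"}               # TA registration list
    first, second = make_pseudo_id(pdm, pub), make_pseudo_id(pdm, pub)
    print("pseudo-IDs differ:", first != second)
    print("TA traces to:", trace(k, first, registry)[1])
    print("wrong key traces to:", trace(k % (Q - 1) + 1, first, registry)[1])
```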

C. SECURITY COMPARISON
This section compares the design goals, in terms of security requirements, between the other related schemes and the proposed scheme. Table 3 shows the comparison of security requirements. Let SR-1, SR-2, SR-3, SR-4, SR-5, SR-6 and SR-7 refer to message integrity and authentication, identity privacy preservation, traceability and revocation, resistance to replay attacks, resistance to impersonation attacks, resistance to modification attacks, and resistance to side-channel attacks, respectively. According to Table 3 [14], Al-shareeda et al. [16] or Al-shareeda et al. [17] schemes satisfy all of the security requirements in the system. Nonetheless, the security requirements are completely satisfied in the proposed scheme.

VI. PERFORMANCE EVALUATION
To address the issues of system overhead in terms of computation cost and communication cost, we present the analysis and comparison of the performance evaluation between the proposed scheme and the schemes proposed by Jianhong et al. [23], Bayat et al. [14], He et al. [15], Al-shareeda et al. [16] and Al-shareeda et al. [17]. The computation cost concerns the cryptographic operations that have to be executed when signing and verifying the messages, while the communication cost concerns the size of the safety-message-signature tuple, which contains multiple elements. The following subsections describe the computation cost and communication cost in detail.

A. COMPUTATION COST ANALYSIS
For bilinear pairing, an additive group $G_1$ is computed at an 80-bit security level. Various parameters of the ECC and bilinear pairing schemes are given in Table 5. In this paper, MIRACL [32], a widely used cryptographic library, is used in our experiment because it allows us to measure the computation cost in terms of the execution time of several cryptographic operations. The cryptographic operations used in the work [16] are employed in this paper; see Table 4. For simplicity, let PSSM, SVSM and BVSM denote the phase of signing safety-message, single verifying safety-message and batch verifying safety-messages, respectively.
In the He et al. [15] scheme, PSSM includes three scalar multiplication operations and three one-way hash functions; therefore $3T^{ECC}_{pm} + 3T_h$ is the whole computation overhead for PSSM. SVSM includes three scalar point multiplication operations and two one-way hash functions; therefore the total cost is $3T^{ECC}_{pm} + 2T_h$. BVSM includes $(n + 2)$ scalar multiplication operations and $(2n)$ one-way hash functions; therefore $(n + 2)T^{ECC}_{pm} + (2n)T_h$ is the whole computation overhead for BVSM. In the same way, we compute the computation cost of the other existing schemes. In the proposed scheme [17] scheme, PSSM includes one scalar multiplication operation and two one-way hash functions; therefore $1T^{ECC}_{pm} + 2T_h$ is the whole computation overhead for PSSM. SVSM includes two scalar multiplication operations, one point addition operation and one one-way hash function; therefore $2T^{ECC}_{pm} + 1T_h$ is the whole computation overhead for SVSM. BVSM includes $(2)$ scalar multiplication operations, $(n+1)$ point addition operations and $(2n)$ one-way hash function operations; therefore $2T^{ECC}_{pm} + (n)T_h$ is the whole computation overhead for BVSM. In the same way, we compute the computation cost of the other existing schemes.

B. COMMUNICATION COST ANALYSIS
In this section, we present the performance evaluation in terms of the communication cost. In order to achieve the same level of security in the proposed scheme and the other schemes, we use the parameters presented in Table 5. The assumptions made in our work are consistent across the schemes: the size of a timestamp is 4 bytes and the size of the output of the secure hash function is 20 bytes. Table 8 presents the communication cost of the proposed scheme and the other schemes.
The safety-message-signature tuple in the He et al. scheme [15] is (40 * 3 + 20 + 4) = 144 bytes, where the tuple consists of three elements in $\{PID_{il}^1, PID_{il}^2, R_i \in G\}$, one element $\{\sigma_m \in Z_q\}$, and one timestamp. In our scheme, the vehicle sends a safety-message-signature tuple of size (3 * 20 + 40 + 4) = 104 bytes, and the content of the tuple is one timestamp, one item in $\{PsID^1 \in G\}$ and two items in $\{PsID^2, \delta_m, \sigma \in Z_q\}$. In the same way, we compute the communication cost of the other existing schemes. Table 8 shows the whole communication cost of the proposed scheme and the other schemes, and Figure 5 illustrates the corresponding outcome.

VII. CONCLUSION AND FUTURE WORK
In this paper, an efficient conditional privacy-preserving authentication scheme is proposed. Compared with other schemes, our scheme can resist the side-channel attack by periodically updating the critical data stored on the TPD of the vehicle's OBU. Also, the proposed scheme is shown to be secure during authentication according to the rules of BAN logic. The security analysis proves that the design goals regarding the security requirements are satisfied in our work. Finally, because the proposed scheme uses the one-way hash function and ECC, its performance evaluation shows the lowest computation cost and communication cost compared to other existing schemes.
In future work, the experiment could be executed utilizing platforms of network simulation, such as SUMO and OMNET++, to simulate road traffic and VANET networks, respectively.