A Lightweight BT-Based Authentication Scheme for Illegal Signatures Identification in VANETs

Research related to vehicular ad hoc networks (VANETs) has received significant attention in recent years. Despite all the advantages, the security and privacy in VANETs still become the main challenge that is widely open to discussion. The authentication scheme plays a substantial role to guarantee the security and privacy of information circulation and verification efficiency in VANETs. In this high-density environment, a scalability issue would emerge when the number of message-signature pairs received by a roadside unit (RSU) or vehicles becomes large. This issue happens because those entities cannot sequentially verify each received signature according to the required time limit. Researchers believe that the symmetric cryptography-based authentication scheme provides a lightweight verification operation, which leads to low computation cost. Combined with the batch verification process, this approach can be beneficial. However, to the best of our knowledge, not many of those related schemes provide a realistic scenario regarding illegal signatures’ appearance. Could the system identify the forged messages? Is it still efficient enough to do such an operation? In this paper, we propose a lightweight binary tree-based (BT-based) authentication scheme with a batch verification mechanism, that could efficiently identify a modest amount of illegal signatures in the sum of messages. To even improve the operation, we combine our BT-based batch verification scheme with our vehicle reputation scoring system. By this approach, we can guarantee the best-case scenario (the most desirable condition) in our BT-based identification appear as much as possible. Hence, the computation cost can be kept low.


I. INTRODUCTION
Vehicular ad hoc networks (VANETs) have been attracting many researchers since their emergence in early 2000. Its capability in providing information dissemination among the vehicles will become the future of our road transportation systems. This approach aims to improve driving safety as its primary goal. Since VANETs are loaded with intelligent transportation system (ITS) properties, it will make all of these smart vehicles could communicate with each other via The associate editor coordinating the review of this manuscript and approving it for publication was Theofanis P. Raptis . vehicle-to-vehicle (V2V) and to the roadside unit (RSU) via vehicle-to-infrastructure (V2I) communications [1], [2], [3].
As depicted in Figure 1, VANETs are composed of three major entities, i.e., trusted authority (TA), RSU, and onboard unit (OBU). TA acts as the trust and security management center of the entire VANETs entities. Its job, including registration and parameters generation for RSUs and OBUs after they join the network. It also revokes nodes in the case of vehicles broadcasting fraud messages or performing malicious behavior [4]. Meanwhile, RSUs are fixed infrastructures located along the road at dedicated locations, such as intersections or parking lots, which are fully controlled by TA [5]. They act as a bridge between TA and vehicles (OBUs). RSUs are connected to TA by wire and OBUs by a wireless channel.
In this new environment, a vehicle could broadcast a traffic-related message with hundreds of other vehicles (V2V) or RSUs (V2I) every 100-300 ms [6]. An OBU is equipped in every vehicle as a transceiver unit. It will broadcast information like position, speed, and direction to improve the road environment, traffic safety, and create mutual awareness of the vehicles around local traffic conditions [7].
Despite all its advantages, security and privacy become significant concerns due to its unique characteristics, e.g., open wireless communication, rapid topology shift, and many message exchange [8]. The most common approach to protecting the confidentiality of substantial message exchange in VANETs is by signing each message with a digital signature. Meanwhile, an efficient anonymous authentication scheme for VANETs is required to meet the strict time requirements in VANETs [9].
On the other hand, a scalability issue would emerge when the number of signatures received by a roadside unit (RSU) or vehicles becomes large. Therefore, a batch verification scheme was introduced to reduce the computational overhead in RSU and OBU in verifying a large number of signatures [10]. Batch verification is a method for verifying large amounts of digital signatures at once. This method can reduce the computational cost compared to one-byone schemes [11]. Without batch verification, a sequentially large number of signatures could take a long time and undeniably cause a bottleneck at the RSUs and OBUs. If roughly 180 vehicles are kept within the communication range of an RSU, and each vehicle is sending a message every 300 ms; this means a verifier (such as an RSU) has to verify 600 messages per second [10].
In this paper, we propose a lightweight symmetric authentication scheme with a binary tree-based (BT-based) batch verification mechanism. Our lightweight authentication scheme is based on Liu et al.'s [12] SEGKA scheme, which has been rectified and improved. In this RSU-centric scheme, RSU has the responsibility to authenticate and compute/update the group key for vehicles in its area. Meanwhile, in our BT-based verification scheme, we apply our reputation scoring mechanism to efficiently reduce the computation cost, particularly in the case when illegal signatures appear in the batch. Illegal signatures produced by adversaries may pose a severe consequence to the recipient. Meanwhile, detecting it in a group of messages can be a difficult and time-consuming process [13]. Therefore, to improve the situation, by implementing our BT-based authentication scheme, RSU will get a substantial assist to speed up the verification process.
For a better understanding, the rest of this paper is organized as follows. In Section II, we review the related work. Section III introduces preliminaries about the system design, security and privacy requirements, concepts of bilinear maps, and a brief explanation about reputation management. Our proposed scheme is conveyed in Section IV. In Section V, we discuss the illegal signature identification scheme with BT-based batch verification. Meanwhile, Section VI discusses the efficiency of the BT-based scheme with our vehicle reputation mechanism is presented. The security and performance analyses of our scheme are in Section VII. Finally, the conclusion is conveyed in Section VIII.

II. RELATED WORK
In 2016, Vijayakumar et al. [14] proposed symmetric keybased dual authentication and dual key group management security protocol to improve security in VANETs. The scheme intends to avoid a malicious vehicle M using the secret key of any legitimate number for participating in VANETs. It relies on the fingerprint and hashes code (HC) for the authentication process. The authors claimed that the mechanism could withstand the replaying attack by appending it with an updated timestamp and the packet's transmission. Another notable authentication scheme based on identity-based cryptography was proposed by Tzeng et al. [15] in 2017. They improved Lee and Lai's [16] scheme by revealing its vulnerability to the identity privacy-preserving attack, the forgery attack, and the antitraceability attack. It has proven that their scheme is survived against security and privacy requirement issues, such as message authentication, identity privacy-preserving, traceability, non-repudiation, unlinkability, and replay attacks. They also gave a more effective computation and communications delay value compared with any equivalent bilinear identity-based batch verification (IBV) schemes [17].
In 2017, Azees et al. [18] proposed a public key infrastructure-based (PKI-based) efficient anonymous authentication scheme with conditional privacy-preserving (EAAP) in VANETs. EAAP provides both V2I and V2V communications. In EAAP, TA doesn't require storing the vehicle's and RSU's certificates. Instead, it is self-generated by itself. EAAP has two authentications processes: in vehicle side and the RSU side. Vehicle must register themselves to TA before getting communicate to another vehicle (V2V). Then vehicles must authenticate themselves to any RSUs in every area, in order to obtain particular location-based safety information (LBSI). The scheme itself was declared secure against impersonation attacks, bogus message attacks, message modification attacks, and providing privacy preservation and anonymity during the authentication of vehicles and RSUs.
However, in 2020, Gu  Meanwhile, related to the idea of the BT-based scheme, in 2009, Jiang et al. [20] proposed an idea of a robust signature scheme in V2I communication called binary authentication tree (BAT). The scheme efficiently diminishes the bottleneck issue in batch verification performance and so significantly reduced computational overhead. In BAT, the RSUs can quickly distinguish bogus messages from all the authentic ones, allowing them to withstand message flooding attacks to a great extent. However, in 2012, Wang et al. [21] discovered that Jiang et al.'s BAT cannot resist the forgery attack. They launch two types of attacks on any message, in which the adversary can counterfeit the batch verification and the signatures of the other vehicles. In the first case, any signer can remove any other user's components from the batch verification process. In 2013, Shim [35] also shows that Jiang et al.'s BAT scheme is insecure against forgery attacks, replay attacks, and Sybil attacks. All of the related works are shown in Table 1.

III. PRELIMINARIES
In this section, we introduce the system design, security and privacy requirements, the concept of a bilinear mapping operation, and a brief explanation about reputation management.

A. SYSTEM DESIGN
The two-layer concept in VANETs, with TA on the top, while RSUs and OBUs on the lower layer, have been introduced by Zhang et al. [10]. The task and function of each entity have been briefly described in Section I. Referring to [15], in our VANETs ecosystem, we assume: 1) TA is uncompromised; 2) Only TA that can reveal the real identity of the other entity; 3) TA -RSU communicate through a secured wireline networks;  4) RSU are semi-trusted (trusted but curious, it may reveal the privacy of the vehicle); 5) TPD is assumed to be credible.

B. SECURITY AND PRIVACY
The following are the description of security and privacy requirements that must hold in VANETs [14], [15], [22].

1) MESSAGE AUTHENTICATION
The implementation of the message authentication method is intended to allow the vehicle or RSU, to differentiate the original message from the bogus message. Furthermore, message authentication is also applied to resist modification and impersonation attacks.

2) NON-REPUDIATION
This requirement will give the message receiver a guarantee about the integrity and authenticity of the information they receive. The sender of the message cannot deny the information they have sent.

3) IDENTITY PRIVACY-PRESERVING
A sender of a message should be anonymous within a set of potential senders. As the user's real identity will be converted to an anonymous identity through TPD assistance. Therefore, without knowing the private master key of the TPD, an adversary cannot reveal the legitimate user's real identity. However, to reach accountability, only conditional anonymity is possible in VANETs, which is also related to traceability.

4) TRACEABILITY
The trusted authority (TA) should be able to reveal the real identities of the anonymous identities of the user in the case of a dispute. Traceability is also called conditional anonymity.

5) REPLAYING ATTACK RESISTANCE
The networks could endure a passive data capture and subsequent retransmission to produce an unauthorized message by the adversaries.

6) UNLINKABILITY
An adversary vehicle (or RSU) should not link two or more subsequent pseudonym messages of the same vehicle.

C. BILINEAR MAP
The bilinear mapê could be obtained from the modified Weil [23] or Tate pairings [24] on elliptic curves. Its security and complexity lie in the computational Diffie-Hellman problem (CDHP), which is believed to be hard to solve [25]. Let G 1 be a cyclic additive group generated by P, and G 2 is a cyclic multiplicative group with the same prime order q. Letê : G 1 × G 1 → G 2 be a bilinear map if it satisfies the following properties: 3) Computable: For any P, Q ∈ G 1 , there is an efficient algorithm to computeê(P, Q).
As G 1 is a cyclic additive group generated by P, given P, aP, bP ∈ G 1 , and a, b ∈ Z * q are unknown values. The CDHP is hard, because there is no polynomial time algorithm that can discover abP ∈ G 1 .

D. REPUTATION MECHANISM
In this paper, we are applying a reputation scoring mechanism for minimizing the computation cost of the BT-based verification scheme. In general, reputation management schemes are used for building trust among entities in VANETs. Based on the reputation values, vehicles may pick trustworthy messages sent by others that are intended for themselves.
In general, the trust models in VANETs can be classified into three categories: (i) entity-centric, (ii) data-centric, and (iii) the combined trust models [26]. Briefly described, entitycentric and data-centric trust management is focused on evaluating the trustworthiness of the vehicles and the received data, respectively. Meanwhile, the combined trust model integrates the entity-centric and data-centric mechanisms to establish trust in VANETs. In this work, we concentrate on the improved entity-based trust management method to aim for faster computation. It would be easier to arrange the signatures sequentially from the highest reputable vehicle to the lowest one by sorting all signature value coming to the batch.
To emphasize our point about reputation management's role in this work, we make assumptions about real-world applications. The first assumption is in VANETs majority of the vehicles are considered honest. So, in the following section, we will work with a small amount number of forged signatures. Second, we argue that vehicles with low-reputation scores tend to be more malicious than the high-reputation ones. Therefore, to increase the efficiency of finding illegal signatures in the batch, the BT-based scheme is used to maximize the opportunity for having the best scenario more often. A detailed explanation of the implemented reputation management system will be discussed in Section VI.

IV. BATCH VERIFICATION FOR TRAFFIC INFORMATION
As mentioned in Section I, our scheme is built based on Liu et al.'s [12] SEGKA scheme. By modifying its vehicle signing, RSU verification, group key generation, group member joining, and group member leaving phases, we made our improvement. Still adapting the full seven phases of the SEGKA, our proposed scheme consists of: parameter initialization, vehicle and RSU registration, vehicle signing, RSU verification, group key generation, group member joining, and group member leaving phases. To comprehend the scheme's procedure, notations throughout this paper are presented in Table 2.

A. PARAMETER INITIALIZATION
In this early phase, TA generates initial system parameters params for vehicles and RSU. First, it selects a cyclic additive group G 1 generated by P, and a cyclic multiplicative group G 2 with the same prime order q, to construct a bilinear mapê : Then, TA selects a secret parameter s ∈ Z * q as its master key and computes P pub = sP as its public key. TA selects a map-to-point hash function H (·) : {0, 1} * → G 1 and a one-way hash function h(·) : {0, 1} * → Z * q . Finally, TA broadcasts params = {G 1 , G 2 ,ê, q, P, P pub , H (·), h(·)} to vehicles and RSU in the network.

B. VEHICLE AND RSU REGISTRATION
Vehicle owners will directly go to the TA during the (offline) registration process. They must provide information such as name, address, email address, phone number, etc. to the TA. Then, TA registers both vehicles V i and RSU for being able to communicate in VANETs. The a i and b i denote a shared secret key of TA -V i and a shared secret key of V i -RSU, respectively. TA computes c i = sH (a i ⊕ RID i ) and sends The process of this phase is shown in Figure 2.

C. VEHICLE SIGNING
In this phase, V i selects a random nonce r i ∈ Z * q to generates its pseudo-identity and T i is the signing time. Finally, V i sends X i = ENC PK RSU (r i PID i σ i T i ) to RSU, with PK RSU = SK RSU P is the public key of RSU. The diference towards [12], they do not encrypt (r i PID i σ i T i ). The process of this phase is shown in Figure 2.

D. RSU VERIFICATION
Upon receiving X i from V i , RSU decrypts X i using its secret key DEC SK RSU (ENC PK RSU (r i PID i σ i T i )) and checks the freshness of T i . In the single verification mode, RSU verifies σ i by checking whether (1) holds or not.
Meanwhile, in the batch verification mode, RSU verifies σ i by checking whether (2) holds or not.
When both of (1) and (2) are hold, so the vehicles are authenticated. The process of this phase is shown in Figure 3.

E. GROUP KEY GENERATION
After σ i is authenticated, the RSU will generate the group key for vehicles in its area. RSU selects a random nonce d RSU ∈ Z * q , and computes D i = d RSU PID i,1 and K RSU = e (D G , d RSU P), with D G = n i=1 D i . In this phase, our modification towards the SEGKA, D G is computed in the RSU rather than in V i . Then, RSU computes its signature · · · D n , and broadcasts Z = σ RSU D to vehicles in its area. After receiving Z , V i verifies σ RSU by checking whetherê(σ RSU , P) =ê(H (D), PK RSU ) holds or not. If yes, V i computes the group key K i =ê D G , r −1 i D i . The process of this phase is shown in Figure 3.

F. GROUP MEMBER JOINING
When a new vehicle V a joins the network, it will selects a random nonce r a ∈ Z * q to generates its pseudo-identity PID a = (PID a,1 , PID a,2 ), where PID a,1 = r a P and PID a,2 = a a ⊕ RID a ⊕ H (b a PID a,1 ). Then, V a calculates its signature σ a = c a + b a c a h(M a ), where M a = PID a T a , and sends X a = ENC PK RSU (r a PID a σ a T a ) to RSU. After receiving X a , RSU decrypts it using its secret key DEC SK RSU (ENC PK RSU (r a PID a σ a T a )) and check the freshness of T a . The RSU verifies whether PID a,2 = VID a ⊕ H (b a PID a,1 ). If holds, RSU verifies σ a by checking whetherê(σ a , P) =ê(H (VID a )(1 + b a h(M a )), P pub ) holds or not. If holds, RSU allows V a for joining the network. When V a joins the network, RSU will update the group key by selects a random nonce d RSU

V. ILLEGAL SIGNATURES IDENTIFICATION WITH BT-BASED BATCH VERIFICATION SCHEME
In 2013, Atanasiu [27] proposed a BT-based batch verification scheme for identifying illegal signatures. When the verifier receives the messages M 1 , σ 1 , M 2 , σ 2 , · · · , M n , σ n from the signer, the verifier will re-order these signatures by a total order relation and perform the following procedures to verify the illegal signature. The representative approach of Atanasiu's work is presented based on work in [13]. A. PRINCIPAL OF THE BT-BASED BATCH VERIFICATION SCHEME For example, there are eight signatures in the batch, r 1 , PID 1 , σ 1 , T 1 , r 2 , PID 2 , σ 2 , T 2 , · · · , r 8 , PID 8 , σ 8 , T 8 that come to the RSU. RSU will re-orders these signatures by a total order relation: Assume there is one illegal signature σ 7 appears in the batch (see Figure 4). The verifier performs one-time batch verification with all eight signatures in (3).

B. ANALYSIS OF BT-BASED ILLEGAL SIGNATURES IDENTIFICATION MECHANISM
In this subsection, we analyze the effectiveness of the BT-based batch verification method in verifying illegal signatures. We divide the discussion into two scenarios, the best-case and the worst-case. In the best-case scenario, all illegal signatures' locations are located consecutively in the same tree. Figure 5 and Figure 6 are two examples of the number of calculations in the best-case scenario with two and four illegal signatures, respectively.
On the other hand, the worst-case scenario is that all illegal signatures' locations are in different trees and scattered everywhere. Figure 7 and Figure 8 are two examples of the number of calculations in the worst-case scenario with two and four illegal signatures, respectively.

1) THE BEST-CASE SCENARIO
If there are b illegal signatures in the n messages, the number of calculations T best in the best-case scenario can be determined using (7) Since we are using a ceiling function, the number of calculation T best for one and two illegal signatures are the same. In the best scenario, if we have two illegal signatures (σ 1 and σ 2 ) in the eight messages, the number of calculations   T best is seven exponential operations (see the numbers of red operation {P 0 , P 1 , P 2 , P 3 , P 4 , σ 1 , σ 2 } in Figure 5 and (8)): If there are three illegal signatures (σ 6 , σ 7 and σ 8 ) in the eight messages (see Figure 9 and (9)), the number of calculations T best is nine exponential operations {P 0 , P 1 , P 2 , P 5 , P 6 , σ 5 , σ 6 , σ 7 , σ 8 }. Those number of calculations is the same as if we have four illegal signatures in eight messages as seen in Figure 6. We still have to compute σ 5 even though it is not illegal.

2) THE WORST-CASE SCENARIO
If there are b illegal signatures in the n messages, the number of calculations T worst in the worst-case is shown in (10).
So, let two illegal signatures (σ 1 and σ 8 ) appear in the eight messages as depicted in Figure 7, the number of calculations T worst is 11 exponential operations (see Figure 10). Even though it is just σ 1 and σ 8 that being illegal, (11) still need to compute σ 2 and σ 7 , because they are located in the same tree.
So, if we have four illegal signatures σ 2 , σ 4 , σ 6 , and σ 8 that located in the different tree, the number of calculations become 15 exponential operations (see Figure 11).

VI. IMPROVING THE EFFICIENCY OF BT-BASED BATCH VERIFICATION SCHEME
As discussed in Section V, to identify the illegal signatures that could appear in the batch, we have applied a BT-based scheme to address the forged signature's location. However, by such implementation, we still have a probability of having a worst-case scenario, in which the forged signatures could be scattered in the tree. By those conditions, we will suffer from a high computational cost.
To improve efficiency, we implement a reputation scoring mechanism for every vehicle in the network. The reputation algorithm used in this work aims to arrange all vehicles' reputation value in the table. By giving every vehicle a reputation score, we can arrange the signatures sequentially from the highest-reputable vehicle to the lowest. Therefore, with avowed assumptions in Section III.D, we try to make the probability of the best scenario appearing in the batch as frequent as possible. To implement those scenarios, we have to ensure the signatures from the low-reputation vehicles are arranged in the same branch of the tree. A message will be considered a trusted one if transmitted by a high-reputation vehicle and vice versa.
In [28], Hussain et al. proposed a hybrid (combined) trust model for vehicular social networks. To calculate trust, each node j calculates the trust value for its neighbor i based on two factors: a direct encounter between i and j, and endorsement by i's neighbors of message broadcasted by i. Relatively similar with [28], Dong et al. [29] also propose a reputation management scheme that involves the neighbors as the whole determinant of its scoring system. However, not like [28], Dong et al. propose their idea to work in a blockchain environment.
Meanwhile, a recent study in the data-centric trust model was proposed by Su et al. [30]. They offer a centralized reputation mechanism for detecting malicious information dissemination among vehicles in 5G networks. It will decide whether to trust a received message or not according to the reputation value of the sender. Meanwhile, the validation process of the collected information would be conducted later.
From all of those mentioned schemes [28], [29], [30], they have a similarity in how they use neighbor's validation and their trust value as part of the assessments. By slightly modifying their idea, we consider the neighboring vehicles as the partial contributor to every user's reputation value. We consider the current reputation value rep (t) i is a mixed between vehicle V i 's previous reputation score rep (t−1) i and the current neighbor's validation value. The scoring mechanism is done by fellow vehicles in a peer-to-peer manner, even though our authentication scheme is V2I-based.   j . However, by considering real-world applications, the majority of vehicles are honest; we assume if the assessment that comes from neighboring vehicles is fair.
To make a substantive approach towards how the neighbor vehicles V j validate the V i , we use a five-star rating concept as the assessment method. This common practice will let users quickly rate other vehicles' information based on their real perception. The five-star reputation rating and its value are represented in Table 3.
Suppose we are given eight vehicles in the networks with RSU receiving messages from the entire neighborhood (see Figure 12). Every reputation score of each vehicle presented in Figure 12 is stated in time t − 1.
To simplify the implementation of our reputation value in this context, we are setting several assumptions. First, we assume if every vehicle broadcasts the same accurate information that is equally correct to RSU. Second, every vehicle will give the same valuation p  8 ) from each vehicle in the network, vehicle RSU as the receiver can sort each sender's reputation score from the highest to the lowest (see Table 4). Each reputation value rep (t) i represents its corresponding signature σ i . By using a common sort tree algorithm, we can arrange the signature from the highest reputation value or vice versa to maximize the best-case scenario probability.

VII. SECURITY AND PERFORMANCE ANALYSIS
In this section, we analyze the security and performance of the proposed scheme, which includes non-repudiation, identity privacy-preserving, message authentication, traceability, resistance to replay attacks, unlinkability, backward secrecy, and forward secrecy, as follows.

A. SECURITY ANALYSIS 1) MESSAGE AUTHENTICATION
Message authentication is the most fundamental security requirement to confirm the legitimacy of a message's source and its integrity in any communication [16]. Our proposed scheme employs a one-way hash function h(·) to protect message M i in signature σ i . Without knowing the shared secret value of a i and b i , that lead to c i , it is inaccessible to forge a valid σ i . Moreover, since we believe that the CDHP in G 1 is hard to solve, it is difficult to derive the c i from s, a i , and RID i . Therefore, M i that is sealed by h(·) is unforgeable, and the message authentication requirement is achieved.

2) NON-REPUDIATION
The vector v i is used to avoid user swap of the M i and σ i [16]. If the adversary A wants to deny the signatures by swapping M i and σ i , his/her signatures will result in the batch message verification failing. We perform the small exponent test that previously conducted in [31] and [32]. Givenly P is a generator in G 1 , we have (σ 1 , y 1 ), (σ 2 , y 2 ) , · · · , (σ n , y n ), with σ i ∈ Z p and y i ∈ G 1 , check if ∀i ∈ {1, 2, · · · , n} :ê(σ i , P) = e(y i , Q), by doing the following steps: • Selects random parameters l 1 , l 2 , · · · , l n ∈ {0, 1} l • Compute A = n i=1 l i y i and B = n i=1 l i σ i • Ifê(B, P) =ê(A, Q), then accept, otherwise reject. The batch instance will be (σ 1 , y 1 ), (σ 2 , y 2 ),· · · , (σ n , y n ), with y i = (H (VID i )(1 + b i h(M i )), P pub ). The verification of the signature consists of checking operation thatê(σ i , P) = e(y i , Q). If A wants to make false multiple digital signatures σ i valid, he/she must make those operation holds. Since A did not know the values of l that leads to the value of v i , it is difficult for A to makeê(σ i , P) =ê(y i , Q) holds.

3) IDENTITY PRIVACY-PRESERVING
To get a PID i = {PID i,1 , PID i,2 }, user must input their RID and PWD, then verified by the TPD. Since PID i,1 = r i P and 1 ). However, since we believe that computational Diffie-Hellman problem (CDHP) used in the bilinear pairing operation is hard, hence we argue that A cannot obtain any vehicle's V i real identity RID i easily [10], [33]. 1 ), since only TA and the particular vehicle V i who know the value of a i , so in the case of dispute, TA can reveal the RID i of all vehicles in the network.

5) RESISTANCE TO REPLAYING ATTACK
In the vehicle signing phase, we employ a timestamp T i in X i = ENC PK RSU (r i PID i σ i T i ) to ensure the freshness of the message. RSU will decrypt the message and receive the latest message from vehicles. Meanwhile, A cannot replay the message since it has been encrypted using RSU's public key, and only the RSU can decrypt it using its private key.

6) UNLINKABILITY
During the vehicle signing phase, a pseudo-identity PID i = {PID i,1 , PID i,2 } is utilized to generate the signature σ i . To create PID i,1 = r i P, we use a different random number Therefore, any A attempting to link two or more consecutive signatures may fail since the message's contents change each time the pseudo-identity and timestamp change.

7) BACKWARD SECRECY
Backward secrecy means any newly joining vehicles cannot obtain the previous group key, even if it has the current one. As a result, they are unable to read the group's previous conversations. When a new vehicle joining the network, RSU will generate a new random nonce d RSU ∈ Z * q , to compute · · · D n D a . RSU then broadcasts Z = σ RSU D to vehicles in its area. After receiving Z and validating σ RSU , all vehicles, including the new one, compute the new group key K i =ê D G , r −1 i D i . Therefore, the newly joining vehicle don't have any opportunity to obtains the old group key K i , and infiltrate any previous communication.

8) FORWARD SECRECY
Forward secrecy means any leaving vehicles cannot obtain the future group's key, even if it has the current one. As a result, they are unable to read the group's future conversations. When a vehicle leaving the network, RSU will generate a new random nonce d RSU ∈ Z * q , to compute RSU then broadcasts Z = σ RSU D to vehicles in its area. After receiving Z and validating σ RSU , all current vehicles compute the new group key K i =ê D G , r −1 i D i . Therefore, the leaving vehicle don't have any opportunity to obtains the new group key K i , and infiltrate any future communication.

B. PERFORMANCE ANALYSIS
This subsection mainly discusses the comparison of computation complexity between ours and the other related schemes, as presented in Table 5. Related to the rapid topology shift in VANETs, verification delay becomes the most critical process to address because it could affect information value.
Let PC is a pairing operation cost, SC is a scalar multiplication cost, HC is a map-to-point hash function cost, and EC is an exponentiation operation cost in G 1 . We adopt an experiment in [34], which observes computation overhead in Python charm cryptographic library, on Intel Core i7-4765T 2.00 GHz and 8 GB RAM machine. The following results are obtained: PC is 1.34 ms, SC is 5.13 µs, HC is 0.0065 ms, EC is 2.03 ms. In Table 4, we only focus on comparing our scheme with the existing schemes proposed by Liu et al. [12], Tzeng et al. [15], Azees et al. [18], Gu et al. [19], Jiang et al. [20], Wang et al. [21], and Shim et al. [35], in batch signatures verification process, with and without b ≥ 1 fake signatures.
In Table 5, we can see both of Liu et al.'s [12] and our improved scheme use the same constant 3PC + SC operation in the batch verification phase. In the n authentic signatures verification process, the number of pairing operation costs is stay constant for 3PC + SC (as well as Tzeng et al.'s [15] scheme for 2PC + SC). Meanwhile, the computation cost of other schemes will linearly increase with the number of signatures. In Figure 13, we can see a substantial gap between Azees et al.'s [18] and Gu et al.'s [19] schemes, towards the other schemes. This happens because the pairing cost PC operation is affected by the increasing number of n received messages. Meanwhile, as seen in Figure 14, Tzeng et al.'s [15] scheme gives the best result in the n authentic signatures verification process among all compared schemes. VOLUME 10, 2022   However, as seen in Table 5, Tzeng et al.'s [15] scheme does not have a mechanism for verifying n signatures with b ≥ 1 fake signatures appearing in the batch. Therefore, their scheme is not supposedly suitable to encounter a situation, that possibly happens in the real world, where the adversary broadcasts forged messages to the network. At this stage, when such a condition happens, from the above-compared schemes, only Jiang et al.'s [20], Wang et al.'s [21], and our schemes, that have an illegal signatures identification property. Based on the discussion in Section I, a verifier (RSU or vehicle) has to verify around 600 messages per second. To simplify the calculation, we assume there are 512 messages (n) that come to an RSU with four messages (b) presumably forged. In Jiang et al.'s scheme, it takes 5.30656 ms to verify 512 authentic signatures. Meanwhile, FIGURE 14. Verification cost of n authentic signatures without [18] and [19].
when there are four fake signatures appear in 512 messages, their scheme takes 49PC + 512SC = 68.28656 ms. For the same case in Wang et al.'s scheme, it takes 10.55968 ms to verify 512 authentic signatures, and 49PC + 4600SC = 89.258 ms for four fake-included signatures verification. Finally, our scheme only needs 4.02513 ms and 29.48513 ms for without and with four fake signatures from 512, respectively. This result indicates that our proposed scheme can endure the fake signature attacks and provide light computation. This thing is guaranteed by our sorting reputation mechanism that allows our BT-based scheme to be in the best-case scenario state for most of the time. Compared to Jiang et al.'s scheme, which is counted in an average evaluation between best-case and worst-case boundaries. The  Table 6 and Figure 15.
To sum up, this paper's idea is to enhance the features of our batch verification scheme. Our scheme can efficiently detect a modest amount of illegal signatures that appear in the batch. By giving b fraudulent signatures, the number of pairing operations is becoming high if they are uniformly distributed throughout the leaf nodes. The number of pairing procedures is reduced when they are distributed in the batch. Combined with the proposed reputation management, a particular user can batch verifying the received signature that comes to them. After assessing the sending vehicles' trustworthiness, the subsequent sorting operation can be used to keep the computation low. By such an improvement, when the receiver has all-legal signatures, then the message authentication protocol can handle it well by default. Meanwhile, if the receiver has illegal signatures in the batch, the proposed BT-based batch verification scheme with a reputation management method can eminently complement it.

VIII. CONCLUSION
In this paper, we have proposed a lightweight, robust, and practical authentication scheme for V2I (that also could be applied in V2V) communications in VANETs. The security analysis shows that our scheme could withstand non-repudiation, identity privacy-preserving, message authentication, traceability, resistance to replaying attacks, unlinkability, and backward-forward secrecy. To significantly improve the system performance and prevent it from losing its efficiency, we include an extension in our BT-based batch verification scheme as our main point. Our reputation mechanism can guarantee the best-case scenario will appear as much as possible, which keeps the number of computations in finding the illegal signature low. This mechanism can be beneficial for applied in VANETs' environment, particularly for a modest amount of illegal signatures. Because in the real world, we argue if there are more honest people than dishonest ones.