An Anonymous Authentication With Received Signal Strength Based Pseudonymous Identities Generation for VANETs

Anonymous authentication system enables mobile users to anonymously authenticate themselves to an authorized entity such as a Group Manager (GM) without revealing any privacy information. It provides unlinkable but accountable communications as well. These features are useful for wireless mobile networks implementation including vehicle ad-hoc networks (VANETs). However, performance of the system has to be sufficient reliable which may be existing systems have not dealt with yet. In this paper, we propose pseudonymous-based anonymous authentication between participating mobile users involved in the communications. We combine shared key generation based on received signal strength (RSS) between two involving entities and unlinkable but accountable pseudonymous-based anonymous authentication with efficient and effective pseudonym self-generation and revocation process. Our proposed shared key generation provides unique pseudonymous identities (PIDs). Based on PID at epoch time and updated revocation list obtained from GM, we achieve an efficient cost computation of revocation check. We show the measurement scenario of system performance by varying the traffic conditions either quiet or crowded to create communication impairment combined with mobile users’ speed varying on 20 km/h, 40 km/h, and 60 km/h respectively and ping time interval settings on 7 ms, 10 ms, and 20 ms, respectively. Here, the result of evaluation shows that PIDs generation works properly by the number of generated PIDs up to 11 with the highest correlation up to 0.99. Meanwhile, quantization algorithm works properly for 3000 or more ICMP packets and achieves zero key disagreement rate (KDR). Total signing and verification times are sufficient practical about 90 ms and 100 ms, respectively.


I. INTRODUCTION
As the advancement of mobile ad-hoc networks (MANETs) including VANETs, security and privacy are now becoming a matter that is very mandatory to be considered [1], [2], [3], [4], [5]. We realize due to such networks are infrastructureless networks accessed freely and wirelessly at anytime and anywhere as long as the device can reach them. Therefore, everyone is able to access the networks without permission of The associate editor coordinating the review of this manuscript and approving it for publication was Zijian Zhang . the network administrator. Here, the adversaries may join to the networks as well as other users do. With this phenomenon, threats and attacks can occur at anytime. This becomes worse if the information exchanged on the network is an information related to the privacy information. This privacy information may be routine traffic information of users, location, driving behaviour, etc. One of security and privacy-preserving solutions is anonymous authentication. However, other security requirements may also be considered. Fundamentally, anonymous authentications have already addressed the anonymity and unlinkability whereas only trusted authorities who have VOLUME 11, 2023 This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/ ability to reveal them. Meanwhile, other entities involving in the anonymous authentication system are not able to uncover the anonymity and unlinkability. Currently, there are many anonymous authentication schemes and their implementations have been proposed [4], [5], [6], [7], [8], [9], [10], [11], [12], [13], [14], [15], [16], [17], [18], [19], [20], [21], [22], [23], [24], [25], [26], [27], [28]. In these schemes, mobile users may utilize some PIDs and change a PID to other PID to meet unlinkability requirement. Mobile users' PIDs may be embedded for the goal to revoke either misbehaving mobile users or perhaps those PIDs have been expired already. Therefore, the requirement of pseudonyms generation and its PIDs distribution for maintaining secure communications should be considered. Based on reported of Lindell et. al. [2], there are two security requirements in the anonymous authentication: (1) secure authentication that allows no unauthorized user should be able to defraud the system for granting him/her an access, (2) anonymity that allows no entity should know and learn which user is communicating and interacting with. One of widely public key infrastructure algorithms to fulfill these security requirements is group signature. In this algorithm, the valid members in the group are able to sign a message on behalf of the group by using their member secret key without disclosing their privacy information. Moreover, any generated signature could be verified by all other members in the group by using group public key. Thus, by adopting group signature scheme, we can achieve and deploy an anonymous authentication and its implementations including for VANETs.
All members in the group signature defaultly trust to GM. Sun et. al. [8] proposed an efficient key management distribution process using group signature based anonymous authentication in VANETs. The scheme employed batch signature verification to support a distributed certificate service (DCS). Moreover, the scheme does not only reduce significantly revocation cost, but also comply security requirements such as authentication, non-repudiation, revocation, anonymity and unlinkability. Here, the authors introduced four entities involved in the system, such as trusted authority (TA), regional group manager (RM), road-side units (RSUs), and vehicles. In addition, Malina et. al. [4], [5] introduced an efficient group signature for privacy-preserving in the vehicular networks. The proposed system is able to minimize the impact of several common attacks such as denial of services (DoS) and reply attacks. There are four entities involved in the system: TA, GM, RSUs, and vehicles. The scheme [4] focused on the practical of registration, join protocol, signing and verification protocol. However, due to conventional asymmetric cryptography usage in the registration and join protocol, the system is less effective because it needs to maintain a key distribution process of membership. In addition, vehicles and RSUs are suffering from secret key and other public key elements. Gao et. al. [10] introduced identity-based signature with pseudonyms instead of public key infrastructure to achieve the efficiency and effectiveness.
However, multiple pseudonyms are presented to preserve the privacy of vehicles may the system be complex when dealing with much more number of RSUs and vehicles. In addition, other implementations of VANETs using group signature have been introduced as well such as in [4], [6], [7], [8], [9], [10], [12], [16], [19], [22], [24], [27], and [28] that focusing on key management and distribution mechanisms, and trying to achieve as effective as anonymous authentication mechanism among vehicles. Meanwhile, the use of pseudonymous for anonymous authentication in the VANETs has been well proposed [1], [3], [16], [24], [27], [28]. Here, privacy-preserving based on pseudonymity is performed by various solutions for VANETs implementation. Adversary model also has been presented by introducing several potential attacks globally, locally, actively, passively, internally or externally. In this case, pseudonym lifecycle is well described and explained regarding its issuing, usage, changing, resolution, dan revocation as well. An anonymous identity authentication based on pseudonym for the implementation of mobile crowdsensing (MCS) [15], [18], [21], [25] has been proposed. The definition of attack model for MCS network is explained as well. Here, the authors combined public key infrastructure and public key to solve the problem of management in large scale and evaluated the proposed anonymous authentication by testing the function and performance.
Throughout an efficient verifier-local revocation (VLR) group signature algorithm, Rahaman et. al. [25] proposed an enabler anonymous but considering the accountability of communications. They introduced a sublinear revocation with backward unlinkability and exculpability (SRBE) scheme to support the implementations such as smartphone-based crowdsensing, citizen science, and vehicular communications. However, it has a drawback when handling a particular scenario that needs more than one pseudonyms within epoch time. Sucasas et.al, [21], [23] introduced an attribute-based credential (privacy-ABC) to support pseudonym-based authentication through embedded attributes in cloud services implementation. Here, a pseudonym-based signature scheme is proposed to enable unlinkable pseudonym by self-generating the embedded attributes. This scheme offered verifiable delegation and enabling users to share attributes to the service provider. In addition, the used of different pseudonyms is guaranteed to unlink for the same user. However, different pseudonyms from the same user are not able to be used for the same task.
In this paper, we propose pseudonymous-based anonymous authentication between participating mobile users involved in the communications. We combine previous scheme [29], [30] of shared key generation based on RSS used for ensuring the similarity of shared-key between two involving entities in the either vehicle-toinfrastructure (V2I) or vehicle-to-vehicle (V2V) communications and unlinkable but accountable pseudonymous-based anonymous authentication with efficient and effective of pseudonym self-generation and revocation process as well as [21], [23], and [25]. In our pseudonymous-based anonymous authentication scheme, throughout secret key generation (SKG)-based join protocol, pseudonym self-generation is able to create T number of pseudonyms (PID ij ) which run on the participating mobile user (i.e., hereinafter it is called as Mobile-i) for interval time j. Meanwhile, our proposed scheme achieves an efficient cost computation of revocation check, since it is able to avoid computation cost linearly grows proportional to the number of revoked users. To do so, each pseudonym PID ij is generated at index k in [1, K ] which embedded into H (k) PID ij together with Mobile-i secret x i , where K is total index of epoch time and H () denotes a hash function operation. Regarding some notations that appear frequently in this paper, we insert the descriptions as briefly described in Table 1.
Moreover, we employ the randomness characteristic parameters generated by physical layer of wireless network [31], [32] when joining mobile users register themselves to GM for pursuing PIDs. Thus, some advantages can be obtained by incorporating SKG process to our proposed anonymous authentication system.
We summarize our technical contributions as follows: • Generated pseudonyms from SKG process, signing process, and verification process are integrated into a system to fulfill communication scenarios in VANETs.
• Anonymity, privacy-preserving, and pseudonymity requirements for security and privacy protection are able to maintain the computation costs efficiently.
can be implemented securely and other components can be also encrypted by any symmetric key cryptosystem. Hence, these components are kept secret during transmission. The evaluation of system performance is carried out by changing the traffic condition either quiet or crowded, varying the speed of mobile users from 20 km/h to 60 km/h and ping time interval from 7 ms to 20 ms. Computation cost requires about 12 seconds in average running on Raspberry Pi to conduct SKG process. Meanwhile, total processing time of signing and verification processes in the proposed anonymous authentication only consumes about 350 ms including communication costs. This shows the practicality of our proposed system. The structure of this paper is started by the above introduction. Furthermore, we describe briefly about the overview of anonymous authentication scheme in Section II whereas PIDs may be involved in the process such as join protocol, signing protocol, signing check algorithm, and revocation check algorithm. In Section III, we give some notes of our motivation and the contribution of our work, detail explanation about our proposed anonymous authentication scheme using PIDs generated from SKG process which includes system setup, key generation, join protocol, revocation protocol, anonymous authentication protocol, and open protocol. Then implementation and evaluation are comprehensively discussed in Section IV. And finally, conclusion and future works are discussed in Section V, respectively.

II. PRELIMINARIES
In this section, we briefly describe the fundamental technologies and algorithms adopted in the proposed system. Here, firstly we shortly describe about the fundamental of bilinear pairing as the basic pairing based cryptography. Secondly, we briefly describe about an overview of pseudonymous-based anonymous authentication system. In addition, we describe the corresponding assumption of our proposed anonymous authentication scheme.

A. BILINEAR MAP OF PAIRING
• let multiplicative cyclic groups, G 1 and G 2 respectively of prime order q.
• let a generator of G 1 , g 1 and a generator of G 2 , g 2 .
• let a computable isomorphism, ϕ from G 2 to G 1 such that an isomorphism function ϕ(g 2 ) = g 1 ; and • let a bilinear map, e whereas e : G 1 × G 2 → G T which has particular characteristic as follows: -Bilinearity: for all U ∈ G 1 , V ∈ G 2 and a, b ∈ Z, where e(U a , V b ) = e(U , V ) ab . -Non-degeneracy: e(g 1 , g 2 ) ̸ = 1.

B. OVERVIEW OF PSEUDONYMOUS BASED ANONYMOUS AUTHENTICATION
As well as [16], [21], [23], [24], [25], and [26], pseudonymous-based anonymous authentication may comprise several algorithms and protocols such as key setup algorithm, user pseudonym generation, user join protocol which may be pseudonym generation as a part of join protocol, user revocation check algorithm based on generated PIDs, signing algorithm, and verification algorithm. Generally, these processes are executed by a trusted authority (i.e., may be represented by a GM that can act as key setup generator, user join manager, user revocation manager, verifier entity, and open manager) and mobile users who are able to act as either signer user or verifier user.
− Key setup generation: on given security parameters, GM executes this algorithm to create group public key gpk and group secret key gsk. The given parameters may be consisted of a specific group order q of a bilinear map. Then, two multiplicative cyclic groups G 1 and G 2 have to be selected as well to create a bilinear map e : G 1 × G 2 → G T . Furthermore, a cryptographic hash function is also selected Then, the output of this algorithm is publishing gpk and gsk. In the some conditions, credentials may also be needed. Here, GM involves gsk to extract public parameters in gpk when creating credential components for a user with respect to the user's PID. Note that, to get its credential, a user has to request it to GM through a secure channel communication.
− User pseudonym generation: this algorithm optionally may be performed to initially create PIDs of users based on user membership index and epoch time T . Based on these generated PIDs, a user is able to sign a message anonymously through signing algorithm. Based on these PIDs, the verifier also verifies whether the signature is valid or not and makes sure that the valid signature is not in the revocation list. In our proposed system, as well as SKG process in [29] and [30], PIDs are represented by generated shared secret keys derived from collected RSS values between joining mobile users and GM. Here, we employ randomness extraction algorithm to fetch reciprocity of collected RSS values on both sides. Later on, a quantization algorithm is utilized to quantize and convert them into binary form to increase the correlation of collected RSS values between joining mobile users and GM. Furthermore, reconciliation and verification are executed to obtain the exact key stream on both sides. These key stream can be represented as PIDs of joining mobile users. In our proposed system, to have a set of shared secret keys represented as PIDs of joining mobile users, four steps are performed sequentially. Firstly, RSS values are collected through channel probing. Then, the values are quantized by particular quantization algorithm. Furthermore, the values must be synchronized through information reconciliation, and finally the result bits are increased their randomness by computing privacy amplification.
− User join protocol: this protocol is done interactively communication between a joining user (i.e., registering mobile user) and GM for pursuing the joining user to join the system. The protocol firstly is started by mobile user to request a particular credential and gpk to GM. After fetching the credential and gpk, sometimes PIDs can be created based on such credential. Sometimes, attributes may be attached in the credential and dispatched to another entity to generate PIDs. Here, some computations have to be executed by mobile user and some secret values are obtained. The epoch time or time slot may also be added in the PIDs which are used when mobile user convinces other entities about its validity in the system due to their transactions or communications done in every time. In addition, this protocol also delivers membership secret key msk of joining user. Meanwhile, GM stores some secret components of the joining user in the registration database.
− User revocation algorithm: based on valid PIDs generated either through pseudonym generation process or join protocol, GM sets a certain equation which correlating between these PIDs of the user and epoch time when some unexpectation acts occur such as misbehaving activities, secret key loss, secret key expiration, etc. The outputs of this algorithm is a revocation list RL which consisting of one or more random components related to the revoked user's PIDs in the list.
− Signing algorithm: a user operates this algorithm to convince his/her legality to a verifier when accessing the system anonymously. The algorithm requires PIDs of signer user, secret key of signer user msk, and public key gpk. The algorithm generates a signature on a message M (i.e., with certain arbitrary length of message). Here, signer user should select some random values, commitment values, and other components for signing process together with PIDs based on epoch time. To do so, signer user computes them together with his/her own msk. This algorithm may yield involving auxiliary public keys and some challenge components. Then, all components are used to sign the message M anonymously.
− Verification algorithm: a verifier runs this algorithm which commonly comprises two steps. Both users in signing and verification algorithms may be mobile users (e.g., one acts as a signer and another acts as the verifier). First step is signature check. Here, verifier has to check the validity of signature generated in the signing process. By executing verification algorithm based on PID with its epoch time and index, verifier verifies whether the signature is valid or not. Then, second step is performed to ensure that user is not in the list of revocation list if and only if the verification of signature is valid. In this revocation check, when PID on particular epoch time is reported as invalid, verification algorithm result should detect it as invalidity because the PID embedded in the revocation component is found in the list. However, when PID attached in the signature generation is valid, the verifier ensures it by comparing a particular equation whether the signer user's signature on a message M is valid or not.

C. ASSUMPTIONS
The traceability and unforgeability requirements of our implemented pseudonymous-based anonymous authentication scheme are based on the q-SDH assumption, DLIN assumption, and DL assumption. Since, in this paper does not address q-SDH assumption, we omit this assumption. The definitions of assumptions are also well described in [25] based on the construction frameworks discussed in [33] as follows. Definition Definition 2 (DL Assumption): On given inputs g 1 , g a 1 ∈ G 1 , where a ∈ R Z * q , then the output is a. Here, it can be said that (t, ϵ)-DL assumption holds in G 1 , if no PPT algorithm A has an advantage at least ϵ to solve DL problem in G 1 .

III. PROPOSED SYSTEM
In this section, we briefly describe a proposed system of pseudonymous-based anonymous authentication which comprises system setup, key generation, join protocol, revocation process, signing protocol, verification protocol, and open protocol. In the join protocol, PID ij of a participating joining mobile user are generated through the contribution of SKG process. The usage of SKG process is also involved in the signing protocol. Whilst, in the verification protocol, there would be two steps. First step, the mobile verifier does signature check. If and only if the check is valid, then second step is executed by checking whether the mobile user is a revoke user or not.

A. OUR MOTIVATION AND CONTRIBUTION
Our main motivation in adopting SKG process is to utilize the advantages of randomness parameters in physical layer of wireless communication [31], [32] generated from collected RSS values between joining mobile user and GM through a join protocol. We employ the SKG process to securely exchange secret components in the authentication protocol as well. In this case, the excavating randomness parameters derived from RSS values are generated by ICMP packet of a communication either between joining mobile user and GM or between signer mobile user and verifier mobile user through ping command. Secondly, instead of a particular equation when generating PIDs, SKG process yields a set of winner keys to represent the PIDs of communicating entities. Hence, by this idea we reduce the complexity of pseudonym identities generation as a part of join protocol. By the assisting SKG process may also securely send secret components from signing user to verifier and the usage of shared secret key with particular symmetric key cryptosystem, such as advanced encryption standard (AES-256) [34] may also provide secure data exchange. Here, as well as [29] and [30], we adopt NIST statistical test suite to test the randomness of pseudorandom number generators [35] and tshark network protocol analyzer [36] to accommodate and analyze network traffic either in PIDs generation process when executing join protocol or shared secret key generation when performing authentication protocol. In addition, Kalman Filter [37] also is adopted to increase reciprocity of measured RSS values when mobile user authenticates him/her self to mobile verifier in authentication protocol. Moreover, other remaining algorithms and techniques are adopted as well from [29] and [30].
The contribution of our proposed scheme to satisfy the requirements of anonymity and privacy-preserving of authentication system can be illustrated in Table 2. GS-TDL scheme [12] allows signer users are linkable temporarily when generating multiple signatures at the same epoch time T . Hence, it has a problem when T is set into longer time duration then the scheme to be a general digital signature where the signer user should be always linkable. Meanwhile, when T is set into shorter time duration, the scheme to be a usual group signature where the signer user should be always unlinkable. The advantage of the scheme is verifier-local revocation that enables no signer user is burdened in the revocation computations. However, the scheme has not yet involved any pseudonym in the authentication process. To improve the efficiency and anonymity in the authentication system, Gao et. al. [10] introduced an identity-based short group signature. The scheme has already involved pseudonyms to achieve privacy-preserving. However, the complexity of the scheme is high when dealing with much more numbers of participating users. Whilst, SRBE scheme [25] offers self-generation of pseudonyms at signer user side eventhough only single pseudonym for every credential in signing process. In this case, signer user is able to generate single, unique and unlinkable pseudonym. However, it has a problem when handling a particular scenario that needs more than one pseudonym within epoch time.
The need of more than one pseudonym is addressed by Sucasas et. al. [21], [23]. In this scheme, signer user is allowed to sign a message with involving unlimited and unlinkable but accountable pseudonyms. Here, the used of different pseudonyms is guaranteed to unlink for the same user. However, different pseudonyms from the same user are not able to be used for the same task. Both SRBE scheme [25] and Sucasas et. al. [21], [23] play the index value of pseudonym based on epoch time of generated pseudonyms, thus effectiveness searching of a pseudonym can be achieved (e.g., when applying in the revocation check process). However, all pseudonyms in the revocation list must be published for every epoch time. Meanwhile, our proposed scheme as well as [21], [23], and [25] focuses on pseudonym generation derived from RSS values of communications between mobile users and GM when joining user registers him/her self in the system. We focus on a single pseudonym self-generation in signing protocol based on the index value of every pseudonym. Thus, effectiveness and efficiency can be achieved as well as [21], [23], and [25] with satisfaction of privacy-preserving requirements. In addition, revocation check process of our proposed scheme provides unlinkability but only one pseudonym in the revocation list published. Moreover, our proposed system satisfies unlinkable but accountable pseudonymity which means that all pseudonyms generated by the same signing user and generally used for different signing the message should not be linkable to each other. In addition, the users should be able to generate several pseudonyms to participate signing the message. In this situation, different pseudonyms generated from a user cannot either be linked to the same user or be used for the same signing process. In this case, given pseudonyms is impossible to reveal which pseudonyms belong to the same user. Given pseudonyms used in signing the message certainly each pseudonym belongs to a different user. Therefore, unlinkable but accountable feature enables users to participate in signing the message without being linked to each other. This also enables VANETs to be ensured that users will not able to participate in the same signing process with two or more different pseudonyms.

B. PROPOSED ANONYMOUS AUTHENTICATION USING PID ij GENERATED FROM SHARED KEY GENERATION
At first, GM sets up several public parameters by selecting two cyclic groups G 1 and G 2 of prime order q. Then, a multiplicative group G T is executed by a bilinear map e : G 1 × G 2 → G T . Later on, GM chooses g 1 ∈ R G 1 and g 2 ∈ R G 2 . In addition, GM sets up a hash function H () : {0, 1} * ∈ Z * q . So far, a group public key is denoted as gpk = ⟨q, G 1 , G 2 , G T , e, g 1 , g 2 , H ⟩, and group secret key is indicated as gsk = ⟨d, s, u⟩, where d, s, u ∈ R Z * q . Furthermore, GM sets up D = g d 1 ∈ G 1 , U = g u 1 ∈ G 1 , S = g s 2 ∈ G 2 , and appends them to the group public key, gpk = ⟨D, S, U ⟩. Finally, GM issues the group public key gpk = ⟨q, G 1 , G 2 , G T , e, g 1 , g 2 , H , D, S, U ⟩ and keeps secret gsk = ⟨d, s, u⟩. Fig. 1 step 5 is SKG process to generate a set of secret keys that represents PID ij of Mobile-i. The detail procedure for SKG process is described in Fig. 2 as well as [29], and [30]. In SKG process extracted from RSS values between Mobile-i and GM communication, firstly we collect RSS values by channel probing through ICMP packets. In this case, we collect about 3000 ICMP packets. Let say h M i is a signal sent from Mobile-i to GM and h GM is signal sent from GM to Mobile-i. In the meantime, an eavesdropper (i.e., Eve) intercepts h M i from Mobile-i and h GM from GM. This can be represented as the following model: where x are zero mean additive Gaussion noise. Then, by using randomness extraction we reach reciprocity of collected RSS values. Here, we improve the correlation of measured RSS values between Mobile-i and GM by employing polynomial interpolation which is represented as the following model: (2) where s(n) is the input of RSS values by the index n, a 0 , · · · , a 3 are polynomial interpolation coefficients, and y(l) denotes the output of correlated RSS values by the index l. Note that correlation is used for quantifying the relationship of collected RSS values between Mobile-i and GM [38]. The next step is employing quantization process to convert every single correlated RSS values into bits stream. In this case, we utilize Multibit M-ary quantization by ordering the correlated RSS values from the smallest to the biggest one. Then, we sort the values into several levels of a block, where the level is determined by the guard level using Equation 4.
Guard level g i is set between two series of quantization q i−1 and q i with assumption of measurement h which is followed by a particular probability distribution fh. Meanwhile, δ denotes the ratio of guard level. Here, the guard level excludes the same RSS values. Let say, the level of quantization is m (i.e., from 0 to m−1), thus the interval of quantization is where q 0 and q m are minimum and maximum of h. Meanwhile, The result bits stream of quantization needs to be filtered the mismatched bits stream remaining in both sides. In this case, we utilize BCH error code correction (i.e., BCH (31,6)). Here, the result bits key stream from Multibit M-ary quantization are encoded into codewords. Every codeword consists of parity for exchanging in both sides such that bits error correction process is properly executed. Hence, finally we get a preliminary bits key stream between Mobile-i and GM. The next step is increasing the randomness of bits key stream. Here, we utilize Universal hash function such that the randomness of bits key stream passing the NIST pseudorandomness test suite. There are up to 11 winner keys that passed the test. Then, to ensure the equality of 11 keys between Mobile-i and GM, SHA-256 hash function is used to verify whether the keys in both sides are really equal or not. If it is valid, then a set of 11 keys is represented as the PID ij ∈ Z q of Mobile-i.

C. SYSTEM SETUP
The system is initiated by performing algorithm ψ with security parameter λ as an input. ψ outcomes 3 groups G 1 , G 2 , and G T of λ-bit of prime order q, and a bilinear map e : G 1 × G 2 → G T . Moreover, a generator g 1 is chosen from G 1 and a generator g 2 is chosen from G 2 at random. The system applies a hash function H () : {0, 1} * → Z q as well. Where, ⟨q, G 1 , G 2 , G T , e, g 1 , g 2 , H ⟩ is public. The secret keys of the group manager, opening manager, and group public respectively can be generated as follows: • Choose two random secrets d, s ∈ R Z * q and assign them as the secret key of group manager gsk = ⟨d, s⟩. Then, choose a random secret u ∈ R Z * q and assign it to the secret key of the opening manager gok = ⟨u⟩.
• Compute D = g d 1 ∈ G 1 , S = g s 2 ∈ G 2 , U = g u 1 ∈ G 1 and assign them to group public key gpk = ⟨q, G 1 , G 2 , G T , e, g 1 , g 2 , H , D, S, U ⟩. Here, only the group manager is able to proceed ⟨d, s⟩ and only opening manager is able to access ⟨u⟩. Fig. 1 indicates our proposed interactive join protocol as a part of pseudonymous-based anonymous authentication system. The protocol comprises nine steps. Again, this protocol is an interactively communication protocol between joining mobile node (i.e., Mobile-i) and GM. Meanwhile, Fig. 2 shows a shared secret key generation process when receiving PIDs of Mobile-i on time duration T (i.e., PID ij ) where j ∈ [1, T ]. This is a part of interactive join protocol in the SKG process. The fifth step of the process is depicted in Fig. 1.

D. JOINING PROTOCOL
Based on gpk and gsk obtained from GM, Mobile-i registers him/her self to GM by doing the following steps: • Select a random secret key x i ∈ R Z * q and compute key agreement components A ′ i = g In this case, VID i can be represented by the  • Send a tuple of ( • Then, GM sends a tuple of (A ′′ i , B) to Mobile-i. Furthermore, SKG process is started.
• SKG process is done interactively between Mobile-i and GM such that PID ij is obtained, where j ∈ [1, T ] and T is the epoch time represented by the number of generated keys in the SKG process. Fig. 3 illustrates scenario of the process.
• Upon obtaining PID ij , Mobile-i executes In this case, PID ij is obtained from SKG process by VOLUME 11, 2023  Mobile-i and GM simultaneously. Then, GM calculates Here, both computed A ij on Mobile-i side and GM side are equal.
• To ensure the equality of A ij , hash function is used to guarantee the integrity of A ij together with Q i . In this case, By sharing the hash value, both Mobile-i and GM make sure that A ij and Q i are kept their integrity. • For revoked Mobile-i ′ , set grt i ′ j * = ⟨H (k * ) x i ′ PID i ′ j * ⟩ and inserts grt i ′ j * into revocation lists RL.
• Output revocation list RL that consists of all r-revoked mobile nodes' tokens, grt i ′ j * . Fig. 4 and Fig. 5 illustrate our proposed secret key generation in the anonymous authentication to secure-exchanging important components when a mobile user signs anonymously a message to the mobile verifier. Then, after exchanging the components, mobile user and mobile verifier perform signing and verification anonymous authentication as shown in Fig. 6

F. ANONYMOUS AUTHENTICATION PROTOCOL
where x are the channel gain estimated by verifier, Eve, and Mobile-i.
x are zero mean additive Gaussion noise. Then, randomness extraction is employed to enhance the reciprocity of measured RSS values.
Here, we adopted Kalman Filter to enhance the correlation of measured RSS values between Mobile-i and verifier. Fig. 7 illustrates the process of Kalman Filter, where z l−1 and P l−1 are the input parameters with noise measurements R and Q which are predicted in every iteration. The time update used in profiling channel prediction isẑ l = Az l−1 and P l = AP l−1 A T + Q. Meanwhile, measurement update used for apriori profiling estimated channel correction is K l = (P l H T )/(HP l H T + R), z l =ẑ l + K (y l − Hẑ l ), and P l = (1 − K l H )P l . Where K l is Kalman Filter gain and z l is the output correlated RSS values by the index l.
The next step is quantization for converting every single correlated RSS values into bits stream. Firstly, we set two values as threshold of the correlated RSS values: q+ and q−, where q+ = µ + α · σ and q− = µ − ζ · σ , where µ denotes the mean of RSS values, σ is its standard deviation, and ζ represents a constant, 0 < ζ < 1. If RSS values are out of the threshold, they will be omitted. Then, levelcrossing is executed to improve the matching bits stream by segmenting RSS values into blocks with particular length (i.e., m-bit), thus the values of each block are either greater than q+ or less than q−. Here, each m-bit stream of RSS values is evaluated by Mobile-i and verifier to determine bits key stream. The main goal utilizing level-crossing is to increase the equality of bits stream in both sides instead of information reconciliation in refining the mismatched bits stream remaining. Hence, as the result, we get a preliminary bits key stream. The next step is utilizing SHA-256 hash function to enhance the randomness of bits key stream in order to pass the NIST pseudorandomness test suite. There are about 3 to 5 winner keys that passed the test. Among the winner keys, the shared secret key is the one that has the highest approximate entropy coefficient. Then, for ensuring the equality of shared secret key between Mobile-i and verifier, again SHA-256 hash function is employed to verify it. If it is valid, then the shared secret key will be used to secure the exchanging components. Here, let say the shared secret key is γ ∈ Z q . Furthermore, shared secret key γ can be involved to secure the secret components in signing and verification processes.
Anonymous authentication protocol is performed by signing mobile node (again, i.e., Mobile-i) to verifier mobile node. It consists of two protocols: signing protocol GSign computed by sender entity and verification protocol GVerify computed by receiver entity to verify the signature of sender   • Perform SKG process to obtain a shared secret key γ as explained above. Where γ ∈ Z q . • Choose α, β ∈ R Z * q and compute: is computed hashing of index k and γ ∈ Z q is derived from SKG process.
• Compute signature of knowledge (SPK) Z denoted as follows: • Pick blinding factors: r x i , r α , r β , r γ , r PID ij , r VID i , and r h i ∈ R Z * q , and compute: , • Compute a challenge c ∈ R Z * q as: • Output a group signature: • Send the signature σ to verifier. The optional process to secure a-tuple of (M , j, k, σ ) through encryption process using shared symmetric key γ obtained from SKG process as shown in Fig. 5, this may offer more secure and resistant from eavesdropping and modifications from other parties. Let say Mobile-i encrypts a-tuple of (M , j, k, σ ) using AES-256 cryptosystem with shared secret key γ , C = E AES−256 ((M , j, k, σ ), γ ) where C denotes ciphertext of a-tuple of (M , j, k, σ ), γ is shared secret key, and E AES−256 is encryption function of AES-256 cryptosystem. Then, C is sent by Mobile-i to the verifier. On the other side, upon receiving ciphertext C and using shared secret key γ obtained from SKG process, verifier decrypts C to get a-tuple of (M , j, k, σ ) by utilizing AES-256 decryption, (M , j, k, σ ) = D AES−256 (C, γ ) where D AES−256 denotes AES-256 decryption function.
GVerify (gpk, j, k, M , σ ): on given public key gpk = ⟨D, S, U ⟩ and a message M , the group signature σ = ⟨T 1 , · · · , T 3 , F 1 , F 2 , c, s x i , s α , s β , s γ , s PID ij , s VID i , s h i ⟩ can be verified as follows: • Check the SPK Z as follows: Re-derivedR 1 ,R 2 ,R 3 , andR 4 as: = c. Accept σ if the check succeeds and rejects otherwise. Again, RL= (grt 1j , · · · , grt rj ) where grt i ′ j = ⟨H (k) x i ′ PID i ′ j ⟩ and γ is shared secret key obtained from SKG process. Here, verifier entity searches the value of grt i ′ j = H (k) x i ′ PID i ′ j based on the epoch time j on index k in the RL. In this case, if it is found, Mobile-i ′ is revoked which means that revocation token of Mobile-i ′ grt i ′ j should be in RL= (grt 1j , · · · , grt rj ).

G. OPENING PROTOCOL
Open (gok, gpk, i, M , σ, REG): this protocol is used for tracing a signature back to the actual signer. The inputs of this protocol are opening manager's private key gok = ⟨u⟩ and a signature σ , then opening manager computes the following steps: • Verify whether σ is a valid signature on a message M or not by executing GVerify algorithm.
• Compute: The opening manager can then disclose the identity of the vehicle by accessing the above equation, because: H. SECURITY ANALYSIS As well as [25] with respect to construction frameworks discussed in [33], our proposed scheme satisfies the signature correctness and indentity correctness, respectively. We also prove the BU-anonymity, traceability, and exculpability properties under DLIN assumption and DL assumption, respectively. The proofs are provided in Appendix A.
In addition, we evaluate the security property of existential unforgeability under chosen-message attacks [39]. It is defined by using the following sequence games. signature σ * is successfully verified using GVerify protocol and ensuring whether the signature σ * is not revoked by using Revocation check algorithm, and -A can not obtain the signature σ * in making a signing query on message M l * . Even if A who wants to break signature scheme is given In this case, A will successfully forge either if really finds PID i * j * equal to PID ij or if x i * is really equal to x i such that A i * j * = g (d−x i * PID i * j * )/sx i * 1 . However, since there exists randomly secret components such as α, β, γ , and blinding factors as well in every signing process, hence this game would be negligible. This is because in GSign protocol, it must compute T 1 = A x i ij U α , T 2 = S α , and T 3 = H (k) x i PID ij +γ . In addition, it also computes F 1 = g VID i +h i +β 1 and F 2 = U β . Here, it needs randomly secret components of α, β, and γ when signing a message M . Moreover, secret key x i and its PID ij are also involved in the computation. Then, blinding factors have also to be randomly selected: In this case, A has already requested the query of hashing H (gpk, j, k, M , T 1 , · · · , T 3 , F 1 , F 2 , R 1 , · · · , R 4 ), then B reports failure and terminates the game. This shows that the resulting signature σ is strongly unforgeable, whereas

IV. IMPLEMENTATION AND EVALUATION
In the implementation, Raspberry Pi acts as an on-board unit (OBU) assembled in every participating user and GM. Fig. 3 illustrates a scenario of interactive join protocol between joining mobile user, let say Mobile-i and GM. Here, we assume GM in stationary position. On the other hand, Fig. 4 represents the scenario when signer user (i.e., Mobilei) anonymously authenticates him/her self to a verifier user. We assume both Mobile-i and verifier user are in mobile. This scenario is performed by Mobile-i to secure secret components sent to verifier user. In addition, Table 3 shows equipment specifications involved in the implementation. Here, we utilize Python language for developing the system and tshark-analyzer [36] for investigating the network traffic.

A. EXPERIMENTAL ENVIRONMENT AND SCENARIO
We start from the scenario of our experiment to evaluate the system performance of join protocol in generating PIDs derived from SKG process. This is an interactive registration process of a joining mobile user let say Mobile-i with speeds vary from 20 km/h to 60 km/h on ping time interval 7 ms, 10 ms, and 20 ms, respectively to a GM as illustrated in Table 4. Here, the measurement setting is performed on the road along about 4 km either on the quiet or crowded traffic condition as shown in Fig. 8. We grab about 3000 ICMP packets in total to generate RSS values between Mobile-i and GM through IEEE802.11a/b/g/n 2.4 GHz wireless network standard. Meanwhile, by the same setting with normal traffic condition, we perform SKG process among mobile users let say between Mobile-i and verifier to secure secret components yield in the signing protocol and send securely the secrets to verifier through wireless network. Here, we pick up about 6000 ICMP packets to generate RSS values from these communications. In this case, we also vary the speed of Mobile-i and verifier from 20 km/h to 60 km/h. Our measurements are done through wireless USB adapter TL-WN722N with the involvement of an adversary, say Eve  to always attempt collecting RSS values from the communications either between Mobile-i and GM or between Mobile-i and verifier. Meanwhile, the display of proposed system application in tracking and monitoring mobile nodes is depicted in Fig. 9.

B. MEASUREMENTS OF INTERACTION BETWEEN MOBILE-i AND GM THROUGH JOIN PROTOCOL
As well as [30], we employ reciprocity technique to get a better correlation between RSS values among participating mobile users. We introduced two types of road traffic condition either crowded or quiet traffic. The average of the lowest correlation is about 0.04 when the speed is on 60 km/h in crowded traffic. Whilst, the average of highest one is 0.91 when the speed is on 40 km/h in crowded traffic. On the other hand, the increasing of correlated RSS values upgrades to 0.4 and 0.99, respectively which are illustrated in Table 5. Therefore, we can say that SKG process in this join protocol is working properly.
In the quantization process, RSS values are tranformed into bits stream as shown in Table 6. In this case, there are about 1792 output bits and tested their KDR and the key generation    rate (KGR). The results are smallest KDR can be achieved up to 46% when the speed is on 40 km/h in crowded traffic. Meanwhile, the highest KDR can be achieved up to 53% when the speed is on 20 km/h in quiet traffic. Furthermore, KGR in this measurement can be achieved up to 238 bit/s. The next step is to increase approximate entropy coefficient such that in satisfying the randomness requirement of shared secret key. To do so, hashing is utilized. In this case, we utilize Universal hash function where measurement result of improving KGR as shown in Table 7. Here, we can show that the hashing is able to contribute to improve the KGR.
A number of generated keys derived from SKG process represents PID ij . These generated keys actually are the winner keys fulfilling randomness requirement as the result of communication between joining Mobile-i and GM. In instant,  the number of generated PID ij for each scenario can be illustrated in Table 8. In this case, we can generate the number of PID ij up to 11. Thus, our setting for the epoch time of PID ij is T = 11, whereas j ∈ [1,11].

C. MEASUREMENTS OF SKG PROCESS BETWEEN MOBILE-i AND VERIFIER
Again, in this scenario, Mobile-i and verifier conduct SKG process to obtain shared secret key γ in both sides to secure important components used for anonymously signing a message M , such as a-tuple of (M , j, k, σ ). Here, to get reciprocally secret key, we employ Kalman Filter [37] for improving the correlation of measured RSS values among two participating entities as well as [29]. Measurement results say the average of smallest correlation can be achieved up to 0.97 when the speed is on 60 km/h. Meanwhile, the highest one can be achieved up to 0.99 when the speed is either on 20 km/h or 40 km/h. As the impact, the correlated of RSS values is increased up to 0.99 as shown in Table 9. Therefore, we can say that SKG process in this scenario is working properly as well.
Meanwhile, measurements of quantization process as shown in Table 10 show that there are about 3656 output bits which are about 40% of them decreased from 6000 RSS values. However, this decreasing number can be improved by implementing Kalman Filter. Thus, it can be increased up to about 4556 bits. Then, the output bits are evaluated based on the KDR and KGR measurements. As the results, smallest KDR can be achieved perfectly to zero. Whilst, KGR can be achieved up to about 25% improvement. Table 11 shows the number of winner keys for each measurement in the scenarios. By using our adopted technique, we can achieve the number of winner keys up to 5. This is sufficient to generate shared secret key among two participating   users when they are authenticating themselves to encrypt the important components such as a-tuple of (M , j, k, σ ). Fig. 10 and Fig. 11 show the computation times of proposed system process. Here, total computation time of join protocol as shown in Fig. 10 consists of group computation cost, correlation computation (i.e., polynomial interpolation), quantization, error code correction using BCH codes, Universal hash function, NIST randomness test, integrity check using SHA-256, and communication cost. Group computation cost may include exponentiations in G 1 , multiplications in G 1 , and hash function. This computation cost consumes about 20 ms. Whilst, communications cost totally takes about 360 ms. Universal hash function computation and error correction through BCH codes take about 3.58 seconds and 3.27 seconds, respectively. Correlation technique and quantization consume about 1.8 seconds and 3.08 seconds, respectively. NIST randomness test takes about 290 ms and shared secret keys verification takes about 80 ms. Therefore, total computation cost is about 12.58 seconds.

D. COMPUTATION TIME MEASUREMENTS
On the other hand, similarly the computation cost of SKG process for authentication process from Mobile-i to verifier shown in Fig. 11 consists of group computation cost, correlation process using Kalman Filter, quantization, levelcrossing, randomness using SHA-256, NIST randomness test, shared secret key verification using SHA-256, encryption, and communication cost. Here, the group computation for signing the message M is about 90 ms, correlation takes about 2.57 seconds, quantization and level-crossing consume 3.57 seconds and 1.82 seconds, randomness with SHA-256 takes about 60 ms, NIST randomness test takes about 1.12 seconds, shared secret key verification using SHA-256 takes about 50 ms, encryption of a-tuple (M , j, k, σ ) consumes about 70 ms, and communication cost is about 120 ms. Hence, total computation cost for this optional SKG process in authentication is about 9.53 seconds. Table 12 shows the complexity comparison of our proposed scheme with existing schemes [11], [12], [21], [23], [25] in term of signing, verification (i.e., signing check and revocation check), and revocation process. Here, signing process VOLUME 11, 2023

V. CONCLUSION
We have presented an anonymous authentication based on pseudonymous using PIDs generation derived from shared key generation process of measurement collected RSS values in join protocol and the authentication protocol. Adopted SKG process is able to raise shared secret keys which represented as PIDs with zero KDR, high KGR, and better reciprocity. Performance evaluation is done with the traffic condition changing from quiet to crowded and varying the speed from 20 km/h to 60 km/h on ping time interval varied from 7 ms to 20 ms. By 3000 ICMP packets are able to generate up to 11 PIDs and varying speed of mobile users from 20 km/h to 60 km/h on ping time interval from 7 ms to 20 ms. Meanwhile, by 6000 ICMP packets are able to generate 3 to 5 winner keys. Here, quantization algorithm works properly for achieving highest correlation 0.99 and the lowest one is about 0.90. Meanwhile, computation cost requires about 12 seconds in average running on Raspberry Pi. Meanwhile, total processing time of signing and verification processes in the anonymous authentication only consumes about 350 ms including communication costs running on Raspberry Pi. Future Works. Our future works include more efficient signing, verification, and revocation algorithms of pseudonymous-based anonymous authentication system with involvement of SKG process where PIDs are derived from wireless channel parameters. The implementation of more various applications is also our future works.

APPENDIX A FORMAL SECURITY OF PROPOSED SCHEME
In this formal security, we consider the definitions and the proofs of features satisfaction of proposed pseudonymousbased anonymous authentication scheme as follows. Proof. Here, the correction of Equation 6 executed by Mobile-i to generate a signature σ on a message M can be proven as follows, whereas T 1 = A x i ij U α , T 2 = S α , and T 3 = H (k) x i PID ij +γ . In addition, F 1 = g VID i +h i +β 1 and F 2 = U β , thus: proves that based on the result Q i which is found in the database GL possessed by GM, the correctness of Mobile-i's identity can be proven.

B. BU-ANONYMITY DEFINITION
Let A be an advantage to break proposed group signature scheme run by an adversary and B be an algorithm to break it run as a challenger. BU-anonymity is the anonymity with backward unlinkability. Where, backward unlinkability means that even after a revocation of a user occurs, the signatures generated by the user are still remain anonymously before the revocation.
Here, Join protocol for exculpability with considering to the following anonymity game.
• Setup: the challenger B runs Setup protocol. A is given gpk, then B runs A and sets interval time j = 0 with index k = 0, revoked users list RL= Ø, and corrected users list CL= Ø. VOLUME   • Restricted Queries: A requests the above queries, but A is not able to query the corruptions of Mobilei 0 and Mobile-i 1 , revocation process of Mobile-i 0 and Mobile-i 1 at interval time j * at index k * , and opening of the challenged signature.
• Output: finally, A outputs a result of bit φ ′ that indicating A's guess of φ. Here, if φ ′ = φ, then A wins. We define the advantage of A as |Pr[φ ′ = φ]−1/2|. BU-anonymity requires that for all PPT A, the advantage of A on this game is negligible.

C. TRACEABILITY DEFINITION
The proposed group signature scheme can be said traceable, if the probability of winning the following game is negligible for all PPT algorithm A. • Output: A outputs a signature σ * on a message M * at interval time j * at index k * . A can be said the winner of this game if only if: signature σ * is successfully verified using GVerify protocol and ensuring whether the signature σ * is not revoked by using Revocation check algorithm, traces to some Mobile-i * outside the CL or Open protocol is failed, and -A can not obtain the signature σ * by making a signing query on message M * . Lemma 1: Again, A be algorithm to break proposed signature scheme is given ⟨g 1 , g a 1 1 , g a 2 1 , g 2 , g a 1 2 , g a 2 2 ⟩ and ⟨A ij , PID i1 , · · · , PID iT ⟩ for all i ∈ [1, n], j ∈ [1, T ] and PID ij ∈ Z q at index k ∈ [1, K ], whereas and PID ij is obtained from SKG process. A wants to forge secret components ⟨A i * j * , x i * , PID i * j * , H (k * ), VID i * , j * , k * ⟩ by picking randomly A i * j * ∈ R G 1 and x i * , PID i * j * , H (k * ), VID i * ∈ R Z * q , for j * ∈ [1, T ] and k * ∈ [1, K ]. Proof: If any values of ⟨A i * j * , x i * , PID i * j * , H (k * ), VID i * , j * , k * ⟩ satisfies the equality of A i * j * = g equality are satisfied as well. Hence, to prove this assumption, A demonstrates 2 types of forgers as follows.
• Type 2 Forger: On given any ⟨A i * j * , x i * , PID i * j * , H (k * ), VID i * , j * , k * ⟩ randomly selected, but PID i * j * ̸ = PID ij for any i ∈ In this case, Type 1 Forger will successfully forge if really finds PID i * j * equal to PID ij . Meanwhile, for Type 2 Forger will successfully forge if x i * = x i such that A i * j * = g (d−x i * PID i * j * )/sx i * 1 , but PID i * j * ̸ = PID ij which means that A can extract PID ij from SKG process. However, since there exists randomly secret components such as α, β, γ , and blinding factors as well in every signing process and they are kept secret by the signer user, hence this game would be negligible.

D. EXCULPABILITY DEFINITION
The proposed group signature scheme can be said satisfying exculpability feature if no PPT algorithm can forge a signature σ generated by an un-corrupted Mobile-i such that Mobile-i can not dispute. Formally, the probability of winning the following game is negligible for all PPT algorithm A. • Challenge: A outputs a signature σ * on a message M * , interval time j * at index k * of Mobile-i * . It can be said that A is the winner of this game if: -A does not obtain signature σ * on message M * from signing query. signature σ * verification returns valid.
-Opening protocol returns the identity of Mobile-i * and it is found in the group list GL. -A does not corrupt Mobile-i * .
-B can not disclose the secret key msk[i * ] of Mobilei * such that A does not obtain it using msk[i * ]. Proof: Let A be an adversary who wants to break the exculpability game as above with non-negligible probability. Then, we can construct another PPT algorithm B to solve DL problem in G 2 with non-negligible probability.