A Novel Pseudonym Changing Scheme for Location Privacy Preservation in Sparse Traffic Areas

A large number of schemes have been proposed for location privacy preservation in Vehicular Ad Hoc Networks (VANETs). One of the most popular approaches is pseudonym changing, which includes mix-zone, silent-zone, mix-context-zone and trigger-based schemes. These schemes rely on changing pseudonyms after specific intervals to preserve the location privacy of vehicles. Because pseudonym changing is effective only where traffic is dense, most such schemes require a vehicle to be part of dense traffic in order to change its pseudonym, which makes them poorly suited to sparse traffic areas. Another drawback is that these schemes do not prevent colluding attacks. In this paper, we propose a scheme, called LPSA (Location Privacy in Sparse Areas), to overcome these limitations. We modify the pseudonym changing scheme so as to preserve location privacy irrespective of traffic density, which makes LPSA suitable for both dense and sparse traffic areas. For location privacy preservation in dense areas, we utilize pseudonym changing in mix-context zones. To preserve location privacy in sparse areas, we modify the pseudonym changing scheme and use differential privacy to protect the data shared by the vehicles: noise is added to raw beacon message attributes using Local Differential Privacy (LDP) to obtain perturbed messages, and multiple perturbed messages are transmitted to confuse an adversary. LPSA also provides protection against colluding attacks. Our results show that LPSA achieves lower traceability and better average anonymity set size, pseudonym changes per trace and average confusion in both sparse and dense traffic areas compared with the recent literature.

The sensitive information carried by beacon messages, if received by a malicious user present in the network, can result in disastrous consequences for a driver.
Many solutions have been proposed in the literature to deal with the threat of a location privacy breach during a vehicle's trip [5], [8]. One of the most popular approaches is pseudonym changing [9]. In pseudonym changing schemes, vehicles need to change pseudonyms when they gather in a social zone, including mix-zones, mix-context zones and silent zones. A large number of vehicles are connected to an authentication server, and a Public Key Infrastructure (PKI) is used for authentication, in such a way that every vehicle gets a public and private key pair. These public keys are called pseudonyms. They are used as temporary identities of vehicles instead of their real identities. In this way, the real identities are hidden [10]. Pseudonym changing allows authentication and non-repudiation [11], [12] and provides the privacy properties associated with location privacy preservation, namely unlinkability and anonymity. This implies that observing messages from a vehicle that uses more than one pseudonym does not allow an attacker to link these pseudonyms [13]. This method has the following strengths.
• Reduced storage overhead on resource-constrained vehicles.
• Reduced computation overhead on the registration authority.
• Location privacy preservation.
However, this method works only in mix-zones. A mix-zone is a specific location where vehicles get together during the day, forming a dense traffic area, and change their pseudonyms together. These areas include parking lots, bus stations, road intersections, etc. [14]. However, in scenarios where traffic is sparse, say a highway trip, vehicles do not form a mix-zone. This is also true for times when traffic density is low, for example at night. In such scenarios, mix-zone pseudonym changing techniques do not work: it becomes easier for an attacker to track a vehicle, which defeats the very purpose of using a pseudonym changing scheme. Another challenge in VANETs is colluding attacks [15], in which multiple malicious vehicles collaborate or collude with each other to undermine the security or disrupt the functionality of the vehicular network. Such attacks can greatly harm honest vehicles and pose significant challenges to the trustworthiness and reliability of VANET systems.
We propose a scheme, called LPSA, which ensures location privacy preservation in sparse areas. We utilize the pseudonym changing technique in dense traffic areas. For sparse traffic areas, we use LDP [16] to perturb location attributes. When a vehicle is in a sparse area, it sends multiple perturbed beacon messages, so that a malicious vehicle perceives multiple vehicles in its communication range. In this way, the vehicle can exchange its pseudonyms with perturbed pseudonyms without an attacker being able to notice. Moreover, because an attacker is not aware of a vehicle's real identity, colluding attacks are infeasible in LPSA: for a colluding attack to be possible, the malicious vehicles must know the identity of the vehicle to collude against. A malicious vehicle does not know the correct number of vehicles in a given area, since the presence of a single vehicle gives the illusion that there is more than one.

A. CONTRIBUTIONS
The research contributions of this paper are given below.
• The focus of this paper is to ensure location privacy preservation in both dense and sparse traffic areas. We modify the pseudonym changing scheme to achieve this objective.
• LPSA ensures privacy properties along with location privacy preservation, including unlinkability, reduced traceability and anonymity.
• Because storing pseudonyms on a third party storage can cause a single-point-of-failure, the proposed scheme, LPSA, does not need a trusted third party to ensure location privacy preservation.
• In addition to privacy properties, the proposed scheme ensures security against colluding attacks in VANETs.
• Storage and computation overhead on resource-constrained vehicles has been reduced compared with the recent literature.
• Experiments show that the proposed scheme provides better average confusion per trace, pseudonym change per trace, average anonymity set size and traceability as compared to the recent literature.
The organization of this paper is as follows. The recent literature is reviewed in Section II, and background techniques are introduced in Section III. We present our scheme in Section IV, and experimental results are discussed in Section V. We finally conclude our work in Section VI.

II. RELATED WORK
The first pseudonym scheme was developed in [17]. In this scheme, the users in the system were able to communicate with each other and with other entities involved in the system without their identities being exposed to adversaries, using pseudonyms, or false names. The pseudonyms could not be used to extract meaningful information about users, but at the same time, users were able to efficiently prove their affiliation with an organization. This provided unlinkability and hence helped protect the privacy and anonymity of the entities in the system.
The initial proposal for achieving location privacy in a wireless network was the periodical pseudonym change scheme [18]. This scheme involved assigning each vehicle a pseudonym that could be used for a specific duration. Vehicles would change their pseudonyms either at fixed intervals or randomly. However, this scheme was vulnerable to correlation attacks, where the old and new addresses of the same node could be correlated.
In [19], the authors adopt a random silent period (RSP). The RSP scheme involves vehicles entering a silence period for a randomly determined duration when they want to change their pseudonyms. By turning off their radio transmitters and refraining from sending messages during this period, the RSP scheme aims to confuse potential adversaries. It allows vehicles to change pseudonyms after a fixed time interval and remain silent for a randomly chosen duration within a defined range. This randomness adds an extra layer of privacy protection and makes tracking vehicles more challenging for adversaries.
In [20], the authors proposed a scheme designed to maintain location privacy in VANETs called SLOW. Unlike other approaches, SLOW eliminates the need for explicit synchronization among vehicles for pseudonym change. The key concept behind SLOW is that vehicles automatically enter a silent period, refraining from transmitting beacon or warning messages, when their speed drops below a predefined threshold (e.g., 30 km/h). During these silent periods, vehicles change their pseudonyms simultaneously at the same time and location, such as when they stop at traffic lights or encounter slow-moving traffic. This implicit scheme ensures pseudonym changes and silent periods that are synchronized in time and space, simplifying the process of preserving location privacy without requiring explicit coordination among vehicles.
The authors of [21] propose the Cooperative Pseudonym Change (CPN) scheme based on the Number of Neighbors. CPN enables vehicles to cooperate by counting their neighboring vehicles using received beacons. When the number of neighbors exceeds a configured threshold, a trigger event occurs, and vehicles set an internal "Readyflag" to 1. This flag is inserted into beacons and broadcast. Upon receiving a beacon with Readyflag=1, or if their internal flag is already set, other vehicles immediately change their pseudonyms.
The Context-Aware Privacy Scheme (CAPS) introduced in [22] revolves around the concept of vehicles determining the appropriate context for pseudonym change and entering/exiting silence periods. The method entails vehicles utilizing an in-vehicle tracker, which is an algorithm implemented to track vehicles, to monitor received beacons. When the tracker detects that a neighboring vehicle has ceased communication (entering a silent period), it will also enter a silent period. To resume communication with neighboring vehicles, the vehicle must choose an appropriate context. It is important to note that the initial silent period can be initiated by a predefined timer. The vehicles resume communication with a new pseudonym when an opportunity arises to mix their actual state with that of a silent neighbor.
A privacy-preserving scheme named CPESP (Cooperative Pseudonym Exchange and Scheme Permutation) is proposed in [23], which combines two techniques for location privacy preservation: cooperative pseudonym exchange and scheme permutation. The scheme consists of three parts: CPE (Cooperative Pseudonym Exchange), SP (Scheme Permutation) and CPESP itself. CPE can improve privacy preservation when a large number of vehicles are part of the network; during pseudonym exchange, it makes it hard for an attacker to keep track of vehicles. SP is useful when traffic density is low, as it allows vehicles to exchange pseudonyms even in sparse areas. This scheme does not involve a trusted central entity; the authors claim that eliminating the trusted central entity cuts down communication overhead and delay constraints. A vehicle can opt for the suitable algorithm when exchanging pseudonyms, and the scheme ensures location privacy in both dense and sparse traffic areas. However, each algorithm in CPESP is designed for a different traffic setting, and for each setting the driver has to manually select the appropriate algorithm after analyzing the traffic conditions.
The authors in [24] discuss the privacy challenges in vehicular communications and the use of pseudonymous authentication to enhance user privacy while securing communication. To further enhance location privacy, cryptographic mix-zones have been proposed, allowing vehicles to transition to new credentials covertly. However, the resilience of these mix-zones to pseudonym linking attacks depends on factors such as geometry, mobility patterns, vehicle density, and arrival rates.
The authors introduce a tracking algorithm that can link pseudonyms before and after a mixzone, demonstrating through experiments that a determined eavesdropper using standardized vehicular communication messages and road layout can successfully link a significant portion of pseudonyms during both rush and nonrush hours. To mitigate these inference attacks, the authors propose a novel cooperative mix-zone scheme. A subset of vehicles, called relaying vehicles, are selected to emulate non-existing vehicles. These relaying vehicles cooperatively disseminate decoy traffic without compromising safety-critical operations.
An efficient privacy-preserving scheme has been presented in [25]. The authors introduce a novel framework that preserves user privacy without using a vehicle's mobility patterns. A vehicular public key infrastructure is used, divided into a long-term certificate authority and a pseudonym certificate authority. A resolution authority is able to detect malicious behavior and retrieve the real identity of a vehicle. This scheme works well in sparse traffic areas, because the adversary is unable to trace a vehicle using either syntactic or semantic linking. However, this scheme requires third parties to work. The most serious security threat is posed by the resolution authority, because it can retrieve the real identity of a vehicle; if the resolution authority is compromised, the privacy of all vehicles is at risk. Another location privacy preserving scheme for low-density areas has been proposed in [24], which is efficient in terms of computation and communication costs and protects against syntactic and semantic linking attacks. This scheme works in a very similar way to [25] and suffers from the same drawback: the requirement of a third party.

III. BACKGROUND
In this section, we introduce the techniques used in this paper.

A. DIFFERENTIAL PRIVACY
Differential Privacy is a privacy framework that aims to protect the privacy of individuals in the analysis of sensitive data. The core principle of differential privacy is to add controlled noise to the data or the analysis results to mask the contribution of any specific individual. By doing so, even if an adversary has access to the entire dataset or has knowledge about all but one individual's data, it remains difficult to discern the specific information pertaining to that individual.
Definition 1 ((ϵ, δ)-Differential Privacy): A randomized mechanism M satisfies (ϵ, δ)-differential privacy if, for all pairs of neighboring datasets D and D′, and for all subsets S of the output space of M, the following inequality holds:

P(M(D) ∈ S) ≤ e^ϵ · P(M(D′) ∈ S) + δ,

where ϵ ≥ 0 is the privacy parameter that controls the level of privacy protection, and δ ≥ 0 is an additional parameter that accounts for any small probability of additional privacy loss beyond the ϵ threshold. The primary goal of differential privacy is to strike a balance between the usefulness of the analysis results and the privacy of individuals. It achieves this by introducing randomness or noise that obscures individual data points while preserving statistical properties and trends in the aggregate data.
Differential privacy can be implemented through various mechanisms, including randomized response, Laplace noise addition, and secure multiparty computation. These techniques add controlled randomness to the data or the analysis process, ensuring privacy while preserving statistical accuracy.
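As an illustration of one of the mechanisms named above, randomized response for a single yes/no attribute can be sketched as follows (the function and parameter names are ours, for illustration only, not taken from the paper):

```python
import math
import random

def randomized_response(truth: bool, epsilon: float) -> bool:
    # Report the true bit with probability e^eps / (e^eps + 1),
    # otherwise report its flip; this satisfies eps-DP for one bit.
    p_truth = math.exp(epsilon) / (math.exp(epsilon) + 1.0)
    return truth if random.random() < p_truth else not truth

def estimate_frequency(reports: list, epsilon: float) -> float:
    # Unbiased estimate of the true fraction of 'True' answers,
    # inverting the known flipping probability.
    p = math.exp(epsilon) / (math.exp(epsilon) + 1.0)
    observed = sum(reports) / len(reports)
    return (observed + p - 1.0) / (2.0 * p - 1.0)
```

Each individual answer is deniable, yet the aggregate frequency can still be estimated accurately, which is exactly the utility/privacy balance described above.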
Differential privacy has become increasingly important in the field of data analysis, particularly in settings where sensitive or personal data are involved. It allows organizations to extract valuable insights from data while respecting the privacy of individuals and complying with privacy regulations. However, it has one serious limitation: the data are transmitted by the vehicles to a central entity in raw form in order to be analyzed. This central entity can pose a single point of failure and a privacy threat in case it is compromised.

B. LOCAL DIFFERENTIAL PRIVACY (LDP)
LDP is a privacy framework that provides strong privacy guarantees for individuals while preserving the utility of data at the vehicle level. It is a privacy-preserving mechanism that ensures privacy at the individual level, enabling users to contribute to the privacy preservation of the data while allowing it to be used by other entities in the network.
Definition 2 (ϵ-Local Differential Privacy (LDP)): A randomized mechanism M satisfies ϵ-local differential privacy if the following inequality holds:

P(M(D) = S) ≤ e^ϵ · P(M(D′) = S),

where D and D′ are two neighboring datasets that differ by at most one individual's data and S is the output or result of the analysis function. P(M(D) = S) denotes the probability of obtaining S as the result of the analysis on dataset D. This inequality ensures that the presence or absence of an individual's data does not significantly impact the analysis results, providing privacy guarantees. Similar to differential privacy, a common technique for achieving LDP is the addition of Laplace noise, which follows a Laplace distribution with appropriate scale parameters.
In the case of numerical data, the LDP mechanism can be represented by the equation

M(D) = f(D) + Lap(Δf/ϵ),

where f(D) is the deterministic result of the analysis on dataset D, Δf represents the sensitivity of the analysis function, which quantifies how much the analysis result changes with the addition or removal of an individual's data, and ϵ is the privacy budget or parameter that controls the level of privacy protection. By adjusting the privacy budget ϵ, the scale of the Laplace noise can be controlled to achieve the desired level of privacy.
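A minimal sketch of this numeric LDP mechanism (our illustrative code, with the sensitivity passed in explicitly; not the paper's implementation):

```python
import random

def lap(scale: float) -> float:
    # Laplace(0, scale) sample: scaled difference of two Exp(1) draws.
    return scale * (random.expovariate(1.0) - random.expovariate(1.0))

def ldp_perturb(value: float, sensitivity: float, epsilon: float) -> float:
    # M(D) = f(D) + Lap(sensitivity / epsilon): each user perturbs
    # their own value locally before sharing it with anyone.
    return value + lap(sensitivity / epsilon)
```

Each vehicle applies this locally, so no raw value ever leaves the device; the noise is zero-mean, so aggregate statistics remain usable.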

IV. LOCATION PRIVACY IN SPARSE TRAFFIC AREAS

A. ATTACK MODEL
We consider a syntactic linking attack, in which an attacker can link a pseudonym with the real identity of a vehicle if a single vehicle out of a group of vehicles changes its pseudonym [24]. The aim of the attacker is to track a vehicle by using the location traces encapsulated in beacon messages while the vehicle is on its trip. Location privacy is breached when an adversary de-anonymizes the captured location traces. When de-anonymization is successful, the attacker can correctly reconstruct a vehicle's location traces. The adversary keeps attempting to link a pseudonym with a vehicle throughout the vehicle's trip, which also helps the attacker with future location privacy breaches.
The attacker model includes two elements given below.
1) TRACKER
The trackers can be servers with a large amount of resources and tracking algorithms implemented. The presence of a tracker in the system can cause many threats, including eavesdropping, tracking and profile generation, even when it is passive. The tracker in our proposed scheme is global, i.e., it covers the entire network, and is not active. This type of attacker is called a Global Passive Adversary (GPA) in the recent literature [26]. It has the ability to eavesdrop on beacon messages, although it is not able to modify the contents of a captured message.
VOLUME 11, 2023

2) EAVESDROPPING STATION
Eavesdropping stations are deployed, which have the ability to collect the beacon messages within their transmission range. The number of messages collected depends on the targeted vehicles' coverage and transmission range. In our attacker model, the adversary has the properties described above.

B. SYSTEM MODEL
A sparse traffic area is one where traffic density is lower compared with mix-zones, silent zones and mix-context zones. One example is a highway: not many vehicles travel together, and there are no social spots in sparse areas either. A social spot refers to an area where vehicles keep gathering during the day, including schools, universities, hospitals, parking lots, etc. In LPSA, a sparse area in a VANET is a zone where there are 50 or fewer vehicles within the communication range of a vehicle. Figure 1 shows the motivational scenario for LPSA. At one timestamp t, the traffic is dense, and at the next timestamp t + 1, the traffic is sparse. We propose a solution that works for both of these cases, focusing on location privacy preservation in sparse traffic areas. Our scheme consists of two parts: pseudonym changing and beacon message perturbation. In LPSA, vehicles that are moving in sparse areas hold more than one pseudonym at the same time and broadcast safety and traffic-related information using all these pseudonyms at different timestamps. The number of pseudonyms issued before starting the trip depends on the time that a vehicle needs to stay in sparse traffic, e.g., on a highway. Only one of these pseudonyms is associated with the real location of the vehicle, whereas the other pseudonyms carry slightly different locations. When the pseudonym-changing threshold is about to expire, the vehicle perturbs the raw beacon message attributes using ϵ-LDP.
Only one pseudonym carries the raw location of the vehicle; all other pseudonyms carry perturbed locations. In this way, an attacker observing a vehicle cannot tell that it is moving alone in a sparse traffic area. The safety messages sent under perturbed pseudonyms confuse the attacker, who will infer that there is more than one vehicle in the area.

C. LOCATION PRIVACY PRESERVATION IN DENSE AREAS
Before a vehicle starts a trip, it is given sufficient pseudonyms by the RSU. These pseudonyms, along with associated secret and public key pairs and certificates, are stored in the vehicle. It does not cause a storage overhead because the number of pseudonyms issued does not depend on the trip length. In a sparse area, a vehicle can privately communicate without having to change pseudonyms frequently. The pseudonyms need to be changed within a given interval, which is short for dense traffic areas and long for sparse traffic areas. Figure 2 shows the proposed model. At time t, when the traffic is dense, each vehicle broadcasts only one beacon message per beacon message interval, shown as yellow-colored message icons. However, at time t + 1, the traffic is sparse. Now each vehicle broadcasts five messages per beacon message interval. Four out of these five messages are perturbed. The perturbed messages are created using the real message. Noise is added to the real messages to create perturbed messages.
The above-mentioned solution is implemented by adding Laplacian noise (Equation 3) to the beacon message attributes. The real beacon messages are also transmitted only after making sure that the real beacon attributes are not in their raw form. For this purpose, we also use LDP, but with higher values of ϵ, so that the values are not changed much. In this way, utility stays optimal and privacy is also preserved.
Algorithm 1 shows the steps for location privacy preservation in dense traffic areas. When the number of vehicles is more than 50, but not enough to change pseudonyms, vehicles wait for other vehicles to be in their neighbourhood. The time interval between beacon message broadcasts is increased, so that a vehicle does not have to transmit more messages than it safely can with one pseudonym.
Noise is added to the attributes that make up a beacon message. The attributes of a beacon message include {PID_i, t_i, l_i, d_i, s_i}, where PID_i is the pseudo identity of the i-th vehicle, t_i is the timestamp at which a message is sent, l_i is the location of the i-th vehicle, d_i is its direction and s_i is its speed. Because a beacon message consists of only a small number of attributes, the cost of adding noise to this data is not high.
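A sketch of this per-attribute perturbation is given below. The Beacon class, field names, and per-attribute sensitivity values are our illustrative assumptions, not the paper's implementation:

```python
import random
from dataclasses import dataclass

@dataclass
class Beacon:
    pid: str      # pseudo identity PID_i
    t: float      # timestamp t_i
    lat: float    # location l_i (latitude)
    lon: float    # location l_i (longitude)
    d: float      # direction d_i, degrees
    s: float      # speed s_i, m/s

def lap(scale: float) -> float:
    # Laplace(0, scale) sample: scaled difference of two Exp(1) draws.
    return scale * (random.expovariate(1.0) - random.expovariate(1.0))

def perturb_beacon(b: Beacon, decoy_pid: str, eps: float, sens: dict) -> Beacon:
    """Create a decoy beacon: same timestamp, new pseudonym, Laplace
    noise on location, direction and speed (sensitivities assumed)."""
    return Beacon(
        pid=decoy_pid,
        t=b.t,
        lat=b.lat + lap(sens["lat"] / eps),
        lon=b.lon + lap(sens["lon"] / eps),
        d=(b.d + lap(sens["d"] / eps)) % 360.0,   # keep a valid heading
        s=max(0.0, b.s + lap(sens["s"] / eps)),   # speed stays non-negative
    )
```

Because only a handful of scalar fields are touched, the perturbation cost per decoy message is a few random draws and additions.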

D. LOCATION PRIVACY PRESERVATION IN SPARSE AREAS
In case the number of vehicles drops, the pseudonyms are changed using a different method. For a new perturbed message, each raw beacon message attribute goes through noise addition with a low value of ϵ, i.e., with stronger noise.
The algorithm for the generation of perturbed messages is given in Algorithm 2. How much noise is added during perturbation depends on LDP's privacy budget ϵ, which represents the privacy-utility trade-off offered by LDP: lower values of ϵ add more noise, yielding stronger privacy but lower utility, while higher values of ϵ preserve utility at the cost of privacy. For the creation of perturbed messages, the value of ϵ is kept between 0.6 and 0.7.

1) TRAFFIC DENSITY THRESHOLD
In LPSA, the number of perturbed messages to be generated increases as the number of vehicles decreases, and vice versa. When the number of vehicles is low, the vehicles generate a larger proportion of perturbed messages so as to confuse the adversary; similarly, when the number of vehicles increases, the proportion of perturbed messages is decreased.
We define a traffic density threshold λ. When the total number of vehicles is less than λ, the traffic is considered to be sparse, and dense when it is greater than or equal to λ. This threshold has a fixed value depending on the number of vehicles within a vehicle's communication range. For instance, we test LPSA with values of λ set to 50, 100, 150 and 200. The results show that an optimal traceability value is achieved when λ = 100. The number of perturbed messages to be generated and broadcast in the network also depends on this threshold. The formula that we use to determine the number of perturbed messages to be generated is given below.
where N_p is the number of perturbed messages to be generated, λ is our traffic density threshold, and N_v is the number of vehicles on the road. Using this formula, the number of perturbed messages can be adjusted dynamically based on the number of vehicles. We use two characteristics of LDP to add noise to the data, namely sequence combinability and parallel combinability.
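As an illustration only, the following is a hypothetical stand-in for the N_p formula, not the paper's actual expression. It exhibits the stated behavior: the decoy count grows as the vehicle count N_v falls below the threshold λ, and no decoys are generated in dense traffic:

```python
def num_perturbed_messages(n_vehicles: int, lam: int = 100, max_decoys: int = 10) -> int:
    # Hypothetical stand-in: the decoy count grows as the vehicle
    # count falls below the density threshold lambda.
    if n_vehicles >= lam:
        return 0  # dense traffic: mix-context pseudonym change suffices
    deficit = (lam - n_vehicles) / lam  # fraction of "missing" traffic
    return min(max_decoys, max(1, round(deficit * max_decoys)))
```

The cap `max_decoys` is our assumption, keeping channel load bounded however sparse the traffic becomes.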
Definition 3 (Sequence Combinability): Given a set of privacy algorithms L_1, L_2, L_3, ..., L_n and a dataset D, where each L_i satisfies ϵ_i-LDP for 1 ≤ i ≤ n, the sequence combination of the set of algorithms satisfies ϵ-LDP, where

ϵ = Σ_{i=1}^{n} ϵ_i.

Definition 4 (Parallel Combinability): Given a dataset D and a privacy algorithm L that satisfies ϵ-LDP on D, L also satisfies ϵ-LDP for any n disjoint subsets of D. The goal of using these characteristics is to transmit the data so as to learn the distribution of values while making sure that the privacy of individual users is not lost.
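A small sketch of how these combinability properties are used in practice (helper names are ours): sequence combinability means per-dimension budgets must sum to the total ϵ, while parallel combinability lets disjoint data partitions each use the full budget.

```python
def sequential_budgets(total_eps: float, n_dims: int) -> list:
    # Sequence combinability: releasing all n dimensions of one record
    # spends the sum of the per-dimension budgets, so split eps evenly.
    return [total_eps / n_dims] * n_dims

def parallel_budget(total_eps: float, n_partitions: int) -> list:
    # Parallel combinability: disjoint subsets of the data may each be
    # processed under the full budget without extra privacy loss.
    return [total_eps] * n_partitions
```

For a beacon with five noisy attributes and ϵ = 0.65, each attribute would receive a budget of 0.13 under sequence combinability.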

V. RESULTS AND DISCUSSIONS
In this section, we evaluate our proposed model's performance.

Theorem 1: The proposed scheme ensures that the tracking rate for a vehicle is low.
Proof: The probability of the i-th vehicle being targeted by the attacker is given in the following equation:

p_i = 1/ASS,

where ASS is the anonymity set size, defined as the size of the set of vehicles among which a targeted vehicle is indistinguishable to the attacker. The sum of these probabilities over all vehicles i is always 1:

Σ_i p_i = 1.
The entropy of identifying a targeted vehicle is calculated as given in Equation 8:

H = −Σ_i p_i log2 p_i.
In a dense area, the vehicles are distributed uniformly with density φ. The arrival rate of vehicles follows a Poisson distribution. For both dense and sparse traffic areas, the arrival and departure rates of vehicular nodes are the same. We denote the number of vehicles in an area A as v_A, so that

P(v_A = n) = (φ_A^n / n!) e^(−φ_A),

where φ_A is the mean of the Poisson distribution. In dense traffic areas, n vehicles change their pseudonyms in a mix-context zone. The adversary observes this, and the anonymity set size is now n.
The probability of successful tracking is given in the following equation:

p = 1/n.

Accordingly, the new entropy of the anonymity set is

H(p) = log2 n.

In sparse traffic areas, the number of vehicles and the predicted area are smaller than those of mix-context zones. In area A, there are n′ vehicles that change their pseudonyms. The tracking probability is given in the equation below:

p′ = 1/n′.

Now, the entropy of the anonymity set is

H′(p) = log2 n′,

where p′ > p and H′(p) < H(p) since n′ < n, which means the successful tracking rate is low. □
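The quantities used in this proof can be checked numerically; the sketch below (our code, assuming the uniform case from the proof) computes the tracking probability and the corresponding anonymity-set entropy:

```python
import math

def tracking_probability(ass_size: int) -> float:
    # Uniform case: the attacker picks the target with probability 1/n.
    return 1.0 / ass_size

def anonymity_entropy(ass_size: int) -> float:
    # Entropy of a uniform anonymity set: H = -sum p log2 p = log2 n.
    return math.log2(ass_size)
```

A smaller anonymity set (sparse traffic without decoy messages) gives p′ > p and H′ < H, matching the comparison in the proof; LPSA's perturbed messages inflate the set the adversary observes.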

B. SECURITY ANALYSIS
Theorem 2: The proposed scheme satisfies ϵ-LDP.

Proof: Given the LDP privacy budget ϵ and a vector υ with n dimensions, ϵ can be divided into n copies by assigning ϵ/n to each dimension. The Laplacian probability density function is

f(x | 0, b) = (1/2b) exp(−|x|/b).

For dimension υ_1, perturbed with scale b = nΔf/ϵ, and any two inputs υ_1, υ′_1 with |υ_1 − υ′_1| ≤ Δf, we have

P(M(υ_1) = s) / P(M(υ′_1) = s) = exp((|s − υ′_1| − |s − υ_1|)/b) ≤ exp(|υ_1 − υ′_1|/b) ≤ exp(ϵ/n).

Similarly, for all n dimensions, multiplying the per-dimension bounds by sequence combinability gives

P(M(υ) = s) / P(M(υ′) = s) ≤ exp(n · ϵ/n) = exp(ϵ).

Therefore, the mechanism satisfies ϵ-LDP. □

C. PRIVACY ANALYSIS
Theorem 3: For any ϵ > 0, δ ∈ [0, 1] and δ̃ ∈ [0, 1], the class of (ϵ, δ)-differentially private mechanisms satisfies (ϵ̃, 1 − (1 − δ)^k (1 − δ̃))-differential privacy under k-fold adaptive composition, for

ϵ̃ = ϵ √(2k ln(1/δ̃)) + kϵ(e^ϵ − 1).

In the high-privacy regime, when ϵ ≤ 0.9, the above bound can be further simplified as

ϵ̃ ≤ ϵ √(2k ln(1/δ̃)) + 2kϵ².

On the vehicle end, the typical regime of interest while performing LDP is the high-privacy regime for the composition privacy guarantee, i.e., when √k ϵ² < 1. The theorem above suggests that we need the extra slack of approximate privacy δ̃ only of order √k ϵ². This means that under composition, all the values of ϵ_r are summed up. In case we have kϵ or kϵ² in Equation 27, it can be substituted by the corresponding summation in order to compute general results for heterogeneous composition.
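The k-fold composition behavior can be explored numerically. The sketch below uses the standard advanced composition bound from the differential privacy literature, ϵ̃ = ϵ√(2k ln(1/δ̃)) + kϵ(e^ϵ − 1); this is our illustrative choice and may differ in constants from the exact bound used in the paper:

```python
import math

def advanced_composition_eps(eps: float, k: int, delta_tilde: float) -> float:
    # Total budget after k adaptive (eps, delta) releases, with extra
    # slack delta_tilde on the failure probability.
    return (eps * math.sqrt(2.0 * k * math.log(1.0 / delta_tilde))
            + k * eps * (math.exp(eps) - 1.0))
```

For small ϵ and large k this composed budget is far below the naive bound kϵ, which is why the high-privacy regime is the interesting one on the vehicle side.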

D. ENVIRONMENTAL SETUP
We simulate LPSA in the PREXT (Privacy Extension for Veins VANET Simulator) simulator. It depends on VEINS, which is based upon OMNeT++ and SUMO (Simulation of Urban Mobility). It includes adversary modules that eavesdrop on beacon messages. These adversaries are global and passive, i.e., they cover almost the entire network and do not have the ability to modify any content of a message. The adversarial model and the methods that the adversary uses to locate a vehicle are given in Section IV-A. The SUMO mobility model used in the default PREXT simulation is given in Figure 3. Simulation parameters are given in Table 1. In our simulation, we use a GPA. This adversary has the ability to eavesdrop on beacon messages and covers the entire network. The beacon messages, when received by the adversary, are uploaded to an entity known as the vehicle tracker. PREXT uses a tracking algorithm, which consists of four phases:
• State estimation using a Kalman filter
• Data association using the nearest neighbor probabilistic data association (NNPDA) algorithm
• Gating phase
• Track maintenance

1) MOBILITY MAP
In our simulation, we use the real road map of the city of Munich in SUMO, as given in Figure 3. SUMO is a traffic simulator well known for VANET simulations. It provides the features required for road traffic modeling. The map shown in Figure 3 has been obtained from OpenStreetMap (OSM). The map is converted to SUMO format using the NetConvert and PolyConvert tools included in SUMO 0.25.0.

E. EVALUATION
In this section, we provide our results and compare them with CPESP [23], Khodaei et al. [24], periodic pseudonym change, RSP [19], SLOW [20], CAPS [22] and CPN [21]. We evaluate our proposed algorithm in terms of the following evaluation parameters:
• Traceability
• Anonymity set size
• Average pseudonym change per trace
• Average confusion per trace
Our results show that LPSA performs well in terms of anonymity set size, traceability, pseudonym change per trace and average confusion per trace in both sparse traffic areas and mix-zones.

1) TRACEABILITY
In this subsection, we will evaluate the effectiveness of the proposed scheme in protecting against traceability attacks. Traceability poses a significant risk to location privacy in VANETs, as adversaries may attempt to link transmitted messages, actions, or data exchanges to specific vehicles. By establishing a traceable trail, adversaries can compromise the privacy of vehicles, identify their real identities or locations, and potentially engage in malicious activities.
Traceability measures how likely an adversary is to track a vehicle for more than 90% of its trace. It involves establishing a clear record or audit trail that allows the location-based history and interactions of these vehicles to be identified and examined. When measuring traceability, traces in which no pseudonym change occurs are ignored. To breach a vehicle's privacy, an adversary has to trace it continuously, since de-anonymization is only possible when traces are complete and contain minimal errors. The results are given in Figure 4. It is observed that LPSA has low traceability in sparse areas as well as in mix-zones.
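The metric just described can be sketched directly: over the traces in which a pseudonym change occurred, count the fraction that the adversary followed for more than 90% of their length. The function and field names below are illustrative, not from LPSA or PREXT.

```python
def traceability(traces, threshold=0.9):
    """Fraction of pseudonym-changing traces tracked beyond `threshold`.

    traces: list of dicts with
      'tracked_fraction'  -- share of the trace the adversary followed, in [0, 1]
      'changed_pseudonym' -- whether a pseudonym change occurred in this trace
    Traces without a pseudonym change are ignored, as in the metric above.
    """
    eligible = [t for t in traces if t["changed_pseudonym"]]
    if not eligible:
        return 0.0
    traced = sum(1 for t in eligible if t["tracked_fraction"] > threshold)
    return traced / len(eligible)
```

Lower values are better: they mean fewer vehicles could be followed almost end-to-end despite changing pseudonyms.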

2) ANONYMITY SET SIZE
Anonymity set size shows how many vehicles an adversary must observe before the target vehicle becomes indistinguishable among them. It depends on the probabilities assigned to the vehicles on this basis. The main concept behind anonymity is to select a set of vehicles broadcasting messages that can be observed by the GPA. The anonymity set can be defined as the size of the region within which a vehicle targeted by an adversary blends in.
Mathematically, the anonymity set size (AS) can be defined as
AS = |S|, S ⊆ {1, 2, …, N},
where N represents the total number of vehicles in the network and S represents the subset of vehicles that have similar or indistinguishable location information. The comparison results for anonymity set size are given in Figure 5. It is observed that LPSA performs well in terms of anonymity set size. A larger anonymity set size indicates a higher degree of anonymity because it increases the number of vehicles that could potentially occupy a given location. This makes it more challenging for an adversary to pinpoint the exact location of a specific vehicle. Conversely, a smaller anonymity set size reduces anonymity and increases the likelihood of an adversary successfully linking a location to a particular vehicle.
The anonymity set sizes recorded for LPSA are 1.7657, 1.7194, 1.6542, and 1.5501 for 50, 100, 150, and 200 vehicles, respectively. Of all the schemes, only CPN provides a larger anonymity set size than LPSA.
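Under the definition above, an average anonymity set size can be sketched as follows: each vehicle's anonymity set is the group of vehicles whose reported locations are mutually indistinguishable, and the metric averages that group size over all vehicles. Grouping by grid cell is our illustrative proxy for "similar or indistinguishable location information", not the paper's exact mechanism.

```python
from collections import Counter

def avg_anonymity_set_size(positions, cell=100.0):
    """Average anonymity set size over all vehicles.

    positions: list of (x, y) locations reported by vehicles.
    Vehicles whose positions fall in the same square cell of side
    `cell` metres are treated as mutually indistinguishable.
    """
    cells = [(int(x // cell), int(y // cell)) for x, y in positions]
    counts = Counter(cells)
    # Each vehicle's anonymity set is the population of its own cell.
    return sum(counts[c] for c in cells) / len(cells)
```

Values only slightly above 1, as reported for most schemes here, indicate that vehicles are usually alone in their region, which matches the sparse-traffic setting the paper targets.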

3) AVERAGE CONFUSIONS
Average confusion per trace gives the number of times, on average, a vehicle changes its pseudonym before an attacker becomes confused and unable to track it. Confusion per trace is defined in Equation 30:
Confusion = (1/|τ|) Σ_{i=1}^{|τ|} M(S(τ_i), S′(τ_i)),    (30)
where |τ| is the number of traces, τ_i is the i-th trace, S(τ_i) is the set of real vehicles in trace τ_i, S′(τ_i) is the set of inferred vehicles in trace τ_i, and M is a metric that represents the difference between the set of real vehicles and the set of inferred vehicles. A comparison between LPSA and other location privacy preserving schemes in terms of average confusion is given in Figure 6. It is observed that average confusion per trace is highest for LPSA and Khodaei et al.
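Equation 30 can be sketched by picking a concrete choice of M. Since the paper leaves M abstract, we use the symmetric-difference size between the real and inferred vehicle sets as an illustrative difference metric; larger values mean the adversary's inferences diverge more from reality.

```python
def average_confusion(real_sets, inferred_sets):
    """Average of M(S(tau_i), S'(tau_i)) over all traces, with M taken
    here as the symmetric-difference size (an illustrative choice).

    real_sets[i]     -- S(tau_i), the set of real vehicles in trace i
    inferred_sets[i] -- S'(tau_i), the set the adversary inferred
    """
    assert len(real_sets) == len(inferred_sets)
    total = sum(len(s ^ s_inf) for s, s_inf in zip(real_sets, inferred_sets))
    return total / len(real_sets)
```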

4) AVERAGE PSEUDONYM CHANGE PER TRACE
This measure shows how frequently a vehicle changes its pseudonym while it is being tracked by an adversary. It becomes harder for an adversary to track a vehicle if the vehicle changes pseudonyms frequently.
The average pseudonym change per trace (ACPT) can be calculated as
ACPT = (total pseudonym changes) / T,
where total pseudonym changes represents the cumulative number of pseudonym changes that occurred across all vehicles during the traces and T represents the total number of traces or time intervals considered in the analysis.
A higher ACPT indicates a more frequent pseudonym change strategy, which enhances privacy by reducing the linkability of a vehicle's activities across different time intervals. It makes it harder for adversaries to trace or track a vehicle's movements or actions over an extended period. The results for this experiment are shown in Figure 7. The x-axis shows the number of vehicles and the y-axis shows the number of times a pseudonym is changed per trace.
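The ACPT formula above is a straightforward ratio and can be sketched directly; the function and argument names are ours, chosen for illustration.

```python
def acpt(changes_per_vehicle, num_traces):
    """Average pseudonym change per trace.

    changes_per_vehicle: per-vehicle counts of pseudonym changes,
                         summed to give the cumulative total.
    num_traces:          T, the number of traces (or time intervals).
    """
    return sum(changes_per_vehicle) / num_traces
```

For example, three vehicles changing pseudonyms 3, 2, and 5 times over 5 traces yield an ACPT of 2.0.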

VI. CONCLUSION
In this paper, we proposed an algorithm that provides location privacy preservation in sparse traffic areas as well as in mix-zones. To achieve this, we modified the pseudonym changing technique to ensure location privacy in sparse areas. When traffic is dense, we utilize the mix-context zone scheme, whereas when traffic is sparse, we use the LPSA scheme to preserve location privacy. LPSA sends multiple perturbed messages when vehicles are in sparse areas. We consider networks of 50 vehicles as sparse traffic. The number of perturbed messages to be sent is determined by our traffic density threshold λ. We compare LPSA with CPESP, Khodaei et al., periodic pseudonym change, RSP, SLOW, CAPS, and CPN. Our proposed scheme works efficiently in both dense and sparse traffic areas. We evaluate LPSA in terms of traceability, average anonymity set size per trace, average number of confusions, and average pseudonym change per trace. It is observed that our proposed scheme outperforms most of these schemes in terms of all these parameters. Moreover, since the proposed scheme does not need to store data on a third party and the pseudonym pools are kept in the vehicle itself, LPSA is secure against single point of failure attacks. The proposed scheme also protects against colluding attacks by sending multiple beacon messages in sparse areas. In the future, we aim to modify LPSA so as to achieve optimal entropy.

AHSAN HAYAT received the bachelor's degree in computer science from Arid Agriculture University Rawalpindi, Pakistan, and the master's degree in information security from COMSATS University Islamabad, Pakistan. His research interests include location privacy, cryptography, and privacy preservation.
ZAINAB IFTIKHAR received the M.S. degree in information security from COMSATS University Islamabad, in 2021. Her research interests include data privacy, quantum cryptography, blockchain, IOTA ledger, and authentication.
MAJID IQBAL KHAN received the master's degree in software engineering and the Ph.D. degree in wireless sensor networks from the University of Vienna, Austria, in 2004 and 2009, respectively. He is currently an Associate Professor with the Department of Computer Science, COMSATS University Islamabad. His research interests include trust management in distributed systems, real-time task scheduling in networks, and routing issues in the Internet of Things.