AAAS: An Anonymous Authentication Scheme Based on Group Signature in VANETs

As special ad-hoc networks, vehicular ad-hoc networks (VANETs) allow vehicles to communicate with each other via opportunistic wireless links. In order to protect the privacy of drivers, vehicles registered in VANETs are required to authenticate and communicate with surrounding vehicles or roadside infrastructure anonymously. However, due to high-speed driving and the wireless environment, it is vital to propose a privacy protection scheme that is able to balance security and efficiency. Consequently, this paper proposes an anonymous authentication scheme in VANETs (AAAS). Specifically, we add a region trust authority to provide more efficient anonymous authentication service for vehicles. Subsequently, a group signature mechanism is adopted to achieve anonymity and conditional privacy. Moreover, security and performance analysis show that AAAS has higher security and efficiency.


I. INTRODUCTION
With the rapid development of wireless communication technology, intelligent transportation systems (ITSs) play a crucial role in improving transportation safety and enhancing productivity [1]. Recently, as they provide stable communication services for vehicles, VANETs have attracted extensive attention in ITSs. Generally, driving vehicles with OBUs should inform surrounding vehicles and roadside infrastructure of their position, direction and velocity [2]. Meanwhile, as collectors, vehicles can integrate and analyze received information, so as to avoid congested roads and prevent accidents. However, due to the wireless network communication environment, it is easy for attackers to intercept, tamper with and replay the transmitted messages, which puts the security and reliability of VANETs at risk [3]. According to [4], authentication is considered to be the most reliable mechanism to ensure the legitimacy of entities in VANETs. Before data exchange, the legality of each sender's identity must be verified, which can effectively prevent the security threats caused by adversaries' attacks. Since adversaries can collect safety information broadcast by vehicles, it is likely for adversaries to obtain the trajectory of a vehicle and violate the personal privacy of the driver over time [5]. Thus, vehicles have to broadcast security messages anonymously to prevent being tracked. Consequently, proposing a secure and efficient anonymous authentication and communication scheme has become an important factor in the rapid popularization of VANETs.

The associate editor coordinating the review of this manuscript and approving it for publication was Muhammad Imran.
Recently, many anonymous authentication schemes have been proposed to ensure the security in vehicle to infrastructure (V2I) communication. Symmetric cryptography, asymmetric cryptography, and group signature, are thought as main mechanisms to achieve anonymous authentication in VANETs.
For schemes based on symmetric cryptography, in [6], an authority called ombudsman (OM) issues a unique identity and a seed value to each vehicle. Each vehicle and OM can calculate a set of pseudonymous handles depending on seed values. Meanwhile, roadside units (RSUs) can provide the service of generating short-term pseudonyms for vehicles according to the handle. However, as all messages generated by vehicles using short-term pseudonyms can only be verified by RSUs, the receiver has to send these messages to an RSU for verification, which increases delay and adds communication overhead. In [7], a prediction-based authentication for vehicle-to-vehicle communications (PBA) is designed by using a symmetric cryptography mechanism. PBA adopts vehicle position prediction mechanism to integrate location prediction result into and generate beacon messages in advance to guarantee efficiency of signature verification. Besides, in order to reduce storage cost, PBA requests vehicles to use local keys and construct new temporary signatures. However, PBA is based on the accurate prediction of vehicle position, without considering how to achieve mutual authentication if the vehicle position prediction fails. In addition, symmetric cryptography is less flexible than asymmetric cryptography when it comes to the realization of authentication capabilities.
Pseudonym issuance and the authentication process of the schemes based on asymmetric cryptography are similar to PKI mechanisms. In [8], the trust authority (TA) issues a public key, private key, activation key and vehicle license to each vehicle. Each vehicle is able to generate an anonymous certificate based on the message from TA that is easily verified by other vehicles. In addition, the scheme proposes an effective mechanism to enable an RSU to achieve batch authentication of multiple vehicles when a sending vehicle enters the area covered by an RSU and requests network service from the RSU. However, according to [9], for the purpose of privacy protection, vehicles are required to change pseudonyms and certificates frequently. In this step, vehicles must communicate with TA, which leads to high computational overhead and communication costs. Moreover, it can hardly guarantee that high-speed vehicles receive new certificates in time. Reference [10] proposes an efficient anonymous authentication (EAAP), which enables vehicles to generate pseudonyms independently. In EAAP, a vehicle can use an authorization key (AK) obtained from TA to generate anonymous certificates, which improves the communication cost of changing anonymous certificates in the traditional scheme. Nevertheless, in order to protect the privacy of vehicles, vehicles are required to generate anonymous certificates frequently while communicating with other entities to request services. According to [11], due to the limited vehicle computing and storage capacities, EAAP faces a huge challenge in performance. To reduce computation cost in authentication, [12] proposes an identity (ID)-based signature (IBS) scheme (CPAS) to support anonymous authentication. Instead of the Map To Point function, CPAS uses general hash functions to keep a balance between privacy security and operation. Furthermore, CPAS supports batch verification to improve the efficiency of RSU authentication. Unfortunately, CPAS does not propose an effective revocation mechanism for illegal vehicles. Once vehicles are compromised, the threats facing VANETs cannot be ignored. In LIAP [13], Wang and Yao presented a local identity-based anonymous authentication protocol. Not only does the scheme have low computational cost, but it also supports batch signature verification. However, since the RSU is requested to distribute certificates to vehicles and maintain vehicle identities, the scheme will confront a huge challenge without sufficient computation and storage capacity.
In anonymous authentication schemes based on group signature, VANETs are composed of multiple groups, and each group manager is thought to be trustworthy. Generally, group members can generate signatures without revealing their real identity. In [14], the anonymous certificate is cancelled and RSUs are considered as group leaders to provide anonymous authentication service for vehicles, which is able to effectively improve the transmission and communication costs caused by certificate issuance and revocation. However, [14] could not meet the security requirements of distributed resolution authority. Since RSUs have already saved privacy information of vehicles, once an RSU is compromised, the privacy of each vehicle is at risk of being exposed. Reference [15] proposes a secure vehicular network communication scheme (GIGS) by combining group signatures and identity-based signatures. GIGS adopts group signature and reduces vehicle information storage overhead. Apart from that, GIGS uses identity-based signature to relieve public key and certificate management pressure. However, once there are illegal vehicles in the network, the scheme does not provide an effective mechanism for illegal vehicle revocation. [16] adds a regional group manager to support vehicles in updating their identities and group secret keys periodically in credential revocation, which decreases TA revocation cost significantly. Nevertheless, in anonymous authentication, a large number of point multiplications and bilinear pairings are executed, which makes the scheme inefficient. Ring signature, as a special group signature, is used in the scheme [17] for vehicle anonymous authentication. In [17], vehicles can generate ring signatures independently without the help of RSUs or TA. In addition, identities of all members can be changed quickly without consent or messaging. However, the scheme does not mention how to disclose each illegal vehicle's identity and trajectory, so it is unable to solve the credential revocation of illegal vehicles. Reference [18] adopts a batch group signature scheme to achieve efficient message signature verification and proposes a group session key (GSK)-based revocation strategy (GSSA) to achieve fast vehicle revocation checks. In terms of computation time cost, message delay and loss rate, GSSA is efficient. What is more, GSSA is able to resist impersonation attacks, tracking attacks, Sybil attacks, and replay attacks. However, due to the lack of a challenge value in the signature, GSSA does not recognize the trustworthiness of the sender's message content, so the vehicle cannot verify the legality of the response from the RSU.
To solve the above problems, we propose an anonymous authentication scheme based on group signature in VANETs (AAAS). AAAS consists of four phases: system initialization, initial registration, initial V2I authentication, and handover V2I authentication. The main features of the proposed scheme are as follows.
• AAAS adds region trust authority (RTA) as group manager to provide anonymous authentication and communication services for vehicles, which can effectively improve the computation and communication costs of TA and relieve the pressure of RSU with low computation and storage capacity.
• Pseudonym mechanism and group signature mechanism are integrated into the scheme to satisfy distributed resolution. A single authority cannot directly resolve the real identity, which effectively reduces the risk of vehicle privacy exposure once an authority is compromised.
• Security and performance analysis show that AAAS can maintain a good balance between efficiency and security.

The rest of this paper is organized as follows. In Section II, we outline necessary preliminaries. The proposed scheme is elaborated in Section III, followed by security proof and analysis in Section IV. Section V evaluates the performance of the proposed scheme through communication overhead, computation cost, and signaling cost. Finally, we draw our conclusion and future work in Section VI.

A. VANETs
As a vital part of intelligent transportation systems (ITS), vehicular ad-hoc networks (VANETs) are able to use wireless communication technologies to support continuous and stable network communication service [19]. As shown in Figure 1, VANETs consist of three important entities: trust authority (TA), roadside units (RSUs), and vehicles equipped with on-board units (OBUs) [20]. TA is usually regarded as a trusted third party, which is trusted by all entities in VANETs. Security and reliability of TA are the basis for establishing a mutual trust relationship among other entities in VANETs. RSUs deployed on both sides of the road have high storage and computation capacity. RSUs can provide safety-related services, efficiency-related services, and entertainment-related services for vehicles through wireless communication. OBUs, installed in vehicles, can support the information exchange with RSUs or other OBUs to obtain required services.

B. BILINEAR PAIRING
Let $G_1$ be an additive group of prime order $q$, generated by $P$, and let $G_T$ be a multiplicative group with the same $q$.
3) Computability: There is an efficient algorithm to compute $e(P, Q)$, where $P, Q \in G_1$.

C. IDENTITY-BASED GROUP SIGNATURE
Group signature is considered a special signature mechanism, in which authorized members can sign on behalf of the underlying group [22]. For a given group signature, any unauthorized entity can use the group public key to verify whether the signature is legal, but it is impossible for any verifier except the group manager to reveal the signer's identity. Consequently, the group signature mechanism can be effectively used in anonymous authentication in VANETs [23]. However, in traditional group signature schemes, any verifier has to determine the validity of the group public key certificate before verifying the group signature, which may influence the efficiency and stability of communication for high-speed vehicles. In addition, due to the limited computing and storage capacity of vehicles, the overhead of storing certificates for vehicles is also not negligible. Consequently, identity-based group signature is adopted in the proposed scheme, where the public group manager identifier can be used as the public group key component [24]. To reduce the burden of public key certificate management, the verifier only needs to know the identity of the group manager to compute the group public key. The earliest identity-based group signature mechanism was proposed by Park et al. [25]. However, due to its high computation cost and low efficiency, it is difficult to use in anonymous authentication in VANETs. Han et al. proposed a novel identity-based group signature scheme [26], which strikes a balance between security and efficiency. In the proposed scheme, [26] is used in anonymous authentication and communication in VANETs. The details of the scheme are as follows.
1) Setup. Let $G_1$ and $G_T$ be two cyclic groups generated by $P$, whose order is prime $q$, where $G_1$ is an additive group and $G_T$ is a multiplicative group. The group manager (GM) chooses two cryptographic hash functions: and constructs a bilinear function $e: G_1 \times G_1 \to G_T$. Then, GM generates $a \in Z_q^*$ as the secret key of GM and sets $P_{pub} = aP$ as the public key of the group.
2) Extract. When a new member $U_i$ wants to be an authorized member of the group, the member is requested to send its identity $f_i$ to GM through the secure tunnel.
GM computes

III. THE PROPOSED SCHEMES
In this section, the AAAS network architecture, trust model, system initialization, initial registration, V2I initial authentication, and V2I handover authentication are described. We adopt an identity-based signature mechanism (CC signature [27]), the Diffie-Hellman key exchange mechanism [28], and the AES cipher mechanism [29] to support anonymous authentication and communication. Before introducing AAAS, a few relevant abbreviations and descriptions that are used frequently are given in Table 1. Figure 2 shows the network architecture of the proposed scheme, which includes four types of entities, namely, trusted authority (TA), region trusted authority (RTA), RSU, and vehicle.

A. NETWORK ARCHITECTURE
• TA: As a trusted third-party entity, TA generates system parameters, issues private keys for RTA, and computes pseudonyms and private keys for vehicles. In addition, TA also maintains an identity list of vehicles and provides services for illegal vehicle revocation.
• RTA: In order to alleviate TA computation and communication pressure, in AAAS network architecture, RTA is added to manage all RSUs in each area and provides anonymous authentication and communication services for vehicles.
• RSUs: RSUs are usually deployed on both sides of the road to provide related safety services and entertainment services for legal vehicles on the road through wireless communications.
• Vehicles: To obtain network services provided by VANETs, each vehicle equipped with an OBU is able to exchange information with surrounding RSUs and vehicles, so as to give drivers a better driving experience.

B. TRUST MODEL
The trust model of the proposed scheme is described in Fig   need to submit true identities to apply for registration. Keeping security and reliability of TA is the basis to establish trust relationship among other entities in VANETs. RTA is requested to register with TA to establish trust relationship with TA. Meanwhile, RTA is trusted by all RSUs in the assigned areas, but there is no trust relationship between RTAs. RSU trusts TA and RTA in its area but not vehicles. Besides, RSU does not trust other RSUs. All vehicles trust TA, but vehicles do not trust other vehicles and RSUs. The purpose of the proposed scheme is to establish the trust relationship between vehicles and RSUs anonymously.

C. SYSTEM INITIALIZATION
In terms of the network architecture and trust model, system initialization is executed as follows.
• TA selects two cyclic groups $G_1$ and $G_T$ generated by $P$, whose order is a prime $q$, where $G_1$ is an additive group and $G_T$ a multiplicative group.
• TA chooses a bilinear pairing $e: G_1 \times G_1 \to G_T$ and three hash functions
1) Vehicle first randomly picks a secret key $a \in Z_q^*$ and a challenge value $N_1$, and computes the key-agreement parameter $aP$; then the vehicle uses the public key of TA to encrypt $\langle ID_v, aP, N_1 \rangle$ and gets
3) When obtaining the ciphertext from the vehicle, TA uses master key $s$ to decrypt $C_{v-TA}$ and gets $ID_v$, $aP$, and n is the total number of each vehicle obtaining pseudonym. Then TA computes the session key with the vehicle $K_{TA-v} = saP$ and encrypts < a

2) RTA REGISTRATION PROTOCOL
1) RTA selects a random number $b \in Z_q^*$ as its secret key and computes the key-agreement parameter $bP$. RTA then computes ciphertext

3) RSU REGISTRATION PROTOCOL
In order to reduce the computation and communication pressure of TA, all RSUs are required to submit their registration applications to the RTA in their area. Before the RSU registration protocol is executed, RTA first chooses $SK_{RTA} = b$ and $PK_{RTA} = bP$ as group public/private key that are valid only in its area. Then RTA uses $SK_{RTA}$ to sign $PK_{RTA}$ and gets $Sign_{RTA} = Sign_{SK_{RTA}}$
1) Each RSU generates a secret key $r \in Z_q^*$ randomly and calculates $rP$ as the key-agreement parameter with RTA. After that, RSU generates ciphertext
If the verification is successful, the vehicle $f_v^i$ is considered a legal vehicle. Otherwise, $RSU_2$ refuses the communication request from the vehicle. Finally, $RSU_2$ generates the session key with the vehicle, $K_{RSU_2-v} = r_{RSU_2} V_v$, to verify $N_7$ and computes
If $N_8$ is legal, then the trust relationship is established between the vehicle and $RSU_2$; otherwise, handover authentication fails.

IV. SECURITY PROOF AND ANALYSIS
In this section, security proof and analysis for AAAS are presented. We first use SVO logic to provide a formal security proof. Afterwards, we also give further security analysis to prove AAAS satisfies the security requirements in [30].

A. SVO LOGIC
Recently, an increasing number of researchers use formal analysis methods to evaluate the security of their protocols and schemes. Among all proposed formal security analysis methods, SVO logic [31], as an important BAN-like logic, has the advantages of BAN logic, GNY logic, and AT logic. Besides, SVO logic redefines some concepts in formal semantics and has very simple inference rules and axioms. SVO logic has now become a widely used formal analysis method. Since, in most cases, vehicles and RSUs perform the V2I handover authentication protocol, the formal security proof of AAAS handover authentication is provided in this section. Relevant notations and descriptions are given in Table 2.

2) SVO AXIOM SCHEMATA
For any principals P, Q and formulae ϕ, ψ, the following axiom schemata are introduced.

B. FURTHER SECURITY AND PRIVACY ANALYSIS
According to the security and privacy requirements of VANETs, we further analyze the security of the proposed scheme in the following aspects [30].

1) SECURITY ANALYSIS

a: AUTHENTICATION
In VANETs, authentication is the process of checking the authenticity and accuracy of certain claims, e.g., identity, privileges and authority. In the proposed scheme, all vehicles are required to perform the mutual authentication protocol before getting network services from surrounding vehicles and RSUs. Depending on the group signature mechanism and identity-based signature, vehicles and RSUs can confirm the legitimacy of their identities. Besides, through the Diffie-Hellman key exchange mechanism and the challenge value, vehicles and RSUs can confirm that the information is transmitted correctly and a safe communication tunnel is built.

b: ACCOUNTABILITY
In some scenarios, when some vehicles commit illegal acts, e.g., broadcasting a forged warning message, there exists a serious risk of unnecessary traffic jams and accidents. In this situation, law enforcement agencies need to have the capacity to accurately identify the real identity of illegal vehicles and hold them accountable. In addition, accountability means non-repudiation, that is, the sender cannot repudiate a message that has been sent. In the proposed scheme, each vehicle sends a CC signature or group signature to prove the legitimacy of its identity. The receiver cannot know the true identity of the sender, but once the vehicle has performed illegal acts, RTA and TA can resolve the real identity of the signer according to the content of the signature. The signer cannot deny its signature, which meets accountability well.

c: RESTRICTED CREDENTIAL USAGE
Usage of a legal credential is required to be limited by time and parallel use. In AAAS, as identity-based signature is adopted, the identity of the vehicle is identified as a credential for authentication and accountability. In addition, since uncontrolled identities and signatures of a vehicle may lead to abuse, and an attacker may use these credentials to launch a Sybil attack, AAAS adds an expiration to the signer's public key and a timestamp to signatures, to control the service time of the credential and to prevent a signature used as a credential from being reused.
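The Diffie-Hellman session key with challenge value described under Authentication, together with the expiration and timestamp checks described above, can be sketched as follows. This is an added example, not the authors' code: it assumes secp256k1 in place of the paper's pairing group $G_1$, uses an HMAC as key confirmation instead of AES encryption, leaves out verification of the vehicle's signature, and all class, function and field names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Assumption: secp256k1 (y^2 = x^3 + 7) stands in for the paper's group G_1.
P_FIELD = 2**256 - 2**32 - 977
N_ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
MAX_SKEW = 5  # accepted clock difference in seconds (constructed value)


def ec_add(p1, p2):
    """Add two affine points; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_FIELD == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_FIELD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_FIELD, -1, P_FIELD)
    x3 = (lam * lam - x1 - x2) % P_FIELD
    return (x3, (lam * (x1 - x3) - y1) % P_FIELD)


def ec_mul(k, point):
    """Double-and-add scalar multiplication (not constant time)."""
    result = None
    while k:
        if k & 1:
            result = ec_add(result, point)
        point = ec_add(point, point)
        k >>= 1
    return result


def on_curve(point):
    if point is None:
        return False
    x, y = point
    return 0 <= x < P_FIELD and 0 <= y < P_FIELD and (y * y - x**3 - 7) % P_FIELD == 0


def session_key(secret, peer_point):
    """K = secret * peer_point, hashed to 32 bytes; rejects invalid points."""
    if not on_curve(peer_point):
        raise ValueError("key-agreement parameter is not on the curve")
    return hashlib.sha256(ec_mul(secret, peer_point)[0].to_bytes(32, "big")).digest()


def confirm_tag(key, req):
    """HMAC over length-prefixed request fields, binding the challenge to K."""
    fields = [req["pseudonym"], str(req["exp"]).encode(), str(req["ts"]).encode(), req["nonce"]]
    data = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, data, hashlib.sha256).digest()


class Vehicle:
    def __init__(self, pseudonym, exp):
        self.pseudonym, self.exp = pseudonym, exp
        self.v = secrets.randbelow(N_ORDER - 1) + 1  # vehicle secret
        self.V = ec_mul(self.v, G)                   # key-agreement parameter vP

    def build_request(self, now):
        return {"pseudonym": self.pseudonym, "exp": self.exp, "ts": now,
                "nonce": secrets.token_bytes(16), "V": self.V}

    def accept_response(self, req, tag, rsu_point):
        # The tag only verifies if the RSU derived the same K from its secret r.
        expected = confirm_tag(session_key(self.v, rsu_point), req)
        return hmac.compare_digest(tag, expected)


class Rsu:
    def __init__(self):
        self.r = secrets.randbelow(N_ORDER - 1) + 1  # RSU secret
        self.R = ec_mul(self.r, G)                   # key-agreement parameter rP
        self.seen = set()                            # challenges already answered

    def handle_request(self, req, now):
        """Return the key-confirmation tag, or raise ValueError on rejection."""
        if req["exp"] < now:
            raise ValueError("credential expired")
        if abs(now - req["ts"]) > MAX_SKEW:
            raise ValueError("stale timestamp")
        if (req["pseudonym"], req["nonce"]) in self.seen:
            raise ValueError("replayed challenge")
        key = session_key(self.r, req["V"])
        self.seen.add((req["pseudonym"], req["nonce"]))
        return confirm_tag(key, req)
```

In a deployment the replay cache only needs to hold challenges for the length of the freshness window, and the request would additionally carry the vehicle's signature so that the key-agreement parameter is authenticated.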

d: CREDENTIAL REVOCATION
As vehicles may be sold or broken, and their OBUs could be compromised, it is crucial to exclude malfunctioning or misbehaving vehicles from the VANETs. Consequently, law enforcement agencies must be able to revoke their pseudonyms. AAAS implements vehicle credential revocation through a cooperation mechanism between RTA and TA. When a vehicle is considered illegal, its signatures, pseudonyms and expirations are required to be sent to RTA. When receiving these messages, RTA is able to find the pseudonym of the illegal vehicle issued by TA. TA can reveal the true identity of the illegal vehicle and distribute a credential revocation list (CRL) to achieve credential revocation.

2) PRIVACY REQUIREMENT

a: MINIMUM DISCLOSURE
Minimal disclosure means that messages revealed by receivers should be kept to minimum in communication.
In the mutual authentication of the proposed scheme, all messages sent need to be adaptive to authentication requirements and additional messages are not allowed to be added to authentication messages.

b: ANONYMITY AND UNLINKABILITY
Ensuring that vehicles communicate anonymously is the basis of protecting vehicle privacy. Based on the group signature mechanism, in AAAS, the verification of the vehicle's identity is realized by verifying the identity issued by TA and RTA. The verifier only needs to determine that the verified vehicle is approved by TA or RTA, and does not need to know the real identity of the vehicle. Besides, as attackers cannot obtain the real identity of the vehicle through monitored messages, anonymous communication can also meet the privacy requirement of unlinkability in VANETs. In addition, multiple pseudonyms issued by TA and RTA also provide support for the vehicle to change pseudonyms regularly.

c: DISTRIBUTED RESOLUTION AUTHORITY
In order to protect the security of the vehicle's true identity, the capacity to resolve the identity of the vehicle should be distributed among multiple authorities; no authority can directly resolve the real identity of the vehicle by itself. In the proposed scheme, TA and RTA have to cooperate to resolve the real identity of a vehicle. Specifically, RTA queries the pseudonym $a_v^i$ issued by TA for the vehicle through the public pseudonym $f_v^i$ of the vehicle, and TA is able to obtain the real identity of the vehicle through $a_v^i$.

A. COMPUTATIONAL COST
Computational cost is defined as the total amount of computation in the authentication protocol. In order to analyze and compare the computational costs of the above schemes, we need to consider operations that consume a lot of computing resources. As the processing time of bilinear pairing and point multiplication operations is thousands of times that of point addition or hash function operations, we ignore the cost of such low-computation operations. In order to obtain the execution times of cryptographic operations, a Type A pairing from the Java Pairing-Based Cryptography (JPBC) library [35] is adopted. We have executed the benchmark on a hardware platform with an Intel(R) Core(TM) i7-6700HQ CPU running at 2.6 GHz with 2 GB of RAM. Debian 9.4 was the operating system. JPBC is a Java port of the PBC Library written in C, which provides a full ecosystem of interfaces and classes to simplify the use of bilinear maps and supports both exponentiation and pairing preprocessing. The experiment uses the bilinear map $e: G_1 \times G_1 \to G_T$, where $G_1$ and $G_T$ represent the additive group and multiplicative group of order $q$ respectively, generated by $P$. The curve uses the equation $y^2 = x^3 + x \bmod p$ with an embedding degree $d = 2$, prime number $p$ = 512 bits, and Solinas prime number $q$ = 160 bits. The experiment results are shown in Table 3.
holds, then vehicle is thought as legal vehicle. Therefore, EDKM computational cost includes nineteen point multiplication operations, seven point exponentiation operations, eight bilinear map operations, and four map-to-point hash function operation in G 1 .
In LIAP, vehicle first selects a random number , if the equation holds, RSU accepts the signature and vehicle is considered as a legal vehicle. Otherwise, RSU accepts it. Therefore, LIAP communicational cost comprises of six point multiplication operations, three bilinear map operations, and three map-to-point hash function operation in G 1 .
In AAAS, the vehicle is required to sign message $\langle f_v^i, Exp_{f_v^i}, TS_4, N_8 \rangle$ for authentication. vehicle computes its signa- to verify whether sign is legal. AAAS communicational cost includes six point multiplication operations, three bilinear map operations, and two map-to-point hash function operations in $G_1$. The comparison of computational costs is presented in Table 4 and Figure 9.
From Table 4 and Figure 9, we can observe that CPAS has a lower computational cost compared with AAAS. However, CPAS does not consider how to establish a session key, which is vital to guarantee secure communication between vehicle and RSU. Besides, since the signature of the vehicle does not contain a challenge value, it is difficult for the vehicle to determine whether the RSU receives the message sent by the vehicle.

B. COMMUNICATION COST
Communication cost refers to the total size of the messages transmitted. According to [32], [33], for a Type A pairing at the 80-bit security level, the size of $p$ is equal to 64 bytes, and a point on the group of points $E(F_q)$ consists of x and y coordinates. This means that the size of each element in $G_1$ is 64 * 2 = 128 bytes whilst that of each element in $G_2$ is 20 * 2 = 40 bytes. In addition, the sizes of a general hash function output in $Z_q^*$, an expiration, and a timestamp are considered to be 20 bytes, 4 bytes, and 4 bytes, respectively. As the basic configuration information is the same for the above schemes, we ignore the size of the message and only take into account the size of the signature on the message with the corresponding pseudo-identity.

C. SIGNALING COST
In this section, we adopt the fluid-flow model to evaluate signaling cost in authentication. We assume that subnets in VANETs are circular and of the same size. Crossing rate (R) and signaling cost (SC) are defined as: where $\rho$, $v$, $L$ refer to vehicle density, vehicle average velocity, and the perimeter of a subnet. HL means authentication delay, which includes communication overhead and transmission delay. According to [34], we set $L = 100$ m, $\rho = 0.1 \sim 0.01\ (1/\mathrm{m}^2)$, $v = 0 \sim 40$ (m/s), and the wireless bandwidth is 6 Mbps. The result is shown in Figure 10. Vehicle density and velocity have a great influence on the signaling overhead. The signaling overhead increases rapidly as the vehicle density and velocity increase. According to Figure 10, we can see that AAAS has lower signaling cost than EDKM, LIAP, and GSSA due to low computational cost and communication cost. AAAS and CPAS have similar signaling cost, but AAAS has higher performance due to lower communication cost. Besides, the computational overhead of the session key in CPAS is also not negligible.

VI. CONCLUSION
This paper proposes an anonymous authentication scheme based on group signature in VANETs. Region trust authority as group manager is added to support vehicles to perform anonymous authentication as the group members. Pseudonym mechanism and identity based on signature mechanism are adopted, which reduces the costs caused by the storage and verification of pseudonym certificates. Moreover, security and performance analysis demonstrate that the proposed scheme is robust and efficient.
In the future, we will propose a V2V authentication scheme based on AAAS, and simulate the proposed scheme to obtain more accurate performance results.