VPPCS: VANET-Based Privacy-Preserving Communication Scheme

Over the past years, vehicular ad hoc networks (VANETs) have been commonly used in intelligent traffic systems. VANET’s design encompasses critical features that include autonomy, distributed networking, and rapidly changing topology. The characteristics of VANET and its implementations for road safety have attracted considerable industry and academia interest, particularly in research involving transport systems enhancement that could potentially save lives. Message broadcasting in an open access system, such as VANET, is the main and utmost challenging problem with regard to security and privacy in VANETs. Various studies on VANET security and privacy have been proposed. Nevertheless, none has considered overall privacy requirements such as unobservability. In order to address these shortcomings, we propose a VANET based privacy-preserving communication scheme (VPPCS), which meets the requirements for content and contextual privacy. It leverages elliptic curve cryptography (ECC) and an identity-based encryption scheme. We have carried out a detailed security analysis (burrows–abadi–needham (BAN) logic, random oracle model, security of proof, and security attributes) to validate and verify the proposed scheme. The analysis has shown that our scheme is secure and also shown to be effective in a performance evaluation. The proposed scheme does not only meet the previously mentioned security and privacy requirements, but also impervious to various types of attacks such as replay, impersonation, modification, and man-in-the-middle attacks.


I. INTRODUCTION
As the design of wireless communication technology and network systems is continuously and rapidly progressing, vehicular ad hoc networks (VANETs) have regained attention and interest in support of wireless vehicles in communicating with other vehicles and roadside units (RSUs) to guarantee traffic safety and improve driving experience [1]- [3]. VANETs also have the benefits of preventing collisions, lanefusion, optimizing traffic, collecting toll, location-based services and infotainment [4]- [7]. VANET is basically Mobile ad hoc networks (MANETs) associated with vehicles and RSUs. In contrast to the nodes in a MANET, the power, storage, and computing capacity of vehicles are typically not resource constrained. Typical VANET contains trusted authorities (TAs), RSUs (e.g., road-side or other facilities), The associate editor coordinating the review of this manuscript and approving it for publication was Sabah Mohammed . and onboard units (OBUs) equipped in vehicles [8], [9], as shown in Figure 1.
Using dedicated short-range communication (DSRC) protocol, the communication of VANET can be divided into vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) [8]. The OBU in the vehicle and the DSRC protocol will allow all vehicles to communicate on the roadside with adjacent vehicles and nearby RSUs. For example, traffic related messages on vehicle OBUs regularly broadcasts data on elements such as location, meteorological conditions, route, velocity, and traffic condition. The traffic-related message enables the participating vehicles in the region to take the necessary measures to prevent traffic accidents and avoid traffic congestion [10]. The traffic-related message (e.g., recent traffic incidents) may also be forwarded by the RSU and other vehicles to the traffic administration department and other relevant departments (e.g., the traffic police or fire department) to ensure necessary actions can be taken within the stipulated time [4], [11]. However, any personal information of the user (e.g. identity or location) can expose to the drivers' to criminals(e.g., intercepting malicious attackers and replacing intercepted messages by modified messages to re-route victims' vehicles). The privacy protection should include content and contextual specifications. The privacy of content ensures that sensitive information associated with the vehicle against inappropriate and unauthorized disclosure. However, this alone is not sufficient because an attacker can still identify the vulnerabilities of the vehicle. This problem can be mitigated by introducing contextual confidentiality.
In turn, three sub requirements, namely,: anonymity, unlinkability, and unobservability, should be considered to ensure privacy is not tampered with [12], [13]. Anonymity is required when the driver has transmitted information regarding their identity to the RSU or other vehicles without masking. A malicious adversary can monitor driver's path by capturing these messages. Anonymity in VANETs is therefore another crucial feature [14]. Unlinkability is necessary to prevent the connection of the vehicle with the two or more messages from the same driver. Unobservability is crucial to ensure communication between vehicles and RSUs are not done by unauthorized entities.
In fact, by tapping into the communication of the vehicle, the broadcast message of the vehicle can be revealed. The communication should therefore be disguised [15]. In order to prevent message modification done for malicious intents from being transmitted to RSUs or near vehicles, VANET architecture should include traceability component, similar to the ones used by wireless network operators. Traceability is therefore an essential feature [11]. The trusted authority (TA) is the only party that can extract the true identity of the vehicle. However, as discussed in Section II, these current schemes have limitations, and none of them have considered the requirements of privacy. In order to meet these requirements, we propose a new V2V and V2I communicator-based privacy-preserving scheme that can address existing privacy preservation weaknesses that is inherent in existing VANET schemes. More specifically, the scheme describes the contributions of VPPCS as follows: • A secure VANET based privacy preserving communication scheme called VPPCS, which protects privacy. Pseudonym-based identity verification signatures are used in the proposed scheme. In addition, batch verification is utilized to improve the computing efficiency of the scheme.
• Injecting fake messages during broadcasting, causing the attacker unable to discern if the message was sent.
• The proposed VPPCS uses a pseudonym set to sign the message which causes the attacker unable to identify the actual source of the message.
• A comprehensive security and privacy analysis is performed to demonstrate that the proposed scheme can withstand various attacks and satisfy the VANET security and privacy requirements.
• A security analysis that uses BAN logic, random oracle model, security of proof and security attributes are presented, which demonstrates that the proposed VPPCS is secure against various attacks such as (replay, impersonation, modification and man-in-middle).
• The balance between contextual privacy requirements and performance evaluation is provided and emphasized compared to existing related research • The performance of the scheme are evaluated in terms of computational costs and overhead communication. The scheme is better suited to VANET services than existing schemes.
The rest of the paper is structured as follows. Most relevant existing works are listed in Section II. Section III briefly discusses the vehicular system architecture and preliminaries based on a detailed description of the proposed scheme in Section IV. Sections V and VI describe the security and performance assessments, respectively. Section VII provides the discussion. Some concluding remarks and future work are provided in Section VIII.

II. RELATED WORK
The problem of privacy occurs when sensitive and private traffic-related messages are available, which need to be shielded from misuse or disclosure. In From the vehicular communication context, privacy issues at all vehicle interaction levels, such as aggregation, and processing, collection, evaluation, and visualization, must be tackled. Privacy preservation is an important issue in this context given the sensitiveness sensitivity of the information exchanged [16]. This topic has been widely studied. The most relevant research is identified in below.
Ming and Shen [17] suggested a conditional privacy conservation scheme focused on a message recovery certificateless signature. The scheme promotes conditional privacy, and guarantees unlinkability since an adversary will not be able VOLUME 8, 2020 to link a vehicle to its transmitted message. Nevertheless, the property of unobservability was not considered in this work.
Ming and Cheng [18] proposed a certificateless conditional privacy protection scheme based on elliptic curve. The scheme does not satisfy all privacy requirements, such as unobservability.
Hu et al. [19] proposed an HMAC-based security and privacy scheme that uses the revocation of vehicles instead of the certificate revocation list. It also provides anonymity. However, this scheme ignores the contextual privacy.
Xue and Ding [20] introduced location privacy-preserving authentication (LPA) scheme to address the issue of conditional privacy preserving in which safety messages can be anonymously authentication by peer vehicles. Also, the LPA scheme is supported by traceability features. However, unlinkability and unobservability requirements were not addressed.
An effective RSU-aided message (RAISE) scheme was proposed by Zhang et al. [21] based on K-anonymity method, authentication code, and hash message. Messages in the RAISE were checked by the RSU to provide low costs of communication and to maintain the privacy of the vehicle. The RAISE also assures that messages cannot be linked with an attack in the same vehicle. However, contextual privacy requirement is not met.
The VANET privacy enhancement communication schemes suggested by Chim et al. [22] defines a group communication protocol. A group of recognized vehicles can validate each other's signature without any other support of RSUs after simple handshaking to any RSU. For secure communication between group members, a typical group secret is established. The unlinkability of the message is also achieved; however, the remaining contextual requirements are ignored.
Shim [23] established an effective conditional privacy preservation scheme based on V2I communication architecture called CPAS. The proposed approach ensures a balance between privacy and traceability to achieve anonymity; however, the approach cannot provide unlinkability. As a result, conditional privacy and unobservability requirements are not fulfilled.
Recently, Alazzawi et al. [24] introduced a new robust pseudo identity privacy preservation based on the elliptic curve to achieve content privacy. This approach uses a pseudonym rather than a real identity to ensure privacy in VANET. The need for contextual privacy requirements is overlooked.
Under the same context, a new RSU-based security and privacy-preserving scheme was proposed by Bayat et al. [25]. In this method the RSUs are stored master keys in the tamperproof device in the RSU. This approach assumes that drivers do not prefer (due to privacy concerns) being recognized and tracked by others. In addition, provided unlinkability because an adversary cannot connect a drivers to their transmitted message [25]. However, the unobservability property is overlooked in this scheme.
Based on the review of previous works, it is clear that contextual privacy requirement is not fully or partially fulfilled despite their importance in a VANET context. Moreover, the unobservability property is overlooked in these schemes. In order to meet these requirements, we propose VANET based privacy-preserving communication scheme that can address existing weaknesses in VANET schemes. More specifically, the contextual privacy requirements such as anonymity, unlinkability and unobservability are addressed in the proposed scheme. In addition, by using BAN logic and random oracle model, the proposed scheme resists the various types of attacks such as replay, impersonation, modification and man-in-middle. Thus, we design an effective VANET scheme that satisfies security and privacy requirements.

III. VEHICULAR SYSTEM ARCHITECTURE AND PRELIMINARIES
In the following parts, the necessary mathematical tools used in this study are introduced. Then, the model for vehicular communication and the adversary models are discussed. Finally, the security and privacy requirements for the proposed scheme are described. Table 1 contains some notation and their description.

A. MATHEMATICAL TOOLS REQUIREMENT
Miller [26] suggested ECC, an algorithm that is widely used to provide asymmetrical encryption in an elliptical curve. This algorithm has smaller key lengths than the same security level as other encryption algorithms.
Definition 1 (Elliptic Curve): Let F p be a finite field, and a large prime number p is the order of F p . E is an elliptic curve defined as: y 2 = x 3 + ax +b mod p. a, b ∈ F p are constants. A group G q is defined on E, whose order is q and generator is P. The set contains an infinity point O.
• Scalar multiplication. Let P ∈ Gq , n ∈ Z * q , such that the scalar multiplication is x . P = P + P+P +P (x times). Definition 2: Elliptic curve discrete logarithm problem (ECDLP): is computationally infeasible. E has two random points P, Q from G, and Q = s.P. Computing s from Q in the polynomial time t is difficult.

B. SYSTEM MODEL
As illustrated in Figure 2, the proposed scheme consists of three entities: TA, RSU, and OBU. The three items are discussed below.
• TA TA is responsible for providing the principal parameter of RSUs and OBUs within its jurisdiction, with a reliable calculation and storage capacity. If false or malicious information is present in the system, then the TA can detect the actual identity of the information source. All entities consider TA be of absolute trust in the VANET system, and compromising TA is not feasible. TAs should be redundant to prevent a single point of failure or bottleneck caused by congestion.
• RSU An RSU is a stationary infrastructure distributed on the roadside. The RSU can communicates with OBU of the vehicle and TA through DSRC protocol and secure wired connections, respectively. The RSU can provide the driver with traffic-related conditions, such as traffic jams and accidents. Traffic-related messages from the signer, i.e. driver, can also be verified and forwarded to the TA or processed locally.
• OBU An OBU supporting the DSRC protocol is supplied to the vehicle. The OBU periodically transmits a trafficrelated message about traffic statuses, such as speed, position and danger warning to the other OBU or RSU.
Each OBU also has the public key of the system P TA Pub .

C. DESIGN GOALS
The following protection is the subject of this study, and the privacy objective should be met: • Identity Privacy Preservation RSU, vehicles, and participants from third parties cannot extract the real vehicle identity from any traffic-related messages of the vehicle.
• Traceability The TA is the only party can extract a real vehicle identity if necessary (e.g., a complaint against a faulty vehicle).
• Unlinkability By linking some of the messaging signatures, the malicious vehicle or RSUs cannot successfully identify the anonymous entity.
• Unobservability A vehicle should be able to use a resource or service without being noticed in the use of support or service by others, particularly the third parties.
• Message Integrity and Authenticity Every vehicle message should be checked by RSUs and OBUs, and nodes should be allowed to detect any modifications or fabrications of the messages received.

IV. PROPOSED SCHEME
The proposed scheme has three phases: initialization, joining, and broadcasting. In this scheme, after TA generates the initial public parameters of the system, the TA calculates the private and public keys for the domain i , which contains several registered RSUs from the registration list located nearby in a specific area (e.g.,city). The TA also stores the registered OBUs to the vehicle registration list.
In the second phase, after the OBU produces n pseudo ID list with its real identity and public TA parameters, the vehicle must establish a shared authentication with the nearest RSU in any domain to begin transmission and validate operations. Then, the TA will confirm the authenticity of the OBU via the private key of the system. Thereafter, the RSU generates a list of signatures that can be used in the selected timestamp, and then sends them securely to the OBU. n is a level of security anonymity, that is, the number of pseudo identities that a vehicle may unrepeatable in a region enclosed by the RSU [27]. Finally, the OBU uses the signature list until the time list expires. Figure 3 briefly describes the proposed scheme phases. The following subsection explains three phases in detail.

A. INITIALIZATION PHASE
During this phase, the TA creates system parameters to use the following steps: • The TA selects two large prime numbers p, q and a nonsingular elliptic curve E defined by the equation The TA selects a generator P with order q of the group G, which includes all points on the elliptic curve E and the point at infinity O. • The TA chooses a number x TA Pri ∈ Z * q at random as the private key and computes P TA Pub = x TA Pri . P as its corresponding public key.
• Three secure cryptographic hash functions are selected by TA,

1) ROADSIDE UNIT REGISTRATION
The RSU registers with the TA as follows.
• The TA chooses the number of RSUs located in a specific area as domain i .

2) ONBOARD UNIT REGISTRATION
The vehicle registers with the TA as follows.
• By using the 4G/5G technology, the driver sends the registration request to TA with the messages ENC P TA Pub (RID i , PW i ), where RID i refers to its real identity and PW i refers to its password.
• TA decrypts receiving message DEC x TA Pri (RID i , PW i ). Then, after the validity of the RID i is checked, TA preloads the public parameters parmas = {p, q, a, b, P, B. JOINING PHASE domain i -based RSU category refers to that the exchange of data based on RSU parameters should be authenticated to that VANET system when a vehicle reaches an RSU coverage area. When an OBU arrives at the coverage area of a new domain or its pseudo IDs are disabled, it has to enter the RSU group and is issued with an RSU signing key. The process of joining the OBU is described with the RSU group in Figure 4. After arriving at RSU j coverage area, the OBU i takes the following steps to complete the joining phase: • The OBU j chooses n randoms r l ∈ Z * q , l = 1: n, and family of unlinkable pseudo IDs is calculated: where R 1 = r 1 P TA Pub as the shared secret key. It sends Auth } checks the validity of timestamp T 1 . Each timestamp T is tested as follows: assume T delay is the time delay estimation, and T r is the receiving time. If (T delay > Tr -T). If not, then it is not fresh. Otherwise, the message is accepted, and RSU checks whether If not, then RSU does not accept the message; otherwise, it chooses z j ∈ Z * q and computes: } is send to the TA, it checks the validity of timestamp T 2 . By using private key (x TA Pri ), the TA computes L j = x TA Pri PID 1 RSU j and R 1 = x TA Pri PID 1 i1 to extracts the RID RSU j and RID i , respectively as follows: . Then, the TA checks whether RID RSU j and RID i matches the stored value in the RSU registration list and vehicle registration list, respectively. If not, then the TA does not accept the message; Otherwise, TA sends {R * , T 3 } to TA, where R * = R 1 ⊕ h 1 (L j ).
• Once the message {R * , T 3 } is received by the RSU, it checks the validity of timestamp T 3 and extracts R 1 = R * ⊕h 1 (L j ). Then RSU j decrypts the list by using R 1 as DEC L PID i = HMAC R 1 (L PID i T 1 ) and prepares the L SK il signature list with expiry time list T SK il for the vehicle as follows and organizes L SK il {SK i1 , . . . , SK in } For each pseudo ID in L PID i , l = 1:n: If not, OBU i does not accept the message; otherwise, OBU i decrypts the message (ENC L SK il ) by (R 1 ) to obtain the list of signature keys with list of expiration time T SK il as DEC L SK il = HMAC R 1 (L SK il T SK il ). Now the OBU i has a list of n signature keys, and pseudo ID that allows it to sign messages in an anonymity timestamp T j in the RSU j coverage area.

C. BROADCASTING PHASE
This phase involves two sub phases to sign and verify the message, as shown in Figure 5. These sub phases are explained in detail below.

1) MESSAGE SIGNING
If OBU i wants a real message M i to be signed, then the following steps must be executed, where T i is the timestamp: • OBUi randomly selects a pseudo ID PID i from the L PID il list and obtains the corresponding private key sk i from the L SK il list.
• OBU i signs the following message M i : • OBU i broadcasts the traffic-related message.
{T , T SK il , M i , PID in , σ m } to the nearest RSU or another OBU. VOLUME 8, 2020 To avoid the nodes from being observed by the attacker, the OBU i injects a fake message M FK i during the broadcasting, then the following steps must be conducted: The recipient rejects all traffic-related messages in case of Equation (1). Otherwise, the signature is valid, the transmitter is legal, and the recipient accepts the traffic-related message.

b: BATCH VERIFICATION
A batch validation approach is used in the proposed scheme to reduce the time spent in receiving a large number of traffic-related messages. We use a technique called the little test of exponents [28], [29] to satisfy the non-repudiation requirement. The verifier generates a random integer vector x = {x 1 , x 2 , . . . , x n }, where x i ∈ 2[1, 2 t ]and t is a small integer number, that does not increase the cost of computation. The following equation is used to verify traffic-related messages.
The recipient accepts all messages in the case of Equation (2). Otherwise, these vehicles contain at least one illegal vehicle. The illegal vehicle detection, which is a new algorithm proposed in [30], is adopted. The reader can refer to [30] for additional details.
• Fake Message: If the RSU or one OBU receives the fake message {T , T SK il F , M FK i , PID in , σ M FK i },then the traffic-related message continues to be verified by: (3) When Equation (3) holds, signatures will not be valid, and the transmitters will be an illegal or fake message.

V. SECURITY ANALYSIS
A security analysis of the proposed scheme is provided in this section to clarify that our scheme is secure under a Burrows-Abadi-Needham (BAN) logic, random oracle model and proof of security. We also provide the requirements for security and privacy in this paper.

A. FORMAL VALIDATION 1) BAN-BASED FORMAL VALIDATION
To verify the legitimacy of both OBU and RSU, the proposed scheme uses a widely accepted tool BAN logic achieving the certain security goals for the mutual authentication and key agreement [31].
The following are the primary notations and meanings of BAN logic: • S ⇒ R : S has the ability to control R. • (X m ) SK : The message X m is hashing by SK . Besides these, the main rules of BAN logic process are follows:

a: SECURITY GOALS
The goal of this process is to authenticate the session key between OBU and RSU. Therefore, the proposed scheme need to achieve the following seven primary goals.
b: IDEALIZE THE SCHEME PHASE • The messages for the scheme are: • The messages for the scheme are idealized as follows:

c: SUPPOSITIONS
The following Suppositions about the initial state of the proposed scheme as follows: Proof: We will proof that the proposed scheme achieves the above seven security objectives (Goal 1, Goal 2, Goal 3, Goal 4, Goal 5, Goal 6 and Goal 7) as follows.

2) RANDOM ORACLE MODEL-BASED VALIDATION
We set up a game between challenger A and attacker B, where A is the proposed scheme and B is the one that can undermine the security of the proposed scheme.
Sign-Oracle: Upon receiving an A sign request from B via message m, it generates h i,2 , h i,3 , σ m ∈ Z * q , PID 2 il ∈ G. A randomly and computes PID 1 (2): Output: A ends up with a traffic-related message {T , T SK il , M i , PID in , σ m }. A verifies this message using the following equation: A completes the game if this equation does not hold. According to the forgery lemma in [32], B can output another legitimate signature message {T , T SK il , M i , PID in , σ * m }. Thus, the following equation is obtained: From the two equations above, we can deduce Then, we can obtain( 3 ) −1 Therefore, the proposed scheme is resistant to the chosen adaptive message attacks in the random oracle model under the assumption that ECDLP is hard.

Theorem 1: A correct equation is present in the proposed scheme.
Proof of Equation (1): The recipient verifies the trafficrelated message with Equation (1) in the single verification.
Therefore, Equation (1) is accurately verified. The Proof of Equation (2): The verifier tests the trafficrelated messages with Equation (2) in the batch verification.
Therefore, Equation (2) is confirmed to be correct.

The Proof of Equation (3):
The verifier checks trafficrelated messages that use Equation (3) in a falsified message.
Therefore, Equation (3) is confirmed to be correct.

B. SECURITY ATTRIBUTES
This section shows that the proposed VPPCS scheme can satisfy the security and privacy requirements for vehicular communication mentioned in subsection design goals.

1) IDENTITY PRIVACY PRESERVATION
In the communication process, the vehicle's real identity of RID I is involved in PID in generated by OBU I , where P TA Pub = x TA Pri .P, PID 1 il = r l P, R 1 i = r l P TA Pub , PID 2 il = RID I ⊕ h 1 (R 1 i ), and PID in = {PID 1 il , PID 2 il } . To retrieve RID I from PID 2 il = RID I ⊕ h 1 (R 1 i ), the eavesdropper calculates r l P TA Pub = r l x TA Pri .P from P TA Pub = x TA Pri .P and PID 1 il = r l P. Thus, no adversary can obtain the real identity RID I of the vehicle through the PID 2 il .Therefore, the proposed scheme meets the identity privacy requirement. In other words, the proposed scheme satisfies the requirement for identity privacy preservation.

2) TRACEABILITY
The real identity of the vehicle RID I is hidden in PID 2 il created by the vehicle, where P TA Pub = x TA Pri .P, PID 1 il = r l P, x TA Pri . P = r l P TA Pub by using the system master key and retrieves the real identity by calculating RID I = PID 2 il ⊕ h 1 (R 1 i ). However, proposed scheme provides a traceability function.

3) UNLINKABILITY
During the message signing period, an anonymous identity is used to create the signature. An anonymous description of the vehicle in the other message is rendered by the different random numerals r l . The proposed VPPCS scheme also uses a current timestamp to calculate the signature. Any adversary who attempts to link two or more traffic-related messages may not succeed because of changes in their anonymous identity and timestamp given that the content of the message varies each time. Consequently, neither message can be linked to a specific vehicle under the proposed scheme; however, no linkability issue arises.

4) UNOBSERVABILITY
Given that every vehicle real traffic and transmits probabilistically, global adversaries can only observe several transmissions and cannot distinguish the real traffic-related message from any vehicles. Furthermore, they cannot distinguish between real traffic and noise because false messages are injected randomly. Thus, unobservability occurs, which strengthens the anonymity of the vehicle.

5) MESSAGE INTEGRITY AND AUTHENTICITY
We show in accordance with theorem 1 that an adversary cannot trump up valid traffic-related message in our proposed scheme, and recipients can verify that the message {T , T SK il , M i , PID in , σ m } has integrity and legality by verifying whether the equation Pub holds. Therefore, the integrity and authenticity of the proposed scheme VANET scheme are provided.

6) RESISTANCE TO VARIOUS TYPES OF ATTACKS
• Resistance to Replay Attack: The timestamps T in the traffic-related message {T , T SK il , M i , PID in , σ m }. After the recipient receives the message M i , it first verifies whether the inequality (T delay > Tr -T) hold. If it's fresh, the recipient accepts the message M i to be verified further; otherwise, the message does not accept. In addition, according to traffic-related message {T , T SK il , M i , PID in , σ m }, where σ m = r l + SK il .h 3 (M i T ) and SK il = s dom i Pri . h 2 (PID il PID il ) T SK il ). Thus, another timestamp cannot be used by attacker because this attack results in different values of σ m . In these procedure, replay of message M i in VANETs system is detected. Therefore, this proposed VPPCS scheme can resist replay attacks.
• Resistance to Impersonation Attack: According to the Theorem 2, the attacker cannot impersonate a valid traffic-related message {T , T SK il , M i , PID in , σ m } in the proposed VPPCS scheme. This is because the verifying recipients can verifies the authenticity of the tuple {T , If ok, the recipients accept the traffic-related message; otherwise, it does not accept it. The impersonation attack in the proposed VPPCS scheme is therefore ineffective.

• Resistance to Modification Attack:
The adversary cannot easily tamper and modify a legal traffic-related message {T , The real identity of a vehicle {T , T SK il , M i , PID in , σ m } is unknown. The VPPCS scheme can therefore resist the modification attack.
• Resistance to Man-in-the-Middle Attack: The study of message validity and authenticity above proves that it is necessary to check the relation between the sender and the verifier should be checked and that a genuine message cannot be changed and fabricated. Our proposed VPPCS scheme can thus be resisted by a manin-the-middle attack. In Figure 6, we demonstrate the resistance of the system to three attacks. Attacker 1 can collect legal signatures and conduct replay attacks. Attacker 2 can impersonate a legitimate signature, and Attacker 3 can modify and tamper legal VOLUME 8, 2020 message and transmits it to the recipient. Attacker 1 and attacker 3 are identical to an attacker of type 3, who cannot obtain partial user and master keys. Attacker 2 may be an attacker of type 3 or 2. However, neither can jeopardize the safety of the system. Attacker 1 and attacker 3 are similar to attackers of type 3 who access master keys. Attacker 2 can be either the type 3 attacker or the type 2 attacker. None of them may jeopardize the security of the system.

A. COMPUTATION OVERHEADS
The cryptography operation in [20], [22], [23], [25] are established on bilinear pairings, while those of [17], [18], [24] and the proposed scheme are established on ECC. This work uses MIRACL's cryptographic library [33] that calculates the time required for different cryptographic operations. The hardware platform comprises an Intel(R) Core(TM)2 Quad 2.66 GHz with a 4-gigabyte memory processor running the operating system Windows 7. Table 3 shows the definition of and execution times for associated cryptographic operations.
For flexibility, let MGS, SVM , and BVMM denote the message generation and signing, the single verification for a message, and the batch verification for multiple messages, respectively.
In the scheme in [17], MGS comprises one scalar multiplication, two secure hash functions and point additions. Thus, in this scheme, the overall calculation time of MGS is 1 T sm ecc + 2 T h + 2 T pa ecc ≈ 0.6800 ms. SVM comprises four scalar multiplications and three secure hash functions. Thus, it produces an overall computation time of 4T sm ecc + 3T h ≈ 2.6902 ms. BVMM in this scheme requires (2n+2) scalar multiplications,(2n) small scalar point multiplications, (2n) point additions, and (3n) secure hash functions. The overall computation time for BVMM is therefore (4n)T sm ecc +(3n)T h ≈ 2.6902n ms. In the scheme in [18], MGS comprises three scalar multiplications and two secure hash functions. Thus, in this scheme, the overall calculation time of MGS is 3T sm ecc +2T h ≈ 2.0174 ms. SVM comprises four scalar multiplications, three secure hash functions, and two point additions. Thus, it produces an overall computation time of 4T sm ecc + 3T h + 2T pa ecc ≈ 2.6964 ms. BVMM in this scheme requires (2n+2) scalar multiplications,(2n) small scalar point multiplications, (2n) point additions, and (3n) secure hash functions. The overall computation time for BVMM is therefore (2n + 2)T sm ecc + (2n)T sm−s ecc + (2n)T pa ecc + (3n)T h ≈ 1.4858n + 1.3436 ms. In the scheme in [20], MGS comprises three scalar multiplications and two map to point hash functions. Thus, the total computation time of MGS is 3 T sm bp + 2 T mtp ≈ 13.041 ms. This scheme has four bilinear pairing operations, one scalar multiplication and one map to point hash function, which gives the SVM an overall computation time of 4 T bp +1 T sm bp + 1 T mtp ≈ 28.9818 ms.
In the scheme in [22], MGS comprises three scalar multiplications, two point additions and one secure hash function. In the scheme in [24], MGS comprises one scalar multiplication and two secure hash functions. Thus, in this scheme, the overall calculation time of MGS is 1T sm ecc + 2T h ≈ 0.6728 ms. SVM comprises two scalar multiplications, two secure hash functions, and one point addition. Thus, it produces an overall computation time of 2T sm ecc + 1T h + 1T In the scheme in [25], MGS comprises one map to point hash function. Thus, the total computation time of MGS is 1 T mtp ≈ 4.1724 ms. This scheme has three bilinear pairing operations, a scalar multiplication, and a map to point hash function, which gives the SVM an overall computation time of 3 T bp + 1T sm bp + 1 T mtp ≈ 23.1708 ms. BVMM in this scheme requires three bilinear pairing operations, n scalar multiplications, and n map to point hash functions. The overall computation time for BVMM is 3 T bp + nT sm bp + nT mtp ≈ 5.7378n+17.4333 ms.
In VPPCS, MGS comprises only one multiplication and three secure hash functions. Therefore, in this scheme, the total computation time of MGS is1T sm ecc + 3T h ≈ 0.6748 ms. SVM includes two scalar multiplications, two secure hash functions, and one point addition. Thus, it provides an overall computation time of SVM of 2T sm ecc + 2T h + 1T    Table 2 compares the cost of computing the proposed scheme with the three other ID-based schemes for MGS, SVM , and BVMM . Figure 7 shows that our scheme has a significant advantage over MGS and SVM tow schemes. Figure 8 indicates the costs of BVMM in measuring various trafficrelated messages. Consequently, the proposed scheme is more productive and efficient than the methods in [17], [18], [20], [22], [23], [25] in terms of computation costs for MGS, SVM , and BVMM .

B. COMMUNICATION OVERHEADS
Communication overheads are now evaluated. The size of p − is 64 bytes, which indicates that the size of each item in G 1 is 128 bytes. The size of p is 20 bytes, which implies that the size of each item in G is 40 bytes. We also presume that the output sizes of the timestamp, secure hash function, and item in integer group Z * q are 4, 20, and 20 bytes, respectively, where the content of the message is omitted.
The traffic-related message contains two items in {PID 1 il , PK i ∈ G}, three items in {PID 2 il , u i , v i ∈ Z q } and two timestamps. The size of the traffic-related message in the scheme [17] is (2*40 + 3*20 + 2*4) = 148 bytes.
The traffic-related message contains six items in G {PID i,1 , PID 2 i,2 , R i , P i , D i ∈ G}, one item in {σ i ∈ Z q } and tow timestamps. The size of the traffic-related message in the scheme [18] is (4*2 + 20*5 + 40) = 148 bytes. The traffic-related message contains two items in {rx.P, Cert ∈ G 1 }, four items in {L i , U , V , W σ ∈ Z q } and two timestamps. The size of the traffic-related message in the scheme [20] is (128 * 2 +20 * 4) = 336 bytes.
In G 1 {ID i1 , ID i2 , σ ∈ G 1 }, the traffic-related message contents are three items. The size of the traffic-related message in scheme in [22] is (128*3) = 384 bytes.
The traffic-related message contains three items in {PID 1 il , PID 2 il , U i ∈ G 1 }, one item in {V i ∈ Z q } and three timestamps. The size of the traffic-related message in the scheme [23] is (20 + 3*128 + 2*4) = 412 bytes.
The traffic-related message contains three items in {PID v1 , PID v2 , w ∈ G}, one item in {σ ∈ Z q } and two timestamps. The size of the traffic-related message in the scheme [24] is (40 * 3 +20 + 2*4) = 148 bytes. In G 1 {PID 1 i , PID 2 i , σ ∈ G 1 }, the traffic-related message contents are three items. The size of the traffic-related message in scheme in [25] is (128*3) = 384 bytes. In the proposed VPPCS, the vehicle broadcasts a trafficrelated message with size (40 + 20*2 + 8) = 88 bytes. The traffic-related message contains one item in {PID 1 il ∈ G}, two items in {PID 2 il , σ m ∈ Z q }, and two timestamps. Table 5 indicates the overall communication overhead, and Figure 9 illustrates the corresponding outcome. The overall communication overhead is relatively low for the proposed scheme.

VII. DISCUSSION
Privacy preservation is the main concern of drivers. Thus, we argue that vehicular communication systems should be resolved by complying with all privacy requirements. Compared with similar works [17], [18], [20], [22]- [25], our only scheme meets all of the requirements for security and privacy. VANET schemes [17], [18], [20], [22]- [25] compared with the proposed scheme are described in Table 4. Notably these schemes focus heavily on information privacy. However, the contextual privacy requirement is not fully fulfilled despite their importance in a VANET context. Only certain proposals satisfy the sender's and receiver's anonymity and the unlinkability. Unobservability is completely ignored because of the overhead. The communication with VANET fulfills all the requirements for privacy based on identitybased cryptography and the specific communication situation. We show the robustness and reliability of our VPPCS system through our privacy and performance analysis.

VIII. CONCLUSION AND FUTURE WORK
Intelligent Transport System (ITS) has been gaining momentum as more elements in a transport systems are becoming more connected. In line with this, VANETs are becoming popular and greatly contribute to ITS. The specifications for contents and contextual privacy must be met to protect privacy vehicles in terms of identity and location as susceptible information. In this paper, we have proposed a scheme to ensure these requirements are met. The scheme ensures privacy of data through signing and verifying traffic-related messages, which are protected by the proposed VPPCS scheme. It also meets the requirement of all contextual privacy on the grounds of the injection for fake trafficrelated messages. Security and performance analyses were performed to validate the proposed scheme. The security analysis shows that VPPCS can withstand model security attacks and satisfy all privacy requirements. The performance evaluation reveals that the scheme proposed by VPPCS is VANET compatible and that our VANET scheme is efficient in terms of computational cost and communication overhead. The balance between privacy and performance was also emphasized.
When the pseudonym set is expired, the vehicle removes the old set and then requests to obtain a new set. Consequently, there is no accumulated storage, which leads to the overhead increased. In future research, the main focus of the next paper is to address the overhead of storage in the VANET system. Besides, we will carry out simulation experiment through simulation platform such as OMNET++ and SUMO to demonstrate the performance of the work.