HPBS: A Hybrid Proxy Based Authentication Scheme in VANETs

As a part of intelligent transportation, vehicular ad hoc networks (VANETs) have attracted the attention of industry and academia and have brought great convenience to drivers. Because VANETs are an open communication environment, any user can broadcast messages in the system. However, some of these users are malicious and can broadcast false messages to interfere with the normal operation of the system. Therefore, the identity of the message sender needs to be authenticated. Currently, there are two main authentication methods in VANETs, one using public key infrastructure (PKI) to verify message integrity and sender identity, and the other using anonymous authentication schemes. Due to the high computational and transport overhead involved in validation, the certification efficiency of most existing schemes is not satisfactory. Therefore, these schemes are generally not applicable to real-world scenarios. In order to improve the efficiency of certification and satisfy the security requirements, in this paper we propose a hybrid proxy based authentication scheme (HPBS). In HPBS, by introducing the concept of agent vehicles and integrating identity-based and PKI-based hybrid authentication, we solve three problems in the VANETs environment: (1) improving the effectiveness of roadside units (RSUs) in terms of authenticating messages; (2) reducing the computational burden of RSUs; (3) protecting the privacy of users. The simulation results illustrate that the scheme not only ensures network security, but also greatly improves the efficiency of information verification.


I. INTRODUCTION
With the rapid development of artificial intelligence, wireless technology, automobiles and ad-hoc networks, the concepts of Intelligent Traffic System (ITS) and smart city have become more and more popular. In this context, the potential of vehicular ad hoc networks (VANETs) which can provide better driving services and road safety has attracted extensive attention from the government, academia and the business community. However, as an open communication environment, the security of VANETs communication has become an urgent problem to be solved [1].
In VANETs, vehicle-to-vehicle communication (V2V) and vehicle-to-infrastructure communication (V2I) are carried out in an open wireless channel environment. If the communication is not protected properly [2], the personal privacy (geographical location, identity information, personal interests, etc.) of users can easily be acquired by attackers. Therefore, a message authentication scheme should be proposed to solve this problem.
The associate editor coordinating the review of this manuscript and approving it for publication was Fan Zhang.
Security issues in VANETs have been widely studied in the literature [3]-[6]. However, besides security problems, the efficiency of certification should not be ignored, as it is one of the key reasons why VANETs can be deployed. According to the dedicated short-range communication (DSRC) protocol, each vehicle needs to periodically broadcast a large amount of information, which includes traffic conditions, vehicle speed, and service requests [7]. So, the message authentication scheme not only needs to satisfy security requirements, but also needs to be able to authenticate a large number of messages in a relatively short period of time.
At present, the existing authentication schemes [8]-[14] are mainly divided into two categories: the traditional public key infrastructure (PKI) scheme and the scheme based on identity. In traditional PKI schemes, the vehicle needs a large storage capacity because enough pseudonyms and key pairs need to be distributed from the certificate authority (CA). When vehicles send or receive messages, each message must be accompanied by a certificate, which greatly increases the overhead of transmission. When a vehicle is deregistered, the CA needs to put all the vehicle's pseudonymous certificates on the certificate revocation list (CRL). As the number of deregistered vehicles increases, the CRL will accumulate indefinitely, which will result in obvious computational and transmission overhead. The identity-based authentication scheme solves the problem of certificate management in PKI. However, this scheme greatly increases the computation and transmission costs of authentication [15]. In this scheme, each car has a large number of anonymous identities. When the vehicle needs to send a message, it needs to select a pseudonym to sign the message and send it. Therefore, the vehicle needs to have a large storage space to store the pseudonyms. At the same time, the fact that a user has multiple anonymous identities adds a lot of computational overhead to the authority's tracking of real identities in case of communication disputes. To solve this problem, Zhang et al. [9] proposed an effective authentication scheme that uses tamper-proof devices (TPD) to generate dynamic anonymous identities, which avoids the need for vehicles to store a large number of anonymous identities. At the same time, the login verification of TPD protects the user's personal privacy.
VOLUME 8, 2020. This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
In addition, this scheme uses the RSU for batch authentication based on anonymous identity, which greatly reduces the computation and transmission costs of message authentication. However, the IBV scheme does not address V2V communication and is not resistant to replay attacks. The IBV scheme also integrates information and performs authentication at the RSU, which greatly increases the workload of the RSU and reduces the efficiency of RSU authentication.
To solve these problems, in this paper we propose a hybrid proxy based authentication scheme (HPBS), which combines the PKI scheme and the identity-based anonymous batch authentication scheme and introduces the concept of the proxy vehicle. During the system initialization phase, each agent vehicle and RSU receives a unique long term certificate from the CA. When the proxy vehicle enters the communication range of a new RSU, the proxy vehicle and the RSU need to verify each other. At the end of authentication, the RSU and the proxy vehicle jointly generate a set of keys. In the group managed by the proxy vehicle, the message authentication of ordinary vehicles is carried out using symmetric encryption with the group key as the key. When a proxy vehicle node or RSU node is compromised, the CA will revoke its unique certificate. Ordinary vehicles verify the validity of the proxy vehicle through its certificate. In V2I, we mainly use anonymous batch authentication based on identity twice. One is batch authentication of the ordinary vehicles by the agent vehicle, and the other is batch authentication of the agent vehicle by the RSU.
Specifically, our main contributions are as follows.
(1) We proposed a hybrid proxy based authentication scheme that satisfies the security and efficiency requirements of VANETs.
(2) Every RSU and proxy vehicle holds a long term PKI-based certificate, which is used to verify the validity of the node. For each sent message, the vehicle needs to sign it with a locally generated pseudo-identity. The proxy vehicle and the RSU verify each other's certificates before they can communicate and generate group keys. Vehicles can then quickly authenticate each other with group keys. The vehicle and RSU use bilinear batch authentication to authenticate the message.
(3) The CA manages the revoked certificates through the RSU revocation lists (RCRL) and the proxy vehicle revocation lists (PVCRL). When a node registered in the list is corrupted, the CA can revoke its certificate. In view of the limited computing and storage resources of the RSU, we use the agent vehicle to relieve the RSU load.
The remainder of this paper is organized as follows: in section 2, we analyze the relevant work in the existing literature. In section 3, we describe the system model and preliminaries in detail. In section 4, we introduce the message authentication scheme proposed in this paper in detail. In section 5, we prove the security of our scheme. In section 6, we analyze and evaluate the performance of our solution in detail. In the last section, we summarize the research status and future work of this paper.

II. RELATED WORK
In VANETs, security authentication and privacy protection are two problems that need to be solved urgently. To solve these two problems, many anonymous authentication schemes [16]-[18] have been proposed. Most of them sign and authenticate messages based on PKI.
In order to protect the user's real identity and personal privacy, the concept of pseudonyms came into being. Chaum [19] established a pseudonymous system that allows entities to communicate effectively anonymously with other entities through pseudonyms. The proposed system plays a great role in protecting personal privacy. Fan et al. [20] solved the privacy protection and message authentication problems in vehicle communication systems, and proposed an efficient pseudonymy public key infrastructure (EPPKI) scheme using bilinear pairs. This scheme greatly improves the efficiency of message authentication. However, this scheme can not authenticate a large number of messages in a short time. In order to improve the security of the authentication system, Sun et al. [2] proposed an efficient anonymous authentication scheme based on bilinear pairings. However, the computational and transmission costs of this scheme are large. Yue et al. [21] proposed an anonymous authentication scheme based on group signature framework. The main advantage of this scheme is to improve the security of VANETs. However, the performance of this scheme still needs to be further improved.
In recent years, Zhang et al. [22] proposed an extensible vehicle anonymous batch authentication scheme that maintains the effectiveness of traditional schemes, reduces the size of CRL, and does not require the preloading of the same system private key. However, the scheme still requires large overhead in computation and storage.
To improve the efficiency of certification, in [23], Li et al. proposed a scheme for message authentication using secret sharing. The scheme uses verifiable secret sharing to verify each other and obtain a set of keys, and then uses this set of keys to generate and verify messages. This scheme has some advantages in performance. However, the scheme trusts the third party too much, and a single point of failure will cause the system to be completely destroyed.
Hasrouny et al. [24] proposed a group-based authentication scheme using elliptic curve cryptography (ECC). The scheme realizes the secure communication of V2V and reduces the delay caused by security messages. The cost of validation is reduced because the recipient's certificate does not need to be validated. The scheme does not affect the efficiency of certification as the number of vehicles increases. However, the scheme does not take into account conditional privacy protection and batch authentication of messages. In [25], Shao et al. proposed an anonymous authentication scheme using bilinear pairs in distributed entity groups. This scheme adds the characteristics of threshold authentication on the basis of traditional anonymous authentication. The whole validation is based on batch authentication. However, for high-speed moving vehicles, the scheme will incur a lot of computing and communication costs, and the management of the certificate also has some problems. Gao et al. [26] proposed a virtual network privacy protection scheme based on pseudonym ring in order to solve the problems of ring establishment and ring member selection. The scheme has a deep network structure and a trust model. Compared with the traditional scheme, the scheme has stronger robustness and efficiency. In [27], Liu et al. proposed a practical distributed condition security authentication scheme. The scheme does not need to rely on TPD and has a significant improvement in security features. In [28], Mamun and Miyaji proposed a scheme based on bilinear pairings. This scheme improves batch authentication of Identification-Based Group Signature (IBGS). The scheme improves the original scheme by a batch scheduling algorithm, which improves the performance of authentication. However, performance results for the scheme are not provided.

III. SYSTEM MODEL AND PRELIMINARIES
In this section, we introduce our system model in detail and briefly list the basic theoretical knowledge needed for our solution.

A. SYSTEM MODEL
At present, most studies [11], [29], [30] solve the VANET authentication problem through a two-layer network model, consisting of the management layer and the application layer. The application layer is generally composed of vehicles and RSUs, which communicate with each other through the wireless DSRC channel. Vehicles are divided into group leader vehicles and general vehicles. The management layer consists of the CA and the application server (AS), which communicate with the RSU via the Internet. In particular, the communication types can be divided into V2V and V2I, as shown in FIGURE 1.
(1) $V_T$: On the road, there are many buses that run a fixed route every day. We choose these buses, with fixed routes and large computing and storage resources, as our proxy vehicles. In Figure 1, $V_T$ is the proxy vehicle we chose. First, it needs to authenticate with the RSU and generate an in-group key. Secondly, it is also responsible for collecting and sorting out the authentication information of the surrounding vehicles, then verifying the timestamp, and finally integrating the verified information and handing it to the RSU for batch authentication.
(2) CA: CA is the trusted agency for the entire system. It is responsible for assigning long-term certificates to proxy vehicle nodes. All proxy vehicles and RSUs must be registered with CA before joining VANETs. It is maintained by CRL respectively. We assume that the CA has sufficient computing power and storage capacity for communication, and that it cannot be breached by any adversary.
(3) RSU: The RSU connects the management layer to the application layer. On the one hand, the RSU is responsible for checking the validity of the certificate of a proxy vehicle entering its communication range and providing the group key to $V_T$. On the other hand, the RSU is responsible for the bilinear batch authentication based on false identity for the group member authentication information sorted out by $V_T$. Bilinear authentication based on false identity is performed for discrete common vehicles that are not in the group.
(4) On board Unit (OBU): OBU is a device that is built into the vehicle during production. OBU can communicate not only with other OBUs, but also with RSUs. In this scheme, we assume that each OBU is equipped with a TPD.

B. BILINEAR MAPS
Let $G$ be a cyclic additive group and $G_M$ be a cyclic multiplicative group. The point $P \in G$ generates the group $G$. $G$ and $G_M$ have the same prime order $q$, $|G| = |G_M| = q$. Let $e : G \times G \to G_M$ be a bilinear pairing which satisfies the three following properties [32,33].
(3) Computability: There must be an efficient algorithm to compute $e(P, T)$ for all $P, T \in G$.
In bilinear groups with mapping $e$, the DDH problem is easy to calculate, while the CDH problem is difficult to calculate [33]. For example, for any $x, y \in Z_q^*$, and given $xP, yP, xyP \in G$, there exists an efficient algorithm to check $e(xP, yP) = e(P, xyP)$.

C. SECURITY REQUIREMENTS
The vehicle-to-all communication (V2X) scenario mainly needs to meet three security requirements: identity privacy protection, message authentication and traceability. We discuss these in more detail below.
Message authentication: In V2X communication, authentication must be performed to ensure that the message was sent by a legal entity and has not been changed during delivery. In addition, on heavily traffic-intensive routes, we need to make certification more efficient to avoid system crashes.
Identity privacy preserving: In a V2X communication system, because of its broadcast nature, the information of a specific identity will be monitored frequently. If the signature scheme used is a normal signature scheme, this can easily reveal the identity of the individual [34]. Even if we use a pseudonym for signature, an attacker can still link to a car by analyzing multiple signatures. This can lead to a loss of location privacy [35]. Therefore, identity privacy needs to be protected.
Traceability: When the signature is disputed or the message content is forged, the CA should be able to retrieve the vehicle's real identity from the vehicle's false identity.

IV. A HYBRID PROXY BASED AUTHENTICATION SCHEME
In this paper, we propose a hybrid proxy based authentication scheme, which uses an identity-based signature and a PKI-based certificate. Here, the certificate is mainly used to verify the identity of RSU nodes and $V_T$ nodes. The identity-based signature is mainly used for anonymous identity-based batch authentication of vehicles in the group and anonymous identity-based single authentication of discrete vehicles outside the group. The process of our scheme mainly includes the following five steps: the basic idea of the scheme, the initialization of the system, the generation of group key, the authentication of signature and the tracking of real identity. The symbols used in this article are listed in Table 1.

A. BASIC IDEAS
In this section, we introduce the idea of our scheme, as shown in FIGURE 2.
In VANETs, the CA is the only organization used to register certificates and issue certificates. The RSU and $V_T$ are registered in the CA for long term certificates, which are put into their OBU. In particular, we let the CA manage revocation certificates for the RSU and vehicle, respectively. That is, when the RSU and $V_T$ are revoked, their certificates are added to the CRL, respectively. When the RSU and $V_T$ need to be authenticated, other entities can query the status of the certificates they provide through the Online Certificate Status Protocol (OCSP) and authenticate them with the public key in the certificate.
Both the RSU and $V_T$ periodically broadcast a hello message, including their own public key, certificate, and so on.
The RSU works as follows. When a vehicle enters the RSU communication range to send a message to the RSU, the RSU will judge the message it sends. If the communication vehicle is $V_T$, the in-group key will be generated after mutual authentication with $V_T$, and the messages of all members sorted out by $V_T$ will be authenticated with bilinear batch authentication based on anonymous identity. If the communication vehicle is a normal vehicle, only a single bilinear authentication based on anonymous identity is performed for the message.
As for $V_T$, each time it enters the communication range of the RSU, it first authenticates with the RSU and obtains the key within the group. $V_T$ also needs to collate messages from group members and send them to the RSU.
If the ordinary vehicle can find $V_T$ within the communication range, $V_T$ is authenticated, and then the message that needs to be sent to the RSU is sent to $V_T$ after successful authentication. If $V_T$ does not exist within the communication range, the vehicle authenticates the RSU directly and sends a message.
In our scheme, we also had V2V communication. We divided V2V into two groups: V2V communication between two groups and vehicle communication within the group and discrete vehicle communication outside the group.

B. SYSTEM INITIALIZATION
The CA initializes the system parameters and assigns certificates to each RSU node and $V_T$ node. The system initialization process is as follows:

1) SYSTEM PARAMETER GENERATION
The CA acts as a trust institution that checks the vehicle's identity and generates and pre-distributes the vehicle's private key. During system initialization, the CA sets the following system parameters for each RSU and OBU:
(1) $G$ is a cyclic additive group of order $q$ generated by $P$, and $G_M$ is a cyclic multiplicative group of the same order as $G$. Let $e : G \times G \to G_M$ be a bilinear map.
(2) The CA selects a random number $c \in Z_q^*$ as its private key $SK_{CA}$, and then calculates the public key $PK_{CA} = SK_{CA} P$.
(3) The CA randomly selects $d_1, d_2 \in Z_q^*$ as the two private keys, and calculates the corresponding public keys $P_{pub_1} = d_1 P$, $P_{pub_2} = d_2 P$. The CA puts the two keys into each vehicle's TPD.
(4) Each RSU node and OBU node is equipped with the public parameters $\{G, G_M, P, q, PK_{CA}, P_{pub_1}, P_{pub_2}, h, H, e\}$, and each vehicle's TPD is equipped with the parameters $\{d_1, d_2\}$.
(5) The RID and PWD are required for the vehicle to start TPD. The RID is the unique identification of the vehicle, and the PWD is the password required to start TPD.

2) RSU CERTIFICATE ISSUANCE
For each RSU, the certificate and RSU key pair are generated when the RSU is registered. The process is as follows:
(1) The CA randomly selects a number $t \in Z_q^*$ as the RSU's private key $SK_R$, and calculates the RSU's public key $PK_R = tP$.
(2) The CA signs $PK_R$, generates the certificate $Cert_{CA,R} = \{PK_R, \sigma_{CA}\}$, where $\sigma_{CA} = sign_{PK_{CA}}(PK_R)$, and sends it to the RSU for saving through a secure channel.

3) V T CERTIFICATE ISSUANCE
For each $V_T$, the certificate and $V_T$ key pair are generated when the $V_T$ is registered. The process is as follows:
(1) The CA randomly selects a number $l \in Z_q^*$ as $V_T$'s private key $SK_T$, and calculates $V_T$'s public key $PK_T = lP$.
(2) The CA signs $PK_T$, generates the certificate $Cert_{CA,T} = \{PK_T, \sigma_{CA}\}$, where $\sigma_{CA} = sign_{PK_{CA}}(PK_T)$, and sends it to $V_T$ for saving through a secure channel.

C. THE IDENTITY OF A GROUP GENERATION AND ANONYMOUS IDENTITY GENERATION
The RSU broadcasts within its communication range. When a vehicle is communicating with it, the RSU detects if the vehicle is $V_T$. If so, the RSU and $V_T$ jointly generate the group key of $V_T$. The details are shown in FIGURE 3.

1) THE IDENTITY OF A GROUP GENERATION
(1) The RSU broadcasts message $Mes_0 : \{Cert_{CA,R}, \sigma_R, T_0\}$ within the communication range, where $Cert_{CA,R} = \{PK_R, \sigma_{CA}\}$, $\sigma_R = sign_{PK_R}(hello)$ and $T_0$ is a timestamp.
(2) After receiving $Mes_0$, $V_T$ first checks the status of $Cert_{CA,R}$ with OCSP, then checks the timestamp $T_0$ and verifies the certificate $Cert_{CA,R}$ and the signature $\sigma_R$. When all validation is passed, $V_T$ generates a random number $N_1$ and sends $Mes_1 : \{Cert_{CA,T}, Enc_{PK_R}(N_1), T_1, \sigma_T\}$ to the RSU, where $Cert_{CA,T} = \{PK_T, \sigma_{CA}\}$ and $\sigma_{CA} = sign_{PK_{CA}}(PK_T)$.
(3) After receiving $Mes_1$, the RSU first checks the status of $Cert_{CA,T}$ with OCSP, then checks the timestamp $T_1$ and verifies the certificate $Cert_{CA,T}$ and the signature $\sigma_T$. When all validation is passed, the RSU generates a random number $N_2$ and computes $PSK = N_1 N_2$. RSU sends information
The specific algorithm of group key generation is shown in Algorithm 1.

Algorithm 1 The Identity of a Group Generation RSU broadcast Mes
Here, we used the RSU and the proxy vehicle to generate identity of a group for each proxy vehicle's group. The identification of group identity is mainly used to distinguish the communication between groups in V2V communication. In Section 4.4.2, we went into detail.

2) ANONYMOUS IDENTITY GENERATION
All vehicles use the parameters given when the CA is registered and the TPD device to generate their respective anonymous identities. The process is as follows.
In order to protect the privacy of users, we used TPD to generate false identities and corresponding private keys [31]. TPD is mainly composed of the following parts: authentication module, pseudo-identity generation module, and private key generation module. These three modules are described in detail below.
Authentication module: The authentication module is an access control module for TPD; the device can be started only with the RID and PWD. PWD is the CA's signature on RID. After the verification of this module is passed, the process goes to the next module. Here, we assume that TPD cannot be compromised.
Pseudo identity generation module: This module is mainly used to generate pseudo-identities for RID, and each pseudo-identity $AID$ consists of $AID_1$ and $AID_2$. In this module, the ElGamal encryption algorithm [36] over the ECC [37] is employed to generate pseudonyms, with $AID_1 = N \cdot P$ and $AID_2 = RID\ H(N \cdot P_{pub_1})$, where $N$ is a random nonce. Each pseudo-identity is guaranteed to be unique by every change of $N$. Here, $P$ and $P_{pub_1}$ are the public parameters preloaded by the CA. $AID_1$ and $AID_2$ are generated and passed to the next module.
Private key generation module: This module uses identity-based encryption [32]. This module is mainly used to generate the private key $SK$, which consists of two parts, $SK_1$ and $SK_2$, where $SK_1 = d_1 \cdot AID_1$ and $SK_2 = d_2 \cdot H(AID_1\ AID_2)$, respectively.
Finally, the vehicle can obtain a list of pseudo-identities $AID = (AID_1, AID_2)$ and the corresponding private key $SK = (SK_1, SK_2)$.

D. SIGNATURE VERIFICATION

1) MESSAGE SIGNING
According to the DSRC protocol, vehicles on the road need to periodically broadcast traffic-related information, because the transmitted information may affect the traffic control center's command of the traffic and its judgment of the current traffic situation. Therefore, we need to sign the sent message anonymously to improve the security of communication. By signing, the sender can protect its own privacy, and the recipient can verify the integrity and validity of the message. The specific algorithm process is shown in TABLE 2. Details of the signature are as follows.
(1) First, the vehicle $V_i$ generates a daily traffic information $m_i$.
(2) $V_i$ selects an anonymous identity and the corresponding private key to sign the message
These steps are repeated every 100-300 ms according to the DSRC [38].

2) MESSAGE VERIFICATION
In message authentication, we mainly distinguish three authentication methods: the vehicles in the group communicate with the RSU, vehicles in the same group communicate with each other, and vehicles that are not in the same group communicate with each other.
(1) The vehicles in the group communicate with the RSU: Given the system public parameters: we used bilinear message authentication based on anonymous identity.
(3) Vehicles that are not in the same group communicate with each other: Here, we used bilinear message authentication based on anonymous identity. One of the vehicles sends a message $(AID_i, M_i, \sigma_i)$ to the other vehicle, the signature
Through the above four authentication methods, we have introduced the V2I and V2V message authentication methods in our system.
First of all, we use $V_T$ and the RSU to achieve batch certification on dense traffic roads in our scheme, which greatly reduces the certification delay. We mix in the PKI scheme and use certificates to guarantee the identity of the RSU and $V_T$, which improves the security of the whole system. We also use pseudonyms to protect users' privacy. We use $V_T$ to integrate the information and send a timestamp to the RSU for authentication, which not only prevents replay attacks, but also relieves the pressure on the RSU to authenticate and integrate the information at the same time.
In addition, in the authentication of intra-group communication, we use the authentication scheme based on symmetric key, which greatly reduces the authentication time of intra-group information, improves the rate of intra-group communication, and guarantees the security of communication.

V. SECURITY ANALYSIS
This section will mainly analyze the security of our proposed scheme. Firstly, BAN Logic is adopted to prove the correctness of the scheme. Secondly, we apply informal security analysis to illustrate the security requirements our solution meets.

A. PROOF OF SAFETY
In this section, we use BAN Logic in [39] to prove the logical correctness of the HPBS scheme. BAN logic is a formal logic widely used for reasoning about encryption and protocols. The BAN logic can be used to prove that the protocol implementation is achieving the desired goal. At the same time, we can also use it to find some defects in the scheme design.
The HPBS scheme has two main objectives. One is that during authentication, $V_T$ and RSU determine that they share a new session key. The other goal is for $V_T$ and RSU to get information from each other.
With $X$ as $V_i$, $Y$ and $Z$ as RSU, $M_A$ and $M_B$ as $P_a$ and $P_b$, $D_A$ as $Msg_{V_T}$, $D_B$ and $D_C$ as $Msg_R$, $K_A$ and $K_A^{-1}$ as $PK_T$ and $SK_T$, $K_B$ and $K_B^{-1}$ as $PK_R$ and $SK_R$, $T_{A1}$, $T_B$, $T_{A2}$ and $T_C$ as the timestamps, and $K_{AB}$ as PSK, the messages in the HPBS scheme can be represented as follows: As a plaintext can be easily forged, the idealized message in BAN logic is shown as follows: As both $V_T$ and RSU use their IDs as their public keys and broadcast to neighbors, it can be assumed that: Through the logic of BAN, we obtain: Using $T_{A1}$ for the fresh rule, we derive: Furthermore, with the nonce-verification rule, we can infer: From RSU → $V_T$, via the message-meaning rule, we also obtain: Using $T_B$ for the fresh rule, we obtain: So, with the nonce-verification rule, we obtain: With $K_{AB}$, we can obtain: From the above equation, we can see the authentication process between $V_T$ and RSU, which means that the HPBS scheme can meet the first security objective.
From $V_T$ → RSU, we obtain: Using $T_{A2}$ for the fresh rule, we also derive: Therefore, we can derive by the nonce-verification rule: From $V_T$ → RSU, via the message-meaning rule, we obtain: In addition, using $T_C$ for the fresh rule, we get: Finally, with the nonce-verification rule, we can derive: It can be determined from the above proof that the HPBS scheme can also fulfill the second goal. Through the formal proof of the HPBS scheme, we can conclude that the scheme can guarantee the integrity of the information exchanged and the confidentiality of the recipient.

B. THE FORMAL SECURITY ANALYSIS
In this section, we mainly prove the security of our scheme from four aspects: message authentication, user identity privacy preservation, resistance to replay attacks, and traceability by the CA.

1) THE MESSAGE AUTHENTICATION
Message authentication is the basic security requirement of VANETs. In our scheme, the signature $\sigma_i$ is actually a one-time identity-based signature. It is impossible to forge a valid signature without knowing $SK_i^1$ and $SK_i^2$. Because of the NP-hard computation complexity of Diffie-Hellman problem in $G$, it is difficult to derive the private keys $SK_i^1$ and $SK_i^2$ by way of is a diophantine equation, and we know that just knowing $\sigma_i$ and $h(M_i)$ to get $SK_i^1$ and $SK_i^2$ is quite difficult. On the other hand, the CA assigns long-term certificates to each registered RSU and $V_T$. When $V_T$ and RSU authenticate each other's messages, we use PKI-based certificate authentication. We can authenticate the message by verifying the status of the certificate.
Therefore, we can conclude that the one-time identity-based signature in our scheme is secure as message authentication.

2) THE USER IDENTITY PRIVACY PRESERVATION
In our scheme, we generate two random pseudo-identities $AID_i^1$ and $AID_i^2$ using the real identity $RID_i$ of the vehicle $i$ and the random number $N$, where $AID_i^1 = NP$ and ). Because the pseudo-identity pair $(AID_i^1, AID_i^2)$ is an ElGamal-type ciphertext, it can resist the chosen-plaintext attack. Therefore, without knowing the key pair $(s_i^1, s_i^2)$, no one can calculate the real identity of the vehicle $i$ through the pseudo-identity pair. Also, each signature uses a different pseudonymous pair $(AID_i^1, AID_i^2)$. Therefore, personal privacy is protected.

3) THE RESIST REPLAY ATTACKS
Because of the characteristics of wireless communication, the information we send is often easy to capture. Although attackers cannot forge signatures to tamper with or fabricate information, they can mount replay attacks. For example, suppose the vehicle $i$ has a traffic accident in a certain section of the road and, so that the traffic control center can deal with the incident and reasonably clear the road, sends a message $M_i$ at time $T_1$, and both the attacker and the traffic center obtain $M_i$. The traffic center goes through a series of certification processes to make sure that the message is credible, and makes reasonable arrangements. If the attacker uses the obtained information to send out the message $M_i$ again at time $T_2$, the traffic center will still pass the certification and take measures. However, it takes manpower and resources to find out that this is a hoax, and the traffic arrangement for emergencies will make the traffic situation chaotic. If there were an infinite number of such messages, the whole system would crash.
In our scheme, we use private key timestamp signatures for individual authentication to prevent replay attacks. In batch authentication, we ask $V_T$ to collect the information by verifying the timestamp of each message and consolidating the information that is not in question; $V_T$ then signs the time with its own group key and sends the consolidated information to the RSU. In intra-group authentication, we use the intra-group communication key to sign the timestamp and put it into the sent message.
Therefore, our scheme successfully withstands replay attacks in communication.
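The intra-group timestamp check described above, worked through for the T 1 / T 2 scenario as an added example that is not code from the paper. HMAC-SHA256 stands in for the symmetric group-key signature, and the 5-second acceptance window, the packet layout and all names and values are assumptions.

```python
import hashlib
import hmac
import struct

# Assumptions (not from the paper): HMAC-SHA256 as the group-key "signature",
# a 5 s freshness window, and this packet layout. All values are constructed.
FRESHNESS_WINDOW_S = 5.0

def make_tag(group_key: bytes, message: bytes, ts: float) -> bytes:
    # Authenticate timestamp and message together so neither can be swapped.
    data = struct.pack(">d", ts) + message
    return hmac.new(group_key, data, hashlib.sha256).digest()

def send(group_key: bytes, message: bytes, now: float) -> dict:
    return {"msg": message, "ts": now, "tag": make_tag(group_key, message, now)}

def verify(group_key: bytes, packet: dict, now: float) -> str:
    expected = make_tag(group_key, packet["msg"], packet["ts"])
    # Constant-time comparison of the received tag against the recomputed one.
    if not hmac.compare_digest(expected, packet["tag"]):
        return "rejected: bad tag"
    # The tag is valid, so the timestamp is the sender's; now check its age.
    if abs(now - packet["ts"]) > FRESHNESS_WINDOW_S:
        return "rejected: stale timestamp"
    return "accepted"

def scenario() -> dict:
    key = b"constructed-group-key-0123456789"
    t1, t2 = 1000.0, 1060.0                      # constructed times, in seconds
    original = send(key, b"accident on road section 7", t1)
    replayed = dict(original)                    # captured and resent unchanged
    redated = dict(original, ts=t2)              # timestamp rewritten, tag kept
    return {
        "original at T1": verify(key, original, t1 + 0.2),
        "replay at T2": verify(key, replayed, t2),
        "re-dated replay at T2": verify(key, redated, t2),
        "replay inside window": verify(key, replayed, t1 + 1.0),
    }

if __name__ == "__main__":
    for case, result in scenario().items():
        print(f"{case}: {result}")
```

The last case is accepted: a timestamp alone does not stop a copy resent inside the acceptance window, so the window should be as short as clock synchronisation allows.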

4) TRACEABILITY BY THE CA
In our scheme, in order to protect user privacy, we sign messages with different pseudonyms. As the only credible agency, the CA can use the following formula to calculate the true identity of the vehicle.
Part of the private key d 1 i of vehicle i is known only to the CA, so other vehicles and the RSU cannot calculate the real identity of the vehicle. When a vehicle i delivers false messages or conducts illegal operations, the RSU can report it to the CA, which calculates its real identity. This satisfies the traceability of the real identity of the vehicle.

VI. PERFORMANCE EVALUATION
In this section, we evaluate the performance of the HPBS scheme primarily in terms of verification latency and transmission overhead, and compare it with related schemes, namely ECDSA [40] and LIAP [41], in terms of computation and transmission overheads. Considering that ECDSA is the signature algorithm adopted by the IEEE 1609.2 standard, we adopt it as a comparison scheme. LIAP is a local identity-based anonymous message authentication protocol. Our scheme shares two points with LIAP: (1) both use a hybrid approach to design an anonymous message authentication scheme; (2) both combine identity-based and PKI-based authentication in a mixed scheme. The differences between our approach and LIAP are: (1) LIAP uses anonymous message authentication in part, while our scheme uses PKI-based ideas locally; (2) our scheme introduces proxy vehicles. Therefore, we use LIAP as our comparison object. Here, we only consider the communication overhead of V2V and V2I, and we do not analyze the communication between the CA and the RSU.

A. COMPUTATION OVERHEAD ANALYSIS
In this section, we calculate the computation cost of a vehicle validating ordinary vehicles' information and of the RSU validating the integrated vehicle information, respectively. We add the two to obtain the total message validation computation overhead and compare it in detail with that of the other two schemes.
In the V2I communication phase, the computational overhead is mainly generated by message validation. The operations required to validate a message are as follows. T mul represents the time required to perform a point multiplication, T mtp represents the time required to perform a MapToPoint hash operation, and T par represents the time required to perform a pairing operation. The experiments run on an Intel i7-9750 3 GHz machine. According to [28], the following parameters are obtained: T mul is 0.39 ms, T mtp is 0.09 ms and T par is 4.5 ms. TABLE 3 compares the three schemes in terms of the computational overhead at the RSU for a single message and for n messages. The time required for the ECDSA scheme to validate a message is 4T mul , and the time required to validate n messages is 4nT mul . The LIAP scheme takes T mul + T mtp + 3T par to validate a message and (n + 1)T mul + nT mtp + 3T par to validate n messages.
First, we assume that the traffic density equals the number of messages to be verified that vehicles send during one cycle, and that each vehicle sends one message per fixed cycle of 300 ms. We assume that, in the RSU communication range, the number of proxy vehicles is m and the number of messages to verify is n. Therefore, the average number of messages that need to be validated per agent vehicle is n/m. The time it takes to validate a message with our scheme is 2T mul + 2T mtp + 6T par , and the time it takes to validate n messages is (m + n/m)T mul + (m + n/m)T mtp + 6T par . FIGURE 4 illustrates the relationship between the number of messages and the number of proxy vehicles within an RSU's coverage area and the computation overhead of the RSU. We can see from the figure that the computation overhead increases as the number of messages and the number of proxy vehicles increase. When the number of proxy vehicles is greater than 1, the calculation cost of our scheme is much higher than that of the other two schemes. Below, we draw the comparison line diagrams of the three schemes for m = 2 and m = 3 proxy vehicles. than the other two schemes when the number of messages is more than 50. At the same time, as the number of messages increases, the computational overhead of our scheme is smaller than that of the other two schemes.
From FIGURE 6, we can see that when there are three proxy vehicles in the communication range of the RSU, the calculation cost of our scheme is less than that of the other two schemes as the number of messages increases. By comparing FIGURE 5 and FIGURE 6, we can find that as the number of proxy vehicles in the RSU communication range increases, the delay required to validate messages decreases.
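The three verification-cost formulas above can be evaluated directly to find where the curves cross. The following is an added example, not code from the paper; it uses only the formulas and timing values quoted in the text, and the function names and search limits (n_max, m_max) are assumptions.

```python
# Added example: evaluates the RSU verification-cost formulas quoted in the text.
# Timing values (ms) are the ones the text cites from [28].
T_MUL, T_MTP, T_PAR = 0.39, 0.09, 4.5

def ecdsa_ms(n: int) -> float:
    # ECDSA: 4n * T_mul
    return 4 * n * T_MUL

def liap_ms(n: int) -> float:
    # LIAP: (n + 1) * T_mul + n * T_mtp + 3 * T_par
    return (n + 1) * T_MUL + n * T_MTP + 3 * T_PAR

def hpbs_ms(n: int, m: int) -> float:
    # HPBS: (m + n/m) * T_mul + (m + n/m) * T_mtp + 6 * T_par
    per_proxy = m + n / m
    return per_proxy * T_MUL + per_proxy * T_MTP + 6 * T_PAR

def break_even(m: int, n_max: int = 1000):
    """Smallest n at which HPBS with m proxy vehicles costs less than both
    ECDSA and LIAP, or None if that never happens up to n_max (assumed limit)."""
    for n in range(1, n_max + 1):
        if hpbs_ms(n, m) < min(ecdsa_ms(n), liap_ms(n)):
            return n
    return None

def cheapest_m(n: int, m_max: int = 20) -> int:
    """Number of proxy vehicles (1..m_max, assumed limit) minimising HPBS cost.
    The m term grows while the n/m term shrinks, so there is an optimum."""
    return min(range(1, m_max + 1), key=lambda m: hpbs_ms(n, m))

if __name__ == "__main__":
    for m in (1, 2, 3):
        print(f"m={m}: HPBS cheaper than both baselines from n={break_even(m)}")
    for n in (25, 100, 400):
        m = cheapest_m(n)
        print(f"n={n}: cheapest m={m}, HPBS={hpbs_ms(n, m):.2f} ms, "
              f"LIAP={liap_ms(n):.2f} ms, ECDSA={ecdsa_ms(n):.2f} ms")
```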
In the V2V communication phase, message authentication between vehicles is divided into two cases: authentication of vehicles within a group, and authentication of vehicles in different groups. Message authentication between vehicles in the same group only requires the computational overhead of decrypting a symmetric signature using the group key. Message authentication between vehicles that are not in the same group is a bilinear authentication operation, and the computational overhead required is T mul + T mtp + 3T par .

B. TRANSMISSION OVERHEAD ANALYSIS
In this section, we analyze and compare the transmission overhead of ECDSA, LIAP, and HPBS. In our scheme, the transmission overhead we calculate includes the overhead from the normal vehicle to the proxy vehicle and the overhead from the proxy vehicle to the RSU. TABLE 4 shows the number of bytes that need to be transferred for one message and for n messages under each of the three schemes. Here, we do not count the message M i as transmission overhead. Based on the authentication process in section IV, we can calculate that the number of bytes of the message (AID i , σ i ) transmitted from the ordinary vehicle to the proxy vehicle is 21 + 42n. The information transferred from the proxy vehicle to the RSU is (AID T , σ T ), and we can calculate that its transmission overhead is 21 + 42m, where m is the number of proxy vehicles. The total transmission cost is therefore 21 + 42n + 21 + 42m. FIGURE 7 illustrates the relationship between the number of messages and the number of proxy vehicles within an RSU's coverage area and the transmission overhead of the RSU. From the figure, we can see that, as the number of messages increases, the number of transmitted bytes of all three schemes shows an increasing trend. The transmission overhead of ECDSA is the largest among the three schemes, and the transmission overhead of HPBS is much smaller than that of the other two.
From FIGURE 8, we can clearly see the comparison of the transmission overhead of the three schemes when there are two proxy vehicles in the communication range of the RSU. We found that once the number of messages is greater than 3, our scheme has the lowest transmission cost among the three schemes, and the gap between the three becomes larger as the number of messages increases. By comparing FIGURE 9 and FIGURE 8, we can find that the transmission overhead of our scheme decreases slightly as the number of proxy vehicles increases. By looking at the number of proxy vehicles, there was a slight increase in the transmission overhead of our scheme. However, the transmission overhead of our scheme is always much less than that of the other two schemes.

VII. CONCLUSION
In HPBS, we used the computing power of the proxy vehicle to reduce the burden on the RSU, where the proxy vehicle can batch authenticate messages from other vehicles and the RSU is responsible for authenticating messages from the agent vehicle. At the same time, we use the group keys jointly generated by the proxy vehicle and the RSU to make intra-group V2V communication more efficient. In the event of an illegal operation of a node, HPBS can trace the node through CA and obtain its true identity. In addition, HPBS is able to withstand replay attacks. HPBS was analyzed and compared with other schemes in terms of computational and transmission overhead.
In the work of HPBS, we mainly proposed a hypothetical password algorithm that takes buses and other similar vehicles as proxy vehicles. Since the routes of these special vehicles are fixed and concentrated on roads with high traffic flow, it is more advantageous for the scheme to be applied in practice. In the future, we will use the trust extension to increase the number of agent vehicles, which will further improve the efficiency of certification. In addition, we will also use game theory to study the incentive mechanism to minimize redundant authentication events.
HUA LIU is currently pursuing the master's degree with the Zhejiang University of Science and Technology. His research interests include wireless mesh network security, cryptography, and information theory.
HAIJIANG WANG received the M.S. degree from Zhengzhou University, in 2013, and the Ph.D. degree from Shanghai Jiao Tong University, in 2018. He is currently a Teacher with the School of Information and Electronic Engineering, Zhejiang University of Science and Technology. His research interests include cryptography and information security, in particular, public key encryption, attribute-based encryption, searchable encryption.
HUIXIAN GU is currently pursuing the master's degree with the Zhejiang University of Science and Technology. His research interests include edge cache, wireless communication, and information theory. VOLUME 8, 2020