A Privacy-Preserving Authentication and Pseudonym Revocation Scheme for VANETs

With the development of Intelligent Transportation Systems (ITS), Vehicular Ad hoc Networks (VANETs) have become a research hotspot in recent years. However, the vehicle communication system is vulnerable, resulting in threats to the privacy of users. This paper proposes a secure and efficient identity-based anonymous authentication scheme and uses pseudonyms to enhance the privacy protection of vehicle users. By improving the existing vehicle public key infrastructure and introducing Bloom filter to compress the Certificate Revocation List (CRL), the efficient pseudonym revocation scheme is then presented under the premise of ensuring user privacy. This scheme is able to perform batch pseudonym revocation and keep the pseudonym unlinkable. The security analysis shows that the proposed scheme is able to meet the security and privacy requirements in VANETs and CRL distribution.


I. INTRODUCTION
In an open access environment such as Vehicular Ad hoc Networks (VANETs), the vehicle communication (VC) system is vulnerable, resulting in threats to the privacy of users. Security and privacy solutions have been proposed by technical specifications represented by IEEE WAVE 1609.2 (Security Services for Applications and Management Messages) [1], ETSI 102 (Security, Trust and Privacy Management) [2], and projects (SeVeCom [3], PRESERVE [4], CAMP [5]). A consensus was reached on the use of public key cryptography (PKC) to protect Vehicle to Vehicle (V2V) and Vehicle to Infrastructure (V2I) communications [6]: a set of trust authorities (TAs) constitute the Vehicle Public-Key Infrastructure (VPKI), which provides multiple short-term certificates (pseudonyms) to legitimate vehicles. In V2V/V2I communication, the vehicle switches from one pseudonym to another to realize unlinkability. However, anonymity is conditional. If the vehicle violates the law or its pseudonym certificate expires, the pseudonym and the certificate need to be revoked. Furthermore, when there are harmful behaviors in the network, it is necessary to spread the pseudonyms and certificate of the illegal vehicle to maintain communication security. In practice, Certificate Revocation List (CRL) is the most widely used revocation method for illegal vehicles in VANETs. In order to check the validity of certificates, vehicles need to obtain CRL frequently. Since the size of CRL file increases linearly with the number of revoked certificates, this method leads to a large delay and affects the real-time performance of the revocation scheme.

The associate editor coordinating the review of this manuscript and approving it for publication was Adnan M. Abu-Mahfouz.
In the current VANETs security solutions, most research focuses on security and privacy. In [7], in order to realize identity authentication and ensure anonymity, the On Board Unit (OBU) of each vehicle needs to load a large number of anonymous public key and private key pairs in advance. However, this causes the problem of high management overhead of CRL. When the vehicle's certificate is revoked, a large number of pre-loaded certificates also need to be revoked. Some schemes try to use pseudonyms to replace certificates, but there are still problems in distributing CRL. Calandriello et al. [8] and Jung et al. [9] proposed pseudonym-based authentication schemes to keep vehicles anonymous. However, in these schemes, the distribution of CRL is very time-consuming, which will greatly affect the availability of the schemes. To reduce the size of CRL, the group signature is adopted in [10], [11]. However, it is not suitable for VANETs because of its high cost and delay. Wang et al. [42] proposed an efficient authentication scheme mainly utilizing symmetric encryption and message authentication code (MAC). Furthermore, vehicles need not maintain CRL. The scheme allows Key Management Centre (KMC) to manage the identity of all vehicles as the only trusted authority, and is also responsible for generating and updating the vehicle keys. KMC is a single threat model so the system is obviously not secure.

VOLUME 8, 2020. This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
To distribute the capability of identity resolution between authorities, Ali et al. [43], [44] presented an authentication framework, which can avoid pseudonyms being linked. The pseudonym validity is set between 10 and 50 milliseconds [44] and the vehicle interacts with the Pseudonym Provider (PP) frequently. Therefore, the connectivity between them needs to be considered. Furthermore, PP sends multiple pseudonyms to the vehicle each time and they are all legitimate in the same interval, which is not secure enough.
In [45], Vijayakumar et al. proposed a privacy preservation and anonymous authentication scheme using anonymous certificates. In addition, it also provides a batch verification for RSU to authenticate a group of vehicles. However, it is still not efficient enough because the communication overhead and message loss ratio are not considered, and it is vulnerable to DoS attack. Zhong et al. [46] presented an efficient conditional privacy-preserving authentication scheme utilizing hash operations with lower computational costs. It adopts a way that RSU assists OBU in message verification and also knows the OBU's identity. Moreover, it is not effective against all kinds of attacks. In recent years, in order to ensure effective anonymous authentication and revocation, RSU (Road Side Unit)-dependent authentication protocol [12] and cooperative authentication protocol [13], [14] were proposed. However, in [12], as a group manager, RSU issues a group member key to each vehicle; consequently, it can track the trajectory of the vehicle. In [13], in order to ensure privacy, each vehicle is assigned many pseudonyms. When the vehicle is revoked, CRL size will be greatly increased. Moreover, the cooperative authentication method proposed in [14] can only verify messages when the density of vehicles on the road is high. In addition, [14] uses the group key distribution approach to realize efficient revocation, which may cause security problems [15]. In recent vehicle revocation approaches, CRL slicing is used and each CRL slice is delivered independently [16]. CRL slices are distributed in a car-to-car manner to speed up the distribution process in high vehicle density areas [17]-[19]. However, dividing CRL into multiple fragments is vulnerable to attack. An attacker can use signature verification latency to forge CRL fragments for DoS attacks, thereby preventing the vehicle from obtaining real CRL fragments.
In addition, for Vehicular Public-Key Infrastructure (VPKI) and receiving vehicles, the computational overhead increases linearly with the number of CRL fragments. To reduce the size of the transmitted CRL, a Bloom filter (BF) is proposed to compress the CRL [20]. However, the size of the CRL increases linearly with the number of revoked pseudonyms, and most of the compressed CRL may be independent of the receiving vehicle. There are also schemes to apply edge computing to the Internet of Things environment to distribute revocation information [21]. The combination of edge computing and VANETs is promising, which is still in the early research phase.
In this paper, we design a secure and efficient certificate revocation scheme for VANETs which can revoke the pseudonym effectively and provide strong privacy protection for users. The contributions are as follows: (1) A secure and efficient identity-based anonymous authentication scheme is proposed to support cross-domain vehicles. (2) The proposed scheme can effectively revoke a batch of pseudonyms without compromising the privacy of users. (3) In order to solve the problem of CRL management (e.g. distribution, update) caused by pseudonyms, Bloom filter is introduced to effectively reduce the size of CRL and decrease the management cost.
The remainder of this paper is organized as follows. In Section II, the necessary preliminaries are introduced. The system overview is presented in Section III. In Section IV, the proposed scheme is elaborated. The security analysis is given in Section V. Section VI evaluates the performance of the proposed scheme by comparing with other typical schemes in terms of anonymous authentication efficiency and pseudonym revocation efficiency. Finally, the conclusion is drawn in Section VII.

II. PRELIMINARIES
This section introduces the necessary preliminaries to support the proposed scheme.

A. BILINEAR PAIRING
Let $G_1$ be an additive cyclic group of prime order $p$, and $G_2$ be a multiplicative group of the same order. A bilinear pairing $e: G_1 \times G_1 \rightarrow G_2$ satisfies the following properties [22].
1) Bilinearity: For any $P, Q \in G_1$ and $a, b \in \mathbb{Z}_p^*$, $e(aP, bQ) = e(P, Q)^{ab}$.
2) Non-degeneracy: There exist $P, Q \in G_1$ such that $e(P, Q) \neq 1$.
3) Computability: An efficient algorithm can calculate $e(P, Q) \in G_2$, where $P, Q \in G_1$.

B. MATHEMATICAL PROBLEMS AND ASSUMPTIONS
The relevant problem and the assumption are given below, which are the cornerstones of the cryptosystem involved in this paper.
Definition 1: q-Strong Diffie-Hellman problem (q-SDHP). Given $(P, xP, x^2P, \ldots, x^qP)$ as input, finding $(c, \frac{1}{x+c}P) \in \mathbb{Z}_p^* \times G_1$ with $x, q, c \in \mathbb{Z}_p^*$.
Assumption 1: q-Strong Diffie-Hellman (q-SDH) assumption. If no algorithm can solve the q-SDHP on $G_1$ with the advantage $\varepsilon$ within time $t$, then the q-SDHP on $G_1$ is difficult, that is, the q-SDH assumption holds.

C. BLMQ SIGNATURE MECHANISM
The proposed scheme uses the BLMQ signature mechanism introduced in [23], which strikes a balance between security and efficiency. Let $G_1$ be an additive cyclic group of prime order $q$. Let $G_2$ be a multiplicative group of the same order. Let $e: G_1 \times G_1 \rightarrow G_2$ be a bilinear pairing. The details of the mechanism are as follows.
1) Setup. PKG (Private Key Generator) generates the public parameters $param = G_1, G_2, q, e, P, P_{pub}, g, H_1$, with $g = e(P, P)$. PKG chooses $s \in \mathbb{Z}_q^*$ as the master key, and the public key is $P_{pub} = sP$.
2) Extract. Given the signer's identity $ID_U$, PKG computes the private key $S_U = \frac{1}{H_1(ID_U)+s}P$ for the signer.
3) Sign. If a signer wants to sign message $M$, the following operations will be executed.
to verify whether σ is legal.

D. BLOOM FILTER
Bloom filter was proposed by Howard Bloom to retrieve whether a given element is in the collection. Bloom filter is a kind of random data structure, whose spatial efficiency is very high. A Bloom filter corresponds to an array of $m$ bits, initially all set to 0. To represent a collection of $n$ elements $S = \{x_1, x_2, \ldots, x_n\}$, the Bloom filter maps each element to a specified range of $\{1, \ldots, m\}$ using $k$ independent hash functions. For any given element $x$, the position $h_i(x)$ to which the $i$-th hash function maps is set to 1, $1 \leq i \leq k$. When we want to determine whether $y$ belongs to the set, we first apply the $k$ hash functions to $y$. If the positions $h_i(y)$ are all 1, then $y$ can be considered as an element in $S$. However, Bloom filter may produce a false positive, which indicates that an element $x$ is in $S$, even if it is not in $S$. But for many applications, this is perfectly acceptable as long as the probability of a false positive is small enough. At present, Bloom filter is often used for message passing between nodes in network applications. Moreover, Compressed Bloom filter (CBF) [24] is able to improve the performance of Bloom filter and obtain a smaller false positive rate while ensuring a good transmission compression rate.

III. SYSTEM OVERVIEW
This section presents an overview of the proposed system including the system framework, the system model, the trust model, the attack model, revocation information and design objectives.

A. SYSTEM FRAMEWORK
As shown in Figure 1, the system has a four-layer architecture, including three types of entities. All infrastructures in the system are equipped with devices based on IEEE 802.11.
RTA and TA: RTA is the root trusted authority, as the top layer of the system, which can authorize and issue secondary certificates to the lower-layer TA (trusted authority). The public and private keys of TAs are generated by RTA and the public parameters of TAs are further generated according to the system parameters published by RTA.
Each TA is regarded as a regional trusted authority and manages all RSUs and vehicles within its communication area. TA is responsible for the registration of RSUs and vehicles, and generates anonymous credentials for legal vehicles to apply for their pseudonyms. All RSUs generate public and private keys according to the public parameters issued by TA. TA is also responsible for the aggregation of revocation information in the region and the issuance of authoritative CRL.
RSU: RSUs are infrastructures built along the road, which are in charge of the authentication of vehicles accessing VANETs and the communication between vehicles and TA during driving. RSUs also generate pseudonyms, pseudonym certificates, as well as the corresponding public and private keys for legal vehicles according to the anonymous credentials submitted by vehicles. When a revoked pseudonym appears, RSU is responsible for distributing the pseudonym certificates revocation information.
OBU: OBU is a processing unit embedded in the vehicle, which is responsible for V2X communication, which includes both V2V and V2I. All vehicles can regularly send security information through OBU during driving, which is collected by RSUs. The security information includes driving speed, direction, and position of the vehicle. RSU transfers information between vehicles and TA.
TA communicates with RTA, other TAs, and RSUs in its domain through wired channels, while V2I and V2V communications are launched through wireless networks following DSRC (Dedicated Short Range Communications) protocol.

B. SYSTEM MODEL
Since vehicles are likely to cross one or even several areas on a relatively long journey, the scheme extends and enhances the current VPKI system, taking into account the cross-domain situation. There are two different domains in our system: native domains and external domains. When a vehicle leaves the domain managed by the native TA (N-TA) which it has initially registered with, the vehicle needs the external TA (E-TA) and the RSUs in the external domain to continue to provide it with services in the VANETs. Figure 2 shows two domains: native domain A and external domain B. First of all, each vehicle (also called OBU later) holds an identity certificate issued offline by the vehicle administration (equivalent to CA), which is called long-term certificate (LTC). LTC is generated according to the real ID of the vehicle and contains the real identity information of the vehicle and the signature from CA. In order to access VANETs, vehicles need to complete initial registration with their N-TA. The OBU submits LTC to N-TA through the secure channel to execute initial registration and obtains the anonymous credential (crdl) issued and signed by N-TA. The credential can be used to apply for pseudonyms from RSU in the domain (such as $RSU_{a1}$ or $RSU_{a2}$ in domain A). OBU determines when to execute the pseudonym acquisition protocol based on various factors [25]. If the pseudonym request time in the vehicle's credential is about to expire, OBU sends the current crdl and the new request time interval to TA in the domain to apply for a new credential to replace the current one through RSU. If the vehicle is traveling to an external domain (domain B), it does not have to register again with E-TA.
OBU only needs to request E-TA for a new credential through the RSU of first access (i.e., $RSU_{b1}$). The new credential is signed by E-TA and can be used to apply for pseudonyms from the RSU (such as $RSU_{b2}$) in domain B. In this way, even if the vehicle travels across domains, its identity information is always protected and is not exposed to E-TA and RSUs. OBU can be authenticated by a currently valid pseudonym and can interact with all RSUs in its native or external domain. CRL obtained from RSU and Online Certificate Status Protocol (OCSP) are used to publish the revocation information [26]. We assume that all vehicles registered in the system are equipped with Tamper Proof Device (TPD) to ensure that the private keys are secure enough, and that there is a misconduct detection system to trigger the revocation, such as [27]. RSU is able to initiate the process of resolving and revoking all pseudonyms of the misbehaved vehicle. When the OBU has malicious behavior in VANETs, such as spreading disloyal traffic information, other OBUs communicating with it will report its pseudonym to the nearest RSU. The RSU will further report the pseudonym together with the credential to TA.

C. TRUST MODEL
The trust model of the proposed scheme is depicted in Figure 3. It is assumed that all TAs trust RTA and pre-store the certificate of RTA, which can verify the legitimacy of vehicles. TAs communicate through secure channels and have mutual trust relations. All RSUs in the same domain trust the TA. RSUs (such as $RSU_{a1}$ and $RSU_{a2}$, $RSU_{b1}$ and $RSU_{b2}$) communicate through secure channels and trust each other. RSU trusts TAs of other domains conditionally. For example, $RSU_{b1}$ needs to use the public key of $TA_a$, e.g. the domain ID of $TA_a$, to verify the credentials signed by $TA_a$. There are no trust relations between OBUs and RSUs. OBUs distrust each other before authentication.

D. ATTACK MODEL
We assume that the adversary who carries out passive attack can monitor the communication channel and eavesdrop the message. While in active attack, the external adversary, i.e., unauthorized entity, tries to tamper with the message or even replace the original message in order to induce legitimate vehicles to accept forged or harmful messages without being detected. In addition, the internal adversary, i.e., malicious, affected or non-cooperative entity, may obtain and analyze messages from others to maximize abuse of VANETs.
The anonymous authentication in the proposed scheme is based on Identity Based Signature (IBS) mechanism. For the attack model of IBS schemes, it is necessary to allow the adversary to perform key extraction queries and chosen identity attack. The IBS mechanism is secure if no polynomial time attacker $A$ wins the following game with at least advantage $\varepsilon$ in time $t$ after $q_k$ key extraction queries and $q_s$ signature queries, where the advantage of $A$ is defined as his or her probability of winning the game. The adaptively chosen and identity attack game of IBS system consists of the following three stages, which is a game between challenger $C$ and attacker $A$.
1) Initialization: $C$ runs the system Setup algorithm and sends the generated system parameters to $A$. $C$ keeps the master key $s$ secret.
2) Attack: $A$ performs Extract queries and Sign queries. In an Extract query, $A$ selects an identity $ID$, and $C$ returns the private key corresponding to $ID$, which is obtained by running Extract. In a Sign query, $A$ submits an identity $ID$ and a message $m$. $C$ first obtains the private key by running Extract, then runs Sign to generate the signature $\sigma$ and sends $\sigma$ to $A$.
3) Forgery: $A$ outputs $(ID^*, m^*, \sigma^*)$. $A$ wins the game when the following three conditions are met.
a) $\sigma^*$ is a valid signature for $m^*$ and $ID^*$.
b) $ID^*$ has not been submitted to an Extract query.
c) $(ID^*, m^*)$ has not been submitted to a Sign query.
Our attack model also takes into account honest but curious VPKI entities, such as RSU, which comply with security protocols and policies, but may collect private information of vehicles and share it with other RSU to damage users' privacy.

E. REVOCATION INFORMATION
The concept of certificate chain and the relationship between certificate and revocation information are given in the IEEE 1609.2 protocol. The revocation information is issued by CRACA (Certificate Revocation Authorizing CA) or by a CRL signer directly authorized by CRACA.
In this paper, RSUs act as CRL signers. As shown in Figure 4, TA is authorized by RTA and holds a CRACA certificate. TA authorizes all RSUs within its domain to act as CRL signer, enabling RSUs to issue revocation information. The pseudonym certificate of the vehicle is issued by RSU. Consequently, it is possible for vehicles to obtain the certificate revocation information directly through RSU in a timely manner rather than from TA at regular intervals.

F. DESIGN OBJECTIVES
Referring to [28], the security and privacy requirements in VC system can be summarized as follows.
Authentication and Authorization. Authentication is to verify the authenticity of an identity or other message properties. In VC system, communication and cooperation between entities need to exchange information, so users should minimize the disclosure of personal information. In anonymous authentication, in order not to expose the sender's identity and ensure confidentiality, it is necessary to be able to authenticate through anonymous certificates or credentials issued by trusted third parties.
Non-repudiation and revocation. In VC system, the reliability of messages is particularly important. Forged and illusive information may cause traffic accidents, so it is necessary to be able to hold the sender accountable, which means that the sender cannot deny having signed and sent a message. If anonymous credentials are used, only authorized entities can resolve the identity in case of disputes. At the same time, effective methods of revocation information distribution must be provided.
Anonymity and unlinkability. Anonymity requires that it is impossible to link the message to the sender according to the content of the message, and unlinkability requires that the relationship between two or more items of interest cannot be linked. The unlinkability of the sender and the message it sent is equivalent to the anonymity of the sender. The unlinkability of continuous messages from the same vehicle can avoid being tracked and protect location privacy.
According to the above requirements, the security and privacy objectives of the proposed scheme are put forward as follows.
Authentication and confidentiality. V2I and V2V authentication should be achieved without revealing the identity of the vehicle. When crossing domains, the vehicle does not need to provide the real identity to E-TA. Besides, communication between vehicles and RSUs should be encrypted.
Authorization and access control. Only legitimate vehicles can be verified and authorized by RSU and other vehicles without disclosing their real identity. Similarly, VANETs services are only available for legitimate vehicles.
Non-repudiation and revocation. All signatures in the scheme should not be denied by the signer. Once a dispute occurs and the real identity of the vehicle needs to be revealed to support traceability, the scheme should provide conditional anonymity and enable the vehicle to be revoked when misbehavior is detected.
Anonymity and unlinkability. The vehicle conceals its real identity even when crossing domains. In addition, it should be infeasible to link a pseudonym with the previous expired pseudonyms.
In terms of the effectiveness of the proposed scheme, we need to achieve the objective as follows.
Efficiency. The computational cost of the proposed scheme should be reduced to efficiently realize authentication and revocation. Therefore, the proposed scheme should be more robust, stable and scalable.

IV. THE PROPOSED SCHEME
This section elaborates on the proposed scheme. In order to facilitate the following description, we present the symbols and the definitions involved in the proposed scheme in Table 1. It should be noted that in our scheme, System Initialization and Key Extraction of RTA and TAs are based on IBS mechanism. RTA is the top authority. The public and private keys of all TAs are generated according to the public parameters issued by RTA, and each TA further generates the public parameters of its domain for the RSUs. All RSUs in the domain calculate their own public and private keys in terms of the public parameters issued by TA.
The proposed scheme is composed of the following protocols and methods: initial registration protocol, pseudonyms generation and credential acquisition protocol, pseudonyms resolution and revocation protocol, LTC resolution and revocation protocol, CRL construction, consistency and resolution.

A. INITIAL REGISTRATION PROTOCOL
When the OBU holds its LTC issued offline by the vehicle administration, it can access VANETs after it completes the initial registration process with the N-TA through the secure channel. At the same time, the OBU will receive crdl issued by the N-TA. As shown in Figure 5, OBU and N-TA execute initial registration protocol as below.

1) OBU generates a pseudonym request interval $[t_s, t_e]$ according to the general fixed policy proposed in [25], i.e., each TA specifies a common fixed interval and all pseudonyms issued in its domain have a lifetime aligned to the system clock. OBU calculates the interval in terms of the fixed interval P3 given by TA.
2) OBU registers with N-TA through a secure channel. OBU sends LTC and $[t_s, t_e]$ to N-TA.
3) N-TA encrypts OBU's real ID to generate the initial pseudonym $V_{ID}$ of the OBU and the corresponding private key $s_v$ according to the system parameters. After that, a "credential identifiable key" ($IK_{crdl}$) is created to bind the credential to the vehicle's certificate: $IK_{crdl} = h(C \| t_s \| t_e \| Rnd_{IK_{crdl}})$, where $C = Enc_K\{V_{ID}, exp\}$, $Rnd_{IK_{crdl}}$ is the random number generated by N-TA for this credential, and $exp$ is the expiration of LTC. Then N-TA generates crdl. crdl includes $\chi$ and $Sign(SK_{N-TA}, \chi)$, where $\chi \leftarrow (C, IK_{crdl}, t_s, t_e)$ and $SK_{N-TA}$ is the private key of N-TA.
4) N-TA sends $V_{ID}$, $s_v$, crdl, $Rnd_{IK_{crdl}}$ to OBU through the secure channel.

B. PSEUDONYMS GENERATION AND CREDENTIAL ACQUISITION PROTOCOL
When the OBU has obtained its V ID , s v and crdl, it will use them to interact with the RSU to obtain pseudonyms. The protocol described in this section is based on the secure V2I protocol. After the RSU completes the V2I authentication with the OBU as shown in Figure 6, the RSU and the OBU establish a secure channel.
where $r_{OBU}$ is randomly selected and $B = G^{r_{OBU}} \bmod p$. Then OBU calculates the shared key $K_{V-R}$ with RSU: .
4) OBU sends $c, \sigma_2, B, TS_2$ to RSU.
5) After receiving the message from OBU, RSU checks if $TS_2$ is fresh. If $TS_2$ is fresh, RSU calculates the shared key $K_{V-R} = B^{r_{RSU}} \bmod p$ and uses $K_{V-R}$ to decrypt $c$ to obtain $V_{ID}$. Then RSU uses $V_{ID}$ to verify $\sigma_2$. If the verification is successful, OBU is regarded as a legal one; otherwise RSU will reject the access request from OBU.
If the above verification is successful, the RSU and the OBU can establish a secure channel by negotiating a shared key. The shared key is created by the Diffie-Hellman key agreement approach. Through the secure channel, the RSU sends pseudonyms, pseudonym certificates, and the corresponding public and private keys for the OBU. As shown in Figure 7, the steps of pseudonym generation protocol are as follows.
1) OBU generates a pseudonym request message $m$: $m$ = crdl, $Rnd_{IK_{crdl}}$, $t_s$, $t_e$, where $t_s$ and $t_e$ are the start timestamp and the end timestamp of the actual pseudonym request interval.
2) Then OBU sends $Id_{req}$, $m$, nonce, $TS_3$ to RSU through the secure channel, where nonce is a random value freshly generated by OBU.
3) After receiving the request, RSU first uses the shared key with OBU to decrypt the request message signed by RSU with its private key $SK_{RSU}$. Then RSU generates the "pseudonym identifiable key" $IK_{P_v^i}$ to bind pseudonyms to OBU's credential: ). RSU implicitly associates a batch of pseudonyms belonging to each OBU by calculating the pseudonym sequence number $SN$, i.e., when $i=1$, ). Afterwards the RSU generates pseudonyms for OBU:

If the pseudonym request time in the credential is about to expire, the OBU sends the current crdl and the new request time interval $[t_s, t_e]$ to TA in the domain to apply for a new credential through the RSU. After the TA validates crdl, a new credential is generated to replace crdl that will soon be unavailable.
When the vehicle travels across domains, the OBU does not need to repeat the registration process with the E-TA. The OBU presents crdl and applies for a new "native" credential crdl. As shown in Figure 8, the steps are described in detail as follows.

7) When OBU receives $\{R_{ID}, \sigma_4, A, TS_6\}$, it first checks whether $TS_6$ is fresh. If $TS_6$ is fresh, OBU continues to verify $\sigma_4$. If the verification is successful, OBU calculates the shared key: $K_{V-R} = A^{r_{OBU}} \bmod p$.

After completing the above steps, the OBU and the RSU in the external domain establish a secure channel. The RSU sends the temporarily stored crdl, $Rnd_{IK_{crdl}}$ of the OBU and the new pseudonyms, pseudonym certificates, and corresponding public and private keys to the OBU through the secure channel.

C. PSEUDONYMS RESOLUTION AND REVOCATION PROTOCOL
When OBU has malicious behavior in VANETs, such as spreading disloyal traffic information, the pseudonyms (including those not expired) of the OBU should be revoked. The process of pseudonym resolution and revocation is described in detail as follows.
1) When $OBU_j$ receives the message $m$ sent by $OBU_i$ and considers $m$ to be a false message, $OBU_j$ generates a report including the message $m$, the pseudonym, pseudonym certificate, and $R_{ID}$ used to send $m$.
2) $OBU_j$ sends the report to the nearest RSU ($RSU_n$).
3) After receiving the report, $RSU_n$ needs to check whether message $m$ is a malicious message or not. If so, $RSU_n$ broadcasts revocation information, and further transfers the report to TA. If the pseudonym and certificate are generated by $RSU_n$, TA checks message $m$ and the legality of $OBU_i$. Otherwise, $RSU_n$ sends the report to the RSU ($RSU_p$) that generated the pseudonym and certificate for $OBU_i$ according to $R_{ID}$.
4) After getting the report, $RSU_p$ double-checks message $m$. If $m$ is malicious, $RSU_p$ then updates the contents of CRL to revoke all available pseudonym certificates of $OBU_i$. For LTC resolution, $RSU_p$ sends the corresponding $C$ to TA.

D. LTC RESOLUTION AND REVOCATION PROTOCOL
When TA receives revocation information of the OBU to be revoked from any RSU in the domain, two situations should be taken into account. Each TA maintains a list that records the Did corresponding to C and the crdl issued according to C. TA first searches the list according to C to check if Did is the native domain ID. If so, TA can directly recover the real identity of the OBU through decryption, and then revoke the LTC of the vehicle. If Did is not the native domain ID, TA needs to communicate with the TA in the domain specified by Did, informing it to resolve the real identity of the OBU and revoke the LTC.
All TAs send invalid or replaced crdl to all RSUs in the domain at any time, and send revoked LTC to other TAs.

E. CRL CONSTRUCTION
When a vehicle is to be deported, the RSU executes a CRL construction process comprising the following steps. 2) The RSU within a certain CRL will obtain the extended CRL with a Bloom filter.

F. CRL CONSISTENCY AND RESOLUTION
In our scheme, each RSU releases revocation information at any time to notify vehicles of any new revocation event.
Vehicles can receive the latest CRL in a timely manner through RSUs. In addition, TA will collect and check the extended CRL generated by all the RSUs in its domain at all times and issue an integrated authoritative CRL at fixed intervals. The two CRLs are consistent in contents and BF test results. By performing the BF test, the vehicle can verify whether the pseudonym of the other party is on the CRL. Upon receiving and verifying the CRL, each vehicle parses it by calculating the hash value $x$ times from $SN_k$ and $h^k(Rnd_v)$ of the revoked pseudonym: $SN_{i+1} = h(SN_i \| h(h^i(Rnd_v)))$, $i \in \{k, k+1, k+2, \ldots, k+x-1\}$, and thereby calculates all revoked pseudonym sequence numbers. Reversed entries stored in local repository can be searched for in $O(\log(n))$ time complexity [29]. The vehicle could locally generate a BF at a constant computational cost ($O(1)$) [18].
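The Bloom filter of Section II-D and the CRL parsing recurrence above, combined in an added example (not code from the paper): one CRL entry $(SN_k, h^k(Rnd_v), x)$ is expanded into all revoked sequence numbers and compressed into a filter. It assumes SHA-256 for $h$, double hashing to derive the $k$ filter indices, and constructed values for $Rnd_v$ and $SN_1$, whose derivation this text does not give.

```python
import hashlib
import math


def h(data):
    # Stand-in for the scheme's hash h; SHA-256 is an assumption of this example.
    return hashlib.sha256(data).digest()


def h_iter(seed, i):
    """h^i(seed): h applied i times."""
    for _ in range(i):
        seed = h(seed)
    return seed


def next_sn(sn_i, hi_rnd):
    """SN_{i+1} = h(SN_i || h(h^i(Rnd_v))); also returns h^{i+1}(Rnd_v)."""
    hi1_rnd = h(hi_rnd)
    return h(sn_i + hi1_rnd), hi1_rnd


def issue_batch(sn_1, rnd_v, n):
    """RSU side: sequence numbers SN_1..SN_n of one OBU's pseudonym batch."""
    sns, hr = [sn_1], h(rnd_v)              # hr = h^1(Rnd_v)
    for _ in range(n - 1):
        sn, hr = next_sn(sns[-1], hr)
        sns.append(sn)
    return sns


def crl_entry(batch, rnd_v, k):
    """Revoke pseudonyms k..n: publish (SN_k, h^k(Rnd_v), x) with x = n - k."""
    return batch[k - 1], h_iter(rnd_v, k), len(batch) - k


def expand_entry(sn_k, hk_rnd, x):
    """Vehicle side: derive SN_k..SN_{k+x} from one CRL entry."""
    out, sn, hr = [sn_k], sn_k, hk_rnd
    for _ in range(x):
        sn, hr = next_sn(sn, hr)
        out.append(sn)
    return out


class BloomFilter:
    def __init__(self, n_items, fp_rate):
        # Standard sizing: m = -n ln(p) / (ln 2)^2 bits, k = (m / n) ln 2 hashes.
        self.m = math.ceil(-n_items * math.log(fp_rate) / math.log(2) ** 2)
        self.k = max(1, round(self.m / n_items * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item):
        # Assumption: the k independent hashes are simulated by double hashing.
        d = hashlib.sha256(b"bf|" + item).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item):
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item):
        return all(self.bits[p >> 3] >> (p & 7) & 1 for p in self._positions(item))


def build_filter(entries, fp_rate=0.001):
    """Compress the expanded sequence numbers of all CRL entries into one BF."""
    revoked = [sn for e in entries for sn in expand_entry(*e)]
    bf = BloomFilter(len(revoked), fp_rate)
    for sn in revoked:
        bf.add(sn)
    return bf, revoked


# Constructed sample values (not from the paper).
RND_V = b"constructed-rnd-v"
SN_1 = h(b"constructed-sn-1")
BATCH = issue_batch(SN_1, RND_V, 10)        # SN_1..SN_10
ENTRY = crl_entry(BATCH, RND_V, 4)          # revoke from the 4th pseudonym on

if __name__ == "__main__":
    bf, revoked = build_filter([ENTRY])
    print("CRL entry bytes:", len(ENTRY[0]) + len(ENTRY[1]), "covers", len(revoked))
    print("filter bits:", bf.m, "hashes:", bf.k)
    print("SN_7 flagged:", BATCH[6] in bf)
    # SN_1..SN_3 cannot be derived from the entry: that would need
    # h^1..h^3(Rnd_v), i.e. inverting h starting from h^4(Rnd_v).
    print("expired SNs in expanded list:", any(s in revoked for s in BATCH[:3]))
```

A filter hit is only probabilistic, so a receiver that cares about false positives can confirm a hit against the expanded list before rejecting a pseudonym.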

V. SECURITY ANALYSIS
In this section, the security analysis of the proposed scheme is mainly conducted from two aspects: satisfying the security and privacy requirements and resisting attacks.

A. SECURITY AND PRIVACY FEATURES
This subsection analyzes the security of the proposed scheme in detail to show that our scheme is capable of achieving desired design objectives as follows.
Authentication and confidentiality. The authentication scheme adopts the BLMQ signature mechanism, and the security and correctness of the proposed scheme can be completely and effectively proved in V-B. The OBU and RSU that have completed authentication protocols will obtain a secure shared key for subsequent communication. The shared key is generated using a secure key sharing algorithm. No malicious node can obtain the correct key, thus ensuring secure communication. Moreover, the proposed scheme can achieve V2X authentication without exposing OBU's identity. In the first mutual authentication process between OBU and RSU, OBU presents the initial pseudonym issued by N-TA. In the authentication process between OBUs, the new anonymous identity issued by RSU is used instead, to avoid exposing the relevant information about the real identity. When the vehicle travels across domains, the vehicle does not need to let the TA of the external domain know its real identity. As for CRL, the authenticity and integrity of the CRL published by RSU can be verified by the CRL signer's signature.
Authorization and access control. As a Trusted Third Party (TTP), N-TA certifies and authorizes OBU, and issues crdl for OBU so that OBU can request pseudonyms from any RSU by presenting crdl. Even if driving to an external domain, the current crdl can help the OBU obtain a new available one without exposing its real identity information to entities in other domains. RSU then verifies the credential and provides pseudonyms for the OBU based on the previously established trust.
Unforgeability, non-repudiation and revocation. In our scheme, only a legal OBU can obtain the pseudonym certificate and the corresponding private key to sign messages. Since all $(pk^i_v, sk^i_v)$ and $Cert^i_v$ of OBU need to be generated by the cooperation of TA and RSU, no OBU can generate the keys and certificates on its own, nor can it forge others' signatures.
Once a dispute occurs and the LTC of the OBU needs to be revealed, our scheme enables traceability. Each TA can recover the real identity of the malicious OBU from its anonymous identity, either directly or through cooperation with the relevant TA. As detailed in section IV-A, acquiring crdl requires the vehicle to submit LTC containing real identity information to TA, all crdl are acquired and replaced on a trusted and secure channel, and the pseudonym acquisition requires a valid crdl. TA and RSU compute the credential and the pseudonym identifiable key respectively to bind them to the corresponding LTC and the credential. Moreover, since the CRL with a BF is signed by RSU, no RSU can deny that it contains any pseudonym sequence number. The correctness of the CRL can also be verified by OBU through the authoritative CRL from TA. The segregation of duties between TA and RSU provides conditional anonymity and enables the vehicle to be revoked when misbehavior is detected. In addition, each request that gets a credential needs to be authenticated to prevent abuse of the mechanism by signing with the currently valid pseudonym of the vehicle.
Anonymity and unlinkability. In our scheme, pseudonym certificates are generated by RSU according to anonymous credentials. These certificates do not contain any identifiable information and cannot be linked to a particular OBU or to other pseudonym certificates. Only N-TA is able to decrypt C and recover the real identity of the OBU. Moreover, C is the encryption result of the real identity, so it reveals no identity information of the OBU to anyone except N-TA.
After OBU is connected to RSU, it obtains multiple pseudonyms issued by the RSU. In V2V authentication and communication, the unexpired pseudonyms used by OBU are not related to other pseudonyms, so the attacker cannot perform correlation analysis on multiple messages, i.e., given $P^i_v$ and $P^{i+1}_v$, it is computationally hard to decide whether they correspond to the same OBU without knowing $SN^i$ and $H^i_{Rnd_v}$. According to the proposed protocol, the vehicle hides its real identity even when it crosses domains. The request interval for pseudonyms of the vehicle falls within the fixed P3, and the validity period of the pseudonym is aligned, so the time information cannot be used to link two consecutive pseudonyms. In addition, since hash chains are used in the pseudonym publishing process, it is not feasible to link a pseudonym with the previous expired pseudonyms. Moreover, the random number $Rnd_v$ makes the pseudonyms in OBU's pseudonym certificates totally different, which makes it infeasible for the attacker to link OBU's previous pseudonym certificates. For an honest but inquisitive RSU, time information may be inferred from pseudonyms or the context of CRL to link pseudonym sets and track the vehicle. However, all issued pseudonyms are aligned with the clock of the RSU, so pseudonyms are not distinguishable.

B. ATTACK RESISTANCE
In the attack model of the proposed scheme, different threats are considered. Specifically, it is semantically protected against both passive and active attacks. Let a passive attacker get an encrypted and pseudonymized message during the communication. In order to find the valid key, the attacker has to solve the hard mathematical problems. The shared key is generated by the Diffie-Hellman key agreement algorithm, which is secure enough in ITS. Moreover, to further enhance security, a nonce is also introduced. Therefore, without the key and the nonce, it is impossible for an attacker to eavesdrop on the communication. For an active attacker, if he or she tries to insert a bogus message or alter the contents of the message as an external adversary, the verification of signatures is able to prevent the attacks from happening. Furthermore, an external adversary cannot obtain any private information either, since all the communication in the proposed scheme is encrypted and authenticated. If the attacker wants to generate the key pairs in real time, he or she should have prior knowledge of the parameters as elaborated in section IV-A. On the other hand, TA issues the initial pseudonym to the vehicle in a secure channel. Therefore, the internal adversary cannot obtain the real identity of the vehicle. Similarly, after obtaining crdl and pseudonyms, the attacker is unaware of the valid identity of a vehicle during V2X communication. Consequently, it is impractical to launch active attacks.
As for the security of the authentication, in the proposed scheme, it mainly depends on the initial V2I authentication which is based on IBS mechanism. Reviewing III-D, there is Theorem 1.
Theorem 1: If no polynomial time attacker A wins the game in III-D with at least advantage $\varepsilon$ in time t after $q_k$ times of key extraction queries and $q_s$ times of signature queries, the proposed scheme is secure under adaptive chosen message and identity attacks.
Proof: Reducing the description of Theorem 1 to q-SDHP, there is Theorem 2.
Theorem 2: Under the random oracle model [30], if there exists an adaptively chosen message and identity attacker A that wins the game in III-D with advantage $\varepsilon \geq 10(q_s + 1)(q_s + q_{h_2})/2^k$ within a time t after making $q_{h_i}$ queries to random oracles $H_i$ (i = 1, 2) and $q_s$ queries to the signing oracle, then there exists an algorithm C that is able to solve the q-SDHP for $q = q_{h_1}$ in an expected time $t' \leq 120686\, q_{h_1} q_{h_2} (t + O(q_s \tau_{bp}))/(\varepsilon(1 - q/2^k)) + O(q^2 \tau_{mul})$, where $\tau_{bp}$ and $\tau_{mul}$ denote the cost of a pairing evaluation and a scalar multiplication respectively.
It can be proved that in the mechanism of the proposed scheme, C can provide A with a perfect simulation and solve q-SDHP through interaction with A. The mathematical proof depends on the forking lemma and is given in detail in [23]. If the q-SDH assumption holds, that is, q-SDHP is difficult to solve, then no polynomial time attacker A wins the game in III-D with at least advantage $\varepsilon$ in time t. Therefore, Theorem 1 is proved. The proposed scheme can be proved to be existentially unforgeable under adaptive chosen message and identity attacks.
Moreover, the scheme can also defend against other types of attacks.
Impersonation attack. In the initial authentication process between the OBU and the RSU, the private key for signing and the public key for verifying the signature of the OBU are both calculated by N-TA, and issued to the vehicle through the secure channel, so the attacker cannot impersonate other nodes to forge signatures.
Tampering attack. According to the scheme of this paper, the messages are signed separately in the mutual authentication phase between two OBUs or between OBU and RSU. If a message is tampered with, verification fails, which effectively prevents tampering attacks.
Replay attack. In our scheme, OBU and RSU use a nonce in conjunction with timestamp TS checking, which can effectively thwart replay attacks.
Spoofing attack. Since there is a secure channel between OBU and TA, it is impossible for an attacker to intercept LTC sent from the OBU and any available crdl and key pairs from TA. Furthermore, during V2X communication, the signature ensures the integrity and tamper resistance of information. Even if the attacker successfully intercepts the message, he/she cannot modify the content of the message without the knowledge of both parties.
Key stealing attack. After the mutual authentication between OBU and RSU, RSU issues multiple anonymous identities and corresponding signature keys to OBU. The keys and pseudonyms will be encrypted with the shared key $K_{V-R}$, which effectively prevents the keys from being stolen by attackers during key transmission.
Sybil and DoS attacks. When a vehicle requests a credential from TA, TA issues only one valid credential to the vehicle, preventing the vehicle from requesting more valid pseudonyms at the same time. In addition, the credential is implicitly bound to a specific TA (N-TA), so it cannot be used multiple times. RSU gives a pseudonym that does not overlap the validity period of the vehicle, and no vehicle can provide more than one valid pseudonym at any time, so Sybil attacks can be defended. We use a nonce (a unique string whose value is valid only for a short time) that is included in the payload to guard against DoS attacks, and our scheme has an advantage in defending against DDoS attacks through a significant reduction in CRL size.
Through the above analysis, the proposed scheme is able to meet the security and privacy requirements of VANETs well.

VI. PERFORMANCE ANALYSIS
In this section, the performance of the proposed scheme in terms of anonymous identity authentication efficiency and pseudonym revocation efficiency is analyzed.

A. ANONYMOUS IDENTITY AUTHENTICATION EFFICIENCY
The proposed scheme is compared with CPAS [36], ACPN [37], and PACP [38] in computational cost for the authentication efficiency analysis. The computational cost is calculated by the related network entities in the V2I and V2V authentication process. With the adoption of edge computing, RSUs typically have abundant computing resources and therefore the computing overhead of RSUs is not considered in this paper.
The following is a comparative analysis of the computing overhead of OBU under different schemes. For convenience of comparison, in our scheme, we calculate the overhead of the OBU according to the RSA signature mechanism during signature and verification. In the authentication process of the schemes, the main computing operations include: bilinear pairing operation (bp), map-to-point hash operation (mtp), hash function (h), point addition (pa), point multiplication (pm), scalar multiplication (mul), exponentiation in $G_2$ of the bilinear pairing (ep2), RSA sign ($RSA_s$), RSA verification ($RSA_v$) and RSA encryption ($RSA_e$). Let $T_x$ denote the calculation cost of operation x. Compared with the above operations, the calculation cost of $T_h$, $T_{pa}$ and $T_{RSA_v}$ can be omitted according to [31], [32], and according to [38], the computational overhead of RSA encryption is the same as that of RSA verification. In addition, by summarizing the experimental results and conclusions from [33]-[35], we can obtain the following relationships of the execution time (ms) of the operations, as in (2)-(6).
$T_{bp} = 1.6\,(ms) = 3T_{RSA_s}$ (2)
$T_{mtp} = 1.5T_{RSA_s} = 0.8\,(ms)$ (3)
$T_{ep2} = 1.125T_{RSA_s} = 0.6\,(ms)$
$T_{mul} = T_{RSA_s} = 0.533\,(ms)$
In the V2I authentication protocol of the scheme proposed in section IV-B, the OBU verifies the BLMQ signature by checking whether the equation $h_{RSU} = H_2(A \| TS_1, e(V_{RSU}, H_1(R_{ID})P + P_{pub})g^{-h_{RSU}})$ holds and generates a signature. The OBU generates a BLMQ signature $\{h_{OBU}, V_{OBU}\}$, where $x = g^{r_{OBU}}$, $h_{OBU} = H_2(B \| TS_2, x)$, $V_{OBU} = (r_{OBU} + h_{OBU})s_v$. In addition, the OBU also needs to calculate the shared key $K_{V-R}$, which is equivalent to two RSA encryption operations. Therefore, the computational cost of the proposed scheme in the V2I authentication process is:
In the V2V authentication process of our scheme, since all OBUs communicate with each other using pseudonyms, the OBU needs to verify the RSU's signature on the pseudonym certificate by checking whether $\{h_{RSU}, V_{RSU}\}$ is valid. After the above verification is successful, the OBU will use the other OBU's public key to verify the signed message through one RSA verification operation. The OBU also needs to generate its RSA. From the above analysis, it can be seen that the computational cost of our scheme in the V2V certification process is:
In the V2I certification process of CPAS scheme, the OBU calculates the digital signature: In addition, the OBU needs to verify the digital signature from the RSU: . Therefore, the computational cost of CPAS scheme in V2I certification process is:
In the V2V certification process of CPAS scheme, the OBU calculates the digital signature: From the above analysis, the computational cost of the CPAS scheme in the V2V authentication process is:
In the V2I authentication process of ACPN, the OBU generates a pseudonym: $PS_v = Time\; E_{PK}(ID_v)\; HR_{RSU}$, where $ID_v$ is encrypted using the RSA encryption algorithm. The OBU generates a signature: $r = e(P_1, P)$, $v = h(m, r)$, $u = v \cdot S_{ID} + kP_1$, $\{0, 1\}^* \to G_1$. Therefore, the computational cost of the V2I authentication process of the ACPN scheme is: (11)
In the V2V authentication process of ACPN, the OBU generates signature $\sigma = H_4(m, R)x + r$ and verifies signature $(S, \sigma, R)$ by checking whether the equation $e(P_{pub}, S) = e(P \cdot H_4(m, R)R, Q_{ID})$ holds, where $H_4: \{0, 1\}^* \times G_1 \to Z_q^*$. It can be seen that the computational cost of the ACPN scheme in the V2V authentication process is:
In the V2I authentication process of the PACP scheme, the OBU generates an IBS signature and verifies the signature sent by the RSU. Since the author did not specify a specific signature algorithm, it is assumed to be the BLMQ signature. In addition, the OBU needs to perform encryption and decryption operations as follows: λ j (a,i) = e(τ j (a,i) , σ j aP), , 1} * . Therefore, the computational cost of the PACP scheme in the V2I authentication process is:
In the V2V authentication process of PACP, the calculation process of the OBU is basically consistent with that in V2I. The OBU needs to generate a signature and verify the signature issued by the RSU by performing two map-to-point hash operations, two bilinear pairing operations, and one point multiplication. According to the above analysis, the computational cost of PACP scheme in the V2V certification process is: (14)
The computational cost of the proposed scheme is evaluated and presented in Table 2 and Table 3, respectively. Since the time of the symmetric encryption operation ($T_{enc}$) is at the microsecond level [42], it can be ignored. The computational costs of the different schemes for V2I and V2V authentication are shown in Figure 9. It should be noted that according to the previous analysis, we do not calculate the cost of $T_{RSA_e}$ and $T_{RSA_v}$ here. The comparative analysis shows that in the V2I and V2V authentication process, the proposed scheme has lower computational cost than the other three schemes.
In order to further demonstrate a comprehensive comparison between our scheme and the existing schemes, a comparative analysis of the related schemes is shown in Table 4. It can be seen from the discussion in related work and the comparative analysis of performance that our scheme is more efficient than [7], [10], [14], [36]-[38], [45]. Though [42], [44], [46] also show obvious advantages in efficiency, [42] has a key escrow problem, and those three all have the threat of Sybil attack. It is worth mentioning that although [46] does not address cross-domain issues, its distributed framework can also be extended to adjust to this scenario.

B. PSEUDONYM REVOCATION EFFICIENCY

1) DISTRIBUTION EFFICIENCY OF REVOKED PSEUDONYMS
Before the comparative analysis, we first consider a scenario in which there are 1 million cars in VANETs. On average, each vehicle travels for four hours. Assuming = 30 minutes and $\tau_P$ = 5 minutes, then each needs 6 pseudonyms, i.e., 48 pseudonyms for each vehicle per day, and all these pseudonyms are issued in time at non-overlapping intervals [39]. Assume that one percent of these vehicles need to be expelled from the system for security reasons. Therefore, the revocation information published every day contains 480,000 entries, so the CRL size is about 14.6 MB (each pseudonym has a 256-bit serial number). By implicitly binding the pseudonyms belonging to each OBU, one entry can be distributed with some additional information for a batch of revoked pseudonyms in , with a total of 8 entries distributed for each revoked vehicle instead of 48 entries. Therefore, the CRL contains 80,000 entries, each with a 256-bit serial number and 256-bit additional information, and the CRL size will be significantly reduced to about 4.9 MB.

2) CRL SIZE
Our scheme is improved on the basis of the $C^2RL$ scheme [40], which prevents vehicles from receiving a large amount of revocation information unrelated to their own travel through time alignment, and realizes batch revocation of pseudonyms while ensuring unlinkability through implicit binding of pseudonyms [47]. In the $C^2RL$ scheme, by compressing the revocation information, the size of the CRL is given by $size = -\frac{N \times M \times \ln p}{(\ln 2)^2}$ [41], where N is the total number of damaged vehicles, M is the average number of pseudonyms revoked by each vehicle in each CRL , and p is the probability of false positive. As shown in Figure 10, if N is known, the size of the CRL increases linearly with M. Under the proposed scheme, it is adequate to publish only one entry to revoke all pseudonyms of the misbehaving vehicle within one CRL time interval. The size of the CRL in each CRL is given by $(256 + 256) \times N$, where 256 bits are used for pseudonym sequence numbers and 256 bits are used for their corresponding hash values. In addition, only when the probability of false positive increases can the $C^2RL$ scheme be comparable with the proposed scheme in the size of the CRL. For example, if M = 10, the false positive probability of the $C^2RL$ scheme should be $10^{-10}$ to achieve a size of the CRL equivalent to the proposed scheme. Moreover, when $p = 10^{-30}$, the size of the CRL in our scheme will be reduced by more than 2 times compared with the $C^2RL$ scheme. Through the above comparative analysis, it can be shown that our scheme has a good performance in reducing the CRL size.

VII. CONCLUSION
This paper proposes a secure and efficient identity-based anonymous authentication scheme that can support cross-domain authentication of vehicles. Pseudonyms are adopted to strengthen the privacy protection of vehicle users. By introducing a fixed-interval pseudonym acquisition policy, all the pseudonyms issued in a domain have a lifetime aligned with the TA and RSUs, which can prevent linking of the pseudonyms. All the pseudonyms remain unlinked when the revocation event occurs, thereby improving the privacy protection strength. Bloom filter is further employed to optimize CRL. Moreover, pseudonyms are revoked in batches in terms of the pseudonym sequence number and a hash value in the CRL, which is able to enhance the performance of the scheme. Security and performance analysis demonstrate that the proposed scheme is robust and efficient.
The future work is to present a more effective pseudonym generation and changing mechanism for VANETs. The pseudonym generation mechanism will not depend on RSU or other trusted authority to issue public and private keys in advance. OBU may depend on the certificateless pseudonym scheme to generate random pseudonyms independently. Certificates or secret keys are no longer necessary, which will significantly reduce the deployment and management costs. Moreover, the performance of pseudonym revocation will be further improved by replacing CRL by employing noninteractive zero-knowledge.
JIAYU QI received the master's degree from Software College, Northeastern University, in 2019, where she is currently pursuing the Ph.D. degree, focusing on the application of edge computation and blockchain technology in VANETs security. During her master's degree, her research direction was the next generation of wireless network security. Her main research content is VANETs security and privacy protection. She has published a paper on anonymous authentication of VANETs in 2018. His primary research interests are next-generation network security, wireless mesh network security, security and privacy in ubiquitous computing, as well as virtual reality. VOLUME 8, 2020