Design of Secure Decentralized Car-Sharing System Using Blockchain

Car-sharing systems can solve various urban problems by providing shared vehicles to people and reducing the operation of personal vehicles. With the development of the Internet of Things, people can easily use a shared car through simple operations on their mobile devices. However, the car-sharing system has security problems. Sensitive information, such as the user’s identity, location information, and access code, is transmitted through a public channel for car-sharing. Hence, an attacker can access this information for illegal purposes, making the establishment of a secure authentication protocol essential. Furthermore, the traditional car-sharing system is established on the centralized structure, so there is a single point of failure. Thus, the design of a decentralized car-sharing scheme is vital for solving the centralized problem. This study designed a decentralized car-sharing scheme using blockchain. Specifically, blockchain technology was used to provide a decentralization car-sharing service and ensure data integrity. The participant entities of the proposed system can be authenticated anonymously. The proposed car-sharing system can be secured against various attacks and provide mutual authentication using informal analysis, automated validation of internet security protocols and applications (AVISPA) simulation, and BAN logic analysis. The computation costs and communication costs of the proposed scheme were also analyzed.


I. INTRODUCTION
Car-sharing systems were introduced to help solve transportation problems in urban areas, such as traffic congestion on the road, pollution from fuel combustion [1], [2], and shortage of parking place from the increased number of vehicles. Car-sharing systems offer the benefits of private vehicle use without the costs and responsibilities of ownership to users and reduce private vehicle ownership. Rather than owning one or more vehicles, a household or business can access a fleet of shared vehicles on an as-required basis. With these advantages, car-sharing systems have proliferated. In 2019, the car-sharing market size exceeded USD 2.5 billion and is expected to surpass USD 9 billion by 2026 [3].
The associate editor coordinating the review of this manuscript and approving it for publication was SK Hafizul Islam .
The car-sharing system is classified as business models such as Business-to-Consumer (B2C) and Peer-to-Peer (P2P) car-sharing service models [4]. In the B2C service model, companies have deployed their shared cars that are rented out to users. Unlike B2C, the P2P service model is a system in which car owners convert their personal vehicles into shared cars and rent them to other users on a short-term basis [5]. In both car-sharing models, a service vendor assists the car owners and renters by acting as an intermediary and provides the resources needed to make the exchange possible, such as an online platform and customer support [6]. Under this system, users can book and lease a shared car on an online service platform using their smartphones.
The advent of car-sharing systems can alleviate transportation problems, but car-sharing systems have security problems. The user operates their smartphone to lease a shared car by a simple operation on the online applications in the car-sharing system. However, because the information is transmitted through a public channel, a malicious attacker can easily eavesdrop, forge, delete, and modify the information. Unfortunately, if a digital key or code for accessing is exposed, the malicious attacker can control the shared car and steal it. Therefore, secure authentication must be guaranteed to provide a secure communication channel. Moreover, a user authentication step is essential to check that the user has the right and ability to drive a car. Users must submit their information (e.g., identity and driving license) to the service provider (e.g., sharing service company) when they request a car-sharing service. The service provider verifies that the customer has the right and ability to drive as a valid driver. After that, the user can utilize the car-sharing service through a service provider.
In a traditional car-sharing system, the user's information and service information can be stored and controlled at a centralized service server. However, a centralized server suffers from a single point of failure by a malicious attacker. For example, if the service server is compromised and all the sharing records are deleted, then the user will not obtain the previous records corresponding to the utilized car information when there is a missing item on the car. Furthermore, if the sharing records are tampered or rewritten when the user has conducted fraudulent activities during car-sharing. It is difficult to obtain the user's evidence a crime from these records. In addition, if the stored information has been leaked, it brings serious privacy issues because it is related to the user's privacy. Therefore, it is necessary to resolve the above-mentioned problems incurred from a centralized structure.
Blockchain is a network technology that keeps transactions and establishes a chain form linked by hash values [7]. Blockchain is considered a trusted distributed ledger that ensures the decentralization and integrity of information to resolve the above-mentioned problem [8], [9]. The tamperproof and traceable features of a blockchain system ensure the auditability of data operation, thereby ensuring data security [10], [11]. This paper proposes a decentralized car-sharing system model and a secure authentication protocol using blockchain to guarantee security, integrity, and decentralization. Stations provide a place for parking and sharing a car, and they act as the service vendor for a user to authenticate. These stations maintain a blockchain to provide a decentralized car-sharing service. When a car-sharing service occurs, the station authenticates the user and stores the service information in the blockchain. Furthermore, in the proposed system, a user utilizes the pseudonym for anonymity while using the car-sharing service. Therefore, even if the stored service information is leaked to an adversary, the attacker cannot infer the user.

A. CONTRIBUTION
The main contributions of this paper are as follows: • A secure decentralized car-sharing system was designed using blockchain where stations provide a car-sharing service for the users replacing a single service vendor, and the stations maintain the blockchain by acting as a blockchain node.
• This paper proposes a secure authentication scheme for the decentralized car-sharing system, which withstands various attacks, including impersonation and replay attacks, and provides secure mutual authentication and privacy-preserving.
• The Burrows-Abadi-Needham (BAN) logic analysis is presented to analyze whether the proposed car-sharing scheme provides secure mutual authentication.
• The automated validation of internet security protocols and applications (AVISPA) was performed to analyze man-in-the-middle (MITM) and replay attacks. The performance analysis was compared with related schemes to show that the proposed authentication scheme can be applied to the blockchain-based car-sharing system.

B. PAPER ORGANIZATION
This paper is organized as follows. Sections II and III review previous interrelated researches and relevant preliminaries, respectively. A secure decentralized model of a car-sharing system is defined in Section IV. Section V presents the proposed car-sharing system. The security of the scheme is analyzed in Section VI, and the computation and the communication costs of the proposed scheme are discussed in Section VII. Finally, this paper is concluded in Section VIII.

II. RELATED WORK
Some studies discussed the security and user privacy in carsharing systems [12]- [14]. Vaidaya and Mouftah [12] discussed security issues and the requirements of the car-sharing system. In their article, the connected and autonomous vehicles with external connectivity have security and privacy issues, such as eavesdropping, man-in-the-middle, replay, and denial-of-service attacks. Thus, secure communication and user authentication are essential for secure car-sharing systems. They also proposed a system overview of a personal vehicle sharing system. Symeonidis et al. [13] specified the security and privacy requirements for a car-sharing system. They reported that entity authentication, data integrity, confidentiality, non-repudiation, and authorization are required to design a car-sharing system to mitigate security threats. Furthermore, anonymity is needed to protect the users' privacy. Some studies proposed an authentication protocol and secure system in a car-sharing system [15]- [19]. Busold et al. [15] suggested an authentication protocol for car access and rights delegation using a smartphone and access token. Wei et al. [16] proposed a hierarchical carsharing system. Their system consisted of three entity levels: a key generation center was the top level; owners or sharing companies were the middle level; the users were the lowest level. Each level receives a key to access the vehicle from the upper level. Therefore, the user obtains the access key from VOLUME 9, 2021 the owners or companies and uses it to access the sharing vehicle through NFC communication. Laurent et al. [17] proposed an authentication protocol for a car-sharing service, which addresses privacy-preserving using a pseudonym. Park et al. [18] suggested an authentication method using fingerprints. In their protocol, the server is vulnerable to a DoS attack. Dmitrienko et al. [19] proposed a secure freefloating car-sharing system. In their system, if a user wants to reserve the car-sharing service, the user is authenticated by the car-sharing provider to obtain an access token. The user can then access the vehicle using the access token and mobile device. However, their scheme did not consider the users' privacy. Moreover, these authentication schemes for car-sharing systems suffered from a single point of failure problem and bottleneck problem because they depend on a central node to manage the data and operate the system.
Recently, the characteristics of blockchain, such as decentralization, tamper-proof, and security, have motivated researchers in security authentication. Some blockchainbased authentication schemes [20]- [22] use a blockchain to achieve secure authentication without depending on a central node. Wang et al. [20] designed a blockchain-based anonymous authentication and key agreement protocol for a smart grid system. Xiong et al. [21] proposed a blockchainbased authentication scheme for multi-server architectures. Wang et al. [22] proposed a blockchain-assisted handover authenticated key agreement scheme in an edge-computing environment. In these schemes [20]- [22], the authentication servers, which maintained the blockchain, authenticate the user by employing the user's information stored in the blockchain. Therefore, there is no need for support by a registration authority in the authentication phase.
From related work, there has not been a secure authentication protocol for car-sharing systems. Therefore, this paper proposes a decentralized car-sharing system model and a secure authentication protocol using blockchain.

III. PRELIMINARIES
This section introduces the adversary model and relevant mathematical preliminaries used in this paper, including the blockchain and elliptic curve cryptosystem (ECC).

A. BLOCKCHAIN
Blockchain is a distributed ledger that offers decentralization, integrity, and tamper resistance. Blockchain can be classified into three categories: public blockchain (also called permissionless blockchain), consortium blockchain, and private blockchain (also both are permissioned blockchain) [23], [24]. In a public blockchain, every node keeps the ledgers, participates in the consensus, and has the permissions for reading and writing the data. This results in the arduous task of reaching a consensus quickly and high maintenance costs. Moreover, any node in the public blockchain can join or leave the network easily without authorization; hence, an adversary can easily join. Therefore, a public blockchain is unsuitable in a car-sharing system because the car-sharing records are related to the users' privacy. On the other hand, only authorized nodes can access the blockchain in a consortium blockchain and private blockchain. A private blockchain is managed by an authorized organization, and it has centralized characteristics [25]. On the other hand, a consortium blockchain is partially private, and has efficient consensus time and maintenance costs, which is operated under an authorized group. Therefore, a consortium blockchain was used to propose a car-sharing system.

B. ELLIPTIC CURVE CRYPTOSYSTEM (ECC)
ECC is a public-key cryptosystem, which is based on elliptic curve [26], [27]. It is widely utilized to construct cryptographic protocols because of a smaller key length and the same level of security compared to other encryption methods. In an ECC, an elliptic curve is defined as E p (a, b): y 2 = x 3 + ax + b over a prime finite field Z q , where q is a large prime, (a, b) ∈ Z q , and 4a 3 + 27b 2 = 0 (mod q). Let P be a point on E p (a, b). The security of ECC depends on the following intractable problems.
• Elliptic Curve Discrete Logarithm Problem (ECDLP): The finding x ∈ Z q in probability polynomial time is negligible when given two points Q and P, where Q = x · P.
• Elliptic Curve Decisional Diffie-Hellman Problem (ECDDHP): The finding (x · y) · P in probability polynomial time is negligible when given three points Q, R,and P, where Q = x · P and R = y · P.

C. ADVERSARY MODEL
The capabilities of the adversary are based on the Dolev-Yao (DY) attack model. The Dolev-Yao threat model [28] is widely accepted in evaluating the security of a protocol [29]- [32]. The capabilities of an adversary model can be defined in the following manner: • An attacker can intercept, modify, forge, and delete the messages transmitted via a public channel.
• An attacker can guess either the identity or the password of a user but cannot guess both of them simultaneously.
• An attacker can steal the mobile device of a legitimate user. The attacker can then attempt a power analysis attack to extract the stored values in the device [29], [33].
• An attacker can attempt various attacks, such as impersonation, man-in-the-middle, replay attacks, etc.

IV. SYSTEM MODEL
The proposed authentication scheme for a car-sharing system was designed based on blockchain consisting of five entities: trust authority, stations, owner, vehicle, and user. A trust authority sets up the system and issues the credential and pseudo-identity to the user and the vehicle owner as a trust entity. Stations have data storage and computing and organize the consortium blockchain. The user sends the request for car-sharing to the owner through the station. After being authenticated, the user receives the access code to unlock and control the vehicle. The proposed system model is depicted in Figure 1.
• Trust authority: A trust authority is responsible for setting up the system, generating the keys for the stations, and issuing credentials and pseudo-identity to the user and vehicle owner. It is assumed that the trusted authority is not captured easily and is completely trustworthy. The credential proves who has a right and ability to drive, and the pseudo-identity is used in the car-sharing system to replace the real identity. When disputes occur in the car-sharing system, the trust authority exposes the identity of the malicious users based on the data stored in the blockchain.
• Stations: The station provides the car-sharing service place and platform for users and vehicle owners as an arbitrager. The station receives the user and owner's credentials for registration in the car-sharing system. The station verifies the received credentials and stores their information in the blockchain. When the station receives the user's request for a car-sharing service, the station authenticates the user using the information stored in the blockchain. It provides the car-sharing service by transmitting the information received from the vehicle owner. The station stores the provided service information in the blockchain, which can be used as the basis for the arbitration of disputes by the trusted authority.
• User: The user can use the car-sharing service through a mobile device, such as a smartphone. The user sends the request and authentication messages to the station to prove that the user is an authorized driver. The station authenticates the user based on the information stored at the blockchain. After being authenticated and obtaining the vehicle access code, the user can access the vehicle using their mobile device.
• Owner: The owner translates their vehicle to the shared vehicle by registering the information of the vehicle at the station. Once the station sends the user's request for sharing the vehicle, the owner generates the access code and transmits it to the station to distribute the access code to the user and vehicle.
• Vehicles: Vehicles are parked at the station and are ready for sharing by authorized users. There are communication modules and tamper-proofing modules in vehicles. The vehicle receives the access code through the communication modules, which it uses to check whether the user accessing it is authorized. All parameters used in vehicles are stored in a tamper-proof module for secrecy.
The communication flows on the proposed car-sharing system are depicted as follows:

User and owner send the real identities and licenses to
TA to obtain the pseudo-identity and the credentials for registering a car-sharing system. 2. The user and owner register their pseudo identities, public keys, and information of shared car at the station to access the car-sharing service. 3. The user sends the station a request for access to a shared car using a mobile device. The station authenticates the user and notifies the request to the owner. The owner issues a code to access a shared car and sends the code to the user and car through the station. 4. The user utilizes the mobile device that stores the code to access the shared car and starts the sharing service. When the user finishes the sharing service, they park the car at the nearest station and send the return messages to the station.

V. PROPOSED SCHEME
This section presents the proposed secure authentication scheme for the car-sharing system based on blockchain. The proposed protocol includes the system setup phase, registration phase, authentication phase, and return phase. Table 1 lists the symbols used in the paper.
A. SYSTEM SETUP Before the system, TA sets up the system parameters. TA selects large prime number p, q, an elliptic curve E p , a base point P, two hash functions h 1 : {0, 1} * → {0, 1} * , h 2 : {0, 1} * → Z q and a secret key sk TA . Then, the TA generates a public key PK TA = sk TA · P and publishes (p, q, G, P, PK TA , h 1 , h 2 ) it as the system parameters. U i and O j are the received credential and pseudo-identity from TA before registration in the car-sharing system. These steps are executed over a secure channel. Figure 2 and 3 present the detailed process.

1) USER SETUP
• Step 1: U i selects ID i and PW i and generates a private key and a random number sk i , a i ∈ Z q . U i then computes PK i = sk i · P and sends {ID i , l, PK i } to TA, where l is a driving license.
• Step 2: After TA receives {ID i , l, PK i }, it verifies the ID i and l. If it is valid, TA generates a random number r i ∈ Z q and computes  2) OWNER SETUP • Step 1: O j generates a private key sk j ∈ Z q . Then, O j computes PK j = sk j · P and sends {ID j , l, PK j } to TA, where l is a driving license.
• Step 2: TA receives {ID j , l, PK j }, and TA verifies the ID j and l. If it is valid, TA generates a random number r j ∈ Z q and computes CID j = ID j ⊕ h 1 (r j · PK TA ), R j = r j · P, z j = r j + h 2 (CID j ||R j ||PK j ) · sk TA . And then, TA stores CID j with R j and sends {z j , CID j , R j } to O j .

1) USER REGISTRATION
• Step 1: U i inputs ID i and PW i and calculates 2) OWNER REGISTRATION • Step 1: O j calculates PK j = sk j · P, HR j = R j ⊕ h 1 (sk j ·PK s ) and securely sends {HR j , CID j , PK j , z j , info} to ST s , where info is vehicle's information.
• Step 2: ST s computes R * j = HR j ⊕h 1 (sk j ·PK s ) and verifies the O j 's credential z j · P = R * j + h 2 (CID j ||R * j ||PK j ) · PK TA . If it is valid, ST s stores a transaction including {CID j , info, L, PK j } in the blockchain. L is the location information about the car.

C. AUTHENTICATION
When U i wants to use the car-sharing service, U i must authenticate with the nearest ST s . ST s then collects the access code from O j and sends it to U i and the vehicle. U i can then access the vehicle using the access code and starts the sharing service. Figure 6 summarizes the detailed authentication process.

• Step 1: U i inputs ID i and PW i and computes
· PK s . If it is valid, O j generates code for accessing to shared car and a random number y j , and computes  = SM 4 is correct, and if so, C stores the {code}. Finally, U i and C have the same access code and U i can access to C.

VI. SECURITY ANALYSIS
In this section, we conduct the formal security analysis using BAN-logic [34] and AVSIPA [35], [36], and informal security analysis. We then prove whether the proposed scheme is secure against malicious attacks and provides mutual authentication.

A. BAN LOGIC ANALYSIS
The BAN logic [34], which is a widely accepted formal security analysis [37]- [40], was performed to demonstrate that the proposed scheme achieves mutual authentication. This section describes the basic notations used in the BAN logic proof and presents the BAN logic postulates, the security goals, assumptions, and idealized forms. Finally, the BAN logic proof was performed to confirm the mutual authentication of the proposed scheme.

1) POSTULATES OF BAN LOGIC
Postulates of BAN logic are as follows.

5.
Freshness rule: The following goals are presented to prove that the proposed system achieves secure mutual authentication.

3) IDEALIZED FORMS
The idealized forms are as follows.
The assumptions to perform the BAN logic proof are defined as follows.

5) BAN LOGIC PROOF
The BAN logic proof of the proposed protocol is as follows Step 1: S 1 is obtained according to Msg 1 .
Step 2: S 2 is obtained by applying the MMR using S 1 and A 1 .
Step 3: S 3 is obtained by applying the FR using A 2 .
Step 4: S 4 is obtained by applying the NVR using S 2 and S 3 .
Step 5: S 5 is obtained from S 4 and the BR.
Step 6: S 6 is obtained from Msg 2 .
Step 7: S 7 is obtained by applying the MMR using A 4 and S 6 .
Step 8: S 8 is obtained by applying the FR using A 5 .
Step 9: S 9 is obtained by applying the NVR using S 7 and S 8 .
Step 10: S 10 is obtained from S 9 and the BR.
Step 11: S 11 is obtained from Msg 3 .
Step 12: S 12 is obtained by applying the MMR using A 7 and S 11 .
Step 13: S 13 is obtained by applying the FR using A 8 .
Step 14: S 14 is obtained by applying the NVR using S 12 and S 13 .
Step 15: S 15 is obtained from S 14 and the BR.
Step 16: S 16 is obtained from Msg 4 .
Step 17: S 17 is obtained by applying the MMR using A 10 and S 16 .
Step 18: S 18 is obtained by applying the FR using A 11 .
Step 19: S 19 is obtained by applying the NVR using S 17 and S 18 .
Step 20: S 20 is obtained from S 19 and the BR.
Step 21: S 21 is obtained by applying the JR using A 3 and S 5 .
Step 22: S 23 is obtained by applying the JR using A 6 and S 10 .
Step 23: S 23 is obtained by applying the JR using A 9 and S 15 .
Step 24: S 24 is obtained by applying the JR using A 12 and S 20 .

B. AVISPA ANALYSIS
The AVISPA simulation tool [35], [36] was used to analyze that the proposed protocol is secure against replay and man-in-the-middle attacks. The AVISPA simulation tool uses High-Level Protocol Specification Language (HLPSL) [41] to implement a designed security protocol. The HLPSL is converted to ''Intermediate Format (IF)'' with the help of the HLPSL2IF translator. Four backends are associated with the AVISPA simulation tool: ''On-the-Fly Model Checker (OFMC)'', ''Constraint Logic-based Attack Searcher (CL-AtSE)'', ''Tree automata based on Automatic Approximations for Analysis of Security Protocol (TA4SP)'', and ''SATbased Model Checker (SATMC)''. The IF is then given to one of the four backend models to produce the ''Output Format (OF)''. The OF presents the security analysis results of the protocol in few sections, which include the following: 'SUMMARY', which indicates that a protocol being 'SAFE' or 'UNSAFE'; 'DETAILS' that explains the declared result on the 'SUMMARY' section; 'PROTOCOL' that defines the HLPSL specification of the scheme in IF form; 'BACK-ENED', which displays the name of the backend which is used for the analysis. Figures 7, 8, 9, and 10 describe the role of user, station, owner, and trust authority nodes, respectively. Figure 11 indicates the goals and the role of the session and environment of the proposed protocol. Figure 12 presents the AVISAP simulation result of the proposed protocol using CL-AtSe and OFMC. The results under the CL-AtSe and OFMC backends show that the proposed protocol is safe. Therefore, the proposed protocol can be resilient against man-in-themiddle and replay attacks.

C. INFORMAL SECURITY ANALYSIS
Informal security analysis was performed to demonstrate that the proposed protocol prevents various attacks and supports user anonymity and mutual authentication.

1) IMPERSONATION ATTACK
A malicious adversary attempts to disguise themselves as a legitimate user by generating an authentication message However, the adversary is unable to generate the authentication message because they do not know the user's private key ski, random number xi, identity ID i , password PW i . Therefore, the adversary cannot generate the authentication message of a legitimate user, so the proposed scheme prevents the impersonation attack.

2) STOLEN MOBILE DEVICE ATTACK
Assume that a malicious adversary steals the mobile device of a legitimate user and can extract the stored information in the mobile device by conducting power analysis. The adversary can obtain However, the adversary cannot obtain sensitive information of a legitimate user because that information is masked with XOR and hash operations. Thus, the proposed scheme does not reveal any sensitive information if the mobile device of a legitimate user is stolen or lost.

3) OFFLINE PASSWORD GUESSING ATTACK
Assume that an adversary can guess the identity ID i or password PW i of a legitimate user. The proposed method also considers that the adversary is in possession of a legitimate user's mobile device. The adversary can obtain the stored information {B i , C i , D i , E i , HPID i , R i } in the mobile device and obtain the transmitted mes- , Y j } through public channels. However, the adversary cannot compute a i = h 1 (ID i ||PW i ) ⊕ B i without guessing the correct values for ID i and PW i simultaneously. Thus, the adversary cannot check either ID i or PW i at the same time using the extracted C i = sk i ⊕ h 1 (h 1 (ID i ||a i )||h 1 (PW i ||a i )). Hence, the proposed scheme is not vulnerable to an offline guessing attack.

4) REPLAY ATTACK AND MAN-IN-THE-MIDDLE ATTACK
An adversary can obtain the messages transmitted over an insecure channel among U i , ST s and O j to reuse in the authentication process. However, the transmitted messages contain a timestamp that is verified by the receiver for freshness and random numbers. Furthermore, the adversary cannot obtain the random numbers. Hence, the proposed scheme is secure to replay attacks and man-in-the-middle attacks.

5) USER ANONYMITY
In the authentication phase of the proposed scheme, all the participant entities use a pseudo-identity to replace a real identity. Assume that an adversary can extract the information stored in the mobile device and intercept the transmitted messages through a public channel. However, the adversary cannot obtain the real identity of the legitimate user because the transmitted pseudo-identity is protected by random numbers x i , XOR, and hash operations. Even if the adversary acquires the pseudo-identity, it cannot be calculated as a real identity, which is protected by the private key sk TA and random number r i . Therefore, the proposed scheme ensures the user's anonymity.

6) CONFIDENTIALITY AND INTEGRITY
An adversary can obtain the messages transmitted over an insecure channel among U i , ST s and O j to obtain sensitive information, such as the user identity ID i and access code {code}. However, this sensitive information is encrypted using ECDH keys, so the adversary needs to calculate the ECDH keys to extract information. For example, the access code {code} is hidden in CM 1 = {code} ⊕ h 1 (X * i · y j ). To extract the {code} from CM 1 , the adversary must compute X * i · y j = (x i · y j ) · P from X * i = x i · P and Y j = y j · P. By the ECDDHP described in Section III-B, the adversary cannot calculate the ECDH key. Furthermore, the integrity of the received messages is checked using a hash function. Therefore, the protocol provides confidentiality and integrity.

7) MUTUAL AUTHENTICATION
In the authentication phase, U i authenticates O j by verifying CM 1 , CM 2 and authenticates ST s by verifying SM 3  = Q s + h 2 (X * i ||SID||Q s ||T 2 ) · PK s to authenticate U i and ST s . U i , ST s , and O j authenticate each other. Therefore, the proposed scheme provides mutual authentication.

VII. PERFORMANCE ANALYSIS
This section evaluates the efficiency of the proposed scheme and compares the results with a related scheme, such as Wang et al. [20], Xiong et al. [21], and Wang et al. [22]. The authentication phase is more frequent than other phases, so only the authentication phase was compared. The proposed scheme was compared with those of Wang et al. [20], Xiong et al. [21], and Wang et al. [22]because these schemes perform authentication using blockchain and similar cryptography. This comparison shows that the proposed scheme is appropriate for practical car-sharing system because it considers three party authentication, including user, station and car owner.

A. COMPUTATION ANALYSIS
The computation cost of the proposed scheme was compared with the related schemes [20]- [22]. The existing experimental result shown in [42] was used to measure the computation cost of each cryptographic operation. T ea , T em , T hash , T mac are defined as the execution time of ''point addition'', ''point multiplication'', ''hash function'', and ''MAC function'', respectively, where T ea ≈ 0.081 ms, T em ≈ 13.405 ms, T hash ≈ 0.056 ms, and T mac ≈ 0.056 ms. The exclusive-OR (XOR) operation was omitted because its execution time is negligible compared to other operations. Table 3 lists the  computation costs of the proposed scheme and the related schemes. The total computation cost of the authentication phase in Wang et al. [20] was 10T em + 3T ea + 9T hash ≈ 134.797 ms. The total computation cost of the authentication phase in the scheme reported by Xiong et al. [21] was 8T em + T ea + 9T hash + 2T mac ≈ 107.937 ms. The total computation cost of the authentication phase by Wang et al. [22] was 14T em + 5T ea + 10T hash ≈ 188.635 ms. The user, station, and owner in the proposed scheme requires 3T em + 13T hash ≈ 40.943ms, 7T em + T ea + 9T hash ≈ 94.42ms, and 7T em + T ea + 9T hash ≈ 94.42ms, respectively. Comparative analysis of the computation for the user shows that the proposed authentication scheme is similar to Xiong et al. [21] and more efficient than Wang et al. [20] and Wang et al. [22]. A comparison of the computation cost on the station/serverside shows that the proposed scheme is slightly less than Wang et al. [22]. However, the computation cost was higher  than Wang et al. [20] and Xiong et al. [21] because the station authenticates the user and the owner. Overall, the proposed scheme also has certain advantages in energy consumption on the user side, which is more suitable to the user side with limited re-sources and computing power.

B. COMMUNICATION ANALYSIS
The communication cost of the proposed scheme was compared with the related schemes [20]- [22]. According to [42], it was assumed that the bit length of the identity, the hash output, the random number, the timestamp, and the elliptic curve point were 160 bits, 160 bits, 160 bits, 32 bits, and 320 bits, respectively. The bit length of the user's request information was assumed to be 160 bits. Table 4 lists the communication costs of the proposed scheme and related schemes. In Wang et al. [20], the communication cost of the authentication phase between the user and server was 1472 bits as {T , X , CT } and {Y , V }. The communication cost of Xiong et al. [21] was 1184 bits as {A, pid i , k, t i } and {B, w, t j }. The communication cost of Wang et al. [22] was 1184 bits as {A, W U , σ, T U } and {B, w 1 , T 1 }. In the proposed authentication phase, the exchanged messages {X i , CPID i , Auth u i , T 1 , request}, The total communication cost of the proposed scheme was high compared to the related schemes because an authentication phase was performed by the three parties for their carsharing service. However, in the personal car-sharing system, people can lend their car to others and rent another personal car. A service vendor supports the process of car-sharing service for user convenience during car-sharing. However, the existing blockchain-based authentication schemes are unsuitable for a car-sharing system because these schemes are designed for the user and servers. Hence, the car owner cannot be considered in the existing authentication schemes. On the other hand, car owners can convert car use easily and reject the service request. Therefore, this study designed the blockchain-based authentication scheme for three entities in the car-sharing system.

VIII. CONCLUSION
Car-sharing systems have attracted widespread attention as an approach that alleviates the transportation problems in urban areas. However, the traditional car-sharing system is exposed to some security problems owing to the centralized system structure and communication via a public channel. This paper proposed a secure decentralized model of a carsharing system and a secure authentication scheme to provide a decentralized sharing service for legitimate users. Blockchain was used to ensure the integrity of information of service information and provide a decentralized car-sharing service. Furthermore, a pseudonym of the user was applied in the car-sharing system to guarantee user's privacy. Thus, if the stored information is exposed to an adversary, they cannot know the user's real identity. BAN logic analysis was performed to show that the proposed protocol can provide secure mutual authentication between the user, station, and owner. In addition, the AVISPA simulation was employed to show that the proposed protocol is secure against replay and man-in-the-middle attacks. Moreover, the proposed protocol is secure against impersonation, stolen mobile devices, offline password guessing, replay, and man-in-the-middle attacks. The proposed protocol provides anonymity, confidentiality, and mutual authentication by conducting informal security analysis. The performance of the proposed protocol was compared with related schemes. The proposed protocol is efficient and can be applied in the blockchain-based carsharing system using blockchain. In the future, a simulation will be developed to test the protocol and apply the protocol to a real car-sharing system. JOONYOUNG LEE received the B.S. and M.S. degrees in electronics engineering from Kyungpook National University, Daegu, South Korea, in 2018 and 2020, respectively, where he is currently pursuing the Ph.D. degree with the School of Electronic and Electrical Engineering. His research interests include authentication, the Internet of Things, and information security.