2019 IEEE Projects | Diploma projects | IEEE projects 2019-2020 - … Efficient Message... · 2018-05-30 · computation overhead, He et al. [16] proposed an elliptic-curve-cryptography(ECC)-based

This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.

IEEE TRANSACTIONS ON INTELLIGENT TRANSPORTATION SYSTEMS 1

An Efficient Message-Authentication Scheme Basedon Edge Computing for Vehicular Ad Hoc Networks

Jie Cui , Lu Wei , Jing Zhang, Yan Xu, and Hong Zhong

Abstract— With the progress in wireless communicationtechnology and the increasing number of vehicles, vehicular adhoc networks (VANETs) have become essential for improvingroad conditions and enhancing driving experience. The core ofthe VANETs is the communication between different vehicles,and the security of the communication is based on messageauthentication. Several schemes have been designed to enhancethe efficiency of message authentication. However, these schemeshave the disadvantage of redundant authentication, i.e., repeatedauthentication of the same message, and fail to seek invalidmessages from the batch of messages. To solve these problems,this paper introduces a novel edge-computing concept into themessage-authentication process of VANETs. In our scheme,the roadside unit can efficiently authenticate messages fromnearby vehicles and broadcast the authentication results to thevehicles within its communication range, thereby reducing redun-dant authentication and enhancing the efficiency of the entiresystem. The security analysis results show that the proposedscheme satisfies the security requirements of the VANETs. Theperformance analysis results show that the proposed scheme cannot only work well in an ideal environment where the attacker isabsent but also capable of quickly identifying valid and invalidmessages even if the VANET is attacked.

Index Terms— VANETs, message authentication, redundantauthentication, batch authentication, edge computing.

I. INTRODUCTION

W ITH the development of the automobile industryand the improvement in the economy, vehicles have

become increasingly important. However, the increase in thenumber of vehicles has led to rising traffic congestion andfrequent traffic accidents. Therefore, there is a need to improvedriving experience and enhance driver safety. This has led tothe research of vehicular ad hoc networks (VANETs) with theaim of enhancing driver safety through inter-vehicle commu-nications (V2V) and communications with public infrastruc-ture (V2I) [2]. The typical structure of VANETs comprisesthree parts: a trusted authority (TA), a roadside unit (RSU),

Manuscript received October 11, 2017; revised March 2, 2018; acceptedApril 7, 2018. This work was supported in part by the National NaturalScience Foundation of China under Grant 61572001, Grant 61502008, andGrant 61702005, in part by the Key Program of National Natural ScienceFoundation of China under Grant U1405255, in part by the Natural ScienceFoundation of Anhui Province under Grant 1708085QF136, and in part bythe Excellent Talent Project of Anhui University. The Associate Editor forthis paper was H. Jula. (Corresponding author: Hong Zhong.)

The authors are with the School of Computer Science and Technology,Anhui University, Hefei 230601, China (e-mail: [email protected]).

Color versions of one or more of the figures in this paper are availableonline at http://ieeexplore.ieee.org.

Digital Object Identifier 10.1109/TITS.2018.2827460

and an on-board unit (OBU). The TA, which acts as thetrusted management center, is responsible for the registrationand issuing of secret key material. The RSU, installed alongthe roads, serves as a bridge between the vehicles and theTA. The OBU equipped on each vehicle is in charge of theV2V and V2I communications [3], [4]. As V2V and V2Icommunications are wireless, malicious attackers can modifythe message sent from a vehicle, and even disguise themselvesas vehicles if there is no adequate security scheme for theVANETs. Therefore, in VANETs, the message recipient shouldcheck the integrity and reliability of the received message.Only if the message is credible, the information contained inthe message can be trusted.

In recent years, privacy has become a topic of concernwith regard to VANETs. No driver would like to haveinformation, such as driving route or identity, be leaked.Thus, the communication protocol in the VANETs shouldsatisfy anonymity, implying that a vehicle should commu-nicate with all entities via pseudo identity instead of a realone [5]. However, a completely anonymous scheme shouldbe avoided because of the following reasons. Although wecannot avoid the appearance of malicious vehicles that couldsend forged messages or attempt to modify the valid messages,we can trace malicious vehicles and determine their realidentities. In the VANETs, we consider schemes with suchcapacity to satisfy the conditional privacy-preserving (CPP)characteristic [6], [7].

To solve the security and privacy issues in VANETs,Raya and Hubaux [8] proposed a scheme for signature authen-tication based on public key infrastructure (PKI). In theirscheme, all traffic related information exchanged in VANETsneed to be authenticated before trusting the information.In terms of checking integrity and authentication, PKI-basedschemes [8]–[10] are well-accepted choices. However, theseschemes have the following disadvantages. First, all vehiclesneed to store many pseudonym certificates, thus linearlyincreasing the transmission overhead of the RSU with theincrease in the number of vehicles. Second, as certificateshave a relatively large size, network congestion may occurin the communication channel when the number of vehicles islarge. Finally, in their schemes, the RSU and vehicles verifythe received messages one after another; this process is veryinefficient and unsuitable to be deployed in real scenarios.

To address the performance issues of PKI-based schemes,Zhang et al. [11] introduced an efficient batch mes-sage signature verification scheme for V2I communications.

1524-9050 © 2018 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

https://orcid.org/0000-0001-7258-3418

https://orcid.org/0000-0003-3386-609X

https://orcid.org/0000-0002-0392-9734


2 IEEE TRANSACTIONS ON INTELLIGENT TRANSPORTATION SYSTEMS

Compared to the RSUs in previous schemes wherein thereceived messages are verified individually, the RSU in thisscheme can simultaneously verify multiple received messages,thus significantly reducing the total verification overhead andenhancing the operational efficiency of the VANETs. Morever,no certificate is required because this scheme is based onidentity, thereby making their scheme quite advantageous withregard to communication and computation overhead. Sincethe scheme proposed by Zhang [11], many improved identity-based batch authentication schemes have been proposed, suchas [11] and [12]. Although these schemes improve the effi-ciency, they fail to deal with unfavorable conditions, such aswhen the number of vehicles is extremely large.

The computation power of most vehicles is limited, andmultiple messages cannot be verified within the specifiedtime. To solve such problems, Chim et al. [14] proposed ascheme, wherein the RSU helps nearby vehicles to verify theirreceived messages so that the vehicles need not verify themindependently. In particular, the RSU verifies multiple mes-sages using the batch authentication technology. If the batchauthentication is successful, the messages in the batch arevalid. Otherwise, at least one invalid message exists; in whichcase the batch authentication along with a binary search wouldbe executed to find the invalid messages. After specifying thelegitimacy of the messages sent by the vehicles, the RSUwould set up two bloom filters to store the authenticationresults. In particular, the RSU is used to place the hash valueof a valid message in a positive filter and the hash value of aninvalid message in a negative filter. Thereafter, the RSU wouldbroadcast the positive and negative filters to nearby vehicles ata particular frequency. Hence, the vehicles would only have tocheck the two filters to verify the messages. This significantlyreduces redundant authentication and improves the efficiencyof the entire system. However, the complete dependence onthe computation performance of the RSU would burden it.

To take full advantages of the computational performancea vehicles, Liu et al. [15] demonstrated that the computationload on the RSU could be shared by nearby vehicles. In thisscheme, the system elects proxy vehicles on the basis of thecomputation power. The proxy vehicles need to share thework done by the RSU in verifying the messages and sendthe verification results back to the RSU. The RSU will thencheck whether the result is accurate. Although the proposedscheme significantly improves the verification performanceof the RSU, the performance of the scheme is insufficientbecause the basic operation comprises bilinear pairing andmap-to-point operation with huge overhead. In addition, if abatch of messages contains invalid messages, i.e., the signatureof a message is invalid, the RSU fails to confirm whetherthe original signature is invalid or whether the proxy vehicletampered with the legitimate signature.

The above schemes using bilinear pairings with a hugeoverhead would lead to performance issues. To minimize thecomputation overhead, He et al. [16] proposed an elliptic-curve-cryptography(ECC)-based scheme instead of usingbilinear pairings. The computation overhead of the schemeis significantly reduced by discarding the bilinear pairingoperation and the hash-to-point function. The literature [17]

is improved in this scheme [16], simplifying the signaturegeneration process and improving the efficiency without com-promising the security requirement.

In [14], the vehicle transfers the task of authenticatingmessages to the RSU, and the vehicle itself no longer performsthe authentication operation. Essentially, the RSU acts as thecloud for the vehicle, providing message authentication serviceto the vehicle. In this scenario, the vehicle plays only therole of a data consumer. Although message authenticationprocessed by the RSU can reduce redundant authenticationand improve the efficiency of the entire VANETs system, largenumber of vehicles will lead to a decrease in the computationperformance of the RSU and cause significant delay.

Similar to the VANETs, most data generated from the edgeof the VANETs (vehicles), and the edge of the data processedby the cloud are inefficient [18]. To solve this problem, edgecomputing has been introduced. The so-called edge computingis a technique that allows computation at the edge of thenetwork (close to the data source), instead of only at thecloud center [19]. The most important characteristic of edgecomputing is that the edge ends play the role of data consumersand data producers simultaneously. While in cloud computing,the edge of the network acts only as a consumer.

In this paper, we incorporate a novel edge-computing con-cept into the message authentication process of the VANETs.In our scheme, the RSU acts as the cloud of the vehicle, anda part of the vehicle acts as an edge-computing node to assistthe RSU with the message authentication task. In particular,the system elects a number of edge computing vehicles (ECVs)to assist the RSU in authenticating the message signature sentby nearby vehicles and subsequently sending the results tothe RSU on the basis of the available computation power ofthe vehicle. The RSU verifies the results sent from the ECVs,obtains the legitimacy of these messages, and finally, broad-casts the information regarding the legitimacy to the vehiclethrough a cuckoo filter. Consequently, the vehicle needs toonly query the filter to determine whether the message is validand need not verify the received messages independently inmost cases. The main contributions of this study are as follows:

1) We introduce the concept of edge computing into theVANETs by selecting sufficient number of ECVs toshare the load on the RSU in authenticating the mes-sages. In addition, this paper presents an efficient authen-tication mechanism that allows the RSU to quicklyverify the feedback given by the ECVs.

2) We centralize the authentication tasks of all vehicles onthe RSU and ECVs and broadcast the results through thecuckoo filter, thus significantly reducing the redundantauthentication of the same messages.

II. BACKGROUND

A. Network Model

As shown in Fig.1, the VANETs model used in ourpaper includes three parts: trusted authority (TA), roadsideunit (RSU), and the vehicle equipped with an onboardunit (OBU), wherein the vehicle participating in the mes-sage authentication is referred to as the edge computingvehicle (ECV).


CUI et al.: EFFICIENT MESSAGE-AUTHENTICATION SCHEME BASED ON EDGE COMPUTING 3

Fig. 1. The model of VANETs.

• TA: The TA, acts as the registry center of RSUs andvehicles, is trusted by all entities in the VANETs andresponsible for distributing key materials to all entities.And the TA has the ability to trace the real identityof the vehicle if necessary. For secure communication,a wired secure transport protocol such as Transport LayerSecurity (TLS) is used between TA and RSU. In orderto avoid the formation of performance bottlenecks andimprove reliability, redundant TA is usually set.

• RSU: The RSU is located on the roadside and can com-municate directly with the vehicle as a bridge betweenthe TA and vehicles. The RSU can authenticate itsreceived messages, and if necessary, process the resultslocally, or send the results to the traffic managementcenter for data analysis [16]. In order to ensure that RSUcan help the vehicle to carry out message authentication,RSU’s computation performance should be far greaterthan the vehicle [20].

• Vehicle: The OBU mounted on the vehicle periodicallybroadcast the traffic related information to improve theoperation efficiency of regional traffic and traffic security.Each vehicle has a tamper-proof device(TPD) to storereceived key material from the TA securely and weassume TPD unhackable [3]. In this paper, vehicles aredivided into two types: ordinary vehicles(OVs) and ECVs.Ordinary vehicles only play the role of data consumers,that is, it only needs to query the detail of RSU’s broad-cast which contains the message legitimacy informationinstead of verifying received messages independently inalmost all cases. And the ECVs serve as data producersand consumers at the same time. The ECVs have obliga-tions to help the RSU to authenticate the messages theyreceive, but also have the right to enjoy the conveniencefrom the RSU’s broadcast. The model diagram is shownin Fig. 1.

B. Security Objectives

A well-designed message authentication scheme shouldachieve the following security objectives:

1) Message Authentication and integrity: After receivinga message, the recipient of the message must firstdetermine the legitimacy of the message owner, andwhether the message itself is tampered with or whetherit is forged.

2) Identity Privacy Preserving: The real identity of thevehicle should remain anonymous, which means thatthe vehicle should use the pseudo identity when sendingtraffic-related information. No third party except for TAcan extract the real identity of the vehicle based onmultiple messages sent from the same vehicle.

3) Traceability: TA can trace the real identity of the vehi-cle by analyzing its pseudo identity extracted from itsmessage.

4) Replay Attack: A malicious vehicle cannot collect andstore a signed message and attempt to deliver it laterwhen the original message expired.

C. Elliptic Curve Cryptosystem

In 1984, Miller [20] applied the elliptic curve to cryp-tography for the first time. After Kobilitz [21] built theelliptic curve cryptography (ECC) with elliptic curve discretelogarithm problem (ECDLP), ECC began to be widely appliedto encryption, protocol and other safety-related areas. Let Fp

be a finite field, which is determined by a prime number p.Let a set of elliptic curve point E over be defined by theequation: y2 = x3 + ax + b mod p, where a, b ∈ Fp . Let thepoint at infinity be O, then O and other points on E makeup an additive elliptic curve group G with the order q andother generator P . The elliptic curve group G has the threefollowing properties.

• Additive: Let P and Q be two points of group G. If Pis not equal to Q, then we can get R = P + Q where Ris the intersection of E and the straight line connectingP and Q. If P = Q, then R = P + Q. If P = −Q, thenP + Q = O.

• Scalar point multiplication: Let P ∈ G p and m ∈ Z∗q ,

the scalar multiplication of E is defined as m · P = P +P + · · · + P .

• Elliptic curve discrete logarithm problem (ECDLP):Given two randomly generated points, it is difficult tocalculate x in the case of known P and Q.

D. Cuckoo Filter

For massive data, we need an index data structure to helpwith the query operation, to quickly determine the existenceof data records. And the most frequent choice is Bloom filterand its extended version. However, Bloom filter has high falsepositive and low space usage rate. Besides, a limitation ofBloom filter is that one cannot remove existing items withoutrebuilding the entire filter. Cuckoo filter is a new data structurefor set-membership tests, which has lower false positive, lowerspace overhead and better performance than traditional Bloomfilter. And cuckoo filter supports adding and removing itemsdynamically while achieving high performance [23]. A cuckoofilter is essentially a hash table consisting of a set of buckets,



Fig. 2. (a) The structure of Cuckoo filter; (b) The insertion operation.

and each bucket contains a fixed number of fingerprints (thehash function with fewer output bits), as shown in Fig. 2(a).

The cuckoo filter algorithm includes three functions: query,insert and delete. The query function first calculates the finger-print of the query item and gets the location of the query itemin the corresponding hash table according to the fingerprint.If the location is found, the query is successful, otherwisereturn false. The insert function calculates the fingerprint ofthe inserted item first, and gets the position of the inserted itemin the corresponding hash table according to the fingerprint.If the location is not occupied, insert directly into the inserteditem; if the location is occupied, remove the element fromthe position, insert the item to be inserted, and insert theremoval item into an empty position, as shown in Fig. 2(b).The delete function first query the hash table, if the queryis successful, regardless of the query to the bucket in thenumber of fingerprints meet the requirements, only delete onefingerprint.

E. Fuzzy Logic Control System

A fuzzy control system is a control system based on fuzzylogic mathematical system that analyzes analog input valuesin terms of logical variables that take on continuous valuesbetween 0 and 1, in contrast to classical or digital logic, whichoperates on discrete values of either 1 or 0 (true or false,respectively). Fuzzy logic is widely used in machine control.The term fuzzy refers to the fact that the logic involved candeal with concepts that cannot be expressed as the true or falsebut rather as partially true. Fuzzy logic has the advantagethat the solution to the problem can be cast in terms thathuman operators can understand, so that their experience canbe used in the design of the controller. This makes it easierto mechanize tasks that are already successfully performed byhumans [24], [25]. A typical fuzzy logic control system mainlycontains the following three steps:

• Fuzzification Fuzzification refers to the process whichconvert the crisp input value to the fuzzy value.

• Fuzzy rules defining The fuzzy rules are several If-Thenstatements which input several fuzzy values and output afuzzy value.

• Defuzzification Defuzzification is responsible for choosean appropriate representative value as a final outputwhich is a crisp value. The most common defuzzificationmethod is center of gravity(COG) method.

III. OUR PROPOSED SCHEME

In this section, we present our proposed scheme. Thedefinition of notations in our scheme is presented in Table I.

TABLE I

DEFINITION OF NOTATIONS IN OUR PROPOSED SCHEME

A. System Initialization Phase

At this phase, the TA generates the necessary systemparameters and then the TA preloads these system parametersinto all vehicles’ TPD and all RSUs’ memory. Because theRSU connect with the TA via secure wired network, the para-meter transmission can be processed anytime. And the vehiclecan get the parameters in some special situation like ETCgate or vehicle inspection under pre-store strategy [3]. Specificsteps in system initialization phase are as follows:

1) TA randomly selects two large prime p,q , and a non-singular elliptic curve E where is defined as y2 = x3 +ax + bmodq , and the generator element P is randomlyselected in the group.

2) TA randomly selects s ∈ Z∗q as the system private key,

and calculates the system public key Ppub = s P .3) TA randomly selects x ∈ Z∗

q as the private key of RSU,and calculates the RSU’s public key P K R = x P .

4) TA chooses the secure hash function h : {0, 1}∗ → Zq .5) TA assigns the real identity RI D and password PW D

to each vehicle, and preloads {RI D, PW D, s} to theTPD of the vehicle.

6) TA sends the private key x to the RSU.7) TA publishes system public parameters {p, q, a, b, P,

Ppub, P K R , h} to the RSU and all vehicles.

B. The Generation Phase of Vehicles’ PseudoIdentity and Signature

Before sending a message, the vehicle must provide asignature of the message in order to ensure the authenticity.The following work is completed by the TPD, used to generatethe vehicle’s pseudo identity, public key and signature.

1) The vehicle sends its own real identity RI D and pass-word PW D to the TPD for identity check. If the twovalues are equal to the pre-stored values in the TPD,the vehicle passes the authentication and proceeds tothe following steps. Otherwise, the authentication failsand the service is rejected.

2) TPD randomly selects a number ri ∈ Z∗q , and calculates

the pseudo identity P I Di = {P I D1i , P I D2

i }, whereP I D1

i = ri · P , P I D2i = RI D ⊕ h

(ri · Ppub

).

3) The vehicle gets message signature by combining mes-sage M and current timestamp T , and TPD inputs



Fig. 3. Distance metric membership function.

Fig. 4. Available performance metric membership function.

Mi = M||T and outputs corresponding signatureσi = sh (P I Di ) + ri h (Mi ).

4) The vehicle broadcasts {P I Di , Mi , σi }.

C. The Election Strategy of ECV

In order to make the possibility of success that ECVhelp the RSU authenticate message signatures as much aspossible, we choose the qualified general vehicles whichcontain two characters as ECVs: short distance to the RSUand enough available computation resource. We assume allvehicles exchange position and available computation resourceinformation through BSM(Basic Safety Message) and we onlyconsider the two metrics to select ECVs. However, the twometrics are always inaccurate. For example, the vehicle whichis close to the RSU may has very little available computationresource. Besides, the information(position and available com-putation resource) is always inaccurate. It would be very costlyif we use traditional mathematical model to solve the issue.Luckily, fuzzy logic can solve the uncertain and inaccurateinformation.

Fuzzification:We use the following membership function toconvert distance and available performance to fuzzy values.

1) Distance Membership Function: Because the ECVsshare the RSU’s authentication task, the distancebetween the ECVs and the RSU should be relativelyshort which can decrease the transmission delay and

TABLE II

FUZZY RULES

guarantee relatively better communication quality. TheRSU can calculate the distance according the GPSpositions of itself and the vehicle Vx . Let d(x) denotesthe distance between the vehicle Vx and the RSU,R denotes the max transmission range of the RSU. Thenwe can define distance metric membership function asEquation (1). And Fig.3 shows the membership functionof distance metric.

DM(x) =

⎧⎪⎪⎪⎪⎪⎨

⎪⎪⎪⎪⎪⎩

1, d(x) ≤ R

2R − d(x)

R

2

,R

2< d(x) ≤ R

0, d(x) > R

(1)

2) Available Performance Metric Membership Function:Message authentication requires enough computationresource, so we need the vehicle which has enoughavailable computation resource to be ECV. We assumeall vehicles have the similar computation loads. LetUC R(x) denote used computation resource of vehicleVx , MC L(x) denote maximum computation load ofvehicle Vx . Then we can define available performancemembership function as Equation (2). And Fig. 4 showsthe membership function of available performancemetric.

AP M(x) = MC L(x) − UC R(x)

MC L(x)(2)

Fuzzy Rules: Here we map previous defined fuzzy valuesto the following IF/THEN rules by using Min-Max method.And the fuzzy rules are as shown in Table II.

Defuzzification:Based on the output membership func-tion and corresponding membership degrees, we can useCOG(Center of Gravity) method which is shown inEquation (3), to defuzzify the fuzzy results. And the outputmembership function is shown in Fig.5. In our scheme,the COG result(qualified degree to be ECV) represents thefitness of the vehicle Vi to be the ECV. If QD ≥ k(k is positively correlated with with the traffic density. If thenumber of vehicle in the proximity of RSU is relatively large,the computing load of the ECV will be much higher, and thenumber of malicious attacker will also be larger in probabilitythat requires the ECV to have better computation performanceand be in better position between other vehicles and RSU.),



Fig. 5. Output membership function.

it indicates that Vi is suitable to be ECV and the RSU wouldelect Vi to be ECV.

QD =∫

μ(x)xdx∫

μ(x)dx(3)

D. The Batch Authentication of ECV

In this phase, the ECV needs to go through the followingtwo stages from the beginning to the end of the task: taskdetermination, batch authentication, and result feedback.

1) Task Determination Phase: In this phase, the RSUallocates the pseudo identity list P I D = {P I D1,P I D2, · · · , P I Dn} of a part of its received messageowners to ECVi . The RSU then sends the message{

P I D, SI GS K R (P I D)}

to ECVi .2) Batch Authentication and Results Feedback Stage: After

receiving messages {P I D, SI GS K R (P I D)}, ECVi verifiesit by using the public key P K R of the RSU. If it isnot legal, rejects the message, otherwise, processes to thenext step. For the received P I D list as {P I D1, P I D2, . . . ,P I Dn}, ECVi searches the corresponding message signaturepair {P I Di , Mi , σi }(1 ≤ i ≤ n) which it needs to authenticatein its own message cache, then proceed as follows:

1) ECVi checks the freshness of these messages ECVi (1 ≤i ≤ n). If there is an expired message, the RSU sendsa report to the RSU. And the RSU will remove thecorresponding pseudo identity of the expired messagefrom the corresponding message owner list P I D.

2) ECVi randomly selects a small integer t of 10 bitslength, generates the random small factor vi (vi(1≤i≤n) ∈[1, 2t ]), and then verifies whether the batch authenti-cation Equation (4) holds or not. If the Equation (4)is established, it indicates that the batch of messagepasses the check. Otherwise, it means that the messagecontains at least one invalid message, i.e., the messagefail to pass one of the checks: the integrity of message,the legitimacy of message signature.(

n∑

i=1

vi · σi

)

P =(

n∑

i=1

vi · h (P I Di )

)

· Ppub

+n∑

i=1

vi · P I D1i · h (Mi ) (4)

3) In order to be able to quickly find the invalidmessages contained in the batch of messages,we set a list as List = {M1, M2, . . . , Mn} forstoring messages to be processed, and a emptylist List1 for storing invalid messages. And ECVi

executes batchSearch(List, List1, 1, n) in whichbatchSearch(List, List1, low, high) is defined inAlgorithm 1.

Algorithm 1 batchSearch(List, List1, low, high)

1: if batch Authentication(List, low, high) then2: return 13: else4: if low == high then5: List1.append(List[low])6: return 17: else8: mid = (low + high)/29: batchSearch(List, List1, low, mid)

10: batchSearch(List, List1, mid + 1, high)11: return 112: end if13: end if

4) Through the above steps, ECVi can get the invalidmessage list List1 which can be used to determinethe corresponding identity list Invalid ListEC Vi ={P I D1, P I D2, . . . , P I Dn} in the message buffer pool.And then ECVi feeds back the authentication resultsInvalid ListEC Vi to RSU. It is worth noting that,in order to save network bandwidth, ECVi only needsto send invalid message owner’s pseudo identity becausemost of the message signatures are valid in VANETs,and the RSU can extract the identities of valid messagesby executing List − List1 operation.

The validity of Equation (4) can be verified as follows:(

n∑

i=1

vi · σi

)

P

=(

n∑

i=1

vi · (sh (P I Di ) + ri h (Mi ))

)

P

=(

n∑

i=1

vi · s · h (P I Di )

)

· P +(

n∑

i=1

vi · ri · h (Mi )

)

· P

=n∑

i=1

vi · s · P · h (P I Di ) +n∑

i=1

vi · ri · P · h (Mi )

=(

n∑

i=1

vi · h (P I Di )

)

· Ppub +n∑

i=1

vi · P I D1i · h (Mi ) (5)

E. The RSU Checks the Authentication Result of ECV

In the real VANETs environments, packet loss and delayalways exist. If the RSU doesn’t receive the authenticationresult from ECVi with the �T , it can assign the authenticationtask to another ECV . Otherwise, the RSU first checks whether



the signature of the message is valid or not, if invalid, thenrejects the message, if valid, followes these steps:

1) The RSU searches for pseudo identity list ListEC Vi ={P I D1, P I D2, · · · , P I Dn } which are verified by ECVi

from its memory. Afterwards, the RSU gets pseudo iden-tity list which belongs to invalid messages by executingV alid ListEC Vi = ListEC Vi − Invalid ListEC Vi .

2) For the message signatures corresponding to all elementsin V alid ListEC Vi , the batch authentication is carried outas shown in Equation (4); if passed, output a = T rue;if not, output a = False. For the message signa-tures corresponding to all elements in Invalid ListEC Vi ,the single authentication is carried out as shown in thefollow Equation (6); if none of those authenticationpassed, output b = T rue; if not, output b = False.Through the two checks, the ECVi can not deceivethe RSU by claiming that the invalid messages arevalid or the valid messages are invalid.

σi · P = h (P I Di ) · Ppub + h (Mi ) · P I D1i (6)

3) If a = T rue ∧ b = True, then message authenticationresult of ECVi is reliable, and the RSU will sendP I DEC Vi to the TA to increase the credit of ECVi , andthen go to step 4); otherwise, it indicates that ECVi

tries to deceive RSU and RSU would identify ECVi

as a malicious vehicle, cancel the ECV qualification ofECVi , and send P I DEC Vi to TA in order to revokeECVi and decrease the credit of ECVi .

4) After step 3), the RSU can confirm that the authentica-tion results from ECVi are reliable. The RSU initializestwo cuckoo filters, i.e., the positive filter pos Filter andthe negative filter negFilter . The RSU calculates thefingerprint f inger print (Mi ) corresponding to everyelement in V alid ListEC Vi and puts the fingerprint intothe positive filter pos Filter . For every pseudo identityin Invalid ListEC Vi , the RSU calculates its fingerprintand puts it into the negative filter negFilter . Afterinitialization, the RSU broadcasts the positive filterpos Filter , the negative filter negFilter , and the corre-sponding signature SI GS KRSU (pos Filter, negFilter)to the nearby vehicles in the area.

5) If the vehicle density near the RSU is high, the sizeof cuckoo filters would be slightly large which couldcause high packet loss rate and frequent wirelesschannel contention and retransmission. One efficientsolution is to cut the filters into slices and distrib-ute the slices to nearby ECVs for relaying theseslices to nearby ordinary vehicles by ECVs. Thedetail steps are as shown below. First, the RSU cutsthe positive filter and the negative filter into slicesets {P F1, P F2, . . . , P Fm } and {N F1, N F2, . . . , N Fn }respectively. Second, the RSU sends these slices tonearby ECVs. Last, the RSU calculates σ f ilters =SI GS K RSU (h (P F1, P F2, . . . , P Fm , N F1, N F2, . . . ,N Fn )) using ECDSA signing algorithm and broadcaststhe signature to nearby vehicles.

TABLE III

POSSIBLE STATUS AND RESULTS WITH CUCKOO FILTER

F. The Message Authentication of the Ordinary Vehicles

In our scheme, the vehicle no longer needs to independentlyverify the messages sent by other vehicles in almost all cases,because the two filters already contain the message signaturelegitimacy information of nearby vehicles. If the vehicle wouldlike to verify one message valid or not, it just need toprocess the following steps. First, the vehicle extracts theslices of the filters from nearby ECVs and check the validityof extracted slices by using ECDSA verifying algorithm.Second, the vehicle calculates the corresponding fingerprintf = f inger print (Mi ) of message Mi that needs to beverified, respectively query whether the f value can be queriedsuccessfully in the positive filter pos Filter and negative filternegFilter , and determine whether the message valid or notaccording to the Table III.

If the query result satisfies case 1 or case 2, the conclusionwill be definite. However, there is a certain probability thatcase 3 or case 4 will happen. If case 3 happens, it indicatethat the RSU has not yet been updated the authenticationresult of the query message. The vehicle can wait for thenext update. Case 4 may happen because of the potential falsepositive of cuckoo filter. The next section would indicate thatthe probability of case 4 is very small.

IV. SECURITY PROOF AND ANALYSIS

A. Security Proof

In this section, we first show that our proposed signaturescheme is secure against an alternatively chosen messageattack under the random oracle model.

1) Forking Lemma: Let A be a probabilistic polynomialtime Turing machine whose input only consists of public data.We let Q denote the max number of queries in which A canask the random oracle, and let R denote the max number ofqueries in which A can ask the signer. And we also assume thatA can produce a valid signature {m, σ1, h, σ2}. If the triples{σ1, h, σ2} can be simulated without knowing the secret key,with an indistinguishable distribution probability, then there isanother machine that has control over the machine obtainedfrom A replacing interaction with the signer by simulation andproduces two valid signatures {m, σ1, h, σ2} and {σ1, h, σ2}such as h = h′ in expected time T ′ ≥ 120686QT/ε.

Let A be an adversary who performs an existential forgeryunder an alternatively chosen attack against our proposedscheme within a time bound T and with a probability of ε,and we can reach the following conclusion.



Theorem 1: Our proposed scheme can resist chosen messageattack under the random oracle model.

Proof: Suppose that an ECDLP instance (P, Q = x P)is given, where P ,Q are two points on E and there is anadversary A that could forge message {P I Di , Mi , σi }. We alsoset a challenger C which is able to solve the ECDLP byrunning A as a subroutine with a probability that cannot beignored.

2) Setup: The Setup algorithm takes a secure parameter nas input, and then C chooses a random number s as systemsecret key and computes its corresponding public key byPpub = s P . Next, C generates public parameters Params ={P, q, G, E, Ppub, h1, h2} and publishes it.

3) H1 Hash Query: When A makes an H1 query withmessage Mi , C checks whether the tuple 〈Mi , τH1〉 is in the listL H1 or not. If yes, C sends τH1 = H1(Mi ) to A . Otherwise,C chooses a random τH1 ∈ Z∗

q , adds 〈Mi , τH1〉 into the listL H1 , and then sends τH1 = H1(Mi ) to A .

4) H2 Hash Query: When A makes an H2 query withmessage Mi , C checks whether the tuple σ, hi,1, hi,2 ∈ Z∗

qis already in the list L H2 or not. If yes, sends τH2 =H2(P I D1

i ||P I D2i ) to A . Otherwise, C chooses a random

τH2 ∈ Z∗q , adds 〈P I D1

i , P I D2i , τH2〉 into the list L H2 , and

then sends τH2 = H2(P I D1i ||P I D2

i ) to A .5) Sign Query: When A makes a query on message Mi ,

C generates three random numbers σ, hi,1, hi,2 ∈ Z∗q and

calculates P I D1i = (σ P −hi,1 Ppub)/hi,2. And then C chooses

a random point P I D2i ∈ G, and then adds the tuple 〈Mi , hi,1〉

into the list L H1 and the tuple 〈P I D1i , P I D2

i , hi,2〉 into thelist L H2 .

By using Forking Lemma [26], after replaying A with thesame random element, C achieves two valid signatures σ =ri hi,1 + shi,2 and σ ′ = ri h′

i,1 + shi,2 within polynomial time,where C can successfully achieve the value x by computing:

h′i,1σ−hi,1σ ′

hi,2 (h′i,1−hi,1 )

mod q = s

As a result, C can break the ECDLP within expectedtime less than 120686QT/ε, if ε ≥ 10(R + 1)(R + Q)/q .However, it contradicts with the difficulty of solving theECDLP. Therefore, the signature scheme in our scheme issecure against forgery under the alternatively chosen messageattack in the random oracle model.

B. Security Analysis

In this section, we show that our proposed scheme satisfiesseveral security requirements.

1) Message Authentication: In this scheme, the signature ofthe message guarantees the integrity of the message and thelegitimacy of the message owner. Theorem 1 has proved thatthe signature used in our scheme cannot be forged under therandom oracle model. Therefore, malicious attackers cannotforge valid signatures. In theorem 2, we show that ECV cannotcheat the RSU successfully.

Theorem 2: ECV cannot successfully fake valid messagesignature authentication results in order to cheat the RSU.

Proof: Let T askListEC Vi denote the message signaturelist which is verified by ECVi , and let Invalid ListEC Vi

denote the invalid signature list which is the output of ECVi .

The RSU can get the valid signature list by executingV alid ListEC Vi = T askListEC Vi − Invalid ListEC Vi . For allsignatures in list V alid ListEC Vi , the RSU performs batchauthentication as described in Equation (4). Obviously, if thebatch authentication is passed, it would imply that the RSU isnot deceived by ECVi . For all signatures in V alid ListEC Vi ,the RSU performs single authentication as described in Equa-tion (5) one by one. If ECVi had not deceived RSU, then noneof these single authentication would pass, otherwise, at leastone single authentication would get passed. Because the RSUchecks the lists V alid ListEC Vi and Invalid ListEC Vi at thesame time, ECVi cannot deceive the RSU successfully.

2) Identity Conditional Privacy Preserving: In the V2Vcommunication process, the vehicle does not use its own realidentity, but use its pseudo identity P I Di = {P I D1

i , P I D2i }

where P I D1i = ri · P and P I D2

i = RI D ⊕ h(ri · Ppub

).

According to the discrete logarithm problem (DLP), othervehicles cannot get the private key of the vehicle throughP I D1

i and P . At the same time, the key material is storedin the TPD of the vehicle which is unable to be cracked,so even the vehicle itself cannot leak any information storedin the TPD. Thus, for any vehicle other than the owner ofa pseudo identity, the real identity which is correspondingto the pseudo identity cannot be obtained on the basis ofthe public pseudo identities and known public information.In order to be able to investigate the responsibility of amalicious vehicle, the TA needs to trace the real identity of thevehicle. If the TA needs to trace the real identity of the vehicle,it can get the real identity through using the correspondingpseudo identity P I Di = {P I D1

i , P I D2i } according to the

following equation.

P I D2i ⊕ h

(s · P I D1

i

)= RI D⊕h

(ri · Ppub

)⊕h (s · ri · P)

= RI D ⊕ h(ri · Ppub

)⊕h(ri · Ppub

)

= RI D

3) Replay Attack Resistance: In order to avoid outdatedmessage, the message receiver first checks whether the mes-sage is expired or not. Let TR indicate the receiving time of themessage, T indicate the message departure time,�t1 indicatethe time difference between the vehicle’s clock and the systemclock, and �t2 indicates the network delay. If |TR − T | <�t1 + �t2, then the receiver accepts the message, otherwise,it indicates that the message is expired and the recipient wouldreject the message.

4) Unlinkability: As shown in subsection B of section III,the pseudo identity which the vehicle uses contains the randomnumber ri . The message signature uses a random number andthe system private key which is safety saved in the unhackableTPD. Therefore, there is no malicious attacker can link thetwo pseudo identies or two signatures generated by the samevehicle.

V. PERFORMANCE ANALYSIS

A. Computation Overhead Analysis

In this subsection, we compare the computation overhead ofour proposed scheme with three recent schemes that consist



TABLE IV

THE EXECUTION TIME OF CRYPTOGRAPHIC OPERATIONS

of two schemes based on bilinear pairing and one ECC-basedscheme.

For ID-based schemes using bilinear pairings, we use abilinear pairing e : G1 × G1 → G2 to achieve the securitylevel of 80 bits, where G1 is an additive group generated by apoint P with the order q on the super singular elliptic curveE : y2 = x3+x mod p with embedding degree 2, where p is a512 bit prime number and q is a 160 bit Solinas prime number.For ID-based schemes using the ECC, we construct an additivegroup generated by a point P on a non-singular elliptic curveE : y2 = x3 +ax +b mod p, and its order is q , where p,q aretwo 160 bit prime numbers, and a, b ∈ Z∗

p. On the platformof 3.4GHZ i7-4770 [16], we can get the basic cryptographicoperation execution time by using MIRACL library [27] asshown in Table IV.

In our scheme, the RSU can quickly find the invalid messagesignatures according to the authentication result sent fromECVi . In the following part, we consider the RSU’s authen-tication overhead and the RSU’s authentication overhead plusauthentication overhead from nearby vehicles respectively.In ideal situations, there is no malicious attacker in VANETs;while in some situations, the malicious attacker exists. So wealso consider the two kind of situations respectively.

First, we only consider the computation overhead of theRSU in ideal situation. For the batch authentication phase ofChim et al.’s scheme [14], the RSU needs to execute twobilinear pairing operations, 2n scalar multiplication operationsrelated to the bilinear pairing, and n hash-to-point operationsrelated to the bilinear pairing. Therefore, the execution time ofthe phase is 2Tbp + 2nTsm−bp + nTmtp = 7.824n + 8.422 ms.In the batch authentication phase of He et al.’s scheme [16],the RSU needs to execute n+2 scalar multiplication operationsrelated to the ECC and 2n small scalar multiplication opera-tions related to the ECC. Therefore, the execution time of thephase is (n + 2) Tsm−ecc + 2nTsm−ecc−s = 0.4972n + 0.884ms. For the batch authentication phase of Zhang et al.’sscheme [12], the RSU needs to execute 3 bilinear pairingoperations, n+1 scalar multiplication operations related to thebilinear pairing. Therefore, the execution time of the phase is3Tbp + (n + 1) Tsm−bp = 1.709n + 14.342 ms. For the batchauthentication phase of our proposed scheme, the RSU needsto execute n + 2 scalar multiplication operations related tothe ECC and n small scalar multiplication operations relatedto the ECC. Therefore, the execution time of the phase is

Fig. 6. The relationship between the overhead of RSU and the number ofmessages.

(n + 2) Tsm−ecc + nTsm−ecc−s = 0.4696n + 0.884 ms. Basedon the above data, Fig. 6 shows the linear relationship betweenthe overhead of the RSU end and the number of messageswhen the batch authentication pass at one blow.

As we can see from Fig. 6, the scheme proposed in thispaper is better than the scheme [14] and the scheme [12],and a little better than the scheme [16] in most cases, thatis, the batch authentication performed by the RSU which getspassed at one blow.

Next, we consider all message authentication overheadwithin one RSU’s domain in ideal situation, that is, the sum ofthe overhead of RSU and all vehicles in one RSU’s domain.Assuming that there are n vehicles in one RSU’s domain,and according to the DSRC protocol, the updating periodfor vehicles to send messages is about 300ms [28]. For easeof analysis, it is assumed that each vehicle sends only onemessage in the 300ms. And let bv(n) indicates the overheadof batch authentication, TRSU indicates the authenticationoverhead of the RSU, TV indicate the authentication overheadof one vehicle, and TallCost indicates the authentication over-head of one RSU’s domain. In Chim et al.’s scheme [14],the authentication task of the vehicle is completely handedto the RSU to be centralized processing, and the vehicleonly needs to inquire about the authentication result fromthe broadcast of the RSU if it wants to verify the message.Hence, in their scheme, TallCost = TRSU = bv (n) =7.824n + 8.422 ms. In He et al.’s scheme [16], the one whoreceives the message is responsible for verifying the message,that is to say, the RSU and vehicles verify the messageindependently. Hence, in their scheme, TallCost = TRSU +nTV = bv (n) + n · bv (n − 1) = 0.4972n2 + 0.884n + 0.884ms. In Zhang et al.’s scheme [12], the message recipientverifies the message independently, in other words, TallCost =TRSU+nTV = 1.709n+14.342+n [1.709 (n − 1) + 14.342] =1.709n2 + 14.342n + 14.342 ms. In our proposed scheme,the message authentication task is assigned to the RSU andthe ECVs, so the overhead of the vehicle end only consistsof the overhead of ECVs. Hence, in our proposed scheme,TallCost = TRSU + TV = TRSU + TEC V ≈ 0.4696n + 0.884 +0.4696 (n − 1) = 0.9392n + 0.4144 ms. Based on the above



Fig. 7. The relationship between the overhead of RSU and the number ofmessages.

Fig. 8. The relationship between RSU’s overhead and the number ofmessages, and the ratio of invalid message signatures in one RSU’s domainwhen existing the malicious attacker in our proposed scheme.

data, we can get the relationship between the total overheadof the message authentication and the number of vehiclesin one RSU’s domain when all of batch authentication passsuccessfully, as shown in Fig. 7.

It can be seen from Fig. 7 that the efficiency of our schemeis significantly better than that of other schemes when thesystem does not have any invalid signature.

In the real VANETs scenario, there are often maliciousattackers which may produce invalid signatures. In this case,it would be very time-consuming if the RSU verifies themessage signatures independently because the batch authenti-cation have a high probability to fail. In our proposed scheme,the task to find invalid signatures is outsourced to ECVs, andthe RSU just needs to check the results from ECVs. Let nindicate the number of messages in one RSU’s domain, andε indicate the percentage of invalid signatures. When thereis at least one invalid signature, the overhead of the RSU isTRSU = nε · 1.326 + 0.4696 (n − nε) + 0.884 = 0.8564nε +0.4696n + 0.884 ms. Fig. 8 shows the relationship betweenthe overhead of the RSU and the number of messages, andthe percentage of invalid message signatures in this situation.

As is shown in Fig. 8, even the invalid message signatureratio is as high as 0.1 (the literature [29] pointed out that theattacker can compromise at most 10% vehicles), the RSU canverify more than 500 messages which contain 10% invalidmessages within the message update period of the vehicle,i.e., 300ms. While the other scheme [14] do not employ the

Fig. 9. The relationship between RSU’s overhead and the number ofmessages, and the ratio of invalid message signatures in one RSU’s domainwhen existing the malicious attacker in Chim et al.’s scheme.

TABLE V

COMPARISON OF COMMUNICATION COST

idea of edge computing, the binary search method combinedwith batch authentication is executed on RSU’s side. If theratio of the invalid signatures is slightly larger, the overhead ofthe RSU would be very large and we can see the phenomenonfrom Fig. 9. Comparing Fig. 8 with Fig. 9, we can drawa conclusion that the RSU in our proposed scheme has asignificantly lower authentication overhead.

In terms of the vehicle, the general vehicle is same withthat in Chim et al.’s scheme except in case 4, that is, thereis no message authentication overhead. And we will analysecase 4 in the follow subsection.

B. Communication Cost Analysis

In this subsection, we analyze the communication cost ofrelevant ID-based schemes for VANETs. Since the sizes ofp and p are 64 bytes and 20 bytes respectively, the sizes ofthe elements in group G1 and G are 128 bytes and 40 bytesrespectively. Besides, let the sizes of the hash function’s outputand timestamp be 20 bytes and 4 bytes respectively. Thecomparison of computation costs is presented in Table V.

In Chim et al.’s scheme [13], the vehicle broadcasts thepseudo identity and signatures {P I Di , Mi , σi } to the verifier,where P I Di = {P I D1

i , P I D2i }, P I D1

i , I D2i , σi ∈ G1. There-

fore, the communication cost of their scheme is 128×3 = 384bytes. In He et al.’s scheme [15], the vehicle broadcaststhe pseudo identity and signatures {P I Di , Ri , σi , Ti } whereP I Di = {P I D1

i , P I D2i }, P I D1

i , P I D2i , Ri ∈ G1. Therefore,

the communication cost of their scheme is 40 × 3 + 20 +4 = 144 bytes. In Zhang et al.’s scheme [11], the vehiclebroadcasts the pseudo identity and signatures {P I Di , σi , Ti }where P I Di = {P I D1

i , P I D2i }, P I D1

i , P I D2i , σi ∈ G1.

Therefore, the communication cost of their scheme is 128 ×3+4 = 388 bytes. In our proposed scheme, the vehicle broad-casts the pseudo identity and signatures {P I Di , σi , Ti }, where



P I Di = {P I D1i , P I D2

i }, P I D1i , Ri ∈ G, σi , P I D2

i ∈ Z∗q .

Therefore, the communication cost of our scheme is 40+20×2 + 4 = 84 bytes.

C. Analysis on Cuckoo Filter

In this subsection, we analyze the cuckoo filter approachbecause the cuckoo filter have the relatively small false pos-itive rate, which refer to the probability of falsely rejectingthe null hypothesis for a particular test. The false positive ratehas an influence on the efficiency of our proposed scheme.The following work shows that the impact is very small.

According to [23], the false positive of the cuckoo filterrate is Pr(F P) = 1 − (1 − 1/2 f )b, in which f refers to thefingerprint size of the item, b refers to the bucket size. Here,we set b = 4 because four buckets can achieve more than 95%space utilization rate [23]. Thus, the probability of case 3 isPr(case4) = 1 − (1 − Pr(F P))2 = 1 − (1 − (1 − 1/2 f )4)2.We can find that the larger the value of f , the lower thevalue of Pr(case4) and the larger space overhead the cuckoofilter. So we need adaptively change the value of f . Whenf = 12 bi ts, Pr(case4) drops to about 0.00195. That is,if there are 1000 signatures which the RSU in a batch,on average only 2 signatures will be affected by the falsepositive and need the cuckoo filter receiver to authenticationthe signatures independently. The use of cuckoo filter willbring more computation and communication overhead.

First, we analyze the computation overhead. In order to getthe overhead of the insert and query operation, we calculate thetwo operation execution time in the cuckoo filter which is writ-ten in C++ with the parameter settings as shown in Table VI.And we find that the execution time of 1000000 times oper-ations of insertion Tcuckoo−insert and query Tcuckoo−query are173ms and 66ms respectively. So we can get a conclusion thatthe insertion and query operation overhead of cuckoo filtercan be neglected. However, when case 4 happens, the vehicleneed to verify the message signature independently whichwill bring extra computation overhead. So the vehicle whichneeds to query one message has the average computationoverhead Tavg = Pr(case4) · 3Tsm−ecc + Tcuckoo−query =1.326(1 − (1 − (1 − 1/2 f )4)2) + Tcuckoo−query ms. Using theabove parameter settings, the average computation overheadfor the cuckoo filter query operation is only about 0.00265mswhich is negligible.

Next, we analyze the communication overhead. We assumethat the RSU need to send n message legitimacy informationand the fingerprint size is 12 bits. After the RSU puts nfingerprints into the two cuckoo filters, it needs to sign thesefilters using an ECDSA signature which is 56 bytes long.Together with a message header of 2 bytes long, the totalmessage overhead for verifying a batch of n signatures is2 + �12n/8� + 56 = �12n/8� + 58 bytes.

D. Analysis on the Selection Strategy on ECVs

RSU can get the instantaneous distance information bycalculating the coordination which is contained in BSM pack-ets sent from nearby vehicles. It’s noteworthy that knowingthe instantaneous distance is enough to determine whetherthe corresponding vehicle is qualified to be the ECV. In our

TABLE VI

CUCKOO FILTER SETTINGS

scheme, the ECV can finish one message authentication task atmost in 500ms in most cases even if the number of messagesreached one thousand. In China, the speed limit in highwayis 120km/h, so the ECV only moved at most a dozen metersduring the message authentication task, which is negligiblecompared with the valid max transmission range in DSRCstandard (1000meters) [28].

We test the ECV selection algorithm based on scikit-fuzzy [30] which is a Python written fuzzy logic library. Andwe find that the total computation overhead of fuzzification,fuzzy roles mapping and defuzzification is only about 1.2mson Intel i7-6700 platform. As long as RSU is equipped witha modern multi-core CPU, the computation overhead of ECVselection algorithm is negligible for RSU. The following tworeasons guarantee the ECV selection strategy can be carriedout all the time. First, There are always existing many vehiclesmoving toward the RSU which means that some of them havethe potential to be ECVs at certain points. Second, the vehiclealways has the extra computation resource.

VI. CONCLUSION AND FUTURE WORK

The instantaneous characteristics of VANETs significantlyreduce the efficiency of message signing and authentication.Therefore, this paper introduces an edge-computing conceptto improve the efficiency of message authentication. In ourscheme, the ECVs and RSU share the authentication tasksof all the vehicles in the domain of the RSU, thus reducingthe burden on the RSU, significantly decreasing redundantauthentication, and improving the operational efficiency of theentire VANET system. The security analysis results show thatthe proposed scheme meets the basic security requirementsof VANETs. The performance analysis results show that theperformance of the proposed scheme is better than that of theconventional scheme, making it more suitable for deploymentin real VANET scenarios.

In our proposed scheme, edge computing is only used inthe message authentication process of the VANETs, i.e., onlyfor computation, without requiring any storage. In the future,we plan to incorporate edge computing into the VANETs byallowing high frequency access information to be temporarilystored in the ECVs to enhance the efficiency of the entireVANET system.

ACKNOWLEDGMENT

The authors are very grateful to the anonymous referees fortheir detailed comments and suggestions regarding this paper.



REFERENCES

[1] J. Cheng, J. Cheng, M. Zhou, F. Liu, S. Gao, and C. Liu, “Routing inInternet of vehicles: A review,” IEEE Trans. Intell. Transp. Syst., vol. 16,no. 5, pp. 2339–2352, Oct. 2015.

[2] Y. Xie, L. Wu, Y. Zhang, and J. Shen, “Efficient and secure authenti-cation scheme with conditional privacy-preserving for VANETs,” Chin.J. Electron., vol. 25, no. 5, pp. 950–956, 2016.

[3] S. Jiang, X. Zhu, and L. Wang, “An efficient anonymous batch authen-tication scheme based on HMAC for VANETs,” IEEE Trans. Intell.Transp. Syst., vol. 17, no. 8, pp. 2193–2204, Aug. 2016.

[4] S. Zeadally, R. Hunt, Y.-S. Chen, A. Irwin, and A. Hassan, “Vehicularad hoc networks (VANETs): Status, results, and challenges,” Telecom-mun. Syst., vol. 50, no. 4, pp. 217–241, 2012.

[5] Y. Sun, R. Lu, X. Lin, X. Shen, and J. Su, “An efficient pseudony-mous authentication scheme with strong privacy preservation for vehic-ular communications,” IEEE Trans. Veh. Technol., vol. 59, no. 7,pp. 3589–3603, Sep. 2010.

[6] C.-C. Lee and Y.-M. Lai, “Toward a secure batch verification with grouptesting for VANET,” Wireless Netw., vol. 19, no. 6, pp. 1441–1449, 2013.

[7] J. K. Liu, T. H. Yuen, M. H. Au, and W. Susilo, “Improvements onan authentication scheme for vehicular sensor networks,” Expert Syst.Appl., vol. 41, no. 5, pp. 2559–2564, 2014.

[8] M. Raya and J.-P. Hubaux, “Securing vehicular ad hoc networks,”J. Comput. Secur., vol. 15, no. 1, pp. 39–68, 2007.

[9] J. P. Hubaux, S. Capkun, and J. Luo, “The security and privacy ofsmart vehicles,” IEEE Security Privacy, vol. 2, no. 3, pp. 49–55,May/Jun. 2004.

[10] C. Zhang, X. Lin, R. Lu, and P.-H. Ho, “RAISE: An efficient RSU-aidedmessage authentication scheme in vehicular communication networks,”in Proc. IEEE Int. Conf. Commun. (ICC), May 2008, pp. 1451–1457.

[11] C. Zhang, X. Lin, R. Lu, P. H. Ho, and X. Shen, “An efficient messageauthentication scheme for vehicular communications,” IEEE Trans. Veh.Technol., vol. 57, no. 6, pp. 3357–3368, Nov. 2008.

[12] Z. Jianhong, X. Min, and L. Liying, “On the security of a secure batchverification with group testing for VANET,” Int. J. Netw. Secur., vol. 16,no. 5, pp. 351–358, 2014.

[13] M. Bayat, M. Barmshoory, M. Rahimi, and M. R. Aref, “A secureauthentication scheme for VANETs with batch verification,” WirelessNetw., vol. 21, no. 5, pp. 1733–1743, 2015.

[14] T. W. Chim, S. M. Yiu, L. C. K. Hui, and V. O. K. Li, “SPECS: Secureand privacy enhancing communications schemes for VANETs,” Ad HocNetw., vol. 9, no. 2, pp. 189–203, 2011.

[15] Y. Liu, L. Wang, and H. Chen, “Message authentication using proxyvehicles in vehicular ad hoc networks,” IEEE Trans. Veh. Technol.,vol. 64, no. 8, pp. 3697–3710, Aug. 2014.

[16] D. He, S. Zeadally, B. Xu, and X. Huang, “An efficient identity-basedconditional privacy-preserving authentication scheme for vehicular adhoc networks,” IEEE Trans. Inf. Forensics Security, vol. 10, no. 12,pp. 2681–2691, Dec. 2015.

[17] H. Zhong, J. Wen, J. Cui, and S. Zhang, “Efficient conditional privacy-preserving and authentication scheme for secure service provisionin VANET,” Tsinghua Sci. Technol., vol. 21, no. 6, pp. 620–629,2016.

[18] W. Shi, J. Cao, Q. Zhang, Y. Li, and L. Xu, “Edge computing: Visionand challenges,” IEEE Internet Things J., vol. 3, no. 5, pp. 637–646,Oct. 2016.

[19] W. Shi and S. Dustdar, “The promise of edge computing,” Computer,vol. 49, no. 5, pp. 78–81, 2016.

[20] X. Lin, R. Lu, C. Zhang, H. Zhu, P.-H. Ho, and X. Shen, “Securityin vehicular ad hoc networks,” IEEE Commun. Mag., vol. 46, no. 4,pp. 88–95, Apr. 2008.

[21] V. Miller, “Use of elliptic curves in cryptography,” in Proc.Adv. Cryptology—CRYPTO. New York, NY, USA: Springer, 1986,pp. 417–426.

[22] N. Koblitz, “Elliptic curve cryptosystems,” Math. Comput., vol. 48,no. 177, pp. 203–209, 1987.

[23] B. Fan, D. G. Andersen, M. Kaminsky, and M. D. Mitzenmacher,“Cuckoo filter: Practically better than bloom,” in Proc. 10th ACM Int.Conf. Emerg. Netw. Experim. Technol., 2014, pp. 75–88.

[24] P. Hájek, Metamathematics of Fuzzy Logic (Trends in Logic), vol. 4.1998, pp. 155–174.

[25] W. Pedrycz, Fuzzy Control and Fuzzy Systems, 2nd ed. Baldock, U.K.:Research Studies Press, 1993.

[26] D. Pointcheval and J. Stern, “Security arguments for digital signaturesand blind signatures,” J. Cryptol., vol. 13, no. 3, pp. 361–396, 2000.

[27] Shamus Software Ltd. MIRACL Library. Accessed: May 1, 2015.[Online]. Available: http://www.shamus.ie/index.php?page=home

[28] J. B. Kenney, “Dedicated short-range communications (DSRC) standardsin the United States,” Proc. IEEE, vol. 99, no. 7, pp. 1162–1182,Jul. 2011.

[29] J.-L. Huang, L.-Y. Yeh, and H.-Y. Chien, “ABAKA: An anonymousbatch authenticated and key agreement scheme for value-added servicesin vehicular ad hoc networks,” IEEE Trans. Veh. Technol., vol. 60, no. 1,pp. 248–262, Jan. 2011.

[30] F. Pedregosa et al., “Scikit-learn: Machine learning in Python,” J. Mach.Learn. Res., vol. 12 no. 10, pp. 2825–2830, 2012.

Jie Cui received the Ph.D. degree in computerscience and technology from University of Scienceand Technology of China in 2012. He is currentlyan Associate Professor with the School of ComputerScience and Technology, Anhui University, China.He has authored over 50 papers. His current researchinterests include applied cryptography, Internet ofThings security, vehicular ad hoc networks, andsoftware-defined networking.

Lu Wei is currently a Research Student with theSchool of Computer Science and Technology, AnhuiUniversity, Hefei, China. His research focuses onvehicle ad hoc networks.

Jing Zhang is currently a Research Student withthe School of Computer Science and Technology,Anhui University. Her research interest is vehicle adhoc networks.

Yan Xu received the Ph.D. degree from Universityof Science and Technology of China in 2015. She iscurrently a Lecturer with the School of ComputerScience and Technology, Anhui University. Herresearch interests include network and informationsecurity.

Hong Zhong received the Ph.D. degree from Uni-versity of Science and Technology of China in 2005.Since 2009, she has been a Professor with theSchool of Computer Science and Technology, AnhuiUniversity, China, where she is currently the Dean.She has authored over 100 papers. Her researchinterests include applied cryptography, Internet ofThings security, vehicular ad hoc networks, andsoftware-defined networking.

Documents

2019 IEEE Projects | Diploma projects | IEEE projects 2019-2020 - … Efficient Message... · 2018-05-30 · computation overhead, He et al. [16] proposed an elliptic-curve-cryptography(ECC)-based