A weight-based conditional privacy-preserving authentication scheme in software-defined vehicular network

The rapid development of vehicular ad hoc networks (VANETs) has brought significant improvement to traffic safety and efficiency. However, owing to limitations associated with VANETs’ own unchanging model and traditional network structure, there are still many challenging concerns such as poor flexibility and controllability to deal with. To solve these inherent problems effectively, we propose a weight-based conditional anonymous authentication scheme by introducing the newly emerging software-defined networking (SDN) framework. Firstly, by making use of the global planning and dynamic management features of SDN, vehicles are classified into different priorities using weighted values to reduce communications redundancy, and control the participation of malicious vehicles. Then, an efficient conditional privacy-preserving scheme was developed to secure communications among vehicles. A two-step tracing approach has been designed to exclude and punish vehicles whose weights drop below the threshold. Extensive analyses indicate that our conditional privacy-preserving scheme is secure and has lower computation costs than conventional state-of-the-art authentication schemes.

The application of the Internet of Things (IoT) has effectively promoted the intelligent development of all fields of life [1, 2]. These applications has made limited resources more reasonably used and distributed, thereby improved industry efficiency and effectiveness [3, 4]. Representatively, the vehicular network currently has provided people with many life-changing benefits that they may not realize. VANETs were introduced to make vehicles safer and to offer an efficient tool to enhance the driving experience. They have attracted attention from both academia and industry since inception [5]. The onboard units (OBU) installed in vehicles allow communications between vehicles (V-2-V) as well as between vehicles and infrastructures (V-2-I) [6]. This hybrid combined network can offer many kinds of services that will bring great convenience and enhancements to current applications, such as optimum path planning, and broadcasting warnings of road accidents and other newsworthy events [7, 8]. Despite these advantages, security during communications must be considered when VANETs are used in real applications. This is for protecting the privacy of vehicles and prevent malicious users from damaging the system [9]. To overcome the shortcomings, many researchers have proposed anonymous authentication schemes to ensure secure communications [10, 11]. For instance, a conditional privacy protection authentication scheme in a multi-cloud environment [12] was proposed to secure the privacy and anonymity of vehicles by combining with cloud computing [13, 14].

However most of the present schemes are designed in traditional networks. There are some inherent problems in traditional networks, such as they can not suit the fastly changing topology of VANETs and may cause some uncontrollable security threats. Chen et al. [15] gave a survey on security problems on Software Defined Mobile Network (SDMN). To some extent, SDVN is similar to SDMN, such as the fast changing topology, as well as frequent joining and leaving. By this we got inspired to introduce SDN into VANETs to cope with those security problems. The survey of Jaballah et al. [16] gave a new direction to resolving the privacy problem in VANETs by including SDN technology [17].

SDN is a newly emerging and promising technology that breaks the traditional network model by decoupling the control and data planes. In the control plane, all the managing and monitoring functions are logically united into one entity called a controller. The data plane includes all kinds of wired or wireless networking infrastructure used to forward network traffic. In this way, the system can release routing-related equipment from heave forwarding jobs using the programmable properties of SDN to ease and enhance the overall network performance [10].

This new network architecture has received significant attention from mobile networks such as VANETs for its abilities to enhance performance, flexibility, and scalability [18]. By concentrating all protocol-specific features in the software, this extension of the SDN paradigm is expected to incorporate mobile network specific functionality [19]. Moreover, the new architecture also brings new opportunities and approaches to cope with some inherent problems in traditional networks, especially regarding security [20]. There have been some studies dedicated to solving security problems in the control plane [21], such as distributed denial-of-service and malware attacks. However, the security and privacy problems existing in the data plane have not received focus.

We are proposing a conditional privacy-preserving scheme, which is used to protect the communication security and improve network efficiency in a SDVN framework. In our scheme, a weigh-based is offered to execute the first-step detection as a filter to lower the message density. As background, the detailed work process and weighting system will be explained in “Background” section.

Our contributions

In this paper, we propose a conditional authentication scheme that offers a weight-based system to monitor malicious vehicles when protecting the privacy of vehicles in SDVNs. The main contributions of our scheme are threefold.

1. 1

   To support communication privacy and efficient traceability in SDVNs, a message privacy-preserving authentication scheme is proposed with two-step tracing. The authentication scheme relieves local controllers of the need to store information about vehicles and system parameters. The layered controller model also relieves the global controller of the heavy work burden of computation and reduces deployment costs.

2. 2

   We have built a framework of weight-based incentive system by offering vehicles candidate forwarding sets (CFSs) in the SDVN framework to encourage vehicles to upload correct and real-time information about traffic and roads. Information uploaded by vehicles will be used to enhance driving experiences like route planning and avoiding traffic congestion. This system evaluates vehicles and sets their priorities according to their weight values. Vehicles with low weight values will lose trust from controllers after a specific period.

3. 3

   Extensive analyses are performed to prove the security and efficiency of the proposed scheme.

Organization of this paper

The remainder of this paper is organized as follows. “Related work” section introduces the related works. “Background” section tells the system model and some background acknowledges used in our study. “Proposed scheme” section presents our specific scheme. Then, “Security proof and analysis” section shows the detailed security proof and analysis. In “Performance analysis” section, we give the performance evaluation and comparison. Finally, “Conclusion” section gives the conclusion and some concluding remarks.

There have been many works dedicated to designing efficient conditional privacy-preserving schemes [13, 22–25] to secure vehicles’ identities and communications [26–28]. With the advent of SDN technology, some research areas including VANETs have realized the convenience and advantages of this new network architecture. SDN has been introduced to address some inherent problems in [10, 13, 21, 29–33].

Shao et al. [34] proposed an anonymous authentication protocol for VANETs by using a new group signature scheme, which achieved threshold authentication and group signature in VANETs. However, massive and heavy computation overhead coming with bilinear pairing operation and map-to-point hash operation may strictly limit its practicability.

Lai et al. [35] proposed an integrated network architecture for secure group communication in SDN-based 5G-VANETs. With this scheme, some security challenges in both decentralized and centralized networks can be addressed and the performance evaluation proved to be outstanding, but it lacks a detailed concrete privacy-preserving approach to guarantee vehicles’ privacy. In [36], they introduced a unified secure and seamless IP communications framework for a group-oriented heterogeneous vehicular environment. The framework aimed to make use of the advantages of a SDN structure to set up the platoon securely and flexibly and control the handover signaling overload.

Cui et al. [37] designed an authentication protocol for 5G-enabled vehicular networks in which TA is in charge of the reputation management to filter vehicles with a reputation score below a given threshold, which reduces the existence of untrusted messages in VANETs. Zhang et al. [38] proposed a novel Chinese remainder theorem based conditional privacy-preserving authentication scheme to secure vehicular authentication. This scheme solved the leakage problem during side channel attacks and ensured security for the entire system.

Jaballah et al. [16] gave a detailed survey on SDVNs that introduced benefits, future directions and existing challenges, especially about communications security.

Garg et al. [39] presented a SDN based privacy-preserving scheme for vehicular networks at a 5G perspective. The scheme provided end-to-end security methods through its inbuilt modules including authentication and intrusion detection. The authentication scheme relies on ECC to authenticate the CA, CH, and the vehicles before data transmission. And the intrusion detection employs the concept of tensor-based dimensionality reduction to reduce the size of vehicular traffic data then expose it for detection. However, this scheme only introduced the identity authentications between CA and CH as well as CH and vehicles. The further message authentication scheme was not designed to secure communication. In addition, the authentication scheme may require too much computation and storage which will cause great overhead and delay while deploying.

Huang et al. [40] proposed 5G software-defined vehicular network model. Based on that, a conditional privacy-preserving authentication scheme which avoided single point of failure problems and using of ideal tamper-proofed device and certificate revocation list (CRL). The scheme used a revocation list to reduce the verification delay caused by checking the long CRL, and storage coming with the large number of pseudonyms in the CRL. However, every second pseudo identity (SPID) of V_i has a validation time and can only be used once, then it will be removed from the list. This design will cost too much storage and computation overhead while tracking the real identities of malicious vehicles.

In this section, we formalize the weight value computation system. Assumptions and security goals will be elaborated in detail as well.

System model

The proposed system model is composed of the following entities: global controller (GC), local controller (LC), the deployed access point (AP) and cellular network base station (BS), transport manager (TM) and OBUs that are preloaded on the vehicles, as presented in Fig. 1. Functions of these network entities and related assumptions will be demonstrated followed.

1. 1

   GC: The global controller of this system has extremely outstanding computing and storage capabilities compared with LCs and OBUs. In the narrower SDN system, the controller is a logic centralized strategy point based on OpenFlow protocol, and responsible for managing traffic flow, route discovery, and other control work. In our scheme, like the traditional Trusted Authority, the GC takes responsible for some heavy computation missions like generating and distributing system parameters, as well as updating them periodically. Beyond that, the GC also monitors and manages the global network, including updating route strategy and detecting malicious members. When necessary, the GC will take part in tracking real identities of vehicles.

   

   The system model of the proposed scheme

   Full size image

2. 2

   LC: Local controllers in the scheme are designed mainly for balancing the computation burden of the GC, and decline the cost of deployment considering the real situation. The layered structure is shown in Fig. 2. Each local controller takes charge of one specific area. Like the traditional Roadside Units, when received the requesting message including the real identity from a vehicle, the LC will return the pseudo-identity, the secret key, and some other parameters to the sender. Beyond that, LCs also make local route strategy, compute weight values, and execute some other controlling actions. But in consideration of security and storage costs, LCs will not store any of these identities entries. When there is a necessity to track the true identity, the LC will check if it has the ability to extract. If not, it submits the message to GC. Tracking steps will be presented in “Proposed scheme” section in detail.

   

   The structure of controllers

   Full size image

3. 3

   OBU: OBU is a computing unit that is preloaded in the vehicle. OBUs get access to wireless networks and offer vehicles various network services like navigation and disaster warning. Besides, OBUs submit vehicle conditions and surrounding traffic situations. These feedback will be used by LCs and GC to get overall planning for vehicles themselves [41].

4. 4

   AP and BS: Vehicles in our system can get access to not only cellular networks like 3G/4G/5G, but also city WiFi via access points and other types of networks. For ubiquitous 5G base stations still requires a quite long period to deploy, and the cost may be unaffordable for some users. So the coexistence of different types of networks is necessary.

5. 5

   TM: Transport manager is the vehicle-managing authority. It would notify and warn vehicle owners when their vehicles’ weight values drop below a specific threshold value.

The system assumptions are presented as below:

• The GC is completely trustable and can not be compromised.

• LCs is trusted but their capabilities are limited and far from taking place of the GC.

• Vehicles are half-trusted, but the vital parameters stored inside are not available to adversaries.

• The overall roads map and building distribution have been preloaded in GC. Local maps and distributions are preloaded in corresponding LCs.

Controllers in our scheme are only responsible for traffic managing and route planning or other network-related affairs. Vehicles management and other social service applications will be allowed to plug into the unified north APIs offered by controllers.

Weight computation system

In our proposed model, the weight computation system computes CFSs for vehicles. According to vehicles’ weight values in the current period, the system will classify them into different priorities for vehicles in the present area [37]. By introducing this model, vehicles that have sent too many bogus messages will be squeezed out of the high priority set. More invalid or fake messages they send, lower priorities will be labeled on them. The main mechanism of this part is shown in Fig. 3.

How the system model works

Full size image

1. 1

   When the vehicle V_i intends to send messages in the current area, it will request present parameters and its CFS via wireless network.

2. 2

   When received requested messages from vehicles, the LC will return security parameters and corresponding CFSs according to preloaded road maps and conditions of vehicles. The main elements that should be considered in our environment are:

   1. (a)

      Relative Distance (RDst): Denotes the relative distance between V_i and other vehicles according to their relative speeds.

   2. (b)

      Remaining Power (Pwr): Denotes the remain power including computing and storing capabilities of vehicles in the current areas. Vehicles with low remaining power may will not be able to afford other missions while satisfying their own needs.

   3. (c)

      Network Situation (NS): Denotes the network situations that vehicles getting access to including average expenses and traffic speeds.

   4. (d)

      Bogus Message (BM): Denotes the number of messages that a vehicle has sent in one specific period. In one accumulation cycle, the first time it gets detected, its BM value will be set as s. The second time, s=s+n1s, n1 is an appropriate coefficient that suits the present environment of this area. Similarly, the third bogus message will make s=n+n1s+n2s,n1≥1,n2≥1, and so on. It means that more bogus messages are detected from one vehicle, its weight value drops more quickly than constant multiple speed.

   5. (e)

      Other Elements (OE): There are a lot of roads conditions that should be taken seriously such as the distributions of buildings. For example, since the deployment of new 5G base stations are under way, the feature that its signal suffers more serious loss compared with other cellular networks should be taken into consideration. And if vehicles tend to transmit files like streaming files, the size of messages and their priorities must be taken into consideration as well, for there are great differences among the expenses of different networks.

   Take all the elements into count, the final weight computation formula would be

   $$ W_{v,i} = w_{1} RDst+w_{2} Pwr+w_{3} NS+w_{4} BM+w_{5} OE. $$

   (1)

   where w₁+w₂+w₃+w₄+w₅=1. After computing all the weight values in the area, the LC will set their priories. Here we set priorities as four levels: L1 (prior), L2 (sub-prior), L3 (medium) and L4 (low). The priories calculation method is shown as Algorithm 1. Then the LC returns security parameters with the CFS to the requesting vehicle. When all necessary contents are acquired, the vehicle will sign messages via the authentication scheme demonstrated in the next section. Then it sends out messages with the CFS attached as Algorithm 2 shows. If received messages, vehicles will check its priority in the CFS. If its priority is L1, it forwards without waiting. If the priority level is lower than L1, it awaits for a specific period. If vehicles do not receive ACK packages from the higher-level ones in this period, they forward [29]. Since the CFS is not integrated with any specific routing algorithm, it can be applied with all kinds of routing models to offers better candidates.

3. 3

   When an accumulation phase ends, LCs will upload to the GC entries of vehicles’ information. The numbers of bogus messages vehicles had sent in the previous period will be recorded.

4. 4

   Received real-time entries from LCs, the GC will upload its table with both the real identities it tracked and LCs submitted.

5. 5

   When vehicles are found their weight values have dropped below the threshold value, the GC will inform TM to take appropriate actions.

Security goals

Here we introduce the main security goals that our proposed scheme is aimed to achieve.

1. 1

   Authentication: Messages issued by vehicles should be signed by senders so that receivers could verify the integrity and authenticity of messages.

2. 2

   Identity Privacy Preserving: Vehicles in our model use pseudo identities to communicate, so that no third party with no authorization could track vehicles’ real identities.

3. 3

   Traceability: Though vehicles use pseudo identities to communicate, controllers need to be able to track their real identities when it’s necessary.

4. 4

   Unlinkability: Adversaries are not able to link messages sent by the same vehicle or to trace the vehicle’s movement tracks.

5. 5

   Resistance to Attacks: The proposed scheme is able to resist various other common attacks, for example, forgery attack, replay attack, impersonation attack, modification attack, and man-in-middle attack.

To achieve privacy-preserving and efficient traceability while communicating, the authentication scheme designed for our SDVN environment will be presented in detail in this section. Firstly, the GC chooses parameters and distributes them. When a LC receives parameters, it will set the system. Then if a vehicle enters into the managing range of the LC and requires to sign and send messages, the LC will choose the best CFS and send to it. Then the vehicle broadcasts the signed message with the CFS attached. Adjacent vehicles will check if they are in the CFS. If in, it verifies the message and decides to abandon or transfer. If it is necessary to track the identities of vehicles, our scheme offers a two-step tracing approach, which balances the computations and storage overloads of LCs and the GC to the greatest extent.

System initialization

Let F_p be a finite field, and p be a large prime number and the size of the field. (a,b)∈F_p are the parameters of the elliptic curve of E. P is the generator and q is the prime order of E. Some notations and definitions in our scheme are presented in Table 1.

1. 1

   The GC chooses \(H0:\{0,1\}^{*} \rightarrow Z_{q}^{*}\), \(H1:\{0,1\}^{*} \times G\rightarrow Z_{q}^{*}\), \(H2:\{0,1\}^{*} \times G\rightarrow Z_{q}^{*}\), \(H3:\{0,1\}^{*} \rightarrow Z_{q}^{*}\), \(H4:\{0,1\}^{*}\times \{0,1\}^{*}\times G\times \{0,1\}^{*}\times \{0,1\}^{*} \rightarrow Z_{q}^{*}\,\). Then it randomly selects \(\alpha,\beta,s\in Z_{q}^{*}\), s as the secret key and P_pub=sP as the public key of controllers system. Then the GC transmits parameters to LCs via secure channels.

2. 2

   When the LC_i receives parameters generated by GC, it computes A= α·P·H0(PID_LC,i), B= β·P, where PID_LC,i=ID_i⊕H1(P_pub∥B). Then LC_i publishes {H0,H1,H2,H3,H4,P,P_pub,q,PID_LC,i,A,B} as the present system parameters.

3. 3

   To successfully track the identities of vehicles when necessary, the GC stores a 5-tuple (PID_LC,is,P_pub,T_start,T_end). T_start and T_end means the enabling and disabling times respectively of secret keys s. To save computation cost, secret keys can serve irregular circularly. But to ensure the security of controllers, LCs don’t save any of them.

Vehicles registration

When vehicle V_j enters into the range of the LC_i, it sends request message including its identity ID_v,j to the LC_i. Then LC_i computes PID_v,j=LC_i⊕H2(s∥B) as its pseudo identity, SK_j=α·H3(PID_v,j) as its secret key.

Message signing and verifying

When V_j tends to communicate with other entities, it signs and encapsulates messages with attached data such as CFS_j. Surrounding vehicles will check if they are in CFS_j. If not, they retain the message for temporary and wait for ACK packages. Else they verify the signature then reforward it with its own CFS.

1. 1

   V_j randomly chooses a number \(r_{j}\in Z_{q}^{*}\) and lets R_j=r_j·P. And V_j signs message M with computing

   $$ {\begin{aligned} \sigma&=SK_{j}\cdot H0\left(PID_{LC,i}\right)\\&+r\cdot H4\left(M\Vert PID_{LC,i}\Vert R_{j}\Vert T_{t}\Vert CFS_{j}\right)mod\ q \end{aligned}} $$

   (2)

   where M denotes related message and T_t is the timestamp.

2. 2

   Then V_j issues out the message msg as the form of {M∥R_j∥PID_v,j∥PID_LC,i∥T_t∥σ∥P_pub∥CFS_j}.

3. 3

   To verify the message received, firstly timestamp T_t is checked. If it’s still fresh, then (3) will be verified if it holds.

   $$ \begin{aligned} \sigma\cdot P&=A\cdot H0\left(PID_{v,j}\right)\\ & +r\cdot H4\left(M\Vert PID_{LC,i}\Vert R_{j}\Vert T_{t}\Vert CFS_{j}\right)mod\ q. \end{aligned} $$

   (3)

   Batch Verification: When a vehicle receives n messages in a short interval, verifying them piece by one will consume lots of time and energy. So our scheme allows batch verification. Firstly, receiver checks if T_t,1,T_t,2,...,T_t,n are fresh. Then it selects n ephemeral values e₁,e₂,...,e_n randomly, where e∈[1,2^t] and t is a small integer. Finally, receiver verifies whether Eq. (4) holds.

   $$ {\begin{aligned} \sum_{j=1}^{n} \left(e_{j}\cdot\sigma_{v,j}\right)\cdot P &=\left(\sum_{j=1}^{n} e_{j}\cdot A_{j}\cdot H0\left(PID_{v,j}\right)\right)\\ &+\left(\sum_{j=1}^{n} e_{j}\cdot R_{j}\cdot H4\left(M\Vert PID_{LC,i}\Vert R_{j}\Vert T_{t}\Vert CFS_{j}\right)\right). \end{aligned}} $$

   (4)

Identity tracking

As we mentioned before, our scheme provides a two-step tracking approach to track a vehicle’s real identity when it is found the weight value drops below a certain threshold.

1. 1

   LC extracts P_pub from msg and judges if it equals the present P_pub. If it’s the present used parameter, the LC computes ID_v,j=PID_v,j⊕H2(s∥B). If P_pub extracted from msg does not equal to the serving one, it means the parameter expired or not published by the present LC, then the LC retransmits the message to GC.

2. 2

   GC extracts P_pub and T_t from msg. With T_t it can rapidly locate the corresponding tuple and find out the old secret key s in its storage. Then it computes and gains the real identity ID_v,j=PID_v,j⊕H2(s∥B). And based on protocols and laws, GC will blacklist vehicles for a certain period or refuse to offer services. Moreover, GC can submit malicious user’s list to related arbitration or credit managing apartment like TM.

Security proof

Firstly the definition of the elliptic curve discrete logarithm problem (ECDLP) that the whole analysis based on will be introduced.

Definition1(ECDLP): n∈Z_q and N=nP∈G, where P is the generator of the group G. Given N=nP it’s difficult to compute n. Then a game between adversary \(\mathcal {A}\) and challenger \(\mathcal {C}\) is introduced to set up the security model of our scheme.

Setup Oracle: In this query, \(\mathcal {C}\) generates the secret keys and other system parameters, which are sent to \(\mathcal {A}\).

H0 Oracle: On input m by \(\mathcal {A}\), \(\mathcal {C}\) chooses a random number r from Z_q and returns to \(\mathcal {A}\) while inserting the tuple (m,r) into list L_H0.

H1 Oracle: On input m by \(\mathcal {A}\), \(\mathcal {C}\) chooses a random number r from Z_q and returns to \(\mathcal {A}\) while inserting the tuple (m,r) into list L_H1.

H2 Oracle: On input m by \(\mathcal {A}\), \(\mathcal {C}\) chooses a random number r from Z_q and returns to \(\mathcal {A}\) while inserting the tuple (m,r) into list L_H2.

H3 Oracle: On input m by \(\mathcal {A}\), \(\mathcal {C}\) chooses a random number r from Z_q and returns to \(\mathcal {A}\) while inserting the tuple (m,r) into list L_H3.

H4 Oracle: On input m by \(\mathcal {A}\), \(\mathcal {C}\) chooses a random number r from Z_q and returns to \(\mathcal {A}\) while inserting the tuple (m,r) into list L_H4.

Sign Oracle: In this query, on receiving message M from \(\mathcal {A}\), \(\mathcal {C}\) generates msg and sends to \(\mathcal {A}\).

If adversary \(\mathcal {A}\) could generate a login request message, it is proved to be able to violate the authentication of the scheme. Let \(\Phi (\mathcal {A})\) denote the probability that \(\mathcal {A}\) violates the authentication of our scheme.

Definition 1.

Our scheme is secure if \(\Phi (\mathcal {A})\) is negligible for any polynomial adversary \(\mathcal {A}\).

We evaluated the proposed scheme and it is proved secure in the random oracle.

Theorem 1.

The proposed scheme is secure in the random oracle model.

Proof: Suppose that there exists adversary \(\mathcal {A}\) that could forge a msg. We construct a challenger \(\mathcal {C}\) that is able to solve the ECDLP problem with a non-negligible probability by running \(\mathcal {A}\) as a subroutine.

Setup Oracle: Firstly a security parameter k is taken as input. Then \(\mathcal {C}\) randomly selects a number s as its private key and computes P_pub=sP and \(\mathcal {C}\) sends {H0,H1,H2,H3,H4,P,P_pub,q,PID_LC,i,A,B}.

H0 Oracle: \(\mathcal {C}\) keeps a list L_H0〈PID_LC,i,h0〉 initialized to empty. When \(\mathcal {A}\) invokes this query with 〈PID_LC,i〉, \(\mathcal {C}\) checks if 〈PID_LC,i,h0〉 already exists in L_H0. If so, \(\mathcal {C}\) returns h0. Otherwise it generates a random h0=H0(PID_LC,i), inserts 〈PID_LC,i,h0〉 in L_H0 and returns h0 to \(\mathcal {A}\).

H1 Oracle: \(\mathcal {C}\) keeps a list L_H1〈P_pub,B,h1〉 initialized to empty. When \(\mathcal {A}\) invokes this query with 〈PID_LC,i,B〉, \(\mathcal {C}\) checks if 〈P_pub,B〉 already exists in L_H1. If so, \(\mathcal {C}\) returns h1. Otherwise it generates a random h1=H1(P_pub∥B), inserts 〈P_pub,B,h1〉 in L_H1 and returns h1 to \(\mathcal {A}\).

H2 Oracle: \(\mathcal {C}\) keeps a list L_H2〈s,B,h2〉 initialized to empty. When \(\mathcal {A}\) invokes this query with 〈s,B〉, \(\mathcal {C}\) checks if 〈s,B〉 already exists in L_H2. If so, \(\mathcal {C}\) returns h2. Otherwise it generates a random h2=H2(s∥B), inserts 〈s,B,h2〉 in L_H2 and returns h2 to \(\mathcal {A}\).

H3 Oracle: \(\mathcal {C}\) keeps a list L_H3〈PID_v,j,h3〉 initialized to empty. When \(\mathcal {A}\) invokes this query with 〈PID_v,j〉, \(\mathcal {C}\) checks if 〈PID_v,j〉 already exists in L_H3. If so, \(\mathcal {C}\) returns h3. Otherwise it generates a random h3=H3(PID_v,j), inserts 〈PID_v,j,h3〉 in L_H3 and returns h3 to \(\mathcal {A}\).

H4 Oracle: \(\mathcal {C}\) keeps a list L_H4〈M,PID_v,j,T_t,R_j,CFS_j,h4〉 initialized to empty. When \(\mathcal {A}\) invokes this query with 〈M,PID_v,j,T_t,R_j,CFS_j〉, \(\mathcal {C}\) checks if 〈M,PID_v,j,T_t,R_j,CFS_j〉 already exists in L_H4. If so, \(\mathcal {C}\) returns h4. Otherwise it generates a random h4=H4(M∥PID_v,j∥T_t∥R_j∥CFS_j), inserts 〈M,PID_v,j,T_t,R_j,CFS_j,h4〉 in L_H4 and returns h4 to \(\mathcal {A}\).

Sign Oracle: On receiving \(\mathcal {A}\)’s query with message M and pseudo identity PID_v,j, \(\mathcal {C}\) chooses random α,β,R_j from Z_q and computes signature σ=αH0(PID_LC,i)+H4(M∥PID_LC,i∥R_j∥T_t∥CFS_j). Then \(\mathcal {C}\) inserts 〈PID_LC,i,h0〉 and 〈M,PID_v,j,T_t,R_j,CFS_j,h4〉 into L_H0 and L_H4 respectively.

Analysis: Based on Forking lemma [42], suppose that \(\mathcal {A}\) has generated two valid signatures σ=SK_jH0(·)+rH4(·) and \(\widetilde {\sigma }=SK_{j}\widetilde {H0}(\cdot)+\widetilde {r}\widetilde {H4}(\cdot)\). To obtain the secret key SK_j, it computes

As the result shows, \(\mathcal {C}\) is able to solve the ECDLP problem as a polynomial adversary, which contradicts Definition 1. So we come to the conclusion that the proposed scheme is secure against adaptive chosen message attack in the random oracle model.

Security and attributes analysis

1. 1

   Authentication: According to Theorem 1, there exists no polynomial adversary being able to forge a valid message. Therefore the integrity of messages are able to be verified by computing σ·P=A·H0(PID_v,j)+r·H4(M∥PID_LC,i∥R_j∥T_t∥CFS_j)mod q.

2. 2

   Identity Privacy Preserving: The vehicle’s real identity does take part in the communication process but in the form of pseudo identity, and the master key stays unexposed.If an adversary intends to obtain other vehicle’s identities, it has to solve the difficult problems in mathematics in our scheme, which makes sure the identity privacy preserved.

3. 3

   Tracebility: If messages are found dishonest while transporting, LCs or GC can obtain the identities of vehicles by computing ID_v,j=PID_v,j⊕H2(s∥B).

4. 4

   Unlinkability: As a result of using different pseudo identities in different areas or even different periods, adversaries are kept from figuring out if multiple messages come from one same vehicle.

5. 5

   Resistance to Attacks: The proposed scheme can also resistant the following attacks [43, 44].

   • Forgery Attack: This attack intends to forge and transmit false warning messages in order to contaminate roads information and mislead vehicles. In the proposed scheme, once a vehicle found to send out false messages, its weigh value will drop more quickly than constant multiple speed. At last, the messages transformed by this vehicle will be ignored by surrounding vehicles.

   • Replay Attack: The encapsulated message contains timestamps, which can prevent messages are saved then reforwarded. Receivers check the freshness of messages at the very first beginning when getting them.

   • Impersonation Attack: If an adversary tends to impersonate a legal vehicle, it must generate a signature of the related message which satisfying σ·P=A·H0(PID_v,j)+r·H4(M∥PID_LC,i∥R_j∥T_t∥CFS_j), which is difficult according to Theorem 1.

   • Modify Attack: If the message contained is modified, receivers will find out that the equation doesn’t hold. Then modified illegal message will be abandoned.

   • Man−in−the−middle Attack: Since messages sent by senders and receivers needs to be verified its integrity and non-reputation, the scheme can resist man-in-the-middle attack.

In this section, we are going to analyse the performance of our scheme with comparison of schemes of He et al. [11], Li et al. [24] (EPA-CPPA) and Li et al. [45]. First, we set the order q of group G on the super elliptic curve \(E:y^{2}=x^{3}+ax+b\ mod\ p,(a,b\in Z_{p}^{*})\), in which q, p are 160-bit prime numbers. The notations used in this part are presented as below:

1. 1

   T_m: The time spent on performing a scale multiplication operation x·P, where \(x\in Z_{p}^{*}, P\in G\).

2. 2

   T_a: The time spent on performing a point addition operation Q+R, where Q,R∈G.

3. 3

   T_h: The time required for performing an one-way hash function operation.

To compare fairly, we implemented the cryptographic operations in the following environment. The processor is Intel Core CPU i7-6700 at 3.40 GHz and 8 GB RAM, and the operating system is Windows 7. Table 2 gives running times of performing those operations. The analysis is parted into three aspects: signing a single message, single message verification, and batch messages verification. In the scheme of He et al. [11], to sign a single message, three scale multiplications and three one-way hash functions are required, which is 3T_m+3T_h≈0.9684 ms. When to verify a single message, it costs three scale multiplications, two point additions and two one-way hash functions, which is 3T_m+2T_a+T_h≈0.9712 ms. And when the batch verification is implemented, (n+2) scale multiplications, (3n−1) point additions and (2n) one-way hash functions are performed, which is (n+2)T_m+(3n−1)T_a+(2n)T_h≈(0.331n+0.6412) ms.

In the scheme of Li et al. [24] (EPA-CPPA), to sign a single message, one scale multiplication and two one-way hash functions are required, which is 1T_m+2T_h≈0.3238 ms. When to verify a single message, it costs four scale multiplications, one point addition and two one-way hash functions, which is 4T_m+1T_a+2T_h≈1.2916 ms. And when the batch verification is implemented, (2n+2) scale multiplications, (n) point additions and (2n) one-way hash functions are performed, which is (2n+2)T_m+(n)T_a+(2n)T_h≈(0.648n+0.6436) ms.

In the scheme of Li et al. [45], to sign a single message, one scale multiplication and one one-way hash function are required, which is 1T_m+1T_h≈0.3228 ms. When to verify a single message, it costs three scale multiplications, three point additions and two one-way hash functions, which is 3T_m+3T_a+2T_h≈0.9746 ms. And when the batch verification is implemented, (n+2) scale multiplications, (3n) point additions and (2n) one-way hash functions are performed, which is (n+2)T_m+(3n)T_a+(2n)T_h≈(0.331n+0.6436) ms.

In the proposed scheme, to sign a single message, one scale multiplication and two one-way hash functions are required, which is 1T_m+2T_h≈0.3238 ms. When to verify a single message, it costs one scale multiplication, one point addition and two one-way hash functions, which is T_m+T_a+2T_h≈0.3262 ms. And when the batch verification is implemented, (n) scale multiplications, (n) point additions and (2n) one-way hash functions are performed, which is (n)T_m+(n)T_a+(2n)T_h≈(0.3262n) ms. The overall overhead is shown in Table 3.

According to Fig. 4, our scheme shows obvious overhead advantages in terms of signing and verifying a single message. As shown in Fig. 5, our scheme costs the minimum time to batch verify messages among four schemes.

Computation overhead of signing and verifying

Full size image

Computation overhead of batch verifications

Full size image

In this paper, a weight-based conditional privacy-preserving authentication scheme in SDVNs is introduced. With this scheme, a secure way to protect the privacy of vehicles and communications between them is offered. By applying the weight-based system, the participation rate of malicious vehicles and communication redundancy are both reduced to ease the computing overhead of entities, which also keeps the communication environment for vehicles clear. The two-step tracing scheme means LCs do not need to store old parameters to obtain the identities of vehicles, thereby reducing deploying costs. For the next step, we will focus on how to manage the vehicles more efficiently to make full use of the advantages of the decoupled architecture in the environment of SDVNs.

Data supporting the results of this article have been included within the article.

The authors are very grateful to the anonymous referees for their detailed comments and suggestions regarding this paper.

The work was supported by the National Natural Science Foundation of China (No. 61872001, No. 62011530046, No. U1936220), the Cooperation and Exchange Project between NSFC and RFBR (No. 20-57-53019, No. 62011530046), the Open Fund of Key Laboratory of Embedded System and Service Computing (Tongji University), Ministry of Education (No. ESSCKF2018-03), the Open Fund for Discipline Construction, Institute of Physical Science and Information Technology, Anhui University and the Excellent Talent Project of Anhui University.

1. Hong Zhong contributed equally to this work.

Affiliations

1. School of Computer Science and Technology, Anhui University, Jiulong Road, Hefei, 230039, China

   Hong Zhong, Yingxue Geng, Jie Cui & Yan Xu

2. School of Informatics, University of Leicester, University Road, Leicester, LE1 7RH, UK

   Lu Liu

Contributions

Authors’ contributions

In this work, the idea and overall plan is proposed by Hong Zhong; the concrete cryptographic protocol is conceived and designed by Yingxue Geng; the experiments are performed by Jie Cui and the experimental/analysis tools are contributed by Yan Xu; Lu Liu analyses the collected experimental data.

Authors’ information

Hong Zhong was born in Anhui Province, China, in 1965. She received her PhD degree in computer science from University of Science and Technology of China in 2005. She is currently a professor and Ph.D. supervisor of the School of Computer Science and Technology at Anhui University. Her research interests include applied cryptography, IoT security, vehicular ad hoc network, cloud computing security and software-defined networking (SDN). She has over 120 scientific publications in reputable journals (e.g. IEEE Transactions on Dependable and Secure Computing, IEEE Transactions on Information Forensics and Security, IEEE Transactions on Parallel and Distributed Systems, IEEE Transactions on Vehicular Technology, IEEE Transactions on Intelligent Transportation Systems, IEEE Transactions on Network and Service Management, IEEE Transactions on Big Data and IEEE Internet of Things Journal), academic books and international conferences.

Yingxue Geng is now a research student in the School of Computer Science and Technology, Anhui University. Her research focuses on the secure authentication of vehicular ad hoc networks.

Jie Cui was born in Henan Province, China, in 1980. He received his Ph.D. degree in University of Science and Technology of China in 2012. He is currently a professor and Ph.D. supervisor of the School of Computer Science and Technology at Anhui University. His current research interests include applied cryptography, IoT security, vehicular ad hoc network, cloud computing security and software-defined networking (SDN). He has over 100 scientific publications in reputable journals (e.g. IEEE Transactions on Dependable and Secure Computing, IEEE Transactions on Information Forensics and Security, IEEE Journal on Selected Areas in Communications, IEEE Transactions on Vehicular Technology, IEEE Transactions on Intelligent Transportation Systems, IEEE Transactions on Multimedia, IEEE Transactions on Network and Service Management, IEEE Transactions on Emerging Topics in Computing and IEEE Transactions on Circuits and Systems), academic books and international conferences.

Yan Xu is currently an associate professor of School of Computer Science and Technology at Anhui University. She received the BS and MS degrees from Shandong University in 2004 and 2007, respectively, and the PhD degree from University of Science and Technology of China in 2015. Her research interests include information security and applied cryptography.

Lu Liu is the Professor of Informatics and Head of School of Informatics in the University of Leicester, UK. Prof Liu received the Ph.D. degree from University of Surrey, UK and MSc in Data Communication Systems from Brunel University, UK. Prof Liu’s research interests are in areas of cloud computing, service computing, computer networks and peer-to-peer networking. He is a Fellow of British Computer Society (BCS).

Corresponding author

Correspondence to Jie Cui.

Competing interests

The authors declare that they have no competing interests.

Publisher’s Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.

Reprints and Permissions