A weight-based conditional privacy-preserving authentication scheme in software-defined vehicular network
Journal of Cloud Computing volume 9, Article number: 54 (2020)
Abstract
The rapid development of vehicular ad hoc networks (VANETs) has brought significant improvement to traffic safety and efficiency. However, owing to limitations associated with VANETs’ own unchanging model and traditional network structure, there are still many challenging concerns such as poor flexibility and controllability to deal with. To solve these inherent problems effectively, we propose a weight-based conditional anonymous authentication scheme by introducing the newly emerging software-defined networking (SDN) framework. Firstly, by making use of the global planning and dynamic management features of SDN, vehicles are classified into different priorities using weighted values to reduce communications redundancy, and control the participation of malicious vehicles. Then, an efficient conditional privacy-preserving scheme was developed to secure communications among vehicles. A two-step tracing approach has been designed to exclude and punish vehicles whose weights drop below the threshold. Extensive analyses indicate that our conditional privacy-preserving scheme is secure and has lower computation costs than conventional state-of-the-art authentication schemes.
Introduction
The application of the Internet of Things (IoT) has effectively promoted the intelligent development of all fields of life [1, 2]. These applications have allowed limited resources to be used and distributed more reasonably, thereby improving industry efficiency and effectiveness [3, 4]. Notably, vehicular networks now provide people with many life-changing benefits that they may not realize. VANETs were introduced to make vehicles safer and to offer an efficient tool to enhance the driving experience. They have attracted attention from both academia and industry since inception [5]. The onboard units (OBUs) installed in vehicles allow communications between vehicles (V2V) as well as between vehicles and infrastructure (V2I) [6]. This hybrid network can offer many kinds of services that bring great convenience and enhancements to current applications, such as optimum path planning and broadcasting warnings of road accidents and other newsworthy events [7, 8]. Despite these advantages, security during communications must be considered when VANETs are used in real applications, both to protect the privacy of vehicles and to prevent malicious users from damaging the system [9]. To overcome these shortcomings, many researchers have proposed anonymous authentication schemes to ensure secure communications [10, 11]. For instance, a conditional privacy protection authentication scheme in a multi-cloud environment [12] was proposed to secure the privacy and anonymity of vehicles by combining with cloud computing [13, 14].
However, most of the present schemes are designed for traditional networks. Traditional networks have some inherent problems: they cannot adapt to the rapidly changing topology of VANETs and may cause uncontrollable security threats. Chen et al. [15] gave a survey of security problems in the Software Defined Mobile Network (SDMN). To some extent, SDVN is similar to SDMN, for example in its fast-changing topology and its frequent joining and leaving. This inspired us to introduce SDN into VANETs to cope with those security problems. The survey of Jaballah et al. [16] gave a new direction for resolving the privacy problem in VANETs by including SDN technology [17].
SDN is a newly emerging and promising technology that breaks the traditional network model by decoupling the control and data planes. In the control plane, all the managing and monitoring functions are logically united into one entity called a controller. The data plane includes all kinds of wired or wireless networking infrastructure used to forward network traffic. In this way, the system can release routing-related equipment from heavy forwarding jobs, using the programmable properties of SDN to ease and enhance the overall network performance [10].
This new network architecture has received significant attention from mobile networks such as VANETs for its ability to enhance performance, flexibility, and scalability [18]. By concentrating all protocol-specific features in the software, this extension of the SDN paradigm is expected to incorporate mobile-network-specific functionality [19]. Moreover, the new architecture also brings new opportunities and approaches to cope with some inherent problems in traditional networks, especially regarding security [20]. There have been some studies dedicated to solving security problems in the control plane [21], such as distributed denial-of-service and malware attacks. However, the security and privacy problems existing in the data plane have not received the same focus.
We propose a conditional privacy-preserving scheme that protects communication security and improves network efficiency in an SDVN framework. In our scheme, a weight-based system performs the first-step detection, acting as a filter that lowers the message density. As background, the detailed work process and weighting system are explained in the “Background” section.
Our contributions
In this paper, we propose a conditional authentication scheme that offers a weight-based system to monitor malicious vehicles while protecting the privacy of vehicles in SDVNs. The main contributions of our scheme are threefold.

1. To support communication privacy and efficient traceability in SDVNs, a message privacy-preserving authentication scheme is proposed with two-step tracing. The authentication scheme relieves local controllers of the need to store information about vehicles and system parameters. The layered controller model also relieves the global controller of the heavy work burden of computation and reduces deployment costs.

2. We have built a framework for a weight-based incentive system by offering vehicles candidate forwarding sets (CFSs) in the SDVN framework to encourage vehicles to upload correct and real-time information about traffic and roads. Information uploaded by vehicles will be used to enhance driving experiences such as route planning and avoiding traffic congestion. This system evaluates vehicles and sets their priorities according to their weight values. Vehicles with low weight values will lose trust from controllers after a specific period.

3. Extensive analyses are performed to prove the security and efficiency of the proposed scheme.
Organization of this paper
The remainder of this paper is organized as follows. The “Related work” section introduces the related works. The “Background” section describes the system model and some background knowledge used in our study. The “Proposed scheme” section presents our specific scheme. The “Security proof and analysis” section then gives the detailed security proof and analysis. In the “Performance analysis” section, we give the performance evaluation and comparison. Finally, the “Conclusion” section gives the conclusion and some concluding remarks.
Related work
There have been many works dedicated to designing efficient conditional privacy-preserving schemes [13, 22–25] to secure vehicles’ identities and communications [26–28]. With the advent of SDN technology, some research areas including VANETs have realized the convenience and advantages of this new network architecture. SDN has been introduced to address some inherent problems in [10, 13, 21, 29–33].
Shao et al. [34] proposed an anonymous authentication protocol for VANETs by using a new group signature scheme, which achieved threshold authentication and group signature in VANETs. However, the massive computation overhead that comes with the bilinear pairing operation and the map-to-point hash operation may strictly limit its practicability.
Lai et al. [35] proposed an integrated network architecture for secure group communication in SDN-based 5G-VANETs. With this scheme, some security challenges in both decentralized and centralized networks can be addressed and the performance evaluation proved to be outstanding, but it lacks a detailed concrete privacy-preserving approach to guarantee vehicles’ privacy. In [36], they introduced a unified secure and seamless IP communications framework for a group-oriented heterogeneous vehicular environment. The framework aimed to make use of the advantages of an SDN structure to set up the platoon securely and flexibly and to control the handover signaling overload.
Cui et al. [37] designed an authentication protocol for 5G-enabled vehicular networks in which the TA is in charge of reputation management and filters out vehicles with a reputation score below a given threshold, which reduces the number of untrusted messages in VANETs. Zhang et al. [38] proposed a novel Chinese remainder theorem based conditional privacy-preserving authentication scheme to secure vehicular authentication. This scheme solved the leakage problem during side-channel attacks and ensured security for the entire system.
Jaballah et al. [16] gave a detailed survey on SDVNs that introduced benefits, future directions and existing challenges, especially about communications security.
Garg et al. [39] presented an SDN-based privacy-preserving scheme for vehicular networks from a 5G perspective. The scheme provided end-to-end security methods through its inbuilt modules, including authentication and intrusion detection. The authentication scheme relies on ECC to authenticate the CA, the CH, and the vehicles before data transmission. The intrusion detection employs tensor-based dimensionality reduction to reduce the size of vehicular traffic data and then exposes it for detection. However, this scheme only introduced identity authentication between the CA and the CH as well as between the CH and vehicles. No further message authentication scheme was designed to secure communication. In addition, the authentication scheme may require too much computation and storage, which will cause great overhead and delay during deployment.
Huang et al. [40] proposed a 5G software-defined vehicular network model. Based on that, they proposed a conditional privacy-preserving authentication scheme which avoided single point of failure problems and the use of an ideal tamper-proof device and a certificate revocation list (CRL). The scheme used a revocation list to reduce the verification delay caused by checking the long CRL, and the storage that comes with the large number of pseudonyms in the CRL. However, every second pseudo identity (SPID) of V_{i} has a validation time and can only be used once, after which it is removed from the list. This design costs too much storage and computation overhead when tracking the real identities of malicious vehicles.
Background
In this section, we formalize the weight value computation system. Assumptions and security goals will be elaborated in detail as well.
System model
The proposed system model is composed of the following entities: the global controller (GC), local controllers (LCs), the deployed access points (APs) and cellular network base stations (BSs), the transport manager (TM) and the OBUs that are preloaded on the vehicles, as presented in Fig. 1. The functions of these network entities and the related assumptions are described below.

1. GC: The global controller of this system has outstanding computing and storage capabilities compared with LCs and OBUs. In the narrower SDN system, the controller is a logically centralized strategy point based on the OpenFlow protocol, and is responsible for managing traffic flow, route discovery, and other control work. In our scheme, like the traditional Trusted Authority, the GC takes responsibility for some heavy computation tasks such as generating and distributing system parameters, as well as updating them periodically. Beyond that, the GC also monitors and manages the global network, including updating the route strategy and detecting malicious members. When necessary, the GC takes part in tracking the real identities of vehicles.

2. LC: Local controllers in the scheme are designed mainly to balance the computation burden of the GC and to reduce the cost of deployment in real situations. The layered structure is shown in Fig. 2. Each local controller takes charge of one specific area. Like the traditional Roadside Units, when the LC receives a request message including the real identity from a vehicle, it returns the pseudo-identity, the secret key, and some other parameters to the sender. Beyond that, LCs also make the local route strategy, compute weight values, and execute some other controlling actions. In consideration of security and storage costs, however, LCs will not store any of these identity entries. When it is necessary to track the true identity, the LC checks whether it is able to extract it. If not, it submits the message to the GC. The tracking steps are presented in detail in the “Proposed scheme” section.

3. OBU: The OBU is a computing unit that is preloaded in the vehicle. OBUs get access to wireless networks and offer vehicles various network services such as navigation and disaster warning. In addition, OBUs submit vehicle conditions and surrounding traffic situations. This feedback is used by the LCs and the GC for overall planning for the vehicles themselves [41].

4. AP and BS: Vehicles in our system can get access not only to cellular networks such as 3G/4G/5G, but also to city WiFi via access points and to other types of networks. Ubiquitous 5G base stations will still take quite a long time to deploy, and the cost may be unaffordable for some users, so the coexistence of different types of networks is necessary.

5. TM: The transport manager is the vehicle-managing authority. It notifies and warns vehicle owners when their vehicles’ weight values drop below a specific threshold value.
The system assumptions are as follows:

The GC is completely trustworthy and cannot be compromised.

LCs are trusted, but their capabilities are limited and they are far from able to take the place of the GC.

Vehicles are half-trusted, but the vital parameters stored inside them are not available to adversaries.

The overall road map and building distribution have been preloaded in the GC. Local maps and distributions are preloaded in the corresponding LCs.
Controllers in our scheme are only responsible for traffic management, route planning and other network-related affairs. Vehicle management and other social service applications will be allowed to plug into the unified north APIs offered by controllers.
Weight computation system
In our proposed model, the weight computation system computes CFSs for vehicles. According to vehicles’ weight values in the current period, the system classifies the vehicles in the present area into different priorities [37]. By introducing this model, vehicles that have sent too many bogus messages will be squeezed out of the high-priority set. The more invalid or fake messages they send, the lower the priority assigned to them. The main mechanism of this part is shown in Fig. 3.

1. When the vehicle V_{i} intends to send messages in the current area, it requests the present parameters and its CFS via the wireless network.

2. On receiving request messages from vehicles, the LC returns security parameters and the corresponding CFSs according to the preloaded road maps and the conditions of the vehicles. The main elements that should be considered in our environment are:

   (a) Relative Distance (RDst): Denotes the relative distance between V_{i} and other vehicles according to their relative speeds.

   (b) Remaining Power (Pwr): Denotes the remaining power, including computing and storage capabilities, of vehicles in the current area. Vehicles with low remaining power may not be able to afford other tasks while satisfying their own needs.

   (c) Network Situation (NS): Denotes the situation of the networks that vehicles have access to, including average expenses and traffic speeds.

   (d) Bogus Message (BM): Denotes the number of messages that a vehicle has sent in one specific period. In one accumulation cycle, the first time a bogus message is detected, the vehicle’s BM value is set to s. The second time, s=s+n1s, where n1 is an appropriate coefficient that suits the present environment of this area. Similarly, the third bogus message makes s=n+n1s+n2s, n1≥1, n2≥1, and so on. This means that the more bogus messages are detected from one vehicle, the faster its weight value drops, more quickly than at a constant multiple.

   (e) Other Elements (OE): There are many road conditions that should be taken seriously, such as the distribution of buildings. For example, since the deployment of new 5G base stations is under way, the fact that their signal suffers more serious loss than that of other cellular networks should be taken into consideration. If vehicles tend to transmit files such as streaming files, the size of messages and their priorities must be taken into consideration as well, because there are great differences among the expenses of different networks.
Taking all the elements into account, the final weight computation formula is

$$ W_{v,i} = w_{1} RDst+w_{2} Pwr+w_{3} NS+w_{4} BM+w_{5} OE, $$ (1)

where w_{1}+w_{2}+w_{3}+w_{4}+w_{5}=1. After computing all the weight values in the area, the LC sets the vehicles’ priorities. Here we set priorities at four levels: L1 (prior), L2 (sub-prior), L3 (medium) and L4 (low). The priority calculation method is shown as Algorithm 1. Then the LC returns security parameters with the CFS to the requesting vehicle. When all necessary contents are acquired, the vehicle signs messages via the authentication scheme demonstrated in the next section. Then it sends out messages with the CFS attached, as Algorithm 2 shows. On receiving a message, a vehicle checks its priority in the CFS. If its priority is L1, it forwards without waiting. If the priority level is lower than L1, it waits for a specific period. If vehicles do not receive ACK packages from the higher-level ones in this period, they forward [29]. Since the CFS is not integrated with any specific routing algorithm, it can be applied with all kinds of routing models to offer better candidates.

3. When an accumulation phase ends, LCs upload entries of vehicles’ information to the GC. The numbers of bogus messages that vehicles sent in the previous period are recorded.

4. On receiving real-time entries from LCs, the GC updates its table with both the real identities it tracked and those the LCs submitted.

5. When vehicles’ weight values are found to have dropped below the threshold value, the GC informs the TM to take appropriate actions.
Security goals
Here we introduce the main security goals that our proposed scheme aims to achieve.

1. Authentication: Messages issued by vehicles should be signed by senders so that receivers can verify the integrity and authenticity of messages.

2. Identity Privacy Preserving: Vehicles in our model use pseudo identities to communicate, so that no unauthorized third party can track vehicles’ real identities.

3. Traceability: Though vehicles use pseudo identities to communicate, controllers need to be able to track their real identities when necessary.

4. Unlinkability: Adversaries are not able to link messages sent by the same vehicle or to trace the vehicle’s movement tracks.

5. Resistance to Attacks: The proposed scheme is able to resist various other common attacks, for example, forgery attack, replay attack, impersonation attack, modification attack, and man-in-the-middle attack.
Proposed scheme
To achieve privacy preservation and efficient traceability while communicating, the authentication scheme designed for our SDVN environment is presented in detail in this section. Firstly, the GC chooses parameters and distributes them. When an LC receives the parameters, it sets up the system. Then, if a vehicle enters the managing range of the LC and needs to sign and send messages, the LC chooses the best CFS and sends it to the vehicle. The vehicle then broadcasts the signed message with the CFS attached. Adjacent vehicles check whether they are in the CFS. A vehicle that is in the CFS verifies the message and decides whether to abandon or forward it. If it is necessary to track the identities of vehicles, our scheme offers a two-step tracing approach, which balances the computation and storage loads of the LCs and the GC to the greatest extent.
System initialization
Let F_{p} be a finite field, where p is a large prime number and the size of the field. (a,b)∈F_{p} are the parameters of the elliptic curve E. P is the generator and q is the prime order of E. Some notations and definitions in our scheme are presented in Table 1.

1. The GC chooses \(H0:\{0,1\}^{*} \rightarrow Z_{q}^{*}\), \(H1:\{0,1\}^{*} \times G\rightarrow Z_{q}^{*}\), \(H2:\{0,1\}^{*} \times G\rightarrow Z_{q}^{*}\), \(H3:\{0,1\}^{*} \rightarrow Z_{q}^{*}\), \(H4:\{0,1\}^{*}\times \{0,1\}^{*}\times G\times \{0,1\}^{*}\times \{0,1\}^{*} \rightarrow Z_{q}^{*}\). Then it randomly selects \(\alpha,\beta,s\in Z_{q}^{*}\), with s as the secret key and P_{pub}=sP as the public key of the controller system. Then the GC transmits the parameters to the LCs via secure channels.

2. When LC_{i} receives the parameters generated by the GC, it computes A= α·P·H0(PID_{LC,i}), B= β·P, where PID_{LC,i}=ID_{i}⊕H1(P_{pub}∥B). Then LC_{i} publishes {H0,H1,H2,H3,H4,P,P_{pub},q,PID_{LC,i},A,B} as the present system parameters.

3. To successfully track the identities of vehicles when necessary, the GC stores a 5-tuple (PID_{LC,i},s,P_{pub},T_{start},T_{end}). T_{start} and T_{end} are the enabling and disabling times, respectively, of the secret key s. To save computation cost, secret keys can be reused in an irregular cycle. To ensure the security of controllers, however, LCs do not save any of them.
Vehicles registration
When vehicle V_{j} enters the range of LC_{i}, it sends a request message including its identity ID_{v,j} to LC_{i}. Then LC_{i} computes PID_{v,j}=LC_{i}⊕H2(s∥B) as its pseudo identity and SK_{j}=α·H3(PID_{v,j}) as its secret key.
Message signing and verifying
When V_{j} intends to communicate with other entities, it signs and encapsulates messages with attached data such as CFS_{j}. Surrounding vehicles check whether they are in CFS_{j}. If not, they retain the message temporarily and wait for ACK packages. Otherwise, they verify the signature and then re-forward the message with their own CFS.

1. V_{j} randomly chooses a number \(r_{j}\in Z_{q}^{*}\) and lets R_{j}=r_{j}·P. V_{j} then signs message M by computing

$$ \begin{aligned} \sigma&=SK_{j}\cdot H0\left(PID_{LC,i}\right)\\&+r\cdot H4\left(M\Vert PID_{LC,i}\Vert R_{j}\Vert T_{t}\Vert CFS_{j}\right)\bmod q \end{aligned} $$ (2)

where M denotes the related message and T_{t} is the timestamp.

2. Then V_{j} issues the message msg in the form {M∥R_{j}∥PID_{v,j}∥PID_{LC,i}∥T_{t}∥σ∥P_{pub}∥CFS_{j}}.

3. To verify a received message, the timestamp T_{t} is checked first. If it is still fresh, the receiver then checks whether Eq. (3) holds.

$$ \begin{aligned} \sigma\cdot P&=A\cdot H0\left(PID_{v,j}\right)\\ & +r\cdot H4\left(M\Vert PID_{LC,i}\Vert R_{j}\Vert T_{t}\Vert CFS_{j}\right)\bmod q. \end{aligned} $$ (3)

Batch Verification: When a vehicle receives n messages in a short interval, verifying them one by one consumes a lot of time and energy, so our scheme allows batch verification. Firstly, the receiver checks whether T_{t,1},T_{t,2},...,T_{t,n} are fresh. Then it randomly selects n ephemeral values e_{1},e_{2},...,e_{n}, where e∈[1,2^{t}] and t is a small integer. Finally, the receiver verifies whether Eq. (4) holds.

$$ \begin{aligned} \sum_{j=1}^{n} \left(e_{j}\cdot\sigma_{v,j}\right)\cdot P &=\left(\sum_{j=1}^{n} e_{j}\cdot A_{j}\cdot H0\left(PID_{v,j}\right)\right)\\ &+\left(\sum_{j=1}^{n} e_{j}\cdot R_{j}\cdot H4\left(M\Vert PID_{LC,i}\Vert R_{j}\Vert T_{t}\Vert CFS_{j}\right)\right). \end{aligned} $$ (4)
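The algebra behind signing, single verification and batch verification, as an added example that is not the authors' code. Multiplying Eq. (2) by P with the page's definitions A = α·P·H0(PID_{LC,i}) and SK_{j} = α·H3(PID_{v,j}) gives the check σ·P = H3(PID_{v,j})·A + H4(·)·R_{j} used here; secp256k1, SHA-256, all function names, a single LC (one A) for the whole batch and the 5-unit freshness window are assumptions.

```python
import hashlib
import secrets

# Stand-in curve (assumption): secp256k1, y^2 = x^3 + 7 over F_p, prime order q.
p = 2**256 - 2**32 - 977
q = 0xFFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFE_BAAEDCE6_AF48A03B_BFD25E8C_D0364141
P = (0x79BE667E_F9DCBBAC_55A06295_CE870B07_029BFCDB_2DCE28D9_59F2815B_16F81798,
     0x483ADA77_26A3C465_5DA4FBFC_0E1108A8_FD17B448_A6855419_9C47D08F_FB10D4B8)

def add(X, Y):
    """Affine point addition; None is the point at infinity."""
    if X is None or Y is None:
        return X if Y is None else Y
    (x1, y1), (x2, y2) = X, Y
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if X == Y:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, X):
    """Double-and-add scalar multiplication (illustrative, not constant time)."""
    k, R = k % q, None
    while k:
        if k & 1:
            R = add(R, X)
        X, k = add(X, X), k >> 1
    return R

def H(tag, *parts):
    """SHA-256 with a domain tag, mapped into Z_q^* (stand-in for H0..H4)."""
    h = hashlib.sha256(tag.encode())
    for part in parts:
        data = repr(part).encode()
        h.update(len(data).to_bytes(4, "big") + data)
    return int.from_bytes(h.digest(), "big") % (q - 1) + 1

def lc_setup(pid_lc):
    """LC side: A = alpha * H0(PID_LC,i) * P is published; alpha stays private."""
    alpha = secrets.randbelow(q - 1) + 1
    return alpha, mul(alpha * H("H0", pid_lc), P)

def register(alpha, pid_v):
    """Vehicle key from registration: SK_j = alpha * H3(PID_v,j) mod q."""
    return alpha * H("H3", pid_v) % q

def h4_of(m):
    """H4(M || PID_LC,i || R_j || T_t || CFS_j) for one encapsulated message."""
    return H("H4", m["M"], m["PID_LC"], m["R"], m["T"], m["CFS"])

def sign(sk, pid_v, pid_lc, M, T, cfs):
    """Eq. (2): sigma = SK_j * H0(PID_LC,i) + r_j * H4(...) mod q."""
    r = secrets.randbelow(q - 1) + 1
    msg = {"M": M, "R": mul(r, P), "PID_v": pid_v, "PID_LC": pid_lc, "T": T, "CFS": cfs}
    msg["sigma"] = (sk * H("H0", pid_lc) + r * h4_of(msg)) % q
    return msg

def fresh(m, now, max_age=5):
    """Timestamp check done before any curve arithmetic (max_age is an assumption)."""
    return 0 <= now - m["T"] <= max_age

def verify(m, A, now):
    """Checks sigma * P == H3(PID_v,j) * A + H4(...) * R_j (Eq. (2) times P)."""
    if not fresh(m, now):
        return False
    rhs = add(mul(H("H3", m["PID_v"]), A), mul(h4_of(m), m["R"]))
    return mul(m["sigma"], P) == rhs

def batch_verify(msgs, A, now, t=16):
    """Batch check with random e_j in [1, 2^t]; all messages share one LC's A."""
    if not all(fresh(m, now) for m in msgs):
        return False
    s_sum, a_coeff, r_sum = 0, 0, None
    for m in msgs:
        e = secrets.randbelow(2 ** t) + 1
        s_sum = (s_sum + e * m["sigma"]) % q
        a_coeff = (a_coeff + e * H("H3", m["PID_v"])) % q
        r_sum = add(r_sum, mul(e * h4_of(m), m["R"]))
    return mul(s_sum, P) == add(mul(a_coeff, A), r_sum)

def demo():
    """Constructed sample traffic: three vehicles registered with one LC."""
    alpha, A = lc_setup("PID-LC-1")
    msgs = [sign(register(alpha, f"PID-V-{j}"), f"PID-V-{j}", "PID-LC-1",
                 f"road report {j}", 1000, ("PID-V-7", "PID-V-9")) for j in range(3)]
    tampered = [dict(m) for m in msgs]
    tampered[1]["M"] = "road is clear"  # modified after signing
    return {"single": verify(msgs[0], A, now=1002),
            "batch": batch_verify(msgs, A, now=1002),
            "tampered_single": verify(tampered[1], A, now=1002),
            "tampered_batch": batch_verify(tampered, A, now=1002),
            "replayed": verify(msgs[0], A, now=1100)}

if __name__ == "__main__":
    print(demo())
```

Because CFS_{j} and T_{t} are inputs to H4, changing the attached forwarding set or the timestamp invalidates the signature in the same way as changing M.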
Identity tracking
As mentioned before, our scheme provides a two-step tracking approach to track a vehicle’s real identity when its weight value is found to have dropped below a certain threshold.

1. The LC extracts P_{pub} from msg and checks whether it equals the present P_{pub}. If it is the parameter presently in use, the LC computes ID_{v,j}=PID_{v,j}⊕H2(s∥B). If the P_{pub} extracted from msg does not equal the one in service, the parameter has expired or was not published by the present LC, and the LC retransmits the message to the GC.

2. The GC extracts P_{pub} and T_{t} from msg. With T_{t} it can rapidly locate the corresponding tuple and find the old secret key s in its storage. Then it computes and obtains the real identity ID_{v,j}=PID_{v,j}⊕H2(s∥B). Based on protocols and laws, the GC will blacklist vehicles for a certain period or refuse to offer services. Moreover, the GC can submit the list of malicious users to a related arbitration or credit-management department such as the TM.
Security proof and analysis
Security proof
First, we introduce the definition of the elliptic curve discrete logarithm problem (ECDLP), on which the whole analysis is based.
Definition 1 (ECDLP): Let n∈Z_{q} and N=nP∈G, where P is the generator of the group G. Given N=nP, it is difficult to compute n.
Then a game between adversary \(\mathcal {A}\) and challenger \(\mathcal {C}\) is introduced to set up the security model of our scheme.
Setup Oracle: In this query, \(\mathcal {C}\) generates the secret keys and other system parameters, which are sent to \(\mathcal {A}\).
H0 Oracle: On input m by \(\mathcal {A}\), \(\mathcal {C}\) chooses a random number r from Z_{q} and returns to \(\mathcal {A}\) while inserting the tuple (m,r) into list L_{H0}.
H1 Oracle: On input m by \(\mathcal {A}\), \(\mathcal {C}\) chooses a random number r from Z_{q} and returns to \(\mathcal {A}\) while inserting the tuple (m,r) into list L_{H1}.
H2 Oracle: On input m by \(\mathcal {A}\), \(\mathcal {C}\) chooses a random number r from Z_{q} and returns to \(\mathcal {A}\) while inserting the tuple (m,r) into list L_{H2}.
H3 Oracle: On input m by \(\mathcal {A}\), \(\mathcal {C}\) chooses a random number r from Z_{q} and returns to \(\mathcal {A}\) while inserting the tuple (m,r) into list L_{H3}.
H4 Oracle: On input m by \(\mathcal {A}\), \(\mathcal {C}\) chooses a random number r from Z_{q} and returns to \(\mathcal {A}\) while inserting the tuple (m,r) into list L_{H4}.
Sign Oracle: In this query, on receiving message M from \(\mathcal {A}\), \(\mathcal {C}\) generates msg and sends to \(\mathcal {A}\).
If adversary \(\mathcal {A}\) could generate a login request message, it is proved to be able to violate the authentication of the scheme. Let \(\Phi (\mathcal {A})\) denote the probability that \(\mathcal {A}\) violates the authentication of our scheme.
Definition 1.
Our scheme is secure if \(\Phi (\mathcal {A})\) is negligible for any polynomial adversary \(\mathcal {A}\).
We evaluated the proposed scheme and proved it secure in the random oracle model.
Theorem 1.
The proposed scheme is secure in the random oracle model.
Proof: Suppose that there exists an adversary \(\mathcal {A}\) that could forge a msg. We construct a challenger \(\mathcal {C}\) that is able to solve the ECDLP problem with a non-negligible probability by running \(\mathcal {A}\) as a subroutine.
Setup Oracle: Firstly a security parameter k is taken as input. Then \(\mathcal {C}\) randomly selects a number s as its private key and computes P_{pub}=sP and \(\mathcal {C}\) sends {H0,H1,H2,H3,H4,P,P_{pub},q,PID_{LC,i},A,B}.
H0 Oracle: \(\mathcal {C}\) keeps a list L_{H0}〈PID_{LC,i},h0〉 initialized to empty. When \(\mathcal {A}\) invokes this query with 〈PID_{LC,i}〉, \(\mathcal {C}\) checks if 〈PID_{LC,i},h0〉 already exists in L_{H0}. If so, \(\mathcal {C}\) returns h0. Otherwise it generates a random h0=H0(PID_{LC,i}), inserts 〈PID_{LC,i},h0〉 in L_{H0} and returns h0 to \(\mathcal {A}\).
H1 Oracle: \(\mathcal {C}\) keeps a list L_{H1}〈P_{pub},B,h1〉 initialized to empty. When \(\mathcal {A}\) invokes this query with 〈PID_{LC,i},B〉, \(\mathcal {C}\) checks if 〈P_{pub},B〉 already exists in L_{H1}. If so, \(\mathcal {C}\) returns h1. Otherwise it generates a random h1=H1(P_{pub}∥B), inserts 〈P_{pub},B,h1〉 in L_{H1} and returns h1 to \(\mathcal {A}\).
H2 Oracle: \(\mathcal {C}\) keeps a list L_{H2}〈s,B,h2〉 initialized to empty. When \(\mathcal {A}\) invokes this query with 〈s,B〉, \(\mathcal {C}\) checks if 〈s,B〉 already exists in L_{H2}. If so, \(\mathcal {C}\) returns h2. Otherwise it generates a random h2=H2(s∥B), inserts 〈s,B,h2〉 in L_{H2} and returns h2 to \(\mathcal {A}\).
H3 Oracle: \(\mathcal {C}\) keeps a list L_{H3}〈PID_{v,j},h3〉 initialized to empty. When \(\mathcal {A}\) invokes this query with 〈PID_{v,j}〉, \(\mathcal {C}\) checks if 〈PID_{v,j}〉 already exists in L_{H3}. If so, \(\mathcal {C}\) returns h3. Otherwise it generates a random h3=H3(PID_{v,j}), inserts 〈PID_{v,j},h3〉 in L_{H3} and returns h3 to \(\mathcal {A}\).
H4 Oracle: \(\mathcal {C}\) keeps a list L_{H4}〈M,PID_{v,j},T_{t},R_{j},CFS_{j},h4〉 initialized to empty. When \(\mathcal {A}\) invokes this query with 〈M,PID_{v,j},T_{t},R_{j},CFS_{j}〉, \(\mathcal {C}\) checks if 〈M,PID_{v,j},T_{t},R_{j},CFS_{j}〉 already exists in L_{H4}. If so, \(\mathcal {C}\) returns h4. Otherwise it generates a random h4=H4(M∥PID_{v,j}∥T_{t}∥R_{j}∥CFS_{j}), inserts 〈M,PID_{v,j},T_{t},R_{j},CFS_{j},h4〉 in L_{H4} and returns h4 to \(\mathcal {A}\).
Sign Oracle: On receiving \(\mathcal {A}\)’s query with message M and pseudo identity PID_{v,j}, \(\mathcal {C}\) chooses random α,β,R_{j} from Z_{q} and computes signature σ=αH0(PID_{LC,i})+H4(M∥PID_{LC,i}∥R_{j}∥T_{t}∥CFS_{j}). Then \(\mathcal {C}\) inserts 〈PID_{LC,i},h0〉 and 〈M,PID_{v,j},T_{t},R_{j},CFS_{j},h4〉 into L_{H0} and L_{H4} respectively.
Analysis: Based on Forking lemma [42], suppose that \(\mathcal {A}\) has generated two valid signatures σ=SK_{j}H0(·)+rH4(·) and \(\widetilde {\sigma }=SK_{j}\widetilde {H0}(\cdot)+\widetilde {r}\widetilde {H4}(\cdot)\). To obtain the secret key SK_{j}, it computes
As the result shows, \(\mathcal {C}\) is able to solve the ECDLP problem as a polynomial adversary, which contradicts Definition 1. So we come to the conclusion that the proposed scheme is secure against adaptive chosen message attack in the random oracle model.
Security and attributes analysis

1
Authentication: According to Theorem 1, there exists no polynomial adversary being able to forge a valid message. Therefore the integrity of messages are able to be verified by computing σ·P=A·H0(PID_{v,j})+r·H4(M∥PID_{LC,i}∥R_{j}∥T_{t}∥CFS_{j})mod q.

2
Identity Privacy Preserving: The vehicle’s real identity does take part in the communication process but in the form of pseudo identity, and the master key stays unexposed.If an adversary intends to obtain other vehicle’s identities, it has to solve the difficult problems in mathematics in our scheme, which makes sure the identity privacy preserved.

3
Tracebility: If messages are found dishonest while transporting, LCs or GC can obtain the identities of vehicles by computing ID_{v,j}=PID_{v,j}⊕H2(s∥B).

4
Unlinkability: As a result of using different pseudo identities in different areas or even different periods, adversaries are kept from figuring out if multiple messages come from one same vehicle.

5
Resistance to Attacks: The proposed scheme can also resistant the following attacks [43, 44].

Forgery Attack: This attack forges and transmits false warning messages in order to contaminate road information and mislead vehicles. In the proposed scheme, once a vehicle is found to send out false messages, its weight value drops more quickly than at a constant multiple speed. Eventually, the messages transmitted by this vehicle will be ignored by surrounding vehicles.

Replay Attack: The encapsulated message contains timestamps, which prevent messages from being saved and then re-forwarded. Receivers check the freshness of messages as soon as they receive them.

Impersonation Attack: If an adversary intends to impersonate a legal vehicle, it must generate a signature on the related message that satisfies σ·P=A·H0(PID_{v,j})+r·H4(M∥PID_{LC,i}∥R_{j}∥T_{t}∥CFS_{j}), which is difficult according to Theorem 1.

Modify Attack: If the contained message is modified, receivers will find that the equation does not hold. The modified, illegal message is then discarded.

Man-in-the-middle Attack: Since the integrity and non-repudiation of messages sent by senders and receivers must be verified, the scheme can resist man-in-the-middle attacks.
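
The verification equation and the replay and modification checks described above, as an added Python example (not code from the paper). It assumes A = SK_j·P and R_j = r·P, so the right-hand term is evaluated as H4(·)·R_j; secp256k1, SHA-256 for H0/H4, the 5-second freshness window and all field values are assumptions or constructed sample data.

```python
import hashlib, secrets

# secp256k1 is a stand-in for the paper's 160-bit curve (assumption).
P_MOD = 2**256 - 2**32 - 977
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
MAX_AGE = 5  # freshness window in seconds (assumed value)

def add(p1, p2):  # affine point addition; None is the point at infinity
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def mul(k, pt):  # double-and-add scalar multiplication (not constant time)
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def h(tag, *parts):
    """Tagged SHA-256 reduced mod q, standing in for H0 and H4."""
    data = tag + b"|".join(repr(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def sign(sk, pid, msg, pid_lc, cfs, t):
    """sigma = SK_j*H0(PID) + r*H4(M||PID_LC||R_j||T_t||CFS_j) mod q."""
    r = secrets.randbelow(Q - 1) + 1
    R = mul(r, G)
    sigma = (sk * h(b"H0", pid) + r * h(b"H4", msg, pid_lc, R, t, cfs)) % Q
    return {"M": msg, "PID": pid, "PID_LC": pid_lc, "R": R, "T": t,
            "CFS": cfs, "sigma": sigma}

def verify(pkt, A, now):
    """Freshness check first, then sigma*P == H0*A + H4*R_j."""
    if not 0 <= now - pkt["T"] <= MAX_AGE:
        return "stale"
    h0 = h(b"H0", pkt["PID"])
    h4 = h(b"H4", pkt["M"], pkt["PID_LC"], pkt["R"], pkt["T"], pkt["CFS"])
    ok = mul(pkt["sigma"], G) == add(mul(h0, A), mul(h4, pkt["R"]))
    return "ok" if ok else "bad-signature"

def demo():
    sk = secrets.randbelow(Q - 1) + 1          # constructed key pair
    A = mul(sk, G)
    pkt = sign(sk, "PID-v-1", "ice on road", "PID-LC-7", "cfs", t=1000)
    forged = dict(pkt, M="road clear")          # modified in transit
    return verify(pkt, A, 1002), verify(forged, A, 1002), verify(pkt, A, 1060)

print(demo())
```

The three results correspond to a fresh genuine message, the same message altered in transit, and the genuine message replayed 60 seconds later.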

Performance analysis
In this section, we analyse the performance of our scheme in comparison with the schemes of He et al. [11], Li et al. [24] (EPA-CPPA) and Li et al. [45]. First, we set the order q of group G on the super elliptic curve \(E:y^{2}=x^{3}+ax+b\ mod\ p,(a,b\in Z_{p}^{*})\), in which q, p are 160-bit prime numbers. The notations used in this part are as follows:

1. T_{m}: The time spent on performing a scalar multiplication operation x·P, where \(x\in Z_{p}^{*}, P\in G\).

2. T_{a}: The time spent on performing a point addition operation Q+R, where Q,R∈G.

3. T_{h}: The time required for performing a one-way hash function operation.
To compare fairly, we implemented the cryptographic operations in the following environment: an Intel Core i7-6700 CPU at 3.40 GHz with 8 GB RAM, running Windows 7. Table 2 gives the running times of these operations. The analysis is divided into three aspects: signing a single message, single message verification, and batch message verification. In the scheme of He et al. [11], signing a single message requires three scalar multiplications and three one-way hash functions, which is 3T_{m}+3T_{h}≈0.9684 ms. Verifying a single message costs three scalar multiplications, two point additions and two one-way hash functions, which is 3T_{m}+2T_{a}+T_{h}≈0.9712 ms. When batch verification is implemented, (n+2) scalar multiplications, (3n−1) point additions and (2n) one-way hash functions are performed, which is (n+2)T_{m}+(3n−1)T_{a}+(2n)T_{h}≈(0.331n+0.6412) ms.
In the scheme of Li et al. [24] (EPA-CPPA), signing a single message requires one scalar multiplication and two one-way hash functions, which is 1T_{m}+2T_{h}≈0.3238 ms. Verifying a single message costs four scalar multiplications, one point addition and two one-way hash functions, which is 4T_{m}+1T_{a}+2T_{h}≈1.2916 ms. When batch verification is implemented, (2n+2) scalar multiplications, (n) point additions and (2n) one-way hash functions are performed, which is (2n+2)T_{m}+(n)T_{a}+(2n)T_{h}≈(0.648n+0.6436) ms.
In the scheme of Li et al. [45], signing a single message requires one scalar multiplication and one one-way hash function, which is 1T_{m}+1T_{h}≈0.3228 ms. Verifying a single message costs three scalar multiplications, three point additions and two one-way hash functions, which is 3T_{m}+3T_{a}+2T_{h}≈0.9746 ms. When batch verification is implemented, (n+2) scalar multiplications, (3n) point additions and (2n) one-way hash functions are performed, which is (n+2)T_{m}+(3n)T_{a}+(2n)T_{h}≈(0.331n+0.6436) ms.
In the proposed scheme, signing a single message requires one scalar multiplication and two one-way hash functions, which is 1T_{m}+2T_{h}≈0.3238 ms. Verifying a single message costs one scalar multiplication, one point addition and two one-way hash functions, which is T_{m}+T_{a}+2T_{h}≈0.3262 ms. When batch verification is implemented, (n) scalar multiplications, (n) point additions and (2n) one-way hash functions are performed, which is (n)T_{m}+(n)T_{a}+(2n)T_{h}≈(0.3262n) ms. The overall overhead is shown in Table 3.
According to Fig. 4, our scheme shows obvious overhead advantages in terms of signing and verifying a single message. As shown in Fig. 5, our scheme takes the least time to batch verify messages among the four schemes.
Conclusion
In this paper, a weight-based conditional privacy-preserving authentication scheme in SDVNs is introduced. With this scheme, a secure way to protect the privacy of vehicles and communications between them is offered. By applying the weight-based system, the participation rate of malicious vehicles and communication redundancy are both reduced to ease the computing overhead of entities, which also keeps the communication environment for vehicles clear. The two-step tracing scheme means LCs do not need to store old parameters to obtain the identities of vehicles, thereby reducing deployment costs. For the next step, we will focus on how to manage the vehicles more efficiently to make full use of the advantages of the decoupled architecture in the environment of SDVNs.
Availability of data and materials
Data supporting the results of this article have been included within the article.
References
1. Ma X, Gao H, Xu H, Bian M (2019) An IoT-based task scheduling optimization scheme considering the deadline and cost-aware scientific workflow for cloud computing. EURASIP J Wirel Commun Netw 2019(1):249.
2. Gao H, Xu Y, Yin Y, Zhang W, Li R, Wang X (2019) Context-aware QoS prediction with neural collaborative filtering for Internet-of-Things services. IEEE Internet of Things J 7(5):4532–4542.
3. Deng S, Xiang Z, Zhao P, Taheri J, Gao H, Yin J, Zomaya A (2020) Dynamical resource allocation in edge for trustable Internet-of-Things systems: a reinforcement learning method. IEEE Trans Ind Inform 16(9):6103–6113.
4. Gao H, Duan Y, Shao L, Sun X (2019) Transformation-based processing of typed resources for multimedia sources in the IoT environment. Wirel Netw:1–17. https://doi.org/10.1007/s11276019022006.
5. Lai C, Lu R, Zheng D, Shen XS (2020) Security and privacy challenges in 5G-enabled vehicular networks. IEEE Network 34(2):37–45.
6. Wang M, Liu D, Zhu L, Xu Y, Wang F (2016) LESPP: lightweight and efficient strong privacy preserving authentication scheme for secure VANET communication. Computing 98(7):685–708.
7. Cheng J, Yuan G, Zhou M, Gao S, Liu C, Duan H, Zeng Q (2020) Accessibility analysis and modeling for IoV in an urban scene. IEEE Trans Veh Technol 69(4):4246–4256.
8. Cheng J, Yuan G, Zhou M, Gao S, Liu C, Duan H (2019) A fluid mechanics-based data flow model to estimate VANET capacity. IEEE Trans Intell Transp Syst 21(6):2603–2614.
9. Lai C, Zhang K, Cheng N, Li H, Shen X (2016) SIRC: A secure incentive scheme for reliable cooperative downloading in highway VANETs. IEEE Trans Intell Transp Syst 18(6):1559–1574.
10. Li H, Dong M, Ota K (2016) Control plane optimization in software-defined vehicular ad hoc networks. IEEE Trans Veh Technol 65(10):7895–7904.
11. He D, Zeadally S, Xu B, Huang X (2015) An efficient identity-based conditional privacy-preserving authentication scheme for vehicular ad hoc networks. IEEE Trans Inf Forensics Secur 10(12):2681–2691.
12. Cui J, Zhang X, Zhong H, Zhang J, Liu L (2019) Extensible conditional privacy protection authentication scheme for secure vehicular networks in a multi-cloud environment. IEEE Trans Inf Forensics Secur 15:1654–1667.
13. Zhu M, Cao J, Pang D, He Z, Xu M (2015) SDN-based routing for efficient message propagation in VANET. In: International Conference on Wireless Algorithms, Systems, and Applications, 788–797, Springer.
14. Cui J, Wei L, Zhong H, Zhang J, Xu Y, Liu L (2020) Edge computing in VANETs-an efficient and privacy-preserving cooperative downloading scheme. IEEE J Sel Areas Commun 38(6):1191–1204.
15. Chen M, Qian Y, Mao S, Tang W, Yang X (2016) Software-defined mobile networks security. Mob Netw Appl 21(5):729–743.
16. Jaballah WB, Conti M, Lal C (2019) A survey on software-defined VANETs: benefits, challenges, and future directions. arXiv 1904.04577.
17. Cheng J, Chen M, Zhou M, Gao S, Liu C, Liu C (2018) Overlapping community change point detection in an evolving network. IEEE Trans Big Data 6:189–200.
18. Pentikousis K, Wang Y, Hu W (2013) Mobileflow: Toward software-defined mobile networks. IEEE Commun Mag 51(7):44–53.
19. Liyanage M, Gurtov A, Ylianttila M (2015) Software Defined Mobile Networks (SDMN): Beyond LTE Network Architecture. John Wiley & Sons.
20. Liyanage M, Ylianttila M, Gurtov A (2014) Securing the control channel of software-defined mobile networks. In: Proceeding of IEEE International Symposium on a World of Wireless, Mobile and Multimedia Networks 2014, 1–6, IEEE.
21. Bousselham M, Abdellaoui A, Chaoui H (2017) Security against malicious node in the vehicular cloud computing using a software-defined networking architecture. In: 2017 International Conference on Soft Computing and Its Engineering Applications (icSoftComp), 1–5, IEEE.
22. Azees M, Vijayakumar P, Deboarh LJ (2017) EAAP: Efficient anonymous authentication with conditional privacy-preserving scheme for vehicular ad hoc networks. IEEE Trans Intell Transp Syst 18(9):2467–2476.
23. Lu R, Lin X, Zhu H, Ho PH, Shen X (2008) ECPP: Efficient conditional privacy preservation protocol for secure vehicular communications. In: IEEE INFOCOM 2008-The 27th Conference on Computer Communications, 1229–1237, IEEE.
24. Li J, Choo KKR, Zhang W, Kumari S, Rodrigues JJ, Khan MK, Hogrefe D (2018) EPA-CPPA: An efficient, provably-secure and anonymous conditional privacy-preserving authentication scheme for vehicular ad hoc networks. Veh Commun 13:104–113.
25. Cui J, Wu D, Zhang J, Xu Y, Zhong H (2019) An efficient authentication scheme based on semi-trusted authority in VANETs. IEEE Trans Veh Technol 68(3):2972–2986.
26. Cui J, Zhang J, Zhong H, Xu Y (2017) SPACF: A secure privacy-preserving authentication scheme for VANET with cuckoo filter. IEEE Trans Veh Technol 66(11):10283–10295.
27. Sun Y, Lu R, Lin X, Shen X, Su J (2010) An efficient pseudonymous authentication scheme with strong privacy preservation for vehicular communications. IEEE Trans Veh Technol 59(7):3589–3603.
28. Hamdoun S, Rachedi A, Ghamri-Doudane Y (2020) Graph-based radio resource sharing schemes for MTC in D2D-based 5G networks. Mob Netw Appl:1–19.
29. Duan P, Peng C, Zhu Q, Shi J, Cai H (2014) Design and analysis of software defined vehicular cyber physical systems. In: 2014 20th IEEE International Conference on Parallel and Distributed Systems (ICPADS), 412–417, IEEE.
30. Kim M, Jang I, Choo S, Pack S (2016) On security in software-defined vehicular cloud. In: 2016 International Conference on Information and Communication Technology Convergence (ICTC), 1259–1260, IEEE.
31. Lu R, Lin X, Shi Z, Shen XS (2013) A lightweight conditional privacy-preservation protocol for vehicular traffic-monitoring systems. IEEE Intell Syst 28(3):62–65.
32. Lo NW, Tsai JL (2015) An efficient conditional privacy-preserving authentication scheme for vehicular sensor networks without pairings. IEEE Trans Intell Transp Syst 17(5):1319–1328.
33. Gao H, Miao H, Liu L, Kai J, Zhao K (2018) Int J Softw Eng Knowl Eng 28(10):1369–1397.
34. Shao J, Lin X, Lu R, Zuo C (2015) A threshold anonymous authentication protocol for VANETs. IEEE Trans Veh Technol 65(3):1711–1720.
35. Lai C, Zhou H, Cheng N, Shen XS (2017) Secure group communications in vehicular networks: A software-defined network-enabled architecture and solution. IEEE Veh Technol Mag 12(4):40–49.
36. Lai C, Lu R, Zheng D (2017) Achieving secure and seamless ip communications for group-oriented software defined vehicular networks. In: International Conference on Wireless Algorithms, Systems, and Applications, 356–368, Springer.
37. Cui J, Zhang X, Zhong H, Ying Z, Liu L (2019) RSMA: Reputation system-based lightweight message authentication framework and protocol for 5G-enabled vehicular networks. IEEE Internet of Things J 6(4):6417–6428.
38. Zhang J, Cui J, Zhong H, Chen Z, Liu L (2019) PA-CRT: Chinese remainder theorem based conditional privacy-preserving authentication scheme in vehicular ad-hoc networks. IEEE Trans Dependable and Secure Comput. https://doi.org/10.1109/TDSC.2019.2904274.
39. Garg S, Kaur K, Kaddoum G, Ahmed SH, Jayakody DNK (2019) SDN-based secure and privacy-preserving scheme for vehicular networks: A 5G perspective. IEEE Trans Veh Technol 68(9):8421–8434.
40. Huang J, Qian Y, Hu RQ (2020) Secure and efficient privacy-preserving authentication scheme for 5G software defined vehicular networks. IEEE Trans Veh Technol. https://doi.org/10.1109/TVT.2020.2996574.
41. Ming Y, Cheng H (2019) Efficient certificateless conditional privacy-preserving authentication scheme in VANETs. Mob Inf Syst 2019:1–19.
42. Pointcheval D, Stern J (2000) Security arguments for digital signatures and blind signatures. J Cryptol 13(3):361–396.
43. Cui J, Zuo HF, Zhong H (2017) Asymmetric Biclique cryptanalysis of lightweight block ciphers MIBS and IPRESENT. Sci Sin Informationis 47(10):1395–1410.
44. Cui J, Zuo HF, Zhong H (2017) Biclique cryptanalysis on lightweight block ciphers IPRESENT80 and IPRESENT128. J Commun 11:2.
45. Li C, Zhang X, Wang H, Li D (2018) An enhanced secure identity-based certificateless public key authentication scheme for vehicular sensor networks. Sensors 18(1):194.
Acknowledgements
The authors are very grateful to the anonymous referees for their detailed comments and suggestions regarding this paper.
Funding
The work was supported by the National Natural Science Foundation of China (No. 61872001, No. 62011530046, No. U1936220), the Cooperation and Exchange Project between NSFC and RFBR (No. 205753019, No. 62011530046), the Open Fund of Key Laboratory of Embedded System and Service Computing (Tongji University), Ministry of Education (No. ESSCKF201803), the Open Fund for Discipline Construction, Institute of Physical Science and Information Technology, Anhui University and the Excellent Talent Project of Anhui University.
Author information
Authors’ contributions
In this work, the idea and overall plan is proposed by Hong Zhong; the concrete cryptographic protocol is conceived and designed by Yingxue Geng; the experiments are performed by Jie Cui and the experimental/analysis tools are contributed by Yan Xu; Lu Liu analyses the collected experimental data.
Authors’ information
Hong Zhong was born in Anhui Province, China, in 1965. She received her PhD degree in computer science from University of Science and Technology of China in 2005. She is currently a professor and Ph.D. supervisor of the School of Computer Science and Technology at Anhui University. Her research interests include applied cryptography, IoT security, vehicular ad hoc network, cloud computing security and software-defined networking (SDN). She has over 120 scientific publications in reputable journals (e.g. IEEE Transactions on Dependable and Secure Computing, IEEE Transactions on Information Forensics and Security, IEEE Transactions on Parallel and Distributed Systems, IEEE Transactions on Vehicular Technology, IEEE Transactions on Intelligent Transportation Systems, IEEE Transactions on Network and Service Management, IEEE Transactions on Big Data and IEEE Internet of Things Journal), academic books and international conferences.
Yingxue Geng is now a research student in the School of Computer Science and Technology, Anhui University. Her research focuses on the secure authentication of vehicular ad hoc networks.
Jie Cui was born in Henan Province, China, in 1980. He received his Ph.D. degree in University of Science and Technology of China in 2012. He is currently a professor and Ph.D. supervisor of the School of Computer Science and Technology at Anhui University. His current research interests include applied cryptography, IoT security, vehicular ad hoc network, cloud computing security and software-defined networking (SDN). He has over 100 scientific publications in reputable journals (e.g. IEEE Transactions on Dependable and Secure Computing, IEEE Transactions on Information Forensics and Security, IEEE Journal on Selected Areas in Communications, IEEE Transactions on Vehicular Technology, IEEE Transactions on Intelligent Transportation Systems, IEEE Transactions on Multimedia, IEEE Transactions on Network and Service Management, IEEE Transactions on Emerging Topics in Computing and IEEE Transactions on Circuits and Systems), academic books and international conferences.
Yan Xu is currently an associate professor of School of Computer Science and Technology at Anhui University. She received the BS and MS degrees from Shandong University in 2004 and 2007, respectively, and the PhD degree from University of Science and Technology of China in 2015. Her research interests include information security and applied cryptography.
Lu Liu is the Professor of Informatics and Head of School of Informatics in the University of Leicester, UK. Prof Liu received the Ph.D. degree from University of Surrey, UK and MSc in Data Communication Systems from Brunel University, UK. Prof Liu’s research interests are in areas of cloud computing, service computing, computer networks and peer-to-peer networking. He is a Fellow of British Computer Society (BCS).
Ethics declarations
Competing interests
The authors declare that they have no competing interests.
Rights and permissions
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.
About this article
Cite this article
Zhong, H., Geng, Y., Cui, J. et al. A weight-based conditional privacy-preserving authentication scheme in software-defined vehicular network. J Cloud Comp 9, 54 (2020). https://doi.org/10.1186/s13677020001983
DOI: https://doi.org/10.1186/s13677020001983