A weight-based conditional privacy-preserving authentication scheme in software-defined vehicular network

The rapid development of vehicular ad hoc networks (VANETs) has brought significant improvement to traffic safety and efficiency. However, owing to limitations associated with VANETs’ own unchanging model and traditional network structure, there are still many challenging concerns such as poor flexibility and controllability to deal with. To solve these inherent problems effectively, we propose a weight-based conditional anonymous authentication scheme by introducing the newly emerging software-defined networking (SDN) framework. Firstly, by making use of the global planning and dynamic management features of SDN, vehicles are classified into different priorities using weighted values to reduce communications redundancy, and control the participation of malicious vehicles. Then, an efficient conditional privacy-preserving scheme was developed to secure communications among vehicles. A two-step tracing approach has been designed to exclude and punish vehicles whose weights drop below the threshold. Extensive analyses indicate that our conditional privacy-preserving scheme is secure and has lower computation costs than conventional state-of-the-art authentication schemes.


Introduction
The application of the Internet of Things (IoT) has effectively promoted the intelligent development of all fields of life [1,2]. These applications have made limited resources more reasonably used and distributed, thereby improving industry efficiency and effectiveness [3,4]. Representatively, the vehicular network has provided people with many life-changing benefits that they may not realize. VANETs were introduced to make vehicles safer and to offer an efficient tool to enhance the driving experience. They have attracted attention from both academia and industry since inception [5]. The onboard units (OBU) installed in vehicles allow communications between vehicles (V-2-V) as well as between vehicles and infrastructures (V-2-I) [6]. This hybrid combined network can offer many kinds of services that will bring great convenience and enhancements to current applications, such as optimum path planning, and broadcasting warnings of road accidents and other newsworthy events [7,8]. Despite these advantages, security during communications must be considered when VANETs are used in real applications, in order to protect the privacy of vehicles and prevent malicious users from damaging the system [9]. To overcome the shortcomings, many researchers have proposed anonymous authentication schemes to ensure secure communications [10,11]. For instance, a conditional privacy protection authentication scheme in a multi-cloud environment [12] was proposed to secure the privacy and anonymity of vehicles by combining with cloud computing [13,14]. However, most of the present schemes are designed for traditional networks.
*Correspondence: cuijie@mail.ustc.edu.cn. †Hong Zhong contributed equally to this work. 1 School of Computer Science and Technology, Anhui University, Jiulong Road, 230039 Hefei, China. Full list of author information is available at the end of the article.
There are some inherent problems in traditional networks: they cannot cope with the rapidly changing topology of VANETs and may cause some uncontrollable security threats. Chen et al. [15] gave a survey on security problems in Software Defined Mobile Networks (SDMN). To some extent, SDVN is similar to SDMN, for example in its fast-changing topology and its frequent joining and leaving. This inspired us to introduce SDN into VANETs to cope with those security problems. The survey of Jaballah et al. [16] gave a new direction for resolving the privacy problem in VANETs by including SDN technology [17].
SDN is a newly emerging and promising technology that breaks the traditional network model by decoupling the control and data planes. In the control plane, all the managing and monitoring functions are logically united into one entity called a controller. The data plane includes all kinds of wired or wireless networking infrastructure used to forward network traffic. In this way, the system can release routing-related equipment from heavy forwarding jobs using the programmable properties of SDN to ease and enhance the overall network performance [10].
This new network architecture has received significant attention from mobile networks such as VANETs for its abilities to enhance performance, flexibility, and scalability [18]. By concentrating all protocol-specific features in the software, this extension of the SDN paradigm is expected to incorporate mobile network specific functionality [19]. Moreover, the new architecture also brings new opportunities and approaches to cope with some inherent problems in traditional networks, especially regarding security [20]. There have been some studies dedicated to solving security problems in the control plane [21], such as distributed denial-of-service and malware attacks. However, the security and privacy problems existing in the data plane have not received focus.
We propose a conditional privacy-preserving scheme, which is used to protect communication security and improve network efficiency in an SDVN framework. In our scheme, a weight-based system is offered to execute the first-step detection as a filter to lower the message density. As background, the detailed work process and weighting system will be explained in the "Background" section.

Our contributions
In this paper, we propose a conditional authentication scheme that offers a weight-based system to monitor malicious vehicles when protecting the privacy of vehicles in SDVNs. The main contributions of our scheme are threefold.
1. To support communication privacy and efficient traceability in SDVNs, a message privacy-preserving authentication scheme is proposed with two-step tracing. The authentication scheme relieves local controllers of the need to store information about vehicles and system parameters. The layered controller model also relieves the global controller of the heavy work burden of computation and reduces deployment costs.
2. We have built a framework of weight-based incentive system by offering vehicles candidate forwarding sets (CFSs) in the SDVN framework to encourage vehicles to upload correct and real-time information about traffic and roads. Information uploaded by vehicles will be used to enhance driving experiences like route planning and avoiding traffic congestion. This system evaluates vehicles and sets their priorities according to their weight values. Vehicles with low weight values will lose trust from controllers after a specific period.
3. Extensive analyses are performed to prove the security and efficiency of the proposed scheme.

Organization of this paper
The remainder of this paper is organized as follows. The "Related work" section introduces the related works. The "Background" section describes the system model and some background knowledge used in our study. The "Proposed scheme" section presents our specific scheme. Then, the "Security proof and analysis" section shows the detailed security proof and analysis. In the "Performance analysis" section, we give the performance evaluation and comparison. Finally, the "Conclusion" section gives the conclusion and some concluding remarks.

Related work
There have been many works dedicated to designing efficient conditional privacy-preserving schemes [13,22-25] to secure vehicles' identities and communications [26-28]. With the advent of SDN technology, some research areas including VANETs have realized the convenience and advantages of this new network architecture. SDN has been introduced to address some inherent problems in [10,13,21,29-33]. Shao et al. [34] proposed an anonymous authentication protocol for VANETs by using a new group signature scheme, which achieved threshold authentication and group signature in VANETs. However, massive and heavy computation overhead coming with bilinear pairing operation and map-to-point hash operation may strictly limit its practicability.
Lai et al. [35] proposed an integrated network architecture for secure group communication in SDN-based 5G-VANETs. With this scheme, some security challenges in both decentralized and centralized networks can be addressed and the performance evaluation proved to be outstanding, but it lacks a detailed concrete privacy-preserving approach to guarantee vehicles' privacy. In [36], they introduced a unified secure and seamless IP communications framework for a group-oriented heterogeneous vehicular environment. The framework aimed to make use of the advantages of an SDN structure to set up the platoon securely and flexibly and control the handover signaling overload. Cui et al. [37] designed an authentication protocol for 5G-enabled vehicular networks in which the TA is in charge of reputation management to filter vehicles with a reputation score below a given threshold, which reduces the existence of untrusted messages in VANETs. Zhang et al. [38] proposed a novel Chinese remainder theorem based conditional privacy-preserving authentication scheme to secure vehicular authentication. This scheme solved the leakage problem during side channel attacks and ensured security for the entire system. Jaballah et al. [16] gave a detailed survey on SDVNs that introduced benefits, future directions and existing challenges, especially about communications security.
Garg et al. [39] presented an SDN-based privacy-preserving scheme for vehicular networks from a 5G perspective. The scheme provided end-to-end security methods through its inbuilt modules including authentication and intrusion detection. The authentication scheme relies on ECC to authenticate the CA, CH, and the vehicles before data transmission. The intrusion detection employs the concept of tensor-based dimensionality reduction to reduce the size of vehicular traffic data and then expose it for detection. However, this scheme only introduced the identity authentications between CA and CH as well as between CH and vehicles. No further message authentication scheme was designed to secure communication. In addition, the authentication scheme may require too much computation and storage, which will cause great overhead and delay in deployment.
Huang et al. [40] proposed a 5G software-defined vehicular network model. Based on that, they presented a conditional privacy-preserving authentication scheme which avoided single point of failure problems and the use of an ideal tamper-proof device and certificate revocation list (CRL). The scheme used a revocation list to reduce the verification delay caused by checking the long CRL, and the storage coming with the large number of pseudonyms in the CRL. However, every second pseudo identity (SPID) of $V_i$ has a validation time and can only be used once, after which it is removed from the list. This design will cost too much storage and computation overhead while tracking the real identities of malicious vehicles.

Background
In this section, we formalize the weight value computation system. Assumptions and security goals will be elaborated in detail as well.

System model
The proposed system model is composed of the following entities: global controller (GC), local controller (LC), the deployed access point (AP) and cellular network base station (BS), transport manager (TM) and OBUs that are preloaded on the vehicles, as presented in Fig. 1. The functions of these network entities and the related assumptions are described below.
1. GC: The global controller of this system has extremely outstanding computing and storage capabilities compared with LCs and OBUs. In the narrower SDN system, the controller is a logically centralized strategy point based on the OpenFlow protocol, and is responsible for managing traffic flow, route discovery, and other control work. In our scheme, like the traditional Trusted Authority, the GC is responsible for heavy computation tasks such as generating and distributing system parameters, as well as updating them periodically. Beyond that, the GC also monitors and manages the global network, including updating route strategy and detecting malicious members. When necessary, the GC will take part in tracking real identities of vehicles.
2. LC: Local controllers in the scheme are designed mainly to balance the computation burden of the GC and to reduce the cost of deployment considering the real situation. The layered structure is shown in Fig. 2. Each local controller takes charge of one specific area. Like the traditional Roadside Units, on receiving a request message including the real identity from a vehicle, the LC will return the pseudo-identity, the secret key, and some other parameters to the sender. Beyond that, LCs also make local route strategy, compute weight values, and execute some other controlling actions. But in consideration of security and storage costs, LCs will not store any of these identity entries. When it is necessary to track the true identity, the LC will check whether it is able to extract it. If not, it submits the message to the GC. Tracking steps will be presented in the "Proposed scheme" section in detail.
3. OBU: The OBU is a computing unit that is preloaded in the vehicle. OBUs get access to wireless networks and offer vehicles various network services like navigation and disaster warning. Besides, OBUs submit vehicle conditions and surrounding traffic situations. This feedback will be used by LCs and the GC to make overall plans for the vehicles themselves [41].
4. AP and BS: Vehicles in our system can get access to not only cellular networks like 3G/4G/5G, but also city WiFi via access points and other types of networks. Ubiquitous 5G base stations still require quite a long period to deploy, and the cost may be unaffordable for some users. So the coexistence of different types of networks is necessary.
5. TM: The transport manager is the vehicle-managing authority. It notifies and warns vehicle owners when their vehicles' weight values drop below a specific threshold value.

Fig. 1 The system model of the proposed scheme
The system assumptions are as follows:
• The GC is completely trustworthy and cannot be compromised.
• LCs are trusted, but their capabilities are limited and far from taking the place of the GC.
• Vehicles are half-trusted, but the vital parameters stored inside are not available to adversaries.
• The overall road map and building distribution have been preloaded in the GC. Local maps and distributions are preloaded in the corresponding LCs.
Controllers in our scheme are only responsible for traffic management, route planning and other network-related affairs. Vehicle management and other social service applications will be allowed to plug into the unified north APIs offered by controllers.

Weight computation system
In our proposed model, the weight computation system computes CFSs for vehicles. According to vehicles' weight values in the current period, the system classifies the vehicles in the present area into different priorities [37]. By introducing this model, vehicles that have sent too many bogus messages will be squeezed out of the high priority set. The more invalid or fake messages they send, the lower the priorities assigned to them. The main mechanism of this part is shown in Fig. 3.
(1)
where $w_1 + w_2 + w_3 + w_4 + w_5 = 1$. After computing all the weight values in the area, the LC will set their priorities. Here we set priorities as four levels: L1 (prior), L2 (sub-prior), L3 (medium) and L4 (low). The priority calculation method is shown as Algorithm 1. Then the LC returns security parameters with the CFS to the requesting vehicle. When all necessary contents are acquired, the vehicle will sign messages via the authentication scheme demonstrated in the next section. Then it sends out messages with the CFS attached, as Algorithm 2 shows. On receiving a message, a vehicle checks its priority in the CFS. If its priority is L1, it forwards without waiting. If the priority level is lower than L1, it waits for a specific period. If vehicles do not receive ACK packages from the higher-level ones in this period, they forward [29]. Since the CFS is not integrated with any specific routing algorithm, it can be applied with all kinds of routing models to offer better candidates.
3. When an accumulation phase ends, LCs will upload to the GC entries of vehicles' information. The numbers of bogus messages vehicles had sent in the previous period will be recorded.
4. On receiving real-time entries from LCs, the GC will upload its table with both the real identities it tracked and those the LCs submitted.
5. When vehicles are found to have weight values that have dropped below the threshold value, the GC will inform the TM to take appropriate actions.

Security goals
Here we introduce the main security goals that our proposed scheme aims to achieve.
(Fragment of an algorithm listing: ... LC refuses the request; else LC evaluates the environment of $V_i$; computes CFS ...)

Proposed scheme
To achieve privacy preservation and efficient traceability while communicating, the authentication scheme designed for our SDVN environment will be presented in detail in this section. Firstly, the GC chooses parameters and distributes them. When an LC receives the parameters, it sets up the system. Then, if a vehicle enters the managing range of the LC and needs to sign and send messages, the LC will choose the best CFS and send it to the vehicle. Then the vehicle broadcasts the signed message with the CFS attached. Adjacent vehicles will check if they are in the CFS. A vehicle that is in the CFS verifies the message and decides whether to abandon or transfer it. If it is necessary to track the identities of vehicles, our scheme offers a two-step tracing approach, which balances the computation and storage overloads of LCs and the GC to the greatest extent.

System initialization
Let $F_p$ be a finite field, where $p$ is a large prime number and the size of the field. $(a, b) \in F_p$ are the parameters of the elliptic curve $E$. $P$ is the generator and $q$ is the prime order of $E$. Some notations and definitions in our scheme are presented in Table 1.
Then it randomly selects $\alpha, \beta, s \in Z_q^*$, with $s$ as the secret key and $P_{pub} = sP$ as the public key of the controllers system. Then the GC transmits parameters to LCs via secure channels.
2. When $LC_i$ receives the parameters generated by the GC, it computes $A = \alpha \cdot P \cdot H_0(PID_{LC,i})$ and $B = \beta \cdot P$, where $PID_{LC,i} = ID_i \oplus H_1(P_{pub}, B)$. Then $LC_i$ publishes $H_0, H_1, H_2, H_3, H_4, P, P_{pub}, q, PID_{LC,i}, A, B$ as the present system parameters.
3. To successfully track the identities of vehicles when necessary, the GC stores a 5-tuple $(PID_{LC,i}, s, P_{pub}, T_{start}, T_{end})$. $T_{start}$ and $T_{end}$ are the enabling and disabling times, respectively, of the secret key $s$. To save computation cost, secret keys can be reused in an irregular cycle. But to ensure the security of controllers, LCs do not store any of them.

Vehicles registration
When vehicle $V_j$ enters the range of $LC_i$, it sends a request message including its identity $ID_{v,j}$ to $LC_i$. Then $LC_i$ computes $PID_{v,j} = LC_i \oplus H_2(s, B)$ as its pseudo identity and $SK_j = \alpha \cdot H_3(PID_{v,j})$ as its secret key.

Message signing and verifying
When $V_j$ intends to communicate with other entities, it signs and encapsulates messages with attached data such as $CFS_j$. Surrounding vehicles will check if they are in $CFS_j$. If not, they temporarily retain the message and wait for ACK packages. Otherwise they verify the signature and then forward it again with their own CFS.
1. $V_j$ randomly chooses a number $r_j \in Z_q^*$ and lets $R_j = r_j \cdot P$. $V_j$ signs message $M$ by computing
$\sigma = SK_j \cdot H_0(PID_{LC,i}) + r \cdot H_4(M, PID_{LC,i}, R_j, T_t, CFS_j) \bmod q$ (2)
where $M$ denotes the related message and $T_t$ is the timestamp.
2. Then $V_j$ issues the message msg in the form $(M, R_j, PID_{v,j}, PID_{LC,i}, T_t, \sigma, P_{pub}, CFS_j)$.
3. To verify a received message, the timestamp $T_t$ is checked first. If it is still fresh, the receiver then verifies whether Eq. (3) holds.
(3)
Batch Verification: When a vehicle receives n messages in a short interval, verifying them one by one will consume a lot of time and energy. So our scheme allows batch verification. Firstly, the receiver checks if $T_{t,1}, T_{t,2}, ..., T_{t,n}$ are fresh. Then it selects n ephemeral values $e_1, e_2, ..., e_n$ randomly, where $e \in [1, 2^t]$ and $t$ is a small integer. Finally, the receiver verifies whether Eq. (4) holds.
(4)
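The signing, single-message verification and batch verification steps above, as an added example that is not the authors' code. It assumes secp256k1 as the curve, SHA-256 as a stand-in for H0 to H4 and "|"-joined hash inputs; because Eq. (3) and Eq. (4) are not reproduced on this page, the verification check is derived here from the definitions of A, SK_j and Eq. (2), and all identifiers and message values are constructed.

```python
import hashlib
import secrets

# Assumption: secp256k1 stands in for the paper's curve E (generator P, prime order q).
FIELD = 2**256 - 2**32 - 977
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p1 if p2 is None else p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % FIELD == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, FIELD) % FIELD
    else:
        lam = (y2 - y1) * pow((x2 - x1) % FIELD, -1, FIELD) % FIELD
    x3 = (lam * lam - x1 - x2) % FIELD
    return (x3, (lam * (x1 - x3) - y1) % FIELD)

def mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; illustration only)."""
    acc, k = None, k % Q
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def H(tag, *parts):
    """Domain-separated SHA-256 into Z_q, standing in for H0..H4 (assumption)."""
    data = "|".join([tag, *map(str, parts)]).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def lc_setup(pid_lc):
    alpha = secrets.randbelow(Q - 1) + 1
    return alpha, mul(alpha * H("H0", pid_lc), P)    # A = alpha * P * H0(PID_LC,i)

def register(alpha, pid_v):
    return alpha * H("H3", pid_v) % Q                # SK_j = alpha * H3(PID_v,j)

def h4(m):
    return H("H4", m["M"], m["PID_LC"], m["R"], m["Tt"], m["CFS"])

def sign(sk, pid_v, pid_lc, text, ts, cfs):
    r = secrets.randbelow(Q - 1) + 1
    m = {"M": text, "R": mul(r, P), "PID_v": pid_v, "PID_LC": pid_lc, "Tt": ts, "CFS": cfs}
    m["sigma"] = (sk * H("H0", pid_lc) + r * h4(m)) % Q   # Eq. (2)
    return m

def fresh(m, now, max_age=5):
    return 0 <= now - m["Tt"] <= max_age

def verify(m, A, now):
    # Derived check (assumption): sigma*P == H3(PID_v,j)*A + H4(...)*R_j
    if not fresh(m, now):
        return False
    return mul(m["sigma"], P) == add(mul(H("H3", m["PID_v"]), A), mul(h4(m), m["R"]))

def batch_verify(msgs, A, now, t=32, exps=None):
    """Small-exponent batch check; a forged batch passes with probability about 2**-t."""
    if not all(fresh(m, now) for m in msgs):
        return False
    e = exps or [secrets.randbelow(2**t) + 1 for _ in msgs]   # e_i in [1, 2^t]
    lhs = mul(sum(ei * m["sigma"] for ei, m in zip(e, msgs)), P)
    rhs = mul(sum(ei * H("H3", m["PID_v"]) for ei, m in zip(e, msgs)), A)
    for ei, m in zip(e, msgs):
        rhs = add(rhs, mul(ei * h4(m), m["R"]))
    return lhs == rhs

def demo():
    """Constructed sample: three vehicles registered with one LC sign one message each."""
    alpha, A = lc_setup("PID_LC_1")
    msgs = [sign(register(alpha, f"PID_v_{j}"), f"PID_v_{j}", "PID_LC_1",
                 f"road event {j}", 100, "CFS:v7,v3,v9") for j in range(3)]
    single = all(verify(m, A, now=101) for m in msgs)
    batch = batch_verify(msgs, A, now=101)
    # Two altered signatures whose errors cancel in an unweighted sum (all e_i = 1).
    bad = [dict(m) for m in msgs]
    bad[0]["sigma"] = (bad[0]["sigma"] + 7) % Q
    bad[1]["sigma"] = (bad[1]["sigma"] - 7) % Q
    unweighted = batch_verify(bad, A, now=101, exps=[1, 1, 1])
    weighted = batch_verify(bad, A, now=101)
    stale = verify(msgs[0], A, now=200)
    return single, batch, unweighted, weighted, stale
```

The unweighted case in `demo()` shows why the random $e_i$ matter: two altered signatures whose errors cancel pass a plain sum but fail the weighted check.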

Identity tracking
As we mentioned before, our scheme provides a two-step tracking approach to track a vehicle's real identity when its weight value is found to have dropped below a certain threshold. Based on protocols and laws, the GC will blacklist vehicles for a certain period or refuse to offer services. Moreover, the GC can submit the list of malicious users to a related arbitration or credit managing department like the TM.

Security proof
First, we introduce the definition of the elliptic curve discrete logarithm problem (ECDLP), on which the whole analysis is based.
Definition 1 (ECDLP): Let $n \in Z_q$ and $N = nP \in G$, where $P$ is the generator of the group $G$. Given $N = nP$, it is difficult to compute $n$.
Then a game between adversary A and challenger C is introduced to set up the security model of our scheme.
Setup Oracle: In this query, C generates the secret keys and other system parameters, which are sent to A.
H0 Oracle: On input m by A, C chooses a random number r from $Z_q$ and returns it to A while inserting the tuple (m, r) into list $L_{H0}$.
H1 Oracle: On input m by A, C chooses a random number r from $Z_q$ and returns it to A while inserting the tuple (m, r) into list $L_{H1}$.
H2 Oracle: On input m by A, C chooses a random number r from $Z_q$ and returns it to A while inserting the tuple (m, r) into list $L_{H2}$.
H3 Oracle: On input m by A, C chooses a random number r from $Z_q$ and returns it to A while inserting the tuple (m, r) into list $L_{H3}$.
H4 Oracle: On input m by A, C chooses a random number r from $Z_q$ and returns it to A while inserting the tuple (m, r) into list $L_{H4}$.
Sign Oracle: In this query, on receiving message M from A, C generates msg and sends to A.
If adversary A could generate a login request message, it is proved to be able to violate the authentication of the scheme. Let (A) denote the probability that A violates the authentication of our scheme.

Definition 1. Our scheme is secure if (A) is negligible for any polynomial adversary A.
We evaluated the proposed scheme and it is proved secure in the random oracle model.
Theorem 1. The proposed scheme is secure in the random oracle model.
Proof : Suppose that there exists adversary A that could forge a msg. We construct a challenger C that is able to solve the ECDLP problem with a non-negligible probability by running A as a subroutine.
Setup Oracle: Firstly a security parameter k is taken as input. Then C randomly selects a number $s$ as its private key, computes $P_{pub} = sP$ and sends $H_0, H_1, H_2, H_3, H_4, P, P_{pub}, q, PID_{LC,i}, A, B$.
H0 Oracle: C keeps a list $L_{H0}$ of tuples $(PID_{LC,i}, h_0)$, initialized to empty. When A invokes this query with $PID_{LC,i}$, C checks if $(PID_{LC,i}, h_0)$ already exists in $L_{H0}$. If so, C returns $h_0$. Otherwise it generates a random $h_0 = H_0(PID_{LC,i})$, inserts $(PID_{LC,i}, h_0)$ in $L_{H0}$ and returns $h_0$ to A.
H1 Oracle: C keeps a list $L_{H1}$ of tuples $(P_{pub}, B, h_1)$, initialized to empty. When A invokes this query with $(PID_{LC,i}, B)$, C checks if $(P_{pub}, B)$ already exists in $L_{H1}$. If so, C returns $h_1$. Otherwise it generates a random $h_1 = H_1(P_{pub}, B)$, inserts $(P_{pub}, B, h_1)$ in $L_{H1}$ and returns $h_1$ to A.
H2 Oracle: C keeps a list $L_{H2}$ of tuples $(s, B, h_2)$, initialized to empty. When A invokes this query with $(s, B)$, C checks if $(s, B)$ already exists in $L_{H2}$. If so, C returns $h_2$. Otherwise it generates a random $h_2 = H_2(s, B)$, inserts $(s, B, h_2)$ in $L_{H2}$ and returns $h_2$ to A.
H3 Oracle: C keeps a list $L_{H3}$ of tuples $(PID_{v,j}, h_3)$, initialized to empty. When A invokes this query with $PID_{v,j}$, C checks if $PID_{v,j}$ already exists in $L_{H3}$. If so, C returns $h_3$. Otherwise it generates a random $h_3 = H_3(PID_{v,j})$, inserts $(PID_{v,j}, h_3)$ in $L_{H3}$ and returns $h_3$ to A.
H4 Oracle: C keeps a list $L_{H4}$ of tuples $(M, PID_{v,j}, T_t, R_j, CFS_j, h_4)$, initialized to empty. When A invokes this query with $(M, PID_{v,j}, T_t, R_j, CFS_j)$, C checks if $(M, PID_{v,j}, T_t, R_j, CFS_j)$ already exists in $L_{H4}$. If so, C returns $h_4$. Otherwise it generates a random $h_4 = H_4(M, PID_{v,j}, T_t, R_j, CFS_j)$, inserts $(M, PID_{v,j}, T_t, R_j, CFS_j, h_4)$ in $L_{H4}$ and returns $h_4$ to A.
Sign Oracle: On receiving A's query with message $M$ and pseudo identity $PID_{v,j}$, C chooses random $\alpha, \beta, R_j$ from $Z_q$ and computes the signature $\sigma = \alpha H_0(PID_{LC,i}) + H_4(M, PID_{LC,i}, R_j, T_t, CFS_j)$. Then C inserts $(PID_{LC,i}, h_0)$ and $(M, PID_{v,j}, T_t, R_j, CFS_j, h_4)$ into $L_{H0}$ and $L_{H4}$ respectively.
Analysis: Based on the Forking lemma [42], suppose that A has generated two valid signatures $\sigma = SK_j H_0(\cdot) + r H_4(\cdot)$ and $\sigma = SK_j H_0(\cdot) + r H_4(\cdot)$. To obtain the secret key $SK_j$, it computes
As the result shows, C is able to solve the ECDLP problem as a polynomial adversary, which contradicts Definition 1. So we come to the conclusion that the proposed scheme is secure against adaptive chosen message attack in the random oracle model.

Security and attributes analysis
1. Authentication: According to Theorem 1, no polynomial adversary is able to forge a valid message. Therefore the integrity of messages can be verified by computing $\sigma \cdot P = A \cdot H_0(PID_{v,j}) + r \cdot H_4(M, PID_{LC,i}, R_j, T_t, CFS_j) \bmod q$.
2. Identity Privacy Preserving: The vehicle's real identity does take part in the communication process, but in the form of a pseudo identity, and the master key stays unexposed. If an adversary intends to obtain other vehicles' identities, it has to solve the difficult mathematical problems in our scheme, which ensures that identity privacy is preserved.
3. Traceability: If messages are found dishonest while transporting, LCs or the GC can obtain the identities of vehicles by computing $ID_{v,j} = PID_{v,j} \oplus H_2(s, B)$.
4. Unlinkability: As a result of using different pseudo identities in different areas or even different periods, adversaries are kept from figuring out whether multiple messages come from the same vehicle.
5. Resistance to Attacks: The proposed scheme can also resist the following attacks [43,44].

Performance analysis
In this section, we analyse the performance of our scheme in comparison with the schemes of He et al. [11], Li et al. [24] (EPA-CPPA) and Li et al. [45]. First, we set the order q of group G on the super elliptic curve E : To compare fairly, we implemented the cryptographic operations in the following environment. The processor is an Intel Core CPU i7-6700 at 3.40 GHz with 8 GB RAM, and the operating system is Windows 7. Table 2 gives the running times of those operations. The analysis is divided into three aspects: signing a single message, single message verification, and batch message verification.
In the scheme of He et al. [11], to sign a single message, three scalar multiplications and three one-way hash functions are required, which is $3T_m + 3T_h \approx 0.9684$ ms. To verify a single message, it costs three scalar multiplications, two point additions and two one-way hash
In the scheme of Li et al. [24] (EPA-CPPA), to sign a single message, one scalar multiplication and two one-way hash functions are required, which is $1T_m + 2T_h \approx 0.3238$ ms. To verify a single message, it costs four scalar multiplications, one point addition and two one-way hash functions, which is $4T_m + 1T_a + 2T_h \approx 1.2916$ ms. When batch verification is implemented, $(2n + 2)$ scalar multiplications, $(n)$ point additions and $(2n)$ one-way hash functions are performed, which is $(2n + 2)T_m + (n)T_a + (2n)T_h \approx (0.648n + 0.6436)$ ms.
In the scheme of Li et al. [45], to sign a single message, one scalar multiplication and one one-way hash function are required, which is $1T_m + 1T_h \approx 0.3228$ ms. To verify a single message, it costs three scalar multiplications, three point additions and two one-way hash functions, which is $3T_m + 3T_a + 2T_h \approx 0.9746$ ms. When batch verification is implemented, $(n + 2)$ scalar multiplications, $(3n)$ point additions and $(2n)$ one-way hash functions are performed, which is (n
In the proposed scheme, to sign a single message, one scalar multiplication and two one-way hash functions are required, which is $1T_m + 2T_h \approx 0.3238$ ms. To verify a single message, it costs one scalar multiplication, one point addition and two one-way hash functions, which is $T_m + T_a + 2T_h \approx 0.3262$ ms. When batch verification is implemented, $(n)$ scalar multiplications, $(n)$ point additions and $(2n)$ one-way hash functions are performed, which is $(n)T_m + (n)T_a + (2n)T_h \approx (0.3262n)$ ms. The overall overhead is shown in Table 3.
According to Fig. 4, our scheme shows obvious overhead advantages in terms of signing and verifying a single message. As shown in Fig. 5, our scheme costs the minimum time to batch verify messages among four schemes.

Conclusion
In this paper, a weight-based conditional privacy-preserving authentication scheme in SDVNs is introduced. With this scheme, a secure way to protect the privacy of vehicles and communications between them is offered. By applying the weight-based system, the participation rate of malicious vehicles and communication redundancy are both reduced to ease the computing overhead of entities, which also keeps the communication environment for vehicles clear. The two-step tracing scheme means LCs do not need to store old parameters to obtain the identities of vehicles, thereby reducing deployment costs. For the next step, we will focus on how to manage the vehicles more efficiently to make full use of the advantages of the decoupled architecture in the environment of SDVNs.

Availability of data and materials
Data supporting the results of this article have been included within the article.