A Traceable Concurrent Data Anonymous Transmission Scheme for Heterogeneous VANETs

by   Jingwei Liu, et al.
Xidian University

Vehicular Ad Hoc Networks (VANETs) are attractive scenarios that can improve the traffic situation and provide convenient services for drivers and passengers via vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) communication. However, there are still many security challenges in the traffic information transmission, especially in the intense traffic case. For ensuring the privacy of users and traceability of vehicles, we propose a traceable concurrent data anonymous transmission scheme for heterogeneous VANETs. The scheme is based on certificateless aggregate signcryption, so it supports batch verification. Moreover, conditional anonymity is also achieved due to the involving of the pseudo-ID technique. Furthermore, it is a pairing-free scheme for the merit of multi-trapdoor hash functions. As a result, the total computation overhead is greatly reduced.



There are no comments yet.


page 1

page 2

page 3

page 4

page 5

page 6


Data Fast Transmission Method in Wireless Vehicle Ad-hoc Network

ABSTRACT: In vehicular ad hoc networks, the current method does not cons...

Proactive Certificate Validation for VANETs

Security and privacy in Vehicular Ad-hoc Networks (VANETs) mandates use ...

IBRS: An Efficient Identity-based Batch Verification Scheme for VANETs Based on Ring Signature

Vehicular ad-hoc networks (VANETs) are one of the most important compone...

Secured Traffic Monitoring in VANET

Vehicular Ad hoc Networks (VANETs) facilitate vehicles to wirelessly com...

V2X Content Distribution Using Batched Network Code

Content distribution is one of the most popular applications in intellig...

Scalable Resilient Vehicle-Centric Certificate Revocation List Distribution in Vehicular Communication Systems

In spite of progress in securing Vehicular Communication (VC) systems, t...

Protecting Privacy in VANETs Using Mix Zones With Virtual Pseudonym Change

Vehicular ad hoc networks VANETs use pseudonyms to communicate among the...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

I Introduction

Nowadays, VANETs have become more and more widely used [1] in smart traffic. As a part of the intelligent transportation system, it can be integrated into IoT and play an important role to improve traffic conditions in smart city. The entities in VANETs can exchange information via Dedicated Short Range Communication (DSRC) or Transport Layer Security (TLS) protocols in three communication modes including Vehicle-to-Vehicle (V2V), Vehicle-to-Infrastructure (V2I) and hybrid mode.

Fig. 1: A Scene of VANETs

A typical architecture of VANETs, as shown in Fig. 1, consists of On-Board Units (OBUs), Roadside Units (RSUs) and trusted authorities (TAs). OBUs embedded with sensors can identify static information (size, weight, etc. ) and collect dynamic information of vehicles (speed, direction, etc.). In addition, as both sources and routers, OBUs are able to send, receive and forward all kinds of information in VANETs at any time. RSUs, a kind of infrastructures, are deployed at roadsides or crossroads. They can communicate with OBUs via wireless channel, as well as with other RSUs and TAs via wired channel. TAs are responsible for registering RSUs and OBUs, tracing vehicles involved in accidents and maintaining other services in VANETs. Aiming at the issue of the authentication of big data, there have been many batch authentication schemes specially designed for VANETs [2, 3, 4, 5, 6, 7, 8, 9, 10].

In 2003, the concept of aggregate signature was first introduced by D. Boneh et al. in [11]. By taking the advantages of certificateless public key cryptosystem (CLC), many certificateless aggregate signature schemes were proposed [12, 13]. An identity based aggregate signature scheme without pairing was then proposed for V2I communication [8]. In 1997, signcryption was first proposed by Y. Zheng in [14], which provided both public key encryption and digital signature in a single logic step. In 2010, Sun et al. proposed two heterogeneous signcryption schemes [15] that achieved mutual secure communication between PKI and IBC. It was the first work on heterogeneous cryptosystem. In 2009, the first aggregate signcryption was proposed by Selvi et al. in [16] that reduced computation overhead greatly. It allowed distinct signcryption cipertexts sent to the same recipient to be validated only once with the same security level. In recent years, many aggregate signcryptions have been raised [17, 18, 19, 20, 21]. However, the number of aggregate signcryption schemes is relatively small, in which some issues on security and efficiency still exist that remain to be solved. In 2015, Chandrasekhar et al. proposed an aggregate signcrytion scheme [22] based on a multi-trapdoor hash function [23].

In this paper, we mainly focus on two types of traffic data: unencrypted data and encrypted data. The unencrypted data is usually for vehicles to quickly obtain feedback from RSUs. The encrypted data is for the IoT data center to prevent opponents from eavesdropping or abusing these sensitive information. Unlike the first type of data, the second type of data often exists in the case of high traffic density. Therefore, based on an aggregate signcryption scheme with multi-trapdoor hash function, a secure data transmission scheme was proposed for V2I scenes. Our contributions are summarized as follows.

  1. Our scheme not only achieves batch verification of vehicles from OBUs to RSUs, but also accomplishes confidentiality and authentication in a single logic step.

  2. Based on multi-trapdoor hash functions, our scheme only involves scalar multiplications of fixed number without any bilinear pairing operations.

  3. The aggregate verification information could be validated without the plaintexts and the intended receiver. Therefore, it wouldn’t take extra computation on decryption, once the batch verification is invalid.

This paper is organized as follows. In section II, we briefly introduce some preliminaries. In section III, a traceable concurrent anonymous transmission scheme is constructed for VANETs. In section IV, we show the superiority of the proposed scheme by evaluating performance. Finally, the conclusion is given in section V.

Ii Preliminaries

Ii-a Multi-trapdoor hash functions

Let denote a set of parameters and (), denote , but the th pair is updated by a new one. The concept of multi-trapdoor hash function [22] is described as follows:

Assuming that there exist participants , each of them have their own key pair . is the public key (or hash key) for generating the multi-trapdoor hash value, and is the private key (or trapdoor key) that is kept securely to generate the multi-trapdoor hash function collision by its owner. Concretely, each takes a message , a random value and its public key as the input, then calculates a multi-trapdoor hash value as the output. In addition, with the corresponding trapdoor key , another chosen message and a random value , each can construct an ephemeral hash key such that . When all of the participates generate their collision parameters respectively, a multi-trapdoor hash collision value can be calculated, namely .

Ii-B Security Assumptions

Let be a set of points on an elliptic curve over a finite field . The security of the proposed scheme is dependent on the following security assumptions:

Definition 1. Elliptic Curve Discrete Logarithm Problem (ECDLP): Let be a point on an elliptic curve over a finite field. Given a random instance for any , it is difficult to compute .

Definition 2. Computational Diffie-Hellman Problem (CDHP): Let be a generator of . Given a random instance for any , it is difficult to compute .

Iii The Traceable Concurrent Data Anonymous Transmission Scheme for VANETs

Iii-a System Architecture

Fig. 2 shows the overview of the VANETs system architecture, including four entities: the OBUs equipped on the vehicles, the RSUs at the roadside, a trace authority (TRA) and a key management center (KMC).

The OBUs with constrained computing ability are responsible for transmitting the traffic-related data to the RSUs. The data should be signcrypted with the parameters stored in a tamper-proof device (TPD) that ensures the OBUs cannot be compromised. GPS equipped in OBUs can provide the precise localization. The RSUs with more computing power collect the sigcrypted traffic information from vehicles and unsigncrypt them in an aggregate manner. If the verification is valid, the RSUs will send feedback to vehicles and forward the traffic information to the traffic data center. The KMC is an honest but curious authority that is responsible for issuing certificates for the RSUs in PKI and generating partial private keys for vehicles in CLC. Different works [24, 25, 26, 27] have studied on the relevant security issues of key management. Furthermore, in order to achieve conditional anonymity in smart traffic, the TRA plays the role of a trusted authority who is in charge of generating the pseudo-ID and tracing malicious vehicles. Different from OBUs and RSUs that are online, the KMC and the TRA are offline in the registration stage and the trace stage respectively. According to the IEEE 802.11p standard, the OBUs and RSUs communicate with each other via a wireless communication protocol–DSRC, while the RSUs interact with the traffic data center via a wired protocol–TLS.

Iii-B Design Goals

To meet the security demands in VANETs, the proposed scheme can provide the following properties:

  • Confidentiality. Before sent to the nearby RSUs, the traffic information from OBUs should be encrypted to keep the opponents from eavesdropping and analyzing the further attacks. So, we deploy the aggregate signcryption scheme as the cryptographic essential for confidentiality.

  • Conditional anonymity. The identities of OBUs, such as the plate number, are often involved in the secure communication between OBUs and RSUs, which might lead to privacy issues. So it is necessary for OBUs to adopt the pseudo-IDs of participators instead of the real identities in the whole protocol.

  • Key escrow freeness. Our scheme adopts the certificateless technique to manage vehicles so that they can generate their own secret keys, avoiding key escrow problem.

  • Low computational overhead. In general, bilinear pairings are the most time-cost cryptographic operations in a security protocol. Based on an improved multi-trapdoor hash function, the proposed scheme achieves batch verification on the OBUs’ report without pairing operations, so the performance of the new scheme is improved greatly.

Fig. 2: A System Architecture for VANETs

Iii-C The Protocol

In this section, the traceable concurrent anonymous transmission scheme for heterogeneous VANETs will be introduced in detail. It consists of the following seven phases: system initialization, pseudo-ID generation, vehicle registration, RSU registration, RSU broadcast, traffic information uploading, batch verification and decryption. The detailed processes are described as follows.

Iii-C1 System Initialization

  • Both and choose a same elliptic curve over a finite field . Let be an additive group that consists of the points on , be a generator of , denote infinity, where .

  • randomly chooses as its master secret key and computes as the master public key.

  • randomly chooses as its secret key and computes as its public key.

  • Both and choose two one-way cryptographic hash functions: , , where denotes the bit length of the messages.

  • publishes the system parameter . Note that will be stored by and RSUs before their registration.

Iii-C2 Pseudo-ID Generation

  • randomly chooses and computes as one part of the pseudo-ID of .

  • sends to via a secure channel, where is the real identity of .

  • computes

    where is the period of validity of the pseudo-ID. Then it sends to via a secure channel, where is the other part of the pseudo-ID of .

  • sets as its pseudo-ID.

The scheme Cryptosystem Application Signcryption Verification Decryption
J. Kar [18] IBC Theory 1P+2M+3H 2H+4nM nP+nH
Ziba Eslami et al. [19] CLC Theory 1P+3M+2MH+1H (n+3)P+(n+1)MH nP+nM+nH
Y. Han et al. [20] PKI VANETs 3M+1MH+1H (n+1)P+nMH nM+nH
S. Basudan et al. [21] CLC VANETs 7M+3H (n+4)P+nM+(n+1)H 2nM+nH
Ours Heterogeneous VANETs 3M+3H 5M+(3n+1)H nM+nH
TABLE I: Complexity Comparison

Iii-C3 Vehicle registration

  • randomly chooses as its secret value and computes .

  • randomly chooses , computes as ’s partial public key, where , and computes as ’s partial private key. Finally, sends and to via a secure channel.

  • sets as its full private key, as its full public key.

Iii-C4 RSU registration

  • randomly chooses and computes its public key . Then, sends its identity and to via a secure channel.

  • generates a certificate for , where is a signature signed by ’s master secret key.

  • sends to via a secure channel.

Iii-C5 RSU broadcast

chooses a public random number and generates a digital signature with its private key , where denotes the timestamp. Then, constructs a packet and broadcasts it periodically.

Iii-C6 Traffic Information Uploading

  • When enters into the communication zone of , it firstly checks the broadcasted by . If illegal, it aborts. Otherwise, continues to verify if the signature in the broadcast packet is valid. If not, it aborts. Otherwise, extracts and from and goes to the next step.

  • Choose randomly and compute .

  • Collect traffic information and compute .

  • Compute the ephemeral trapdoor key
    , where denotes the timestamp.

  • Compute .

  • Send the signcrypted information

    to .

Iii-C7 Batch verification and decryption

On receiving signcrypted messages from , does as follows:

  • Compute , and for each .

  • Compute , , , where denotes the number of vehicles.

  • Compute the ephemeral hash key

  • Compute the multi-trapdoor hash function value

  • Compute the multi-trapdoor collision value

  • Check if the equation holds. If not, it aborts. Otherwise, it goes to the next step.

  • Calculate the message of .

Iii-D Correctness

We can validate the correctness of the proposed scheme through formula derivation below.

Iii-E Security analysis

In this section, we will discuss the security properties of the proposed scheme.

Iii-E1 Message authentication

In the signcrytion stage, only the vehicle with the corresponding trapdoor key can generate an ephemeral trapdoor key, so the adversary cannot forge a valid signcryption unless he can solve the ECDLP. Furthermore, if the adversary attempts to recover the plaintexts from an aggregate signcryption, he has to encounter the CDHP obviously. Hence, our scheme achieves confidentiality, authentication, integrity and non-repudiation simultaneously.

Iii-E2 Internal security

None of OBU can impersonate any other OBUs to forge signcrypted messages, while a RSU can decrypt the signcrypted messages that are sent to other RSUs. Furthermore, even the cannot forge a valid message of other entities in VANETs yet, since the certificateless cryptosystem is adopted in the registration stage. Hence, internal security is ensured in the proposed scheme.

Iii-E3 Conditional anonymity

Because the pseudo-ID is deployed for each , the adversary cannot obtain any information about the actual identity of without the secret key of that is used to generate the pseudo-ID during the data transmission process. If the adversary still attempts to reveal ’s real identity, it has to encounter the ECDLP that is assumed to be intractable.

Iii-E4 Traceability

When a dispute on happens, only can extract the information of the real identity of by calculating

which can make the traceability available.

Iii-E5 Unlinkability

We claim that a secure protocol possesses unlinkability when there is no adversary that can judge if two different messages are from the same vehicle. Obviously, the proposed scheme can cover distinct messages by diverse pseudo-IDs and the corresponding private keys, because vehicles will update pseudo-IDs over a period of time. Therefore, the adversary cannot link different messages at different times to a specific vehicle, so that our scheme achieves unlinkability to a certain extent.

Fig. 3: Time Consumption on Signcryption
Fig. 4: Time Consumption on Verification
Fig. 5: Time Consumption on Decryption
Fig. 6: Time Consumption on Unsigncryption

Iv Performance Evaluation

In this section, we compare the proposed scheme with other existing relevant schemes in terms of the computation overhead. Firstly, for theoretical analysis of computation complexity, let denote the pairing operation, denote the scalar multiplication operation in , denote the MapToPoint hash operation, denote the general hash operation. Note that other mathematical operations such as additive operations in are omitted here since their influence is tiny in the performance evaluation.

As shown in Table I, the proposed scheme does not involve any pairing operations in all stages and only has five scalar multiplication operations in the verification stage that are independent on the number of vehicles, so it achieves the least cryptographic complexity on the whole compared with the other four existing schemes, although the number of scalar multiplication operations in signcryption stage of ours is 2 more than that in Y. Han et al. [20].

In addition, in order to quantitatively analyze the computational efficiency of the proposed scheme, the simulation tests are performed over the type A elliptic curve in Java Pairing Based Cryptography 2.0.0 with an Intel G640 2.80 GHz processor. According to the results of the execution, the computational efficiency could be further analyzed. Fig. 3 demonstrates that the proposed scheme has a comparative advantage over other aggregate signcryption schemes on time-consumption in the signcryption stage. In Fig. 4, the growing trend of the computation overhead in our scheme is the lowest in contrast to other schemes in the verification stage, because only low-complexity hash operations are associated with the number of the vehicles in our scheme. Although, in Fig. 5, the time overhead on decryption is a little more than that in J. Kar [18], our scheme still achieves better performance than other schemes at the whole unsigncryption stage, as shown in Fig. 6.The results show that our scheme is much more practical in VANETs application scenarios.

V Conclusion

In this paper, based on an improved aggregate signcryption scheme with multi-trapdoor hash functions, a traceable concurrent anonymous transmission scheme for heterogeneous VANETs was constructed. The confidentiality, integrity, authentication and non-repudiation are all achieved in a single logic step due to the merits of the aggregate signcryption algorithm. A pseudonym authority guaranteed the conditional anonymity of vehicles. Because of CLC cryptosystem is involved in the registration of vehicles, the heavy burden of certificate management of the KMC center is lightened. Most of all, it greatly decreases the computational overhead in batch verification stage by deploying multi-trapdoor hash functions instead of bilinear pairings. The proposed scheme vastly improves the flexibility and practicability of VANETs.


This work is supported by the Key Program of NSFC-Tongyong Union Foundation under Grant U1636209, the 111 Project (B08038) and Collaborative Innovation Center of Information Sensing and Understanding at Xidian University.


  • [1] S. Zeadally, R. Hunt, Y. S. Chen, A. Irwin, and A. Hassan, “Vehicular ad hoc networks (vanets): status, results, and challenges,” Telecommunication Systems, vol. 50, no. 4, pp. 217–241, 2012.
  • [2] X. Du, Y. Xiao, M. Guizani, and H.-H. Chen, “An effective key management scheme for heterogeneous sensor networks,” Ad Hoc Networks, vol. 5, no. 1, pp. 24–34, 2007.
  • [3] C. Zhang, R. Lu, X. Lin, P. H. Ho, and X. Shen, “An efficient identity-based batch verification scheme for vehicular sensor networks,” in Proc. of IEEE INFOCOM’08, 2008, pp. 246–250.
  • [4] X. Du and H. H. Chen, “Security in wireless sensor networks,” IEEE Wireless Communications Magazine, vol. 15, no. 4, pp. 60–66, 2008.
  • [5] K. A. Shim, “CPAS: An efficient conditional privacy-preserving authentication scheme for vehicular sensor networks,” IEEE Transactions on Vehicular Technology, vol. 61, no. 4, pp. 1874–1883, 2012.
  • [6] S. J. Horng, S. F. Tzeng, P. H. Huang, X. Wang, T. Li, and M. K. Khan, “An efficient certificateless aggregate signature with conditional privacy-preserving for vehicular sensor networks,” Information Sciences, vol. 317, no. C, pp. 48–66, 2015.
  • [7] H. Zhang, Q. Zhang, and X. Du, “Toward vehicle-assisted cloud computing for smartphones,” IEEE Transactions on Vehicular Technology, vol. 64, no. 12, pp. 5610–5618, 2015.
  • [8] N. W. Lo and J. L. Tsai, “An efficient conditional privacy-preserving authentication scheme for vehicular sensor networks without pairings,” IEEE Transactions on Intelligent Transportation Systems, vol. 17, no. 5, pp. 1319–1328, 2016.
  • [9] S. Jiang, X. Zhu, and L. Wang, “An efficient anonymous batch authentication scheme based on hmac for vanets,” IEEE Transactions on Intelligent Transportation Systems, vol. 17, no. 8, pp. 2193–2204, 2016.
  • [10] L. Zhang, Q. Wu, J. Domingo-Ferrer, B. Qin, and C. Hu, “Distributed aggregate privacy-preserving authentication in vanets,” IEEE Transactions on Intelligent Transportation Systems, vol. 18, no. 3, pp. 516–526, 2017.
  • [11] D. Boneh, C. Gentry, B. Lynn, and H. Shacham, “Aggregate and verifiably encrypted signatures from bilinear maps,” in Proc. of Eurocrypt’03, 2003, pp. 416–432.
  • [12] H. Xiong, Z. Guan, Z. Chen, and F. Li, “An efficient certificateless aggregate signature with constant pairing computations,” Information Sciences, vol. 219, pp. 225–235, 2013.
  • [13] H. Nie, Y. Li, W. Chen, and Y. Ding, “Nclas: a novel and efficient certificateless aggregate signature scheme,” Security and Communication Networks, vol. 9, no. 16, pp. 3141–3151, 2016.
  • [14] Y. Zheng, “Digital signcryption or how to achieve cost (signature & encryption) <<cost (signature)+ cost (encryption),” in Proc. of Annual International Cryptology Conference, 1997, pp. 165–179.
  • [15] Y. Sun and H. Li, “Efficient signcryption between tpkc and idpkc and its multi-receiver construction,” Science China Information Sciences, vol. 53, no. 3, pp. 557–566, 2010.
  • [16] S. S. D. Selvi, S. S. Vivek, J. Shriram, S. Kalaivani, and C. P. Rangan, “Identity based aggregate signcryption schemes,” in Proc. of International Conference on Cryptology in India, 2009, pp. 378–397.
  • [17] F. S. Babamir and Z. Eslami, “Data security in unattended wireless sensor networks through aggregate signcryption,” KSII Transactions on Internet And Information Systems, vol. 6, no. 11, pp. 2940–2955, 2012.
  • [18] J. Kar, “Provably secure identity-based aggregate signcryption scheme in random oracles,” IACR Cryptology ePrint Archive, vol. 2013, p. 37, 2013.
  • [19] Z. Eslami and N. Pakniat, “Certificateless aggregate signcryption: Security model and a concrete construction secure in the random oracle model,” Journal of King Saud University - Computer and Information Sciences, vol. 26, no. 3, pp. 276–286, 2014.
  • [20] Y. Han, D. Fang, Z. Yue, and J. Zhang, “Schap: The aggregate signcryption based hybrid authentication protocol for vanet,” in Proc. of International Conference on Internet of Vehicles, 2014, pp. 218–226.
  • [21] S. Basudan, X. Lin, and K. Sankaranarayanan, “A privacy-preserving vehicular crowdsensing based road surface condition monitoring system using fog computing,” IEEE Internet of Things Journal, vol. 4, no. 3, pp. 772–782, 2017.
  • [22] S. Chandrasekhar and M. Singhal, “Efficient and scalable aggregate signcryption scheme based on multi-trapdoor hash functions,” in Proc. of 2015 IEEE Conference on Communications and Network Security (CNS), 2015, pp. 610–618.
  • [23] S. Chandrasekhar, “Multi-trapdoor hash functions and their applications in network security,” in Proc. of 2014 IEEE Conference on Communications and Network Security, 2014, pp. 463–471.
  • [24] X. Du, M. Guizani, Y. Xiao, and H. H. Chen, “A routing-driven elliptic curve cryptography based key management scheme for heterogeneous sensor networks,” International Journal of Computer Technology & Applications, vol. 8, no. 3, pp. 1223–1229, 2009.
  • [25] Y. Xiao, V. K. Rayi, B. Sun, X. Du, F. Hu, and M. Galloway, “A survey of key management schemes in wireless sensor networks,” Computer Communications, vol. 30, no. 11-12, pp. 2314–2341, 2007.
  • [26] X. Du and F. Lin, “Designing efficient routing protocol for heterogeneous sensor networks,” in Proc. of 24th IEEE International Performance, Computing, and Communications Conference, 2005, pp. 51–58.
  • [27] H. Zhang, S. Chen, X. Li, H. Ji, and X. Du, “Interference management for heterogeneous networks with spectral efficiency improvement,” IEEE Wireless Communications, vol. 22, no. 2, pp. 101–107, 2015.