Today, the Internet of Things (IoT) is widely used in various areas, including smart transportation, smart grid, smart health, etc. Internet of Vehicles (IoV) 
is one of the revolutions of IoT. It develops from Vehicular Ad hoc Networks (VANETs). VANETs cannot make intelligent decisions due to lacking the capacity of processing, analyzing, and evaluating global information collected from vehicles and infrastructures. In contrast to VANETs, IoV integrates vehicles, human, things, and networks as an intelligent unit via network technologies including deep learning, fog computing, cloud computing, etc.
Relevant scholars have proposed several reference models on IoV, such as three-level model, four-level model, and five-level model. The four-level model was proposed by CISCO in 2013, as shown in Fig. 1. It mainly consists of vehicles, roadside units (RSUs), personal devices, and sensors. Various communication scenes in IoV are summarized in Fig. 2: Vehicle-to-Vehicle (V2V), Vehicle-to-Roadside unit (V2R), Vehicle-to-Personal devices (V2P) and Vehicle-to-Sensors (V2S). This kind of hybrid communication model could provide more convenient and intelligent services in IoV. The real-time connection between vehicles and IoV networks makes services more reliable and secure.
As an emerging paradigm, mobile cloud computing (MCC) is a branch of cloud computing for mobile Internet. In , Gerla proposed a new computing model based on MCC for vehicles—mobile vehicular cloud computing. Vehicles and RSUs often have three kinds of resources including data storage, sensors and computing. The interconnection of these resources and Internet establishes a vehicular cloud to provide intelligent service. For instance, vehicles pick up emergency road situation, and upload it to the vehicle cloud server. Finally, the cloud server reminds the relevant vehicles to notice the breaking information. Vehicle could upload global and constant contents to the Internet. It will decreases the event processing delay. All operations are based on the cooperation of vehicular cloud, public cloud, private cloud, enterprise cloud, and big data analysis, which make IoV more intelligent.
Many previous works provide the technical basis for IoV [6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18]. However, IoV still faces many challenges[19, 20, 21, 22, 23]. Security threats and privacy issues have been more and more crucial in IoV. If an attacker impersonates a vehicle to send fake messages, it may affect traveling routes of other vehicles. By now, many researches on the security of IoV [24, 25, 26] have been presented. Besides security concern, privacy preservation is another crucial requirement. It should prevent attackers from obtaining user’s private and sensitive information, such as the user’s real identity and location. However, if any vehicle is compromised, the trusted authority should be able to track it from relevant information. So, anonymity in IoV should be conditional.
Because of combing the merits of certificateless cryptosystem and short signature, certificateless short signature is suitable for recourse-constrained IoV scenario. In 2007, Huang et al. proposed the first certificateless short signature scheme and the security model . In 2013, He et al.  proposed an efficient scheme with better performance than the previous schemes.
In this paper, we mainly focus on the privacy preserving secure access issue in IoV. Considering the aforementioned conflicts and challenges, we propose an efficient anonymous authentication scheme for IoV. The main contributions of this paper are summarized as follows:
The proposed scheme provides conditional anonymous mutual authentication and privacy preservation.
A concept of regional management for roadside units is introduced. RSUs in the same region can work together to complete the verification of vehicles.
Compared with the previous schemes, our scheme is more efficient in terms of computational overhead.
The rest of this paper is organized as follows. In Section II, IoV scenario model and some preliminaries are introduced. Then, a certificateless short signature (CLSS) is proposed. In Section IV, an anonymous authentication scheme for IoV is proposed based on CLSS. The security analysis and performance evaluation are given in Section V. Finally, Section VI concludes this paper.
In this section, we introduce the IoV scenario model, security model, and design objectives.
Ii-a Scenario Model
A typical scenario model for IoV is illustrated in Fig. 3. It mainly consists of TCC, TBA, vehicles, and RSU.
TCC (Transportation Control Center): TCC is in charge of initializing systems, enrolling all entities in IoV, collecting data from RSU, tracking malicious vehicles, and maintaining revocation list.
TBA (Trace Back Authority): TBA is responsible for receiving relevant information of dishonest vehicle, confirming malicious behavior and implementing corresponding punishment.
Vehicles: Each vehicle in IoV is equipped with an OBU that can periodically send relevant road safety information to other vehicles and RSUs through wireless channels. In addition, it can receive and report the other OBUs’ messages in a multi-hop way.
RSU (Road-Side Unit): RSUs are the fixed road infrastructures deployed on road-side. RSUs generally communicate with TCC through wired channel. They are responsible for collecting, uploading and distributing real-time traffic information. Because RSUs can manage messages in their ranges, so they can act as gateways and provide wireless services for OBUs.
Ii-B Security Model
In general, a CLSS contains six parts: Setup, Partial-Private-Key-Extract, Set-Secret-Value, Set-Public-Key, Signing, and Verification. We assume that there are two types of opponents to try to attack CLSS based on the ability of the master key: can replace any user’s public key without the master key; can obtain the master key, but is unable to replace any user’s public key. It will be proved that our scheme is existentially unforgeable against adaptive chosen message and ID attacks for two adversaries in random oracle model.
To prove the security of CLSS, we assume the following hard problems:
Definition 1. The k-bilinear Diffie-Hellman inversion (k-BDHI) Problem: Given two groups and , and a generator P of , a (n+1)-tuple , compute .
Definition 2. The k-Collision Attack Algorithm (k-CAA) Problem: Given a fixed and known integer , and a (2k+2)-tuple , output a pair (A,c) such that .
Ii-C Design Objectives
The design objectives of our scheme are described as follows:
Anonymous authentication: Anonymous authentication is an efficient approach to protect vehicle’s privacy. The proposed scheme should be able to verify if the traffic information is released by legitimate vehicles. Furthermore, it should prevent attackers from obtaining vehicle’s actual identity.
Conditional Privacy Preservation: If vehicles follow the scheme honestly, their privacy should be protected very well. On the contrary, if dishonest vehicles deliberately release fake messages, TCC should be able to disclose their real identities.
Non-reputation: OBUs and RSUs cannot deny that they have distributed the relevant traffic information.
Iii An improved Certificateless Short Signature
In this section, we propose an improved CLSS as an essential cryptographic primitive for our anonymous authentication in IoV.
Iii-a System Setup
Key generation centre (KGC) first initializes the whole system as follows:
KGC takes the security parameter as input, and outputs cyclic additive group and multiplicative group with same order q, and a bilinear map ;
KGC selects a generator , a random system master key , and computes the system public key , where ;
KGC chooses three one-way hash functions , , .
Next, KGC publishes as the system parameters and keeps system master key in secret.
A signer chooses a random number as its secret value, and computes as its partial public key.
KGC chooses a random , and computes , mod , , where , . Then, it sends to the signer via a secure channel.
The signer can verify via the following equation:
The signer sets as its private key.
The signer sets as its public key.
The signer signs a message using its private key as follows:
Compute as the signature on ;
Send to the verifier.
On receiving the signer’s identity , public key , message , and the corresponding signature , the verifier does the following steps:
Compute , ;
Verify the equation . If it holds, the signer is authenticated; otherwise, the verification fails.
The correctness of the scheme is proved as follows:
Iii-H Security Analysis of CLSS
The proposed CLSS scheme is secure under adaptively chosen-message and ID attacks in random oracle model. The security of the CLSS scheme relies on k-BDHI and k-CAA. The security proof of our scheme is similar to the scheme [29, 30]. Due to the page limitation, we omit the full proof and will give the detailed security analysis in the future work.
Iv Anonymous authentication scheme for IoV
Based on the proposed CLSS, we design an anonymous authentication scheme for IoV.
Iv-a System Initialization
Given the security parameter , TCC generates the system public key and private key according to the method in Section III. Then, it chooses five one-way hash functions , , , , . Next, TCC chooses an encryption algorithm based on elliptic curve cryptography (ECC) and a message authentication code function . At the same time, TCC maintains and updates two lists: one is the legitimate user list , and the other is revocation list of illegal users .
TCC publishes as the system parameters.
RSUs and OBUs submit their registration requests to TCC respectively. Each OBU or RSU in IoV has its own identity that is unique and is stored into the tamper-proof device of it.
Iv-B1 OBU Registration
An OBU chooses a random , computes its partial public key , and then sends the registration request message to TCC. Then, TCC chooses a random , and computes , mod , , in which , . Finally, TCC sends to the OBU via a secure channel.
The OBU sets as its private key and keeps it in secret. Then, it uses its private key to compute partial public key , and sets as its public key.
Verification on : OBU verifies by . If the equation holds, the OBU accepts as its partial private key; otherwise, the OBU rejects the partial private key and aborts.
After completing the registration of the OBU, TCC adds relevant information to .
Iv-B2 RSU Registration
On receiving the registration request from a RSU, TCC computes , , and sends to RSU via a secure channel.
Verification on : RSU verifies by . If the equation holds, RSU accepts . Then RSU applies to TCC for revocation list .
Iv-C Report Uploading
This process can be divided into two phases: pseudonym generation and report signing.
Iv-C1 Pseudonym Generation
In this part, we introduce a concept of regional management for RSUs. RSUs in the same area are equipped with the same public/private key pairs. TCC periodically generates public/private key pairs, and issues them to RSUs within its range via a wireless secure channel.
When a vehicle enters a new area, it will receive the broadcasted public key from a RSU. If the vehicle wants to enjoy the service provided by this RSU, it needs to send a access report to the RSU. Then, it utilizes the public key to generate a pseudonym from user’s each report .
Iv-C2 Report Signing
OBU performs the following steps to complete report signing:
Obtain a current time stamp ;
Choose a random , compute , , and broadcast and to the other entities within its range;
Compute the following equations:
(1) (2) (3) (4)
The signature on report is calculated as follows:
Send the service request message to RSU.
Iv-D Mutual Authentication
The RSU can verify the OBU’s identity and report . Similarly, OBU uses the message authentication code function with the shared session key to authenticate RSU.
Iv-D1 RSU Verifies OBU
On receiving the service request from OBU, RSU first checks the validity of the time stamp . Then, it authenticates OBU as follows:
Compute , ;
Verify the signature via the equation .
Iv-D2 OBU Verifies RSU
In contrast, OBU also needs to authenticate RSU.
RSU uses its private key to decrypt OBU’s pseudonym: . Next, it extracts OBU’s identity . Then, RSU retrieves in . If contains , the authentication and service are terminated. After obtaining OBU’s real identity, RSU computes , , , and sends the message authentication code to OBU;
Upon receiving from RSU, OBU computes , , , and checks if is equal to the received . If both values are equivalent, RSU is authenticated.
Iv-E Vehicle Tracking
If a vehicle broadcasts the false message, the prosecutor will send the vehicle’s service request message to TBA. TBA first confirms whether the vehicle is malicious. If the vehicle has malicious behavior, TBA sends the request message and relevant evidence to TCC. Then, TCC can reveal real OBU’s identity as follows:
TCC finds the corresponding RSU that provides service for the dishonest vehicle according to the vehicle location information provided by TBA.
TCC obtains the exact time of the dispute by checking the time stamp in the service request message .
TCC finds the public/private key pair that the dispute used. Then, it computes .
RSU extracts the OBU’s identity from .
TCC adds the dishonest vehicle identity into the revocation list , and updates it.
TCC sends the malicious vehicle’s identity to TBA via a secure channel. Then, TBA records the dishonest vehicle’s behavior and implements corresponding punishment.
V Security Analysis and Performance Evaluation
V-a Security Analysis
In this section, we analyze the security properties of the anonymous authentication scheme in the following respects.
V-A1 OBU Anonymity
In our scheme, the OBU’s real identity is converted into the pseudonym that is not managed by any third party. The report makes each OBU’s pseudonym one-time, so adversaries cannot distinguish if two different pseudonyms come from a same vehicle. Moreover, it is intractable for adversaries to reveal OBU’s actual identity without RSU’s private key . Furthermore, the public key of a vehicle would be different after multiplied by a random , so none of the public keys can be linked to the same vehicle.
In the proposed scheme, any third party cannot obtain OBU’s real identity, so our scheme realizes the anonymity of the OBU.
OBU cannot deny the behavior of submitting some messages, because the service request message includes OBU’s pseudonym . RSU can discover OBU actual identity by computing with its private key. Therefore, non-repudiation property is satisfied.
V-A3 The Security of Session Key
In our scheme, the session key is a hash value that combines OBU’s real identity with RSU’s identity. The security of the session key depends on the security of OBU’s identity. According to the aforementioned analysis, we find that OBU’s real identity is secure. Therefore, the proposed scheme can guarantee that no third party can obtain the session key.
V-A4 Mutual Authentication
RSU can authenticate OBU by verifying the CLSS signature of OBU. In our scheme, only OBU and RSU know OBU’s real identity , so the session key is only shared between OBU and RSU. OBU can verify RSU by checking if the computed is equal to the received . Therefore, mutual authentication between the OBU and RSU is achieved.
V-A5 Resistant to Replay Attacks
In our scheme, current time stamp ensures the freshness of reports. On receiving the OBU’s service request message , RSU first checks if the time stamp is expired. If it is, RSU rejects to accept the OBU’s request. Thus, our scheme can resist replay attacks.
V-B Performance Evaluation
Due to lack of completely similar schemes for comparing, we briefly test the essential cryptographic operations instead of the whole scheme, which will not distort the results if performance evaluation. We compare our scheme with four existing schemes [32, 31, 28, 33] via experimental simulation. The simulation environment is Linux Ubuntu 16.04 LTS on an Intel Atom N450 GHz processor. We list the running time of the basic cryptographic operations in Table I. Table II shows the comparisons on computation overhead among different schemes. Let M denote multiplication in , H denote the Map-To-Point operation, PP denote the bilinear pairing in , and E denote the exponentiation in .
In the signing phase, our scheme only requires two scalar multiplications in . In the phase of verification, it requires one pairing operation and three scalar multiplications. Fig. 4 shows the time consumption on signing, verification and total time of these schemes. Our scheme takes the least time overhead. Fig. 5 shows the trend of the time consumption on verification with the increase of the number of vehicles. When a large number of vehicles enter the RSU’s range, our scheme can provides quicker verification compared to the other schemes.
Based on test experience, in general, the energy overhead on communication is only about one-thousandth or less of that on computation, so the communication overhead is ignored in the assessment process. Therefore, as a whole, our scheme achieves better performance than the other selected schemes. It is more suitable for IoV scenarios.
In this paper, we proposed an anonymous mutual authentication scheme based on a certificateless short signature for the vehicles and RSUs in IoV. The scheme is existentially unforgeable under adaptive chosen message attack in random oracle model. The security analysis shows that the proposed mutual authentication scheme can simultaneously achieve privacy preservation and traceability of vehicles, that is conditional anonymity. Moreover, compared to the existing schemes, our scheme has lower computation overhead and achieves higher efficiency. So it is an efficient conditional anonymous authentication solution for IoV scenes.
This work is supported by Natural Science Basic Research Plan in Shaanxi Province of China (No. 2016JM6057), the 111 Project (B08038) and Collaborative Innovation Center of Information Sensing and Understanding at Xidian University.
-  M. Gerla, E. K. Lee, G. Pau, and U. Lee, “Internet of Vehicles: From intelligent grid to autonomous cars and vehicular clouds,” in Proc. of IEEE World Forum on Internet of Things (WF-IoT), 2014, pp. 241–246.
-  N. Liu, “Internet of Vehicles: Your next connection,” Huawei WinWin, vol. 11, pp. 23–28, 2011.
-  F. Bonomi et al., “The smart and connected vehicle and the Internet of Things,” in Proc. of Workshop on Synchronization in Telecommunication Systems (WSTS), 2013.
-  O. Kaiwartya, A. H. Abdullah, Y. Cao, A. Altameem, M. Prasad, C. T. Lin, and X. Liu, “Internet of Vehicles: Motivation, layered architecture, network model, challenges, and future aspects,” IEEE Access, vol. 4, pp. 5356–5373, 2016.
-  M. Gerla, “Vehicular cloud computing,” in Proc. of the 11th Annual Mediterranean Ad Hoc Networking Workshop (Med-Hoc-Net), 2012, pp. 152–155.
-  X. Du and F. Lin, “Maintaining differentiated coverage in heterogeneous sensor networks,” EURASIP Journal on Wireless Communications and Networking, vol. 5, no. 4, pp. 565–572, 2005.
-  Z. Su, Q. Qi, Q. Xu, S. Guo, and X. Wang, “Incentive scheme for cyber physical social systems based on user behaviors,” IEEE Transactions on Emerging Topics in Computing, 2017.
-  X. Du, Y. Xiao, H. H. Chen, and Q. Wu, “Secure cell relay routing protocol for sensor networks,” Wireless Communications and Mobile Computing, vol. 6, no. 3, pp. 375–391, 2006.
-  Y. Xiao, V. K. Rayi, B. Sun, X. Du, F. Hu, and M. Galloway, “A survey of key management schemes in wireless sensor networks,” Computer communications, vol. 30, no. 11-12, pp. 2314–2341, 2007.
-  Y. Hui, Z. Su, and S. Guo, “Utility based data computing scheme to provide sensing service in internet of things,” IEEE Transactions on Emerging Topics in Computing, 2017.
-  X. Du, Y. Xiao, M. Guizani, and H. H. Chen, “An effective key management scheme for heterogeneous sensor networks,” Ad Hoc Networks, vol. 5, no. 1, pp. 24–34, 2007.
-  X. Huang, J. K. Liu, S. Tang, Y. Xiang, K. Liang, L. Xu, and J. Zhou, “Cost-effective authentic and anonymous data sharing with forward security,” IEEE Transactions on computers, vol. 64, no. 4, pp. 971–983, 2015.
-  Y. Xiao, X. Du, J. Zhang, F. Hu, and S. Guizani, “Internet protocol television (iptv): the killer application for the next-generation internet,” IEEE Communications Magazine, vol. 45, no. 11, pp. 126–134, 2007.
-  X. Du, M. Guizani, Y. Xiao, and H. H. Chen, “Secure and efficient time synchronization in heterogeneous sensor networks,” IEEE transactions on vehicular technology, vol. 57, no. 4, pp. 2387–2394, 2008.
-  F. Hu, X. Cao, and C. May, “Optimized scheduling for data aggregation in wireless sensor networks,” in Proc. of International Conference on Information Technology: Coding and Computing, 2005, pp. 557–561.
-  X. Du and H. H. Chen, “Security in wireless sensor networks,” IEEE Wireless Communications, vol. 15, no. 4, pp. 60–66, 2008.
-  J. Zhang, X. Chen, Y. Xiang, W. Zhou, and J. Wu, “Robust network traffic classification,” IEEE/ACM Transactions on Networking, vol. 23, no. 4, pp. 1257–1270, 2015.
-  X. Du, M. Guizani, Y. Xiao, and H. H. Chen, “A routing-driven elliptic curve cryptography based key management scheme for heterogeneous sensor networks,” IEEE Transactions on Wireless Communications, vol. 8, no. 3, pp. 1223–1229, 2009.
-  Y. Wang, S. Wen, Y. Xiang, and W. Zhou, “Modeling the propagation of worms in networks: A survey,” IEEE Communications Surveys & Tutorials, vol. 16, no. 2, pp. 942–960, 2014.
-  S. Yu, G. Gu, A. Barnawi, S. Guo, and I. Stojmenovic, “Malware propagation in large-scale networks,” IEEE Transactions on Knowledge and Data Engineering, vol. 27, no. 1, pp. 170–179, 2015.
-  S. Yu, G. Wang, and W. Zhou, “Modeling malicious activities in cyber space,” IEEE network, vol. 29, no. 6, pp. 83–87, 2015.
-  S. Yu, S. Guo, and I. Stojmenovic, “Fool me if you can: Mimicking attacks and anti-attacks in cyberspace,” IEEE Transactions on Computers, vol. 64, no. 1, pp. 139–151, 2015.
K. Manandhar, X. Cao, F. Hu, and Y. Liu, “Detection of faults and attacks including false data injection attack in smart grid using kalman filter,”IEEE transactions on control of network systems, vol. 1, no. 4, pp. 370–379, 2014.
-  J. Liu, S. Zhang, W. Sun, and Y. Shi, “In-vehicle network attacks and countermeasures: Challenges and future directions,” IEEE Network, vol. 31, no. 5, pp. 50–58, 2017.
-  W. Sun, J. Liu, and H. Zhang, “When smart wearables meet intelligent vehicles: challenges and future directions,” IEEE wireless communications, vol. 24, no. 3, pp. 58–65, 2017.
-  D. B. Rawat, M. Garuba, L. Chen, and Q. Yang, “On the security of information dissemination in the Internet-of-Vehicles,” Tsinghua Science and Technology, vol. 22, no. 4, pp. 437–445, 2017.
-  X. Huang, Y. Mu, W. Susilo, D. Wong, and W. Wu, “Certificateless signature revisited,” in Proc. of Information Security and Privacy. Springer, 2007, pp. 308–322.
-  D. He, B. Huang, and J. Chen, “New certificateless short signature scheme,” IET Information Security, vol. 7, no. 2, pp. 113–117, 2013.
-  R. Tso, C. Gu, T. Okamoto, and E. Okamoto, “Efficient ID-based digital signatures with message recovery,” Cryptology and Network Security, pp. 47–59, 2007.
-  S. Cui, P. Duan, C. W. Chan, and X. Cheng, “An efficient identity-based signature scheme and its applications.” International Journal of Network Security, vol. 5, no. 1, pp. 89–98, 2007.
-  Y. H. Hung, Y. M. Tseng, and S. S. Huang, “A revocable certificateless short signature scheme and its authentication application,” Informatica, vol. 27, no. 3, pp. 549–572, 2016.
-  R. Tso, X. Huang, and W. Susilo, “Strongly secure certificateless short signatures,” Journal of Systems and Software, vol. 85, no. 6, pp. 1409–1417, 2012.
-  Y. C. Chen, G. Horng, and C. L. Liu, “Strong non-repudiation based on certificateless short signatures,” IET Information Security, vol. 7, no. 3, pp. 253–263, 2013.