Provably Secure with Efficient Data Sharing Scheme for Fifth-Generation (5G)-Enabled Vehicular Networks without Road-Side Unit (RSU)

Abstract

The vehicles in the fifth-generation (5G)-enabled vehicular networks exchange the data about road conditions, since the message transmission rate and the downloading service rate have been considerably brighter. The data shared by vehicles are vulnerable to privacy and security issues. Notably, the existing schemes require expensive components, namely a road-side unit (RSU), to authenticate the messages for the joining process. To cope with these issues, this paper proposes a provably secure efficient data-sharing scheme without RSU for 5G-enabled vehicular networks. Our work included six phases, namely: TA initialization (TASetup) phase, pseudonym-identity generation (PIDGen) phase, key generation (KeyGen) phase, message signing (MsgSign) phase, single verification (SigVerify) phase, and batch signatures verification (BSigVerify) phase. The vehicle in our work has the ability to verify multiple signatures simultaneously. Our work not only achieves privacy and security requirements but also withstands various security attacks on the vehicular network. Ultimately, our work also evaluates favourable performance compared to other existing schemes with regards to costs of communication and computation.

1. Introduction

With the continuous increasing demand for fifth-generation (5G) technology, research on the management of vehicle-to-everything (V2X) communication has emerged. Unlike the conventional vehicular networks, the V2X communication provides networks, things, users, and vehicles with reliable connectivity, manageable, operable, controllable, and high-quality [1,2,3,4].

The characteristics of 5G-enabled vehicular networks have a wide high bandwidth and coverage area. Based on data shared by 5G wireless, during peak periods, the data transmission rate can approach 20 Gb/s, while the average data transfer rate is over 100 Mb/s [5,6,7,8]. The capacity of the supported network is 1000 times that of conventional networks, and it can give a more steady connection [9,10,11].

Each vehicle in V2X communication is usually fitted with several expensive sensors, such as cameras of high-resolution, radars of microwave, and lidars of multi-beam, to get comprehensive and reliable data within urban or highway areas [12,13,14,15,16,17]. Moreover, each vehicle has installed wireless devices, namely onboard units (OBUs), to share large amounts of traffic-related information with others and connect technologies of heterogeneous wireless access during the outside world [18,19,20].

There are mainly two categories of data shared by vehicles in V2X communication [21,22]. One is calamities noticed by users, such as nearby hotel ratings and parking lot occupancy. The other is that information is collected by sensors when the vehicle crosses the road environment, such as conditions of the poor road, congestion of traffic, and extreme weather. With these data shared, vehicles offer the driver and passenger a comfortable driving experience, satisfactory transport access, and a safe driving environment.

Given the fact the 5G-enabled vehicular network exploits wireless channels, the data shared by vehicles have security and privacy vulnerabilities [23]. The third-party has the ability to change, delete, and alter the data shared by the vehicle to cause damage to the road environment. Meanwhile, when an attacker exposes any personal data of the user (e.g., location or identity), it will cause criminal charges. Therefore, several scholars have focused on achieving security and privacy requirements for vehicular networks by proposing sophisticated data-sharing schemes.

Nevertheless, these schemes require expensive components called road-side units (RSUs) to cooperate in the mutual authentication phase, which raises the latency of the vehicular networks. Besides, studies [11,24] have proven that a compromised RSU causes leakage of secret information preserved in the RSU.

Hence, the main motivation of this paper is to reduce the massive overhead of performance system in terms of communication and computation costs by proposing a lightweight operations instead of bilinear pair and map-to-point function operations. Our proposed solution does not use RSU to authenticate the vehicle during mutual authentication process. Our proposed solution applies the 5G technology to the fast exchange of messages among vehicles. This work is carried out in our simulation experiments with regards to network simulator (OMNeT++) and traffic simulator (SUMO) to analyze the results. The major contributions of our work can be listed as follows:

• We retrospectively analyze the taxonomy of existing schemes for vehicular networks. Furthermore, some security vulnerabilities of these schemes are highlighted. Then, we present the vehicular network architecture with regard to the system model and security goals.
• We propose a provably secure with an efficient data-sharing scheme for 5G-enabled vehicular networks. To improve efficiency further, our work does not use an expansive component called RSU for the authentication process.
• We implement simulation experiments over a simulation platform (traffic generation simulator and network generation simulator), displaying that the performance efficiency of our work in terms of computation and communication costs has been enhanced compared with the existing works.

The remainder of our work is organized as follows: Section 2 reviews the taxonomy of the existing schemes. Section 3 introduces vehicular network architecture. The six algorithms of the proposed scheme are provided in Section 4. The security analysis and performance comparison of our work are presented in Section 5 and Section 6, respectively. Section 7 shows the conclusions of our work.

2. Related Work

In this section, we retrospectively analyze some related work focusing on data-sharing among vehicles for vehicular networks. The taxonomy of existing schemes is as below. Additionally, we provide a critical analysis of the related work as well.

2.1. Massive Certificate-Based (MCB) Schemes

The fundamental concept of Massive Certificate-Based (MCB) schemes is that TA is responsible for issuing and preloading massive numbers of certificates (roughly 44,000) and their relevant pair-keys (private and public) to participating vehicles. These certificates are assigned based on level of the anonymity to archive security and privacy for vehicular networks.

Several scholars [25,26,27,28,29,30,31,32,33] have proposed MCB schemes for vehicular networks. However, there are three main drawbacks of the MCB schemes: (i) massive certificate arrangement burden for TA owing to the huge pool of anonymous certificates and the relevant pair-keys are needed; (ii) storage arrangement burden owing to limit vehicle storage, and (iii) massive computation and communication overheads owing to the need to verify certification in the investigation methods.

2.2. Group Signature-Based (GSB) Schemes

Chaum and van Heyst [34] first proposed the fundamental concept of group signatures in 1991. The group members are permitted to sign information anonymously on behalf of all members.

Several scholars [35,36,37,38,39] have proposed GSB schemes to overcome the drawbacks arising MCB schemes in a vehicular network. However, there are two main drawbacks of the GSB schemes: (i) the massive size of the Certification revocation list (CRL) owing to the number of blocked vehicle’s number is growing; and (ii) massive overheads of communication and computation owing to the two pairing-based operations that are needed.

2.3. Pseudonym Identity-Based (PIB) Schemes

To overcome the limitations concerning the two above (MCB and GSB) schemes, several scholars proposed Pseudonym Identity-Based (PIB) schemes to provide high-level security in vehicular networks.

In 2015, He et al. [40] first used elliptic curve cryptography rather than pairing-based cryptography to provide efficient performance and secure communications. In the scheme presented by He et al. [40], the private key of the system is saved on each vehicle. Nevertheless, if the vehicle is compromised by an adversary, the whole system is insecure. In 2017, Zhang et al. [41] designed a mutual authentication and preservation scheme to achieve distributed aggregate for the vehicular network. In the scheme designed by Zhang et al. [41], RSU is accountable for producing secret shares for vehicles within its communication area. In the same year, Azees et al. [42] designed an anonymous authentication by helping RSU to secure communication in vehicular networks. In 2018, Pournaghi et al. [43] combined the TPD of RSU and TPD of vehicles to achieve high-level security. In their scheme, the TA is saved with two private keys on the TPD of RSU. Therefore, RSU is responsible for temporarily computing the specific timestamp and generating the signature key of the vehicle. In 2019, Alazzawi et al. [44] designed a pseudonym-based system to achieve a robust integrity scheme. The scheme proposed by Alazzawi et al. [44] has not achieved likability requirements, since only one pseudonym identity is used within all travailing. Furthermore, the system’s secret key is saved on the RSU without using the TPD, which makes it an easy task for the attacker to disclose the key. In the same year, Bayat et al. [45] designed a pseudonym-based to design a RSU-based authentication scheme. RSU is responsible for preloading a pool of signature keys and pseudonym-IDs to each vehicle.

Ali and Li [46] proposed an authentication data-sharing scheme by using RSU to authenticate a large number of messages for vehicle-to-infrastructure (V2I) communication. This scheme replaced map-to-point hash functions by general one-way hash functions to sign message and verify signature. Nevertheless, this scheme uses bilinear pair operations, which are considered time-consuming and complicated.

Al-Shareeda et al. [47] designed a data-sharing scheme by using bilinear pair cryptography and cryptographic hash function. This scheme applies RSU to generate a signature key for the corresponding pseudonym-ID for authentic vehicles. This scheme is vulnerable to a massive overhead of performance costs as it uses complicated operations and is time-consuming.

Alshudukhi et al. [48] applied elliptic curve cryptography to propose an authentication data-sharing scheme for vehicular network. The TA in this scheme saves the system’s private key to each RSU. Once a vehicle wants to join the system, RSU computes and preloads security parameters to vehicles. However, since this scheme uses a large number of multiplication point operations based on ECC, the performance costs is challenged.

Ali et al. [49] constructed a hybrid signcryption based on and public key infrastructure and certificateless cryptosystem to provide security criteria in a single logical phase. This scheme uses bilinear pair operations to sign messages and verify signatures, which causes a massive overhead of performance system.

2.4. Critical Analysis

The summation of related work is as follows. The majority of existing schemes are based on three classes of approaches: (i) Massive certificate-based (MCB) schemes, (ii) Group signature-based (GSB) schemes, and (iii) Pseudonym identity-based (PIB) schemes. The first two approaches required high overhead costs to sign messages and verify signatures, which is not suitable for deployment in vehicular networks. In contracts, the third approach is called pseudonym identity-based (PIB) schemes, proposed by the researcher to address the overhead costs of the system. Our work is based on the third approach to address the existing scheme based on PIB schemes by applying 5G technology and avoiding using RSU.

Since the existing PIB schemes apply RSU to participate authentication process, if they make assumptions that no other things can discover the secrets in a TPD of a vehicle, if a vehicle is corrupted in one RSU, the third party can calculate the RSU’s master key.

3. Vehicular Network Architecture

This section presents the vehicular network architecture with regard to the system model and security goals in our work for 5G-enabled vehicular networks.

3.1. System Model

As presented in Figure 1, the three main entities are called: trusted authority (TA), 5G-base station (5G-BS), and onboard unit (OBU) for 5G-enabled vehicular networks. The main work of these entities is explained in the following steps.

• Trusted Authority (TA): TA is trustworthy by all entities in the 5G-enabled vehicular networks and has sufficient resources with regards to storage, communication, and computation. The TA is also in charge of generating the initial parameters of the network and registering the vehicles.
• 5G-base Station (5G-BS): is a radio receiver and has sufficient fast-moving and broad-spectrum in 5g-enabled vehicular networks. The main task of 5G-BS is to connect vehicles and TA. The 5G-BS does not save or compute the data regarding vehicular networks.
• Onboard Unit (OBU): Each enrolled vehicle has one onboard unit (OBU) for sending and receiving information about the surrounding environment. Each OBU has TPD to preserve sensitive data and do computation processes for cryptographic operations. OBU is a considered as a terminal node in networks which enjoys all types of services for 5G technology. Therefore, this work adds a security algorithm in a secure processing service (SPS) layer in each node for the simulation, as shown in Figure 2. The main reason behind using the SPS layer is to implement an authentication process that is higher than the MAC and physical layer.

Device-to-Device (D2D) Communication

The D2D wireless network in 5G technology is determined as direct communication among vehicles (terminal nodes) without passing via infrastructure node. In a traditional network, all data must go through the infrastructure node called the base station, even if it is inside the range of D2D communication. As a result, D2D communication can considerably increase the network’s spectral efficiency in this instance.

3.2. Security Goals

In this section, the security requirements should be achieved in our work.

• Authentication and Integrity: To make sure that the message transmitted has been carried out by a registered vehicle. Besides, the message has not been tampered with.
• Privacy Preserving: The original identity of the message broadcasting vehicle must be protected and the message should not disclose the identity to other units so that an attacker cannot utilize their identity for themselves.
• Traceability: When issuing a forged message, the vehicle has the traceable to its signer and that power must lie with the TA.
• Replaying Resistance: Our work should be capable of resisting replay attackers to avoid repeating the message sent by the registered vehicle.

4. Proposed Scheme

To address limitations in the existing schemes, this paper proposes a provably secure efficient data-sharing scheme for 5G-enabled vehicular networks. Our work has six phases, namely: TA initialization (TASetup) phase, pseudonym-ID generation (PIDGen) phase and key generation (KeyGen) phase, message signing (MsgSign) phase, single verification (SigVerify) phase, and batch signatures verification (BSigVerify) phase.

Our work is based on the scheme proposed by [50]. However, unlike the scheme proposed by [50], the proposed scheme uses 5G-BS to provide high-efficiency data-sharing among vehicles. This paper carried out the simulation experiments with regard to network simulators and traffic simulators (SUMO) to analyze the results of these phases. Furthermore, the proposed scheme does not need an expensive component (RSU) to authenticate the messages. Vehicles in our work can renew the security groups by sending a request to TA through 5G-BS wirelessly, which avoids repeat parameters used. The proposed scheme should be divided into the following phases:

• TASetup: The TA executes TASetup phase to obtain security parameter $\eta$. The network parameters $\mathsf{Y}$ and the private (secret) keys $\alpha$ and $\beta$ are returned on this algorithm. The system parameters $\mathsf{Y}$ are considered as an implicit input to all methods explained below.
• PIDGen and KeyGen: The TA executes the PIDGen and KeyGen algorithms to return the pseudonym-ID $PI{D}_i$ and the signature key $S{K}_i$, respectively.
• MsgSign: The registered vehicle $V_i$ executes MsgSign algorithm. The safety-related message $M_i$ for a pseudonym-ID $PI{D}_i$ is taken as input for returning the signature ${\delta }_i$.
• SigVerify: The verifying vehicle $V_j$ executes SigVerify algorithm. Once receiving a signature ${\delta }_i$ on a safety-related message $M_i$ for a pseudonym-ID $PI{D}_i$ from a vehicle $V_i$, if the signature ${\delta }_i$ is legitimate, it results true; otherwise, it outputs false.
• BSigVerify: The verifying vehicle $V_j$ executes SigVerify algorithm. Once receiving a batch of n signature (${\delta }_1,{\delta }_2,\dots .{\delta }_n$) on n safety-related messages ($M_1,M_2,\dots .,M_n$) for n pseudonym-IDs ($PI{D}_1,PI{D}_2,\dots .,PI{D}_n$) from n vehicles ($V_1,V_2,\dots ,V_n$) simultaneously, if the signatures (${\delta }_1,{\delta }_2,\dots .{\delta }_n$) are legitimate, it results true; otherwise, it results false.

4.1. TASetup

The TA executes the TASetup algorithm to return the network parameters $\mathsf{Y}$ and the private (secret) keys $\alpha$ and $\beta$ as the following steps.

• Given a network parameter $\eta \in Z^{+}$, TA selects a generator g based on a group G of the order prime q.
• Four cryptographic general hash functions, $H_1$, $H_2$, $H_3$ and $H_4$, are chosen by TA and set as $H_1:G\times G\to Z_q^{*}$, $H_2:{[0,1]}^{*}\to Z_q^{*}$, $H_3:{[0,1]}^{*}\times {[0,1]}^{*}\times G\times G\times {[0,1]}^{*}\to Z_q^{*}$ and $H_4:G\to Z_q^{*}$.
• TA sets the randomly picked number $\alpha \in Z_q^{*}$ as a private (secret) key, then measures its corresponding public key ${\xi }_{Pub-\alpha }=g^{\alpha }$ for private key extraction.
• TA sets the randomly picked number $\beta \in Z_q^{*}$ as a private (secret) key, then measures its corresponding public key ${\xi }_{Pub-\beta }=g^{\beta }$ for traceability.
• The network public parameters are set as $\mathsf{Y}=$$\{g,G,q,H_1,$$H_2$, $H_3$, $H_4,{\xi }_{Pub-\alpha },{\xi }_{Pub-\beta }\}$. Note that private (secret) keys $\alpha$ and $\beta$ are only known to TA.

Since our work is based on 5G technology, it is an easy task to renew the groups to avoid repeating them during the next steps. The renew process executes between vehicle and TA through 5G-BS.

4.2. PIDGen and KeyGen

To achieve mutual authentication and privacy-preservation in our work, the pseudonym-IDs ($PIDs$) that are particularly concerned with the relevant original identities $OIDs$ should be used by following these steps:

• User submits the original identity $OID$ of his/her vehicle to TA via secure communication. TA is responsible for testing the validity of $OID$.
• Once confirmed the authenticity of $OID$, TA sets a group of the randomly selected values {${\omega }_{i,l}$, ${\omega }_{i,2}$, …${\omega }_{i,n}$} $\in Z_q^{*}$ as a private key and then measures the relevant public keys $P{K}_i^{*}=\{P{K}_{i,l},P{K}_{i,2},\dots P{K}_{i,n}\}$, where $P{K}_{i,l}=g^{{\omega }_{i,l}}$ and $l\in \{1,2\dots n\}$.
• TA then computes a group of $PIDs$ for vehicle $V_i$ as $PI{D}_i^{*}=\{PI{D}_{i,l},PI{D}_{i,2},\dots ,PI{D}_{i,n}\}$, where $PI{D}_{i,l}=OI{D}_i\oplus H_1(P{K}_{i,l}^{\beta },{\xi }_{Pub-\beta })$ and $l\in \{1,2\dots n\}$.
• Once calculating the $PI{D}_i^{*}$, TA sets randomly selected values $S{K}_i^{*}=\{S{K}_{i,l},S{K}_{i,2},\dots .S{K}_{i,n}\}$ as a signature keys, where $S{K}_{i,l}=\alpha .H_2\left(PI{D}_{i,l}\right)$ and $l\in \{1,2\dots n\}$.
• Ultimately, TA preloads the network parameters $\mathsf{Y}$ and groups {$P{K}_i^{*}$, $PI{D}_i^{*}$, $S{K}_i^{*}$} to TPD of vehicle $V_i$ through a secure channel.

4.3. MsgSign

Prior to sending the safety-related messages to public channel in 5G-enabled vehicular network, vehicle $V_i$ signs them to achieve integrity and authentication. The message-signature tuples on one message $M_i\in {[0,1]}^{*}$ by participating vehicle $V_i$ is demonstrated as the following steps.

• Vehicle $V_i$ sets the randomly selected a signature key $S{K}_{i,l}$, a relevant $P{K}_{i,l}$ and pseudonym-ID $PI{D}_{i,l}$ from the groups $P{K}_i^{*}$, $PI{D}_i^{*}$, and $S{K}_i^{*}$, respectively.
• Vehicle $V_i$ sets the randomly picked value $d_i\in Z_q^{*}$ and calculates $D_i=g^{d_i}$.
• Vehicle $V_i$ signs message $M_i\in {[0,1]}^{*}$ as ${\mathsf{\Theta }}_i=H_3(M_i,D_i,T_i,PI{D}_{i,l},P{K}_{i,l})$, where $T_i$ is a freshness timestamp.
• Vehicle $V_i$ computes signature ${\delta }_i=(H_4\left(D_i\right)-S{K}_{i,l}.{\mathsf{\Theta }}_i).d_i^{-1}$.
• Finally, vehicle $V_i$ broadcasts the message-signature tuples $\{M_i,P{K}_{i,l},PI{D}_{i,l},D_i,T_i,{\delta }_i\}$ to others in 5G-enabled vehicular networks.

4.4. SigVerify

Once the verifying vehicle $V_j$ has acquired a single tuple signed by $V_i$, the following steps should be executed.

• Upon receiving the message-signature tuples $\{M_i,P{K}_{i,l},PI{D}_{i,l},D_i,T_i,{\delta }_i\}$, the verifying vehicle $V_j$ tests the brightness of timestamp $T_i$. Verifying vehicle $V_j$ rejects the message if it is not valid.
• If $T_i$ is fresh, verifying vehicle $V_j$ then calculates $H_2\left(PI{D}_{i,l}\right)$ and ${\mathsf{\Theta }}_i=H_3(M_i,D_i,T_i,PI{D}_{i,l},P{K}_{i,l})$.
• Finally, verifying vehicle $V_j$ checks whether Equation (1) holds or not.

  $$D_i^{{\delta }_i}.{\xi }_{Pub-\alpha }^{H_2\left(PI{D}_{i,l}\right).{\mathsf{\Theta }}_i}\stackrel{?}{=}{g}^{H_4\left(D_i\right)}$$

  (1)

If Equation (1) is achieved, then the verifying vehicle $V_j$ accepts the message $M_i$; otherwise, the $V_j$ rejects it. The correctness of the SigVerify’s Equation is explained as follows:

$$\begin{array}{cc}\hfill & D_i^{{\delta }_i}.{\xi }_{Pub-\alpha }^{H_2\left(PI{D}_{i,l}\right).{\mathsf{\Theta }}_i}\hfill \\ \hfill & ={\left(g^{d_i}\right)}^{(H_4\left(D_i\right)-S{K}_{i,l}.{\mathsf{\Theta }}_i).d_i^{-1}}.{\left(g^{\alpha }\right)}^{H_2\left(PI{D}_{i,l}\right).{\mathsf{\Theta }}_i}\hfill \\ \hfill & =g^{d_i.(H_4\left(D_i\right)-\alpha .H_2\left(PI{D}_{i,l}\right).{\mathsf{\Theta }}_i).d_i^{-1}}.g^{\alpha .H_2\left(PI{D}_{i,l}\right).{\mathsf{\Theta }}_i}\hfill \\ \hfill & =g^{d_i.d_i^{-1}.H_4\left(D_i\right)-\alpha .H_2\left(PI{D}_{i,l}\right).{\mathsf{\Theta }}_i}.g^{\alpha .H_2\left(PI{D}_{i,l}\right).{\mathsf{\Theta }}_i}\hfill \\ \hfill & =g^{H_4\left(D_i\right)-\alpha .H_2\left(PI{D}_{i,l}\right).{\mathsf{\Theta }}_i}.g^{\alpha .H_2\left(PI{D}_{i,l}\right).{\mathsf{\Theta }}_i}\hfill \\ \hfill & =g^{H_4\left(D_i\right)-\alpha .H_2\left(PI{D}_{i,l}\right).{\mathsf{\Theta }}_i+\alpha .H_2\left(PI{D}_{i,l}\right).{\mathsf{\Theta }}_i}\hfill \\ \hfill & =g^{H_4\left(D_i\right)}\hfill \end{array}$$

4.5. BSigVerify

Upon receiving n message-signature tuples $\{{M_i}^1,{PI{D}_{i,l}}^1,{P{K}_{i,l}}^1,{D_i}^1,{T_i}^1,{{\delta }_i}^1\}$, $\{{M_i}^2,{PI{D}_{i,l}}^2,{P{K}_{i,l}}^2,{D_i}^2,{T_i}^2,{{\delta }_i}^2\}$,…,$\{{M_i}^n,{PI{D}_{i,l}}^n,{P{K}_{i,l}}^n,{D_i}^n,{T_i}^n,{{\delta }_i}^n\}$ simultaneously. Verifying vehicle $V_j$ uses the system public parameters $\mathsf{Y}=$$\{g,G,q,H_1,$$H_2$, $H_3$, $H_4,{\xi }_{Pub-\alpha },{\xi }_{Pub-\beta }\}$ to verify batch messages as the following steps.

• Verifying vehicle $V_j$ tests the validity of $\{T_1,T_2\dots T_n\}$, and drops the messages if some of them are not valid.
• Verifying vehicle $V_j$ sets the randomly selected n values $\{{\gamma }_1,{\gamma }_2\dots {\gamma }_n\}$, where ${\gamma }_i\in R[1,2^m]$ for $m=80$ and $i=1,2\dots ,n$ is typically acceptable [51].
• Verifying vehicle $V_j$ then calculates $H_2\left(PI{D}_{i,l}\right)$ and ${\mathsf{\Theta }}_i=H_3(M_i,D_i,T_i,PI{D}_{i,l},P{K}_{i,l})$, where $i=1,2\dots ,n$.
• Finally, verifying vehicle $V_j$ checks whether Equation (2) holds or not.

  $$g^{{\sum }_{i=1}^n({\gamma }_i.H_4\left(D_i\right))}\stackrel{?}{=}\sum _{i=1}^n{D}_i^{{\gamma }_i.{\delta }_i}.{\xi }_{Pub-\alpha }^{{\gamma }_i.H_2\left(PI{D}_{i,l}\right).{\mathsf{\Theta }}_i}$$

  (2)

If Equation (2) is achieved, then the verifying vehicle $V_j$ accepts the messages; otherwise, the $V_j$ discards them. The correctness of the BSigVerify’s Equation is explained as follows:

$$\begin{array}{cc}\hfill & \sum _{i=1}^n{D}_i^{{\gamma }_i.{\delta }_i}.{\xi }_{Pub-\alpha }^{{\gamma }_i.H_2\left(PI{D}_{i,l}\right).{\mathsf{\Theta }}_i}\hfill \\ \hfill & =\sum _{i=1}^n{\left(g^{{\gamma }_i.d_i}\right)}^{(H_4\left(D_i\right)-S{K}_{i,l}.{\mathsf{\Theta }}_i).d_i^{-1}}.{\left(g^{{\gamma }_i.\alpha }\right)}^{H_2\left(PI{D}_{i,l}\right).{\mathsf{\Theta }}_i}\hfill \\ \hfill & =\sum _{i=1}^n{g}^{{\gamma }_i.d_i.(H_4\left(D_i\right)-\alpha .H_2\left(PI{D}_{i,l}\right).{\mathsf{\Theta }}_i).d_i^{-1}}.g^{{\gamma }_i.\alpha .H_2\left(PI{D}_{i,l}\right).{\mathsf{\Theta }}_i}\hfill \\ \hfill & =\sum _{i=1}^n{g}^{{\gamma }_i.d_i.d_i^{-1}.H_4\left(D_i\right)-\alpha .H_2\left(PI{D}_{i,l}\right).{\mathsf{\Theta }}_i}.g^{{\gamma }_i.\alpha .H_2\left(PI{D}_{i,l}\right).{\mathsf{\Theta }}_i}\hfill \\ \hfill & =\sum _{i=1}^n{g}^{{\gamma }_i.H_4\left(D_i\right)-\alpha .H_2\left(PI{D}_{i,l}\right).{\mathsf{\Theta }}_i}.g^{{\gamma }_i.\alpha .H_2\left(PI{D}_{i,l}\right).{\mathsf{\Theta }}_i}\hfill \\ \hfill & =\sum _{i=1}^n{g}^{{\gamma }_i.H_4\left(D_i\right)-\alpha .H_2\left(PI{D}_{i,l}\right).{\mathsf{\Theta }}_i+{\gamma }_i.\alpha .H_2\left(PI{D}_{i,l}\right).{\mathsf{\Theta }}_i}\hfill \\ \hfill & =g^{{\sum }_{i=1}^n{\gamma }_i.H_4\left(D_i\right)}\hfill \end{array}$$

5. Security Analysis

In this section, the security definition, provable security, and security level of our work are analyzed in the following subsections.

5.1. Security Definition

The security model for the proposed scheme is provided by a game activated between a polynomial-time adversary $\mathcal{A}$ and a challenger $\mathcal{I}$. In the model, adversary $\mathcal{A}$ can access polynomially bounded queries oracle adaptively to challenger $\mathcal{I}$ as the following steps.

Setup: In this process, a TASetup algorithm of the 5G-enabled vehicular networks is simulated. $\mathcal{I}$ runs the TASetup algorithm to compute the network parameters $\mathsf{Y}$ and the private (secret) keys $\alpha$ and $\beta$. Once receiving this query, $\mathcal{I}$ sends $\mathsf{Y}$ to $\mathcal{A}$.

$H_{i=1,2,3,4}:$ When sending the information query $IQ$, $\mathcal{I}$ sets the randomly selected number ${\theta }_i\in Z_q^{*}$ and saves ($IQ$, ${\theta }_i$) in the list ${\mathcal{L}}_i$. Then, $\mathcal{I}$ returns ${\theta }_i$ to $\mathcal{A}$.

GenerateVeh: When receiving the original identity $OI{D}_i$ of vehicle $V_i$, $\mathcal{I}$ computes pseudonym-IDs $PI{D}_i^{*}$ and signature keys $S{K}_i^{*}$ of vehicle $V_i$. Then $\mathcal{I}$ saves {$OI{D}_i$, $PI{D}_i^{*}$, $S{K}_i^{*}$} in the list ${\mathcal{L}}_{veh}$.

CorruptVeh: When receiving the original identity $OI{D}_i$ of vehicle $V_i$, $\mathcal{I}$ sends pseudonym-IDs $PI{D}_i^{*}$ and signature keys $S{K}_i^{*}$ of vehicle $V_i$ to $\mathcal{A}$.

SignatureGen: When submitting pseudonym-ID $PI{D}_i$ and message M by $\mathcal{A}$, $\mathcal{I}$ produces and returns the relevant the message-signature tuples to $\mathcal{A}$.

Upon performing the above queries, $\mathcal{A}$ forges the signature ${\delta }_i^{*}$ of safety-related message $M_i^{*}$ related with original identity $OI{D}_i^{*}$ of vehicle $V_i^{*}$.

Forgery: When the below steps are achieved, $\mathcal{A}$ wins the game.

• ${\delta }_i^{*}$ is a legal signature of the message $M^{-}$.
• $\mathcal{A}$ signature of $M^{-}$ has not been queried in the CorruptVeh and SignatureGen.

Let the function $Ad{v}_{\mathsf{\Omega }.\mathcal{A}}^{Scheme}$ indicate the advantage of $\mathcal{A}$ in breaking the proposed scheme $\mathsf{\Omega }$.

Definition 1. 

The proposed scheme Ω for 5G-enabled vehicular networks is chosen-message and chosen-identity secure, when the function $Ad{v}_{\mathsf{\Omega }.\mathcal{A}}^{Scheme}$ is negligible for $\mathcal{A}$.

5.2. Provable Security

According to Definition 1, the selected message and chosen identity of our work utilizing the random oracle model (ROM) are analyzed. Figure 3 shows a game between a challenger $\mathcal{I}$ and an attacker $\mathcal{A}$.

Theorem 1. 

Supposing that the underlying DLP is unsolvable, the proposed scheme for 5G-enabled vehicular networks is secure in the ROM.

Proof. 

Suppose that an attacker of polynomial-time $\mathcal{A}$ can forge a legal the message-signature tuples $\{M_i,P{K}_{i,l},PI{D}_{i,l},D_i,T_i,{\delta }_i\}$ by an advantage of non-negligible $Ad{v}_{\mathsf{\Omega }.\mathcal{A}}^{Scheme}$, then challenger $\mathcal{I}$ could resolve DLP with advantage of non-negligible via working the $\mathcal{A}$ as a subroutine. Consider ${\xi }_{Pub-\alpha }=g^{\alpha }$ be an example of the DLP, and main work of the $\mathcal{A}$ is to calculate $\alpha$. Initially, $\mathcal{I}$ produces $\mathsf{Y}=$$\{g,G,q,H_1,$$H_2$, $H_3$, $H_4,{\xi }_{Pub-\alpha },{\xi }_{Pub-\beta }\}$ to $\mathcal{A}$. Then $\mathcal{A}$ runs oracle-queries adaptively modeled by $\mathcal{I}$ as the following steps. □

Oracle$\left(H_1\right):$$\mathcal{I}$ initializes the form of $\{\varrho ,{\xi }_{Pub-\beta },{\mu }_1\}$ in the list ${\mathcal{L}}_{H_1}$ firstly. Once a query $\{\varrho ,{\xi }_{Pub-\beta }\}$ is issued by $\mathcal{A}$, $\mathcal{I}$ tests whether the form of $\{\varrho ,{\xi }_{Pub-\beta },{\mu }_1\}$ existing in the list ${\mathcal{L}}_{H_1}$. If exists, $\mathcal{I}$ produces ${\mu }_1=H_1(\varrho ,{\xi }_{Pub-\beta })$ to $\mathcal{A}$, otherwise, $\mathcal{I}$ sets the randomly selected nonce ${\mu }_1\in Z_q^{*}$, produces to ${\mu }_1=H_1(\varrho ,{\xi }_{Pub-\beta })$ to $\mathcal{A}$ and puts $\{\varrho ,{\xi }_{Pub-\beta },{\mu }_1\}$ to the list ${\mathcal{L}}_{H_1}$.

Oracle$\left(H_2\right):$$\mathcal{I}$ initializes the form of $\{\lambda ,{\mu }_2\}$ in the list ${\mathcal{L}}_{H_2}$ firstly. Once a query $\left\{\lambda \right\}$ is issued by $\mathcal{A}$, $\mathcal{I}$ tests whether the form of $\{\lambda ,{\mu }_2\}$ existing in the list ${\mathcal{L}}_{H_2}$. If exists, $\mathcal{I}$ produces ${\mu }_2=H_2\left(\lambda \right)$ to $\mathcal{A}$, otherwise, $\mathcal{I}$ sets the randomly selected nonce ${\mu }_2\in Z_q^{*}$, produces to ${\mu }_2=H_2\left(\lambda \right)$ to $\mathcal{A}$ and puts $\{\lambda ,{\mu }_2\}$ to the list ${\mathcal{L}}_{H_2}$.

Oracle$\left(H_3\right):$$\mathcal{I}$ initializes the form of $\{M_i,D_i,T_i,PI{D}_{i,l},P{K}_{i,l},{\mu }_3\}$ in the list ${\mathcal{L}}_{H_3}$ firstly. Once a query $\{M_i,D_i,T_i,PI{D}_{i,l},P{K}_{i,l}\}$ is issued by $\mathcal{A}$, $\mathcal{I}$ tests whether the form of $\{M_i,D_i,T_i,PI{D}_{i,l},P{K}_{i,l},{\mu }_3\}$ existing in the pool ${\mathcal{L}}_{H_2}$. If exists, $\mathcal{I}$ produces ${\mu }_3=H_3(M_i,D_i,T_i,PI{D}_{i,l},P{K}_{i,l})$ to $\mathcal{A}$, otherwise, $\mathcal{I}$ sets the randomly selected nonce ${\mu }_3\in Z_q^{*}$, produces to ${\mu }_3=H_3(M_i,D_i,T_i,PI{D}_{i,l},P{K}_{i,l})$ to $\mathcal{A}$ and puts $\{M_i,D_i,T_i,PI{D}_{i,l},P{K}_{i,l},{\mu }_3\}$ to the list ${\mathcal{L}}_{H_3}$.

Oracle$\left(H_4\right):$$\mathcal{I}$ initializes the form of $\{D_i,{\mu }_4\}$ in the list ${\mathcal{L}}_{H_4}$ firstly. Once a query $\left\{D_i\right\}$ is issued by $\mathcal{A}$, $\mathcal{I}$ tests whether the form of $\{D_i,{\mu }_4\}$ existing in the list ${\mathcal{L}}_{H_4}$. If exists, $\mathcal{I}$ produces ${\mu }_4=H_4\left(D_i\right)$ to $\mathcal{A}$, otherwise, $\mathcal{I}$ sets the randomly selected nonce ${\mu }_4\in Z_q^{*}$, produces to ${\mu }_4=H_4\left(D_i\right)$ to $\mathcal{A}$ and puts $\{D_i,{\mu }_4\}$ to the list ${\mathcal{L}}_{H_4}$.

Oracle(GenerateVeh): $\mathcal{I}$ initializes the form of $\{OI{D}_i,\eta ,S{K}_i,PI{D}_i,P{K}_i\}$ in the list ${\mathcal{L}}_{veh}$ firstly. Once sending a query $\{OI{D}_i,\eta ,S{K}_i,PI{D}_i,P{K}_i\}$ to by $\mathcal{I}$, $\mathcal{A}$ tests whether the form of $\{OI{D}_i,\eta ,S{K}_i,PI{D}_i,P{K}_i\}$ existing in the pool ${\mathcal{L}}_{veh}$. If exists, $\mathcal{I}$ results $P{K}_i$ to $\mathcal{A}$, otherwise, $\mathcal{I}$ runs the following two points.

• If $OI{D}_i=OI{D}_i^{*}$, $\mathcal{I}$ sets the randomly selected three values ${\eta }_i$, ${\mu }_1$ and ${\mu }_2$, calculates $P{K}_i=g^{{\eta }_i}$ and holds $\{S{K}_i,PI{D}_i\}$. $\mathcal{I}$ saves $\{OI{D}_i,\eta ,S{K}_i,PI{D}_i,P{K}_i\}$, $\{\varrho ,{\xi }_{Pub-\beta },{\mu }_1\}$ and $\{\lambda ,{\mu }_2\}$ in the list ${\mathcal{L}}_{veh}$, ${\mathcal{L}}_{H_1}$ and ${\mathcal{L}}_{H_2}$ respectively. Finally, $\mathcal{I}$ returns $P{K}_i$ to $\mathcal{A}$.
• If $OI{D}_i\ne OI{D}_i^{*}$, $\mathcal{I}$ sets the randomly selected three values ${\eta }_i$, ${\mu }_1$ and ${\mu }_2$, calculates $P{K}_i=g^{{\eta }_i}$, $PI{D}_i=OI{D}_i\oplus {\mu }_1$ and $S{K}_i=\alpha .{\mu }_2$. $\mathcal{I}$ saves $\{OI{D}_i,\eta ,S{K}_i,PI{D}_i,P{K}_i\}$, $\{\varrho ,{\xi }_{Pub-\beta },{\mu }_1\}$ and $\{\lambda ,{\mu }_2\}$ in the list ${\mathcal{L}}_{veh}$, ${\mathcal{L}}_{H_1}$ and ${\mathcal{L}}_{H_2}$ respectively. Ultimately, $\mathcal{I}$ results $P{K}_i$ to $\mathcal{A}$.

Oracle(CorruptVeh): $\mathcal{I}$ invokes $\{OI{D}_i,\eta ,S{K}_i,PI{D}_i,P{K}_i\}$ from ${\mathcal{L}}_{veh}$ and produces $\{S{K}_i,PI{D}_i\}$ to $\mathcal{A}$.

Oracle(SignatureGen): When receiving a query with pseudonym-ID $PI{D}_i$ and message $M_i$ from $\mathcal{A}$, $\mathcal{I}$ sets the randomly selected three values $d_i$, ${\mu }_3$ and ${\mu }_4$ and calculates $D_i=g^{d_i}$, ${\delta }_i=(H_4\left(D_i\right)-S{K}_{i,l}.{\mathsf{\Theta }}_i).d_i^{-1}$. $\mathcal{I}$ saves $\{M_i,D_i,T_i,PI{D}_{i,l},P{K}_{i,l},{\mu }_3\}$ and $\{D_i,{\mu }_4\}$ in the list ${\mathcal{L}}_{H_3}$ and ${\mathcal{L}}_{H_4}$, respectively. Finally, $\mathcal{I}$ returns the message-signature tuples $\{M_i,P{K}_{i,l},PI{D}_{i,l},D_i,T_i,{\delta }_i\}$ to $\mathcal{A}$.

At last, $\mathcal{A}$ outputs the message-signature tuples $\{M_i,P{K}_{i,l},PI{D}_{i,l},D_i,T_i,{\delta }_i\}$ to $\mathcal{I}$. If $PI{D}_i\ne PI{D}_i^{*}$, then $\mathcal{I}$ ends the game. $\mathcal{I}$ verifies whether Equation (3) holds.

$$D_i^{{\delta }_i}.{\xi }_{Pub-\alpha }^{H_2\left(PI{D}_{i,l}\right).{\mathsf{\Theta }}_i}\stackrel{?}{=}{g}^{H_4\left(D_i\right)}$$

(3)

When it is wrong, then $\mathcal{I}$ breaks the game by using forking lemma in [52]. When the $\mathcal{I}$ attempts the process with a various chosen $H_2$, then $\mathcal{A}$ can result in another valid message-signature tuple $\{M_i,PI{D}_{i,l},P{K}_{i,l},D_i,T_i,{\delta }_i^{*}\}$ with the advantage $Ad{v}_{\mathsf{\Omega }.\mathcal{A}}^{Scheme}⩾\frac{1}{9}$. Therefore, it obtains the following equation.

$$D_i^{{\delta }_i^{*}}.{\xi }_{Pub-\alpha }^{H_2\left(PI{D}_{i,l}\right).{\mathsf{\Theta }}_i^{*}}\stackrel{?}{=}{g}^{H_4\left(D_i\right)}$$

(4)

Based on Equations (3) and (4), it can be concluded as follows.

$$D_i^{{\delta }_i-{\delta }_i^{*}}\stackrel{?}{=}{\xi }_{Pub-\alpha }^{H_2\left(PI{D}_{i,l}\right).({\mathsf{\Theta }}_i-{\mathsf{\Theta }}_i^{*})}$$

(5)

$$D_i^{{\delta }_i.{\mathsf{\Theta }}_i^{*}-{\delta }_i^{*}.{\mathsf{\Theta }}_i}\stackrel{?}{=}{g}^{H_4\left(D_i\right).({\mathsf{\Theta }}_i^{*}-{\mathsf{\Theta }}_i)}$$

(6)

Thus, according to the above two equations, it can be respectively concluded as follows.

• $D_i^{{\delta }_i-{\delta }_i^{*}}\stackrel{?}{=}{g}^{H_4\left(D_i\right).({\mathsf{\Theta }}_i^{*}-{\mathsf{\Theta }}_i)}$, ${\left(g\right)}^{d_i.({\delta }_i-{\delta }_i^{*})}\stackrel{?}{=}{\left(g\right)}^{x.H_2\left(PI{D}_{i,l}\right).({\mathsf{\Theta }}_i^{*}-{\mathsf{\Theta }}_i)}$

  $$d_i.{\delta }_i-{\delta }_i^{*}\stackrel{?}{=}\alpha .H_2\left(PI{D}_{i,l}\right).({\mathsf{\Theta }}_i^{*}-{\mathsf{\Theta }}_i)$$

  (7)
• $D_i^{{\delta }_i.{\mathsf{\Theta }}_i^{*}-{\delta }_i^{*}.{\mathsf{\Theta }}_i}\stackrel{?}{=}{g}^{H_4\left(D_i\right).({\mathsf{\Theta }}_i^{*}-{\mathsf{\Theta }}_i)}$, $g^{d_i.({\delta }_i.{\mathsf{\Theta }}_i^{*}-{\delta }_i^{*}.{\mathsf{\Theta }}_i)}\stackrel{?}{=}{g}^{H_4\left(D_i\right).({\mathsf{\Theta }}_i^{*}-{\mathsf{\Theta }}_i)}$

  $$d_i.({\delta }_i.{\mathsf{\Theta }}_i^{*}-{\delta }_i^{*}.{\mathsf{\Theta }}_i)\stackrel{?}{=}{H}_4\left(D_i\right).({\mathsf{\Theta }}_i^{*}-{\mathsf{\Theta }}_i)$$

  (8)

Based on the above two equations, $\mathcal{I}$ results $H_4\left(D_i\right)$ . $H_2{\left(PI{D}_{i,l}\right)}^{-1}({\delta }_i-{\delta }_i^{*}).{({\delta }_i.{\mathsf{\Theta }}_i^{*}-{\delta }_i^{*}.{\mathsf{\Theta }}_i)}^{-1}$ as the output of the DLP. The following events to resolve the DLP by $\mathcal{I}$ are analyzed.

• $E{V}_{pid}$ indicates the event that $PI{D}_i^{*}$ = $PI{D}_i$.
• $E{V}_{fabricate}$ indicates the event that $\mathcal{I}$ can fabricate two legal signatures.

Let $N_{H_2}$ indicates the value of $H_2$ oracle queries. Therefore, it outputs $Prob\left[E{V}_{pid}\right]=\frac{1}{N_{H_2}}$, $Prob\left[E{V}_{fabricate}\right|E{V}_{pid}]⩾\frac{1}{9}$. The advantage and $Ad{v}_{\mathsf{\Omega }.\mathcal{A}}^{Scheme}$ that $\mathcal{A}$ could resolve the DLP is as follows.

$Prob[E{V}_{fabricate}\wedge E{V}_{pid}]$ = $Prob\left[E{V}_{fabricate}\right|E{V}_{pid}].Prob\left[E{V}_{pid}\right]$$⩾\frac{1}{9}.Ad{v}_{\mathsf{\Omega }.\mathcal{A}}^{Scheme}.\frac{1}{N_{H_2}}=\frac{Ad{v}_{\mathsf{\Omega }.\mathcal{A}}^{Scheme}}{9N_{H_2}}.$

Thus, $\mathcal{I}$ resolves the DLP with an advantage of non-negligible $\frac{Ad{v}_{\mathsf{\Omega }.\mathcal{A}}^{Scheme}}{9N_{H_2}}$ owing to the bounded $N_{H_2}$ and non-negligible $Ad{v}_{\mathsf{\Omega }.\mathcal{A}}^{Scheme}$. Hence, this completes the security proof for the proposed scheme.

5.3. Security Requirements

Our work should be achieved the security goals (Section 3.2) concerning security requirements as follows.

• Authentication and Integrity: Once the vehicle sending the message-signature tuples $\{M_i,P{K}_{i,l},PI{D}_{i,l},D_i,T_i,{\delta }_i\}$ to others, the checker in our work checks the correctness $D_i^{{\delta }_i}.{\xi }_{Pub-\alpha }^{H_2\left(PI{D}_{i,l}\right).{\mathsf{\Theta }}_i}\stackrel{?}{=}{g}^{H_4\left(D_i\right)}$ for testing the tuple’s integrity and authenticity. According to Theorem 1 in Section 5.2, there is no attacker $\mathcal{A}$ of polynomial-time that could impersonate/generate a legitimate message if the DLP is hardness.
• Privacy Preserving: In the PIDGen and KeyGen phase, the vehicle’s true identity is hidden in the $PI{D}_i^{*}=\{PI{D}_{i,l},PI{D}_{i,2},\dots ,PI{D}_{i,n}\}$ by TA, where $PI{D}_{i,l}=OI{D}_i\oplus H_1(P{K}_{i,l}^{\beta },{\xi }_{Pub-\beta })$ and $l\in \{1,2,..n\}$. To disclose the vehicle’s true identity $OI{D}_i$ from $PI{D}_{i,l}=OI{D}_i\oplus H_1(P{K}_{i,l}^{\beta },{\xi }_{Pub-\beta })$, $\mathcal{A}$ requires to calculate ${\xi }_{Pub-\beta }=g^{\beta }$ based on $\beta \in Z_q^{*}$. Nevertheless, this process contradicts the hardness of CDHP. Thus, our work satisfies privacy preserving.
• Traceability: By tracing the origin of messages sent, the TA is able to revoke and block the enrollment of any attacker that attempts to broadcast forge messages or disturb the system in 5G-enable vehicular networks. Once receiving the forge message, the vehicle reports it to the TA to verify its aid and, if available in the list, calculates the $OI{D}_i$ as $OI{D}_i=PI{D}_{i,l}\oplus H_1(\beta .P{K}_{i,l}^{\beta },{\xi }_{Pub-\beta })$ utilizing master key $\beta$. Thus, the function of traceability is provided by our work.
• Replaying Resistance: Our work can resist replay attacks by utilizing timestamp $T_i$ in the message-signature tuples $\{M_i,P{K}_{i,l},PI{D}_{i,l},D_i,T_i,{\delta }_i\}$. It denotes the signing time of tuples. Let $T_{ri}$ is the arrival time of the message. It requires to verify if $T_{ri}-T_i\ge \Delta T$. When this condition holds, then there is no replay attacks.

5.4. Security Level

In this section, we show the security level of our work compared to the existing schemes in terms of privacy and security requirements. Therefore, we summarize and compare the security and piracy requirements of our work with the existing works He et al. [40], Azees et al. [42], Pournaghi et al. [43], and Bayat et al. [45] in

Table 1. Comparison of Security Properties.

Schemes	Authentication and Integrity	Privacy Preserving	Replaying Resistance	Traceability	No RSU Aided
He et al. [40]	✓	✓	✓	✓	✗
Azees et al. [42]	✗	✓	✗	✓	✗
Pournaghi et al. [43]	✓	✓	✓	✓	✗
Bayat et al. [45]	✓	✓	✗	✓	✗
Our work	✓	✓	✓	✓	✓

. Thereby, all related works require RSU aid. Schemes of Azees et al. [42] and Bayat et al. [45] are vulnerable to replay attacks. Azees et al.’s scheme [42] is not satisfied by mutual authentication. As a result of Table 1, it can be concluded that our work achieves better security properties as compared to other works tabulated in that table.

6. Performance Comparison

In this section, the performance comparison of our work is evaluated with regard to costs of communication and computation. Meanwhile, the performance of our work is compared with schemes He et al. [40], Azees et al. [42], Pournaghi et al. [43], and Bayat et al. [45] via an experiment of simulation.

As presented in Figure 4, this work utilizes traffic generation simulator and network generation simulator such as OpenStreetMap [53], GatcomSUMO [54], SUMO [55] OMNeT++ [56], VEINS [57], Simu5G [58], and MIRACL [59,60] to execute experiments of simulation for 5G-enabled vehicular networks. OpenStreetMap is a very real trusted map website. GatcomSUMO is a java-based program utilized to facilitate the connection between the generation of traffic (SUMO) and the generation of the network (OMNeT++). SUMO is a road traffic simulation with a highly portable. OMNeT++ is a open-architecture for networks. Veins are joined with the generation of road traffic and the generation of networks. INET is a framework OMNeT++ suited for wired, wireless, and mobile networks. Simu5G is suited for a 5G-enabled vehicular network. MIRACL is a cryptographic library utilized to run operations based on cryptography algorithms.

Table 2. Parameters of Simulation Experiment.

Parameters	Value
Play ground size	x = 3463 m, y = 4270 m and z = 50 m
Simulation time	200 s
Physical Layer	IEEE 802.11p
Mac Layer	IEEE 1609.4
Bit rate	6 Mbps
Maximum transmission	20 mW

lists the parameters of the simulation experiment.

6.1. Computation Costs

For a fair evaluation, the notations with the costs of the execution time of some cryptographic operations are tabulated in

Table 3. Notation with its Costs of Execution Time.

Notation	Descriptions	Execution Time
$T_{bp}$	a bilinear pairing $\stackrel{-}{e}$ (P,Q)	5.811 ms
$T_{mul}$	a BP scalar multiplication $s.\stackrel{-}{P}$	1.5654 ms
$T_{add}$	a BP point addition $\stackrel{-}{P}$+ $\stackrel{-}{Q}$	0.0106 ms
$T_{MTP}$	a MapToPoint hash function	4.1724 ms
$t_{mul}$	a ECC scalar multiplication operation $s.P$	0.6718 ms
$t_{add}$	a ECC point addition operation $P+Q$	0.0031 ms
$t_h$	a secure cryptographic hash function	0.0001 ms

. This paper considers the computation overheads of generating pseudonym-IDs, signed message, and verification process, and compares them with existing schemes in

Table 4. The Cost of Computation of Five Authentication Schemes.

Scheme	MsgSign Phase	SigVerify Phase	BSigVerify Phase
He et al.’s scheme [40]	$3t_{mul}+3t_h\approx 2.0156$ ms	$5t_{mul}+t_{add}+2t_h\approx 3.3622$ ms	$(2+3n)t_{mul}+(2n-1)t_{add}+\left(2n\right)t_h\approx 1.3405+2.0236n$ ms
Azees et al.’s scheme [42]	$1T_{mul}+1t_h\approx 1.5655$ ms	$2T_{bp}+5T_{mul}+2T_{add}\approx 19.661$ ms	$(1+n)T_{bp}+\left(5n\right)T_{mul}+\left(2n\right)T_{add}\approx 5.811+13.6592n$ ms
Pournaghi et al.’s scheme [43]	$3T_{mul}+1T_{add}+2t_h+1T_{MTP}\approx 8.8794$ ms	$3T_{bp}+\left(n\right)T_{mul}+\left(n\right)T_{MTP}\approx 21.6054$ ms	$3T_{bp}+\left(n\right)T_{mul}+\left(n\right)T_{MTP}\approx 17.433+5.7378n$ ms
Bayat et al. ’s scheme [45]	$1T_{MTP}\approx 4.1724$ ms	$3T_{bp}+\left(n\right)T_{mul}+\left(n\right)T_{MTP}\approx 21.6054$ ms	$3T_{bp}+\left(n\right)T_{mul}+\left(n\right)T_{MTP}\approx 17.433+5.7378n$ ms
The proposed scheme	$1t_{mul}+2t_h\approx 0.6719$ ms	$4t_{mul}+t_{add}+2t_h\approx 2.6904$ ms	$(2+2n)t_{mul}+\left(n\right)t_{add}+\left(2n\right)t_h\approx 1.3436+1.3469n$ ms

.

In the MsgSign phase of the scheme of He et al. [40], the user needs to run three operations with regard to ECC scalar multiplication and three operations with regard to general hash function. Hence, the cost of computation of the MsgSign phase is $3t_{mul}+3t_h\approx 2.0156$ ms. In the SigVerify phase of He et al.’s scheme [40], the user needs to run five operations with regard to scalar multiplication, one operation with regard to addition point and two operations with regard to hash function. Hence, the cost of computation of the SigVerify phase is $5t_{mul}+t_{add}+2t_h\approx 3.3622$ ms. In the BSigVerify phase of He et al.’s scheme [40], the vehicle needs to run (2 + 3n) operations with regard to scalar multiplication, (2n − 1) operations with regard to addition point and (2n) operations with regard to hash function. Hence, the cost of computation of the BSigVerify phase is $(2+3n)t_{mul}+(2n-1)t_{add}+\left(2n\right)t_h\approx 1.3405+2.0236n$ ms.

In the MsgSign phase of Azees et al.’s scheme [42], the user needs to run one operation with regard to BP scalar multiplication and one operation with regard to general hash function. Hence, the cost of computation of the MsgSign phase is $1T_{mul}+1t_h\approx 1.5655$ ms. In the SigVerify phase of Azees et al.’s scheme [42], the user needs to run two operations with regard to bilinear pair, five operations with regard to scalar multiplication, and two operations with regard to addition point. Hence, the cost of computation of the SigVerify phase is $2T_{bp}+5T_{mul}+2T_{add}\approx 19.661$ ms. In the BSigVerify phase of Azees et al.’s scheme [42], the user needs to run (1 + n) operations with regard to bilinear pair, (5n) operations with regard to scalar multiplication, and (2n) operations with regard to addition point. Hence, the cost of computation of the BSigVerify phase is $(1+n)T_{bp}+\left(5n\right)T_{mul}+\left(2n\right)T_{add}\approx 5.811+13.6592n$ ms.

In the MsgSign phase of Pournaghi et al.’s scheme [43], the user needs to run three operations with regard to scalar BP multiplication, one operation with regard to addition point, two operations with regard to general hash function, and one operation with regard to MapToPoint hash function. Hence, the cost of computation of the MsgSign phase is $3T_{mul}+1T_{add}+2t_h+1T_{MTP}\approx 8.8794$ ms. In the SigVerify phase of the Pournaghi et al.’s scheme [43], the user needs to run three operations with regard to bilinear pair, one operation with regard to scalar multiplication, and one operation with regard to MapToPoint hash function. Hence, the cost of computation of the SigVerify phase is $3T_{bp}+\left(n\right)T_{mul}+\left(n\right)T_{MTP}\approx 21.6054$ ms. In the BSigVerify phase of Pournaghi et al.’s scheme [43], the user needs to run three operations with regard to bilinear pair, (n) operations with regard to scalar multiplication, and (n) operations with regard to MapToPoint hash function. Hence, the cost of computation of the BSigVerify phase is $3T_{bp}+\left(n\right)T_{mul}+\left(n\right)T_{MTP}\approx 17.433+5.7378n$ ms.

In the MsgSign phase of Bayat et al.’s scheme [45], the user needs to run only one operation with regard to MapToPoint hash function. Hence, the cost of computation of the MsgSign phase is $1T_{MTP}\approx 4.1724$ ms. In the SigVerify phase of the Bayat et al.’s scheme [45], the user needs to run three operations with regard to bilinear pair, one operation with regard to scalar multiplication, and one operation with regard to MapToPoint hash function. Hence, the cost of computation of the SigVerify phase is $3T_{bp}+\left(n\right)T_{mul}+\left(n\right)T_{MTP}\approx 21.6054$ ms. In the BSigVerify phase of Bayat et al.’s scheme [45], the user needs to run three operations with regard to bilinear pair, (n) operations with regard to scalar multiplication, and (n) operations with regard to MapToPoint hash function. Hence, the cost of computation of the BSigVerify phase is $3T_{bp}+\left(n\right)T_{mul}+\left(n\right)T_{MTP}$$\approx 17.433+5.7378n$ ms.

In the MsgSign phase of our work, the user needs to run one operation with regard to ECC scalar multiplication and two operations with regard to general hash function. Hence, the cost of computation of the MsgSign phase is $1t_{mul}+2t_h\approx 0.6719$ ms. In the SigVerify phase of our work, the vehicle needs to run four operations with regard to scalar multiplication, one operation with regard to addition point and two operations with regard to hash function. Hence, the cost of computation of the SigVerify phase is $4t_{mul}+t_{add}+2t_h\approx 2.6904$ ms. In the BSigVerify phase of our work, the user needs to run (2 + 2n) operations with regard to scalar multiplication, (n) operations with regard to addition point, and (2n) operations with regard to hash function. Hence, the cost of computation of the BSigVerify phase is $(2+2n)t_{mul}+\left(n\right)t_{add}+\left(2n\right)t_h\approx 1.3436+1.3469n$ ms.

Furthermore, the entire time is based on the runtime of each cryptographic operation. The elapsed time (ET) between the exit and entrance is the overhead cost.

$$ET=\frac{1}{M}\sum _{i=1}^{n}M(T_{out}^i-T_{in}^i)$$

(9)

where, M is the message number, $T_{in}^i$ is the entrance time of message i, and $T_{out}^i$ is the exit time of message i. Figure 5 and Figure 6 depict the average time to sign and verify a message between the proposed and scheme of He et al. [40]. The main reason for comparing our work against only He et al. [40] is to the same cryptography operations (e.g., ECC) used to sign message and verify signature. Additionally, the cost of He et al.’s scheme [40] is most efficient compared with other schemes according to Table 4. The results of the experimental methods show that our work is much more efficient than existing methods.

6.2. Communication Costs

In this section, the primary concentrate is the cost of communication included in the timestamps, signatures, and pseudonym-IDs for the message-signature tuples.

Table 5. The Sizes of Elements Used.

Element	Size
$Z_q^{*}$	160 bits
G	320 bits
$G_1$	1024 bits
Timestamp	32 bits
Hash function	160 bits

shows the sizes of cryptographic elements used for communication costs.

In the scheme of He et al. [40], the signer broadcasts the message-signature tuple $\{M_i,R_i,AI{D}_{i,1},T_i,AI{D}_{i,2},{\sigma }_i\}$ to the recipient, where ${\sigma }_i\in Z_q$, $\{R_i,AI{D}_{i,2},AI{D}_{i,1}\}\in G$ and $T_i$ is a timestamp. Consequently, the cost of communication is 3 × 320 + 160 + 32 = 1152 bits. In the scheme of Azees et al. [42], the signer broadcasts the message-signature tuple $\left\{Cer{t}_k\right|\left|Y_k\right|\left|Sig\right\}$ to the recipient, where $Cer{t}_k=\{E_i\left|\right|{\sigma }_1\left|\right|\left|\right|y_v\left|\right|\lambda \left|\right|{\sigma }_2\left|\right|Y_k\left|\right|y_u\left|\right|DI{D}_{ui}\}$, $\{E_i,y_u,Y_k,DI{D}_{u_i},sig\}$$\in G_1$, $\{{\sigma }_2,{\sigma }_1,\lambda \}\in Z_q^{*}$, c is a hash operation. Consequently, the cost of communication is 6 × 1024 + 3 × 160 + 32 = 6656 bits. In Pournaghi et al.’s scheme [43], the signer sends the message-signature tuple $\{M_i,I{D}_{RS{U}_j},pI{D}_i^1,pI{D}_i^2,{\sigma }_i\}$ to the recipient, where $\{pI{D}_i^1,pI{D}_i^2\}\in G_1$ and $\{{\sigma }_i,I{D}_{RS{U}_j}\}\in Z_q^{*}$. Consequently, the cost of communication is 2 × 1024 + 2 × 160 = 2368 bits. In Bayat et al.’s scheme [45] the signer broadcasts the message-signature tuple $\{M_i,pI{D}_i^1,pI{D}_i^2,{\sigma }_i\}$ to the recipient, where $\{pI{D}_i^1,pI{D}_i^2\}\in G_1$ and ${\sigma }_i\in Z_q^{*}$. Consequently, the cost of communication is 2 × 1024 + 1 × 160 = 2208 bits. In our work, the signer sends the message-signature tuple $\{M_i,P{K}_{i,l},PI{D}_{i,l},D_i,T_i,{\delta }_i\}$ to others in 5G-enabled vehicular networks, where $\{P{K}_{i,l},D_i\}\in G$, $T_i$ is the timestamp and $\{{\delta }_i,PI{D}_{i,l}\}$ is a hash operations. Consequently, the cost of communication is 2 × 320 + 2 × 160 + 32 = 992 bits.

Communication cost comparisons for all works are presented in

Table 6. The Costs of Communication Comparison.

Scheme	Message-Signature Tuple	Size (bits)	n Size (bits)
He et al. [40]	$\{AI{D}_{i,1},AI{D}_{i,2},M_i,R_i,T_i,{\sigma }_i\}$	3 × 320 + 160 + 32 = 1152	1152 n
Azees et al. [42]	$\left\{Sig\right|\left|Y_k\right|\left|Cer{t}_k\right\}$	6 × 1024 + 3 × 160 + 32 = 6656	6656 n
Pournaghi et al. [43]	$\{M_i,I{D}_{RS{U}_j},pI{D}_i^1,pI{D}_i^2,{\sigma }_i\}$	2 × 1024 + 2 × 160 = 2368	2368 n
Bayat et al. [45]	$\{M_i,pI{D}_i^1,pI{D}_i^2,{\sigma }_i\}$	2 × 1024 + 1 × 160 = 2208	2208 n
Our Proposed	$\{M_i,P{K}_{i,l},PI{D}_{i,l},D_i,T_i,{\delta }_i\}$	2 × 320 + 2 × 160 + 32 = 992	992 n

. Similar to the cost of computation, our work is significantly better than other existing works, as presented in Figure 7.

7. Conclusions

This paper proposed a provably secure with efficient data-sharing scheme without using RSU for 5G-enabled vehicular networks. Our work does not use an expansive component called RSU for the authentication process to improve efficiency further. Furthermore, the provable security displayed that our work is secure against adaptive selected-message attacks based on the random oracle model. Furthermore, our work not only achieves the requirements of security (message authentication and integrity, identity privacy preservation, and traceability) but also resists the security attacks such as replay attacks. This work carried out our simulation experiments with regard to network simulator (OMNeT++) and traffic simulator (SUMO) to analyze the results. Lastly, this paper reduces the computation cost to sign the message, verify signature, and batch signature verification by 66.67%, 19.98%, and 20.01%, respectively. This paper reduces the communication overhead the message-signature-tuple size by 13.89%.

The major limitation the proposed approach is uses large numbers (e.g., four operations) of ECC-based multiplication point to verify messages sent among vehicles. A fast-moving vehicle requires fast verification by using lightweight operations to verify messages. Therefore, in future work, it will contain the design of a fog computing-based authentication scheme that uses an operation based on ECC cryptographic algorithm in 5G-enabled vehicular networks.