PAS: Privacy-Preserving Authentication Scheme Based on SDN for VANETs

Abstract

Privacy disclosure has become a key challenge in vehicular ad hoc networks (VANETs). Although IEEE, ERSI, etc. suggest that a pseudonym-based scheme is a solution, how to support pseudonym management and vehicle authentication is still an open issue. In this paper, a secure VANETs authentication scheme (PAS) is proposed, where software-defined network (SDN) is integrated as a suitable infrastructure to support anonymous authentication and pseudonym management, while removing the requirement for pseudonym certification in the dynamic VANETs environment. The security and performance analysis indicate that PAS is able protect the privacy of vehicles and has a high efficiency.

1. Introduction

The intelligent transportation system (ITS) integrates a variety of advanced equipment and technologies (e.g., sensors and intelligent access control), and has become a vital part of next-generation urban transportation. Vehicle ad hoc networks (VANETs), the important part of ITS, are able to realize rapid interconnection among vehicles and surrounding terminals by utilizing dedicated short-range communication technology (DSRC) [1] to guarantee that drivers and passengers obtain continuous and stable communication services. On the one hand, VANETs effectively make up for the shortcoming of the unstable communication in terms of distance and direction to ensure vehicle driving safety. On the other hand, VANETs can fully share information among various traffic environments and obtain relevant services. Recently, VANETs have been considered to be a major research direction to strengthen the relationship among vehicles, roads, and drivers [2]. Different from traditional ad hoc networks, VANETs own unique features, such as the frequent changing topology, variable network density, and predictable mobility, which are able to provide continuous and stable network communication services for high-speed moving vehicles [3]. In VANETs, vehicles can communicate with infrastructures on both sides of the road (e.g., roadside units, RSUs) to obtain diverse application services [4]. Furthermore, vehicles are also able to communicate with each other so that drivers may gain surrounding traffic information in time. However, due to the wireless communication environment, all messages are transmitted in the form of broadcast and any adversaries within the signal domain can obtain the messages freely. Meanwhile, as for the features of the dynamic change of network topology and the high-speed running of vehicles, it is challenging to resist cyber threats and quickly establish a safe and stable communication among entities in VANETs [5,6]. Consequently, a secure, reliable, and efficient communication scheme that withstands various attacks is vital for VANETs [7].

Secure and efficient authentication protocol is considered key during the large-scale deployment of VANETs. Plenty of authentication protocols that support vehicle verification have been proposed in the past four years. Nevertheless, several shortcomings have been exposed. (i) Once the trusted authority is compromised or data are lost, the message of vehicles in VANETs is likely to be leaked. Consequently, it becomes impossible to rely on a single trusted authority to establish a trusting relationship among the entities. (ii) In the traditional authentication schemes, if a vehicle misbehaves, the informant needs to submit relevant evidence to the trusted authority to revoke the illegal vehicle. However, these schemes do not mention how to determine the integrity and authenticity of the evidence, which makes the evidence difficult to trust. (iii) When providing communication services for vehicles, RSUs have to store and maintain some necessary information for vehicles, which causes huge pressure to be applied to the RSU due to its limited computation and storage capacity. (iv) Authentication protocols in the proposed schemes are treated as one-model-fits-all. Once the protocols are determined, it becomes hard to upgrade and update them.

As a result, in terms of the conflicting goals of security and efficiency, we propose a privacy-preserving authentication scheme based on SDN for VANETs (PAS). The contributions are summarized as follows:

(i)

The proposed scheme integrates with software-defined network (SDN) to support vehicle identity management and anonymous authentication.

(ii)

Integrity, confidentiality, non-repudiation, and the unforgeability of vehicle identities are guaranteed when using the secure-data-sharing approach.

(iii)

A complete privacy-preserving authentication scheme is proposed, including a vehicle-to-infrastructure (V2I) authentication protocol, vehicle-to-vehicle (V2V) authentication protocol, and pseudonym revocation. Furthermore, extensive experiments are adopted to evaluate PAS compared with the typical ones.

The organization of the paper is structured as follows: Section 2 describes the related works about anonymous authentication schemes in VANETs. The preliminaries such as SDN, bilinear mapping, GDH assumption, and BLS signature mechanism are sketched in Section 3. Section 4 formalizes the network architecture, trust model, threat model, and the details of PAS. Security analysis, privacy analysis, and performance analysis are discussed in Section 5. Finally, the conclusion and future work are presented in Section 6.

2. Relate Works

2.1. Symmetric Cryptography-Based Authentication Schemes

In symmetric cryptography, the sender and the receiver share the same secret key. Compared to other cryptography mechanisms, symmetric cryptography has higher efficiency. In [8], vehicles generate a set of pseudonymous which handle depending on the seeds issued by the trusted authority, where RSUs are able to assign short-term pseudonyms for vehicles based on the handles. The proposed scheme alleviates the cost of generating and maintaining the pseudonyms for ombudsman and reduces the delay of changing pseudonyms. However, as only the pseudonym owner and RSU know the key corresponding to the pseudonym, when receiving the message from the sender, the receiver has to communicate with RSU to verify the legality of the message from the sender. Ref. [9] proposed prediction-based authentication (PBA). PBA adds the location prediction result generated by a position-prediction mechanism. In order to improve efficiency and reduce storage pressure, a short signature mechanism is adopted to guarantee the security of the location prediction result. Rhim et al. uses an efficient MAC-based message to achieve mutual authentication [10]. In the proposed scheme, all messages transmitted by vehicles do not include any identifying information, which ensures privacy protection. However, the above schemes cannot guarantee non-repudiation. Once the key is disclosed, it is difficult to identify the adversaries from all entities in VANETs.

2.2. Asymmetric Cryptography-Based Authentication Schemes

In asymmetric cryptography-based authentication schemes, pseudonym and certification are usually considered as an essential message to prove the legality of the sender. In [11], the trusted authority (TA) provides the registration and anonymous authentication services for all RSUs and vehicles. When a registered vehicle enters VANETs, the vehicle can get the TPD activation key from the TA through RSU. The vehicle with the TPD activation key is able to generate a short-term anonymous certificate to achieve anonymous authentication. Moreover, in V2I authentication protocol, RSUs support the batch verifications of anonymous communication requests from multiple vehicles. However, according to [12], in order to prevent external adversaries from obtaining the vehicle’s trajectory, each vehicle needs to change its own pseudonym and corresponding certificate frequently. Consequently, the TA has to provide services for a large number of vehicles that need to change pseudonyms at the same time, which leads to high communication cost and computational cost for the TA. Refs. [13,14] propose the anonymous authentication schemes to achieve conditional privacy-preserving, where anonymous certificates are maintained by vehicles themselves. Vehicles are able to generate dummy identities and certificates independently to achieve mutual authentication and communication. However, since the computational cost of certificate generation is high, frequent changes of pseudonyms and certificates are computationally expensive for vehicles [15].

2.3. Identity-Based Cryptography-Based Authentication Schemes

Different from traditional asymmetric cryptography mechanism, IBC takes the identity information of the sender instead of the certificate for message authentication, which addresses the issue of storing and guaranteeing the security of vehicle certificates in traditional asymmetric cryptography authentication schemes. Ref. [16] provides an anonymous authentication scheme to protect vehicle privacy and trajectory. The proposed scheme assures that additional authentication beyond the threshold will lead to the revocation of illegal vehicles. Meanwhile, Ref. [16] designs a role-splitting mechanism to guarantee that any vehicles cannot be framed by a single corrupted authority. Meanwhile, identity-based cryptography is adopted to facilitate communication and storage efficiently. Ref. [17] presents an IBS-based scheme for mutual authentication in VANETs. The scheme adopts online and offline signatures to achieve V2I and V2V authentication, respectively, which meets conditional privacy and non-repudiation. However, as part of the asymmetric cryptography mechanism, IBC-based authentication schemes have to face the challenge of the limited computation and storage capacities of vehicles.

2.4. Group Signature-Based Authentication Schemes

In group signature-based authentication schemes, VANETs contain multiple groups, where each group manager is trustworthy. All group members are able to participate in authentication and communication as a group without revealing their real identities. Ref. [18] provides a threshold anonymous authentication protocol for VANETs. The proposed scheme employs a decentralized group model to release the burden of vehicle certificate generation and maintenance for the TA. Meanwhile, Ref. [18] supports traceability and message linkability. The tracking manager (TM) can easily trace the true identity of illegal vehicles. However, in mutual authentication protocol, the computational cost and authentication delay are too high for vehicles, which makes it difficult to build a trusting relationship between vehicles. In [19], RSUs, as the group leaders, are required to support vehicles’ anonymous authentication. As an anonymous certificate is cancelled, Ref. [19] can effectively reduce the transmission and communication costs in certificate issuing and anonymous authentication. However, the RSU is vulnerable to adversaries. Once the RSU is compromised, the information of all vehicles in the group will be exposed. Ref. [20] proposes a group signature-based secure VANETs communication scheme (GIGS). GIGS adopts a group signature to achieve the secure communication among vehicles, where messages are able to be anonymously signed by vehicles to hide their identities. On the other hand, in [20], as a certificate is canceled, the risk of certificate leakage is solved and the computational cost of certificate verification is reduced. However, there is no effective mechanism to revoke illegal vehicles. In [21], a regional group manager is added into VANETs to update vehicle identifiers and group keys periodically, which is able to solve the authorisation disputes. Nevertheless, for vehicle signature and verification, a large number of point multiplications and bilinear pairings seriously affects the communication efficiency. In addition, if a vehicle is considered as the illegal node, it is difficult to trace the vehicle’s historical communication records. NECPPA [22] adopts a group signature to support conditional privacy-preserving. In order to protect the security of VANETs, all vital information is stored in RSUs and TPDs. In addition, NECPPA achieves batch verifications to improve efficiency. However, the pseudonyms are randomly generated by vehicles; once a vehicle misbehaves, it is difficult to trace the vehicle. Ring signature, a special group signature mechanism, is employed in [23]. Vehicles can generate a ring signature independently; thus, RSU is able to centralize computation and communication capabilities to provide services for vehicles. However, in order to revoke illegal vehicles, other vehicles have to traverse all the information of the ring members, which leads to a low efficiency of revocation.

2.5. Blockchain-Based Authentication Schemes

Due to the characteristics of decentralization, immunity, auditability and fault tolerance, blockchain technology is being tried by researchers to support VANETs authentication. BUA [24] realizes the maintenance of the blockchain storing vehicle information by adding multiple service managers. On this basis, the vehicles are able to independently generate legal pseudonyms to participate in anonymous authentication. However, due to the complete anonymization, BUA cannot meet the conditional privacy. It is difficult to track the malfunctioning vehicle. In order to solve the issue, BPPA [25] integrates certificate with blockchain, where all activities of issuing certificate for the vehicle are recorded in blockchain. Furthermore, in order to verify the legitimacy of vehicles, BPPA requires blockchain nodes to synchronize the issued certificate to RSUs and vehicles through the consensus mechanism. BPPA hides the real identity of the vehicle in the certificate, realizes the anonymity of the vehicle and ensures the traceability to the malicious vehicle. However, the proposed scheme does not solve the problem of high computational cost caused by verifying the certificates. EPAM [26] supports the distributed authentication by extending the blockchain with an asynchronous accumulator, and reduces the computational cost through a one-way hash function instead of certificates. In order to improve the authentication efficiency, the RSU can query the hash value of the vehicle certificate from the regional service manager who maintains the blockchain. However, the above schemes ignore the cost of vehicle information maintenance. Due to the high computational cost of blockchain and communication delay caused by the consensus mechanism, blockchain-based authentication schemes usually require blockchain nodes to have high computation and storage capacity.

A summary and comparison of the above schemes and PAS are shown in

Table 1. Comparison of the related schemes.

Schemes	Identity Authentication	Message Authentication	Anonymity	Key Agreement	Distributed Resolution	Conditional Tracking	Unlinkablity
Choi et al. [8]	√	√	√	×	√	×	×
Lyu et al. [9]	√	√	√	×	√	×	×
Taeho et al. [10]	√	√	×	×	×	×	×
Vijayakumar et al. [11]	√	√	×	√	×	×	√
Azees et al. [13]	√	√	√	×	×	√	√
Wang et al. [14]	√	√	√	×	×	√	√
Sun et al. [16]	√	√	√	×	×	×	√
Li et al. [17]	√	√	√	×	×	√	√
Shao et al. [18]	√	√	√	×	√	×	×
Zhang et al. [19]	√	√	√	×	×	√	×
Lin et al. [20]	√	√	√	×	×	√	√
Sun et al. [21]	√	√	√	×	√	×	×
Pournaghi et al. [22]	√	√	√	×	√	×	√
Chaurasia et al. [23]	√	√	√	×	×	×	×
Liu et al. [24]	√	√	√	×	√	×	√
Lu et al. [25]	√	√	√	×	√	√	√
Feng et al. [26]	√	√	√	×	√	√	√
PAS	√	√	√	√	√	√	√

.

3. Preliminaries

3.1. VANETs

VANETs are considered as an essential part of ITS to connect vehicles either to each other or to an infrastructure. In VANETs, a broad range of mobile communication technologies are integrated into roadside unit (RSU) and vehicles to relieve traffic congestion, improve safety, and enhance productivity. As shown in Figure 1, vehicles with on-board units (OBUs) adopt dedicated short-range communication (DSRC) to communicate with RSUs or other OBUs to obtain the required services [27]. RSUs provide safety-related services, efficiency-related services, entertainment-related services, and so forth for vehicles with surrounding vehicles. The base station can communicate with external networks and provide network communication services for VANETs. Consequently, two different types of communication are used to support the application and services in VANETs. (1) Vehicle-to-infrastructure (V2I) communication—V2I refers to the communication between the vehicle and RSU. When vehicles enter the signal coverage range of RSUs, vehicles are able to adopt DSRC to request RSUs to obtain the services. RSUs deployed and managed by motorway operators own external network communication capability through interconnection with surrounding base stations, and provide necessary services for surrounding vehicles; (2) vehicle-to-vehicle (V2V) communication—V2V refers to the communication between vehicles, which is completed by vehicles independently, without the participation of central entities. This type of communication is usually carried out without the RSU or in some specific scenarios.

3.2. Software-Defined Network

Due to VANETs’ salient features, it is difficult to supply coordinate services according to diverse quality of service (QoS) requirements. As a result, building a programmable network architecture to support the inter-operation among entities in VANETs becomes vital [28]. Software-defined network (SDN) is an important network architecture to support network management. The core concern of SDN is how to separate the system (control plane) and the sending capacities (data plane) [29], which are able to improve network performance in terms of network management, control, and data handling.

As shown in Figure 2, SDN consists of a control plane and data plane. The control plane is responsible for generating internal exchange paths, boundary service routes, as well as handling the network state change events. The data plane only provides a simple data forwarding function, which can quickly process matching packets to meet the increasing demand of traffic. A standard protocol (e.g., openflow) is used for communication between the two planes. Openflow switch is the core component of the whole network, which stores a flow table that is generated, maintained, and distributed by an external controller to support data forwarding. There are two modes for distributing the flow table: active mode and passive mode. In active mode, the SDN controller actively sends the flow table data collected by itself to open the flow switch. Then, the open flow switch is able to directly forward data according to the flow table. The advantage of active mode is that the data plane shortens the waiting time for controller operation and greatly reduces the forwarding delay. However, this mode has high requirements for the capacity of the flow table. In passive mode, after receiving the packet, the open flow switch first finds the forwarding target port on the local flow table. If there is no match, the open flow switch forwards the data packet to the controller. The control layer determines the forwarding port and issues the flow table. The advantage of passive mode is that the network equipment does not need to maintain all flow tables. Only when the actual traffic is generated can the flow table records be obtained from the controller. When the records expire, the corresponding flow tables are deleted, so the storage space is greatly saved.

3.3. Bilinear Mapping

$G_1$ and $G_T$ are supposed as two multiplicative groups with the large prime number order q. A bilinear pairing e: $G_1$×$G_1$ → $G_T$ satisfies the following properties [30].

(i)

Bilinearty: for any P, Q∈$G_1$, a, b∈$Z_q^{*}$, there is $e(aP,bQ)=e{(P,Q)}^{ab}$.

(ii)

Non-degeneracy: existing P, Q∈$G_1$ satisfies $e(P,Q)=1$.

(iii)

Computability: for all P, Q∈$G_1$, an algorithm exists to calculate $e(P,Q)$.

3.4. Gap Diffie–Hellman (GDH) Groups

Given an additive group G generated by P, whose order is a prime p with $\lambda$ bits, let a, b, and c be elements of $Z_q^{*}$. The following mathematical problems are detailed:

• Computation Diffie–Hellman Problem (CDHP). Given P, $aP$, and $bP$, no PPT algorithm exists that is able to output $abP$ with negligible probability $negl\left(K\right)$.
• Decisional Diffie–Hellman Problem (DDHP). Given P, $aP$, $bP$, and $cP$, no PPT algorithm exists that decides whether $c==ab$ with negligible probability $negl\left(K\right)$.

Group G is the GDH group if a probabilistic algorithm exists to solve DDHP in polynomial time; however, no probabilistic algorithm can solve CDHP with a non-negligible advantage within polynomial time.

3.5. Short Signature Scheme (BLS)

In 2001, a short signature scheme (BLS) based on pairing cryptography was proposed by Boneh et al. [31]. The length of the signature is only half of the digital signature algorithm (DSA). Thus, BLS can guarantee the lower communication cost in VANETs. The BLS scheme is expressed as follows:

Setup. Private key generator (PKG) chooses an cycle addition group $G_1$ and cycle multiplication group $G_T$ generated by prime q, a bilinear mapping $e:G_1\times G_1\to G_T$, P is the generator of $G_1$, and hash function: $H_0:{\{0,1\}}^{*}\to G_1$.

Extract. The signer randomly chooses $r\in Z_q^{*}$ as its long term private key and gets the public key $P_{pub}=rP$.

Sign. For message M, the signer calculates the signature as: $V=r{H}_0\left(M\right)$.

Verify. During verifying V, the verifier checks whether $e(P_{pub},H_0\left(M\right))==e(P,V)$ is satisfied. If yes, then the verifier accepts the message M. Otherwise, the message M is refused.

4. The Proposed Scheme

In this section, the details of the proposed scheme are presented, which include network architecture, trust model, system initialization, registration protocol, and authentication protocol. The relevant symbols and descriptions are first given in

Table 2. Symbols and descriptions.

Symbol	Description
$I{D}_A$	The true identity of A
$P{K}_A/S{K}_A$	The public and private key of A
$K_{A-B}$	The shared key between A and B
$C_{A-B}$	The ciphertext generated by A and sent to B
$Sig{n}_A$	The signature generated by A
$P{S}_A$	A’s pseudonym
$TS$	Timestamp
$EXP$	Expiration
N	Challenge value
$H_i$	Hash function
$\left|\right|$	Concatenations between messages
$Enc\_ALG\_P{K}_A\left\{M\right\}$	Using $P{K}_A$ to encrypt message M through ALG algorithm
$Sign\_ALG\_S{K}_A\left\{M\right\}$	Using $S{K}_A$ to sign message M through ALG algorithm
$Enc\_ALG\_K_{A-B}\left\{M\right\}$	Using $K_{A-B}$ to encrypt message M through ALG algorithm

.

4.1. Network Architecture

This part describes the secure communication network architecture based on SDN. As depicted in Figure 3, the below entities are incorporated for deploying the system.

Department of Motor Vehicles (DMV) provides necessary management service for vehicles, such as registration, user change, transfer, mortgage, and cancellation registration. Vehicles need to apply for registration with DMV.

Trust authority (TA) is liable for computing and broadcasting system parameters. Meanwhile, the TA provides public keys and private keys for vehicles registered in DMV. Moreover, the TA communicates with the SDN controller to provide the vehicles’ public keys for supporting anonymous authentication.

SDN controller is considered as the global intelligence to control all network behaviors. SDN controller communicates with TA to obtain vehicles’ public keys and relay them to SDN RSU controllers.

SDN RSU controllers are deployed into base stations, which are mainly responsible for vehicle identity management. Furthermore, in order to support the authentication protocol, SDN RSU controllers periodically send vehicles’ information to RSUs.

RSUs use the information stored from SDN RSU controller to verify the legality of vehicles. Once the vehicles are thought to be legal, RSUs are able to provide the services for the vehicles.

Vehicles equipped with OBUs adopt DSRC and IEEE WAVE standard to communicate with the surrounding vehicles and RSUs to obtain various services.

4.2. Threat Model

The proposed threat model is built on the network architecture. The DMV, TA, and SDN controller are assumed to be fully trusted entities. Any adversary cannot compromise and breach them. SDN RSU controllers and RSUs are honest but curious, which means that these entities follow the proposed scheme, but may attempt to obtain vehicles’ privacy through the received message. Vehicles are vulnerable and easily breached by adversaries. As a result, these vehicles are the most likely to threaten the safety of VANETs.

DMV, TA, and SDN controllers can resist external attacks. Since the DMV, TA, and SDN controller are maintained by the government or regulator, the proposed scheme defaults so that it is impossible to be attacked from an internal source.

RSU controllers may try to obtain the identities, location, and transmitted message of a vehicle, which indicates that they may find the real ID and the trajectory of the vehicle from the stored data, so as to associate it with the owner’s identity information and privacy.

RSUs are curious about the real identities of the vehicles. Since vehicles need to connect to the backbone network through RSUs, RSUs are likely to be interested in the data forwarded, so as to obtain the owners’ hobbies, occupations and other useful information. Moreover, as each vehicle needs to broadcast a beacon regularly, RSUs may be very inquisitive about the vehicles’ trajectories when receiving this information.

Vehicles can not only pretend to be legitimate users to communicate with other entities, but also forge false messages to worsen the road service level and traffic safety.

External adversaries have the ability to eavesdrop on communication channels and collect the messages to violate vehicles privacy. Furthermore, external adversaries have the ability to impersonate an RSU or vehicle to obtain the privacy of other vehicles.

4.3. System Initialization

The TA is required to generate system parameters of VANETs during system initialization. The details are depicted as follows:

(i)

The TA chooses an additive group and a multiplicative group $G_1$, $G_T$, respectively, where the prime order is q and the generator is P.

(ii)

A bilinear pairing e: $G_1$ × $G_1$ → $G_T$, and four hash functions $H_0$, $H_1$:${\{0,1\}}^{*}\to$$G_1$, $H_2$: ${\{0,1\}}^{*}\to$$Z_q^{*}$, and $H_3$: ${\{0,1\}}^{*}\times G_1\to Z_q^{*}$ are selected.

(iii)

TA chooses $S{K}_{TA}\in Z_q^{*}$ as the master key and $P{K}_{TA}=S{K}_{TA}P$ as the public key. In addition, $K\in {\{0,1\}}^n$ is selected as a secret key.

TA broadcasts the parameters $param$={$G_1$, $G_T$, e, q, P, $P{K}_{TA}$, $H_0$, $H_1$, $H_2$, $H_3$} to all entities in VANETs.

4.4. Vehicle Registration Protocol

After submitting the basic information to the DMV, the vehicle needs to upload its real identity to the TA and apply for registration. The details are shown as Figure 4.

(i)

Vehicle submits its real $ID$ information to the DMV offline, such as the owner’s identity, to apply for registration.

(ii)

The DMV confirms the validity of the received information. If considered a legal vehicle, the vehicle will receive an identity confirmation message. Meanwhile, the DMV will send vehicle information to the TA via a secure channel.

(iii)

The vehicle chooses $a\in Z_q^{*}$ as the key agreement parameter, and random number $N_1$ as the challenge value. Then, the vehicle computes $aP$ and ciphertext $C_{v-TA}$, where $C_{v-TA}=Enc\_ECIES\_P{K}_{TA}\{I{D}_v,aP,N_1\}$.

(iv)

The vehicle sends $C_{v-TA}$ to the TA for registration.

(v)

When receiving $C_{v-TA}$ from the vehicle, the TA takes the private key $S{K}_{TA}$ to decrypt $C_{v-TA}$ and obtains $I{D}_v$, $aP$, $N_1$. Then, the TA verifies the legality of $I{D}_v$, depending on the information from the DMV. If $I{D}_v$ is legal, then the TA computes the vehicle multiple pseudonyms $P{S}_v^i=H_2(I{D}_v\left|\right|r_i)$, private keys $S{K}_v^i\in Z_q^{*}$, and public keys $P{K}_v^i=S{K}_v^{i}P$, where $r_i$ is the random number without repetition.

(vi)

The TA sends multiple pseudonyms, public keys, and expirations to SDN RSU controllers via the SDN controller. The RSU SDN controller stores them locally.

(vii)

The TA stores vehicle information and computes session key $K_{TA-v}=S{K}_{TA}aP$. Finally, the TA encrypts $P{S}_v^i$, $P{K}_v^i$, $S{K}_v^i$, and $N_1$ to get $C_{TA-v}=Enc\_AE{S}_{\_}{K}_{TA-v}\{P{S}_v^i$, $P{K}_v^i$, $S{K}_v^i$, $N_1\}$.

(viii)

The TA sends $C_{TA-v}$ to the vehicle.

(ix)

When receiving $C_{TA-v}$, the vehicle generates the session key with the TA $K_{v-TA}=aP{K}_{TA}$ and decrypts $C_{TA-v}$ to get $P{S}_v^i$, $P{K}_v^i$, $S{K}_v^i$, and $N_1$. Then, the vehicle checks $N_1$. If $N_1$ is correct, the vehicle stores $P{S}_v^i$, $P{K}_v^i$, and $S{K}_v^i$; otherwise, the vehicle discards $C_{TA-v}$, and re-applies for registration.

4.5. RSU Registration Protocol

Before joining into VANETs, the RSU is required to execute RSU registration protocol and obtain its privacy key. RSU first submits $I{D}_{RSU}$ to the TA via a secure channel. When receiving $I{D}_{RSU}$, the TA needs to check the legality of $I{D}_{RSU}$. If the RSU is valid, the TA generates $S{K}_{RSU}=S{K}_{TA}{H}_1\left(I{D}_{RSU}\right)$ and sends it to the RSU. When obtaining $S{K}_{RSU}$, the RSU is able to generate the legal signature through the IBPS mechanism proposed by [32].

4.6. V2I Authentication Protocol

The V2I authentication protocol is executed when the vehicle and RSU need to prove their legality to each other.The details are depicted in Figure 5.

(i)

RSU first signs its true identity $I{D}_{RSU}$, timestamp $T{S}_1$, and challenge value $N_2$ through the signature mechanism shown in Algorithm 1 to get $Sig{n}_{RSU}$= $Sign\_IBPS\_S{K}_{RSU}\{$

$I{D}_{RSU}$, $T{S}_1$, $N_2\}$. Then, the RSU broadcasts $I{D}_{RSU}$, $T{S}_1$, $N_2$, and $Sig{n}_{RSU}$.

(ii)

When entering the signal coverage of RSU, the vehicle can receive the broadcast message from the RSU. The vehicle first checks the freshness of $T{S}_1$; if $T{S}_1$ is not fresh, the authentication has failed. Otherwise, the vehicle checks $e(V,P)==e(H_1(I{D}_{RSU}\left|\right|T{S}_1$$\left|\right|N_2),P_{Pub})$$e(H_1(I{D}_{RSU}\left|\right|T{S}_1$$\left|\right|N_2),W)$ to verify $Sig{n}_{RSU}$. If the verifications are successful, then the vehicle computes session key $K_{v-RSU}=S{K}_v^{i}W$. Finally, the vehicle adopts the BLS signature mechanism [31] to sign $P{S}_v^i$, timestamp $T{S}_2$, and challenge value $N_3$ to get $Sig{n}_v=Sign\_BLS\_S{K}_v^i\{P{S}_v^i,T{S}_2,N_3\}$=$S{K}_v^i{H}_0(P{S}_v^i\left|\right|T{S}_2\left|\right|N_3)$. Meanwhile, the vehicle encrypts $N_2$ to get $C_{v-RSU}=Enc\_AE{S}_{\_}{K}_{v-RSU}\left\{N_2\right\}$.

(iii)

The vehicle sends $P{S}_v^i$, $T{S}_2$, $N_3$, $Sig{n}_v$, and $C_{v-RSU}$ to the RSU.

(iv)

Once obtaining the message from vehicle, the RSU confirms the freshness of $T{S}_2$. If $T{S}_2$ is fresh, then the RSU continues to confirm whether $P{S}_v^i$ is stored in the local database. If there is no $P{S}_v^i$, RSU sends $request$ to SDN RSU controller and obtains the latest data. Then, the RSU selects the vehicle public key $P{K}_v^i$ according to $P{S}_v^i$ and checks $e(P,Sig{n}_v)$ == $e(P{K}_v^i,H_0(P{S}_v^i\left|\right|$. $T{S}_2\left|\right|N_3$)) to verify $Sig{n}_v$. If $Sig{n}_v$ is legal, the vehicle is considered a legal vehicle. Afterwards, the RSU generates the session key $K_{v-RSU}=rP{K}_v^i$ and decrypts $C_{v-RSU}$ to check $N_2$. Finally, the RSU encrypts $N_3$ to get $C_{v-RSU}=Enc\_AES\_K_{v-RSU}\left\{N_3\right\}$.

(v)

The RSU sends $C_{v-RSU}$ to the vehicle.

(vi)

The vehicle decrypts $C_{v-RSU}$ and verifies $N_3$. If $N_3$ is legal, the secure bi-tunnel between the vehicle and RSU is established.

(vii)

During the communication between the vehicle and RSU, the RSU needs to send the pseudonyms and public keys of other vehicles to the vehicle for future V2V authentication.

Algorithm 1 RSU signture algorithm.

Input:     RSU true identity $I{D}_{RSU}$, timestamp $T{S}_1$, challenge value $N_2$, RSU privacy key $S{K}_{RSU}$ Output:    RSU signature $Sig{n}_{RSU}$ 1: Choose a random number $r\in Z_q^{*}$ 2: Calculate $V=S{K}_{RSU}+r{H}_1(I{D}_{RSU}$$\left|\right|$$T{S}_1$$\left|\right|$$N_2)$ 3: Compute $W=rP$ 4: return $Sig{n}_{RSU}=(V,W)$

4.7. V2V Authentication Protocol

The V2V authentication protocol is executed when the vehicle v and the vehicle $v^{\prime }$ needs to prove their legality to each other. The details about the V2V authentication protocol are depicted in Figure 6.

(i)

Vehicle v chooses its pseudonym $P{S}_v^i$ and generates signature $Sig{n}_v=Sign\_BLS\_S{K}_v^i$$\{P{S}_v^i,$$T{S}_3$, $N_4\}$, where $T{S}_3$ is the current timestamp, $N_4$ is the challenge value.

(ii)

v sends $P{S}_v^i$, $T{S}_3$, $N_4$, and $Sig{n}_v$ to $v^{\prime }$.

(iii)

Vehicle $v^{\prime }$ first checks the freshness of $T{S}_3$, and then selects $P{K}_v^i$ from $P{S}_v^i$. Then, $v^{\prime }$ verifies $Sig{n}_v$. $v^{\prime }$ chooses $P{S}_{v^{\prime }}^i$, $S{K}_{v^{\prime }}^i$ to compute $K_{v^{\prime }-v}=S{K}_{v^{\prime }}^{i}P{K}_v^i$ and $Sig{n}_{v^{\prime }}=$$Sign\_BLS\_S{K}_{v^{\prime }}^i\{P{S}_{v^{\prime }}^i,T{S}_4,N_5\}$, where $T{S}_4$ is the current timestamp and $N_5$ is the challenge value. Finally, $v^{\prime }$ encrypts $N_4$ to get $C_{v^{\prime }-v}=Enc\_AES\_K_{v^{\prime }-v}\left\{N_4\right\}$.

(iv)

$v^{\prime }$ sends $P{S}_{v^{\prime }}^i$, $T{S}_4$, $N_5$, $Sig{n}_{v^{\prime }}$, and $C_{v^{\prime }-v}$ to v.

(v)

When obtaining the message from $v^{\prime }$, v confirms the freshness of $T{S}_4$. Then, v queries $P{K}_{v^{\prime }}^i$ and verifies $Sig{n}_{v^{\prime }}$. If $v^{\prime }$ is thought as a legal vehicle, v computes $K_{v-v^{\prime }}=S{K}_v^{i}P{K}_{v^{\prime }}^i$ and decrypts $C_{v^{\prime }-v}$ to confirm $N_4$. Finally, v encrypts $N_5$: $C_{v-v^{\prime }}=Enc\_AES\_K_{v^{\prime }-v}\left\{N_5\right\}$.

(vi)

v sends $C_{v-v^{\prime }}$ to $v^{\prime }$.

(vii)

$v^{\prime }$ decrypts $C_{v-v^{\prime }}$ to verify $N_5$. If $N_5$ is legal, then the secure bi-tunnel between v and $v^{\prime }$ is built. Otherwise, the V2V authentication has failed.

4.8. Vehicle Revocation Protocol

When the vehicle v misbehaves, vehicle revocation protocol is executed. The details are shown in Figure 7.

(i)

Other vehicle (e.g., $v^{\prime }$) is able to send $P{S}_v^i$ to the RSU via a secure bi-tunnel.

(ii)

When receiving the message from $v^{\prime }$, the RSU forwards the pseudonym to the SDN controller via the SDN RSU controller.

(iii)

The SDN controller confirms the vehicle v’s misbehaviors and sends a request for the TA to obtain all pseudonyms of v.

(iv)

TA queries all pseudonyms of v and sends these pseudonyms to the SDN RSU controller via the SDN controller.

(v)

The SDN RSU controller removes all local pseudonyms $P{S}_v^i$, public keys $P{K}_v^i$, expirations $EX{P}_v^i$ and broadcasts the newest identity information of vehicles to another SDN RSU controller.

(vi)

All legal vehicles are able to obtain the newest identity information of surrounding legal vehicles, which include the pseudonyms, public key, and expirations.

5. Security and Privacy Analysis

In this section, we present the security and privacy analysis of PAS in the following aspects in terms of the requirement proposed by [33].

5.1. Security Analysis

(i)

Anonymity. In the vehicle registration phase, the TA conceals the vehicle’s true identity $I{D}_v$ into $P{S}_v^i$, where $P{S}_v^i=H_2(I{D}_v\left|\right|r_i)$, $r_i$ is the random number selected by the TA. As a result, adversaries have to launch the second-preimage attack to find x, where x meets $H_2(I{D}_v\left|\right|r_i)==H_2\left(x\right)$. However, due to the feature of weak collision resistance for $H_2$, the probability of finding x is quite low.

(ii)

Authentication. In VANETs, authentication includes identity authentication and message authentication. In PAS, all legal public keys are stored into the SDN RSU controller and only vehicles with legal private keys can generate legal signatures to participate in authentication. Thus, any adversaries cannot generate a set of legal pseudonyms, public keys, and private keys to participate in the authentication. In addition, since each signed message contains a timestamp, PAS is able to effectively resist replay attacks. The adversaries cannot forward the legal signature to the target disguised as a legal vehicle for authentication, which satisfies identity authentication. For message authentication, vehicles are required to adopt a BLS signature to prove the legitimacy of their identity. All legal public keys are stored into the SDN RSU controller, and adversaries cannot generate a set of legal pseudonyms, public keys, and private keys to participate in the authentication. Meanwhile, Refs. [31,32] have proved the security of the signature mechanism, which guarantees that the proposed scheme is able to resist an MOV attack. Furthermore, adversaries cannot obtain a session key unless the DH problem is solved.

(iii)

Accountability and credential revocation. VANETs require the whole network to own the ability to record the misbehaviors of vehicles in time and exclude these vehicles from the network. PAS supports removing illegal vehicles from VANETs. Once the illegal vehicle is identified, vehicle revocation protocol is triggered to remove the public keys of illegal vehicles. Thus, the corresponding real identities are exposed in time. Furthermore, accountability denotes non-repudiation, which means that all messages transmitted cannot be denied by the senders. In PAS, all signatures need to be verified by the public keys stored at the SDN RSU controller. Since the mapping between the public keys and the real identities of the vehicles are stored in the TA, the vehicles cannot deny their signature. Meanwhile, these signatures also imply the real identities of the vehicles.

(iv)

Restricted credential usage. In the proposed scheme, all legal public keys stored in the RSU SDN controller must be used within the validity period. Once the public key expires, the vehicle has to communicate with the TA again to obtain a new pseudonym, public key, and private key. Furthermore, each signature contains a timestamp and challenge value to resist a replay attack and Sybil attack.

5.2. Privacy Analysis

(i)

Minimum disclosure. In authentication protocol, all authentication messages sent can only reveal the information required in the authentication process, but cannot expose more information. In PAS, the signed message only contains a pseudonym, timestamp, and challenge value—no additional messages need to be transmitted.

(ii)

Unlinkability. The unlinkability of vehicle identity and messages is vital to prevent vehicles from being tracked by external adversaries. PAS supports mainstream pseudonym exchange protocols, such as mix-zone, silent period, etc. These mechanisms guarantee that each vehicle identity cannot be linked through cooperation with surrounding vehicles. In addition, when the pseudonym is changed, the public key and private key of the vehicle are also changed. Therefore, in authentication and message transmission, adversaries have no way to link the different messages sent before and after the pseudonym change.

(iii)

Distributed resolution authority. As for the privacy of vehicles, a single authority is not allowed to reveal the vehicle identity, obtain the vehicle track, and revoke vehicle at the same time. In PAS, the mapping of the vehicle’s real identity and pseudonym is maintained by the TA, the vehicle’s public key and expiration list is protected by the SDN RSU controller, and the misbehavior verification and confirmation of illegal vehicles are performed by the SDN controller. It is not possible for any single authority to decide whether a vehicle can join VANETs or revoke a vehicle from VANETs.

(iv)

Perfect forward privacy. Due to active interference by adversaries, vehicles’ long term secret keys are likely to be compromised in the future. Perfect forward privacy ensures that even if the secret key is leaked, the encrypted communication in the past will not be recovered. In PAS, given the public key of vehicle v: $P{K}_v^i$, there is no way for adversaries to compute the other public keys of vehicle v. Therefore, even if the secret key of a vehicle is known by the adversary, the adversary cannot obtain the privacy information of the message sent by the vehicle, which equips PAS with perfect forward privacy.

6. Performance Analysis

The proposed scheme (PAS) is compared with EAAP [13], TAAP [18], and LIAP [14] in computational cost and communication cost. In addition, Veins simulation framework [34] is introduced to test the performance of the schemes including average authentication delay and packet loss ratio.

6.1. Computational Cost

Computational cost refers to the total computation time required for authentication. Since the computational cost of bilinear pairing and point multiplication are thousands time of hash function: $\{0,1\}\to Z_q^{*}$, we focus on such high computation operations.

In order to get the computational cost of each cryptographic operations, we adopted the pairing-based cryptography library [35] that provides interfaces and classes to support cryptographic operations based on bilinear pairing. The benchmark includes: the hardware platform with 2.6 GHz Intel(R) Core(TM) i7-6700HQ CPU, 2 GB RAM, operating system with Debian 9.4. The experiment adopted a bilinear map $e:G_1\times G_1\to G_T$, where $G_1$ is the additive group, $G_T$ represents the multiplicative group, and the generator is P. Equation $y^2=x^3+x$ $mod$ p defines the curve, where p: 512 bits, and Solinas prime number q = 160 bits.

Table 3. The execution time of pairing and element functions.

Symbol	Description	Time (ms)
$T_{mtp}$	Hash-to-point function	4.06
$T_{bp}$	Bilinear pairing function	1.35
$T_{pm}$	Point multiplication function	1.77
$T_{pe}$	Point exponentiation function	1.74

shows the experiment results.

For V2I anonymous authentication in EAAP, the vehicle is required to generate anonymous certificates. The vehicle first chooses temporary private keys $r_1,r_2,\dots ,r_l\in Z_q^{*}$ and computes corresponding public keys $Y_k=g_2^{r_k}$, where $l\le n,k=1,2,\dots ,l$, $g_2$ is the public parameter. Then, the vehicle selects $\mu ,k_1,k_2\in Z_q^{*}$ and generates its anonymous certificate: ${\gamma }_U=B_1^{\mu }$, ${\gamma }_V=T_i{A}_1^{\mu }$, $\lambda =(\mu +r_k)$$mod$ q, ${\lambda }_1={\gamma }_U^{\mu +k_1}$, ${\lambda }_2={\gamma }_U^{\mu +k_1}/{\gamma }_V^{\mu +k_2}$, where $B_1,A_1$ are public parameters, and $T_i\in$ is the vehicle authorization key ($AK=\{DI{D}_{\mu },T_i,E_i\}$). Finally, the vehicle computes the challenger $c=H\left(DI{D}_{\mu }\right|\left|A_1\right|\left|B_1\right|\left|E_i\right|\left|{\gamma }_U\right|\left|{\gamma }_V\right|\left|Y_k\right|\left|{\lambda }_1\right|\left|{\lambda }_2\right)$, ${\delta }_1=(r_k-k_1)$$mod$ q, ${\delta }_2=(r_k-k_2)$$mod$q, anonymous certificate $Cer{t}_k=\{Y_k\left|\right|E_i\left|\right|DI{D}_{\mu }\left|\right|{\gamma }_U\left|\right|{\gamma }_V\left|\right|c\left|\right|\lambda \left|\right|{\delta }_1\left|\right|{\delta }_2\}$, and signature of message M: $sig=g_1^{1/(r_k+H\left(M\right))}$. The vehicle sends M, $sig$, $Y_k$, and $Cer{t}_k$ to the verifier. When getting the packet from the vehicle, the verifier derives $N_i=E_i·DI{D}_{\mu }$, ${\lambda }_1^{\prime }={\gamma }_U^{\lambda }/{\gamma }_U^{{\delta }_1}$, ${\lambda }_2^{\prime }={\gamma }_U^{\lambda }\times {\lambda }_V^{{\delta }_2}$/(${\gamma }_U^{{\delta }_1}\times {\gamma }_V^{\lambda }$). Then, $c^{\prime }=H(DI{D}_{\mu }\left|\right|N_i\left|\right|B_1\left|\right|E_i\left|\right|{\gamma }_U\left|\right|{\gamma }_V\left|\right|Y_k\left|\right|{\lambda }_1^{\prime }\left|\right|{\lambda }_2^{\prime })$ are computed. If $c^{\prime }==c$, the verifier verifies the signature: $e(sig,Y_k·g_2^{H\left(M\right)})==e(g_1,g_2)$. If it holds, M will be accepted; otherwise, it will be rejected. Therefore, the computational cost of EAAP includes 14 point exponentiation operations and 2 bilinear pairing operations.

In TAAP, the given private key $x_{obu}$, group certificate $C_1,C_2$, group public key $y_{gm}$, ${y^{\prime }}_{gm,1}$, ${y^{\prime }}_{gm,2}$ vehicle chooses random numbers r, $\alpha$, $\beta$, s and signs the message M to get the signature $<{\sigma }_1,{\sigma }_2,{\sigma }_3,{\sigma }_4,{\sigma }_5,{\sigma }_6,{\sigma }_7,{\sigma }_8,{\sigma }_9,{\sigma }_{10},{\sigma }_{11}>$, where ${\sigma }_1=C_1\left(y_{gm}^{x_{OBU}}\right)$, ${\sigma }_2=C_2{g}_1^{r^{\prime }}$, ${\sigma }_3={g^{\prime }}_1^{\alpha }$, ${\sigma }_4={g^{\prime }}_2^{\beta }$, ${\sigma }_5={g^{\prime }}_1^{x_{OBU}}$, ${\sigma }_6={\sigma }_2^{x_{OBU}}$, ${\sigma }_7={\sigma }_2^{\alpha }$, ${\sigma }_8={\sigma }_2^{\beta }$, ${\sigma }_9=H_1{\left(M\right)}^{x_{obu}}$, ${\sigma }_{10}=H_2\left(M\right||{\sigma }_1\left|\right|{\sigma }_2\left|\right|...\left|\right|{\sigma }_9\left|\right|{\sigma }_2^s\left|\right|H_1{\left(M\right)}^s)$, ${\sigma }_{11}=s-{\sigma }_{10}^{x_{obu}}$$mod$q, $g_1\in G_1$, ${g^{\prime }}_1$, ${g^{\prime }}_2$$\in G_2$. If receiving the message from the vehicle, the verifier computes:

$$\begin{array}{cc}\hfill e({\sigma }_1,{g^{\prime }}_1)e({\sigma }_6,{y^{\prime }}_{gm,1})& ==e(g,{y^{\prime }}_{gm,2})\hfill \\ \hfill e({\sigma }_2,{\sigma }_3)& ==e({\sigma }_7,{g^{\prime }}_1)\hfill \\ \hfill e({\sigma }_2,{\sigma }_4)& ==e({\sigma }_8,{g^{\prime }}_2)\hfill \\ \hfill e({\sigma }_2,{\sigma }_5)e({\sigma }_6,{g^{\prime }}_1)& ==e({\sigma }_7{\sigma }_8,{y^{\prime }}_{gt})\hfill \end{array}$$

where ${y^{\prime }}_{gt}$ is the public key of group tracer. If all the above equalities hold, a vehicle is considered to be legal; otherwise, the verifier refuses to communicate with the vehicle. Hence, the computational cost of TAAP includes 11 point exponentiation operations, 10 bilinear pairing operations, and 2 hash-to-point function operations in $G_1$.

In LIAP, vehicle chooses random number $k_i\in Z_q^{*}$ to get $PI{D}_i^1=k_{i}P$, $PI{D}_i^2=RI{D}_i\oplus H\left(k_{i}P{K}_{CA}\right)$, $PS{K}_i^1=m_i^{1}PI{D}_i^1$, and $PS{K}_i^2=m_i^{2}H(PI{D}_i^1,PI{D}_i^2)$, where $RI{D}_i$ is vehicle real identity, $PI{D}_i=(PI{D}_i^1,PI{D}_i^2)$ is the pseudonym of vehicle, $PS{K}_i=(PS{K}_i^1,PS{K}_i^2)$ is the corresponding private key. The signatures of message M are computed: ${\sigma }_i=PS{K}_i^1+h\left(M\right)PS{K}_i^2$. Then, $PI{D}_i$, M, $P{K}_{R_i}$, and ${\sigma }_i$ are sent to RSU. When receiving the message, RSU checks the equation $e({\sigma }_1,P)==e(PI{D}_i^1,RP{K}_i^1)e(h\left(M\right)H(PI{D}_i^1\left|\right|PI{D}_i^2),RP{K}_i^2)$. If the equation holds, the signature is legal; otherwise, the RSU rejects it. Consequently, the computational cost of LIAP consists of six point-multiplication operations, three bilinear pairing operations, and three hash-to-point operations in $G_1$.

In PAS, vehicle needs to generate its signature $Sig{n}_v=Sign\_BLS\_S{K}_v^i\{P{S}_v^i,TS,N\}$, where $Sig{n}_v=S{K}_v^i{H}_1(P{S}_v^i\left|\right|TS\left|\right|N)$. When receiving the signature, RSU checks $e(P,Sig{n}_v)$ == $e(P{K}_v^i,H_1(P{S}_v^i\left|\right|TS\left|\right|N\left)\right)$ to verify the legality of vehicle. Thus, the communicational cost includes one point multiplication-operation, two bilinear pairings operations, and two map-to-point hash function operations in $G_1$.

The computational cost of each scheme is shown in

Table 4. The computational cost of each scheme.

Scheme	Computational Cost	Execution Time (ms)
EAAP	$7T_{pe}+13T_{pm}+2T_{bp}$	37.89
TAAP	$11T_{pe}+5T_{pm}+10T_{bp}+2T_{mtp}$	49.61
LIAP	$6T_{pm}+3T_{bp}+3T_{mtp}$	26.85
PAS	$T_{pm}+2T_{bp}+2T_{mtp}$	12.59

. We can see that PAS owns the lowest computational cost compared with other ones.

6.2. Communication Cost

Communication cost is defined as the total size of messages contained in VANETs in order to achieve mutual authentication. According to [36,37], for type A pairing with respect to 80 bits security level, the size of p is 64 bytes. A point on the group of points $E\left(F_q\right)$ consists of x and y coordinates. This means that the size of each element in $G_1$ is 64 × 2 = 128 bytes, whilst that of each element in $G_2$ is 20 × 2 = 40 bytes. In addition, the size for a general hash function in $Z_q^{*}$, an expiration, and a timestamp were considered to be 20 bytes, 4 bytes, and 4 bytes, respectively. As the basic configuration message is the same in VANETs, we only considered the size of the signature on the message with the corresponding vehicle’s identity.

In EAAP, the vehicle sends message $msg$= $\{M,sig,Y_k,Cer{t}_k\}$ to the verifier, where $sign\in G_1,Y_k\in G_2$, and $Cer{t}_k=\{Y_k\left|\right|E_i\left|\right|DI{D}_{\mu }\left|\right|{\gamma }_U\left|\right|{\gamma }_V\left|\right|c\left|\right|\lambda \left|\right|{\delta }_1\left|\right|{\delta }_2\}$, $E_i$, $DI{D}_{\mu }$, ${\gamma }_U,$${\gamma }_V$, $\lambda \in G_1$, c, ${\delta }_1$, ${\delta }_2$$\in Z_q^{*}$. Thus, the total of communication cost in EAAP is $6\times 128+40+3\times 20=868$ bytes. For the authentication protocol in TAAP, the vehicle is requested to transfer message M and signature $sign=\{{\sigma }_1,{\sigma }_2,{\sigma }_3,{\sigma }_4,{\sigma }_5,{\sigma }_6,{\sigma }_7,{\sigma }_8,{\sigma }_9,{\sigma }_{10},{\sigma }_{11}\}$, where ${\sigma }_1$, ${\sigma }_2$, ${\sigma }_6$, ${\sigma }_7$, ${\sigma }_8$, ${\sigma }_9$, ${\sigma }_{10}$, ${\sigma }_{11}$$\in G_1$, ${\sigma }_3$, ${\sigma }_4$, ${\sigma }_5$$\in G_2$. As a result, the communication cost of TAAP is $8\times 128+3\times 40=1144$ $bytes$. In LIAP, vehicle needs to transfer its pseudonym $PID=\{PI{D}^1,PI{D}^2\}\in G_1$, public key $P{K}_{RSU}\in G_1$, timestamp $TS$, and signature $\sigma \in G_1$. Thus, the communication cost of LIAP is $128\times 4+4=516$ bytes. In PAS, vehicle is requested to send a signature $Sig{n}_v=S{K}_v^i{H}_1(P{S}_v^i\left|\right|TS\left|\right|N)$ to prove the legitimacy of its identity, where $Sig{n}_v\in G_1$, $P{S}_v^i\in Z_q^{*}$, $TS$ is timestamp, and $N\in Z_q^{*}$. Thus, the total communication cost of PAS is $128+20+4+20$ = 172 bytes. The communication costs of each scheme are shown in

Table 5. The communication cost of each scheme.

Scheme	Message-Signature	Communication Cost (byte)
EAAP	$6|G_1|+|G_2|+3|Z_q^{*}|$	868
TAAP	$8|G_1|+3|Z_q^{*}|$	1144
LIAP	$4|G_1|+|TS|$	516
PAS	$|G_1|+2|Z_q^{*}|+|TS|$	172

.

6.3. Simulation

In this section, we use Veins [34] to test the performance of PAS and the other three schemes with regard to average authentication delay and packet loss ratio. Veins is an open source network framework. As a comprehensive model, veins can be used for rapid setup and interactive operation simulation through the GUI and IDE of OMNeT++ and Sumo, which guarantees that VANETs simulation is as real as possible without sacrificing speed. In the simulation, we adopt the real map of Tianhe District in Guangzhou, China, obtained from OpenStreetMap.The SUMO NET map of Guangzhou, and simulation parameters are shown in Figure 8, and

Table 6. Simulation parameters.

Parameter	Values
Hardware platform	CPU: 2.6 GHz Intel(R) Core(TM) i7-6700HQ, 2 GB RAM
Operating system	Debian 9.4
Traffic generator	SUMO
Network simulator	OMNET++
Simulator	veins
Simulation area	2000 × 2000 (m2)
Data Transmission Rate	6 Mbps
Transmission Power	20 mW
Simulation time	500 s
Number of cars	20–200
Cryptography library	The Pairing-Based Cryptography (PBC) Library, Crypto++ Library

, respectively.

6.4. V2I Average Authentication Delay

The V2I average authentication delay is defined as the average of the time taken by the RSU and all vehicles covered by the RSU to complete the authentication protocol. The equation of average authentication delay ($AD$) is depicted as follows:

$$\begin{array}{cc}\hfill AD& =\frac{1}{N}\sum _{i=1}^N(T_{end}^i-T_{start}^i)\hfill \end{array}$$

(1)

where N is the number of vehicles within the communication range of RSU, $T_{end}^i$ represents the end time of V2I authentication protocol, and $T_{start}^i$ refers to the start time of V2I authentication protocol.

Figure 9 displays the simulation results of PAS, EAAP, TAAP, and LIAP in terms of V2I average authentication delay, with the number of vehicles ranging from 20 to 200. We can see that the average authentication delay tends to increase steadily with the increasing number of vehicles. Due to limited channel bandwidth, the high computational cost and communication cost, EAAP, TAAP, and LIAP lead to longer average authentication delay. Moreover, with the increase of the number of vehicles, the efficiency of RSU continues to decrease, while the average authentication delay of PAS holds steady.

6.5. Packet Loss Ratio

Packet loss ratio ($PR$) is defined as the percentage of dropped packets in total sent packets. The equation to compute $PR$ is depicted as follows:

$$\begin{array}{cc}\hfill PR& =\frac{1}{N}\sum _{i=1}^N\frac{D_i}{R_i}\hfill \end{array}$$

(2)

where N refers to the number of vehicles within the communication range of RSU, $D_i$ represents the number of data packets dropped, and $R_i$ is the total number of packets sent.

Figure 10 shows the relationship between $PR$ and the number of vehicles within the RSU. In V2I authentication, due to the limitation of network bandwidth, with the increase in vehicles, the signal-to-noise ratio (SNR) is decreasing. At the same time, when a large number of vehicles send messages to the RSU, a channel congestion issue has to be faced, which results in $PR$ increasing. EAAP, TAAP, and LIAP require vehicles and RSUs to send request/response packets, which causes a longer transmission delay and a higher $PR$ compared with PAS.

7. Discussion

In terms of the high identity management cost and low authentication and communication efficiency, PAS adopts BLS signature mechanism and SDN to propose a privacy-preserving authentication scheme, which includes registration protocol, V2I authentication protocol, V2V authentication protocol, and vehicle revocation protocol. Compared with the traditional authentication schemes, PAS has the following advantages:

• PAS alleviates the high computational cost and communication cost caused by certificate generation, transmission and verification, which improves authentication efficiency.
• Since the traditional schemes focus on the authentication of vehicle identity and ignore the establishment of a secure tunnel for reliable data transmission, PAS requires the vehicle to store the key negotiation parameters in a signed message. Once authenticated, the vehicle assumes that the message can be sent and received safely and reliably.
• By integrating SDN, it is more convenient to dynamically update the public keys of vehicles, which improves the flexibility of vehicle management.

However, in order to support the large-scale deployment of VANETs, there are several problems that must be addressed.

• Multi-hop packet routing and forwarding mechanism—As the vital part of data transmission in VANETs, multi-hop packet routing and forwarding mechanism supports vehicles to interact with other vehicles across a wider range. However, due to the high-speed of vehicles and the rapid change in network topology, it is difficult to find an appropriate intermediate node for data transmission between the source node and the destination node, resulting in unstable communication between vehicles with a long distance between them. As a result, establishing a new multi-hop packet routing and forwarding mechanism to improve the stability of data transmission and ensure the reliability of data is very important for the rapid promotion of VANETs.
• Pseudonym change mechanism—In order to protect the location privacy, the vehicles need to periodically change their identity to prevent the tracking from adversaries. However, the traditional pseudonym change schemes are severely limited by the environment in which the vehicles are located, and cannot change the pseudonym in areas with low vehicle density safely. Therefore, proposing an efficient pseudonym change scheme is crucial to protect the location privacy of vehicles.
• Data-sharing mechanics—The data-sharing mechanism supports the vehicles to obtain the required data in time and improves the driving experience. However, it is easy for the adversaries to forge the shared data and confuse the surrounding vehicles in VANETs. The traditional data-sharing mechanisms usually face the problems of complex access control mechanism and low efficiency of data sharing. Therefore, designing a secure and efficient data-sharing mechanism is very important to support the rapid development of VANETs.

8. Conclusions

Authentication is considered to be the vital approach to guarantee the security of VANETs. This paper proposes a privacy-preserving authentication scheme based on SDN for VANETs (PAS). In PAS, SDN is introduced to provide identities management, anonymous authentication, and revocation for vehicles. The pseudonym maintenance costs of TA and RSU are reduced, and the computational cost in V2I and V2V authentication is improved. Security analysis and performance analysis show that the proposed scheme is secure and efficient.

In future work, we will explore the pseudonym change schemes based on adaptive privacy metrics, where vehicles are able to choose the most appropriate pseudonym change strategy according to the actual scene to keep the balance between security and efficiency.