An Enhanced Privacy-Preserving Authentication Scheme for Vehicle Sensor Networks

Abstract

Vehicle sensor networks (VSNs) are ushering in a promising future by enabling more intelligent transportation systems and providing a more efficient driving experience. However, because of their inherent openness, VSNs are subject to a large number of potential security threats. Although various authentication schemes have been proposed for addressing security problems, they are not suitable for VSN applications because of their high computation and communication costs. Chuang and Lee have developed a trust-extended authentication mechanism (TEAM) for vehicle-to-vehicle communication using a transitive trust relationship, which they claim can resist various attacks. However, it fails to counter internal attacks because of the utilization of a shared secret key. In this paper, to eliminate the vulnerability of TEAM, an enhanced privacy-preserving authentication scheme for VSNs is constructed. The security of our proposed scheme is proven under the random oracle model based on the assumption of the computational Diffie–Hellman problem.

1. Introduction

With the rapid development of the intelligent transportation systems (ITSs) [1], vehicular ad hoc networks (VANETs) have become increasingly popular. The vehicles in VANETs can communicate with each other via wireless communication [2]. If vehicles can interact with other vehicles or the roadside infrastructure to exchange collected data for decision-making and safer driving, traffic jams can be avoided and the safety of drivers can be guaranteed to the utmost extent; consequently, VANETs are a promising means of improving traffic safety and management. At present, vehicles are equipped with various sensors that can provide valuable data. Further equipping vehicles with onboard sensing devices can turn VANETs into vehicle sensor networks (VSNs) [3]. Therefore, the authentication protocols used in VANETs can also be used in VSNs. Moreover, dynamic traffic information and many types of physical data associated with traffic distributions can be sensed and collected by such vehicular communication networks. Therefore, VSNs are expected to significantly facilitate future wireless communication.

Two types of communication exist in VANETs, namely vehicle-to-vehicle (V2V) communication and vehicle-to-infrastructure (V2I) communication, which depend on two essential kinds of components: onboard units (OBUs) and roadside units (RSUs). As shown in Figure 1, OBUs are the wireless communication units equipped on vehicles, whereas RSUs are wireless access units located at significant places on the road. Generally, to assist vehicles and RSUs in performing certain tasks, such as authentication, a backend server should be deployed remotely. The characteristics of VANETs include self-organization, channel-opening behavior, and rapidly changing and multiple-hop topologies. Due to these characteristics, VANETs are more susceptible to malicious attacks. Since safety and privacy are a concern in many applications in VANETs [4,5], communication security issues are worthy of attention. Among the various security mechanisms used in VANETs, authentication is one basic component that is critical for ensuring security. However, a desirable authentication scheme must be efficient and practical for use in fast-moving scenarios, which means that the computation cost for authentication should be as low as possible to enable real-time response. In addition, privacy preservation should be considered, including the identity privacy, location privacy, and interest privacy. Moreover, the location of a vehicle is closely related to who is driving it. When a vehicle communicates with others in a wireless network, it will not be acceptable to the public if the vehicle’s identity and location are disclosed. Thus, privacy preservation must be achieved in the authentication procedure. In addition, it should be possible for the real identities of the malicious vehicles to be revealed by the authorities when necessary [5]. These requirements pose a considerable challenge for the development of an ideal authentication scheme.

Figure 1. Structure of a vehicular ad-hoc network.

The contributions of this paper are as follows: (1) an enhanced privacy-preserving authentication scheme based on the Chuang–Lee’s scheme is proposed that can resist internal attack. In addition, we demonstrate the correctness and security of the improved scheme and analyze its computational costs; (2) to preserve the identity privacy of drivers, anonymity is achieved by randomizing the real identities; and (3) to preserve the location privacy of drivers, unlinkability is achieved in the authentication procedure.

The remainder of this paper is organized as follows. Related work is introduced in Section 2. Preliminaries are presented in Section 3. A review of the Chuang–Lee’s scheme is provided in Section 4. Then, a concrete description of the proposed scheme is offered in Section 5. Section 6 presents the proofs of correctness, security and performance. Finally, the conclusions are provided.

2. Related Work

To cope with the challenges associate with VANETs, many types of authentication schemes have been investigated. Porambage et al. [6] introduced a two-phase authentication protocol for sensor networks that uses certificates and consequently cannot preserve the unlinkability of messages. Raya and Hubaux [7] proposed an authentication scheme for VANETs using anonymous certificates, in which each vehicle can utilize distinct key pairs in each authentication stage to avoid being tracked. However, frequent changing of key pairs is likely to result in burdensome management and storage requirements. Lu et al. [8] proposed an alternative way to avoid the complexity of preloading a large number of anonymous certificates with the support of RSUs. When a vehicle passes an RSU, it will be issued a short-term anonymous certificate; thus, the unlinkability of messages is preserved. However, the efficiency will inevitably be low because each vehicle must frequently interact with RSUs. Subsequently, Lin et al. [9] introduced another secure scheme that does not require interaction with RSUs, in which membership managers, rather than RSUs, are responsible for the issuing of certificates based on group signatures. However, the efficiency of this solutions is low. Zhang et al. [10] presented two additional authentication schemes with privacy preservation; however, the computational costs of their methods are somewhat high because of the utilization of bilinear pairing. Similarly, Zheng et al. [11] introduced an authenticated key agreement scheme based on bilinear pairing. Ou et al. [12] later showed that Zheng et al.’s scheme is susceptible to impersonation attacks, and proposed a more secure authenticated key agreement scheme; however, the computational cost of this scheme is again somewhat high because of the utilization of bilinear pairing. In addition, an authentication scheme with access control for VANETs was investigated by Yeh et al. [13]; however, Horng et al. [14] later showed that Yeh et al.’s scheme [13] is susceptible to privilege escalation attacks.

Recently, Chuang and Lee [15] developed a trust-extended authentication mechanism, called TEAM, for VANETs. In TEAM, vehicles are classified into three types, namely, law executors (LEs), mistrusted vehicles (MVs) and trusted vehicles (TVs), as shown in Figure 1. Moreover, it required each vehicle is equipped with a tamper-proof device from which no attacker can extract any stored data, which is so strong that it is not practical. The performance of this mechanism in response to several types of attacks has been analyzed; however, the linkability of messages in the authentication procedure and the possibility of internal attacks during the secure communication procedure, which can easily be executed by a malicious vehicle, have been ignored. A malicious vehicle can trace a driver by intercepting the message sent during the authentication procedure because the values $D_i$ and $M_4$ are constant. Moreover, a malicious trusted vehicle can compute the real identity of a user and the session key by intercepting a message communicated via the secure communication procedure because it possesses the authorized parameter. Kumari et al. [16] proposed an enhanced trust-extended authentication scheme based on TEAM. However, their scheme fails to protect against internal attacks. Therefore, we have developed an improved authentication procedure and secure communication procedure and have proven their correctness and security. The updating of the constant values used in the authentication procedure is performed by the user himself. Finally, we analyze the computational costs and security features of the improved secure communication procedure.

3. Preliminaries

3.1. Security Model

To accurately capture the capabilities of an attacker, an experiment concerning the interaction between an adversary and a challenger is introduced. The random oracle model, which originates from the work of Bellare et al. [17], is adopted in our security proof. An adversary A can be allowed to communicate with the participants through defined oracle queries; thus, the adversary’s behavior during a real attack can be modeled. In our proposed protocol, each participant is either a common vehicle’s OBU $V_i$ or an LE $E_i$. Let U represent all participants that is the union of common vehicle’s OBUs and LEs.

3.1.1. Protocol Execution

Let $U_i^i$ represent the ith instance of a participant $U_i$ and let b denote a randomly chosen bit. All possible oracle queries are described as follows:

• $Execute(V_i^i,U_j^i)$: The passive attack capability of the adversary A is tested by this query. Executing this query will output an honest execution transcript of the protocol.
• $Send(U_i^i,M)$: The active attack capability of the adversary A is tested by this query. A can send a $Send$ request on a message M to $U_i^i$. Upon receiving this message, $U_i^i$ proceeds with the normal execution of the protocol, and then returns the calculated result to the adversary A.
• $Corrupt(V_i^i)$: This query models an attack that steals a vehicle’s OBU attack. Upon execution of this query, all the information stored in the OBU of vehicle $U_i^i$ will be extracted by A.
• $Reveal(U_i^i)$: This query models a known key attack. If a session key has been obtained by $U_i^i$, then the session key of instance $U_i^i$ is returned to A. Otherwise, ⊥ is returned.
• $Test(U_i^i))$: This query models the ability of the adversary A to distinguishing a real session key from a random key. If the session key of participant $U_i^i$ has not been defined, ⊥ will be returned. Otherwise, if $b=1$, then the session key of instance $U_i^i$ will be returned; if $b=0$, a random key of the same size will be returned.

3.1.2. Notation

An instance $U_i^i$ is said to have been opened if A has issued a query $Reveal\left(U_i^i\right)$ to it; otherwise, it is said to be unopened [18]. After receiving the last expected protocol message, $U_i^i$ enters an accept mode and it is said to be accepted.

3.1.3. Partnering

To illustrate the process of partnering, the concept of a session identification code $sid$ is introduced. Given $U_1,U_2\in OBU$, instances $U_1^i$ and $U_2^i$ are called partners only when the following conditions hold: (1) $U_1^i$ and $U_2^i$ have entered accept mode. (2) The same $sid$ is shared between $U_1^i$ and $U_2^i$. (3) $U_1^i$ and $U_2^i$ are partners of each other.

3.1.4. Freshness

To avoid cases in which the security of the scheme is trivially broken by the adversary, the concept of freshness is introduced. The objective is to only permit the adversary to issue $Test$ queries to fresh oracle instances. Specifically, an instance $U_i^i$ is called fresh when it enters accept mode and both $U_i^i$ and its partner are unopened.

3.1.5. Semantic Security

Suppose that an adversary A executes a protocol P. A can ask a $Test$ query to a fresh instance after being given access to $Execute$, $Send$, $Reveal$, $Corrupt$ and $Test$ queries, and outputs a guess bit $b^{\prime }$. If $b^{\prime }=b$ where b is chosen in the $Test$ query, A is said to win this experiment defining semantic security. Let $Succ$ represent the event in which A is successful. The advantage of A in breaking the semantic security of P is defined as follows

$${Adv}_{P,D}\left(A\right)=2Pr\left[Succ\right]-1,$$

where the password is selected from a dictionary D.

3.2. Elliptic Curve Discrete Logarithm Problem

Let G be an elliptic curve group defined by a generator P and a prime number p. Then, the two central mathematical problems in elliptic curve cryptography (ECC), namely, the discrete logarithm problem and the computational Diffie–Hellman assumption, can be defined as follows [19].

Definition 1.

Elliptic curve discrete logarithm (ECDL) problem. Let $Q=aP$, where $Q,P\in G$ and $a{\in }_R{Z}_p^{*}$. The objective of the elliptic curve discrete logarithm problem is to find a when given two points $Q,P\in G$.

Definition 2.

Elliptic curve computational Diffie–Hellman (ECCDH) assumption. Let G denote a representative group of order p and A denote an adversary. Consider the following experiment:

$$\begin{array}{c}ExperimentEx{p}_G^{ECCDH}(G,P,p),\hfill \\ Q_1=r_{1}P,Q_2=r_{2}P,r_1,r_2{\in }_R{Z}_p^{*},\hfill \\ Q=A_{ECCDH}(Q_1,Q_2),\hfill \\ ifQ=r_1·r_2·P,b=1,elseb=0,\hfill \\ returnb.\hfill \end{array}$$

The advantage of A in solving the ECCDH problem is defined as follows:

$$Ad{v}_G^{ECCDH}\left(A\right)=Pr[Ex{p}_G^{ECCDH}(G,P,p)=1],$$

$$Ad{v}_G^{ECCDH}\left(t\right)=max\left\{Ad{v}_G^{ECCDH}\left(A\right)\right\},$$

where the maximum is taken over all A with time-complexity at most t.

4. Review of the Chuang–Lee’s Scheme

In this section, we review Chuang and Lee’s trust-extended authentication scheme (TEAM) [15]. In their scheme, the vehicles are classified into three types, namely, law executors (LEs), mistrusted vehicles (MVs) and trusted vehicles (TVs), as shown in Figure 1. An LE, such as a police vehicle, is treated as permanently trusted and plays a role similar to that of a mobile authentication server (AS). When a normal vehicle is authenticated successfully, it is deemed to be trusted, otherwise, it is treated as mistrusted. A TV will turn into an MV once the lifetime of its key has expired. To ensure the security of communication, an OBU can obtain service from providers only if it has been authenticated successfully.

TEAM consists of eight procedures: registration, login, password change, general authentication, trusted-extended authentication, secure communication, key update and key revocation. Before each vehicle joins the network, its OBU performs the registration procedure to register itself with the AS. The login procedure is performed when a vehicle intends to access service from the vehicular ad hoc network. After successfully completing the login procedure, the OBU checks its authentication state. If the vehicle is an MV, it needs to perform either the general authentication procedure or the trust-extended authentication procedure; it will then turn into a TV once it has been authenticated successfully and has obtained an authenticated key. Then, it can play the role of an LE to authenticate other mistrusted OBUs via the trust-extended authentication procedure. Two trusted vehicles can perform the secure communication procedure to interact with each other. A trusted vehicle can choose to perform the key update procedure with an LE when its key is approaching expiration. Otherwise, the state of the TV changes to mistrusted when the lifetime of the key has expired.

The OBU of each vehicle is equipped with secure hardware, including a tamper-proof device (TPD) and an event data recorder (EDR). The TPD hinders an attacker from obtaining information from the OBU. Recording important data, such as public parameters, preloaded secret keys, times, and locations, is the responsibility of the EDR. In addition, each vehicle is synchronized via a GPS device. Finally, each vehicle periodically broadcasts a hello message with its authentication state (mistrusted or trusted). The related notations are briefly defined in Table 1. The details of the TEAM protocol follow.

Table 1. The notations.

Notation	Definitions
x	A private key for the AS
$x_i$	A private key for user i
$PSK$	A pre-shared secure key set among the LEs and the AS
$I{D}_i$	The identification code for entity i
$P{W}_i$	The password for user i
$AI{D}_i$	The alias for entity i
h	A secure hash function
⊕	The XOR operator
∥	The combination of strings
$P_{pu{b}_i}$	A public key for user i and $P_{pu{b}_i}=x_{i}P$
p	A secure large prime
$E\left(F_p\right)$	A secure elliptic curve
P	The primitive generator for G
G	The subgroup of $E\left(F_p\right)$ with order p
$Z_p^{*}$	The set consisting of all primes in $\{0,1,\dots ,p-1\}$
$r,y{\in }_R{Z}_p^{*}$	An element selected randomly from $Z_p^{*}$
$S{K}_{ij}$	A session key between entity i and entity j
$MS{G}_{KU}$	A key update message

4.1. Registration

LE Registration: In this procedure, an LE registers itself with the AS via the manufacturer or a secure channel. The secure key set $\{PS{K}_i,i=1,\dots ,n\}$ is sent to the LE by the AS. Only this secure key set is required to be stored in the secure hardware of the LE. No other user information needs to be stored. Furthermore, the lifetime of each $PS{K}_i$ is set to be short for robust security. When the lifetime of each trusted vehicle’s key expires, this vehicle is required to perform the key update procedure with the LE. The procedure for the key set generation is depicted in Figure 2. It can be seen that the old $PSK$ (e.g., $PS{K}_1$) cannot be used to derive the new $PSK$ (e.g., $PS{K}_2$) because a one-way hash function is introduced in the key generation procedure.

Figure 2. Key set generation scheme based on the hash–chain method.

Normal Vehicle Registration: All vehicles except LEs need to perform this procedure when they are delivered to market. This registration procedure is performed only once by each vehicle.

Step1.

$U_i\to AS$: A user $U_i$ chooses his password $P{W}_i$ and sends its public identity $I{D}_i$ and $P{W}_i$ to the AS via the manufacturer or a secure channel.

Step2.

The AS evaluates the following parameters for $U_i$ after it receives $I{D}_i$ and $P{W}_i$: $A_i=h\left(I{D}_i\parallel x\right)$, $B_i=h^2\left(I{D}_i\parallel x\right)=h\left(A_i\right)$, $C_i=h\left(P{W}_i\right)\oplus B_i$, and $D_i=PSK\oplus A_i$.

Step3.

$AS\to U_i$: The parameters (i.e., $I{D}_i,B_i,C_i,D_i,h\left(\right)$) are stored in the OBU’s secure hardware by the AS via a secure channel.

4.2. Login

The login procedure is performed when a user $U_i$ intends to access the service from vehicle sensor networks. The login procedure is described as follows:

Step1.

$U_i\to OB{U}_i$: $I{D}_i$ and $P{W}_i$ are input to $OB{U}_i$ by $U_i$.

Step2.

First, $OB{U}_i$ verifies $I{D}_i$. Then, it checks whether $B_i=h\left(P{W}_i\right)⨁C_i$ holds. If so, $OB{U}_i$ launches the general authentication procedure or the trust-extended authentication procedure. Otherwise, the login request will be rejected.

4.3. Password Change

When a user $U_i$ wants to update his password, he invokes the optional password change procedure. The steps of this procedure are described below:

Step1.

$I{D}_i$ and $P{W}_i$ are input to its $OB{U}_i$ by $U_i$.

Step2.

First, $OB{U}_i$ verifies $I{D}_i$ checks whether $B_i=h\left(P{W}_i\right)\oplus C_i$. If so, $U_i$ will be requested to input his new password $P{W}_i^{*}$. $OB{U}_i$ computes $C_i^{*}=C_i\oplus h\left(P{W}_i\right)⨁h\left(P{W}_i^{*}\right)$ and replaces $C_i$ with $C_i^{*}$. Otherwise, the request will be rejected.

4.4. General Authentication

The general authentication procedure is performed between $OB{U}_i$ and $L{E}_j$ after $U_i$ has completed the login procedure. The steps of this procedure are described below:

Step1.

$OB{U}_i$ chooses a random number $r_i$ and computes its alias $AI{D}_i=h\left(r_i\right)\oplus I{D}_i$. Then, it produces the request messages $M_1=h\left(B_i\right)\oplus r_i$ and $M_2=h(r_i\parallel AI{D}_i\parallel D_i)$.

Step2.

$OB{U}_i\to L{E}_j$: The authentication messages (i.e., $AI{D}_i$,$M_1$,$M_2$ and $D_i$) are sent from $OB{U}_i$ to $L{E}_j$.

Step3.

Upon receiving the authentication request message (i.e., $AI{D}_i$,$M_1$,$M_2$,$D_i$), $L{E}_j$ uses $PSK$ to retrieve $A_i=D_i\oplus PSK$ and $r_i=M_1\oplus h^2\left(A_i\right)$ and then checks whether $M_2=h(r_i\parallel AI{D}_i\parallel D_i)$ holds. The authentication request will be rejected if this equation does not hold. Otherwise, $L{E}_j$ computes $I{D}_i=AI{D}_i\oplus h\left(r_i\right)$ and produces a random number $r_j$ with which to calculate $AI{D}_j=r_j\oplus I{D}_j$ and $S{K}_{ij}=h(r_i\parallel r_j)$. Finally, $L{E}_j$ calculates the response messages $M_3=r_j\oplus h^2\left(r_i\right)$, $M_4=A_i\oplus h\left(I{D}_i\right)$ and $M_5=h(M_4\parallel r_j\parallel AI{D}_j)$.

Step4.

$L{E}_j\to OB{U}_i$: $L{E}_j$ returns its response messages (i.e., $AI{D}_j$,$M_3$,$M_4$,$M_5$) to $OB{U}_i$.

Step5.

$OB{U}_i$ computes $h^2\left(r_i\right)$ to retrieve $r_j=M_3\oplus h^2\left(r_i\right)$ and checks whether $M_5=h(M_4\parallel r_j\parallel AI{D}_j)$ holds. $OB{U}_i$ terminates the process if this equation does not hold. Otherwise, $OB{U}_i$ computes $A_i=M_4\oplus h\left(I{D}_i\right)$, calculates $S{K}_{ij}=h(r_i\parallel r_j)$, and stores $A_i$ in its secure hardware.

Step6.

$OB{U}_i\to L{E}_j$: The message $S{K}_{ij}\oplus h\left(r_j\right)$ is sent to $L{E}_j$ by $OB{U}_i$.

Step7.

$L{E}_j$ uses $S{K}_{ij}$ to retrieve $h\left(r_j\right)$. Then, it checks whether the retrieved hash value is equal to the pre-computed hash value using the chosen $r_j$. In this way, a replay attack from an illegal OBU is avoided.

As this time, the state of $OB{U}_i$ changes to trusted since $OB{U}_i$ has been authenticated successfully and has obtained the parameter $PSK=A_i\oplus D_i$. Now, not only LE but also $OB{U}_i$ can authenticate other mistrusted OBUs.

4.5. Trust-Extended Authentication

A mistrusted OBU becomes trusted once it has been authenticated successfully and has obtained $PSK$. Then, it can play the role of an LE to authenticate other mistrusted OBUs. The corresponding trust-extended authentication procedure is the same as the general authentication procedure.

4.6. Secure Communication

The secure communication procedure is performed between two trusted vehicles $OB{U}_i$ and $OB{U}_j$ when they intend to interact with each other.

Step1.

After completing the login procedure, $OB{U}_i$ generates a random number $r_i$ and computes the messages $AI{D}_i=I{D}_i\oplus r_i$, $M_1=PSK\oplus r_i$ and $M_2=PSK\oplus h(AI{D}_i\parallel r_i)$, where $PSK$ was obtained in a previous authentication procedure.

Step2.

$OB{U}_i\to OB{U}_j$: A secure communication request (i.e., $AI{D}_i$,$M_1$,$M_2$) is sent to $OB{U}_j$ by $OB{U}_i$.

Step3.

Upon receiving (i.e., $AI{D}_i$,$M_1$,$M_2$), $OB{U}_j$ uses $PSK$ to retrieve $r_i$ from $M_1$ and then computes $PSK\oplus h(AI{D}_i\parallel r_i)$ and checks whether it is equal to $M_2$. The request will be rejected if this equality does not hold. Otherwise, $OB{U}_j$ randomly chooses $r_j$ and computes $AI{D}_j=I{D}_j\oplus r_j$, $M_3=PSK\oplus r_j$, $M_4=PSK\oplus h(AI{D}_j\parallel r_j\parallel h\left(r_i\right))$ and a session key $S{K}_{ij}=h(r_i\parallel r_j\parallel PSK)$.

Step4.

$OB{U}_j\to OB{U}_i$: $OB{U}_j$ returns the response messages (i.e., $AI{D}_j$,$M_3$,$M_4$) o $OB{U}_i$.

Step5.

After receiving the messages $\{AI{D}_j$,$M_3$,$M_4\}$, $OB{U}_i$ verifies whether $OB{U}_j$ is trusted: $OB{U}_i$ uses $PSK$ to retrieve $r_j$ from $M_3$ and checks whether $M_4=h(AI{D}_j\parallel r_j\parallel h\left(r_i\right))$ holds. If so, $OB{U}_i$ computes a session key $S{K}_{ij}=h(r_i\parallel r_j\parallel PSK)$ and a reply message $M_5=S{K}_{ij}\oplus h\left(r_j\right)$. Otherwise, the process is terminated.

Step6.

$OB{U}_i\to OB{U}_j$: $OB{U}_i$ sends $\left(M_5\right)$ to $OB{U}_j$.

Step7.

After receiving the message $M_5$, $OB{U}_j$ computes $S{K}_{ij}\oplus h\left(r_j\right)$ and then checks whether it is equal to $M_5$. If this quality holds, then the two trusted vehicles can communicate securely using $S{K}_{ij}$. Otherwise, $OB{U}_j$ terminates the process.

4.7. Key Revocation

Key revocation will be triggered when the lifetime of a key expires. The state of a mistrusted vehicle changes to trusted when the mistrusted vehicle is authenticated successfully and obtains $PSK$ via performing either the general authentication procedure or the trust-extended authentication procedure. Then, a timer is instantiated by the secure hardware and begins to count down. The state of the vehicle becomes mistrusted when the lifetime of the key expires. When key expiration is approaching, the system requests that the trusted vehicle performs the key update procedure.

4.8. Key Update

The key update procedure will be invoked by $OB{U}_i$ when the key lifetime of the TV is approaching expiration. The steps of this procedure are described as follows.

Step1.

$OB{U}_i$ randomly chooses $r_i$ to compute the messages $M_1=PS{K}_{old}\oplus r_i$, $M_2=PS{K}_{old}MS{G}_{KU}$, and $M_3=h(r_i\parallel MS{U}_{KU})$.

Step2.

$OB{U}_i\to L{E}_j$: A key update request (i.e., $M_1$,$M_2$,$M_3$) is sent to $L{E}_j$ by $OB{U}_i$.

Step3.

$L{E}_j$ retrieves $r_i$ and $MS{G}_{KU}$ using the current $PSK$ (i.e., $PS{K}_{old}$). The key update request will be rejected if $h(r_i\parallel MS{G}_{KU})$ does not match $M_3$. Otherwise, $L{E}_j$ chooses a random number $r_j$ and computes $M_4=r_j\oplus h\left(r_i\right)$, $M_5=PS{K}_{new}\oplus r_j$, and $M_6=h(r_j\parallel PS{K}_{new})$, where $PSK$ is produced via the hash–chain method. Therefore, the new $PSK$ cannot be inferred by other OBUs using the current $PSK$. Finally, $L{E}_j$ computes $S{K}_{ij}=h(r_i\parallel r_j\parallel PS{K}_{new})$.

Step4.

$L{E}_j\to OB{U}_i$: $L{E}_j$ returns the reply messages (i.e., $M_4$,$M_5$, and $M_6$) to $OB{U}_i$.

Step5.

Upon receiving the reply messages, $OB{U}_i$ computes $h\left(r_i\right)$ to retrieve $r_j=M_4\oplus h\left(r_i\right)$, and obtains $PS{K}_{new}=M_5\oplus r_j$. Next, $OB{U}_i$ checks whether $M_6=h(r_j\parallel PS{K}_{new})$ and $PS{K}_{old}=h\left(PS{K}_{new}\right)$. If this condition holds, $OB{U}_i$ renews the $PSK$ and computes $S{K}_{ij}=h(r_i\parallel r_j\parallel PS{K}_{new})$. Otherwise, $OB{U}_i$ terminates the process.

Step6.

$OB{U}_i\to L{E}_j$: $OB{U}_i$ sends the message $S{K}_{ij}\oplus h\left(r_j\right)$ to $L{E}_j$.

Step7.

$L{E}_j$ retrieves $h\left(r_j\right)$ using $S{K}_{ij}$. Then, it checks whether the retrieved hash value is equal to the pre-computed hash value using the chosen $r_j$. In this way, a replay attack from an illegal OBU is avoided. Now, this session key can be used to communicate securely between two trusted vehicles.

5. Improved Scheme

A concrete description of our enhanced privacy-preserving authentication scheme is presented in this section. In our scheme, the vehicles are also classified into three types: law executors (LEs), mistrusted vehicles (MVs) and trusted vehicles (TVs) as displayed in Figure 1. The LEs are equipped with TPD, but the normal vehicles such as TV and MV are not equipped with TPD. Our improved scheme consists of nine procedures: initialization, registration, login, password change, general authentication, trust-extended authentication, secure communication, key update and revocation. The notations used in this section are also briefly defined in Table 1.

5.1. Initialization

The initialization procedure is performed by the AS when it sets up the system parameters:

Step1.

Let G be an elliptic curve group defined by a generator P and a prime number p. The AS randomly selects $\left\{x\in Z_p^{*}\right\}$ as its secret key.

Step2.

The AS computes the secure key set $\{PS{K}_i,i=1,\dots ,n\}$ using the hash–chain method as shown in Figure 2, e.g., $h^2\left(x\right)=h\left(h\left(x\right)\right)$.

5.2. Registration

LE Registration: In this procedure, an LE registers itself with the AS via the manufacturer or a secure channel. The secure key set $\{PS{K}_i,i=1,\dots ,n\}$ and the public parameters $\{G,p,P\}$ are sent to the LE by the AS. Only the secure key set and the public parameters are required to be stored in the secure hardware of the LE. No other user information needs to be stored. Similarly, the lifetime of each $PS{K}_i$ is set to be short for robust security. When the lifetime of each trusted vehicle’s key expires, this vehicle is required to perform the key update procedure with an LE.

Normal Vehicle Registration: All vehicles except LEs need to perform this procedure when they are delivered to market. This registration procedure is performed only once by each vehicle. The steps of the normal vehicle registration procedure are described in Figure 3.

Figure 3. Normal vehicle registration procedure.

Step1.

$U_i\to AS$: A user $U_i$ chooses his password $P{W}_i$ and sends its public identity $I{D}_i$ and $P{W}_i$ to the AS via the manufacturer or a secure channel.

Step2.

The AS chooses a random number $y_i$ with which to evaluate the following parameters for $U_i$ after it receives $I{D}_i$ and $P{W}_i$: $A_i=h\left(I{D}_i\parallel x\right)$, $B_i=h\left(P{W}_i\right)\oplus A_i$,$C_i=h\left(PSK\parallel y_i\right)\oplus A_i$, and $D_i=h(I{D}_i\parallel P{W}_i\parallel A_i)$.

Step3.

$AS\to U_i$: The parameters (i.e., $B_i$, $C_i$, $D_i$, $y_i$, $h$,G,p,P) are stored in the OBU’s secure hardware by the AS via a secure channel.

Step4.

$U_i$ chooses a number $x_i$ as his private key and computes $P_{pu{b}_i}=x_{i}P$ as his public key, and then computes $Z_i=x_i\oplus h\left(P{W}_i\right)$ and stores ($P_{pu{b}_i}$, $Z_i$) in its OBU secure hardware.

5.3. Login

The login procedure is performed when a user $U_i$ intends to access service from the vehicle sensor network. The login procedure is described as follows:

Step1.

$U_i\to OB{U}_i$: $I{D}_i$ and $P{W}_i$ are input to $OB{U}_i$ by $U_i$.

Step2.

First, $OB{U}_i$ retrieves $A_i=h\left(P{W}_i\right)\oplus B_i$. Then, it checks whether $D_i=h(I{D}_i\parallel P{W}_i\parallel A_i)$ holds. If so, $OB{U}_i$ launches the general authentication procedure or the trust-extended authentication procedure. Otherwise, the login request will be rejected.

5.4. Password Change

When a user $U_i$ wants to update his password, the optional password change procedure will be invoked. The steps of this procedure are described as follows:

Step1.

$I{D}_i$ and $P{W}_i$ are input to $OB{U}_i$ by $U_i$.

Step2.

First, $OB{U}_i$ retrieves $A_i=h\left(P{W}_i\right)\oplus B_i$. Then, it checks whether $D_i=h(I{D}_i\parallel P{W}_i\parallel A_i)$ holds. If so, $U_i$ will be requested to input his new password $P{W}_i^{*}$. $OB{U}_i$ computes $B_i^{*}=B_i\oplus h\left(P{W}_i\right)⨁h\left(P{W}_i^{*}\right)$ and $D_i^{*}=h(I{D}_i\parallel P{W}_i^{*}\parallel A_i)$ and replaces $B_i$ and $D_i$ with $B_i^{*}$ and $D_i^{*}$. Otherwise, the request will be rejected.

5.5. General Authentication

The general authentication procedure is performed between $OB{U}_i$ and $L{E}_j$ after $U_i$ has completed the login procedure. The general authentication procedure is shown in Figure 4 and the steps are described as follows.

Figure 4. General authentication procedure.

Step1.

$OB{U}_i$ chooses a random number $r_i$ and computes its alias $AI{D}_i=h\left(r_i\right)\oplus I{D}_i$. Then, it produces the request messages $M_1=h\left(A_i\right)\oplus r_i$ and $M_2=h(r_i\parallel AI{D}_i\parallel C_i\parallel y_i)$, where $A_i$ is obtained from the login procedure.

Step2.

$OB{U}_i\to L{E}_j$: The authentication messages (i.e., $AI{D}_i$, $M_1$, $M_2$, $C_i$, and $y_i$) are sent from $OB{U}_i$ to $L{E}_j$.

Step3.

Upon receiving the authentication request messages (i.e., $AI{D}_i$, $M_1$, $M_2$, $C_i$, and $y_i$), $L{E}_j$ uses $PSK$ to retrieve $A_i=C_i\oplus h(PSK\parallel y_i)$ and $r_i=M_1\oplus h\left(A_i\right)$ and then checks whether $M_2=h(r_i\parallel AI{D}_i\parallel C_i\parallel y_i)$ holds. The authentication request will be rejected if it does not. Otherwise, $L{E}_j$ produces a random number $r_j$ to calculate $AI{D}_j=I{D}_j\oplus h\left(r_j\right)$ and $S{K}_{ij}=h(r_i\parallel r_j)$. Finally, $L{E}_j$ calculates the response messages $M_3=r_j\oplus h^2\left(r_i\right)$, $M_4=PSK\oplus r_j$, and $M_5=h(AI{D}_j\parallel S{K}_{ij}\parallel r_j\parallel PSK)$.

Step4.

$L{E}_j\to OB{U}_i$: $L{E}_j$ return response messages (i.e., $AI{D}_j$, $M_3$, $M_4$, and $M_5$) to $OB{U}_i$.

Step5.

$OB{U}_i$ computes $h^2\left(r_i\right)$ to retrieve $r_j=M_3\oplus h^2\left(r_i\right)$, $PSK=M_4\oplus r_j$, and $S{K}_{ij}=h(r_i\parallel r_j)$ and checks whether $M_5=h(AI{D}_j\parallel S{K}_{ij}\parallel r_j\parallel PSK)$ holds. $OB{U}_i$ terminates the process if it does not. Otherwise, $OB{U}_i$ calculates the reply message $M_6=S{K}_{ij}\oplus h\left(r_j\right)$; computes $C_{inew}=h(PSK\parallel r_i)\oplus A_i$ and $E_i=h\left(P{W}_i\right)\oplus PSK$; replaces $C_i$ and $y_i$ with $C_{inew}$ and $r_i$, respectively, and stores $E_i$ in its secure hardware.

Step6.

$OB{U}_i\to L{E}_j$: The message $M_6$ is sent to to $L{E}_j$ by $OB{U}_i$.

Step7.

$L{E}_j$ uses $S{K}_{ij}$ to retrieve $h\left(r_j\right)$. Then, it checks whether the retrieved hash value is equal to the pre-computed hash value using the chosen $r_j$. In this way, a replay attack from an illegal OBU is avoided .

At this time, the state of $OB{U}_i$ changes to trusted since $OB{U}_i$ has been authenticated successfully and has obtained the parameter $PSK$. Now, not only $LE$ but also $OB{U}_i$ can authenticate other mistrusted OBUs.

5.6. Trust-Extended Authentication

This procedure is the same as in the Chuang–Lee scheme.

5.7. Secure Communication

The secure communication procedure is performed between two trusted vehicles $OB{U}_i$ and $OB{U}_j$ when they intend to interact with each other. The secure communication procedure is shown in Figure 5 and the steps are described as follows.

Figure 5. Secure communication procedure.

Step1.

After completing the login procedure, $OB{U}_i$ retrieves $PSK=E_i\oplus h\left(P{W}_i\right)$,$x_i=Z_i\oplus h\left(P{W}_i\right)$, then it generates a random number $r_i$ and computes the messages $AI{D}_i=I{D}_i\oplus h(r_i{P}_{{pub}_j})$, $T=r_{i}P$, $u_i=T+PSK·P$, and $M_1=h(T\parallel I{D}_i\parallel AI{D}_i)$, where $E_i$ was obtained from a previous authentication procedure.

Step2.

$OB{U}_i\to OB{U}_j$: A secure communication request (i.e., $AI{D}_i$, $u_i$, $M_1$) is sent to $OB{U}_j$ by $OB{U}_i$.

Step3.

Upon receiving (i.e., $AI{D}_i$, $u_i$, $M_1$), $OB{U}_j$ uses $PSK$ to retrieve T from $u_i$ and then computes $I{D}_i=AI{D}_i\oplus h\left(x_{j}T\right)$, and checks whether $M_1$ is equal to $h(T\parallel I{D}_i\parallel AI{D}_i)$. The request will be rejected if this equality does not holds. Otherwise, $OB{U}_j$ randomly chooses $r_j$ and computes

$$\begin{array}{c}AI{D}_j=I{D}_j\oplus h\left(r_j{P}_{{pub}_i}\right),\hfill \\ R=r_{j}P,\hfill \\ u_j=R+PSK·P,\hfill \\ s=r_j{P}_{{pub}_i}+x_{j}T,\hfill \\ k=h(T\parallel R\parallel P_{{pub}_i}\parallel P_{{pub}_j}\parallel s),\hfill \\ M_2=h(I{D}_j\parallel k).\hfill \end{array}$$

Step4.

$OB{U}_j\to OB{U}_i$: $OB{U}_j$ returns the response messages (i.e., $AI{D}_j$, $u_j$, $M_2$) to $OB{U}_i$.

Step5.

After receiving the messages $\{AI{D}_j,u_j,M_2\}$, $OB{U}_i$ verifies whether $OB{U}_j$ is trusted: $OB{U}_i$ computes $R=u_j-PSK·P$, $I{D}_j=AI{D}_j\oplus h\left(x_{i}R\right)$, $s=r_i{P}_{{pub}_j}+x_{i}R$ and $k=h(T\parallel R\parallel P_{{pub}_i}\parallel P_{{pub}_j}\parallel s)$, and then checks whether $M_2=h(I{D}_j\parallel k)$ holds. If so, $OB{U}_i$ computes a reply message $M_3=h(u_j\parallel k)$. Otherwise, the process is terminated.

Step6.

$OB{U}_i\to OB{U}_j$: $OB{U}_i$ sends $M_3$ to $OB{U}_j$.

Step7.

After receiving the message $\left\{M_3\right\}$, $OB{U}_j$ checks whether $M_3=h(u_j\parallel k)$ holds. if so, the two trusted vehicles can communicate securely using k. Otherwise, $OB{U}_j$ terminates the process.

5.8. Key Revocation

This procedure is the same as in the Chuang–Lee scheme.

5.9. Key Update

This procedure is the same as in the Chuang–Lee scheme.

6. Analysis

In this section, we first validate the correctness of the critical general authentication procedure and secure communication procedure using the BAN logic, and we then prove the security of our improved scheme. Finally, we evaluate the performance of our scheme against that of the existing related schemes.

6.1. Correctness

The BAN logic is a useful way to validate the correctness of security protocols, especially for the authentication protocols [20]. Some relevant notations are listed in Table 2. The verification procedure consists of the following steps.

Table 2. Symbol and description of BAN logic.

Symbol	Description
$P\mid \equiv X$	Entity P trusts opinion X
$P◃X$	Entity P sees opinion X, or P holds X
$P\mid \sim X$	Entity P has said opinion X
$P\mid \Rightarrow X$	Entity P completely control over X
$♯\left(X\right)$	X is fresh
$\frac{Rule1}{Rule2}$	$Rule2$ comes from $Rule1$
$\stackrel{k}{\mapsto }P$	k is the public key of entity P
$P\stackrel{k}{⟷}Q$	k is a secret key or information between P and Q
${\left\{X\right\}}_{PSK}$	X is encrypted by key K

6.1.1. The Correctness of the General Authentication Procedure

Idealization

First, we use formal logical language to idealize the general authentication procedure in our improved scheme in accordance with the rules of the BAN logic as follows:

(1).

$OB{U}_i\to L{E}_j$ : $\{M_1=h(r_i\parallel AI{D}_i\parallel C_i\parallel y_i),AI{D}_i,{\{r_i\}}_{A_i},{\{A_i\}}_{PSK}\},$

(2).

$L{E}_j\to OB{U}_i$ : $\{M_2=h(AI{D}_j\parallel S{K}_{ij}\parallel r_j\parallel PSK),AI{D}_j,{\{r_j\}}_{r_i},{\{PSK\}}_{r_j}\},$

(3).

$OB{U}_i\to L{E}_j$ : $\{M_3=S{K}_{ij}\oplus h\left(r_j\right).$

Goal

There are two roles in the general authentication procedure: $OB{U}_i$ and $L{E}_j$. Since $OB{U}_i$ needs to obtain the authorized parameter $PSK$ from the $L{E}_j$, it must believe $PSK$. Moreover, $OB{U}_i$ and $L{E}_j$ must believe each other and each other’s aliases, and they must believe the session key computed in the general authentication procedure. Thus, there are five goals of the general authentication procedure in our improved scheme as follows:

G1.

$OB{U}_i\mid \equiv L{E}_j\mid \equiv PSK$: $OB{U}_i$ believes $PSK$.

G2.

$OB{U}_i\mid \equiv L{E}_j\mid \equiv AI{D}_j$: $OB{U}_i$ believes $L{E}_j$ and his alias $AI{D}_j$.

G3.

$L{E}_j\mid \equiv OB{U}_i\mid \equiv AI{D}_i$: $L{E}_j$ believes $OB{U}_i$ and his alias $AI{D}_i$.

G4.

$OB{U}_i\mid \equiv OB{U}_i\stackrel{S{K}_{ij}}{⟷}L{E}_j$: $OB{U}_i$ believes the share key between himself and $L{E}_j$.

G5.

$L{E}_j\mid \equiv$$L{E}_j\stackrel{S{K}_{ij}}{⟷}OB{U}_i$: $L{E}_j$ believes the share key between himself and $OB{U}_i$.

Assumptions

With the goals set, the assumptions also need to be stated as follows:

A1.

$OB{U}_i◃AI{D}_i$: $OB{U}_i$ possesses an alias $AI{D}_i$.

A2.

$L{E}_j◃AI{D}_j$: $OB{U}_j$ possesses an alias $AI{D}_j$.

A3.

$OB{U}_i\mid \equiv ♯(r_i,r_j)$: $OB{U}_i$ believes the freshness of $r_i$ and $r_j$.

A4.

$L{E}_j\mid \equiv ♯(r_i,r_j,y_i)$: $L{E}_j$ believes the freshness of $r_i$, $r_j$ and $y_i$.

A5.

$L{E}_j\mid \equiv$$L{E}_j\stackrel{PSK}{⟷}OB{U}_i$: $L{E}_j$ believes the share key $PSK$ between himself and $OB{U}_i$.

A6.

$OB{U}_i\mid \equiv$$OB{U}_i\stackrel{r_i}{⟷}L{E}_j$: $OB{U}_i$ believes the share key $r_i$ between himself and $L{E}_j$.

A7.

$L{E}_j\mid \equiv$$L{E}_j\stackrel{r_j}{⟷}OB{U}_i$: $L{E}_j$ believes the share key $r_j$ between himself and $OB{U}_i$.

Verification

In this subsection, we will verify the correctness of our proposed general authentication procedure using the BAN logic. The detailed steps of the proof are as follows:

$OB{U}_i$ computes $AI{D}_i$ and ${\left\{r_i\right\}}_{A_i}:$

V1.

$\frac{L{E}_j⊲{\left\{r_i\right\}}_{A_i},AI{D}_i,{\left\{A_i\right\}}_{PSK},M_2,y_i,L{E}_j\mid \equiv L{E}_j\stackrel{PSK}{⟷}OB{U}_i}{OB{U}_j\mid \equiv OB{U}_i\sim M_2},$

V2.

$\frac{L{E}_j\mid \equiv ♯(r_i,y_i),L{E}_j\mid \equiv OB{U}_i\sim M_2}{L{E}_i\mid \equiv OB{U}_i\mid \equiv M_2}$,

V3.

$\frac{L{E}_j\mid \equiv OB{U}_i\mid \equiv M_2}{L{E}_j\mid \equiv OB{U}_i\mid \equiv AI{D}_i},$

$L{E}_j$ computes $L{E}_j\stackrel{S{K}_{ij}}{⟷}OB{U}_i$, ${\left\{r_j\right\}}_{r_i}$, ${\left\{PSK\right\}}_{r_j},$

V4.

$\frac{OB{U}_i⊲AI{D}_j,{\left\{r_j\right\}}_{r_i},{\left\{PSK\right\}}_{r_j},M_5,OB{U}_i\mid \equiv OB{U}_i\stackrel{r_i}{⟷}L{E}_j}{OB{U}_i\mid \equiv L{E}_j\sim M_5}$,

V5.

$\frac{OB{U}_i\mid \equiv ♯(r_i,r_j),OB{U}_i\mid \equiv L{E}_j\sim M_5}{OB{U}_i\mid \equiv L{E}_j\mid \equiv M_5}$,

V6.

$\frac{OB{U}_i\mid \equiv L{E}_j\mid \equiv M_5}{OB{U}_i\mid \equiv L{E}_j\mid \equiv r_j}$,

V7.

$\frac{OB{U}_i\mid \equiv ♯(r_i,r_j)}{OB{U}_i\mid \equiv ♯\left(S{K}_{ij}\right)}$,

V8.

$\frac{OB{U}_i\mid \equiv ♯\left(S{K}_{ij}\right),OB{U}_i\mid \equiv L{E}_j\mid \equiv r_j}{OB{U}_i\mid \equiv OB{U}_i\stackrel{S{K}_{ij}}{⟷}L{E}_j}$,

V9.

$\frac{OB{U}_i\mid \equiv L{E}_j\mid \equiv M_5}{OB{U}_i\mid \equiv L{E}_j\mid \equiv AI{D}_j}$,

V10.

$\frac{OB{U}_i\mid \equiv L{E}_j\mid \equiv M_5}{OB{U}_i\mid \equiv L{E}_j\mid \equiv PSK},$

$OB{U}_i$ computes $M_6,$

V11.

$\frac{L{E}_j⊲S{K}_{ij},M_6,L{E}_j\mid \equiv L{E}_j\stackrel{r_j}{⟷}OB{U}_i}{L{E}_j\mid \equiv OB{U}_i\sim M_6}$,

V12.

$\frac{L{E}_j\mid \equiv ♯\left(r_j\right),L{E}_j\mid \equiv OB{U}_i\sim M_6}{L{E}_j\mid \equiv OB{U}_i\mid \equiv M_6}$,

V13.

$\frac{L{E}_j\mid \equiv OB{U}_i\mid \equiv M_6}{L{E}_j\mid \equiv OB{U}_i\mid \equiv r_i}$,

V14.

$\frac{L{E}_j\mid \equiv ♯(r_i,r_j)}{OB{U}_j\mid \equiv ♯S{K}_{ij}}$,

V15.

$\frac{L{E}_j\mid \equiv ♯\left(S{K}_{ij}\right),L{E}_j\mid \equiv OB{U}_i\mid \equiv r_i}{L{E}_j\mid \equiv L{E}_j\stackrel{S{K}_{ij}}{⟷}OB{U}_i}.$

In formula $V3$ and formulas $V9$ and $V10$, $L{E}_j$ believes that $OB{U}_i$ has sent $M_2$ and $OB{U}_i$ believes that $L{E}_j$ has sent $M_5$. Because $L{E}_j$ has verified the correctness of message $M_2$ and $OB{U}_i$ has verified the correctness of message $M_5$, $OB{U}_i$ and $L{E}_j$ each believe the other party and its alias, and $OB{U}_i$ believes the $PSK$ obtained from $L{E}_j$. In formula $V8$, because $OB{U}_i$ is able to calculate $r_j$ and believes this value which is necessary to compute $S{K}_{ij}$, $OB{U}_i$ believes the freshness of $S{K}_{ij}$, and $OB{U}_i$ believes the session key $S{K}_{ij}$ that it computes. Similarly, in formula $V15$, $L{E}_j$ believes the value $r_i$ and the freshness of $S{K}_{ij}$, thus $OB{U}_i$ believes the session key $S{K}_{ij}$ that it computes. According to formulas $V3$, $V8$, $V9$, $V10$ and $V15$, we can infer that our improved general authentication procedure achieves our goals.

6.1.2. The Correctness of the Secure Communication Procedure

Idealization

First, we use formal logical language to idealize the secure communication procedure in our improved scheme in accordance with the rules of the BAN logic as follows:

(1).

$OB{U}_i\to OB{U}_j$ : $\{M_1=h(r_{i}P\parallel I{D}_i\parallel {\{I{D}_i\}}_{P_{pu{b}_j}}),{\{I{D}_i\}}_{P_{pu{b}_j}},{\{r_{i}P\}}_{PSK}\},$

(2).

$OB{U}_j\to OB{U}_i$ : $\{M_2=h(I{D}_j\parallel k),{\{I{D}_j\}}_{P_{pu{b}_i}},{\{r_{j}P\}}_{PSK}\},$

(3).

$OB{U}_i\to OB{U}_j$ : $\{M_3=h({\{r_{j}P\}}_{PSK}\parallel k)\}.$

Goal

There are two roles in the secure communication procedure: $OB{U}_i$ and $OB{U}_j$, which are the on-board units of the two communication vehicles. Since $OB{U}_i$ and $OB{U}_j$ need to generate a common session key for their communication, they must believe each other and each other’s identities, and they must believe the session key computed in the secure communication procedure. Thus, there are four goals of the secure communication procedure in our improved scheme as follows:

G1.

$OB{U}_i\mid \equiv OB{U}_j\mid \equiv I{D}_j$: $OB{U}_i$ believes $OB{U}_j$ and its identity $I{D}_j$.

G2.

$OB{U}_j\mid \equiv OB{U}_i\mid \equiv I{D}_i$: $OB{U}_j$ believes $OB{U}_i$ and its identity $I{D}_i$.

G3.

$OB{U}_i\mid \equiv OB{U}_i\stackrel{k}{⟷}OB{U}_j$: $OB{U}_i$ believes the shared key between itself and $OB{U}_j$.

G4.

$OB{U}_j\mid \equiv$$OB{U}_j\stackrel{k}{⟷}OB{U}_i$: $OB{U}_j$ believes the shared key between itself and $OB{U}_i$.

Assumptions

With the goals set, the assumptions also need to be stated as follows:

A1.

$OB{U}_i◃I{D}_i$: $OB{U}_i$ owns its identity $I{D}_i$.

A2.

$OB{U}_j◃I{D}_j$: $OB{U}_j$ owns its identity $I{D}_j$.

A3.

$OB{U}_i◃x_i$: $OB{U}_i$ holds own private key $x_i$.

A4.

$OB{U}_j◃x_j$: $OB{U}_j$ holds own private key $x_j$.

A5.

$OB{U}_i\mid \equiv \stackrel{P_{pu{b}_i}}{\mapsto }OB{U}_i$: $OB{U}_i$ believes own public key $P_{pu{b}_i}$.

A6.

$OB{U}_j\mid \equiv \stackrel{P_{pu{b}_j}}{\mapsto }OB{U}_j$: $OB{U}_j$ believes own public key $P_{pu{b}_j}$.

A7.

$OB{U}_i◃(P_{pu{b}_i},P_{pu{b}_j})$: $OB{U}_i$ holds own public key $P_{pu{b}_i}$ and $OB{U}_j$’s public key $P_{pu{b}_j}$.

A8.

$OB{U}_j◃(P_{pu{b}_i},P_{pu{b}_j})$: $OB{U}_j$ holds own public key $P_{pu{b}_j}$ and $OB{U}_i$’s public key $P_{pu{b}_i}$.

A9.

$OB{U}_i\mid \equiv ♯(r_i,r_j)$: $OB{U}_i$ believes the freshness of $r_i$ and $r_j$.

A10.

$OB{U}_j\mid \equiv ♯(r_i,r_j)$: $OB{U}_j$ believes the freshness of $r_i$ and $r_j$.

A11.

$OB{U}_i\mid \equiv$$OB{U}_i\stackrel{PSK}{⟷}OB{U}_j$: $OB{U}_i$ believes the share key $PSK$ between himself and $OB{U}_j$.

A12.

$OB{U}_j\mid \equiv$$OB{U}_j\stackrel{PSK}{⟷}OB{U}_i$: $OB{U}_j$ believes the share key $PSK$ between himself and $OB{U}_i$.

Verification

In this subsection, we will verify the correctness of our proposed secure communication procedure using the BAN logic. The detailed steps of the proof are as follows:

$OB{U}_i$ computes ${\left\{I{D}_i\right\}}_{P_{pu{b}_j}}$ and ${\left\{r_{i}P\right\}}_{PSK}$

V1.

$\frac{OB{U}_j\mid \equiv \stackrel{P_{pu{b}_j}}{\mapsto }OB{U}_j,OB{U}_j⊲{\left\{I{D}_i\right\}}_{P_{pu{b}_j}}}{OB{U}_j⊲I{D}_i}$,

V2.

$\frac{OB{U}_j⊲{\left\{r_{i}P\right\}}_{PSK},I{D}_i,M_1,OB{U}_j\mid \equiv OB{U}_j\stackrel{PSK}{⟷}OB{U}_i}{OB{U}_j\mid \equiv OB{U}_i\sim M_1}$,

V3.

$\frac{OB{U}_j\mid \equiv ♯\left(r_i\right),OB{U}_j\mid \equiv OB{U}_i\sim M_1}{OB{U}_j\mid \equiv OB{U}_i\mid \equiv M_1}$,

V4.

$\frac{OB{U}_j\mid \equiv OB{U}_i\mid \equiv M_1}{OB{U}_j\mid \equiv OB{U}_i\mid \equiv I{D}_i}.$

$OB{U}_j$ computes $OB{U}_j\stackrel{k}{⟷}OB{U}_i$ , ${\left\{r_{j}P\right\}}_{PSK}$

V5.

$\frac{OB{U}_i\mid \equiv \stackrel{P_{pu{b}_i}}{\mapsto }OB{U}_i,OB{U}_j⊲{\left\{I{D}_j\right\}}_{P_{pu{b}_i}}}{OB{U}_i⊲I{D}_j}$,

V6.

$\frac{OB{U}_i⊲{\left\{r_{j}P\right\}}_{PSK},r_i,x_i,P_{pu{b}_i},P_{pu{b}_j},M_2,OB{U}_i\mid \equiv OB{U}_i\stackrel{PSK}{⟷}OB{U}_j}{OB{U}_i\mid \equiv OB{U}_j\sim M_2}$,

V7.

$\frac{OB{U}_i\mid \equiv ♯(r_i,r_j),OB{U}_i\mid \equiv OB{U}_j\sim M_2}{OB{U}_i\mid \equiv OB{U}_j\mid \equiv M_2}$,

V8.

$\frac{OB{U}_i\mid \equiv OB{U}_j\mid \equiv M_2}{OB{U}_i\mid \equiv OB{U}_j\mid \equiv I{D}_j}$,

V9.

$\frac{OB{U}_i\mid \equiv OB{U}_j\mid \equiv M_2}{OB{U}_i\mid \equiv OB{U}_j\mid \equiv s},$

V10.

$\frac{OB{U}_i\mid \equiv ♯(r_i,r_j)}{OB{U}_i\mid \equiv ♯\left(k\right)}$,

V11.

$\frac{OB{U}_i\mid \equiv ♯\left(k\right),OB{U}_i\mid \equiv OB{U}_j\mid \equiv s}{OB{U}_i\mid \equiv OB{U}_i\stackrel{k}{⟷}OB{U}_j}.$

$OB{U}_i$ computes $M_3$

V12.

$\frac{OB{U}_j⊲{\left\{r_{i}P\right\}}_{PSK},k,M_3,OB{U}_j\mid \equiv OB{U}_j\stackrel{PSK}{⟷}OB{U}_i}{OB{U}_j\mid \equiv OB{U}_i\sim M_3},$

V13.

$\frac{OB{U}_j\mid \equiv ♯(r_i,r_j),OB{U}_j\mid \equiv OB{U}_i\sim M_3}{OB{U}_j\mid \equiv OB{U}_i\mid \equiv M_3},$

V14.

$\frac{OB{U}_j\mid \equiv OB{U}_i\mid \equiv M_3}{OB{U}_j\mid \equiv OB{U}_i\mid \equiv s},$

V15.

$\frac{OB{U}_j\mid \equiv ♯(r_i,r_j)}{OB{U}_j\mid \equiv ♯\left(k\right)}$,

V16.

$\frac{OB{U}_j\mid \equiv ♯\left(k\right),OB{U}_j\mid \equiv OB{U}_i\mid \equiv s}{OB{U}_j\mid \equiv OB{U}_j\stackrel{k}{⟷}OB{U}_i}$.

In formula $V4$ and formula $V8$, $OB{U}_j$ believes that $OB{U}_i$ has sent $M_1$ and $OB{U}_i$ believes that $OB{U}_j$ has sent $M_2$. Because $OB{U}_j$ has verified the correctness of message $M_1$ and $OB{U}_i$ has verified the correctness of message $M_2$ , $OB{U}_i$ and $OB{U}_j$ each believe the other’s identity and that the other party is a trusted vehicle. In formula $V11$, because $OB{U}_i$ can use its private key to obtain $I{D}_j$ and calculate k, $OB{U}_i$ can verify $M_2$ by means of $I{D}_j$ and k; thus, $OB{U}_i$ believes the session key k that it computes. Similarly, in formula $V16$, $OB{U}_j$ can compute the session key k to verify $M_3$, so $OB{U}_j$ believes the session key k that it computes. According to formulas $V4$, $V8$, $V14$ and $V16$, we can infer that our improved secure communication procedure achieves our goals.

6.2. Security Analysis

In this section, the security proof of the critical secure communication procedure and general authentication procedure is presented. We show that the proposed improved protocol is secure through a formal security analysis in the random oracle model as well as an informal security analysis.

6.2.1. The Formal Security Analysis

Theorem 1.

Let $GAP$ denote the general authentication procedure presented in Figure 4. Let $|Hash|$ and $|D|$ denote the range space of the hash function and the size of the password dictionary D, respectively. Finally, let A represent an adversary within a polynomial time t against the semantic security of $GAP$ by issuing $q_{send}$ Send queries, $q_{exe}$ Execute queries and $q_h$ hash queries. Then, we have

$$\begin{array}{c}Ad{v}_{GAP,D}\left(A\right)\le \frac{q_h^2}{|Hash|}+\frac{2q_{send}}{|D|}.\end{array}$$

Proof of Theorem 1.

To complete the proof, four experiments are constructed, where the first one simulates a real attack. For every experiment $Ex{p}_n$, we use an event $Suc{c}_n$ to denote the event in which the adversary successfully guesses the bit b from the $Test$ query. ☐

Experiment $Ex{p}_0.$

This experiment simulates an actual attack. According to definition, we have

$${Adv}_{GAP,D}\left(A\right)=2Pr\left[Suc{c}_0\right]-1.$$

(1)

Experiment $Ex{p}_1.$

In this experiment, the oracles $Execute$, $Send$, $Corrupt$, $Reveal$, $Test$ as in an actual attack are simulated. It can be seen that one cannot distinguish this experiment from the actual experiment. Thus,

$$Pr\left[Suc{c}_1\right]=Pr\left[Suc{c}_0\right].$$

(2)

Experiment $Ex{p}_2.$

All oracles considered in experiment ${\mathrm{Exp}}_1$ are also simulated in this experiment; however, all executions are halted where a collision occurs when simulating the $Send$ and the h oracle. A issues $Send$ to try to deceive the other participants into accepting a modified message. Simultaneously, it can query the h oracle to verify whether a hash collision exists. Since the messages transmitted in the network are all associated with a participant’s identity, a temporary secret random number and a long-lived key, and the authentication procedure only uses an XOR operation and a hash function, there is no other collision except hash collision. The probability of collision in the h oracle is at most $q_h^2/2|Hash|$ by the birthday paradox. Hence,

$$|Pr\left[S{\mathrm{ucc}}_1\right]-Pr\left[S{\mathrm{ucc}}_2\right]|\le \frac{q_h^2}{2|Hash|}.$$

(3)

Experiment $Ex{p}_3.$

All oracles considered in experiment ${\mathrm{Exp}}_2$ are simulated in this experiment, in addition to stopping the stimulation of a $Corrupt$ query to an OBU. Note that the information $B_i$, $C_i$,$D_i$, $y_i$, $Z_i$ and $P_{pu{b}_i}$ stored in the OBU can be extracted by A when the $Corrupt\left(U_i\right)$ query is issued. However, this information is useless to A for calculating the session key since it would also need the secret $A_i$, and it is difficult to derive $A_i$ from $B_i$ without also obtaining the user’s correct password $P{W}_i$ via the password attack. Hence, we obtain

$$|Pr\left[S{\mathrm{ucc}}_2\right]-Pr\left[S{\mathrm{ucc}}_3\right]|\le \frac{q_{send}}{|D|}.$$

(4)

In addition, we know that the adversary A can only win the game by guessing the bit b when querying the $Test$ oracle because the adversary has no advantage. Therefore,

$$Pr\left[S{\mathrm{ucc}}_3\right]=\frac{1}{2}.$$

(5)

From Equations (2) to (5), we have

$$\begin{array}{cc}\hfill |Pr\left[S{\mathrm{ucc}}_0\right]-\frac{1}{2}|& =|Pr\left[S{\mathrm{ucc}}_0\right]-Pr\left[S{\mathrm{ucc}}_3\right]|\hfill \\ & \le |Pr\left[S{\mathrm{ucc}}_0\right]-Pr\left[S{\mathrm{ucc}}_1\right]|+|Pr\left[S{\mathrm{ucc}}_1\right]-Pr\left[S{\mathrm{ucc}}_2\right]|\hfill \\ & +|Pr\left[S{\mathrm{ucc}}_2\right]-Pr\left[S{\mathrm{ucc}}_3\right]|\hfill \\ & \le \frac{q_h^2}{2|Hash|}+\frac{q_{send}}{|D|}.\hfill \end{array}$$

Therefore, from Equation (1), we get

$$\begin{array}{c}Ad{v}_{GAP,D}\left(A\right)\le \frac{q_h^2}{|Hash|}+\frac{2q_{send}}{|D|}.\end{array}$$

Theorem 2.

Let G represent a group with a prime order p, and $SCP$ denote the secure communication procedure presented in Figure 5. Let ℓ be the size of the identity space, $|Hash|$ and $|D|$ represent the range space of the hash function and the size of the password dictionary D. Finally, let A represent an adversary attacking the semantic security of the secure communication protocol with time-complexity at most t by issuing $q_{send}$ Send queries, $q_{exe}$ Execute queries and $q_h$ Hash queries. Then, we have:

$$\begin{array}{cc}\hfill Ad{v}_{SCP,D}\left(A\right)& \le \frac{2(q_{send}+q_{exe})}{\ell }+\frac{q_h^2}{|Hash|}+\frac{{(q_{send}+q_{exe})}^2}{p}+\frac{2q_{send}}{|D|}\hfill \\ & +2q_{h}Ad{v}_G^{ECCDH}(t+(q_{send}+q_{exe})t_p),\hfill \end{array}$$

where $t_p$ denotes the time required to produce a point.

Proof of Theorem 2.

To complete the proof, six experiments are constructed, where the first one simulates a real attack. For every experiment $Ex{p}_n$, we use $Suc{c}_n$ to denote the event in which the adversary successfully guesses the bit b from the $Test$ query. ☐

Experiment $Ex{p}_0.$

This experiment simulates an actual attack, which begins with the random selection of a secure key $PSK$. According to definition, we have

$${Adv}_{SCP,D}\left(A\right)=2Pr\left[Suc{c}_0\right]-1.$$

(6)

Experiment $Ex{p}_1.$

In this experiment, the oracles $Execute$, $Send$, $Corrupt$, $Reveal$, and $Test$, as in the actual attack with a chosen random secure key $PSK$ are simulated. It can be seen that one cannot distinguish this experiment from the actual experiment. Thus,

$$Pr\left[Suc{c}_1\right]=Pr\left[Suc{c}_0\right].$$

(7)

Experiment $Ex{p}_2.$

All oracles considered in experiment $Ex{p}_1$ are also simulated in this experiment. In addition, we stop simulating the adversary to execute guessing attacks on the real identity of a participant. In this case, we have

$$|Pr\left[Suc{c}_1\right]-Pr\left[Suc{c}_2\right]|⩽\frac{q_{send}+q_{exe}}{\ell }.$$

(8)

Proof. 

Each participant’s real identity is always converted into an alias using a random number (i.e., $AI{D}_i=I{D}_i\oplus H\left(r_i{P}_{pu{b}_j}\right)$). Therefore, the adversary cannot determine the participant’s real identity because every alias is different and there is nothing that can be used to verify the real identity. ☐

Experiment $Ex{p}_3.$

All oracles considered in experiment ${\mathrm{Exp}}_2$ are also simulated in this experiment; however, all executions are halted where a collision occurs among $(AI{D}_i$, $u_i$, $M_1)$, $(AI{D}_j$,$u_j$,$M_2)$, and $\left(M_3\right)$. The probability of colliding in the h oracle is at most $q_h^2/2|Hash|$ by the birthday paradox. Similarly, the probability of colliding in the transcript is at most ${(q_{send}+q_{exe})}^2/2p$, Consequently,

$$|Pr\left[S\mathrm{uc}{\mathrm{c}}_2\right]-Pr\left[S\mathrm{uc}{\mathrm{c}}_3\right]|\le \frac{q_h^2}{2|Hash|}+\frac{{(q_{send}+q_{exe})}^2}{2p}.$$

(9)

Experiment $Ex{p}_4.$

All oracles considered in as experiment ${\mathrm{Exp}}_3$ are simulated in this experiment, in addition to stopping the stimulation of a $Corrupt$ query to an OBU. Note that the information $B_i$, $C_i$, $D_i$, $y_i$, $Z_i$, $P_{pu{b}_i}$, and $E_i$ stored in the OBU can be extracted by A when the $Corrupt\left(U_i\right)$ query is issued. However, this information is useless to A for calculating the session key since it would require the secure key $PSK$, a private key $x_i$ and a temporary secret random number, and it is difficult to derive $PSK$ and $x_i$ from $E_i$ and $Z_i$ without obtaining the user’s correct password $P{W}_i$ via the password attack. Hence, we obtain

$$|Pr\left[S\mathrm{uc}{\mathrm{c}}_3\right]-Pr\left[S\mathrm{uc}{\mathrm{c}}_4\right]|\le \frac{q_{send}}{|D|}.$$

(10)

Experiment $Ex{p}_5.$

In this experiment, we use the private oracle $h^{\prime }$ in place of the oracle h for computing k as shown in Table 3, such that the session key is totally independent of h. More precisely, one obtains $k=h^{\prime }(T\parallel R\parallel P_{pu{b}_i}\parallel P_{pu{b}_j})$ in $Execute$ queries. Therefore, the experiments $Ex{p}_4$ and $Ex{p}_5$ are indistinguishable except for the occurrence of the following event $Ask{H}_6$: A issues queries to h on $T\parallel R\parallel P_{pu{b}_i}\parallel P_{pu{b}_j}\parallel s$, i.e., the value $T\parallel R\parallel P_{pu{b}_i}\parallel P_{pu{b}_j}\parallel ECCDH(T,P_{pu{b}_j})+ECCDH(R,P_{pu{b}_i})$. In addition, regardless of the b value that is chosen to be used in a $Test$ query, the response is independent for all sessions since it is a random number. Therefore,

$$Pr\left[S\mathrm{uc}{\mathrm{c}}_5\right]=\frac{1}{2}.$$

(11)

Table 3. Simulation of random oracles h and $h^{\prime }$.

A hash query $h\left(m\right)$ (resp.$h^{\prime }$) that matches a record $(m,r^{\prime })$ in the list ${\Lambda }_h$ (resp.${\Lambda }_{h^{\prime }}$), returns $r^{\prime }$.

Otherwise, it chooses a random number r, adds the record $(m,r)$ to the list ${\Lambda }_h$ (resp.${\Lambda }_{h^{\prime }}$), and returns r.

Experiment $Ex{p}_6.$

The execution of the random self-reducibility of the elliptic curve computational Diffie–Hellman assumption given an $ECCDH$ instance $(A,B)$ is simulated in this experiment. We randomly select $\alpha ,\beta ,\gamma ,\phi \in Z_p^{*}$, and let $T=\alpha A-PSK·P$, $R=\beta A-PSK·P$, $P_{pu{b}_i}=\gamma B$, and $P_{pu{b}_j}=\phi B$ . Note that $Ask{H}_6$ means that a query h on $T||R||Y$ has been issued by A, where $Y=ECCDH(T,P_{pu{b}_j})+ECCDH(R,P_{pu{b}_i})$. Indeed, $Pr\left[Ask{H}_6\right]=Pr\left[S\mathrm{uc}{\mathrm{c}}_6\right]$ . We have:

$$ECCDH(T,P_{pu{b}_j})=\alpha \phi ·ECCDH(A,B)-\phi PSK·B,$$

$$ECCDH(R,P_{pu{b}_i})=\beta \gamma ·ECCDH(A,B)-\gamma PSK·B.$$

Therefore,

$$ECCDH(T,P_{pu{b}_j})+ECCDH(R,P_{pu{b}_i})=(\alpha \phi +\beta \gamma )·ECCDH(A,B)-(\phi +\gamma )PSK·B.$$

If A knows the session key k constructed by $(\alpha A,\beta A,PSK·P,\gamma B,\phi B)$, it must have issued queries to h on $T\parallel R\parallel P_{pu{b}_i}\parallel P_{pu{b}_j}\parallel s$ that was recorded in the list ${\Lambda }_h$. Therefore, we can conclude that

$$Pr\left[Suc{c}_6\right]\le q_{h}Ad{v}_G^{ECCDH}(t+(q_{send}+q_{exe})t_p).$$

(12)

From Equations (7) to (12), we have

$$\begin{array}{cc}\hfill |Pr\left[S{\mathrm{ucc}}_0\right]-\frac{1}{2}|& =|Pr\left[S{\mathrm{ucc}}_0\right]-Pr\left[S{\mathrm{ucc}}_5\right]|\hfill \\ & \le |Pr\left[S{\mathrm{ucc}}_0\right]-Pr\left[S{\mathrm{ucc}}_1\right]|+|Pr\left[S{\mathrm{ucc}}_1\right]-Pr\left[S{\mathrm{ucc}}_2\right]|+|Pr\left[S{\mathrm{ucc}}_2\right]-Pr\left[S{\mathrm{ucc}}_3\right]|\hfill \\ & +|Pr\left[S{\mathrm{ucc}}_3\right]-Pr\left[S{\mathrm{ucc}}_4\right]|+|Pr\left[S{\mathrm{ucc}}_4\right]-Pr\left[S{\mathrm{ucc}}_5\right]|\hfill \\ & \le \frac{q_{send}+q_{exe}}{\ell }+\frac{q_h^2}{2|Hash|}+\frac{{(q_{send}+q_{exe})}^2}{2p}+\frac{q_{send}}{|D|}\hfill \\ & +q_{h}Ad{v}_G^{ECCDH}(t+(q_{send}+q_{exe})t_p).\hfill \end{array}$$

Therefore, from Equation (6), we get

$$\begin{array}{cc}\hfill Ad{v}_{SCP,D}\left(A\right)& \le \frac{2(q_{send}+q_{exe})}{\ell }+\frac{q_h^2}{|Hash|}+\frac{{(q_{send}+q_{exe})}^2}{p}+\frac{2q_{send}}{|D|}\hfill \\ & +2q_{h}Ad{v}_G^{ECCDH}(t+(q_{send}+q_{exe})t_p).\hfill \end{array}$$

6.2.2. Informal Security Analysis

Confidentiality of Session Key

In our proposed scheme, when an authentication, secure communication or key update procedure is performed, a session key is generated using two random numbers chosen by the participants. Then, the generated key is used to ensure a secure communication. Moreover, the random numbers used to generate each session key are different. Therefore, it is difficult for an adversary A to successfully guess the session key or derived it from the communicated messages.

Anonymity

In our proposed scheme, to preserve users’ privacy, the original identity of every participant is converted into an alias via an XOR operation with a hash that takes a random number $r_i$ as an input (i.e., $AI{D}_i=I{D}_i⨁h\left(r_i\right)$, $AI{D}_i=I{D}_i⨁h\left(r_i{P}_{pu{b}_j}\right)$). Therefore, an adversary A cannot determine a user’s original identity without the random number $r_i$ or the private key $x_j$ even if T has been obtained because of the hardness of the ECCDH problem in G.

Unlinkability

In our proposed scheme, the original identities of the participants are not transmitted over the unsecure network; instead, every participant’s identity is converted into an alias. Moreover, the authentication, secure communication and key update phases are independent of each other. In addition, after every authentication procedure performed by $OB{U}_i$, the value $C_i$ updates itself. Therefore, for two or more authentication messages that are sent by the same user, the adversary A cannot determine whether they have the same origin. Thus, A cannot trace the location of a user by intercepting messages.

Resistance to Impersonation Attack

In the authentication procedure of our improved scheme, if an adversary wishes to impersonate $OB{U}_i$, it must obtain both the $A_i$ and $I{D}_i$ of $OB{U}_i$. Otherwise, it cannot compute a valid authentication request, since the original identity of $OB{U}_i$ is converted into an alias via an XOR operation with a random number $r_i$ chosen by itself and this random number $r_i$ is hidden by its $A_i$. Moreover, the adversary can successfully impersonates $OB{U}_i$ only by correctly guessing the random number, which is difficult because the random number is reselected with each authentication. Furthermore, in the secure communication procedure, the original identity of $OB{U}_i$ is also converted into an alias with a random number $r_i$($AI{D}_i=I{D}_i⨁h\left(r_i{P}_{pu{b}_j}\right)$). The adversary cannot successfully impersonate the OBU since the random number cannot be guessed.

Resistance to Internal Attack

In our proposed scheme, an internal attack refers to the case in which the owner of a vehicle, who possesses the common secure key $PSK$, attempts to reveal the session key for a communication channel. Under our improved scheme, in the secure communication procedure, even if the adversary can intercept all exchanged messages, $(AI{D}_i$, $u_i)$ of $OB{U}_i$ and $(Ai{D}_j$, $u_j)$ of $OB{U}_j$ and compute T and R using the secure key $PSK$, it cannot determine the user’s original identity or compute the session key k under the assumption of the hardness of $ECCDH$ problem in G.

6.3. Performance Analysis

In our proposed scheme, the general authentication procedure is based only on an XOR operation and a hash function; thus, the computation cost is low. To demonstrate the performance of the proposed scheme, we compare the the critical secure communication procedure with the existing two-party secure communication schemes with session key agreement [6,11,12,15,16]. Next, we implement our scheme based on cryptographic libraries and present a concrete comparison of execution times. Then, we compare the security features of these schemes. Some notations are defined as follows for convenience:

• T_h : The execution time of a hash function operation.
• T_bp : The execution time of a bilinear pairing operation.
• T_mul : The execution time of an ECC-based scalar point multiplication operation.
• T_add : The execution time of an ECC-based scalar point addition operation.

The detailed comparison is presented in Table 4, where the middle and right columns list the complexity and total execution time, respectively, of each scheme. The transmission time is not considered in the comparison since it depends on the actual characteristics of the network, not the scheme. All operations listed in Table 4 were implemented using the OpenSSL library and the JPBC library, and the experiments were conducted on a Windows 7 PC (Samsung Electronics, Hwaseong, Korea) equipped with an Intel(R) Core(TM) i7-6500U CPU (Santa Clara, CA, USA).

Table 4. The execution time of basic operation.

Operation	${\mathit{T}}_{\mathit{h}}$	${\mathit{T}}_{\mathit{mul}}$	${\mathit{T}}_{\mathit{bp}}$	${\mathit{T}}_{\mathit{add}}$
Execution time (ms)	$0.004$	$0.326$	$6.28$	$0.038$

As seen in Table 5 and Figure 6, the execution time of our scheme is less than those of some other schemes [11,12]. Although the execution times of Chuang–Lee’s scheme and Kumari’s scheme are less than that of our scheme, their schemes fail to resist internal attack because the participants’aliases depend only on a random number that is hidden by $PSK$ as shown in Table 6. Therefore, a trusted vehicle can reveal a participant’s real identity because it holds $PSK$. Meanwhile, because Porambage’s scheme uses certificates for authentication, the unlinkability of messages cannot be preserved, and a user’s anonymity can be violated. Therefore, our proposed scheme is a preferable solution for secure communication in vehicle sensor networks compared with the existing similar schemes presented in [6,11,12,15,16].

Table 5. Comparison of efficiency.

Scheme	Computation Cost	Computation Time (ms)
Reference [6]	$4T_h+4T_{mul}+2T_{add}$	≈1.838
Reference [11]	$10T_h+6T_{mul}+2T_{bp}+4T_{add}$	≈14.7
Reference [12]	$10T_h+6T_{mul}+2T_{bp}+4T_{add}$	≈14.7
Reference [15]	$8T_h$	≈0.032
Reference [16]	$10T_h$	≈0.04
Proposed	$12T_h+10T_{mul}+6T_{add}$	≈3.54

Figure 6. Execution time(ms) of different authentication protocols.

Table 6. Comparison of security features.

Security Threats and Scheme	Ref. [6]	Ref. [11]	Ref. [12]	Ref. [15]	Ref. [16]	Proposed
Provides user anonymity	×	×	×	×	×	√
Resistance to user traceability attack	×	×	×	×	×	√
Resistance to impersonation attack	√	×	√	√	√	√
Resist inside attack	√	√	√	×	×	√
Unlinkability of message	×	√	√	×	√	√

7. Conclusions

With the emergence of intelligent transportation, the security of vehicle sensor networks is attracting attention from individuals and vehicle manufacturers, and privacy preservation in communication over vehicle sensor networks has become a critical issue. In this paper, we have demonstrated that Chuang and Lee’s TEAM scheme exists the linkability of messages in the authentication protocol; thus, a malicious vehicle can track a driver by intercepting transmitted message. Simultaneously, TEAM scheme can suffer the internal attack in the secure communication protocol; thus, a malicious trusted vehicle can compute the real identity of a user and the session key. To address this shortcoming, an improved authentication scheme based on elliptic curves for better performance and security has been constructed, in which the difficulty of deriving real identities arises from the need to solve an elliptic curve discrete logarithm problem. In this way, privacy preservation is achieved since the real identities of users are protected. The correctness of our proposed scheme has been proven using BAN logic, and a rigorous security proof has been provided based on the random oracle model. In future work, elliptic curves based authentication schemes involving three parities will be investigated.