SELWAK: A Secure and Efficient Lightweight and Anonymous Authentication and Key Establishment Scheme for IoT Based Vehicular Ad hoc Networks

Abstract

In recent decades, Vehicular Ad Hoc Networks (VANET) have emerged as a promising field that provides real-time communication between vehicles for comfortable driving and human safety. However, the Internet of Vehicles (IoV) platform faces some serious problems in the deployment of robust authentication mechanisms in resource-constrained environments and directly affects the efficiency of existing VANET schemes. Moreover, the security of the information becomes a critical issue over an open wireless access medium. In this paper, an efficient and secure lightweight anonymous mutual authentication and key establishment (SELWAK) for IoT-based VANETs is proposed. The proposed scheme requires two types of mutual authentication: V2V and V2R. In addition, SELWAK maintains secret keys for secure communication between Roadside Units (RSU_s). The performance evaluation of SELWAK affirms that it is lightweight in terms of computational cost and communication overhead because SELWAK uses a bitwise Exclusive-OR operation and one-way hash functions. The formal and informal security analysis of SELWAK shows that it is robust against man-in-the-middle attacks, replay attacks, stolen verifier attacks, stolen OBU attacks, untraceability, impersonation attacks, and anonymity. Moreover, a formal security analysis is presented using the Real-or-Random (RoR) model.

1. Introduction

The past decade has witnessed colossal advancements in Information and Communication technologies (ICT) resulting in a number of concepts appearing on technological horizons. In practice, ICT has become an integral part of every field of human life. The concept of “smart and autonomous environment” is the result of emerging ICT models that can benefit human society at large. The Internet of Things enables the autonomous and smart society to connect billions of smart devices to inter- and intra-communication to achieve its goals [1,2,3]. These intelligent sensing and interconnected devices depict a tremendous capacity for replicating the physical environment into corresponding digital environments. IoT-based smart environments can assist society in a broad spectrum, such as e-health care, business, e-commerce, logistics, education, agriculture, defense, and many more.

VANETs are a crucial component of a smart and autonomous environment with an aim to deliver Intelligent Transport System [4] where vehicles communicate with each other, roadside infrastructure, and/or other network services. ITS aims to provide controlled traffic flows, co-operative traffic monitoring, collision prevention, detour route computation, and internet connectivity to moving vehicles. Therefore, VANETS became a combination of wireless ad hoc networks and IoT-based devices for the provision of services. There are three main components of ITS: (a) vehicle, (b) Trust Authority (TA), and (c) Road-Side Unit (RSU), as shown in Figure 1. Vehicular communication takes place in two ways: (a) Vehicle to Vehicle (V2V) and (b) Vehicle to RSU (V2R). Each vehicle is equipped with an onboard unit (OBU) that receives and processes traffic-related data. The OBU also transmits information related to neighboring vehicles and RSU_s using Dedicated Short Range Communication (DSRC) protocols [5]. The RSU is deployed beside the road as a base station and acts as a connecting node between OBU_s and the Trusted Authority (TA). The RSU performs various authentication operations. The TA’s responsibilities are to register the OBU_s and RSU_s, perform maintenance, and conduct the entire vehicular system.

Moving vehicles with varying accelerations make VANETs different from traditional ad hoc networks, thereby featuring specific network challenges in the case of VANETs. Resource-constrained IoT devices and the wireless nature of communication in VANETs make security a concern of prime focus [6]. Insecure communication may result in the transfer of life-critical information to an adversary. Unauthentic information may lead a passenger to a path of adversary’s choice, thus, putting life in danger [7]. Acceptance of a malicious message may cause malfunctioning of the vehicle system. Therefore, security gains prime importance in the case of VANETs, as unwanted situations may cause privacy breaches to one extent and prove to be fatal to the other.

A Secure and Efficient Lightweight Anonymous Mutual Authentication and Key establishment scheme for IoT-based vehicular ad hoc networks (SELWAK) is proposed in this paper. The proposed scheme uses a simple XOR operation and a one-way hash function, making it light in terms of resource usage. Various authentication and key establishment schemes have been discussed in the literature. Moreover, resource-constrained devices do not support traditional cryptographic operations due to low memory and computational power, and therefore demand lightweight cryptographic preemptive. Ensuring the privacy of vehicles is a challenging issue because an adversary can trace the traveling routes of vehicles and identify vehicles that may cause serious danger. To overcome privacy issues, the proposed scheme uses mask identities to ensure anonymity and privacy preservation. In addition to this, an attacker cannot relate driver’s multiple mask identities to reveal his/her real identity. The proposed scheme provides better security services in a cost-effective manner compared to existing schemes. The SELWAK consists of four phases: (i) Registration, (ii) authentication and key agreement, (iii) RSU-to-RSU key establishment, and (iv) password change.

In the registration phase, vehicles and roadside units register with the TA. The driver of the vehicle chooses various credentials and sends them to the TA in a secure way. Then, the vehicle is deployed on the VANETs. Before deployment of a vehicle in VANETs, TA sends the information to vehicle V_i in a secure way, and OBU_i stores that information for future use. In the RSU registration phase, the TA generates credentials for every RSU that is deployed in VANETs. The second phase consists of two sub phases, such as (i): V2V authentication key agreement phase and (ii) the V2RSU authentication key agreement phase. In each sub phase, after successful mutual authentication, a session key is established between two entities, and this key is later used for authentication purposes. In the key establishment phase of RSU-to-RSU, a session key is established between those RSU_s on the basis of their preloaded credentials. For secure communication, it is necessary that the driver of the vehicle change the password periodically. There is an option available for drivers to change passwords locally without interacting with the TA. Formal security analysis of the SELWAK was done using the Real-or-Random (RoR) model. SELWAK provides better security services and effectively reduces computational cost and communication overhead, as indicated by the derived results. The following are the main contributions of this paper.

• In this paper, a novel lightweight anonymous authentication and key establishment scheme for VANETs is proposed that uses one-way cryptographic hash functions and simple XOR operations.
• We ensure the privacy of vehicles so that an adversary cannot trace the real identity and travel routes of vehicles.
• SELWAK is secure against replay attacks, impersonation attacks, man-in-the-middle attacks, stolen verifier attacks, stolen OBU attacks, untraceability, and anonymity.
• Formal security proof of establishing a secure session key is provided using the RoR model.

The remainder of the paper is organized as follows. Section 2 discusses related work, whereas Section 3 presents systems models. In Section 4, the proposed SELWAK is described, while Section 5 presents the security analysis. In Section 6, we evaluate the performance of the proposed scheme, and Section 7 concludes the paper.

2. Related Work

Numerous studies exist on authentication, key establishment, and privacy preservation in VANETs. Below, we present a brief discussion of the few existing techniques. Wang et al. [8] proposed an authentication scheme for VANET using a group signature. According to the authors, when vehicles apply for group membership, membership validity is checked to determine whether the vehicle is still a member of the group. Batch verification of vehicles can also be done in the proposed scheme. The authors in [9] proposed a password based novel group key agreement protocol. Their scheme provides batter privacy services in the field of VANET. The proposed scheme uses a hash function for authentication and integrity. According to the authors, their scheme has less computational cost as well as communication overhead as compared to certificate-based public key cryptography and identity-based public key cryptography but is vulnerable to denial-of-service attacks. In a novel secure and efficient anonymous authentication scheme with a privacy preserving scheme (EAAP) [10], RSU_s and OBU_s use digital signatures to sign each message. The EAAP scheme uses a bilinear-pairing technique to conform to the integrity and authentication of messages. Bilinear pairing has a high computational cost compared to the cryptographic general hash function [11]. A discrete event-based threat-driven authentication scheme has been proposed to ensure secure V2I and V2V communication in [12]. To satisfy the secure communication between V2V and V2R, the proposed approach uses a session key, private key, and public key simultaneously. The authors used the Petri Nets and Veins framework for the formal analysis of their scheme. Zhang et al. [13] proposed an identity-based public key cryptographic (ID-PKC) scheme for privacy-preservation communication. The authors used bilinear pairing and ID-PKC to originate vehicular clouds and secure communication in vehicular clouds. In this scheme, a secure and anonymous dynamic vehicular cloud comes from using pseudonyms. The authors also presented a well-organized protocol that allowed cloud users to join or leave the group dynamically. Two schemes that control traffic lights intelligently using for computing were proposed in [14]. The first scheme’s security is based on Computational Diffie-Hellman puzzle hardness, and the second is based on the hash collision puzzle. After a fixed interval of time, the traffic lights generate the puzzle and verify it. For VANETs, a decentralization mutual authentication and key agreement scheme were proposed in [15]. The vehicles communicate in the cluster’s fashion and use the hash function and XOR operation. There are three types of authentication taking place: vehicles-to-cluster heads, between cluster heads and cluster heads, and roadside units. This scheme does not deliberate batch verification and privacy preservation of the signatures of multiple messages. Ibrahim et al. [16] proposed two schemes, epidemic-based and topology-based, in which RSU switches its authentication service to the nearest vehicle for the betterment of the authentication service. The topology-based scheme depends upon network analysis and computing node degree, but the scheme based on the epidemic level did not depend on network analysis. The authors have compared both schemes and show that topology-based schemes have better performance but more security threats than epidemic-based schemes. An authentication scheme with privacy preservation property based on identity was proposed in [17]. To reduce communication overhead, a registration list is used instead of the revocation list. The security features of VANET were not affected by malicious vehicles. Moreover, their scheme did not use bilinear pairing operations, which takes more execution time, thus dramatically reducing computation and communication costs. Gope et al. [18] proposed an efficient authentication scheme based on RFID with privacy features. This scheme uses a distributed IoT infrastructure for secure localization servers to facilitate smart city environments. The backend server has a full command to recognize RFID tags without any trouble. However, the problem with this scheme is that the managing server is so powerful that it can know the entire communication of RFID tags. The security of the scheme depends on the backend server. If the backend server has a strong security mechanism, then the attacker cannot get security credentials, but if backend server security is compromised, then the attacker can easily get secret information and execute a forgery attack. Second, the RFID tags did not have any physical security. A signature based on an identity scheme for authentication of V2V communication has been proposed in [19]. This scheme is based on elliptic curve cryptography. The advantage of batch signature verification is that it can authenticate a large number of vehicles at a time. This scheme uses an RoR model for security proof. According to the authors, their scheme reduces the execution time and communication burden compared to other schemes. Cui et al. [20] proposed an authentication scheme that preserves the privacy property in the field of VANET. This scheme uses ECC and identity-based signatures for both V2I and V2V communication. The authors used the binary search method and the cuckoo filter method to improve the success rate of batch signature verification. Xie et al. [21] proposed a robust and secure conditional privacy-preserving scheme using identity-based authentication. The reliability and integrity of the messages are ensured using identity-based signatures for V2V communication and V2I communication. The results of this scheme show that it has a high computational cost and communication overhead. A conditional-based privacy and authentication scheme was proposed in [22]. The prevention from side channel attacks is gained by storing sensitive data on the TPD of OBU and updating it periodically. The formal security analysis of their scheme has been shown using BAN-logic. Their approach is based on a one-way hash function and ECC; therefore, according to the authors, their scheme is efficient in terms of cost compared to existing schemes [23,24,25,26]. To ensure secure communication in VANET, an authentication scheme based on ECC that satisfies privacy preservation was proposed in [27]. In this scheme, the authors combined RSU- and TPD-based schemes to handle privacy and security issues in VANET. All the system’s public credentials and keys are preloaded in the TPD of RSU. Their scheme worked in four phases: initialization phase, mutual authentication, signing, and verification phases. Jie et al. [28] presented a chaos mapping-based full session key agreement scheme. This scheme worked in two phases. In the first phase, group key agreement was made between the cluster head and the fog server. In the second phase, a group key agreement is made among vehicle nodes. A secure and robust authentication and privacy scheme has been introduced for vehicular communication [24]. The trusted authority preloads the already computed private key in the vehicle’s TPD via a secure medium. Jalawai et al. [27] presented an authentication mechanism using elliptic curve cryptography, which satisfied conditional privacy preservation. They addressed some security and privacy concerns based on the combined usage of TPD-based schemes with RSU-based schemes. The system’s key and all the initial public parameters are preloaded in the TPD of RSU. There are some issues with privacy and security, and some attacks are also possible. Vijayakumar et al. [29] proposed an authentication and key distribution scheme for VANET. According to the authors, their scheme is efficient in terms of both computation cost and communication overhead. In addition, the vehicles that come in the orbit of RSU securely distribute the group key among the vehicles. The RSU uses the group key to send the message related to the location among the neighboring vehicles via a secure channel. Vijayakumar et al. [30] proposed a novel batch authentication and key exchange protocol based on 6G technology for VANET. In addition, their scheme reduces the load on the RSU in congested areas. An elliptic curve-based intelligent conditional privacy-preserving technique for VANET has been proposed in [31]. The authors claimed that this scheme is secure, efficient, and can easily deploy. A cuckoo filter-based authentication scheme that improved timed efficient stream loss tolerance for VANETs was proposed in [32]. The authentication information of vehicles that came under the communication range of the RSU can be saved by a cuckoo filter. This scheme provides robust, anonymous authentication and reduces costs. To provide safety in VANET, an efficient anonymous mutual authentication approach with privacy is proposed in [32]. In their scheme, the trusted authority preloaded a group of pseudonym identities and a group of private keys to each vehicle, which may cause problems for managing huge certificates, which will increase the burden for management of certificates for TA due to the limited storage capacity of the vehicle. Ren et al. [33] proposed a blockchain-based, certificateless public key signature scheme for VANET. Their scheme provides support for batch verification of signatures, and blockchains are used to protect the privacy of vehicles. Moreover, this scheme also realized the traceability property. An authentication approach for global mobility networks was proposed in [34]. This scheme is based on an elliptic curve cryptosystem and therefore takes much execution time to perform major cryptographic operations.

The schemes discussed in the literature have some problems. Due to the fast movement of vehicles in VANET, the performance of signature-based schemes is not optimal. OBU has limited storage capacity, computing power, and power. The signing and verification of road safety-related messages slows down due to heavy cryptographic operations. For example, bilinear pairing operations consume more time for message’s signing and verification process [30]. Therefore, it is difficult for RSU to verify a large number of vehicles in its range moving with high speed in a short period of time. This puts a heavy burden on the verification vehicle, and behind the current demand for an efficient and lightweight scheme that validates many traffic-related messages on V2V, V2RSU, and RSU2RSU connections in high traffic density areas without compromising safety. On the other hand, a group signature-based scheme requires registration of each vehicle with the TA and receives its private key via a secure channel. These time-consuming operations create hurdles for vehicles to change private keys easily. Therefore, the likelihood of an attack increases.

Motivations

VANETs and vehicles travel at high speeds; therefore, the schemes mentioned in the literature are not optimal for such an environment. The OBU fixed in the vehicle has limited storage capacity, power supply, and computational power. Various major cryptographic operations slow down the signature generation and verification processes of road safety-related messages. For example, elliptic curve point multiplication and point addition are considered to be the most time-consuming operations in ECC-based schemes. Therefore, it is difficult to verify vehicles moving at high speeds by the RSU in a short time period in its communication range. It creates a high load on verifying entities, which is the reason it demands a secure and efficient lightweight and anonymous authentication and key establishment scheme for IoT-based vehicular ad hoc networks.

3. System Model

The network and thread models are presented in this section.

3.1. Network Model

The network model for VANET used in the SELWAK is shown in Figure 1. In this model, the entities involved are vehicles (V_i), roadside units (RSU_s), and TA. In the network model, three types of participation involved: V2V, V2RSU and RSU2RSU.The TA is responsible for generating identities, for example, keys, and identities for vehicles and RSU_s. The information generated by TA is stored in the memory of RSU_s and OBU_s, which can be used for authentication purposes. In light of the proposed model, the authentication processes that are required are V2V, V2RSU and RSU2RSU.

3.2. Threat Model

According to this model, all entities are assumed to communicate with each other through the insecure channel. RSU_s are also assumed to be semi-trusted. An attacker can easily delete, modify, or eavesdrop the transmitted message. As RSU_s are considered semi-trusted, we considered that the RSU’s confidential information is stored in tamper-proof devices within RSU_s. However, we considered that OBU_s are not installed with tamper-proof devices. Moreover, by using a power analysis attack [22,23], an attacker can extract all the sensitive information from some stolen OBU_s of the vehicles. Finally, the TA is considered a fully trusted authority.

4. Proposed Scheme

In this paper, a novel lightweight and anonymous authentication and key establishment scheme for IoT-based VANETs is proposed. In SELWAK, when a vehicle joins the region of another vehicle, anonymous mutual authentication between the vehicles is performed to avoid communication with malicious vehicles. To perform different types of wireless communications in VANETs, our authentication scheme can be divided into three categories: Vehicle-to-Vehicle, Vehicle-to-Roadside Unit, and Roadside Unit-to- Roadside Unit authentication. The proposed scheme works in four phases: registration phase, authentication, and key agreement phase, RSR-to RSU key establishment phase, and password change phase. Before giving a detailed description of the various phases, we briefly describe each phase in Figure 2. The definitions of the notations in our scheme are described in

Table 1. Notations used in the paper.

Notation	Description
$RS{U}_j$	jth Roadside Units
$V_i$	ith Vehicle
$Dr{v}_i$	$\mathrm{Driver}\mathrm{of}\mathrm{the}\mathrm{vehicle}{V}_i$
$dr{v}_{id}$	Identity of the driver
$RSUI{D}_j$	$\mathrm{Identity}\mathrm{of}RS{U}_j$
$Mdr{v}_{id}$	Masked Identity of drivers
$TMRS{U}_j$	$\mathrm{Time}\mathrm{dependent}\mathrm{masked}\mathrm{identity}\mathrm{of}RS{U}_j$
$OB{U}_i$	ith Onboard Unit
$T{A}_{id}$	Identity of TA
α, β	160 bits secret keys of TA
$PW{D}_i$	Password chosen by drivers
$R{T}_{vi}$	$\mathrm{Registration}\mathrm{time}\mathrm{stamp}\mathrm{of}{V}_i$
$R{T}_{RSUj}$	$\mathrm{Registration}\mathrm{time}\mathrm{stamp}\mathrm{of}RS{U}_j$
T	Current time stamp
N	Random Nonce
ΔT	Max transmission delay
h(.)	One way hash function
||	Concatenation
⊕	Bitwise XOR operation

.

4.1. Registration Phase

In this phase, the registration of vehicles and roadside units is done in the following ways.

4.1.1. Vehicle Registration Phase

It is necessary to register each vehicle offline with the TA for secure V2V and V2R communication. The vehicle’s registration with the TA is a one-time process; hence, for the execution of this process, a secure channel is required, e.g., in person. The steps below are used for this purpose.

• The driver Drv_i of vehicle V_i, on his own choice, chooses a password PWD_i and unique identity Drv_id and two 160-bit random numbers s_i and k. OBU_i computes a masked password $MPW{D}_i=h(PW{D}_i\left|\right|s_i)$, transmit $(dr{v}_{id},(MPW{D}_i\oplus k\left)\right)$to the TA through a secure channel.
• After receiving the registration request $(dr{v}_{id},(MPW{D}_i\oplus k\left)\right),$TA calculated $Mdr{v}_{id}=h(dr{v}_{id}\left|\right|a),E{ }_1=h(Mdr{v}_{id}\left|\right|\alpha )$using a pre-generated 160-bit secret key α. It further calculate $E_2=h(dr{v}_{id}\left|\right|E_1\left|\right|T{A}_{id}),r=h(T{A}_{id}\left|\right|\alpha ),r^{\prime }=h(T{A}_{id}\left|\right|\beta ),A_1=r\oplus E_2\oplus (MPW{D}_i\oplus k),\mathrm{and}{A}_2=r^{\prime }\oplus E_2\oplus (MPW{D}_i\oplus k).$Furthermore, for every registered vehicle V_i, a unique secret key $SeK{V}_i$ is also generated by TA and computes time based credential $T{V}_i=h(SeK{V}_i\left|\right|R{T}_{vi}\left|\right|dr{v}_{id})$ on the basis of timestamp generated duringregistration time $R{T}_v\mathrm{of}{V}_i\mathrm{and}\mathrm{identity}dr{v}_{id}\mathrm{of}\mathrm{driver}.$Then, TA transmit $(Mdr{v}_{id},T{V}_i,T{A}_{id},E_1,E_2,A_1,A_2)$ to through a secure channel.
• After receiving information $\left(Mdr{v}_{id}, T{V}_i,T{A}_{id},E_1, E_2, A_1, A_2\right), OB{U}_i$ compute $$\begin{gathered} f_i=h(PW{D}_i\left|\right|dr{v}_{id})\oplus s_i{, E}_1^{\prime } =E_1\oplus h(dr{v}_{id}\left|\right|s_i), {\mathit{TA}}_{\mathit{id}}^{\prime }h({drv}_{id}\left|\right|s_i)T{A}_{id}, E_3=h({drv}_{id}\left|\right| \\ MPW{D}_i\left|\right|{TA}_{id}\left|\right|E_1),E_4=h(E_3\left|\right|E_2),Mdr{v}_{id}^{\prime }=Mdr{v}_{id}\oplus h(PW{D}_{id}\left|\right| \\ dr{v}_{id}\left|\right|s_i), {\mathit{TV}}_i^{\prime } = {TV}_i\oplus h({PWD}_i\left|\right|s_i),A=A_1\oplus k=r\oplus E_2\oplus MPW{D}_i. \end{gathered}$$

OBU_i then deletes k$,Mdr{v}_{id},T{V}_i,$TA_id, E₁, A₁ and A₂ from its memory. Finally, OBU_i contains $\{Mdr{v}_{id}^{\prime }, {TV}_i^{\prime }, {\mathit{TA}}_{\mathit{id}}^{\prime }, f_i, Y, E_1^{\prime },E_4,h(·)\}.$ The pictorial representation of algorithm is given in Figure 3.

4.1.2. Roadside Unit Registration Phase

Trusted authority generates 160-bit secret keys α and β, before deployment of $RS{U}_s$ in VANETs. Then trusted authority generates unique identities of $RS{U}_s$ like $RS{U}_{id1}$, $RS{U}_{id2}$ … $RS{U}_{idn}$ and corresponding masked identities ${\gamma }_i,{\gamma }_j \dots {\gamma }_n$ that are generated as $\gamma =h (RS{U}_{idk}||\beta ).$ The TA further generates identities for $RS{U}_j$ as $r{ }^{\prime }=h(T{A}_{id}|| \beta )$. In addition, TA generates time-based identities for each $RS{U}_j$ as $T{\mathit{RSU}}_j=h\left({\mathit{TA}}_{\mathit{id}}\left|\left|{\mathit{RTRSU}}_j\right|\right|\beta \right)$. The $RS{U}_j$ then give the information $\left\{r, \gamma ,TRS{U}_j\right\}.$ In our scheme γ is used for Vehicle V_i to $RS{U}_j$ authentication and $TRS{U}_j$ is used for symmetric key establishment between $RS{U}_s$. The polynomial-based key distribution for RSU2RSU key establishment. To do this, TA first selects bivariate polynomial $þ\left(x,y\right)$ = $þ\left(x,y\right)={\displaystyle \sum }_l^{n}0{\displaystyle \sum }_{m=0}^n{s}^l,m^{x^l{y}^m}\in GF\left(þ\right)\left[x,y\right]$ over a finite field degree n. For each $RS{U}_j$ TA computer polynomial share $þ\left(TRS{U}_j, y\right).$ The $RS{U}_j$ is also loaded with $þ\left(TRS{U}_j, y\right)$ in its memory.

4.2. Authentication and Key Establishment Phase

Initially, $Dr{v}_i$ inputs a password ${\mathit{PWD}}_i^{*}$ and identity drv_id to $OB{U}_i$. The $OB{U}_i$ calculates $s_i^{*}=f_1\oplus h(PW{D}_i^{*}||dr{v}_{id}$), $E_1^{*}=E_1^{\prime }\oplus h(dr{v}_{id}||s_i^{*}$) $=h(Mdr{v}_{id}||\alpha )$, $MPD{W}_i^{*}$ = h($PW{D}_i^{*}$ ||$s_i^{*}$), $T{A}_{id}^{*}$ = $T{A}_{id}^{\prime }\oplus$h($dr{v}_{id}$ ||$s_i^{*}$) and $Mdr{v}_{id}$ = $Mdr{v}_{id}^{\prime }\oplus$h($PW{D}_i^{*}$||$dr{v}_{id}$||$s_i^{*}$). $OB{U}_i$ further computes E₂* = h ($Mdr{v}_{id}$||$E_1^{*}$||${TA}_{id}^{*}$), $r=A\oplus E_2^{*}\oplus MPD{W}_i^{*}$, $r\prime =A\prime \oplus E_2^{*}\oplus MPD{W}_i^{*}$,$E_3^{*}$ = h ($dr{v}_{id}$||$MPD{W}_i^{*}$||$T{A}_{id}^{*}$||$E_1^{*}$) and $E_4^{*}$ = h ($E_3^{*}$||$E_2^{*}$). Inputting correct credentials: password and identity by authorized users. Each vehicle also computes the same r and r’. OBU_i checks the condition if $E_4^{*}$ = E₄. If conditions hold, it implies that $dr{v}_i$ is authentic users. If the condition is not satisfied, then the phase is terminated. In addition, $OB{U}_i$ also computes $T{V}_i=T{V}_i^{\prime }\oplus MPD{W}_i^{*}$.

4.2.1. V-To-V Authentication and Key Establishment Phase

In V2V authentication, two neighboring vehicles perform the following steps:

• Onboard Unit OBU_i generates current timestamp T₁ and chooses random nonce $N_{OBUi},$and computes secret key $KS{r}_1=h\left(r\right||T_1).$Two neighbor vehicles used r and $r^{\prime }$ for authentication in VANETs. An OBU_j further compute $J_1=h(N_{OBUi}\left|\right|Mdrv{ }_{id}\left|\right|TV{ }_i\left|\right|T_1),L_1=KS{r}_1\oplus J_1$ and $L_2=h(J{ }_1{\left|\right|\mathit{TA}}_{\mathit{id}}^{*}\left|\right|T_1),$and sends authentication requests {L₁, L₂, T₁} to its neighboring vehicle through a public channel.
• “After receiving {L₁, L₂, T₁}, OBU_j validates the timeliness of T₁ by checking condition $|T1-T1*|\le \Delta T,$where $T1*$ is the time when the message is received and ΔT is the maximum transmission delay. If the condition holds, OBU_j calculates the time-dependent secret key $KS{r}_1=h\left(r\right|\left|T1\right)$ on the basis of T₁ and previously computed r. It then computes $J_1^{\prime }=KS{r}_1\oplus L_1=h(N_{OBUi}\left|\right|Mdr{v}_{id}\left|\right|T{V}_i\left|\right|T_1).$To proceed, it then calculates $L_3=h(J_1^{\prime }\left|\right|T{A}_{id}^{*}\left|\right|T_1).$The OBU_i further checks the condition L₃ = L₃, if condition holds then V_j authenticate V_i and reject otherwise.
• The OBU_j selects a random nonce $N_{OBUi}$ and current timestamp T₂, and computes time-dependent secret key $KS{r}_2=h(N_{OBUj}\left|\right|T_2),J_2=h(N_{OBUj}\left|\right|Mdr{v}_{idj}\left|\right|T{V}_i\left|\right|T_1\left|\right|T_2)\mathrm{and}L{ }_4= T{V}_i\oplus J_2.$Then, the session key is computed $S_{kvv}=h\left(h\right(r\left|\right|T{ }_1\left|\right|T_2\left)\right||J_1^{\prime }\left|\right|J_2\left|\right|T{A}_{id}^{*})\mathrm{and}{L}_5=h(S_{kvv}\left|\right|T_2),$ and sends {L₄, L₅, T₂} to V_i via a public channel.
• On the reception of {L₄, L₅, T₂}, OBU_i also checks the validity of T₂ by $|T2-T2*|\le \Delta T,$where $T_2^{*}$ I message arrival time. If the condition is fulfilled, by using received T₂ and earlier computer r and $J_2^{\prime }=KS{r}_2\oplus L_4=h(N_{OBUj}\left|\right|Mdr{v}_{idj}\left|\right|T{V}_j\left|\right|T_1\left|\right|T_2).$, OBU_i computes $KS{r}_2=h\left(r\right||T_2)$. The OBU_i further computes the session key $S_{kvv}^{\prime }=h\left(h\right(r\left|\right|T_1\left|\right|T_2\left)\right||J_1\left|\right|J{ }_2^{\prime }\left|\right|T{A}_{id}^{*}),L_6=h(S_{kvv}^{\prime }\left|\right|T_2).$ It then checks the condition L₆ = L₅. If the condition is satisfied, V_i successfully authenticates_. Using the current timestamp T₃, the OBU computes $L_7=h(S_{kvv}^{\prime }\left|\right|T_3),$and finally sends a response message {L₇, T₃} to V_j via a public channel.
• On the reception of {L₇, T₃}, OBU_j checks the correctness of T₃ by checking condition $|T3-T3*|\le \Delta T,\mathrm{where}T3*$ is reaching time. Then, it computes $L_8=h(S{ }_{kvv}\left|\right|T_3)$and checks whether $L{ }_8=L_7.$If the condition is satisfied, the session key computed by OBU_i is correct, and it guarantees that both V_i and the session key are established by V_j in this way $S_{kvv}(=S_{kvv}^{\prime })\mathrm{to}$start mutual communication. The pictorial representation of algorithm is given in Figure 4.

4.2.2. V-to-RSU Authentication and Key Establishment Phase

In this phase, vehicle $V_i$ and neighbor roadside unit RSU_j perform the following steps for authentication and key establishment:

• An OBU_i chooses a timestamp T₁ and random nonce $N{V}_i$ and calculates the time-dependent key $S{K}_r^{\prime }=h(r^{\prime }\left|\right|T1)$on the basis of previously calculated r. It further computes $J_1=h(N{V}_i\left|\right|Mdr{v}_{id}\left|\right|T{V}_i\left|\right|T_1),L{ }_1=S{K}_{r1}^{\prime }\oplus J_1\mathrm{and}{L}_2=h(J_1\left|\right|TA{ }_{id}^{*}\left|\right|T_1)$and sends {L₁, L₂, T₁} as an authentication message to its nearby RSU_j through a public channel.
• After receiving {L₁, L₂, T₁} RSU_j validate T₁. If it validates the timestamp, then RSU_j calculates the time-dependent key $S{K}_{r1}^{\prime }=h(r^{\prime }\left|\right|T_1)\mathrm{on}\mathrm{the}\mathrm{basis}\mathrm{of}{T}_1.\mathrm{It}\mathrm{then}\mathrm{computes}{J}_1^{\prime }=S{K}_r^{\prime }\oplus L_1=h(N{V}_i\left|\right|Mdr{v}_{id}\left|\right|T{V}_i\left|\right|T_1)\mathrm{and}{L}_3=h(J_1^{\prime }\left|\right|TA{ }_{id}^{*}\left|\right|T_1).$If L₃ = L₂ holds the RSU_j authenticate V_i and reject otherwise.
• The RSU_j then chooses the current timestamp T₂ and random nonce N_RSU to calculate another time-dependent key $K{S}_r=h(r^{\prime }\left|\right|T_2),J_2=h(N_{RSUj}\left|\right|\gamma \left|\right|T_1\left|\right|T_2)\mathrm{and}{L}_4=K{S}_r\oplus J_2.$It further calculates the session key $S_{kVR}=h\left(h\right(r^{\prime }\left|\right|T_1\left|\right|T_2\left)\right||J_1^{\prime }\left|\right|J_2\left|\right|TA{ }_{id}^{*})$ and $L_5=h(S_{kVR}\left|\right|T_2),$ and sends message {L₄, L₅, T₂} to V_i through an open channel. The pictorial representation of algorithm is given in Figure 5.

4.3. Key Establishment Phase between RSU_s

Two neighbor Roadside Units, namely RSU_u and RSU_v established pairwise key using the following steps.

• The random nonce $N_{RSU}{}_u$ is generated by RSU_u and sends $\{TRS{U}_u,N_{RSU}{}_u\}$to RSU_v.
• Upon receiving “$\{TRS{U}_u,N_{RSU}{}_u\},$RSU_u calculates symmetric key shared with RSU_u as $S_{kRR}=þ(TRS{U}_v,TRS{U}_u)$ by pre-loaded polynomial share þ (TRS_v, y) and $S_{KV}=h(S_{kRR}\left|\right|N_{RSU}{}_u).$The RSU_v then sends the message $\{TRS{U}_u,S_{KV}{\}\mathrm{to}\mathit{RSU}}_u.$
• Finally, on reception of ${\{\mathit{TRSU}}_u{,S}_{\mathit{KV}}\},$RSU_u calculate the symmetric key and share with RSU_u$\mathrm{as}{S}_{kRR}^{\prime }=þ(TRS{U}_u,TRS{U}_v\left)\right(=S_{kRR})$by pre-loaded polynomial share þ (TRSU_u, y) and $S_{KV}^{\prime }=h(S_{kRR}^{\prime }\left|\right|N_{RSU}{}_u)$ on the basis of its own already generated random nonce $N_{RSU}{}_u.$In addition to this, RSU_u proves if $S_{KV}^{\prime }=S_{KV}.\mathrm{If}\mathrm{the}\mathrm{condition}\mathrm{is}\mathrm{satisfied},$it showed that both RSU_u and RSU_v used valid symmetric keys for their onward communication.
• After receiving {L₄, L₅, T₂}, OBU_i also validates T₂. If it is valid, then OBU_i calculate time-dependent key $S{K}_{r2}^{\prime }=h(r^{\prime }\left|\right|T_2)\mathrm{on}$the basis of T₂ and $J_2^{\prime }=S{K}_r^{\prime }\oplus L_4=h(N_{RSUj}\left|\right|\gamma \left|\right|T_1\left|\right|T_2).$ It further calculates a session key $S_{kVR}^{\prime }=h\left(h\right(N_{RSUj}\left|\right|\gamma \left|\right|T_1\left|\right|T_2\left)\right||J_1\left|\right|J_2^{\prime }\left|\right|TA{ }_{id}^{*})$and $L_6=h(S_{kVR}^{\prime }\left|\right|T_2).\mathrm{If}\mathrm{condition}{L}_6=L_5$ is satisfied then V_i successfully authenticate RSU_j. The OBU_i again generates the current timestamp T₃ to calculates $L_7=h(S_{kVR}^{\prime }\left|\right|T_3)$ and sends {L₇, T₃} to RSU_j through an open channel.
• Upon receiving a message {L₇, T₃}, RSU_j Validates T₃. If it is valid, then RSU_j calculates $L_8=h(S_{kVR}\left|\right|T_3)$ and checks whether L₈ = L₇. If the condition is satisfied, then the session key computed by OBU_i is correct.

4.4. Password Update Phase

In SELWAK, after the registration phase, the Vehicle’s $OB{U}_i$ can update password without using a verification table. The legal user changes the password periodically to improve the security of the system. The following steps are used:

• Drv_i provides provides an identity drv_id and an old password $$\begin{gathered} PW{D}_i^{old}.\mathrm{The}OB{U}_i\mathrm{then}\mathrm{computes}{s}_i^{*}=f_i\oplus h(PW{D}_i^{old}\left|\right|dr{v}_{id}),E_1^{*}=E_1^{\text{'}}\oplus h(dr{v}_{id}\left|\right|s_i^{*}), \\ MPW{D}_i^{old}=h(PW{D}_i^{old}\left|\right|s_i^{*}),T{A}_{id}^{*}=T{A}_{id}^{\text{'}}\oplus h(dr{v}_{id}\left|\right|s_i^{*}),Mdr{v}_{id}^{*}=Mdr{v}_{id}^{\text{'}}\oplus h(PW{D}_i^{old}\left|\right|dr{v}_{id}\left|\right|s_i^{*}), \\ {E}_2^{*}=h(Mdr{v}_{id}^{*}\left|\right|E_1^{*}\left|\right|T{A}_{id}^{*}),E_3^{old}=h(dr{v}_{id}\left|\right|MPW{D}_i^{old}\left|\right|T{A}_{id}^{*}\left|\right|E_1^{*})\mathrm{and}{E}_4^{old}=h(E_3^{old}\left|\right|E_2^{*}). \end{gathered}$$
  ${\mathit{OBU}}_i\mathrm{checks}\mathrm{if}{E}_4^{old}=E_4.$ If the condition is not satisfied, the password updating process is stopped. Else, $Dr{v}_i\mathrm{is}\mathrm{a}\mathrm{authentic}$ user and allowed the OBU_i to update the password.
• The driver Drv_i is requested to give a new password $PW{D}_i^{new}.$Then, it computes $$\begin{gathered} Mdr{v}_{id}^{**}=Mdr{v}_{id}^{*}\oplus h(PW{D}_i^{new}\left|\right|dr{v}_{id}\left|\right|s_i^{*}),T{V}_i^{*}=T{V}_i^{\prime }\oplus MPW{D}_i^{old},T{V}_i^{**}= \\ T{V}_i^{*}\oplus h(T{V}_i^{*}\oplus s_i^{*}),f_i^{new}=h(PW{D}_i^{new}\left|\right|dr{v}_{id}\oplus s_i^{*}\left)\right),MPW{D}_i^{new}=h(PW{D}_i^{new}\left|\right|s_i^{*}), \\ {E}_3^{new}=h(dr{v}_{id}\left|\right|MPW{D}_i^{new}\left|\right|T{A}_{id}^{*}\left|\right|E_1^{*}),E_4^{new}=h(E_3\left|\right|E_2^{*}), \\ {A}^{*}=A\oplus (MPW{D}_i^{old}\oplus PW{D}_i^{new})=r\oplus E_2\oplus PW{D}_i^{new}\mathrm{and}A**=A\prime \oplus (PW{D}_i^{old}\oplus PW{D}_i^{new})= \\ {r}^{\prime }\oplus E_2\oplus PW{D}_i^{new}. \end{gathered}$$
• Finally, OBU_i replaces $PW{D}_i^{\prime },T{V}_i^{\prime },f_i,A,A^{\prime }\mathrm{and}{E}_4$ with $dr{v}_{id}^{**},T{V}_i^{**},f_i^{new},A^{*},A^{**}\mathrm{and}{E}_4^{new}$ in its memory. Therefore, OBU_i contains the message $\{Mdr{v}_{id}^{**},T{V}_i^{**},T{A}_{id}^{\prime },f_i^{new},A^{*},A^{**},A_1^{\prime },E_4^{new},h(·)\}$ after the password update. The pictorial representation of algorithm is given in Figure 6.

5. Security Analysis

The RoR model [21] was used for the formal security analysis of SELWAK. We also show that our scheme is secure against well-known attacks.

5.1. Formal Security Analysis

Formal security analysis of SELWAK is presented using the Real-or-Random (RoR) model. The security of the session key is shown using the RoR model for the proposed scheme. There are two main participants in our scheme: Vehicle V_i and Roadside Unit $RS{U}_j$. The RoR [35] has the following components.

5.1.1. Participants

Let ${ῃ}_{vi}^t$ and ${ῃ}_{RSUj}^u$ be the instance t and u of the V_i and $RS{U}_j$, and called as oracles.

5.1.2. Accepted State

The ${ῃ}^t$ is an instance that is called an accepted state. Upon reception of the last message, it changes into an accepted state. The ${ῃ}^t$ concatenate the entire sent and received messages in proper order and for the current session form a session identification of ${ῃ}^t$.

5.1.3. Partnering

Two of the instances ${ῃ}^{t1}$ and ${ῃ}^{t2}$ are called the partners of each other if they fulfill the following conditions.

• Both of ${ῃ}^{t1}$ and ${ῃ}^{t2}$ are in valid accepted states.
• Both of ${ῃ}^{t1}$ and ${ῃ}^{t2}$ mutual authenticate and share identical session identification.
• Both of ${ῃ}^{t1}$ and ${ῃ}^{t2}$ are mutual partners [36].

5.1.4. Freshness

If attacker A cannot apply the key generated for a particular session of two nodes on the bases reveal query then ${ῃ}_{vi}^t$ and ${ῃ}_{RSUj}^u$ are called fresh.

5.1.5. Adversary

Adversary A has full control over the communication between the partners and has the ability to alter the message. Adversary has the following access to queries:

• EX (${ῃ}_{vi}^t$, ${ῃ}_{RSUj}^u$): An adversary executes this query to obtain a message that is exchanged between two original partners. This is called an eavesdropping attack.
• RL (${ῃ}^t$): An adversary using this query gets the current session key generated by ${ῃ}^t$.
• SN (${ῃ}^t$, message): By executing this query, an adversary sends a message to the participant and receives the message. This is called an active attack.
• OBU (${ῃ}_{vi}^t$): An adversary executes this query to extract stored information in OBU. This is called a stolen attack.
• Test (${ῃ}^t$):It models the semantic security ofa session key. After starting the experiment, coin c is flipped, and only the adversary can know the output. This is helpful for determining the output of a test query.

5.1.6. Session Key’s Semantic Security

The main task of an attacker is to differentiate the real session key from the random session key of an instance in the RoR model. An adversary has several test queries to either ${ῃ}_{vi}^t$ and ${ῃ}_{RSUj}^u$. The random bit c and the output of the test query should be consistent. When an experiment is over, an adversary outputs a guessed bit $c\prime$ and wins the game if $c\prime =c$. Suppose Win is an event in which an adversary can win a game. The advantage of Adversary is that it breaks the semantic security of the proposed authentic key exchange schemes. Authentic key exchange is defined by $a{d}_{TA}^{AKE}=\left|2pr\left[Win\right]-1\right|$. TA is secure if $a{d}_{TA}^{AKE}\le \theta$ for a sufficient smart real number θ > 0.

5.1.7. Random Oracle

All the participants, including the adversary, will have to access a one-way hash function, which is called the random oracle model [36].The security proof of Theorem 1 presented in [20] is the same. The breaking of the semantic security of the session key for V2V and V2R is proved in Theorem 1 [37].

Theorem 1.

In the RoR model, intruder A runs in polynomial time t against the SELWAK. Let Q_h, |Hash|, Dec, |Dec| and Q_SN be a number of the H queries, the range space of h(·), distributed password dictionary, size of dictionary, and number of sent queries. An adversary’s advantage $a{d}_{TA}^{AKE}$break the semantic security of the session key between OBU and RSU in the proposed scheme is defined as

$$a{d}_{TA}^{AKE}\le Q_h^2/\left|Hash\right|+\raisebox{1ex}{$2.Q_{SN}$}\!\left/ \!\raisebox{-1ex}{$\left|Dec\right|$}\right..$$

(1)

Proof. 

As in the Chang and Le scheme [36], here the sequences of the four games says G_i = (0,1,2,3). Win_i is an event where an adversary can successfully guess a bit c in game G_i. Below is a detailed description of these games. □

Game G₀: In the random oracle model, it is considered a real attack of the adversary on the proposed scheme. An adversary first guess bit c at the start of the game. By definition, we have

$$a{d}_{RSU}^{AKE}=\left|2prb\left[Wi{n}_0\right]-1\right|$$

(2)

Game G₁: In this game, an eavesdropping attack of an adversary is simulated by executing an EX (${ῃ}_{vi}^t$, ${ῃ}_{RSUj}^u$) query. At the end of the game, the adversary makes a test query. An adversary will have to know whether the test query’s output is the real session key of the vehicle and RSU or a random number. We get

$$Prb\left[Wi{n}_0\right]=Prb\left[Wi{n}_1\right]$$

(3)

Game G₂: In this game, an active attack on an adversary is simulated. An adversary tries to cheat the participants to receive the altered message. To verify the collision in the hash output, an adversary is allowed to query several oracles. When the birthday paradox is applied, we have

$$\left|Prb\left[Wi{n}_1\right]-Prb\left[Wi{n}_2\right]\right|\le Q_h^2/2\left|Hash\right|$$

(4)

Game G₃: In this game, the Corrupt OBU query is simulated. An adversary extracts the information stored in OBU_i. It is difficult to calculate the correct password. If the system only allows a specific password as an input, we can get

$$\left|Prb\left[Wi{n}_2\right]-Prb\left[Wi{n}_3\right]\right|\le \raisebox{1ex}{$Q_{SN}$}\!\left/ \!\raisebox{-1ex}{$\left|Dec\right|$}\right.$$

(5)

An adversary can simulate all the games except that an adversary needs to guess c to win the game after the test query to oracle; we get $Prb\left[Wi{n}_3\right]=1/2$ from Equation (1), we have

$$\left(1/2\right)a{d}_{RSU}^{AKE}=\left|prb\left[Wi{n}_0\right]-1/2\right|.$$

(6)

With the help of triangular inequality, we have $\left|Prb\left[Wi{n}_1\right]-Prb\left[Wi{n}_3\right]\right|\le \left|Prb\left[Wi{n}_1\right]-Prb\left[Wi{n}_2\right]\right|+\left|Prb\left[Wi{n}_2\right]-Prb\left[Wi{n}_3\right]\right|\le Q_h^2/2\left|Hash\right|+\raisebox{1ex}{$Q_{SN}$}\!\left/ \!\raisebox{-1ex}{$\left|Dec\right|$}\right.$. As a result, Equations (2) and (6) become

$$\left|prb\left[Wi{n}_0\right]-\frac{1}{2}\right|\le Q_h^2/2\left|Hash\right|+\raisebox{1ex}{$Q_{SN}$}\!\left/ \!\raisebox{-1ex}{$\left|Dec\right|$}\right..$$

(7)

Finally, from Equations (6) and (7). we get $a{d}_{TA}^{AKE}\le Q_h^2/\left|Hash\right|+\raisebox{1ex}{$2.Q_{SN}$}\!\left/ \!\raisebox{-1ex}{$\left|Dec\right|$}\right.$.

5.2. Informal Security Analysis

In this section, the proposed scheme’s resilience against some well-known attacks is discussed, and the security features of the proposed scheme are also compared with existing schemes.

• Replay Attack: In the V2V and V2RSU authentication processes, the corresponding messages MSG₁ = (L₁, L₂, T₁) and MSG₂ = (L₇, T₃) have timestamps T₁ and T₃. If an attacker wants to reply to the message with delay, then the timestamp attached to the message will fail. Therefore, our scheme is robust against reply attacks.
• Impersonation Attack: During the V2V authentication an attacker can impersonate the vehicle; to do so, an attacker must create an authentic message MSG₁ = (L₁, L₂, T₁). For creating MSG₁ an attacker requires secret r. An attacker cannot calculate message MSG₁ even if he/she generates his/her own timestamp and random none as secret r, Mdrv_id, TV_i and TA_id.
• Man-in-the-middle Attack: In the proposed scheme, two messages, namely MSG₁ = (L₁, L₂, T₁) and MSG₂ = (L₇, T₃) are required for V2V authentication. If an attacker wants to modify the message, then he/she first generates a current timestamp and random nonce. An attacker cannot calculate KS_r1A = h(r||T_1A as he/she did not have a secret key. Thus, an attacker cannot modify messages.
• Stolen Verifier Attack: The information (${\mathit{Mdrv}}_{id}^{\prime }$, ${\mathit{Mdrv}}_{id}^{\prime }$, ${TV}_i^{\prime }$, ${TA}_{id}^{\prime }$, f_i, Y, $E_1^{\prime }$, E₄, h(·)) is stored in OBU_i of the vehicle. We assume that an attacker can steal stored information from OBU_i. However, the one-way hash function protects the secrets PWD_i, r, r’, TA_id, drv_id. An attacker cannot guess the secrets PWD_i, r, r′, TA_id, drv_id correctly due to the collision resistance property of a one-way hash function.
• Stolen OBU Attack: Suppose that an attacker has stolen the OBU_i of the vehicle. An attacker can extract the stored information (${\mathit{Mdrv}}_{\mathit{id}}^{\prime }$, ${\mathit{Mdrv}}_{\mathit{id}}^{\prime }$, ${\mathit{TV}}_i^{\prime }$, ${\mathit{TA}}_{\mathit{id}}^{\prime }$, f_i, Y, $E_1^{\prime }$, E₄, h(·)) from OBU_i. It is difficult for an attacker to drive drv_id from Mdrv_id without having the secret α.
• Untraceability: In the V2V and V2RSU authentication phases of the proposed scheme, two messages are followed: MSG₁ = (L₁, L₂, T₁) and MSG₂ = (L₇, T₃). All messages are distinct in each session, and the attacker cannot trace the RSU or vehicle.
• Anonymity: In the proposed scheme, the messages for V2V and V2RSU authentication do not involve the identities of the RSU and the user. Therefore, it is infeasible for an attacker to drive the real identities of the RSU and the user. Hence, the proposed scheme satisfies the anonymity property.
• Insider Attack: SELWAk is robust against insider attacks. The neighboring vehicles cannot get unauthorized access to the sensitive information of a particular vehicle by stealing its credentials.

6. Performance Analysis

In this section, the performance of the proposed scheme and the existing schemes are analyzed. The proposed scheme is implemented with the following specifications: 2.66 GHz Intel(R) Core TM 2 Quad processor with 4 GB of memory using Windows 10. We compared SELWAK with some existing schemes based on computational costs, as well as communication costs. The performance result shows that our scheme is efficient in terms of computational cost and communication overhead compared to existing schemes.

6.1. Computation Overhead

The notations T_pm-ECC, T_pa-ECC, and T_h used in

Table 2. Computation Cost Comparison.

Scheme	Total Computational Overhead	Total Execution Time (ms)
[17]	500Th	≈0.5
[19]	1Tpm − ECC + 1Tpa − ECC	≈0.6749
[20]	2Tpm − ECC + 1Tpa − ECC	≈1.3467
[21]	2Tpm − ECC + 1Tpa − ECC + Th	≈1.3477
[32]	6 Tpm − ECC + 1 Tpa − ECC + 4 Th	≈4.0348
[24]	7 Tpm − ECC + 2 Tpa − ECC + 4 Th	≈4.7128
[27]	5 Tpm − ECC + 1 Tpa − ECC + 4 Th	≈3.3661
[38]	4Tpm − ECC + 12Th	≈2.6992
SELWAK	16 Th + 11 TXOR	≈0.016

represent Elliptic Curve Cryptographic points multiplication, Elliptic Curve Cryptographic points addition, and one-way hash function, respectively. As bitwise XOR operations take negligible time, we have not considered them for performance evaluation.

We have considered the values 0.6718 ms, 0.0031 ms, and 0.001 ms for various cryptographic operations like T_pm-ECC, T_pa-ECC, and T_h from existing experimental values [5,19,27]. The computational costs of SELWAK and some existing schemes are compared in Table 2. The schemes to which we compare our work include those of Zhong et al. [17], Ali et al. [19], Cui et al. [20], Xie et al. [21], Li et al. [24], Al-shareeda et al. [27], and Jalawai et al. [32]. An authentication scheme with privacy preservation property based on identity was proposed in [17]. To reduce communication overhead, a registration list is used instead of a revocation list. The security features of VANET were not affected by malicious vehicles. Moreover, their scheme did not use bilinear pairing operations, which takes more execution time. An elliptic curve cryptography-based and identity-based signature with a conditional privacy-preserving authentication scheme and general one-way hash functions for V2V communication is proposed in [19]. Cui et al. [20] presented a secure authentication approach with privacy properties for VANET. This scheme uses ECC and identity-based signatures for both V2I and V2V communication. The authors used the binary search method and the cuckoo filter method to improve the success rate of batch signature verification. Xieet al. [21] proposed a robust and secure conditional privacy-preserving scheme using identity-based authentication. The reliability and integrity of the messages are ensured using identity-based signatures for V2V and V2I communication. Performance analysis shows that this scheme has a high computational cost and communication overhead. To ensure secure communication in VANET, an authentication scheme based on ECC that satisfies privacy preservation is proposed in [27]. An efficient, provably-secure and anonymous conditional privacy-preserving authentication scheme for vehicular ad hoc networks has been proposed in [32]. Similarly, an authentication approach for global mobility networks was proposed in [38]. This scheme is based on an elliptic curve crypto system and therefore takes much execution time to perform major cryptographic operations.

The total computational cost for SELWAK is 16T_h + 11T_XOR, which is less than that of all compared schemes. The performance result shows that our scheme is efficient in terms of computational cost and communication overhead compared to existing schemes.

6.2. Communication Overhead

In this section, we have compared our scheme with [17,19,20,21,24,27,32], schemes. The authentication message of [17] is {T, m, σ}. Thus, the size of the authentication message is 160 × 2 + 4 = 352 bits. In [19] the size of the authentication message is 2 × 40 + 2 × 20 + 4 + 160 = 1152 bits. In [20] the size of message authentication is 40 + 2 × 20 + 4 + 160 + 256 = 1084 bits. The communication cost analysis shows that the corresponding authentication message of [21] scheme is [T_i, δ]. Thus, the size of the message is 320 × 2 + 100 × 2 + 32 = 992 bits. In our scheme, the authentication and key establishment phase require two messages MSG₁ = (L₁, L₂, T₁) and MSG₂ = (L₇, T₃) and need (160 + 160 + 32) = 352 bits and (160 + 32) = 192 bits. Thus, the total computational cost for V2V and V2RSU authentication phases is equal to (352 + 192) = 544 bits. The communication overhead of various schemes have been shown in

Table 3. Communication Cost Comparison.

Schemes	Communication Overhead (Bits)
[17]	352 bits
[19]	1152 bits
[20]	1084 bits
[21]	992 bits
[32]	1152 bits
[24]	1024 bits
[27]	832bits
[38]	2176 bits
SELWAK	544 bits

.

As shown in Figure 7, the execution time taken by our proposed scheme is much less than that of the other four schemes. The proposed scheme is also efficient, even in the worst case, compared to other schemes.

In Figure 8, we show total extra bits sent with the original message during vehicle communication for various schemes.

7. Conclusions

We proposed a novel SELWAK scheme for VANETs. Our scheme is efficient in terms of computational cost and communication overhead due to the one-way hash function and bitwise XOR operations. The SELWAK has extra features, such as mutual authentication and Vehicles and roadside unit anonymity properties. The proposed scheme is robust against driver impersonation attacks, OBU impersonation attacks, OBU capture attacks, RSU impersonation attacks, anonymity, and untraceability, perfect forward and backward secrecy, eavesdropping attacks, and insider attacks. The formal analysis of the proposed scheme was conducted using the RoR model. Therefore, the proposed scheme works efficiently for intelligent transportation systems.

In future work, anonymous mutual authentication will be carried out using BAN Logic and some simulation platforms, such as NS2, SUMO, and OMNET++, to simulate VANETs.