Edge Computing-Based VANETs’ Anonymous Message Authentication

Abstract

Vehicular Ad-hoc Networks (VANETs) have high requirements for real-time data processing and security of message authentication. In order to solve the computing power asymmetry between vehicles and road side units (RSUs) in VANETs under high-density traffic, accelerate the processing speed of message authentication, and solve the problems of high computational overhead and long message authentication time caused by the use of bilinear pairing encryption technology in similar message-batch-authentication schemes, we propose introducing the concept of edge computing (EC) into VANETs and using idle nodes’ resources to assist the RSU in quickly authenticating messages to achieve computing power load balancing under multiple traffic flows. We propose introducing the idea of edge computing (EC) into VANETs and using idle nodes’ resources to assist RSUs in quickly authenticating messages. This scheme performs two identity-based message authentications based on the identity signature constructed by elliptic curve cryptography (ECC). One of them is the batch authentication of the vehicle sending messages by the RSU-authenticated vehicles with free resources, as temporary edge computing nodes (TENs), and the other is the authentication of the temporary TEN messages by the fixed-edge-node RSUs. The resources of the TEN are used to reduce the computational burden of RSUs and message authentication time, thereby improving the efficiency of system authentication of messages. We performed a security analysis of the scheme to prove its security properties and compared it with other schemes in terms of performance. The experimental results show that our scheme has a transmission overhead of 2400 bytes when there are four TENs, and the number of verification message requests reaches 20, which outperforms other methods. The gap will be more evident as the numbers of TEN and message verification requests increase.

1. Introduction

1.1. Background and Motivation

With the rapid development of wireless communication technology and the automotive industry, VANETs also brings more convenience to us. A typical VANET system is shown in Figure 1, which consists of three main components: a trusted authority (TA), a roadside unit (RSU), and a vehicle with an onboard unit (OBU) [1], which includes wireless communication devices and sensor units. The vehicle can sense and collect data related to its driving information and traffic conditions, then realize wireless communication with a RSU or TA through dedicated short range communication (DSRC) [2,3]. Under the DSRC protocol, vehicles need to broadcast their geographic locations, driving speed [4], congestion, vehicle driving intentions [5,6], and other relevant real-time traffic information [7,8] every 100~300 ms at a rate of 6~276 Mbps [9]. Once this information is received, other vehicles can change their routes to avoid possible traffic incidents, such as traffic jams and crashes. In addition, RSUs can also send information about traffic conditions to the traffic control center. Based on the information received, the traffic control center can take some timely actions (such as adjusting traffic lights) to improve traffic safety and efficiency. All the above benefits make VANET a promising technology for modern intelligent traffic systems. However, the workload of RSUs is high, and packet loss is severe under high traffic conditions. Although methods such as fog computing have been proposed to share the workload of RSUs, this method undoubtedly increases the deployment cost of VANETs. We propose to use idle vehicles as temporary edge computing nodes. We only need to give a particular reward to the idle vehicles involved in the computation, which means that our deployment cost will be elastic. When traffic volume is high, it will be easier to get temporary TENs to help with the RSUs’ computational load.

The security of VANETs directly affects the safety of users’ lives and properties [10,11], so there is a need to address the information security issues brought about by external devices. The first step to ensure the reliability of the VANET is identity authentication, and only vehicles that have passed identity authentication legally can join a VANET. In a VANET, in order to keep traffic information safe and reliable, the vehicle must update and broadcast the current traffic situation regularly. A VANET provides wisdom and decisions based on its traffic information, so the security and availability of VANET are based on the vehicle’s ability to update the traffic information in real time. However, due to the low computing power of edge computing units (ECUs), it is still a great challenge to solve the problem of vehicle network information security. To resist forgery attacks, tampering attacks, and privacy disclosure attacks, researchers have studied many authentication schemes in VANETs [12,13]. The study of authentication protocols based on privacy-preserving policies is the primary method to ensure message transmission’s integrity, reliability, and identity privacy. It is also the basis for securing the transmission of automotive information. When any entity in a VANET receives a relevant traffic message, it must first be authenticated to ensure that the message’s source is reliable, the content is complete and trustworthy, it has not been tampered with and replayed, and the user’s identity has not been compromised. To solve the certificate management problem in the public key infrastructure (PKI), Groza proposed an identity-based cryptosystem [14]. In this system, each user’s identity information can be used as the user’s public key, such as email name, phone number, and ID number. A third-party, trusted public key generator (PKG) calculates a private key based on each user’s public key and sends it to the user. Users can use the public and private keys in their hands for data encryption and digital signature operations. Cryptosystems provide data integrity mechanisms, digital envelopes, user identification, authentication, and other techniques.

To ensure that vehicle information messages are safe and secure and that legitimate vehicles are on the network, VANETs must also authenticate messages sent by vehicles in a VANET to ensure that the messages come from legitimate vehicles. Even if the messages are broadcasted by legitimate vehicles, attackers can still threaten the communication security of a VANET using DoS attacks, Sybil attacks, replay attacks, and other methods. Suppose there are false messages in a VANET that neighboring users accept. In that case, it is easy to cause traffic accidents due to wrong traffic information, resulting in unavailability or even paralysis of the VANETs, so it is also necessary to authenticate the messages in the VANET. At the same time, a VANET also has high requirements for real-time data processing because the traffic situation in real scenarios changes in real time, and vehicles obtain information about the external environment through the VANET to make corresponding decisions. The message processing rate is directly related to the operational efficiency of the whole VANET and may even lead to traffic accidents due to the lag of messages. The current mainstream solutions are divided into two types: studying a more lightweight authentication scheme to reduce the load of RSU and assisting RSU computation through edge computing solutions.

1.2. Contributions

In this paper, we introduce the idea of edge computing in which vehicles parked near RSUs with free computing and storage resources are selected as TENs to help RSU participate in message authentication. Our contributions are summarized as follows:

(1)

propose a lightweight elliptic curve-based message authentication scheme that supports vehicles in bulk for anonymous authentication and message authentication, and provides a security proof process.

(2)

We propose a vehicle network architecture that can generate temporary edge computing nodes and validate in our experiments that the efficiency of our architecture will be continuously improved as the number of temporary edge computing nodes increases.

(3)

Our simulation results in omnet++ prove that our scheme can keep the packet loss rate below 5% when there are more than three TENs in the case of high traffic. Moreover, as the number of TENs increases, our computation overhead and communication overhead will further exceed those of other methods.

1.3. Organization

In Section 2, we describe the recent work and its limitations. We present the general framework of our authentication scheme and its operation mechanism in Section 3. In Section 4, we analyze the security of our proposed message authentication scheme. In Section 5, we analyze the performance of our method in terms of computational overhead and transmission security through simulations. Finally, in Section 6, we conclude and provide an outlook for the future.

2. Related Works

The first solutions for message authentication in a VANET are still based on traditional PKI schemes. Still, these schemes require large numbers of certificates and signatures, which consume a lot of computational and storage resources and are also challenging to apply in the practical scenarios of VANETs. In many schemes today, many message-batch-authentication schemes are proposed, but most are based on bilinear pair cryptography, and their computational overhead is too significant to meet the real-time requirements of VANETs. As we all know, the computational and storage resources of nodes in any VANET are limited. When RSUs encounter peak traffic, the number of messages to be authenticated and their performance limitations make them unable to complete the authentication of all messages efficiently and quickly.

2.1. Lightweight Authentication-Based Schemes

Regarding security verification to address the need for larger storage space for vehicles and RSUs to store certificates, Lu et al. [15] proposed a conditional privacy-preserving authentication (conditional privacy-preserving authentication, CPPA) scheme based on temporary credentials. However, this method increases the computational load on the RSU because the vehicle must frequently request anonymous certificates from the RSU to secure the communication. In the id-based CPPA scheme proposed by Zhang et al. [16], neither the vehicle nor the RSU must store a certificate. In addition, this scheme supports a bulk authentication function, which can verify the validity of multiple messages simultaneously, so the authentication cost is low. However, the authentication work of RSUs is frequent, and the load is high. When encountering peak travel times, i.e., vehicles send a large number of message packets, the RSU is affected by the computational performance, cannot complete messages authentication quickly, and has a high packet loss rate.

Wang et al. [17] designed a secure authentication and road vehicle evasion scheme for emergency vehicles using bilinear pairs. Although it simplifies the subsequent authentication process and reduces the transmission consumption on the wireless communication of the whole system, the scheme has high infrastructure requirements for RSUs. It requires RSUs to constantly send and store messages related to vehicle authentication by wired transmission between RSUs, which is not achievable for VANETs with such a large number of user groups. RSUs need help finding the vehicle’s authentication information in a short time. Xu et al. [18] surveyed VANET edge service optimization, and the results showed that VANET technology plays a crucial role in diversifying services with its powerful real-time information collection capability. Wang et al. [19] proposed a scheme based on Paillier encryption. However, this literature designed authentication schemes with severe centralization problems and many communication interactions to increase the communication and computational costs. Dong et al.

To avoid repeated authentication of messages, Cui et al. [20] proposed a new identity-based authentication scheme for privacy-preserving messages. They offered to select proxy vehicles using fuzzy rules, and proxy vehicles distinguish whether the message has been authenticated by other proxy nodes by looking up the message fingerprint stored in the Cuckoo filter, which greatly improves the authentication efficiency. The space network provides one-way control services, such as positioning, navigation, and high-precision clock synchronization, so that driving can get information about vehicles in a more extensive range and improve driving safety. Lee et al. [21] proposed a batch authentication processing scheme for messages using bilinear pairs. Although the security is more robust, Wu et al. [22] also used elliptic curves to design a new efficient identity-based message authentication scheme, which reduces the computational complexity of the signature and authentication process while providing a function of conditional privacy protection. Although both methods have good efficiency and security, they still need to solve the problem of high packet loss rate and low efficiency of RSUs in the face of a massive amount of messages requiring authentication.

Since the birth of blockchain technology in 2008, it has become an excellent solution to the problem of centralization of the VANET authentication scheme, which not only provides anonymity, authenticity, and integrity of information but also plays an essential role in the cross-domain authentication of vehicles. Li et al. [23] used the decentralization, persistence, anonymity, and adorability of the blockchain to successfully overcome the over-reliance on traditional public keys. Wang et al. [24] combined blockchain and smart contracts, making business logic and business processes integrated into the blockchain, and proposed a trust management framework based on blockchain timestamps. They could connect the dynamics of vehicles in real-time. Wang et al. [25] came up with an effective blockchain-based VANET decentralized authentication mechanism, which solves the centralization problem brought by traditional centralized authentication, but the scheme is not secure enough, does not protect the privacy information of vehicles, does not provide a comprehensive security analysis of the method, and leaves the cars vulnerable to security attacks such as identity relocation. Lei et al. [26] constructed a VANET authentication-key-negotiation protocol using blockchain and designed a new network topology. Xu et al. [27] developed a VANET authentication-key-negotiation protocol using blockchain and cloud computing, which uses only some lightweight computation with the help of blockchain to complete authentication and key negotiation, which dramatically reduces the computational overhead cost of the whole authentication process. However, it still has the problem of data centering, where every authentication must access the cloud server, and the authentication efficiency is easily affected by the cloud server data center.

2.2. Edge Computing-Assisted Authentication

Basudan et al. [28] designed a privacy-preserving protocol through swarm intelligence awareness and fog computing to improve the security of VANETs. Yao et al. [29] proposed a blockchain-based distributed car fog service for lightweight anonymous authentication. They used the Lagrangian difference theorem to achieve that only the designated RSU can compute the messages sent by the vehicle, which significantly improves security. However, this approach requires the car to have more storage space to store the public keys of RSUs in the whole VANET system, which makes the storage resources of the vehicle more easily limited. Kang et al. [30] used mobile edge computing and blockchain to achieve data sharing and information security in VANET. The authentication scheme of this design does not support mutual authentication of vehicles and VANET managers, so the security is lower.

Xie et al. [31] proposed an anonymous two-way-authentication and key-negotiation protocol in a multi-server architecture. Still, this scheme needs to handle exceptional cases, such as partial fog servers being dropped or corrupted. Armor et al. [32] used VANET technology to connect vehicles to the Internet to exchange data for remote control and proposed a new authentication protocol. In their scheme, new sensor nodes are added to existing sensors, and random and specific IDSn and KGSni are generated as identifiers and keys for the new sensors, respectively. Wang et al. [33] proposed an accurate traffic prediction method based on locality-sensitive hashing (LSH), which utilizes sensor data from multiple cameras deployed at urban intersections to perform accurate traffic flow prediction and dramatically protects the privacy of traffic data. Azees et al. [34] proposed an anonymous authentication scheme with conditional privacy protection for VANETs. In their scheme, a vehicle can obtain a smart card (with some privacy information pre-installed in the vehicle smart card) after registering with a trusted authority, thereby further using the vehicle’s privacy information to generate a signature, which then exchanges messages with the connected fog server. These fog servers accept the vehicle’s messages when and only when the corresponding signatures are valid. In addition, their scheme provides a cloud-assisted tracking mechanism. Vijayakumar et al. [35] proposed an anonymous batch authentication and key exchange protocol for 6g-enabled VANET. In this scheme, vehicles are registered with a trusted authority, which distributes the pseudonyms of the vehicles to the fog server and the corresponding vehicles. In addition, the car and its connected fog server can generate a valid session key by mutual authentication with the associated pseudonym. Xia et al. [36] used a conditional identity-privacy-preserving authentication scheme based on multiple fog servers working in concert to verify the legitimacy of a vehicle without revealing its true identity using fog servers. In this decentralized authentication scheme, even if a few fog servers or vehicles are dropped or maliciously attacked, it can provide authentication and privacy protection for vehicles. Tan et al. [37] proposed a network authentication mechanism based on lightweight physical unclonable functions, which significantly reduces the storage overhead and resource loss during data transmission and enhances the completion of data transmission. Effectively improves the privacy protection of data.

In summary, the lightweight authentication scheme can reduce the load on the RSU without increasing the cost of VANET deployment. As the variety of VANET services increases and the blockchain technology is introduced, there is no guarantee that the RSU will have sufficient data processing capacity. However, using multiple fog servers to calculate keys undoubtedly increases the deployment cost of VANETs.

3. Materials and Methods

With the dramatic increase in vehicles today, authenticating vehicle-broadcast messages is becoming increasingly demanding, and the workload of RSUs will continue to increase. Due to the limited resources of RSUs themselves, they are prone to performance bottlenecks in the face of massive message authentication tasks and the need to authenticate messages quickly. This section introduces our solution in terms of architecture and messaging flow.

3.1. VANET Framework Overview

In this paper, we only use idle vehicles with computing and storage resources to participate in authentication, which can provide convenient and effective services to intelligent transportation systems and create a privacy-protected and secure communication environment. The proposed system framework for a VANET authentication protocol based on edge computing, as shown in Figure 2, mainly includes four entities, i.e., TA, RSUs, temporary edge computing nodes (TENs), and vehicle users with OBUs.

The specific definitions are as follows:

(1)

A TA is a fully trusted node responsible for the registration tasks of RSU and vehicles, generating the public system’s parameters, and distributing keys to each participating node. The TA can also trace vehicles’ real identities in critical moments. To enhance the security of the whole VANET system, the TA and RSUs use a wired secure transmission protocol. Redundant TAs are generally set up to prevent the efficiency of VANET authentication from being affected by the performance bottlenecks of TAs.

(2)

An RSU is a wireless communication device that communicates directly with vehicles and is usually set up on the roadside. It is responsible for retrieving received messages and the message broadcast task.

(3)

A TEN is a vehicle involved in message authentication (parked around the RSU). With certain computing and storage capabilities, it is responsible for authenticating the vehicle messages and sending the results of the authenticated messages to the RSU.

(4)

A vehicle is the vehicle carrying the OBU device. It is only responsible for sending the correct traffic information to RSU or TEN for authentication.

3.2. Message Authentication Scheme

The message authentication process for program participants is shown in Figure 3:

Our proposed scheme consists of four phases: system initialization, generating vehicles’ anonymous identities, generating TENs, and batch authentication of messages. Each step of the method is explained in detail next, and 

Table 1. Descriptions of labels.

Lable	Interpretation
$Pu{b}_{TA}$	TA’s public key
$Pu{b}_1/Pu{b}_2$	Part of TA’s public key
$S_1/S_2$	Part of TA’s key
$PI{D}_i$	Anonymous identity of the vehicle
$PI{D}_1/PI{D}_2$	Part of anonymous identity of the vehicle
$S_i$	Keys of the vehicle
$RI{D}_i$	The true identity of the vehicle
$EI{D}_i$	Anonymous identity of proxy vehicles
$EI{D}_1/EI{D}_2$	Partial anonymity of proxy vehicles

illustrates the meaning of each symbol in the scheme.

3.2.1. System Initialization

In initialization phase, the TA first generates some public system parameters and sends them to the corresponding communication entities as follows: When the system is established, the trust institution TA randomly selects two large prime numbers, P and q, and chooses a non-singular elliptic curve defined as $y^2=x^3+ax+bmodq$. G is the nth-order cyclic group generated by the basepoint P. The TA randomly selects $S_1,S_2\in Z_q^{*}$ as the system’s private key and calculates the system public key $Pu{b}_{TA}=\left(Pu{b}_1,Pu{b}_2\right)$, where $Pu{b}_1=S_1·P,Pu{b}_2=S_2·P$. The TA selects a secure hash function $h{\{0,1\}}^{*}\to Z_q$, and exposes the system parameter $\left\{G,P,Pu{b}_{TA},h\right\}$.

Then, the TA chooses a random number $x_i^1,x_i^2\in Z_q^{*}$ as the key of the RSU and calculates the public key $Pu{b}_{RSU}=\left\{Pu{b}_{RSU}^1,Pu{b}_{RSU}^1\right\}$ of the RSU:

$$Pu{b}_{RSU}^1=x_i^1·P$$

(1)

$$Pu{b}_{RSU}^2=x_i^1·P$$

(2)

The TA sends $x_i^1,x_i^2,S_1,S_2$ to the RSU via a secure channel.

Finally, the TA assigns a real identity $RI{D}_i$ for each registered vehicle and sends $RI{D}_i$ and $S_1$ through a secure channel to the vehicle’s tamper-proof device time propagation delay (TPD).

3.2.2. Generate Vehicle Anonymous Identities and Signatures

All vehicles use pseudonyms to broadcast traffic messages, to protect the privacy of vehicles, and to prevent relocation attacks. To ensure the integrity of the message and the reliability of the user’s identity, the vehicle user needs to sign the traffic message as follows:

1

Users need to enter the real identity of the vehicle $RI{D}_i$ and password $PWD$ to verify their legitimacy before using the vehicle’s TPD equipment. If there are problems, such as input errors, then the vehicle refuses to provide services. They can input the correct information and then continue to complete subsequent operations.

2

The TPD device of the vehicle selects a random number V and calculates the anonymous identity $PI{D}_i$:

$$PI{D}_i=\left\{PI{D}_i^1,PI{D}_i^2\right\}$$

(3)

$$PI{D}_i^1=V_i·\mathrm{P}$$

(4)

$$PI{D}_i^2=RI{D}_i\oplus h\left(V_i·Pu{b}_1\right)$$

(5)

3

After the anonymous identity is generated for the vehicle, the TPD device generates a private key $K_i$ for the vehicle based on its anonymous identity, which is used to sign the traffic information M.

$$K_i=V_i+h\left(PI{D}_i\right)·S_1$$

(6)

4

The vehicle inserts the current timestamp $T_i$, i.e., $M_i=\left\{M\parallel T_i\right\}$, into the traffic information that needs to be sent, and then enters $M_i$ into the TPD device to sign it with the private key $K_i$:

$${\sigma }_i=K_i+S_{2}h\left(M_i\right)$$

(7)

5

The vehicle broadcasts $\left\{PI{D}_i,M_i,{\sigma }_i\right\}$ to the network every 100~300 ms.

3.2.3. Generate TEN

To optimize idle computing and storage resources, idle cars parked near an RSU can apply to become TENs to assist with the RSU’s message authentication work. To improve the motivation and reliability of TEN work, the RSU can use remuneration and other means to make the TEN authentication viable. Additionally, considering the stability and trustworthiness of city buses, this paper uses city buses parked near an RSU for a long time as TENs to assist in the authentication.

When an idle car with computing and storage resources parked around the RSU wants to become a TEN, it can send an application message $M_{request}$ to the RSU and sign the application message through the TPD device using the key $K_i$:

$${\partial }_i=K_i+S_{2}h\left(M_{\mathrm{request}}\right)$$

(8)

Then, the idle vehicle sends $\left\{PI{D}_i,M_{\mathrm{request}},{\partial }_i\right\}$ to the RSU for checking the legal identity.

When an RSU receives a request message from an idle car, it verifies it by Equation (9). If the equation holds, the vehicle’s identity is approved, and the RSU agrees to its application, and the vehicle can be considered a candidate for a TEN. Otherwise, it will be rejected as a candidate for TEN.

$${\partial }_i·P=PI{D}_i^1+Pu{b}_{1}h\left(PI{D}_i\right)+Pu{b}_{2}h\left(M_{\mathrm{request}}\right)$$

(9)

The computational resources of city buses are much greater than those of ordinary vehicles. When there are city buses competing as TENs, we will prioritize them. In the process of electing a TEN, we mainly consider two attributes, the straight-line distance between the vehicle and the RSU and the amount of computational resources:

The factor of distance: Considering that the task of the TEN is to assist the RSU in authentication and the success rate of authentication, it should maintain a short communication distance from the RSU. We assume that the maximum communication distance of an RSU is X and D is the linear distance between the vehicle and the RSU, and the distance factor can be calculated according to the defined Equation (10).

$$d_i=\left\{\begin{array}{c}1,D<\frac{X}{2}\\ \frac{X-D}{X/2},\frac{X}{2}<D<X\\ 0,D>X\end{array}\right\}$$

(10)

The factor of resources: To assist an RSU with message authentication, the TEN must consume a certain amount of storage resources. We assume that all ordinary vehicles have the same maximum computing resources as $U_{\max }$ (except for buses), and the currently available computing resource for cars is $U_{\mathrm{use}}$, which can be calculated according to Equation (11).

$$r_i=U_{\mathrm{use}}/U_{max}$$

(11)

We can select TEN by Equation (eq:seTEN):

$${\theta }_i=e_i\frac{1}{d_i}+f_i\frac{1}{r_i}+{\beta }_i$$

(12)

where $e_i$ and $f_i$ are the weights, respectively, and $e_i+f_i=1$, ${\beta }_i$ is the bus parameter. ${\beta }_i=0$ when the candidate vehicle is a bus. Otherwise, ${\beta }_i=1$. We select n cars with the minimum value of ${\theta }_i$ as TEN according to the demand of RSU. The TEN selection algorithm is shown in Algorithm 1.

Algorithm 1 TEN selection algorithm

Input:$\left(PI{D}_i,D_i,U_{\mathrm{use}}^i\right)$ Output: The set of Edge nodes $PI{D}_i$ 1: for each i in $[0,n]$ do 2:  chose $e_i,f_i$ from $[0,1]$; 3:  if $PI{D}_i$ is Bus then 4:   ${\beta }_i=0$; 5:  else 6:   ${\beta }_i=1$; 7:  end if 8:  compute $d_i$ via Equation (10); 9:  compute $r_i$ via Equation (11); 10:   compute ${\theta }_i$ via Equation (12); 11: end for 12: chose ${\theta }_{min}=minmum\left({\theta }_i\right)$; 12: return $PI{D}_i$;

When the vehicle becomes a TEN $H_i$, the RSU sends $x_i^1$ to its TPD device via secure transmission for the TEN’s anonymous identity and key generation. The TEN $H_i$ uses the TPD device to select a random number $R_i\in Z_q^{*}$ to start calculating the TEN’s anonymous identity $PI{D}_i$ and the key $W_i$:

$$HI{D}_i=\left\{HI{D}_i^1,HI{D}_i^2\right\}$$

(13)

$$HI{D}_i^1=R_i·P$$

(14)

$$HI{D}_i^2=RI{D}_i\oplus h\left(R_i·Pu{b}_{RSU}\right)$$

(15)

$$W_i=R_i+h\left(HI{D}_i\right)S_1$$

(16)

3.2.4. Batch Authentication of Messages

According to the DSRC protocol, vehicles must continuously broadcast traffic messages to the network. VANETs can enact reasonable commands for traffic control after analyzing and judging the messages broadcasted by vehicles. The system needs to authenticate the message to ensure the integrity of the vehicle-broadcast message and the legitimacy of the user’s identity.

When the TEN receives the instruction to process messages from the RSU, the TEN takes the n vehicle messages $\left\{PI{D}_i,M_i,{\sigma }_i\right\}$ (where $1<i<n$) received by the broadcast during this period for batch authentication, and the message-batch-authentication equation is shown in Equation (17). If the batch message authentication is successful, it is judged that they are all messages sent by legitimate vehicles. In addition, to ensure the balance of security and validity, we choose a random security parameter t of size 10 bit and generate a random vector $A=\left\{a_1,a_2\dots \dots a_n\right\}$ to be added to the batch authentication equation, where $a_i\in \left[1,2^t\right]$. The TEN merges the messages with successful authentication and correct timestamps into $M_T=\left({\sum }_{i=1}^n{M}_i\right)\parallel T_i$ and sends $\left\{M_T,{\beta }_i,HI{D}_i\right\}$ to the RSU for authentication, where ${\beta }_i$ is the signature of the TEN and ${\beta }_i=W_i+x_i^1\mathrm{h}\left(M_T\right)$.

$$\left(\sum _{i=1}^n{a}_i·{\sigma }_i\right)P=\sum _{i=1}^n{a}_i·\left(PI{D}_i^1+h\left(PI{D}_i\right)Pu{b}_1\right)+\sum _{i=1}^n{a}_i·Pu{b}_2·h\left(M_i\right)$$

(17)

When the RSU receives the result from the TEN, its identity and message need to be verified, and the verification is as Equation (18):

$${\beta }_i·P=HI{D}_i^1+h\left(HI{D}_i\right)Pu{b}_1+h\left(M_T\right)Pu{b}_{RSU}^1$$

(18)

If the equation verification passes, the RSU accepts the traffic information sent by TEN and pays according to the number of messages. If the equation is not valid, it rejects its message. When the RSU accepts the message, it will look for the anonymous identity $PI{D}_i$ corresponding to the message sender according to the received message set $M_T$ and add it to the legitimate identity set $Identity\left[\right]$. Then, it uses the private key for a signature to broadcast to all vehicles. After receiving the broadcast message, the vehicle checks whether the message it sent passes authentication, and if it disagrees with the authentication result, it resends its message $\left\{PI{D}_i,M_i,{\sigma }_i\right\}$ to the RSU for authentication. The RSU will re-authenticate the message sent by the vehicle. If the authentication passes and is not in the result sent by TEN, it re-authenticates the original n messages sent by vehicle using Equation (17) for batch authentication. Suppose the RSU does not receive a request for re-verification from the vehicle within a fixed period. In that case, the TEN-authenticated message is considered to have passed entirely, and a reward is paid.

4. Security Analysis

In this section, a conventional security analysis of the proposed scheme is performed to demonstrate that the proposed protocol not only enables secure authentication of identity messages between entities but also resists a variety of well-known attacks.

4.1. Analysis of Message Correctness and Non-Falsifiability

In the VANET system, a message’s signature guarantees both the message’s integrity and the legitimacy of the message sender’s identity. In this scheme, the signature ${\sigma }_i=K_i+S_{2}h\left(M_i\right)$ of the vehicle is a one-time identity-based signature, and it is impossible to forge a legitimate signature of the vehicle without knowing $V_i$ and $S_2$. On the one hand, since ${\sigma }_i=V_i+h\left(PI{D}_i\right)·S_1+S_{2}h\left(M_i\right)$ is a Diophantine equation (DE), it is not easy to calculate $S_2$ and $V_i$ by $h\left(PI{D}_i\right)$ and $h\left(M_i\right)$ in only polynomial time.

On the other hand, it is difficult to derive $S_2$ and $V_i$ by $PI{D}_i^1$, $h\left(PI{D}_i\right)$, P, $Pu{b}_1$, $Pu{b}_2$, and $h\left(M_i\right)$.

Suppose there exists adversary A who can obtain the vehicle’s key $V_i$, $Ad{v}_A^{ECDLP}\left(t\right)=Prb\left[A\left(PI{D}_i,P\right)=V_i\right]$, by $Pu{b}_1$, $Pu{b}_2$; and the system’s keys $S_1$ and $S_2$, i.e., $Ad{v}_A^{ECDLP}\left(t\right)=Prb\left[A\left(Pu{b}_1,P\right)=S_1\right]$, $Ad{v}_A^{EEDLP}\left(t\right)=Prb\left[A\left(Pu{b}_2,P\right)=S_2\right]$ by $Pu{b}_1$ and $Pu{b}_2$. Then, A can use the obtained $V_i$, $S_1$, and $S_2$ to forge the vehicle’s signature ${\sigma }_i$. The above operations of A are based on the fact that it can crack the ECDLP problem in polynomial time t. However, what can be known is that $Ad{v}_A^{ECDLP}\left(t\right)=Prb\left[A\left(PI{D}_i,P\right)=V_i\right]<ϵ$, $Ad{v}_A^{ECDLP}\left(t\right)=Prb\left[A\left(Pu{b}_1,P\right)=\right.$ $\left.S_1\right]<ϵ$, $Ad{v}_A^{ECDLP}\left(t\right)=Prb\left[AA\left(Pu{b}_2,P\right)=S_2\right]<ϵ$, where the probability of $ϵ>0$ is very small, so A cannot obtain the vehicle key. In summary, it is proved that our scheme is secure and a malicious attacker cannot forge or tamper with the legitimate vehicle identity signature.

Instead of directly authenticating the messages and signatures broadcasted by vehicles, the RSU first implements authentication through TENs. A TEN may be compromised and become a malicious node and send wrong messages to the RSU. For example, part of the valid signature message could be erased, or an illegal signature message could be added to the valid notifications $M_T$. The RSU broadcasts the received identity set $Identity$ of the sender of the valid message back to all vehicles so that the vehicles know the result of their broadcast. If a vehicle finds that its message is not authenticated, it will resend an authentication request to the RSU. n$\left\{PI{D}_i,M_i,{\sigma }_i\right\}$ will be re-authenticated if the RSU receives a request from a vehicle to re-authenticate. This can well ensure that the TEN cannot cheat the RSU and also ensure the legitimacy of all the passed information.

When TEN verifies messages sent from vehicles, we determine the legitimacy of the message’s source by verifying Equation (20), and the proof process is as follows:

$$\begin{array}{c}\left({\displaystyle \sum _{i=1}^n}{a}_i·{\sigma }_i\right)P=\left({\displaystyle \sum _{i=1}^n}{a}_i·\left[K_i+S_{2}h\left(M_i\right)\right]\right)P\\ =\left({\displaystyle \sum _{i=1}^n}{a}_i·\left[PI{D}_i^1+h\left(PI{D}_i\right)Pu{b}_1+Pu{b}_2·h\left(M_i\right)\right]\right)\end{array}$$

(19)

$$=\sum _{i=1}^n{a}_i·\left(PI{D}_i^1+h\left(PI{D}_i\right)Pu{b}_1\right)+\sum _{i=1}^n{a}_i·Pu{b}_2·h\left(M_i\right)$$

(20)

4.2. Privacy Protection of Vehicles

In VANET communication, all communicating entities use anonymous identities for transmission to protect identity privacy and security issues. As an example, an ordinary vehicle uses a random number $V_i$ and the real identity $RI{D}_i$ to generate its anonymous identity as $PI{D}_i=\left\{PI{D}_i^1,PI{D}_i^2\right\}$, where $PI{D}_i^1=V_i·P,PI{D}_i^2=RI{D}_i\oplus h\left(V_i·Pu{b}_1\right)$. According to the discrete logarithm puzzle, a malicious attacker cannot calculate the random number $V_i$ by $PI{D}_i^1$ and P because the hash function has non-collision and non-reversibility, and a malicious attacker cannot calculate $h\left(V_i·Pu{b}_1\right)$ and cannot know the real identity of the vehicle $RI{D}_i$, so the identity privacy of each entity is protected. If a vehicle wants to change its anonymous identity $PI{D}_i$, it only needs to re-pick a new random number $V_i$ and calculate a new $PI{D}_i=\left\{PI{D}_i^1,PI{D}_i^2\right\}$. Vehicles sending multiple messages can use different identities and signatures, and the attacker will not be able to trace back to the source of the message sent.

4.3. Real ID Traceability

In this protocol, anonymous identities are used for communication to protect users’ privacy. To prevent legitimate users from committing malicious acts, TA can trace each anonymous identity to obtain the real essence. The TA identity tracing method is shown in Equation (21):

$$h\left(S_1·PI{D}_i^1\right)\oplus PI{D}_i^2=h\left(S_1·PI{D}_i^1\right)\oplus RI{D}_i\oplus h\left(V_i·Pu{b}_1\right)=RI{D}_i$$

(21)

As the system keys $S_1$ are stored in the TPD device of the vehicle, only TA can access it, so neither other vehicles nor RSU can calculate the real identity of the vehicle, which will ensure the traceability requirement of VANETs.

4.4. Defensive Capabilities against Replay Attacks

Since VANETs use wireless communication, malicious attackers easily capture the messages. Even though they cannot forge the legitimate signatures of the vehicles, they can try to replay the old messages $\left\{PI{D}_i,M_i,{\sigma }_i\right\}$ of the vehicles to launch replay attacks. All traffic messages sent by vehicles $M_i=\left\{M\parallel T_i\right\}$ rely on the timestamp $T_i$, which is also an integral part of the signed message, and the timestamp cannot be modified. Based on ensuring the time synchronization of all vehicles and RSUs, upon receiving an authentication request from a vehicle or TEN, the receiver first checks the freshness of the message timestamp. The message will be discarded if $T_{\mathrm{now}}-T_i>\Delta$ (a fixed time interval). This provides a reasonable guarantee against replay attacks.

5. Experiment and Analysis

5.1. Simulation Enviroment

To demonstrate the advantages of our scheme in terms of computational overhead, communication overhead, and transmission stability, we conducted deployment experiments on a computer with an Intel i7-11800H 2.3 GHz CPU, 40G of memory at 2600 MHZ frequency, and a Win10 operating system. We evaluated the computational overhead of the encryption algorithm of this scheme using the Crypto++ library under Visual Studio 2019. Additionally, we analyzed the communication cost and stability in VANETs using omnet++ with a Veins simulation test.

5.2. Computational Cost

Since the AKDT scheme uses a bilinear pair cipher and we used an elliptic curve cipher, two cryptographic operation schemes with a security level of 80 bit were constructed. The bilinear pairing cryptographic scheme was set as follows: $e:G_1\times G_1\to G_2$, where the additive group $G_1$ is the additive group of order $q_1$ generated by the generating element $P_1$; $P_1$ is the point on the hyper-singular curve $E1$: $y^2=x^3+ax+bmodq$, which is also a 512 bit prime number; and $q_1$ is a 160 bit prime number. The ECC cipher was set as follows: the additive group G is an additive group of order q generated by the generating element P, and P is a point on the non-hyper singular elliptic curve E: $y^2=x^3+ax+bmodq$, where P and q is a 160 bit prime.

The protocol’s performance is first considered in terms of computational overhead, which is calculated separately for each entity involved in each process of the scheme. The parameter data obtained in the experiments are listed in

Table 2. The execution times of cryptographic operations.

Symbol	Operation	Execution Time/ms
$T_{PM}$	Point multiplication on elliptic curves	0.7358 ms
$T_{PMS}$	Vector point multiplication for elliptic curves	0.0428 ms
$T_{PA}$	Point addition and multiplication operations on elliptic curves	0.004 ms
$T_{GE}$	Bilinear pair operation	6.4164 ms
$T_{GM}$	Bilinear point-to-point multiplication operation	2.6439 ms
$T_{GA}$	Bilinear point addition operation	0.01646 ms
$T_{MPT}$	MapToPoint operation	1.3277 ms
$T_H$	One-way hash function operation	0.0002 ms

, and each cryptographic base operation’s run time is the average value derived from 1000 runs in this experimental environment. Let $T_{PM}$ represent the dot product operation on the elliptic curve, where $T_{PMS}$ represents the elliptic curve vector point multiplication operation, $T_{PA}$ represents the bilinear pairwise point multiplication operation, $T_{GE}$ represents the bilinear pairwise operation, $T_{GA}$ represents the bilinear pairwise point addition operation, $T_{MPT}$ represents the MapToPoint operation, and $T_H$ represents the one-way hash function operation.

In this scheme, we use a TEN to achieve the first batch authentication, and then the RSU verifies the feedback results of the TEN. In most cases, the TEN for batch authentication passes the first time. We first consider the overhead cost in one RSU region. The time required to authenticate a traffic message is $6T_{PM}+4T_{PA}+4T_{H}ms$. Assume that the traffic density of vehicles is equal to the number of messages n that the vehicle needs to authenticate in that cycle, and each vehicle sends a message in a fixed period of 300 ms. The number of messages to be verified within the communication range of a given RSU is n, and the number of TENs is x. Then, the number of messages that need to be verified by each TEN is $n⁄x$, and the number of messages that need to be verified by the RSU is x. Then, the time $T_{\mathrm{ours}}=[(n/x+x)+1]T_{PM}+[(n/x+x)+1]T_{PA}+2(n/x+x)T_H+2(n/$ $x+x)T_{PMS}ms$ to verify these messages in the whole RSU domain.

We also compared it with several other schemes. The CPPA scheme takes $2T_{PM}+T_H+T_{PA}ms$ to validate one message and $T_{CPPA}=3n{T}_{PMS}+2n{T}_{PM}+n{T}_H+T_{PA}ms$ to validate n messages. The ESMA scheme takes $3T_{PM}+3T_H+3T_{PA}ms$. The time required to verify n messages is $T_{ESMA}=n{T}_{PMS}(3+n)T_{PM}+3n{T}_H+(2n+1)T_{PA}ms$. The time required for the AKDT scheme to verify one message is $3T_{GE}+3T_{GM}+T_{MPT}+T_{H}ms$. The time required to verify n messages is $T_{AKDT}=3T_{GE}+n{T}_{GM}+n{T}_{MPT}+n{T}_H+(3n-1)T_{GA}ms$.

Table 3. Computational overhead.

Plan	Verify 1 Message	Verify n Information
CPAA	$2T_{PM}$+$T_H$+$T_{PA}$	$3n{T}_{PMS}$+$2n{T}_{PM}$+$n{T}_H$+ $T_{PA}$
ESMA	$3T_{PM}$+$3T_H$+$3T_{PA}$	$n{T}_{PMS}(3+n)T_{PM}$+$3n{T}_H$+ $(2n+1)T_{PA}$
AKDT	$3T_{GE}$+$3T_{GM}$+$T_{MPT}$+$T_H$	$3T_{GE}$+$n{T}_{GM}$+$n{T}_{MPT}$+$n{T}_H$+$(3n-1)T_{GA}$
Ours	$6T_{PM}$+$4T_{PA}$+$4T_H$	$[(n/x+x)+1]T_{PM}$+$[(n/x+x)+1]T_{PA}$+$2(n/x+x)T_H$+ $2(n/x+x)T_{PMS}$

lists the computational overhead for verifying one message and n messages.

The computational overhead of this scheme is smaller than those of other schemes. Figure 4 shows that all schemes’ computational times in the batch authentication phase of the messages grow linearly with the number of messages. The computational times of ESMA and this scheme are similar for the two TENs. However, when the number of messages exceeds 500, the computational times of these two schemes are much lower than those of the other schemes.

We also consider the impact of the number of TENs on the batch authentication processing time. It is seen from Figure 5 that as the number of TENs in the RSU’s range increases, the computational time required for message batch authentication in this scheme decreases, which can significantly ease the authentication pressure on the RSU.

Figure 6 depicts the relationship between the RSU computation time consumption, the number of verification messages, and the number of TENs. It is clear that this scheme, with the assistance of TENs, takes far less time than the other schemes, and the performance is better, as the number of TENs increases, which better meets the needs of VANETs and enables the traffic messages sent by vehicles to be authenticated by the RSU more quickly.

5.3. Communication Cost and Performance

In this section, we analyze and compare the transmission overheads of CPPA, ESMA, AKDT, and this scheme. In this scheme, the transmission overhead is the sum of all transmitted messages in an RSU domain from all the vehicles, TENs, and RSUs that join the VANETs. From Equation (eq:pp), we know that $P_1$ and P occupy 64 bytes and 20 bytes, respectively. Hence, the numbers of bytes occupied by the elements in group $G_1$ and group G are 128 bytes and 40 bytes, respectively. Assume that the traffic message transmitted by the vehicle in VANETs is 16 bytes, the timestamp is 4 bytes, the true identity of the vehicle and TEN $PI{D}_i$ and $RI{D}_i$ is 20 bytes, and the general hash function’s output is 20 bytes.

Table 4. Communication overhead.

Plan	Verify 1 Message	Verify n Information
CPPA	120 bytes	120n bytes
ESMA	160 bytes	160n bytes
AKDT	292 bytes	292n bytes
Ours	200 bytes	200n bytes

illustrates the transmission overhead incurred by these schemes in authenticating one message and n messages.

In the scheme CPPA, the vehicle broadcast’s anonymous identity and message signature are $\left\{PI{D}_i,M_i,T_i,{\delta }_i\right\}$, where $PI{D}_i\in \mathrm{G},{\delta }_i\in Z_q^{*}$, so the transmission overhead of the CPPA broadcast is $40\times 2+16+4+20=120$ bytes. In the ESMA scheme, the vehicle-broadcast message is $\left\{PI{D}_i,M_i,T_i,{\delta }_i,R_i,U_i\right\}$, where $PI{D}_i,R_i,U_i\in G,{\delta }_i\in Z_q^{*}$. The transmission overhead of ESMA is $40\times 3+16+4+20=160$ bytes. AKDT consisting of $\left\{M_i,I{D}_1,I{D}_2,{\delta }_i\right\}$, where $I{D}_1,{\delta }_i\in G_1$, requires a transmission overhead of $128\times 2+20+16=292$ bytes. In our scheme, the broadcasted messages are sent by the vehicle and TEN, which are $\left\{PI{D}_i,M_i,{\sigma }_i,HI{D}_i,M_T,{\beta }_i\right\}$, where $PI{D}_i^1,HI{D}_i^1\in G$, $PI{D}_i^2,PI{D}_i^2\in Z_q^{*}$, and PID ${}_i^2=R_{ID}\oplus h\left(V_i·\right.$ Pub $\left.b_1\right)=20$ btyes. The transmission overhead generated by the message is $2\times (40+20+16+4+20)=200$ bytes, and the transmission overhead caused by n messages is $n(40+20+16+4+20)+m\left[\right(40+20+16+4+20\left)\right]$ bytes, where m is the number of TENs.

When only one traffic message needs to be verified, our scheme has a slightly higher communication transmission overhead than the other schemes because both the vehicle and TEN need to send messages to increase the transmission overhead. However, with more verification messages and the addition of TENs, our transmission overhead will be smaller than other schemes. As shown in Figure 7, when having four TENs, our method consumes less time than the other three methods when processing 20 and more verification messages simultaneously.

To verify the performance of this scheme in terms of packet loss rate, we built a simulation scenario using the Veins simulation platform to conduct experiments. The simulation scenario was set up as follows: an RSU with a communication radius of 800 m was arranged at 3 km intervals on a bi-directional 4-lane road with a total length of 12 km, and a different number of vehicles was allowed to pass by, the speed was controlled at 40~120$\mathrm{km}/\mathrm{h}$, the communication radius of the cars was 250 m, and the vehicle broadband was set to $200\mathrm{kbit}/\mathrm{s}$. The packet loss rate is defined as the number of lost signature messages transmitted by the vehicles to the total number of the ratio of the total number of signature messages. As shown in Figure 8 that the packet loss rate of all four schemes increases as the traffic volume increases, because the RSU is out of communication range before the vehicle has time to process the message. The scheme proposed in this paper is always faster than several other schemes. We fully utilized the arithmetic power of idle vehicles that had already passed message verification to help the RSU perform message verification, and at the same time, widen the communication radius because of the idle vehicles as bridging points.

6. Conclusions

In this paper, we propose using ECC to authenticate messages in VANETs and vehicles without computational tasks as TEN-assisted RSUs for message authentication. We presented this scheme in terms of the system network mechanism, a specific description of the scheme protocol, security analysis, and performance analysis. We simulated a VANET scenario using the Veins simulation platform, assuming different numbers of vehicles willing to join the VANET message verification. We confirmed that our approach can effectively reduce the packet loss rate of communication to less than 8%. Additionally, unlike previous methods, such as adding fog computing servers or edge computing units, we used idle vehicles as TENs to extend the communication range of RSUs without adding additional hardware for computing. Our approach provides a new mindset for future vehicular networking in balancing the computational load and designing communication policies. However, our scheme relies on the willingness of idle vehicles to participate in message authentication tasks. Further design of reward mechanisms to encourage vehicles to join in VANETs’ message authentication is needed for deployment in realistic scenarios. Therefore, we will further investigate the task delegation in edge computing and its corresponding reward strategy to reduce the computational load and improve the operational efficiency of VANETs using edge computing techniques.