Secure and Efficient Message Authentication Scheme for 6G-Enabled VANETs

Abstract

In 6G-enabled vehicle ad hoc networks (VANETs), the messages transmitted through wireless communication face security problems such as tampering and disclosure. In this paper, to ensure the security of transmitted messages and the privacy of vehicle users, we propose an anonymous and secure message authentication (ASMA) scheme. The ASMA scheme can realize message verification and conditional privacy preservation with a lower computation overhead, and its security does not depend on a tamper-proof device (TPD). As the numbers of vehicles and applications increase in 6G-enabled VANETs, the number of messages in the network increases greatly. One-by-one verification messages in the ASMA scheme cannot meet the strict low-latency requirements. To improve the efficiency of the ASMA scheme, we investigate a proxy-vehicle-assisted batch message authentication (PVBA) scheme. In the scheme, a proxy vehicle selection algorithm is designed to choose a certain number of proxy vehicles, and the message verification tasks are completed by a roadside unit (RSU) and the proxy vehicles synchronously. Performance analysis shows that in the case of large-scale messages, the PVBA scheme has lower verification delay than related schemes, and the verification efficiency is greatly improved.

1. Introduction

With the rapid development of intelligent transportation systems (ITSs), the number of vehicles has greatly increased, traffic jams are common and traffic accidents occur frequently [1]. In order to improve road safety and traffic efficiency, vehicle ad hoc networks (VANETs) have been widely studied. VANETs are composed of three parts  [2]: a trusted authority (TA), a roadside unit (RSU) and vehicles with on-board units (OBUs). The TA is responsible for registering and issuing system parameters. The RSU is deployed on the roadside and provides services for vehicles. Vehicles are equipped with OBUs, and each OBU acts as a communication module, supporting vehicle-to-vehicle communication (V2V) and vehicle-to-infrastructure (V2I) communication. The V2V and V2I communications are wireless communications, and for a long time, the solution used was directed short-range communication (DSRC) [3]. However, with the development of wireless communication technology [4], 6G offers new opportunities for ITSs, due to its excellent functions such as ultra-low delay communication, high throughput and large-scale autonomous networks [5]. 6G-enabled VANETs provide strong support for ITSs by providing high-speed information transportation and real-time data sharing among vehicles, infrastructure and pedestrians.

Due to the rapidly changing topology and the vulnerable wireless communication of the 6G-enabled VANETs, the transmitted messages face the risks of eavesdropping, tampering and disclosure. Since the various applications in an ITSs are based on information communication, it is very important to ensure the safety of message transmission. In addition, privacy is another very important topic to be discussed with regard to VANETs. A common privacy problem is that an attacker may obtain users’ privacy information from a large amount of transmitted data. Therefore, location and identity should be carefully considered, so that attackers cannot link data to users. No vehicle users are willing to disclose their personal identity, driving route and other private information.

To deal with the security and privacy problems in VANETs, many authentication schemes have been proposed, mainly divided into public key infrastructure (PKI)-based and identity (ID)-based schemes. PKI-based and ID-based schemes use asymmetric encryption as their security basis. Asymmetric encryption requires four keys, i.e., both sides of the communication prepare a pair of public and private keys. The public keys are used to encrypt information and the private keys are reserved by the information receiver for decryption. PKI-based schemes [6,7,8] represent a good choice for achieving message authentication. However, the use of certificates in PKI-based schemes consumes large storage, computation and communication resources. Firstly, vehicles need to store anonymous certificates, which increases the transmission pressure on the system. Secondly, due to the large size of the certificates, network congestion may occur. Shamir first proposed an ID-based signature encryption system, in which the public key consists of the user’s identity while the private key is generated by a trusted third party. Based on this idea, many ID-based message verification schemes have emerged. Azees M. et al. [9] designed an ID-based scheme which can realize anonymous authentication.

However, the design of this scheme involves complex bilinear pairing (BP) operations, and the computational cost is high. Since a pairing operation consumes more computational overhead than a scalar multiplication [10], researchers focus on designing a pairless authentication scheme to reduce the computational cost and improve the efficiency of the authentication schemes. Alazzawi et al. [10] proposed a scheme without BP operations to reduce the computational cost. ID-based schemes do not need to transmit and store certificates, and BP operation is time-consuming, making ID-based pairless authentication schemes a major branch of research. In addition, in most ID-based schemes, security information such as the master key must be loaded into a tamper-proof device (TPD) in advance, and the TPD is assumed to be an ideal device which can resist external attacks and is used to provide anonymity. Many studies [11] have shown that the assumption that the TPD is secure in the existing scheme is optimistic. The sensitive information directly pre-loaded into the TPD is not absolutely safe under a side-channel attack [12,13], which will lead to the collapse of the system security.

In this paper, an anonymous and secure message authentication (ASMA) scheme is proposed to solve the security and privacy problems in VANETs. The ASMA scheme has the characteristics of high security, low overhead and batch verification. Since the elliptic curve cryptography (ECC) encryption algorithm [10] has high security and fast decryption, we apply it to the design of the scheme. To further improve the efficiency of the ASMA scheme, we design a proxy-vehicle-assisted batch message authentication (PVBA) scheme incorporating the concept of edge computing. In the PVBA scheme, the RSU is responsible for selecting a certain number of proxy vehicles and assigning part of the verification tasks to the proxy vehicles. After completing the message verification, the proxy vehicles return the results to the RSU for verification. Finally, the RSU publishes the verification results to the surrounding vehicles. This study makes following contributions:

• The ASMA scheme is ID-based and pairless, which costs less in terms of computational and communication overheads than schemes based on PKI and pairing operations. What is more, the secret key is not directly installed in the TPD, which ensures that the scheme is secure even when the TPD is stolen. In addition, the ASMA scheme can realize conditional privacy protection, i.e., vehicle identity privacy protection and traceability.
• In the PVBS scheme, a novel proxy vehicle selection algorithm is designed for the RSU to select proxy vehicles. The RSU coordinates the verification tasks and verifies them with the proxy vehicles at the same time, which solves the problem of redundant message verification as well as reducing the verification delay of the system.
• Performance analysis indicates that the ASMA scheme consumes less computation overhead when the number of messages is small; however, in the case of large-scale messages, the PVBA scheme shows obvious advantages in verification efficiency. Thus, the RSU can dynamically adjust and adopt the ASMA scheme or the PABM scheme according to the number of received messages and vehicles.

The rest of the paper is organized as follows. Section 2 discusses related work, and Section 3 introduces the preliminary knowledge. A detailed introduction to the ASMA scheme is given in Section 4, and the PVBA scheme is introduced in Section 5. Finally, Section 6 concludes the paper.

2. Related Work

Verification schemes [6,7,8,9,10] can improve the security of message transmission in VANETs; however, they face the problem of low efficiency, since messages are verified one by one. When the total number of vehicles is extremely high, especially in the case of a traffic jam, the computational burden of the system increases sharply.

To address the efficiency problems in VANETs, many batch authentication schemes have been proposed. He et al. [14] designed a pairless message authentication scheme that supports both batch authentication and privacy protection. Lo and Tsai [15] developed an ID-based batch authentication scheme. Gayathri et al. [16] designed a scheme without pairing, where the batch authentication mechanism significantly reduces the burden on RSUs. Feng et al. [17] introduced a novel batch verification scheme for a high-density traffic situation, in which the size of the batch authentication is dynamically adjusted according to the authentication result of the last round. Xiong [1] constructed a batch authentication scheme based on ECC, which achieves double-insurance for private keys. In addition, Hao et al. [18] and Sarencheh et al. [19] proposed collaborative batch verification schemes in which vehicles in the same area authenticate all the messages cooperatively and share their results with others. By reducing the computational overhead of some cryptographic operations, the efficiencies of the batch verification schemes [1,14,15,16,17,18,19] are improved. However, there is the problem that the same security messages are verified by multiple terminals, which wastes the computing power of each terminal and reduces the verification efficiency of VANETs.

In recent years, central-level batch authentication schemes have been proposed to deal with the redundant message verification problem. In centralized batch authentication schemes [20,21,22], the RSU must authenticate received messages and publish the verification results, and each message is verified only once. However, with the continuous growth of access devices, the increasing frequency of information interactions and the limited computing power of RSUs, the traditional centralized batch authentication structure is facing great challenges. Nowadays, edge computing has become an effective method of achieving low latency for VANETs by transferring computing power to the network edge [23]. Based on the ideas of edge computing and distributed computing [24,25], researchers have proposed batch message authentication solutions named proxy-based batch verification. Liu et al. [26] designed a proxy-vehicle-assisted authentication scheme in which the proxy vehicles are chosen based on their extra computation resource, and they verify the same number of messages. Since the scheme is based on BP operations and the messages may be verified repeatedly, the efficiency of the scheme requires improvement. Cui et al. [27] presented an authentication scheme to address the repeated message verification problem. In this scheme, the RSU chooses the proxy vehicles using fuzzy mathematics, according to the extra computing resource of the vehicle and the distance between the vehicle and the RSU, and assigns the verification task to the edge-computing vehicles (ECVs). After completing the verification task, the ECVs return the verification results to the RSU. Wu et al. [28] introduced a distributed batch verification scheme based on an auxiliary verification terminal. In this scheme, a certain number of auxiliary verification terminals are selected that cooperate with the RSU to handle message verification. In these proxy-based batch authentication schemes [26,27,28], the RSU must coordinate the message verification tasks and select the vehicles with extra computing resources as proxy vehicles. Since the quantity of, and selection method for, proxy vehicles directly affect the verification efficiency, the question of how many proxy vehicles to select and how to choose the proxy vehicles becomes a challenge.

3. Preliminaries

This section discusses the preliminary knowledge required, i.e., the system model, the security and privacy requirements and the mathematical assumptions.

3.1. System Model

Figure 1 shows the system model, which consists of three major components: the TA, RSUs and vehicles with OBUs. Vehicles communicate with each other or with the RSU through a wireless link, and the communication between the RSU and the TA is via a wired link [29].

The TA is fully trusted and responsible for registering the RSU and the vehicles. In addition, the TA must generate and issue system parameters and vehicles’ partial keys. The RSU is deployed on the roadside and is responsible for authenticating the safety messages sent by vehicles. Vehicles have OBUs and a global positioning system installed. In addition, each OBU has a TPD that stores sensitive information and has limited storage and computing capabilities.

In VANETs, vehicles regularly broadcast traffic-related information. To protect the security of the transmitted messages, vehicles should sign the messages before sending them to the RSU. After receiving the messages, the RSU must verify their validity. If the message is valid, the RSU broadcasts it to the surrounding vehicles and RSUs, and otherwise, it discards the message. Our proposed message authentication scheme is suitable for urban traffic, especially in the case of heavy traffic.

3.2. Security and Privacy Requirements

A single secure message authentication scheme should satisfy the following objectives:

• Message authentication: the scheme should realize the message authentication and detect modification of the messages.
• Identity privacy preservation: the vehicle’s identity information must not be revealed through the transmitted messages.
• Traceability: once a dispute appears, the vehicle’s identity information can only be extracted by the TA.
• Unlinkability: the transmitted messages from the same vehicle cannot be linked by RSUs and malicious vehicles, i.e., the vehicle’s private information cannot be traced.
• Resistance to common attacks: the scheme should overcome common attacks such as impersonation attacks, modification attacks, replay attacks and stolen device attacks.
• Efficient performance: the scheme should have low communication and computation overheads.

3.3. Mathematical Assumptions

The following complex mathematical problems and assumptions form the security basis of the proposed schemes.

• Elliptic Curve Discrete Logarithm Problem (ECDLP): the elliptic curves finite cyclic group consisting of the prim order q and the generator P is $\mathbb{G}=〈P〉$. The ECDLP problem is that given $Q\in \mathbb{G}$ and $Q=xP$, for random $x\in {\mathbb{Z}}_q^{*}$, s must be computed.
  ECDLP Assumption: it is impossible for a probabilistic polynomial time (PPT) algorithm to handle the ECDLP with the negligible probability ${ϵ}_{ecdlp}$ within the maximum time $t_{ecdl}$.
• Computational Diffie–Hellman Problem (CDHP): the elliptic curves finite cyclic group consisting of the prim order q and the generator P is $\mathbb{G}=〈P〉$. The CDH problem is that given $Q,R\in \mathbb{G}$ and $Q=xP,R=yP$, for random $x,y\in {\mathbb{Z}}_q^{*}$, $\left(xy\right)P$ must be computed.
  CDHP Assumption: it is impossible for a PPT algorithm to handle the CDHP with non-negligible probability ${ϵ}_{cdh}$.
• One-Way Hash Function: the output of a secure one-way hash function $h(.)$ is fixed, regardless of the length of the input.
  Hash Function Assumption: for any input z, it is easy to compute $y=h\left(z\right)$ and infeasible to find the hash function $h^{-1}(.)$ which satisfies $z=h^{-1}\left(y\right)$. In addition, for any input z, it is impossible to find $z^{{}^{\prime }}\ne z$, where $h^{{}^{\prime }}\left(z^{{}^{\prime }}\right)=h\left(z\right)$.

4. Anonymous and Secure Message Authentication Scheme

In this section, we introduce the anonymous and secure message authentication (ASMA) scheme in detail. In addition, the security analysis and the performance analysis of the ASMA scheme are discussed.

4.1. The Proposed Scheme

The ASMA scheme is ID-based and pairless, and the master key is not directly stored on the TPD. The TA is responsible for registering vehicles and generating a partial key to form the vehicle’s private key. In addition, the pseudonym identity is pre-generated offline by the TPD.

A. System Initialization (by the TA)

The TA is responsible for initializing and publishing the system parameters as follows:

• The TA selects an elliptic curve $E_{a,b}$ generated by $y^2=x^3+ax+b$$\left(modP\right)$, in which $a,b\in {\mathbb{Z}}_p^{*}$, $(4a^3+27b^2)$$modp$$\ne 0$ and p is a large prime number.
• The TA selects a large prime q to construct a cyclic group $\mathbb{G}$ on the elliptic curve $E_{a,b}$, with generator P$(P\in \mathbb{G})$.
• The TA randomly chooses $s\in {\mathbb{Z}}_q^{*}$ as the master key and computes $P_{pub}=sP$, where $P_{pub}$ is the public key.
• The TA selects three hash functions $H_1:\mathbb{G}\to {\{0,1\}}^l$, $H_2:{\{0,1\}}^{*}\times {\{0,1\}}^{*}\to {\mathbb{Z}}_q^{*}$ and $H_3:{\{0,1\}}^{*}\times {\{0,1\}}^{*}\times {\{0,1\}}^{*}\to {\mathbb{Z}}_q^{*}$, in which l is the length of the vehicle’s real identity.
• The TA publishes the system parameters $para=\{P,P_{pub},H_1,H_2,H_3\}$.

B. Vehicle Registration and Partial Key Generation (by the TA)

Before joining the VANET, the vehicles must be registered offline in the TA, and at the same time, the TA generates the partial key for each vehicle as follows:

• Vehicle $V_i$ submits the identity $I{D}_i$ and password $P{W}_i$ to the TA through a secure channel, and then the TA checks their validity. If they are valid, the TA proceeds to the next step.
• The TA randomly selects $a_i\in {\mathbb{Z}}_q^{*}$ and computes

  $$A_i=a_{i}P,x_i=s+a_i,$$

  (1)

  where $x_i$ is the partial secret and is used to generate the secret key of vehicle $V_i$ in the message signing stage. Then, the TA preloads the secret parameter $\{A_i,x_i\}(i=1,2,\cdots ,n)$ to the TPD of vehicle $V_i$.

C. Pseudonym Identity and Secret Key Generation (by the TPD)

Vehicle $V_i$ inputs $I{D}_i,P{W}_i$ to the TPD and the TPD verifies their validity. If they are valid, the TPD generates the pseudonym identity for vehicle $V_i$ as follows.

The TPD selects a random number $k_{i,j}$ and computes $K_{i,j}=k_{i,j}P$. The pseudonym identity is defined as

$$PI{D}_{i,j}=I{D}_i\oplus H_1\left(k_j{P}_{pub}\right).$$

(2)

Then, TPD computes ${\omega }_{i,j}=H_2(PI{D}_{i,j}\left|\right|T_{i,j})$ and generates the secret key $s{k}_{i,j}$ for vehicle $V_i$ as

$$s{k}_{i,j}=x_i+{\omega }_{i,j}{k}_{i,j}.$$

(3)

The jth pseudonym identity of vehicle $V_i$ is $PI{D}_{i,j}$, and its valid period is $T_{i,j}$. Note that the pseudonym identities can be pre-generated offline, and that the tuple $\{PI{D}_{i,j},T_{i,j},K_{i,j}\}$ is public and $s{k}_{i,j}$ is secret.

D. Message Signing (by vehicles)

The real-time traffic messages sent to the RSUs should be signed by the vehicles first as follows:.

• Vehicle $V_i$ randomly selects $b_{i,j}$ as the secret key and computes $B_{i,j}=b_{i,j}P$.
• Vehicle $V_i$ randomly chooses $\{PI{D}_{i,j},T_{i,j},s{k}_{i,j}\}$ from the TPD and computes

  $$h_{i,j}=H_3(PI{D}_{i,j}\left|\right|B_{i,j}\left|\right|M_i),$$

  (4)

  and

  $${\alpha }_{i,j}=s{k}_{i,j}+h_{i,j}{b}_{i,j}.$$

  (5)
• The signature on $M_i$ is ${\sigma }_{i,j}=(B_{i,j},{\alpha }_{i,j})$, and vehicle $V_i$ sends $\{M_i,PI{D}_{i,j},T_{i,j},A_i,K_{i,j},{\sigma }_{i,j},t_i\}$ to the RUS, where  $t_i$ is the current time.

E. Verification (by the RUS)

After receiving $\{M_i,PI{D}_{i,j},T_{i,j},A_i,K_{i,j},{\sigma }_{i,j},t_i\}$, the RSU verifies the signature ${\sigma }_{i,j}$, where $i=1,2,\cdots ,n$, as follows:

• The RSU checks the freshness of $t_i$. If the time has expired, the message will be rejected. Otherwise, it proceeds to the next step.
• The RSU computes ${\omega }_{i,j}^{{}^{\prime }}=H_2(PI{D}_{i,j}\left|\right|T_{i,j})$ and $h_{i,j}^{{}^{\prime }}=H_3(PI{D}_{i,j}\mid \mid B_{i,j}\mid \mid M_i)$, then checks whether the equation ${\alpha }_{i,j}P=P_{pub}+A_i+{\omega }_{i,j}^{{}^{\prime }}{K}_{i,j}+h_{i,j}^{{}^{\prime }}{B}_{i,j}$ holds. If true, the message is legal. Otherwise, the message is discarded.

F. Batch Verification (by the RUS)

The ASMA scheme can achieve batch verification. Suppose the RSU has received multiple tuples, i.e., $\{M_i,PI{D}_{i,j},T_{i,j},A_i,K_{i,j},{\sigma }_{i,j},t_i\}$$(i=1,2,\cdots n)$. Then, the batch verification is performed as follows:

• The RSU checks the freshness of $t_i$, where $i=1,2,\cdots n$, and discards the stale messages.
• In order to quickly detect modifications of these signatures, the RSU randomly selects a vector $\delta =\{{\delta }_1,{\delta }_2,\dots ,{\delta }_n\}$${\delta }_i\in [1,2^t]$, where t is a small integer.
• The RSU computes ${\omega }_{i,j}^{{}^{\prime }}=H_2(PI{D}_{i,j}\left|\right|T_{i,j})$ and $h_{i,j}^{{}^{\prime }}=H_3(PI{D}_{i,j}\mid \mid B_{i,j}\mid \mid M_i)$ and checks whether the following equation is valid:

  $$\sum _{(i=1)}^n\left({\delta }_i{\alpha }_{i,j}\right)P=P_{pub}+\sum _{(i=1)}^n{\delta }_i{A}_i+\sum _{(i=1)}^n{\delta }_i{\omega }_{i,j}^{{}^{\prime }}{K}_{i,j}+\sum _{(i=1)}^n{\delta }_i{h}_{i,j}^{{}^{\prime }}{B}_{i,j},$$

  (6)
  If true, the messages pass through the verification. Otherwise, it indicates that an invalid message exists.

Correctness proof: We know that if the tuple $\{M_i,PI{D}_{i,j},T_{i,j},A_i,K_{i,j},{\sigma }_{i,j},t_i\}$ has not been tampered with, then Equation (7) holds. Since $P_{pub}=sP,A_i=a_{i}P$, $K_{i,j}=k_{i,j}P$ and $B_{i,j}=b_{i,j}P$, we have

$$\begin{array}{cc}\hfill {\alpha }_{i,j}P& =(s_{i,j}+h_{i,j}{b}_{i,j})P\hfill \\ \hfill & =(s+a_i+{\omega }_{i,j}{k}_{i,j})P+h_{i,j}{b}_{i,j}P\hfill \\ \hfill & =P_{pub}+A_i+{\omega }_{i,j}{K}_{i,j}+h_{i,j}{B}_{i,j}.\hfill \end{array}$$

(7)

This indicates that, Equation (7) is valid.

4.2. Security Analysis

In this section, the security and performance of the ASMA scheme are analyzed. First, we prove that the ASMA scheme is secure, using the random oracle model. Secondly, the security requirements of ASMA are introduced. Finally, the performance analysis is presented by comparing the ASMA scheme with related schemes.

A. Security Proof

Considering the unforgeability of the authentication tuples of the ASMA scheme, we divide the adversaries into two types, i.e., a type 1 adversary has the vehicle’s partial private key, and a type 2 adversary has the vehicle’s private key. We use the game played between adversary $\mathcal{A}$ and challenger $\mathcal{C}$ to prove the security.

Theorem 1.

The ASMA scheme can resist a chosen message attack by a type 1 adversary.

Proof of Theorem 1.

Suppose adversary ${\mathcal{A}}_1$ can forge an authentication tuple, and algorithm ${\mathcal{C}}_1$ can address the ECDLP by running ${\mathcal{A}}_1$ with a probability that cannot be neglected.

Setup-Oracle: ${\mathcal{C}}_1$ generates the private key s and system parameters $para$ when ${\mathcal{A}}_1$ invokes this query, and sends $para$ to ${\mathcal{A}}_1$. The challenger ${\mathcal{C}}_1$ produces the vehicle’s partial private key and public key.

$H_1$-Oracle Query: ${\mathcal{C}}_1$ has the list $L_H=〈T,\tau 〉$, and the list is initialized as empty. When ${\mathcal{A}}_1$ makes an $H_1$ query with T, $C_1$ checks $L_{H_1}$. If the tuple $〈T,\tau 〉$ exists in $L_{H_1}$, ${\mathcal{C}}_1$ delivers $\tau$ to ${\mathcal{A}}_1$. Otherwise, ${\mathcal{C}}_1$ chooses the string $\tau \in {\{0,1\}}^l$ and sends it to ${\mathcal{A}}_1$, then adds $〈T,\tau 〉$ to $L_{H_1}$.

$H_2$-Oracle Query: ${\mathcal{C}}_1$ has the list $L_{H_2}=〈PI{D}_{i,j},T_{i,j},\tau 〉$, and the list is initialized as empty. When ${\mathcal{A}}_1$ makes an $H_2$ query with $〈PI{D}_{i,j},T_{i,j}〉$, ${\mathcal{C}}_1$ checks $L_{H_2}$. If the tuple $〈PI{D}_{i,j},T_{i,j},\tau 〉$ exists in $L_{H_2}$, ${\mathcal{C}}_1$ delivers $\tau$ to ${\mathcal{A}}_1$. Otherwise, ${\mathcal{C}}_1$ chooses the string $\tau \in {\mathbb{Z}}_q^{*}$ and delivers it to ${\mathcal{A}}_1$, then adds $〈PI{D}_{i,j},T_{i,j},\tau 〉$ to $L_{H_2}$.

$H_3$-Oracle Query: ${\mathcal{C}}_1$ has the list $L_{H_3}=〈PI{D}_{i,j},B_{i,j},M_i,\tau 〉$, and the list is initialized as empty. When ${\mathcal{A}}_1$ makes an $H_3$ query with $〈PI{D}_{i,j},B_{i,j},M_i〉$, ${\mathcal{C}}_1$ checks $L_{H_3}$. If the tuple $〈PI{D}_{i,j},B_{i,j},M_i,\tau 〉$ exists in $L_{H_3}$, ${\mathcal{C}}_1$ sends $\tau$ to ${\mathcal{A}}_1$. Otherwise, ${\mathcal{C}}_1$ randomly selects a string $\tau \in {\mathbb{Z}}_q^{*}$ and sends it to ${\mathcal{A}}_1$, then adds $〈PI{D}_{i,j},B_{i,j},M_i,\tau 〉$ to $L_{H_3}$.

Signing-Oracle Query: For a message $M_i$, algorithm ${\mathcal{C}}_1$ randomly selects $x_1,x_2,x_3\in {\mathbb{Z}}_q^{*}$$T_{i,j}$$v\in {\{0,1\}}^l$ and $t_i$, then computes

$$\begin{array}{cc}\hfill & A_i=x_1{K}_{i,j}+x_2{B}_{i,j}+x_{3}P-P_{pub}\hfill \\ \hfill & PI{D}_{i,j}=I{D}_i\oplus v\hfill \\ \hfill & {\omega }_{i,j}=H_2(PI{D}_{i,j}\left|\right|T_{i,j})=-x_1\hfill \\ \hfill & h_{i,j}=H_3(PI{D}_{i,j}\left|\right|B_{i,j}\left|\right|M_i)=-x_2\hfill \\ \hfill & {\alpha }_{i,j}=-x_3\hfill \end{array}$$

(8)

Then, ${\mathcal{C}}_1$ adds $〈PI{D}_{i,j},T_{i,j},-x_1〉$ to $L_{H_2}$ and $〈PI{D}_{i,j},B_{i,j},M_i,-x_2〉$ to $L_{H_3}$.

Output: ${\mathcal{A}}_1$ outputs the forged authentication tuple $\{M_i^{{}^{\prime }},PI{D}_{i,j}^{{}^{\prime }},T_{i,j}^{{}^{\prime }},A_i^{{}^{\prime }},K_{i,j},B_{i,j},{\alpha }_{i,j}^{{}^{\prime }},t_i^{{}^{\prime }}\}$. ${\mathcal{C}}_1$ rewinds ${\mathcal{A}}_1$ to query $H_2(PI{D}_{i,j}^{{}^{\prime }}\left|\right|T_{i,j}^{{}^{\prime }})$, and ${\mathcal{A}}_1$ outputs another forged authentication tuple $\{M_i^{{}^{″}},PI{D}_{i,j}^{{}^{\prime }},T_{i,j}^{{}^{″}},A_i^{{}^{\prime }},K_{i,j},B_{i,j},{\alpha }_{i,j}^{{}^{″}},t_i^{{}^{″}}\}$, where $PI{D}_{i,j}^{{}^{\prime }}$ and $A_i^{{}^{\prime }}$ should be the same.

For simplicity, let $t=s+a_i$. The outputs of the $H_2$ hash oracle queries are $a_1=H_2(PI{D}_{i,j}^{{}^{\prime }}\left|\right|T_{i,j}^{{}^{\prime }})$ and $a_2=H_2(PI{D}_{i,j}^{{}^{\prime }}\left|\right|T_{i,j}^{{}^{″}})$. Similarly, the outputs of the $H_3$ hash oracle queries are $b_1=H_3(PI{D}_{i,j}^{{}^{\prime }}\left|\right|B_{i,j}^{{}^{\prime }}\left|\right|M_i^{{}^{\prime }})$ and $b_2=H_3(PI{D}_{i,j}^{{}^{\prime }}\left|\right|B_{i,j}^{{}^{\prime }}\left|\right|M_i^{{}^{″}})$. Therefore, we have

$${\alpha }_{i,j}^{{}^{\prime }}=t+a_{1}x+b_{1}y,{\alpha }_{i,j}^{{}^{″}}=t+a_{2}x+b_{2}y,$$

(9)

where x and y are unknown values, and ${\mathcal{C}}_1$ can solve the above equation and output x and y as the solution of the ECDLP.    □

Theorem 2.

Our proposed scheme can resist a chosen message attack by a type 2 adversary.

Proof of Theorem 2.

We assume that adversary ${\mathcal{A}}_2$ can forge an authentication tuple and algorithm ${\mathcal{C}}_2$ can address the ECDLP by running ${\mathcal{A}}_2$ with a probability that cannot be ignored.

Setup-Oracle: Same as the proof of Theorem 1.

$H_1$-Oracle Query: same as the proof of Theorem 1.

$H_2$-Oracle Query: same as the proof of Theorem 1.

$H_3$-Oracle Query: same as the proof of Theorem 1.

Signing-Oracle Query: same as the proof of Theorem 1.

Output: same as the proof of Theorem 1.

For simplicity, let $t=s+a_i$. The outputs of the $H_2$ hash oracle queries are $a_1=H_2(PI{D}_{i,j}^{{}^{″}}\left|\right|T_{i,j}^{{}^{\prime }})$ and $a_2=H_2(PI{D}_{i,j}^{{}^{\prime }}\left|\right|T_{i,j}^{{}^{″}})$. Similarly, the outputs of the $H_3$ hash oracle queries are $b_1=H_3(PI{D}_{i,j}^{{}^{\prime }}\left|\right|B_{i,j}^{{}^{\prime }}\left|\right|M_i^{{}^{\prime }})$ and $b_2=H_3(PI{D}_{i,j}^{{}^{\prime }}\left|\right|B_{i,j}^{{}^{\prime }}\left|\right|M_i^{{}^{″}})$. Therefore, we have

$${\alpha }_{i,j}^{{}^{\prime }}=t+a_{1}x+b_{1}y,{\alpha }_{i,j}^{{}^{″}}=t+a_{2}x+b_{2}y,$$

(10)

where t and x are unknown values, and ${\mathcal{C}}_2$ can solve the above equation and output t and x as the solution of the ECDLP.    □

B. Security Requirements

• Message authentication: the RSU confirms the message tuple $\{PI{D}_{i,j},T_{i,j},A_i,{\sigma }_{i,j},M_i,t_i\}$ by verifying whether the equation ${\alpha }_{i,j}P=P_{pub}+A_i+h_{i,j}^{{}^{\prime }}{B}_{i,j}$ holds. The ASMA scheme can realize message authentication.
• Identity privacy preservation: since the $I{D}_i$ of vehicle $V_i$ is hidden in $PI{D}_{i,j}$, and $PI{D}_{i,j}=I{D}_i\oplus H_1\left(k_j{P}_{pub}\right)$, the adversary extracts $I{D}_i$ from $PI{D}_{i,j}$ by computing $k_j{P}_{pub}=K_{i,j}s$ and $I{D}_i=PI{D}_{i,j}\oplus k_j{P}_{pub}$. However, because the adversary has no knowledge of s and the hardness of the ECDLP, the adversary cannot obtain $I{D}_i$.
• Traceability: the $I{D}_i$ of $V_i$ is hidden in $PI{D}_{i,j}$. The TA can obtain $I{D}_i$ by computing $I{D}_i=PI{D}_{i,j}\oplus H_1\left(K_{i,j}s\right)$, since the TA possesses s and $K_{i,j}$, $PI{D}_{i,j}$.
• Unlinkability: to generate the signature of the message $M_i$, firstly, vehicle $V_i$ selects $k_j$ to generate the pseudonym identity $PI{D}_{i,j}$. Then, vehicle $V_i$ selects $b_{i,j}$ to compute $h_{i,j}=H_2(PI{D}_{i,j}\left|\right|B_{i,j}\left|\right|M_i)$ and ${\alpha }_{i,j}=x_i+h_{i,j}{b}_{i,j}$. Since $k_j$ and $b_{i,j}$ are randomly chosen, it is impossible for the adversary to link two pseudonym identities or two signatures sent by the same vehicles.
• Resistance to common attacks: the adversary must forge the right authentication tuple when impersonating a legal vehicle. However, according to the security proof mentioned above, it is impossible to forge a legitimate signature message in probabilistic polynomial time. Furthermore, the modification of the transmission message by adversary $\mathcal{A}$ can be detected at the verification stage. To resist replay attacks, a time stamp was used in the design of the scheme. Since the secret key is not stored in the TPD directly, our scheme can withstand a stolen device attack. Thus, the ASMA scheme can withstand the common attacks, i.e., impersonation attacks, modification attacks, replay attacks and stolen device attacks.

4.3. Performance Analysis

In this section, we discuss the performance analysis of the ASMA scheme and the EAAP [9], CPPA [1], ESCA [21] and SIPA [22] schemes.

A. Computation Overhead

The cryptographic operations used in EAAP [9] are based on BP, and CPPA [1], ESCA [21] and SIPA [22], as well as our scheme, are based on ECC. For ease of comparison, only the time-consuming cryptographic operations at the signing and verification stages are considered. The execution times of the cryptographic operations are taken from the experimental results in [1] and are expressed as follows:

• $T_{bp}$: the time for carrying out a BP operation $e(P,Q)$, $T_{bp}=4.211$ ms.
• $T_{bp-m}$: the time for carrying out a BP-related scale multiplication operation $aP$, where $a\in {\mathbb{Z}}_p^{*}$, $T_{bp-m}=1.709$ ms.
• $T_{em}$: the time for carrying out an ECC-related scale multiplication operation $aP$, where $a\in {\mathbb{Z}}_p^{*}$, $T_{em}=0.442$ ms.
• $T_{esm}$: the time for carrying out an ECC-related small-scale multiplication operation $xP$, where $x\in [1,2^t]$, $T_{esm}=0.0276$ ms.

For the EAAP [9] scheme, the cost at the signing stage is one BP-related scale multiplication operation, and the overheads for verifying a single message and n messages are $2T_{bp}+5T_{bpm}$ and $(n+1)T_{bp}+5n{T}_{bpm}$, respectively. For the CPPA [1] scheme, the computation overheads at the signing stage and verification stage are three ECC-related scalar multiplication operations. When verifying n messages, the computation overhead of the RSU is $(n+2)T_{em}+n{T}_{esm}$. For the ESCA [21] scheme, the vehicle executes one ECC-related scalar multiplication operation and the RSU executes four ECC-related scalar multiplication operations in a single verification. For verifying n messages, the computation overhead of the RSU is $(2n+3)T_{em}+2n{T}_{esm}$. For the SIPA [22] scheme, the operations are related to ECC. When signing one message, the vehicle must execute one scalar multiplication operation. When verifying a single message, the RSU executes four scalar multiplication operations, while it executes $(2n+3)$ scalar multiplication operations and $2n$ small-scale multiplication operations when verifying n messages. In the ASMA scheme, since the pseudonym identity and secret key generation are pre-generated offline, the computation overheads mainly occur at the signing and verification stages, i.e., the vehicle executes one scalar multiplication operation when signing a message, and the RSU executes three scalar multiplication operations when verifying a single message. In the batch verification case, the overhead of the RSU is $(2n+1)T_{em}+n{T}_{esm}$.

The comparison of computation overheads is given in

Table 1. Comparison of computation overheads.

Scheme	Signing	Verification	Batch Verification	System Overhead
EAAP [9]	$T_{bpm}$	$2T_{bp}+5T_{bpm}$	$(n+1)T_{bp}+5n{T}_{bpm}$	$(n+1)T_{bp}+6n{T}_{bpm}$
CPPA [1]	$3T_{em}$	$3T_{em}$	$(n+2)T_{em}+n{T}_{esm}$	$(4n+2)T_{em}+n{T}_{esm}$
ESCA [21]	$3T_{em}$	$3T_{em}$	$(2n+1)T_{em}$	$(5n+2)T_{em}+n{T}_{esm}$
SIPA [22]	$T_{em}$	$4T_{em}$	$(2n+1)T_{em}+2n{T}_{esm}$	$(3n+2)T_{em}+2n{T}_{esm}$
Proposed	$T_{em}$	$3T_{em}$	$(2n+1)T_{em}+n{T}_{esm}$	$(3n+2)T_{em}+n{T}_{esm}$

, and Figure 2 shows the computation overheads for different batch sizes. According to Figure 2, the ASMA scheme has lower computation overheads than the EAAP [9], ESCA [21] and SIPA [22] schemes, and a slightly higher overhead than the CPPA [1] scheme. In addition, since the generation of the pseudo-identity and partial key in CPPA [1] is completed by the TA, while the pseudo-identity and secret key in the ASMA scheme are pre-generated offline, the total system overhead of CPPA [1] is higher than that of the ASMA scheme, as shown in Table 1.

B. Communication Overhead

The lengths of p and q are 64 and 20 bytes [1], and therefore, the lengths of the additive groups ${\mathbb{G}}_{⊮}$ and $\mathbb{G}$ are 128 bytes and 40 bytes, respectively. In addition, the output length of the hash functions is 20 bytes, and the length of the time stamp is 4 bytes.

Table 2. Comparison of communication overheads.

Scheme	Communication Message	Communication Overhead
EAAP [9]	$\{sig,Y_k,Cer{t}_k\}$	848 bytes
CPPA [1]	$\{A_{j,i},PI{D}_{j,i},T_{j,i}\}$ and $\{A_{j,i},PI{D}_{j,i},S_{pub},T_{j,i},{\beta }_{j,i},t_{j,i}\}$	192 bytes
ESCA [21]	$\{PI{D}_i,vp{k}_{PI{D}_i},M_i,T_i,{\sigma }_i\}$	204 bytes
SIPA [22]	$\{M_i,PI{D}_{ij},t{t}_i,U_{ij},v_{ij}\}$	124 bytes
Proposed	$\{PI{D}_{i,j},T_{i,j},K_{i,j},A_i,{\sigma }_{i,j},t_{i,j}\}$	168 bytes

shows the communication overhead comparison between the ASMA scheme and the related schemes [1,9,21,22].

For EAAP [9], the signature to be sent is $\{sig,Y_k,Cer{t}_k\}$, where $Cer{t}_k=(Y_k\left|\right|E_i\left|\right|$$DI{D}_{ui}\left|\right|{\gamma }_u\left|\right|{\gamma }_v\left|\right|c\left|\right|\lambda \left|\right|{\sigma }_1\left|\right|{\sigma }_2)$, $sig,E_i,DI{D}_{ui},{\gamma }_u,{\gamma }_v,\lambda \in {\mathbb{G}}_{⊮}$ and $c,{\sigma }_1\left|\right|{\sigma }_2\in {\mathbb{Z}}_p^{*}$. Therefore, the communication overhead is $128\times 6+20\times 3=848$ bytes. For CPPA [1], at the stage of generating the pseudonym and partial key, the TA sends $\{A_{j,i},PI{D}_{j,i},T_{j,i}\}$ to $V_j$. Since $A_{j,i}\in \mathbb{G}$ and $PI{D}_{j,i}\in {\mathbb{Z}}_p^{*}$, the communication overhead of this stage is $40+20+4=64$ bytes. In addition, after the message signing stage, the vehicle sends the tuple $\{A_{j,i},PI{D}_{j,i},S_{pub},T_{j,i},{\beta }_{j,i},t_{j,i}\}$ to the RSU, in which $A_{j,i},S_{pub}\in \mathbb{G}$ and $PI{D}_{j,i},{\beta }_{j,i}\in {\mathbb{Z}}_p^{*}$. Then, the overhead is $40\times 2+20\times 2+4\times 2=128$ bytes. The total communication overhead of the CPPA scheme is $64+128=192$ bytes. For ESCA [21], the vehicle sends the authentication tuple $\{PI{D}_i,vp{k}_{PI{D}_i},M_i,T_i,{\sigma }_i\}$ to the RSU. Since $vp{k}_{PI{D}_i}=\{Q_i,R_i\}$, ${\sigma }_i=U_i,s_i$ and $PI{D}_{i,1},Q_i,R_i,U_i\in \mathbb{G}$ and $PI{D}_{i,2},s_i\in {\mathbb{Z}}_p^{*}$, the overhead is $40\times 4+20\times 2+4=204$ bytes. For SIPA [22], the authentication tuple sent by vehicle is $\{M_i,PI{D}_{ij},t{t}_i,U_{ij},v_{ij}\}$ and $PI{D}_{ij}=PI{D}_{i1},PI{D}_{i2}$, $PI{D}_{i1},U_{ij}\in \mathbb{G}$, $PI{D}_{i2},v_{ij}in{\mathbb{Z}}_p^{*}$, and therefore the overhead is $40\times 2+20\times 2+4=124$ bytes. In the ASMA scheme, vehicles broadcast the authentication tuple $\{PI{D}_{i,j},T_{i,j},K_{i,j},A_i,{\sigma }_{i,j},t_{i,j}\}$ to the RSU, in which $A_i,K_{i,j},B_{i,j}\in \mathbb{G}$ and $PI{D}_{i,j}^1,{\alpha }_{i,j}\in {\mathbb{Z}}_p^{*}$. The overhead of the ASMA scheme is $40\times 3+20\times 2+4\times 2=168$ bytes.

As shown in Table 2, the ASMA scheme has a lower communication overhead than EAAP [9], CPPA [1] and ESCA [21] but a slightly higher communication overhead than SIPA [22]. As shown in Table 1, the ASMA scheme is more efficient than SIPA [22] in terms of computation overhead. In addition, given the high data rate of 6G, the requirements regarding communication overheads are not so strict.

5. Proxy-Vehicles-Assisted Batch Message Authentication Scheme

As introduced in the DSRC standard [3], vehicles send location-based messages (LBMs) to surrounding vehicles and the RSU every 150–300 ms, which means that an RSU must verify 340 LBMs in one second if there are 100 vehicles in its coverage. The high data rate of 6G-enabled VANETs means that the RSU faces a higher verification burden, which will increase further in the case of traffic jams. In order to handle the high verification burden of the RSU, in this section we introduce a proxy-vehicles-assisted batch message authentication scheme (PVBA).

5.1. The Verification Process of the PVBA Scheme

In the PVBA scheme, the RSU receives the traffic status messages from vehicles in its coverage, and the message verification tasks are handled by the RSU and proxy vehicles synchronously. The PVBA scheme is based on the ASMA scheme introduced in Section 4, where the first four stages are the same, while the fifth step, i.e., the verification stage, is different. In the verification stage of the PVBA scheme, firstly, the RSU selects proxy vehicles and sends part of the verification tasks to them. Secondly, the proxy vehicles complete the verification tasks and return the results to the RSU, and finally, the RSU verifies the authentication results sent from the proxy vehicles. The information transfer path in the verification stage of the PVBA scheme is shown in Figure 3.

Prior to the verification stage, the RSU must select a certain number of proxy vehicles. When choosing the proxy vehicles, the following factors should be considered. Firstly, the proxy vehicles must have enough extra resources, and secondly, the distance between a proxy vehicle and the RSU should not be too great, since the verification tasks must be transmitted from the RSU to the proxy vehicles. In addition, the proxy vehicles have lower computation power than the RSU. The RSU should confirm the number of proxy vehicles, as more proxy vehicles may lead to a large computation overhead. Therefore, we first introduce the verification overhead of the PVBA scheme, and then we introduce the selection of proxy vehicles.

5.2. The Verification Overhead of the PVBA Scheme

Due to the high data transmission rate of 6G-enabled VANETs and the close distances, we ignore the transmission time between the RSU and the proxy vehicles. The verification overhead of the PVBA scheme consists of two parts. One is the overhead consumed by the RSU and the proxy vehicles when handling the verification tasks simultaneously, and the other is the overhead for the RSU to confirm the verification results from the proxy vehicles. We assume that the message verification overhead of proxy vehicle $V_{pj}$ is $T_j$, $j\in [1,k]$, the message verification overhead of RSU is $T_r$ and the verification overhead for the RSU to confirm the verification results from proxy vehicles is $T_{rp}$. Then, the verification time of the PVBA scheme is

$$T=max\{T_1,T_2,\cdots ,T_k,T_r\}+T_{rp},$$

(11)

where p is the number of proxy vehicles.

According to Equation (6), the batch verification time of the ASMA scheme is $(2n+1)T_{em}+n{T}_{esm}=n(2T_{em}+T_{esm})+T_{em}$. We define $T_A=(2T_{em}+T_{esm})$ and $T_B=T_{em}$. For the PVBA scheme, suppose the RSU verifies $n_r$ messages and the proxy vehicle $V_{pj}$ verifies $n_j$ messages. The power values of the RSU and the proxy vehicle $V_{pj}$ are $f_r$ and $f_j$. The verification overheads consumed by the RSU and the proxy vehicle $V_{pj}$ are as follows:

$$\begin{array}{cc}\hfill T_r& =(2n_r+1)T_{em}+n_r{T}_{esm}=n_r{T}_A+T_B\hfill \\ \hfill T_j& =\frac{f_r}{f_j}((2n_j+1)T_{em}+n_j{T}_{esm})=\frac{f_r}{f_j}(n_j{T}_A+T_B).\hfill \end{array}$$

(12)

Similarly, the overhead consumed by the RSU in verifying the verification results from proxy vehicles is

$$T_{rp}=(2k+1)T_{em}+k{T}_{esm}=k{T}_A+T_B.$$

(13)

5.3. The Selection of Proxy Vehicles and the Computation of the Minimum Verification Overhead

For simplicity, suppose the maximum number of extra messages that vehicles can verify represents the extra resources of the vehicles, the computing power of the RSU is 1.5 times that of a vehicle, i.e., $\frac{f_r}{f_i}=1.5,i\in [1,N]$ and N is the number of vehicles covered by the RSU. The selection of proxy vehicles includes the followings steps.

Step 1. The RSU computes the initial number of proxy vehicles.

According to Equations (11) and (12), in order to obtain the minimum verification overhead T, we should decide the number of proxy vehicles first. Here, we consider an ideal system where the number of messages verified by each proxy vehicle is the average extra message number that all vehicles can verify, i.e., $n_j=\overline{n}=\frac{1}{n}{\sum }_{i=1}^N{n}_i$. Then, the verification overhead of the proxy vehicles becomes

$$T_1=T_2=\cdots =T_k=1.5(\overline{n}{T}_A+T_B).$$

(14)

Since the verifications on the proxy vehicles are conducted at the same time as the verification on the RSU, if the proxy vehicles verify too many messages, $T_j$ will be larger than $T_r$. Similarly, if there are too many messages verified by the RSU, $T_r$ will be larger than $T_j$. The total verification overhead is smallest when $T_j=T_r$, i.e.,

$$1.5(\overline{n}{T}_A+T_B)=n_r{T}_A+T_B.$$

(15)

If the number of messages verified by the RSU plus the number of messages verified by the proxy vehicles is the total number of messages n, i.e., $n_r+{\sum }_{i=1}^k{n}_j=n$, then the initial number of proxy vehicles is

$$k=\frac{n-1.5\overline{n}{T}_A-0.5T_B}{\overline{n}{T}_A}.$$

(16)

Step 2. The RSU computes the verification overhead $T\left(k\right)$.

Suppose the number of extra messages that the vehicles can verify is $J=\{n_1,n_2,\cdots$, $n_i,\cdots ,n_N\}$ and the distance between the vehicles and the RSU is $L=\{l_1,l_2,\cdots ,l_i,\cdots ,l_N\}$. The benefit functions of $V_i$ are

$$U_i=\alpha \frac{n_i}{\overline{n}}+\beta \frac{1}{l_i},$$

(17)

where $\alpha ,\beta \in [0,1]$ and $\alpha +\beta =1$. The RSU sorts the benefit functions from large to small and selects the vehicles corresponding to the first k benefit functions.

In fact, vehicles have different resources, according to Equations (11)–(13), and therefore the verification overhead based on k proxy vehicles is

$$T\left(k\right)=max\{1.5(n_1{T}_A+T_B),1.5(n_2{T}_A+T_B),\cdots ,1.5(n_k{T}_A+T_B),n_r{T}_A+T_B\}+(k{T}_A+T_B).$$

(18)

Step 3. The minimum verification overhead $T_{min}$ and the proxy vehicles list L are output.

Assume that the minimum verification overhead is $T\left(k\right)$ and the corresponding proxy vehicles list is $L1$. The total verification number of proxy vehicles is

$$DJ\left(k\right)=\sum _{i=1}^k{n}_j,DJ\left(k\right)<n.$$

(19)

By changing the number of proxy vehicles k, the RSU can obtain the minimal verification overhead $T_{min}$ and the corresponding proxy vehicles list L. A detailed description of the proxy vehicles selection algorithm is given in Algorithm 1.

Algorithm 1 The Proxy Vehicles Selection Algorithm.

Input:           The location list L, the extra resources J, the velocity V; Output:           The minimal verification overhead $T_{min}$;           Proxy vehicles list L;      1: Compute the initial number of proxy vehicles k and the benefit functions of the vehicles.      2: Sort the benefit functions from large to small, and select the proxy vehicles $L1$ corresponding to the first k benefit functions;      3: Compute $T\left(k\right)$ according to Equation (18);      4: $T_{min}\leftarrow T\left(k\right)$;      5: $L\leftarrow L1$;      6: Compute the total verification number $DJ\left(k\right)$ according to Equation (19);      7: if$DJ\left(k\right)>n$then      8:    for $k1=1:k$ do      9:      Compute $T\left(k1\right)$ according to Equation (18);    10:      Determine $T_{min}$ and L;    11:    end for    12: else    13:    for $k1=k:N$ do    14:      Compute $T\left(k1\right)$ according to Equation (18);    15:      Determine $T_{min}$ and L;    16:    end for    17: end if

5.4. Performance Analysis

To analyze the performance of the PVBA scheme, we set the following simulation conditions. The number of vehicles covered by the RSU was 100, and the probability that vehicles send a message in every 300 ms was 0.8. Since the dwell time of a vehicle within the RSU coverage is associated with the velocity of the vehicle and the distance between the vehicle and the RSU, the maximal number of messages sent in the minimum dwell time can be calculated. Figure 4 shows the comparison of PVBA, ASMA and MAEC [27] from the perspective of the verification overhead. As shown, the MAEC scheme [27] has a higher verification overhead than the ASMA scheme. What is more, on the one hand, in the case where the number of messages is less than 35, the overheads of the ASMA scheme and the PVBA scheme are the same, while the overhead of the MAEC scheme [27] is slightly higher. On the other hand, in the case where the number of messages is greater than 35 and less than 90, the PVBA scheme has a higher verification overhead than the ASMA scheme and the MAEC scheme [27], because the computation power of the selected proxy vehicles is lower than that of the RSU. In the above two cases, we prefer to use the ASMA scheme to complete the verification tasks. However, in the case where the number of messages is greater than 95, the overheads of the ASMA scheme and the MAEC scheme [27] increase linearly, while the overhead of the proposed PVBA scheme increases slowly. The relationship between the number of messages and the number of proxy vehicles is shown in Figure 5. Obviously, the more messages there are, the more proxy vehicles are required. In summary, the PVBA scheme has obvious advantages when the number of messages is large and can effectively improve the verification efficiency.

6. Conclusions

In this paper, we proposed an ASMA scheme to improve the security of 6G-enabled VANETs. The security and performance analyses indicated that the ASMA scheme was secure and efficient. Although ASMA can achieve batch authentication, in the case of large-scale messages the burden of the RSU is high and the efficiency of the ASMA scheme requires improvement. Therefore, we proposed a PVBA scheme, in which a proxy vehicles selection algorithm was designed for the RSU to choose proxy vehicles based on the benefit functions of the vehicles. In addition, the RSU coordinates the verification tasks and verifies them with the proxy vehicles at the same time, which solves the problem of redundant message verification as well as reducing the verification delay of VANETs. What is more, the performance analysis indicated that the PVSA scheme consumed less overhead than the ASMA scheme in the case of large-scale messages, and the RSU could adjust, adopting the ASMA scheme or the PABM scheme according to the number of received messages and vehicles.