**5. Formal Modeling and Specification**

High-Level Petri Nets (HLPN) are used for two reasons [65]: to simulate the proposed model, and to provide a mathematical representation for analyzing its behavioral and structural properties. Formal modeling makes explicit the interconnection of system components and processes, the information flow among the processes, and the information processing. We used HLPN for formal modeling and specification of the proposed scheme. An HLPN is a 7-tuple (*P*, *T*, *F*, *ϕ*, *R*, *L*, *M*<sub>0</sub>) as defined in [66].

In this section, we formally model and specify the proposed scheme CMC. We present the CMC scheme in HLPN in terms of mathematical properties (rules). To represent the system in HLPN, we first define the places and their associated data types; then, we specify the set of rules used in the HLPN. Tables 2 and 3 contain details of the symbols and places used in the Petri nets. We design the HLPN for the algorithms in the proposed model. Figure 8 shows the HLPN for the mix-context scheme. Vertical bars denote transitions, circles denote places, and arrowheads show the data flow in the HLPN.


**Table 2.** Symbol description used in the mix-context method.

**Table 3.** Places used in HLPN for mix-context method.


**Figure 8.** HLPN for mix context method.

The vehicle must register with the TA before joining the network. For this purpose, the vehicle requests registration from the TA. The TA processes the request and provides the Public Key (*PKv*) and pseudonyms (*P*) in Equation (1). In Equation (2), a vehicle requests a pseudonym pool if it has expired. To assign the pseudonym pool to a vehicle, the vehicle's identity is verified, and the pseudonym pool is assigned to the vehicle as given in Equation (3). The identity of the vehicle is matched with *VID* and LPN in the vehicle registration list. The data in VRD is updated with the pseudonym pool assignment:

$$\begin{aligned} \mathbf{R}(\mathbf{Registration}) &= \forall\, i2 \in \mathbf{x2} \land i3 \in \mathbf{x3} \mid i2[1] \neq i3[1] \\ &\qquad \land\ \mathbf{x3}' := \mathbf{x3} \cup \{i2[1], i3[2], i3[3]\}. \end{aligned} \tag{1}$$

$$\begin{aligned} \mathbf{R}(\mathbf{Pseudo\text{-}Registration}) &= \forall\, i5 \in \mathbf{x5} \land i6 \in \mathbf{x6} \mid \\ &\qquad \text{Add-request}(\mathbf{x6}' := \mathbf{x6} \cup \{i5[1], i6[1]\}). \end{aligned} \tag{2}$$

$$\begin{aligned} \mathbf{R}(\mathbf{AssignPool}) &= \exists\, i7 \in \mathbf{x7} \land i8 \in \mathbf{x8} \mid \text{compare}(i7[1], i8[1]) = \text{True} \\ &\qquad \to \mathbf{x8}' := \mathbf{x8} \land i8[1]. \end{aligned} \tag{3}$$

After the vehicle registration process, the concerned strategy of mix context is started as given in Equation (4), where vehicles sense the road conditions. First, vehicles monitor the speed using the speed check in Equation (5). If the vehicle speed is in a particular range, then the distance (Equation (6)) to its neighboring vehicles is calculated. The distance calculation takes the position coordinates of the vehicles in transmission range. The vehicle selects the neighboring vehicle with the minimum distance for mixing road context information. The minimum distance is checked in Equation (7):

$$\begin{aligned} \mathbf{R}(\mathbf{ApplyStrategy}) &= \forall\, i9 \in \mathbf{x9} \land i10 \in \mathbf{x10} \mid \text{RoadCondition}(i10[1], i10[2], i10[3]) \\ &\qquad \land\ \mathbf{x10}' := \mathbf{x10} \cup \{i9[1], i10[1]\}. \end{aligned} \tag{4}$$

$$\begin{aligned} \mathbf{R}(\mathbf{SpeedCheck}) &= \forall\, i11 \in \mathbf{x11} \land i12 \in \mathbf{x12} \mid i11[1] \in i12[3] \\ &\qquad \land\ \mathbf{x12}' := \mathbf{x12} \cup \{i12[1], i12[2]\}. \end{aligned} \tag{5}$$

$$\begin{aligned} \mathbf{R}(\mathbf{CheckDistance}) &= \forall\, i14 \in \mathbf{x11} \land i15 \in \mathbf{x15} \mid i14[1] \in i15[1] \\ &\qquad \land\ \text{Distance}(i15[2], i15[3]) \to i15[4]. \end{aligned} \tag{6}$$

$$\begin{aligned} \mathbf{R}(\mathbf{MinDistance}) &= \forall\, i16 \in \mathbf{x16} \land i17 \in \mathbf{x17} \mid (i16[4] \le i17[2]) = \text{True} \\ &\qquad \to \mathbf{x17}' := \mathbf{x17} \cup \{i17[3]\}. \end{aligned} \tag{7}$$

After measuring the minimum distance between neighboring vehicles, the neighbor with the minimum distance is selected as given in Equation (8). Next, the number of neighbors within the transmission range is counted in Equation (10). Certain conditions are required and, if the condition fails, as given in Equation (9), then the search for neighbors in transmission range starts again:

$$\begin{aligned} \mathbf{R}(\mathbf{Selection}) &= \forall\, i19 \in \mathbf{x19} \land i20 \in \mathbf{x20} \mid (i19[1] \neq i20[1] \land i20[2] \le 300) = \text{True} \\ &\qquad \to \mathbf{x20}' := \mathbf{x20} \cup \{i20[3]\}. \end{aligned} \tag{8}$$

$$\begin{aligned} \mathbf{R}(\mathbf{ConditionF}) &= \forall\, i21 \in \mathbf{x21} \land i22 \in \mathbf{x22} \mid \\ &\qquad (i21[1] = i22[1]) \land \exists\, (i22[1] = \mathbf{x22}[1]). \end{aligned} \tag{9}$$

$$\begin{aligned} \mathbf{R}(\mathbf{Count}) &= \forall\, i25 \in \mathbf{x26} \land i26 \in \mathbf{x26} \mid i25[1] \neq i26[1] \land \text{tr}(i25[3] \le 300) = \text{True} \\ &\qquad \to \mathbf{x26}' := \mathbf{x26} \cup \{i26[2]{+}{+}\}. \end{aligned} \tag{10}$$

When the counting of neighbors is complete, the neighbor threshold is checked to determine the concerned case of mix context. In Equation (11), the neighbor threshold is met, and the process of cooperative pseudonym changing is circulated in the neighborhood as given in Equation (12):

$$\begin{aligned} \mathbf{R}(\mathbf{ThreshSuccess}) &= \forall\, i27 \in \mathbf{x27} \land i28 \in \mathbf{x28} \mid (i27[2] \ge i28[3]) = \text{True} \\ &\qquad \to \mathbf{x28}' := \mathbf{x28} \cup \{i28[2], i28[4]\}. \end{aligned} \tag{11}$$

$$\begin{aligned} \mathbf{R}(\mathbf{Circulate}) &= \forall\, i29 \in \mathbf{x29} \land i30 \in \mathbf{x30} \mid (i30[3] = i29[4]) \\ &\qquad \land\ \mathbf{x30}' := \mathbf{x30} \cup \{i30[3]\}. \end{aligned} \tag{12}$$

Next, Equation (13) shows the start of the cooperative pseudonym updating process, in which the vehicles in the transmission range change their pseudonyms; setting a flag to 0 means that all neighboring vehicles changed pseudonyms successfully. A time limit (Equation (20)) is set for the newly changed pseudonym, and after the pseudonym time expiry, vehicles set a flag to 1 (Equation (15)), which means that vehicles are ready for another pseudonym changing process:

$$\begin{aligned} \mathbf{R}(\mathbf{Update}) &= \forall\, i31 \in \mathbf{x31} \land i32 \in \mathbf{x32} \mid i31[1] = i32[1] \\ &\qquad \to \mathbf{x32}' := \mathbf{x32} \cup \{i32[3] == 0 \land i32[2]\}. \end{aligned} \tag{13}$$

$$\begin{aligned} \mathbf{R}(\mathbf{TimeLimit}) &= \forall\, i33 \in \mathbf{x3} \land i34 \in \mathbf{x34} \mid (i33[2] \ge i34[2]) = \text{True} \\ &\qquad \to \mathbf{x34}' := \mathbf{x34} \cup \{i34[3]\}. \end{aligned} \tag{14}$$

$$\begin{aligned} \mathbf{R}(\mathbf{PseudoExpire}) &= \forall\, i35 \in \mathbf{x35} \land i36 \in \mathbf{x36} \mid (i35[1] = i36[1] \land i35[3] \ge i35[2]) = \text{True} \\ &\qquad \to \mathbf{x36}' = \mathbf{x36} \cup \{i36[4] == 1\}. \end{aligned} \tag{15}$$

If the neighbor threshold is not met (Equation (16)), then the second case of mix context is chosen, in which a target vehicle in a vicinity randomly selects a neighboring vehicle (as given in Equation (17)) for a virtual pseudonym exchange process. The messages are exchanged between selected neighboring vehicles (Equation (18)) for a pseudonym update process. Next, vehicles exchange pseudonyms as given in Equation (19). In Equation (20), again a time limit is set for the expiry of the newly changed pseudonym:

$$\begin{aligned} \mathbf{R}(\mathbf{ThreshF}) &= \forall\, i37 \in \mathbf{x37} \land i38 \in \mathbf{x38} \mid (i37[2] < i38[3]) = \text{True} \\ &\qquad \to \mathbf{x38}' := \mathbf{x38} \cup \{i38[2], i38[4]\}. \end{aligned} \tag{16}$$

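$$\begin{aligned} \mathbf{R}(\mathbf{RandSelection}) &= \forall\, i39 \in \mathbf{x39} \land i40 \in \mathbf{x40} \mid i39[4] = i40[3] \\ &\qquad \land\ \mathbf{x40}' := \mathbf{x40} \cup \{i40[4]\}. \end{aligned} \tag{17}$$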

$$\begin{aligned} \mathbf{R}(\mathbf{MsgExchange}) &= \forall\, i41 \in \mathbf{x41} \land i42 \in \mathbf{x42} \mid (i42[2] \in i41[4]) = \text{True} \\ &\qquad \to \mathbf{x42}' := \mathbf{x42} \cup \{\text{Exchange}(i42[3], i42[4])\}. \end{aligned} \tag{18}$$

$$\begin{aligned} \mathbf{R}(\mathbf{PseudoExchange}) &= \forall\, i43 \in \mathbf{x43} \land i44 \in \mathbf{x44} \mid \text{Exchange}(i43[3], i43[4]) = \text{True} \\ &\qquad \to \mathbf{x44}' := \mathbf{x44} \cup \{\text{Exchange}(i44[2], i44[3])\}. \end{aligned} \tag{19}$$

$$\begin{aligned} \mathbf{R}(\mathbf{TimeLimit}) &= \forall\, i45 \in \mathbf{x45} \land i34 \in \mathbf{x34} \mid (\text{Exchange}(i44[2], i44[3])) = \text{True} \\ &\qquad \to \mathbf{x34}' := \mathbf{x34} \cup \{i34[3]\}. \end{aligned} \tag{20}$$
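The case selection specified by Equations (10) to (19), together with the expiry flag of Equation (15), can be exercised as ordinary guarded updates. The following Python is an added example, not code from the paper. The vehicle record layout, the pseudonym pool representation, the threshold argument, the retry outcome when no neighbor is in range, and all function names are assumptions; the range bound of 300 is the one that appears in Equations (8) and (10).

```python
import math
import random

TX_RANGE = 300  # range bound that appears in Equations (8) and (10)

def sample_vehicles():
    # Constructed sample data: position, current pseudonym, remaining pool, flag.
    mk = lambda x, y, n: {"pos": (x, y), "pseudonym": f"p{n}a",
                          "pool": [f"p{n}b", f"p{n}c"], "flag": 1}
    return {"v1": mk(0, 0, 1), "v2": mk(100, 0, 2),
            "v3": mk(0, 250, 3), "v4": mk(400, 400, 4)}

def count_neighbors(target, vehicles):
    """Count rule, Eq. (10): other vehicles within TX_RANGE of the target."""
    here = vehicles[target]["pos"]
    return [vid for vid, v in vehicles.items()
            if vid != target and math.dist(here, v["pos"]) <= TX_RANGE]

def mix_context(target, vehicles, threshold, seed=0):
    """Pick the mix-context case for `target` and apply the pseudonym change."""
    nbrs = count_neighbors(target, vehicles)
    if not nbrs:                       # assumption: nothing to mix with, search again
        return "retry", []
    if len(nbrs) >= threshold:         # ThreshSuccess, Eq. (11)
        group = [target] + nbrs        # Circulate, Eq. (12)
        for vid in group:              # Update, Eq. (13): new pseudonym, flag := 0
            v = vehicles[vid]
            if v["pool"]:              # an empty pool would need a new pool, Eq. (2)
                v["pseudonym"] = v["pool"].pop(0)
                v["flag"] = 0
        return "cooperative", group
    # ThreshF, Eq. (16): random neighbour (17), then pseudonym exchange (18)-(19)
    peer = random.Random(seed).choice(nbrs)
    a, b = vehicles[target], vehicles[peer]
    a["pseudonym"], b["pseudonym"] = b["pseudonym"], a["pseudonym"]
    return "exchange", [target, peer]

def expire(vehicle, elapsed, lifetime):
    """PseudoExpire, Eq. (15): once the lifetime has passed, flag := 1."""
    if elapsed >= lifetime:
        vehicle["flag"] = 1
    return vehicle["flag"]
```
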
