CPAS: An Efficient Conditional Privacy-Preserving Authentication Scheme for Vehicular Sensor Networks
Shim
IEEE TRANSACTIONS ON VEHICULAR TECHNOLOGY, VOL. 61, NO. 4, MAY 2012

Abstract—In this paper, we propose a conditional privacy-preserving authentication scheme, called CPAS, using pseudo-identity-based signatures for secure vehicle-to-infrastructure communications in vehicular ad hoc networks. The scheme achieves conditional privacy preservation, in which each message launched by a vehicle is mapped to a distinct pseudo-identity, and a trust authority can always retrieve the real identity of a vehicle from any pseudo-identity. In the scheme, a roadside unit (RSU) can simultaneously verify multiple received signatures, thus considerably reducing the total verification time; an RSU can simultaneously verify 2540 signed-messages/s. The time for simultaneously verifying 800 signatures in our scheme can be reduced by 18%, compared with the previous scheme.

Index Terms—Anonymity, batch verification, bilinear pairing, computational Diffie–Hellman (CDH) problem, digital signature, ID-based system, privacy preservation, traceability, unlinkability.

I. INTRODUCTION

With the advancement and wide deployment of wireless communication technologies, car manufacturers and telecommunication industries have recently started to equip vehicles with wireless devices that allow the vehicles to communicate with each other and with the roadside infrastructure to enhance driving safety and improve the driving experience [17]. These types of vehicular communication networks, which are also referred to as vehicular ad hoc networks (VANETs), inherently provide an ideal means of collecting dynamic traffic information and sensing various physical quantities related to traffic distributions at a very low cost with a high level of accuracy. Such functionalities simply turn a VANET into a vehicular sensor network (VSN) [12], which is considered essential for achieving automatic and dynamic information collection and fusion in an intelligent transportation system [31]. VSNs have the potential to revolutionize the driving experience and create a new metropolitan-area traffic flow control framework. They will undoubtedly play an important role in future wireless metropolitan-area networks. VANETs are a subgroup of mobile ad hoc networks (MANETs) with the distinguishing property that the nodes are vehicles such as cars, trucks, buses, and motorcycles. However, vehicles are not subject to the strict energy, space, and computing capability restrictions normally adopted for MANETs. More challenging is the potentially very high speed of the nodes (up to 250 km/h) and the large dimensions of the VANETs. Due to the high-speed mobility of a VANET, timely communications and strict time constraints should be enforced. A VANET consists of onboard units (OBUs) installed on vehicles, roadside units (RSUs) along the roads, and trusted authorities (TAs). In VANETs, OBUs frequently broadcast routine traffic-related messages with information about such factors as traffic events, current time, and the position, direction, and speed of vehicles and whether they are accelerating or decelerating. By frequently broadcasting and receiving traffic-related messages, drivers can gain better awareness of their driving environment. They can take early action to respond to an abnormal situation to avoid possible damage, or they can follow a better route that circumvents a traffic bottleneck. In addition, with a VANET connected to the backbone Internet, passengers sitting in vehicles can go online to enjoy various entertainment-related Internet services with their laptops. These services include downloading/uploading data from the Internet, obtaining local information (e.g., road maps and hotel information), and viewing electronic advertisements. Intervehicle (vehicle-to-vehicle; V-to-V) communications or communications with roadside infrastructure (vehicle-to-infrastructure; V-to-I) bring the promise of improved road safety and optimized road traffic through cooperative system applications.

Our main contributions in this paper are given as follows:
1) We first propose an identity (ID)-based signature (IBS) scheme KIBS secure in the random oracle model under the computational Diffie–Hellman (CDH) assumption. The KIBS scheme uses general hash functions, instead of an inefficient special function known as the MapToPoint function.
2) We construct a secure conditional privacy-preserving authentication scheme CPAS for secure V-to-I communications using a pseudo-IBS scheme based on the KIBS scheme to keep a balance between privacy and traceability, achieving anonymous authentication, message integrity, traceability, and unlinkability.
3) The CPAS scheme supports the fastest batch verification process at the RSUs, where the time for verifying 750 signatures simultaneously is less than 300 ms.

Manuscript received April 12, 2011; revised August 4, 2011, October 25, 2011, and December 15, 2011; accepted January 20, 2012. Date of publication February 6, 2012; date of current version May 9, 2012. This work was supported by the National Institute for Mathematical Sciences Grant B21203 funded by the government of Korea. The review of this paper was coordinated by Prof. J. Misic.
The author is with the Division of Fusion and Convergence of Mathematical Sciences, National Institute for Mathematical Sciences, Daejeon 305-390, Korea (e-mail: [email protected]).
Color versions of one or more of the figures in this paper are available online at http://ieeexplore.ieee.org.
Digital Object Identifier 10.1109/TVT.2012.2186992
The rest of this paper is organized as follows: A survey of related works is provided in Section II. In Section III, we propose a new IBS scheme that does not rely on the MapToPoint function and give its security proof in the random oracle model under the CDH assumption. In Section IV, we construct a privacy-preserving pseudo-ID-based authentication scheme for secure V-to-I communications. We then give a security analysis of our scheme and conduct a performance evaluation. Concluding remarks are given in Section V.

II. RELATED WORKS

VANETs are formed by mobile nodes embedded in vehicles, which are connected in a self-organized manner without an underlying hierarchical infrastructure. Messages from an OBU have to be checked for integrity and authenticated before they can be deemed reliable. Otherwise, an attacker can replace the safety message from a vehicle or even impersonate a vehicle to transmit a fake safety message. Advanced cryptography can be used to make such messages secure and trustworthy. Before putting the aforementioned attractive applications into practice in VANETs, we must resolve security and privacy issues. The V-to-I communication scenario is subject to the following security requirements: source authentication, message integrity, identity privacy preservation, traceability, and unlinkability. At the time of authentication, the identities of claimants must be hidden from a vehicle, and on the other hand, the authority should be able to trace the claimant or the sender of a message by revealing its identity when required. Thus, privacy must be preserved and conditional. Unlinkability is stronger than anonymity and refers to the fact that different interactions of the same user cannot be related. Unlinkability prevents user tracking and profiling. To ensure both source authentication and message integrity in VANETs, one appealing solution is to sign each message with a digital signature before the message is sent. However, traditional public key infrastructure (PKI)-based signature schemes that verify the received messages may fail to satisfy the stringent time requirement of the vehicular communication applications. In this scenario, according to the Dedicated Short-Range Communications (DSRC) protocol [4], an RSU can communicate with hundreds of OBUs [30], each sending a safety-related message to the RSU every 100–300 ms. In this case, sequentially verifying a large number of signatures can become a time-consuming process and can therefore create a processing bottleneck at the RSU. For instance, in a high-density traffic scenario, there may be roughly 180 vehicles within the communication range of an RSU, and each vehicle is sending a message every 300 ms. This implies that a verifier (such as an RSU) must verify around 600–2000 messages/s, which is clearly a challenge for any current digital signature scheme. The maintenance of public key certificates under the PKI incurs considerable communication/computation overhead, so ID-based cryptography [26] may be particularly suitable for VANETs as the work required for certificate management and the transmission overhead can be significantly reduced. Thus, ID-based cryptography and an efficient means of verifying a batch of signatures within a short period of time are desirable.

Raya and Hubaux [22] and Lu et al. [15] proposed PKI-based schemes, in which each vehicle is preloaded with a large number of anonymous public/private key pairs, together with the corresponding public key certificates. To achieve privacy, it requires a public/private key pair with a short lifetime, with a pseudo-ID used in each public key certificate. Therefore, it requires a large storage capacity and incurs high verification costs. Moreover, its certificate revocation list (CRL), which is produced by a TA, is typically bulky, rendering the revocation protocols highly inefficient. Gamage et al. [6] adopted an ID-based ring signature scheme to achieve signer ambiguity and hence fulfill the privacy requirement in VANET applications. However, it does not provide conditional privacy, meaning that traceability cannot be achieved. To achieve conditional privacy, group-signature-based authentication schemes were proposed in [13], [14], [24], [28], and [29], where a group manager who possesses the group master key can reveal the real identity of any group member. A secure privacy-preserving protocol, GSIS, for VANETs [15] uses group signatures for V-to-V communications and IBSs for V-to-I communications. Its group-signature-based V-to-V communications reduce the storage cost of the public/private key pairs and the bandwidth consumption used to transmit the CRL. The size of the CRL and the checking costs are two important performance metrics for revocation mechanisms. Unfortunately, pseudonym-based authentication schemes in the PKI are prone to generate a huge CRL, whereas the checking cost in group-signature-based schemes is unacceptable for vehicles with limited computation power. Recently, Zhang et al. [34] proposed an ID-based batch verification scheme based on bilinear pairings for secure V-to-I communications. They used a pseudo-ID-based one-time signature scheme, which removes the transmission and verification cost of certificates for public keys. It reduces the overall verification delay of a batch of message signatures, and its batch verification process for signatures from multiple vehicles is much faster than that of other PKI-based schemes, such as the Elliptic Curve Digital Signature Algorithm (ECDSA), despite the heavy pairing computation. However, Zhang et al. assumed that a long-term system master secret s is preloaded into all tamper-proof devices, and all security functions rely on it. In fact, tamper-proof devices are popular for protecting sensitive data such as cryptographic keys in these embedded devices. However, recent studies [1], [21] have shown that adversaries can effectively extract the sensitive data from tamper-proof devices by launching side-channel attacks, such as power analysis and laser scanning. Thus, their security assumption is too strong to be accepted, because once one of the tamper-proof devices is cracked by side-channel attacks and the system master secret is leaked to an adversary, the whole system will be compromised. Our scheme still makes use of tamper-proof devices, but the strong assumption that a long-term system master secret is preloaded into all tamper-proof devices is removed. Furthermore, Zhang et al.'s scheme requires a special hash function known as the MapToPoint function in signature generation/verification, which is used to map (pseudo-)identity information into a point on an elliptic curve. The function is inefficient and probabilistic, and while there has been much discussion regarding the construction of such a hash algorithm,
there has been no efficient deterministic polynomial time algorithm proposed for it thus far. A key challenge in this paper is to reduce the verification cost. To do this, we use a new pseudo-IBS scheme without using the MapToPoint function, thus providing the fastest batch verification process. We propose a conditional privacy-preserving authentication scheme CPAS based on our pseudo-IBS scheme for secure V-to-I communications, which still makes use of tamper-proof devices, but the strong assumption that a long-term system master secret is preloaded into all tamper-proof devices is removed. It supports the fastest batch verification process at the RSUs and achieves anonymous authentication, message integrity, traceability, and unlinkability. The time for simultaneously verifying 800 signatures in our scheme can be reduced by up to 18% compared with the Zhang et al. scheme. In addition, an RSU in our scheme can simultaneously verify 2540 signed-messages/s.

III. PRELIMINARIES

We first describe mathematical tools and cryptographic primitives used as building blocks in our authentication scheme.

A. Definitions and Computational Assumptions

We briefly review the necessary facts about bilinear maps and groups [2], [3].
1) (G1, ∗), (G2, ∗), and (GT, ∗) are three cyclic groups of prime order q.
2) g1 is a generator of G1, and g2 is a generator of G2.
3) e : G1 × G2 → GT is a bilinear map, i.e., a map satisfying the following properties:
   a) Bilinearity: e(u^a, v^b) = e(u, v)^{ab} for all u ∈ G1, v ∈ G2, and a, b ∈ Z.
   b) Nondegeneracy: e(g1, g2) ≠ 1 and is, thus, a generator of GT.

Formally, one defines a bilinear group generation algorithm G that takes as input a security parameter k ∈ Z+ and outputs the description of groups G1, G2, and GT and a bilinear map e : G1 × G2 → GT. There exist probabilistic polynomial time algorithms (in k) for computing the group operations in G1, G2, GT, and the bilinear map e.

We define the general notion of bilinear groups as follows:

Definition 3.1: We say that (G1, G2) are a bilinear group pair if there exists a group GT and a nondegenerate bilinear map e : G1 × G2 → GT, such that the group order q = |G1| = |G2| = |GT| is prime, and the pairing e and the group operations in G1, G2, and GT are all efficiently computable.

We consider the problem and assumption that will be used for the security proof of our signature schemes.

Definition 3.2 [CDH Problem]: Given (g, g^x, g^y), compute g^{xy}, where x, y ∈R Z∗q, and g is a generator of G1.

Definition 3.3 [CDH Assumption]: Let G be a CDH parameter generator. We say that an algorithm A has advantage ε(k) in solving the CDH problem for G if, for a sufficiently large k,

$$\mathrm{Adv}_{\mathcal{G},\mathcal{A}}(t) = \Pr\left[\mathcal{A}(q, G_1, g, g^x, g^y) = g^{xy} \;\middle|\; (q, G_1) \leftarrow \mathcal{G}(1^k),\ g \leftarrow G_1,\ x, y \leftarrow \mathbb{Z}_q^*\right] \ge \varepsilon(k).$$

We say that G satisfies the CDH assumption if, for any randomized polynomial time in t algorithm A, we have that Adv_{G,A}(t) is a negligible function. When G satisfies the CDH assumption, we say that the CDH problem is hard in G1 generated by G. We say that an algorithm A (t, ε)-breaks the CDH problem in G if A solves the CDH problem in time t and Adv_{G,A} is at least ε. We say that the CDH problem is (t, ε)-hard if there is no algorithm that (t, ε)-breaks the CDH problem.

B. Signature Scheme: KSS

To construct an IBS scheme without using the MapToPoint function, we first propose a new standard signature (SS) scheme KSS. Let (G1, G2) be a bilinear group pair, where |G1| = |G2| = q for some prime q. We set G1 = G2. We adopt the definition and formal security model of SS schemes in [9]. The KSS scheme is given as follows:
1) Setup. Run the parameter generator G on input a security parameter k ∈ Z+ to generate a prime q, two groups G1 and GT of order q, a generator P in G1, and a bilinear pairing e : G1 × G1 → GT. Choose a cryptographic hash function H1 : {0, 1}∗ → Zq.
2) KeyGen. Pick a random x ∈ Z∗q and Q ∈R G1, compute Y = xP, and set PK = (Y, Q) as a public key and SK = x as a secret key.
3) Sign. For a given m ∈ {0, 1}∗, choose a random number k ∈ Z∗q, and compute T = kP, h = H1(m, T) ∈ Zq and S = (x + h · k) · Q. Output σ = (T, S) as a signature on m under PK.
4) Vfy. Given a signature σ = (T, S) of m under PK = (Y, Q), compute h = H1(m, T), and verify whether e(S, P) = e(Y + h · T, Q) holds or not. If it holds, accept the signature.

We show that the KSS scheme is existentially unforgeable under an adaptive chosen-message attack in the random oracle model.

Theorem 3.1: Suppose that the (t', ε')-CDH assumption holds in G1. Then, the KSS scheme is (t, qS, ε)-euf-cma for all t and ε satisfying ε ≥ 4qS(nm + 1) · ε', and t' = t + O(qS).

Proof: Suppose that A is a forger who breaks the KSS scheme. Algorithm B is given a CDH instance (P, xP, yP) for x, y ∈R Zq. By using A, we will construct an algorithm B that outputs a CDH solution xyP. Algorithm B performs the following simulation by interacting with A.

Setup: Algorithm B sets Y = xP and Q = yP and starts by giving A the system parameters Params and the public key (Y, Q).

H1-Queries: To respond to H1 queries, B maintains a list of tuples (M, T, h), as explained here. We refer to this list as the H1-list. When A queries the oracle H1 at (M, T), B responds as follows.
1) If the query (M, T) already appears on the H1-list in a tuple (M, T, h), then B responds with H1(M, T) = h ∈ Zq.
2) Otherwise, B picks a random h ∈ Zq, adds the tuple (M, T, h) to the H1-list, and responds to A with H1(M, T) = h.

At any time, A can query the signing oracle. To answer these queries, B does the following:

Sign Queries: When A makes a Sign-query on M under the public key, B chooses k, h ∈R Zq, and computes T = h^{-1}(kP − Y), S = kQ. Then, σ = (T, S) is a valid signature on M under (Y, Q) since it satisfies e(Y + h · T, Q) = e(kP, Q) = e(S, P). If the tuple (M, T, h) already appears on the H1-list, B chooses another k, h ∈ Z∗q, and tries again. Then, B responds to A with σ = (T, S) and stores (M, T, h) in the H1-list.

Note that A's view is identical to its view in the real attack.

Output: By the Forking Lemma [20], after replaying A with the same random tape, B obtains two valid signatures σ = (M∗, h, T, S) and σ∗ = (M∗, h∗, T, S∗) within a polynomial time, where

S = (x + hk) · Q, S∗ = (x + h∗k) · Q.

Then, B computes

$$\left(h^{-1} - (h^*)^{-1}\right)^{-1}\left(h^{-1} S - (h^*)^{-1} S^*\right) = x \cdot Q = xyP.$$

Finally, B outputs xyP as a solution to the CDH instance.

C. New IBS Scheme: KIBS

The ID-based infrastructure allows a user's public key to be easily derivable from her known identity information such as an email address [26]. The ID-based infrastructure involves users and a private key generator (PKG) having a master public/secret key pair, and the PKG is responsible for generating private keys for users. Such cryptosystems alleviate the certificate overhead and solve the problems of PKI technology. Now, we propose a new IBS scheme KIBS based on the KSS scheme. We adopt the definition and formal security model of the IBS schemes in [27].

KIBS Scheme:
• Setup. Given a security parameter k ∈ Z+, the algorithm works as follows.
  1) Run the parameter generator G on input k to generate a prime q; two groups G1 and GT of order q; three distinct generators P, Q, and Q' in G1; and a bilinear pairing e : G1 × G1 → GT. Pick a random s ∈ Z∗q, and set PPub = sP.
  2) Choose two cryptographic hash functions H1 : {0, 1}∗ → Zq and H2 : {0, 1}∗ → Zq. The system parameters are Params = ⟨q, G1, GT, e, P, PPub, Q, Q', H1, H2⟩.
• Extract. For a given string ID ∈ {0, 1}∗, the following steps are taken:
  1) Choose k ∈R Z∗q, and compute TID = kP.
  2) Compute h = H1(ID, TID) ∈ Zq and SID = (s + h · k) · Q, and set a private key (TID, SID) corresponding to ID, where s is a master secret.
• IB-Sign. Given a private key (TID, SID) and a message M ∈ {0, 1}∗, two steps occur.
  1) Choose r ∈R Z∗q, and compute U = r · P ∈ G1.
  2) Compute h' = H2(ID, M, TID, U) ∈ Zq and V = h' · SID + r · Q'. Then, τ = (TID, U, V) is a signature on M for ID.
• IB-Vfy. Given a signature τ = (TID, U, V) of M for an identity ID, compute h = H1(ID, TID) and h' = H2(ID, M, TID, U) ∈ Zq, and verify whether

e(V, P) = e(h' · [PPub + h · TID], Q) · e(U, Q')

holds or not. If it holds, accept the signature.

Now, we prove the security of the KIBS scheme in the random oracle model. We deal with H1 and H2 as random oracles. Let an adversary A be a probabilistic polynomial time algorithm whose input is Params = ⟨q, G1, GT, e, P, H1, H2⟩, where q ≥ 2^k. The adversary A can make qH1 queries to the H1 hash, qH2 queries to the H2 hash, qE queries to the Extract, and qIS queries to the IB-Sign.

Theorem 3.2: If the KSS scheme is (t', qS, ε')-euf-cma, the KIBS scheme is (t, qH1, qH2, qE, qIS, ε)-secure against existential forgery under an adaptive chosen-message and an adaptive chosen-ID attack, for any t and ε satisfying ε' ≈ ε and t' = t + O(qS).

Proof: Suppose that A is a forger who breaks the KIBS scheme. A public key PK = (Y, Q) is given for x ∈R Z∗q, where Y = xP. By using the forgery algorithm A, we will construct an algorithm B that outputs a forgery of the KSS scheme. Algorithm B performs the following simulation by interacting with A.

Setup: Algorithm B sets PPub = Y = xP, chooses μ ∈R Z∗q, computes Q' = μP ∈ G1, and starts by giving A system parameters Params, including ⟨P, PPub, Q, Q'⟩.

At any time, A can query the random oracles H1 and H2 and the Extract and IB-Sign oracles. To answer these queries, B does the following:

H1 and H2 Queries: To respond to H1 queries (H2 queries), B maintains a list of tuples (ID, T, h) ((ID, M, T, U, h')), as explained here. We refer to this list as the H1-list (H2-list). When A queries the oracle H1 (H2) at (ID, T) ((ID, M, T, U)), B responds as follows.
1) If the query (ID, T) ((ID, M, T, U)) already appears on the H1-list (H2-list) in a tuple (ID, T, h) ((ID, M, T, U, h')), then B responds with H1(ID, T) = h ∈ Zq (H2(ID, M, T, U) = h').
2) Otherwise, B picks a random h ∈ Zq (h' ∈ Zq), adds the tuple (ID, T, h) ((ID, M, T, U, h')) to the H1-list (H2-list), and responds to A with H1(ID, T) = h (H2(ID, M, T, U) = h').

Extract Queries: When A queries a private key corresponding to IDi, B requests a signature Si ← Sign(x, IDi) on IDi under (Y, Q) from the signing oracle of the KSS scheme. Then, B responds to A with Si and stores (IDi, Si) in the Ext-list.

IB-Sign Queries: When A makes an IB-Sign-query on M for IDi, B finds the corresponding pair (IDi, Si) from the Ext-list.
• If (IDi, Si) already appears on the Ext-list, then B can compute a signature σi by performing the signing algorithm.
• Otherwise, B requests an Extract-query to obtain the corresponding private key Si. Then, B computes a signature σi on M for IDi using Si, responds to A with σi, and stores (IDi, Si) in the Ext-list.

Note that A's view is identical to its view in the real attack.

Output: Eventually, A outputs a forgery τ∗ = (T∗, U∗, V∗) on m∗ for ID∗ such that ID∗ has never been queried to the private key extraction oracle and the pair (m∗, ID∗) has never been queried to the IB-Sign oracle, where T∗ = kP, U∗ = rP, V∗ = h' SID∗ + r · Q'. Algorithm B computes (h')^{-1}(V∗ − μU∗) = SID∗. Then, (T∗, SID∗) is a valid signature on ID∗ under PK of the KSS scheme. Finally, B outputs (T∗, SID∗) as a forgery of the KSS scheme.

IV. CPAS: A CONDITIONAL PRIVACY-PRESERVING AUTHENTICATION SCHEME FOR SECURE VEHICLE-TO-INFRASTRUCTURE COMMUNICATIONS

Here, we propose a secure conditional privacy-preserving authentication scheme CPAS based on the KIBS scheme for secure V-to-I communications.

A. System Model and Security Requirements

The system consists of four network entities, i.e., two TAs, a trace authority (TRA) and a PKG, immobile RSUs at the roadside, and mobile OBUs equipped on the vehicles. The TRA, who is in charge of the registration of RSUs and OBUs, can reveal the actual identity behind a signed message from an OBU. The PKG is responsible for generating and assigning private keys for OBUs and RSUs. We assume the following: 1) The TRA and PKG are always trusted and can never be compromised. Of course, we assume that the two TAs do not collude. They are also powered with sufficient computation and storage capability. The OBUs have limited computational power, whereas the RSUs have greater computation power than the OBUs. 2) Each vehicle has a reliable positioning system [e.g., global positioning system (GPS)] and can get accurate time information. Based on this system, vehicles compare the physical location of the message sender with the location information in the RSU's identity string. 3) Each vehicle is equipped with a tamper-proof device, which prevents an adversary from extracting any data stored in the device, including the private key, the data, and the code [10], [22]. Vehicles will also store their own private keys corresponding to the pseudo-IDs in the device, which is responsible for signing outgoing messages. The device should have its own battery (which can be recharged from the vehicle) and clock (which can be securely resynchronized while passing by a trusted roadside base station). The cryptographic keys of the vehicle can be renewed during periodic technical checkups. These features are currently available on several commercial products [32].

We introduce a two-layer vehicular network model, as presented in [34]. The lower layer is composed of OBUs and RSUs. According to [4], the medium used for communications between OBUs and RSUs is 5.9-GHz DSRC, identified as IEEE 802.11p. Each vehicle has its own real identity, pseudo-ID, and a private key, with which all messages are signed and then sent to a nearby RSU. Each RSU that receives traffic-related information is responsible for verifying the digital signatures of the messages. In general, the top layer is composed of application servers (such as a traffic control analysis center) and TAs. The RSUs communicate with an application server and the TAs using a secure transmission protocol, such as the wired Transport Layer Security protocol. The RSUs are responsible for forwarding the valid messages received from OBUs to the application server. The application server is in charge of making further analysis and/or giving feedback to the RSUs after collecting traffic-related information such as the current time, location, instances of traffic accidents, the traffic distribution, and the road weather information [23] from the RSUs. As the secure vehicular communications are mainly meant for civilian applications, in most highway scenarios, RSUs are assumed to connect with the TAs by wired links or via any other link utilizing high bandwidth, low delay, and low bit error rates. RSUs also communicate with each other either via the TAs or through a secure and reliable peer-to-peer channel.

We aim to design a scheme that satisfies the following security requirements: 1) Authentication and message integrity: Messages from vehicles have to be authenticated to confirm that they were indeed sent by legitimate entities for the RSUs without being modified or forged. 2) Identity privacy preservation: The real identity of a vehicle should be kept anonymous with regard to other vehicles, and a third party should not be able to reveal a vehicle's real identity by analyzing multiple messages sent by it. 3) Traceability: Although a vehicle's real identity should be hidden from other vehicles, if necessary, the TRA should have the ability to obtain a vehicle's real identity. The TRA should have the ability to retrieve a vehicle's real identity from its pseudo-ID when the signature is in dispute or when the content of a message is not genuine.

B. Our Construction: CPAS

Our conditional privacy-preserving authentication scheme CPAS consists of four phases, i.e., System Parameters Setup, Pseudo-Identity Generation/Private Key Extraction, Message Signing, and Batch Verification of Traffic Information Messages. In the System Parameters Setup, the TAs generate the system parameters. In the Pseudo-Identity Generation/Private Key Extraction phase, the TRA generates pseudo-IDs for vehicles after verifying their real identities, and the PKG then computes private keys corresponding to the pseudo-IDs. Unlike sensors and some mobile nodes, storage is not a stringent requirement for vehicles, rendering the preloading of a large pool of pseudo-IDs feasible. Raya and Hubaux [22] quantitatively studied the storage space requirement for preloading anonymous keys (pseudonyms) and associated certificates. Their results were obtained based on quantifying the upper and lower bounds of the pseudonym change interval to maintain a satisfactory degree of privacy. We use this preloading method based on our IBS scheme, in which a pool of pseudo-IDs with short expiration
times/private keys is loaded into the vehicle by the TAs at the Pseudo-Identity Generation/Private Key Extraction phase. When the network is accessible and less busy at some time close to an update, the pseudo-ID pool will be replenished via a secure channel between the vehicle and TAs after proper authentication. Through these two phases for initialization, all vehicles are registered with the TAs and preloaded with system parameters and their own pseudo-IDs and private keys. In the Message Signing and Batch Verification of Traffic Information Messages phases, each vehicle sends signed messages to a nearby RSU, and the RSU verifies multiple signatures from the vehicles. The notations throughout this paper are listed in Table I.

CPAS Scheme:

[System parameters setup]: Prior to the deployment of the network, the TRA and the PKG generate the system parameters as follows.
1) Given a security parameter k ∈ Z+, the TAs generate a prime q; two groups G1 and GT of order q; three distinct generators P, Q, and Q' in G1; and a bilinear pairing e : G1 × G1 → GT. The PKG picks a random s ∈ Z∗q and sets PPub = sP, where s is a master secret for private key extraction, which is known to only the PKG.
2) The TRA chooses a random α ∈ Z∗q and sets TPub = αP, where α is a master secret for traceability, which is known to only the TRA.
3) They choose two cryptographic hash functions H1 : {0, 1}∗ → Zq and H2 : {0, 1}∗ → Zq. Then, the system parameters are Params = ⟨q, G1, GT, e, P, TPub, PPub, Q, Q', H1, H2⟩.

The tamper-proof devices of all vehicles are preloaded with these public system parameters Params.

[Pseudo-identity generation/private key extraction]: Conditional privacy-preserving authentication in our scheme can be achieved by using pseudo-IDs that are intimately linked to real identities. In this phase, a vehicle sends information containing its real identity RID to the TRA, where the real identity uniquely identifies the vehicle, such as its license plate number. Pseudo-IDs from real identities are generated by the method used in [34].
1) A vehicle Vi computes PIDi,1 = kiP for ki ∈ Z∗q and sends (RIDi, PIDi,1) to the TRA in a secure way, where the RIDi uniquely identifies the vehicle Vi.
2) After confirming RIDi, the TRA computes

Pseudo-IDs for privacy preservation are generated as a combination of some contribution of the TRA and some user-chosen secret. Accordingly, only the TRA, who knows the master secret α, can recover the real identity RIDi from PIDi. The pseudo-IDs/private keys are then stored in the tamper-proof device of the vehicle.

[Message signing]: To ensure message integrity and authentication, each message sent by a vehicle should be signed and verified when it is received. A vehicle Vi randomly selects a pseudo-ID PIDi from its storage and chooses a current timestamp tti, where tti provides freshness of a signed message against replay attacks. The vehicle Vi, with the private key SKi = (Ti, Si), signs a traffic-related message Mi.

Vehicle to RSU:
1) Choose ri ∈R Z∗q, and compute Ui = ri · P ∈ G1.
2) Compute hi' = H2(PIDi, Mi, tti, Ti, Ui) ∈ Zq and Vi = hi' · Si + ri · Q'. Then, τi = (Ti, Ui, Vi) is a signature on ⟨Mi, tti⟩ for PIDi.
3) Subsequently, Vi sends the final message ⟨PIDi, Mi, tti, τi⟩ to a nearby RSU. These steps are repeated every 100–300 ms according to the DSRC.

[Batch verification of traffic information messages]: Once an RSU receives a traffic-related message signed by a vehicle, the RSU has to verify the signature of the message to ensure that the corresponding vehicle is not attempting to impersonate any other legitimate vehicle or disseminate false messages. Given n distinct message-signature tuples ⟨PID1, M1, tt1, τ1⟩, . . . , ⟨PIDn, Mn, ttn, τn⟩, which are signed by n distinct vehicles V1, . . . , Vn, respectively, where τi = (Ti, Ui, Vi), if tti (i = 1, . . . , n) is in a valid time interval and ETi (i = 1, . . . , n) in PIDi is valid, then the RSU performs the following procedures.
1) Compute hi = H1(PIDi, Ti) and hi' = H2(PIDi, Mi, tti, Ti, Ui) ∈ Zq for i = 1, . . . , n.
2) Verify whether

$$e\left(\sum_{i=1}^{n} V_i,\ P\right) = e\left(\sum_{i=1}^{n} h_i' \cdot P_{\mathrm{Pub}} + \sum_{i=1}^{n} h_i' h_i T_i,\ Q\right) \cdot e\left(\sum_{i=1}^{n} U_i,\ Q'\right)$$

holds or not. If it holds, accept the signatures.

Efficiency: From the aforementioned batch verification
P IDi,2 = RIDi ⊕ H(αP IDi,1 , P IDi,1 , ETi , TPub ) equation, the computation cost for an RSU to verify n sig-
natures dominantly comprises (n + 1) scalar multiplications
where ETi defines the valid period of this pseudo-ID, in G1 and three pairing computations. Thus, compared with
P IDi , and α is the master secret of the TRA. Then, a previous schemes that use IBS schemes with batch verification,
pseudo-ID P IDi = (P IDi,1 , P IDi,2 , ETi ) is delivered the time for an RSU to verify a large number of signatures sent
to the PKG via a secure way. by surrounding vehicles can be considerably reduced. Thus, it
3) For a given pseudo-ID P IDi , the PKG chooses a reduces the message loss ratio caused by the potential signature
random number ti ∈ Z∗q and computes Ti = ti P , hi = verification bottleneck at the RSU.
H1 (P IDi , Ti ) ∈ Zq , and Si = (s + hi · ti ) · Q. Then, Unlike vehicle-to-RSU communication, in RSU-to-vehicle
the PKG sets the private key as SKi = (Ti , Si ), where communication, the messages sent by RSUs are not subject
s is the master secret of the PKG. to privacy requirements. Therefore, we directly use our IBS
4) They send pseudo-IDs/private keys P IDi /SKi
to the scheme to sign the messages launched from RSUs for RSU
vehicle via a secure channel. authentication and message integrity. The CPAS scheme for
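The signing and batch-verification steps above, as an added worked example that is not part of the paper. Assumptions: the pairing setting is replaced by a toy model in which $G_1$ is $\mathbb{Z}_q$ written additively with $P = 1$ and the bilinear map is $e(X, Y) = xy \bmod q$ with $G_T$ also written additively, so every discrete logarithm is trivial and the code provides no security at all; it only exercises the exact algebra of the verification equation, its all-or-nothing behaviour, and how an RSU can locate a bad signature by recursive halving. $H_1$ and $H_2$ are modelled with SHA-256, and the pseudo-ID labels, messages, timestamps and the in-transit tampering are constructed for the demo. The same `batch_verify` also handles $l$ signatures from one signer that share a single $T$, which is the RSU-to-vehicle case.

```python
"""Toy model of CPAS signing and batch verification (added example, not the paper's code)."""
import hashlib
import secrets

# Toy bilinear setting (assumption). G1 is Z_q written additively with P = 1, so each element
# equals its own discrete log and nothing here is secure; G_T is written additively as well and
# e(X, Y) = x*y mod q is bilinear and symmetric. This is enough to run the paper's verification
# equation term by term.
Q_ORD = 2**127 - 1          # prime group order q (a Mersenne prime)
P, Q, Q_PRIME = 1, 7, 11    # three distinct generators P, Q, Q' (any nonzero residue generates Z_q)

def pairing(x, y):
    """e : G1 x G1 -> G_T with e(aP, bP) = ab, G_T in additive notation."""
    return x * y % Q_ORD

def hash_to_zq(tag, *parts):
    """H1 / H2 : {0,1}* -> Z_q, domain separated by tag and modelled with SHA-256."""
    data = tag.encode() + b"".join(b"|" + str(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q_ORD

def rand_zq_star():
    return secrets.randbelow(Q_ORD - 1) + 1

def pkg_setup():
    """PKG master secret s and P_Pub = sP."""
    s = rand_zq_star()
    return s, s * P % Q_ORD

def pkg_extract(s, identity):
    """Private key (T, S) for a pseudo-ID PID_i or an RSU identity ID_R: T = tP, S = (s + h t) Q."""
    t = rand_zq_star()
    T = t * P % Q_ORD
    h = hash_to_zq("H1", identity, T)
    return T, (s + h * t) * Q % Q_ORD

def sign(identity, sk, msg, tt):
    """tau = (T, U, V) with U = rP, h' = H2(ID, M, tt, T, U) and V = h' S + r Q'."""
    T, S = sk
    r = rand_zq_star()
    U = r * P % Q_ORD
    h2 = hash_to_zq("H2", identity, msg, tt, T, U)
    return T, U, (h2 * S + r * Q_PRIME) % Q_ORD

def batch_verify(p_pub, tuples):
    """e(sum V_i, P) == e(sum h'_i P_Pub + sum h'_i h_i T_i, Q) * e(sum U_i, Q') over tuples
    (ID, M, tt, tau). One tuple is individual verification; l tuples sharing one T is the
    RSU-to-vehicle batch. Timestamp and ET freshness are assumed to be checked beforehand."""
    sum_v = sum_u = acc = 0
    for identity, msg, tt, (T, U, V) in tuples:
        h = hash_to_zq("H1", identity, T)
        h2 = hash_to_zq("H2", identity, msg, tt, T, U)
        sum_v = (sum_v + V) % Q_ORD
        sum_u = (sum_u + U) % Q_ORD
        acc = (acc + h2 * p_pub + h2 * h * T) % Q_ORD         # the (n + 1) scalar multiplications
    lhs = pairing(sum_v, P)
    rhs = (pairing(acc, Q) + pairing(sum_u, Q_PRIME)) % Q_ORD  # product in G_T, additive here
    return lhs == rhs

def find_invalid(p_pub, tuples):
    """A failed batch says nothing about which signature is bad. Recursive halving isolates the
    k bad ones with O(k log n) batch checks instead of n individual verifications."""
    def rec(lo, hi):
        if batch_verify(p_pub, tuples[lo:hi]):
            return []
        if hi - lo == 1:
            return [lo]
        mid = (lo + hi) // 2
        return rec(lo, mid) + rec(mid, hi)
    return rec(0, len(tuples))

def demo():
    """Eight vehicles sign, the RSU batch-verifies, then one message is altered in transit."""
    s, p_pub = pkg_setup()
    batch = []
    for i in range(8):
        pid = f"PID-{i}"                                    # constructed pseudo-ID label
        sk = pkg_extract(s, pid)
        msg, tt = f"speed=52;lane={i % 3}", 1_700_000_000 + i
        batch.append((pid, msg, tt, sign(pid, sk, msg, tt)))
    ok_before = batch_verify(p_pub, batch)
    pid, msg, tt, tau = batch[5]
    batch[5] = (pid, msg.replace("52", "120"), tt, tau)    # constructed tampering, no key involved
    return ok_before, batch_verify(p_pub, batch), find_invalid(p_pub, batch)
```

`demo()` returns `(True, False, [5])`: the honest batch passes, the altered message makes the whole batch fail, and halving pins the failure on tuple 5 with four batch checks rather than eight individual ones.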
1880 IEEE TRANSACTIONS ON VEHICULAR TECHNOLOGY, VOL. 61, NO. 4, MAY 2012
TABLE I
NOTATIONS
The CPAS scheme for RSU to vehicle is the same as that for vehicle to RSU, except that the pseudo-identity generation part is removed.
CPAS Scheme: RSU to Vehicle:
[Private key extraction]: For a given string $ID_R \in \{0,1\}^*$, which is an RSU's identity information, the PKG generates a private key as follows.
1) Choose a random number $k \in \mathbb{Z}_q^*$ and compute $T_R = kP$.
2) Compute $h_R = H_1(ID_R, T_R) \in \mathbb{Z}_q$ and $S_R = (s + h_R \cdot k) \cdot Q$, and set the private key as $SK_R = (T_R, S_R)$, where $s$ is the master secret of the PKG.
The PKG sends the private key to the RSU via a secure channel. The private key $SK_R = (T_R, S_R)$ corresponding to the identity $ID_R$ is then stored in the RSU. The format of the RSU's identity follows that in [14] (see Table II).
[RSU message signing]: When an RSU broadcasts a traffic-related message to vehicles, the RSU with the private key $(T_R, S_R)$ chooses the current timestamp $tt_i$ and signs the traffic-related message $M_i$ as follows.
1) Choose $r_i \in_R \mathbb{Z}_q^*$ and compute $U_i^R = r_i \cdot P \in G_1$.
2) Compute $h'_i = H_2(ID_R, M_i, T_R, tt_i, U_i^R) \in \mathbb{Z}_q$ and $V_i^R = h'_i \cdot S_R + r_i \cdot Q'$. Then, $\tau_i^R = (T_R, U_i^R, V_i^R)$ is a signature on $M_i \| tt_i$ for $ID_R$.
3) Subsequently, the RSU sends the final message $\langle ID_R, M_i, tt_i, \tau_i^R \rangle$ to the vehicles.
[Verification of traffic information messages]: The RSU's identifier string carries the RSU's location information, and a vehicle receiving a signed message from an RSU must use it to prevent an attacker from taking the device off one RSU and installing it elsewhere. The receiver checks that the location information in the received identifier string $ID_R$ is consistent with the location at which the message was received; if it is not, the message is ignored. Otherwise, given a signature $\tau_i^R = (T_R, U_i^R, V_i^R)$ on $M_i \| tt_i$, the vehicle computes $h_R = H_1(ID_R, T_R)$ and $h'_i = H_2(ID_R, M_i, T_R, tt_i, U_i^R)$ and verifies whether
$$e(V_i^R, P) = e(h'_i \cdot P_{Pub} + h'_i h_R T_R,\ Q) \cdot e(U_i^R, Q')$$
holds or not. If it holds, accept the signature. If multiple signed messages from the same RSU are received in a time interval, i.e., $l$ distinct message-signature tuples $\langle ID_R, M_1, tt_1, \tau_1^R \rangle, \ldots, \langle ID_R, M_l, tt_l, \tau_l^R \rangle$ signed by the same RSU, where $\tau_i^R = (T_R, U_i^R, V_i^R)$, the vehicle performs the following.
1) Compute $h_R = H_1(ID_R, T_R)$ and $h'_i = H_2(ID_R, M_i, T_R, tt_i, U_i^R) \in \mathbb{Z}_q$ for $i = 1, \ldots, l$.
2) Verify whether
$$e\Big(\sum_{i=1}^{l} V_i^R,\ P\Big) = e\Big(\sum_{i=1}^{l} h'_i \cdot P_{Pub} + \sum_{i=1}^{l} h'_i h_R T_R,\ Q\Big) \cdot e\Big(\sum_{i=1}^{l} U_i^R,\ Q'\Big)$$
holds or not. If it holds, accept the signatures. The equation follows from $V_i^R = h'_i (s + h_R k) Q + r_i Q'$ and the bilinearity of $e$: each $e(V_i^R, P)$ equals $e(h'_i P_{Pub}, Q) \cdot e(h'_i h_R T_R, Q) \cdot e(U_i^R, Q')$, and since all $l$ signatures share $T_R$, the second sum is simply $(\sum_i h'_i)\, h_R T_R$.
In this case, batch verification of $l$ signatures from the same RSU requires mainly three pairing computations and two scalar multiplications in $G_1$, namely $(\sum_i h'_i) P_{Pub}$ and $(\sum_i h'_i) h_R T_R$. Thus, the time required for a vehicle to verify multiple signatures sent by the same RSU is sharply reduced, compared with that needed for sequential verification of $l$ individual signatures.
SHIM: CPAS: CONDITIONAL PRIVACY-PRESERVING AUTHENTICATION SCHEME FOR VSNs 1881
TABLE III
COMPUTATIONAL COMPLEXITY OF THE IBS SCHEMES IN THE NUMBER n OF SIGNATURES

C. Security Analysis
Source Authentication and Message Integrity: In Section III-C, we prove that the KIBS scheme is secure against existential forgery under an adaptive chosen-message and adaptive chosen-ID attack in the random oracle model under the CDH assumption. The security of our pseudo-IBS scheme is reduced to that of the KIBS scheme. Thus, pseudo-ID authentication, message integrity, and nonrepudiation are achieved.
Identity Privacy-Preserving: In our scheme, a user's pseudo-ID is a combination of the TRA's master secret key $\alpha$ and a user-chosen secret $k_i$, such that only one who knows $k_i$ or $\alpha$ can compute $\alpha PID_{i,1}$. In other words, its security depends on the intractability of the CDH problem, i.e., given $PID_{i,1} = k_i P$ and $T_{Pub} = \alpha P$, compute $\alpha PID_{i,1} = \alpha k_i P$. Therefore, our scheme does not leak any information related to real identities.
Traceability: Given a pseudo-ID $PID_i = (PID_{i,1}, PID_{i,2}, ET_i)$ in a signed message, the TRA with the master secret $\alpha$ for traceability can trace the real identity of the vehicle by computing
$$RID_i = PID_{i,2} \oplus H(\alpha PID_{i,1}, PID_{i,1}, ET_i, T_{Pub}).$$
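The pseudo-ID issuance (steps 1 and 2 of the pseudo-identity generation phase) and the trace computation above, as an added worked example that is not part of the paper. Assumptions: secp256k1 stands in for $G_1$ (this mechanism only needs a group in which CDH is hard, not a pairing), $H$ is modelled with SHA-256, real identities are padded to 32 bytes, and $ET_i$ is a 4-byte expiry. The block also includes the compressed point encoding used in the communication-overhead analysis (the sender transmits only the $x$-coordinate plus one bit, and the receiver recovers $y$ by a square root), together with the on-curve check a receiver must perform before using a decompressed point. The RID and timestamps are constructed for the demo.

```python
"""Pseudo-ID issuance, traceability, and compressed point transport (added example)."""
import hashlib
import secrets

# secp256k1 stands in for G1 (assumption): the pseudo-ID mechanism only needs a group in which
# CDH is hard, not a pairing, and p = 3 (mod 4) makes the square root one exponentiation, which
# is what lets a receiver rebuild y from a transmitted x. Field elements are 256 bits here
# rather than the paper's 159, so byte counts differ from the paper's overhead figures.
FIELD = 2**256 - 2**32 - 977
ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
GEN = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
       0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
RID_LEN = 32  # real identities are padded to 32 bytes (assumption) so they XOR with a SHA-256 digest

def ec_add(A, B):
    """Affine addition on y^2 = x^3 + 7 over F_p; None is the point at infinity."""
    if A is None:
        return B
    if B is None:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % FIELD == 0:
        return None
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, FIELD) % FIELD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, FIELD) % FIELD
    x3 = (lam * lam - x1 - x2) % FIELD
    return x3, (lam * (x1 - x3) - y1) % FIELD

def ec_mul(k, A):
    """Double-and-add k*A (not constant time; demonstration only)."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, A)
        A = ec_add(A, A)
        k >>= 1
    return R

def compress(A):
    """Transmit x plus one parity bit of y (SEC1 prefix 0x02/0x03): 33 bytes instead of 65."""
    return bytes([2 + (A[1] & 1)]) + A[0].to_bytes(32, "big")

def decompress(data):
    """Rebuild (x, y) from x and the parity bit. Returns None when no curve point has that x;
    a verifier must treat that as a rejection rather than continue with an off-curve value."""
    if len(data) != 33 or data[0] not in (2, 3):
        return None
    x = int.from_bytes(data[1:], "big")
    if x >= FIELD:
        return None
    rhs = (pow(x, 3, FIELD) + 7) % FIELD
    y = pow(rhs, (FIELD + 1) // 4, FIELD)  # square root when p = 3 (mod 4)
    if y * y % FIELD != rhs:
        return None
    return x, (y if (y & 1) == (data[0] & 1) else FIELD - y)

def mask(shared, pid1, et, t_pub):
    """H(alpha*PID_{i,1}, PID_{i,1}, ET_i, T_Pub), modelled with SHA-256 over compressed points."""
    return hashlib.sha256(compress(shared) + compress(pid1) + et.to_bytes(4, "big") + compress(t_pub)).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def tra_setup():
    """TRA master secret alpha and T_Pub = alpha*P."""
    alpha = secrets.randbelow(ORDER - 1) + 1
    return alpha, ec_mul(alpha, GEN)

def vehicle_request():
    """Step 1: the vehicle picks k_i and sends PID_{i,1} = k_i*P (with RID_i) over a secure channel."""
    k = secrets.randbelow(ORDER - 1) + 1
    return k, ec_mul(k, GEN)

def tra_issue(alpha, t_pub, rid, pid1, et):
    """Step 2: PID_{i,2} = RID_i xor H(alpha*PID_{i,1}, PID_{i,1}, ET_i, T_Pub)."""
    pid2 = xor(rid.ljust(RID_LEN, b"\x00"), mask(ec_mul(alpha, pid1), pid1, et, t_pub))
    return pid1, pid2, et

def tra_trace(alpha, t_pub, pid):
    """Traceability: with alpha, the TRA recomputes alpha*PID_{i,1} and strips the mask."""
    pid1, pid2, et = pid
    return xor(pid2, mask(ec_mul(alpha, pid1), pid1, et, t_pub)).rstrip(b"\x00")

def vehicle_recover(k, t_pub, pid):
    """The vehicle can do the same with k_i, because k_i*T_Pub = alpha*k_i*P = alpha*PID_{i,1}."""
    pid1, pid2, et = pid
    return xor(pid2, mask(ec_mul(k, t_pub), pid1, et, t_pub)).rstrip(b"\x00")

def pid_is_valid(pid, now):
    """RSU-side check before any (batch) verification: reject a pseudo-ID whose ET_i has passed."""
    return now <= pid[2]
```

Two pseudo-IDs issued to the same vehicle share nothing an outsider can correlate (fresh $k_i$ gives fresh $PID_{i,1}$ and a fresh mask), yet both trace back to the same $RID_i$ under $\alpha$; altering $ET_i$ on the wire changes the mask input, so a tampered pseudo-ID no longer traces to a meaningful identity.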
TABLE IV
FORMAT OF THE SIGNED MESSAGE
TABLE V
FORMAT OF THE SIGNED MESSAGE FOR OBUs (RSUs)
communicate with the RSU. We also assume that the communication coverage of an RSU is 1 km² and that each vehicle periodically broadcasts a traffic-related message every 300 ms. The traffic density is taken as the number of vehicles within an RSU's radio range; in Fig. 1, the traffic density therefore equals the number of signatures. The figure illustrates the performance results (in milliseconds) of the two schemes on a 3.07-GHz Intel i7 central processing unit. We used the MIRACL cryptographic library [16], choosing the Tate pairing on a 159-bit subgroup of an MNT curve with embedding degree 6 at the 80-bit security level. The most time-consuming operation in our scheme is the scalar multiplication: the computational cost of our scheme is dominated by the number of scalar multiplications. The state-of-the-art timing of a scalar multiplication is 0.39 ms; it is known that a scalar multiplication on an MNT curve with embedding degree 6 is the fastest at the 80-bit security level. On this curve, a MapToPoint function takes 0.09 ms, whereas the time for a SHA-1 hash is negligible. As shown in Fig. 1, the time for simultaneously verifying 2000 signatures in our scheme is reduced by 18% compared with the Zhang et al. scheme. If each vehicle periodically broadcasts a traffic-related message every 300 ms, i.e., its time gap is less than 300 ms, then the time for verifying the signatures gathered in a time interval must be less than 300 ms. Fig. 1 shows that, in our scheme, the time for verifying 750 signatures gathered in a time interval is less than 300 ms. In addition, an RSU in our scheme can simultaneously verify 2540 signed messages/s.
Communication overhead: We analyze the communication overhead of our scheme. The current IEEE Trial-Use standard for VANET security provides detailed documentation, including the choice of cryptosystems in the PKI. To authenticate a message sender and guarantee message integrity, OBUs or RSUs sign messages with their private keys before the messages are sent. Table IV shows the format of a signed message, where a 125-B certificate and a 56-B ECDSA signature [11] have to be attached to each 69-B intervehicle communication message. Obviously, the cryptographic overhead (the certificate and the signature) takes up a significant portion of the total packet size (250 B). In our scheme, which is based on the ID-based infrastructure, the total packet size is reduced to 209 B. We follow the format of safety messages between OBUs and RSUs in [14]. The first four parts in Table V are signed by the OBU, which yields the "Signature" part. To reduce the signature length, it is suitable to use a 159-bit subgroup of the MNT curve with embedding degree 6. When one sends a point $Q = (x, y)$ of the curve, it sends only the $x$-coordinate of $Q$ together with one bit selecting the sign of $y$, and the verifier obtains the $y$-coordinate by computing a square root, which reduces the communication overhead; a verifier should reject any received $x$ for which no such square root exists, since it corresponds to no point on the curve. The total signature size is then $159 + 159 + 159 + 3 = 480$ bits, as each element of $G_1$ is 159 bits and the three signature points need one sign bit each. The total pseudo-ID size is $159 + 159 + 2 + 4 = 324$ bits, where $ET_i$ is taken as 4 B. The CPAS scheme for RSU to vehicle uses a real identity instead of a pseudo-ID, so that 10 B are enough to represent the real identity information. The total packet length from vehicle to RSU (RSU to vehicle) in our scheme is 209 (178) B. If we take 1, 1, and 67 B for Type ID, Message ID, and Payload (Message) as in Table V, then the total packet length is 174 (143) B.

V. CONCLUSION
We have proposed a secure conditional privacy-preserving authentication scheme, called CPAS, using a new IBS scheme with the fastest batch verification process for secure V-to-I communications in VANETs. The scheme achieves conditional privacy preservation, in which each message launched by a vehicle is mapped to a distinct pseudo-ID and a TRA can always retrieve the real identity of a vehicle from any pseudo-ID. In the CPAS scheme, an RSU can simultaneously verify multiple received signatures, so that the total verification time is considerably reduced. The time for simultaneously verifying 800 signatures in our scheme is reduced by 18% compared with Zhang et al.'s scheme. To the best of our knowledge, CPAS is the fastest conditional privacy-preserving authentication scheme for secure V-to-I communications. However, our pseudo-IBS scheme designed for efficient batch verification is more suitable for V-to-I communications than for V-to-V communications. The basic IBS scheme requires three pairing computations to verify a signature; therefore, verifying a number of signatures transmitted sequentially from multiple vehicles causes a processing bottleneck at each vehicle with limited computational power. A pairing-free pseudo-IBS scheme is therefore better suited to such an environment. In future work, we will extend our scheme to V-to-V communication and conduct further performance evaluation of message end-to-end delay and message loss ratio in V-to-V communication, as well as an evaluation of CPAS on a large-scale VANET testbed with varying vehicle mobility models.

REFERENCES
[1] R. Anderson and M. G. Kuhn, "Tamper resistance—A cautionary note," in Proc. USENIX Workshop Electron. Commerce, 1996, pp. 1–11.
[2] D. Boneh and M. Franklin, "Identity-based encryption from the Weil pairing," in Advances in Cryptology-Crypto. New York: Springer-Verlag, 2001, pp. 213–229.
[3] D. Boneh, B. Lynn, and H. Shacham, "Short signatures from the Weil pairing," in Advances in Cryptology-Asiacrypt. New York: Springer-Verlag, 2002, pp. 514–532.
[4] Dedicated Short Range Communications (DSRC). [Online]. Available: http://www.standards.its.dot.gov/Documents/advisories/dsrc_advisory.htm
[5] J. R. Douceur, "The sybil attack," in Proc. IPTPS, Mar. 2002, pp. 251–260.
[6] C. Gamage, B. Gras, B. Crispo, and A. S. Tanenbaum, "An identity-based ring signature scheme with enhanced privacy," in Proc. SecureComm, 2006, pp. 1–5.
[7] P. Gemmell, "An introduction to threshold cryptography," CryptoBytes, A Techn. Newsl. RSA Lab., vol. 2, no. 3, pp. 7–12, 1997.
[8] R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin, "Secure distributed key generation for discrete-log based cryptosystems," in Advances in Cryptology-Eurocrypt. New York: Springer-Verlag, 1999, pp. 295–310.
[9] S. Goldwasser, S. Micali, and R. L. Rivest, "Digital signature scheme secure against adaptive chosen-message attacks," SIAM J. Comput., vol. 17, no. 2, pp. 281–308, Apr. 1988.
[10] J. P. Hubaux, S. Capkun, and J. Luo, "The security and privacy of smart vehicles," IEEE Security Privacy, vol. 2, no. 3, pp. 49–55, May/Jun. 2004.
[11] IEEE Trial-Use Standard for Wireless Access in Vehicular Environments—Security Services for Applications and Management Messages, IEEE Std. 1609.2, Jul. 2006.
[12] U. Lee, E. Magistretti, B. Zhou, M. Gerla, P. Bellavista, and A. Corradi, "Mobeyes: Smart mobs for urban monitoring with a vehicular sensor network," IEEE Wireless Commun., vol. 13, no. 5, pp. 52–57, Oct. 2006.
[13] X. Lin, R. Lu, C. Zhang, H. Zhu, P.-H. Ho, and X. Shen, "Security in vehicular ad hoc networks," IEEE Commun. Mag., vol. 46, no. 4, pp. 88–95, Apr. 2008.
[14] X. Lin, X. Sun, P. H. Ho, and X. Shen, "GSIS: A secure and privacy-preserving protocol for vehicular communications," IEEE Trans. Veh. Technol., vol. 56, no. 6, pp. 3442–3456, Nov. 2007.
[15] R. Lu, X. Lin, H. Zhu, P.-H. Ho, and X. Shen, "ECPP: Efficient conditional privacy-preservation protocol for secure vehicular communications," in Proc. IEEE Conf. Comput. Commun., Apr. 2008, pp. 1229–1237.
[16] MIRACL Cryptographic Library: Multiprecision Integer and Rational Arithmetic C/C++ Library. [Online]. Available: http://indigo.ie/~mscott/
[17] J. A. Misener, "Vehicle-infrastructure integration (VII) and safety: Rubber and radio meets the road in California," Intellimotion, vol. 11, no. 2, pp. 1–3, 2005.
[18] Nat. Inst. Stand. Technol., Secure Hash Standard, Federal Information Processing Standard FIPS-180-1, Apr. 1995.
[19] Nat. Inst. Stand. Technol., Secure Hash Standard, Federal Information Processing Standard FIPS-180-1, Aug. 2002.
[20] D. Pointcheval and J. Stern, "Security arguments for digital signatures and blind signatures," J. Cryptol., vol. 13, no. 3, pp. 361–396, 2000.
[21] S. Ravi, A. Raghunathan, and S. Chakradhar, "Tamper resistance mechanisms for secure embedded systems," in Proc. Int. Conf. VLSID, 2006, pp. 605–611.
[22] M. Raya and J. P. Hubaux, "Securing vehicular ad hoc networks," J. Comput. Security—Special Issue Security Ad Hoc Sensor Netw., vol. 15, no. 1, pp. 39–68, Jan. 2007.
[23] Road Weather Management. [Online]. Available: http://ops.fhwa.dot.gov/weather/
[24] K. Sampigethaya, L. Huang, M. Li, R. Poovendran, K. Matsuura, and K. Sezaki, "Caravan, Providing location privacy for vanet," in Proc. ESCAR, 2005, pp. 1–15.
[25] A. Shamir, "How to share a secret," Commun. ACM, vol. 22, no. 11, pp. 612–613, Nov. 1979.
[26] A. Shamir, "Identity-based cryptosystems and signature schemes," in Advances in Cryptology-Crypto. New York: Springer-Verlag, 1984, pp. 47–53.
[27] K. A. Shim, "An ID-based aggregate signature scheme with constant pairing computations," J. Syst. Softw., vol. 83, no. 10, pp. 1873–1880, Oct. 2010.
[28] A. Studer, E. Shi, F. Bai, and A. Perrig, "TACKing together efficient authentication, revocation, and privacy in VANETs," in Proc. IEEE SECON Conf., 2009, pp. 1–9.
[29] J. Sun, C. Zhang, Y. Zhang, and Y. Fang, "An identity-based security system for user privacy in vehicular ad hoc networks," IEEE Trans. Parallel Distrib. Syst., vol. 21, no. 9, pp. 1227–1239, Sep. 2010.
[30] "Vehicle safety communications project," U.S. Dept. Transp., Nat. Highway Traffic Safety Admin., Washington, DC, 2006.
[31] F. Wang, D. Zeng, and L. Yang, "Smart cars on smart roads: An IEEE intelligent transportation systems society update," IEEE Pervasive Comput., vol. 5, no. 4, pp. 68–69, Oct.–Dec. 2006.
[32] Wave Syst. Corp., EMBASSY 2100 cryptographic controller. [Online]. Available: http://www.wave.com/about/datasheets/03-000139MBASSY2100.pdf
[33] H. J. Yoon, J. H. Cheon, and Y. Kim, "Batch verification with ID-based signatures," in Proc. ICISC, vol. 3506, LNCS, 2005, pp. 233–248.
[34] C. Zhang, R. Lu, X. Lin, P. H. Ho, and X. Shen, "An efficient identity-based batch verification scheme for vehicular sensor networks," in Proc. IEEE INFOCOM, 2008, pp. 246–250.

Kyung-Ah Shim received the Ph.D. degree in mathematics from Ewha Womans University, Seoul, Korea. From 2000 to 2008, she was a Senior Researcher with the Korea Information Security Agency and then a Research Professor with the Department of Mathematics, Ewha Womans University. In September 2008, she joined the Division of Fusion and Convergence of Mathematical Sciences, National Institute for Mathematical Sciences, Daejeon, Korea, as a Senior Researcher. Her research interest is cryptography.