1874
4, MAY 2012
CPAS: An Efficient Conditional Privacy-Preserving
Authentication Scheme for Vehicular
Sensor Networks
Kyung-Ah Shim
Abstract—In this paper, we propose a conditional privacy-
preserving authentication scheme, called CPAS, using pseudo-
identity-based signatures for secure vehicle-to-infrastructure
communications in vehicular ad hoc networks. The scheme
achieves conditional privacy preservation, in which each message
launched by a vehicle is mapped to a distinct pseudo-identity,
and a trust authority can always retrieve the real identity of
a vehicle from any pseudo-identity. In the scheme, a roadside
unit (RSU) can simultaneously verify multiple received signatures,
thus considerably reducing the total verification time; an RSU
can simultaneously verify 2540 signed-messages/s. The time for
simultaneously verifying 800 signatures in our scheme can be
reduced by 18%, compared with the previous scheme.
Index Terms—Anonymity, batch verification, bilinear pairing,
computational Diffie–Hellman (CDH) problem, digital signature,
ID-based system, privacy preservation, traceability, unlinkability.
I. I NTRODUCTION
W ITH THE advancement and wide deployment of wire-
less communication technologies, car manufactures and
telecommunication industries have recently started to equip
vehicles with wireless devices that allow the vehicles to com-
municate with each other and with the roadside infrastructure
to enhance driving safety and improve the driving experience
[17]. These types of vehicular communication networks, which
are also referred to as vehicular ad hoc networks (VANETs),
inherently provide an ideal means of collecting dynamic traffic
information and sensing various physical quantities related to
traffic distributions at a very low cost with a high level of accu-
racy. Such functionalities simply turn a VANET into a vehicular
sensor network (VSN) [12], which is considered essential for
achieving automatic and dynamic information collection and
fusion in an intelligent transportation system [31]. VSNs have
the potential to revolutionize the driving experience and create
a new metropolitan-area traffic flow control framework. They
Manuscript received April 12, 2011; revised August 4, 2011, October 25,
2011, and December 15, 2011; accepted January 20, 2012. Date of publication
February 6, 2012; date of current version May 9, 2012. This work was
supported by the National Institute for Mathematical Sciences Grant B21203
funded by the government of Korea. The review of this paper was coordinated
by Prof. J. Misic.
The author is with the Division of Fusion and Convergence of Mathematical
Sciences, National Institute for Mathematical Sciences, Daejeon 305-390,
Korea (e-mail: [email protected]).
Color versions of one or more of the figures in this paper are available online
at http://ieeexplore.ieee.org.
Digital Object Identifier 10.1109/TVT.2012.2186992
0018-9545/$31.00 © 2012 IEEE
IEEE TRANSACTIONS ON VEHICULAR TECHNOLOGY, VOL. 61, NO.
will undoubtedly play an important role in future wireless
metropolitan-area networks. VANETs are a subgroup of mobile
ad hoc networks (MANETs) with the distinguishing property
that the nodes are vehicles such as cars, trucks, buses, and
motorcycles. However, vehicles are not subject to strict energy,
space, and computing capability restrictions normally adopted
for MANETs. More challenging is the potentially very high
speed of the nodes (up to 250 km/h) and the large dimensions
of the VANETs. Due to the high-speed mobility of a VANET,
timely communications and strict time constraints should be
enforced. A VANET consists of onboard units (OBUs) installed
on vehicles, roadside units (RSUs) along the roads, and trusted
authorities (TAs). In VANETs, OBUs frequently broadcast
routine traffic-related messages with information about such
factors as traffic events, current time, and the position, direction,
and speed of vehicles and whether they are accelerating or
decelerating. By frequently broadcasting and receiving traffic-
related messages, drivers can gain better awareness of their
driving environment. They can take early action to respond
to an abnormal situation to avoid possible damage, or they
can follow a better route that circumvents traffic bottleneck. In
addition, with a VANET connected to the backbone Internet,
passengers sitting in vehicles can go online to enjoy various
entertainment-related Internet services with their laptops. These
services include downloading/uploading data from the Inter-
net, obtaining local information (e.g., road maps and hotel
information), and viewing electronic advertisements. Intervehi-
cle (vehicle-to-vehicle; V-to-V) communications or communi-
cations with roadside infrastructure (vehicle-to-infrastructure;
V-to-I) bring the promise of improved road safety and opti-
mized road traffic through cooperative system applications.
Our main contributions in this paper are given as follows:
1) We first propose an identity (ID)-based signature (IBS)
scheme KIBS secure in the random oracle model under the
computational Diffie–Hellman (CDH) assumption. The KIBS
scheme uses general hash functions, instead of an inefficient
special function known as the MapToPoint function. 2) We
construct a secure conditional privacy-preserving authentica-
tion scheme CPAS for secure V-to-I communications using
a pseudo-IBS scheme based on the KIBS scheme to keep a
balance between privacy and traceability achieving anonymous
authentication, message integrity, traceability, and unlinkabil-
ity. 3) The CPAS scheme supports the fastest batch verification
process at the RSUs, where the time for verifying 750 signa-
tures simultaneously is less than 300 ms.
SHIM: CPAS: CONDITIONAL PRIVACY-PRESERVING AUTHENTICATION SCHEME FOR VSNs
The rest of this paper is organized as follows: A survey of
related works is provided in Section II. In Section III, we pro-
pose a new IBS scheme that does not rely on the MapToPoint
function and give its security proof in the random oracle model
under the CDH assumption. In Section IV, we construct a
privacy-preserving pseudo-ID-based authentication scheme for
secure V-to-I communications. We then give security analysis
of our scheme and conduct a performance evaluation. Conclud-
ing remarks are given in Section V.
II. R ELATED W ORKS
VANETs are formed by mobile nodes embedded in vehicles,
which are connected in a self-organized manner without an
underlying hierarchical infrastructure. Messages from an OBU
have to be checked for integrity and authenticated before they
can be deemed reliable. Otherwise, an attacker can replace the
safety message from a vehicle or even impersonate a vehicle
to transmit a fake safety message. Advanced cryptography can
be used to make such messages secure and trustworthy. Before
putting the aforementioned attractive applications into practice
in VANETs, we must resolve security and privacy issues.
The V-to-I communication scenario is subject to the following
security requirements: source authentication, message integrity,
identity privacy preservation, traceability, and unlinkability. At
the time of authentication, the identities of claimants must be
hidden from a vehicle, and on the other hand, the authority
should be able to trace the claimant or the sender of a message
by revealing its identity when required. Thus, privacy must
be preserved and conditional. Unlinkability is stronger than
anonymity and refers to the fact that different interactions of
the same user cannot be related. Unlinkability prevents user
tracking and profiling. To ensure both source authentication
and message integrity in VANETs, one appealing solution is to
sign each message with a digital signature before the message
is sent. However, traditional public key infrastructure (PKI)-
based signature schemes that verify the received messages may
fail to satisfy the stringent time requirement of the vehicular
communication applications. In this scenario, according to the
Dedicated Short-Range Communications (DSRC) protocol [4],
an RSU can communicate with hundreds of OBUs [30], each
sending a safety-related message to the RSU every 100–300 ms.
In this case, sequentially verifying a large number of signatures
can become a time-consuming process and can therefore create
a processing bottleneck at the RSU. For instance, in a high-
density traffic scenario, there may be roughly 180 vehicles
within the communication range of an RSU, and each vehicle
is sending a message every 300 ms. This implies that a verifier
(such as an RSU) must verify around 600–2000 messages/s,
which is clearly a challenge for any current digital signa-
ture scheme. The maintenance of public key certificates un-
der the PKI incurs considerable communication/computation
overhead, so ID-based cryptography [26] may particularly
be suitable for VANETs as the work required for certificate
management and transmission overhead can be significantly
reduced. Thus, ID-based cryptography and an efficient means
of verifying a batch of signatures within a short period of time
are desirable.
1875
Raya and Hubaux [22] and Lu et al. [15] proposed PKI-
based schemes, in which each vehicle is preloaded with a large
number of anonymous public/private key pairs, together with
the corresponding public key certificates. To achieve privacy,
it requires a public/private key pair with a short lifetime, with
a pseudo-ID used in each public key certificate. Therefore, it
requires a large storage capacity and incurs high verification
costs. Moreover, its certificate revocation list (CRL), which is
produced by a TA, is typically bulky, rendering the revocation
protocols highly inefficient. Gamage et al. [6] adopted an ID-
based ring signature scheme to achieve signer ambiguity and
hence fulfill the privacy requirement in VANET applications.
However, it does not provide conditional privacy, meaning
that traceability cannot be achieved. To achieve conditional
privacy, group-signature-based authentication schemes were
proposed in [13], [14], [24], [28], and [29], where a group
manager who possesses the group master key can reveal the
real identity of any group member. A secure privacy-preserving
protocol, GSIS, for VANETs [15] uses group signatures for
V-to-V communications and IBSs for V-to-I communications.
Its group-signature-based V-to-V communications reduce the
storage cost of the public/private key pairs and the bandwidth
consumption used to transmit the CRL. The size of the CRL
and the checking costs are two important performance metrics
for revocation mechanism. Unfortunately, pseudonym-based
authentication schemes in the PKI are prone to generate a
huge CRL, whereas the checking cost in group-signature-based
schemes is unacceptable for vehicles with limited computa-
tion power. Recently, Zhang et al. [34] proposed an ID-based
batch verification scheme based on bilinear pairings for secure
V-to-I communications. They used a pseudo-ID-based one-time
signature scheme, which removes the transmission and verifica-
tion cost of certificates for public keys. It reduces the overall
verification delay of a batch of message signatures, and its
batch verification process for signatures from multiple vehicles
is much faster than that of other PKI-based schemes, such
as the Elliptic Curve Digital Signature Algorithm (ECDSA),
despite the heavy pairing computation. However, Zhang et al.
assumed that a long-term system master secret s is preloaded
into all tamper-proof devices, and all security functions rely
on it. In fact, tamper-proof devices are popular for protecting
sensitive data such as cryptographic keys in these embedded
devices. However, recent studies [1], [21] have shown that ad-
versaries can effectively extract the sensitive data from tamper-
proof devices by launching side-channel attacks, such as power
analysis and laser scanning. Thus, their security assumption is
too strong to be accepted. Because once one of the tamper-proof
devices is cracked by the side channel attacks and the system
master secret is leaked to an adversary, the whole system will
be compromised. Our scheme still makes use of tamper-proof
devices, but the strong assumption that a long-term system
master secret is preloaded into all tamper-proof devices is
removed. Furthermore, Zhang et al.’s scheme requires a special
hash function known as the MapToPoint function in signature
generation/verification, which is used to map (pseudo-)identity
information into a point on an elliptic curve. The function is
inefficient and probabilistic, and while there has been much
discussion regarding the construction of such a hash algorithm,
1876
there has been no efficient deterministic polynomial time algo-
rithm proposed for it thus far. A key challenge in this paper is
to reduce the verification cost. To do this, we use a new pseudo-
IBS scheme without using the MapToPoint function, thus
providing the fastest batch verification process. We propose a
conditional privacy-preserving authentication scheme CPAS
based on our pseudo-IBS scheme for secure V-to-I communica-
tions, which still makes use tamper-proof devices, but the strong
assumption that a long-term system master secret is preloaded
into all tamper-proof devices is removed. It supports the fastest
batch verification process at the RSUs and achieves anonymous
authentication, message integrity, traceability, and unlinkabil-
ity. The time for simultaneously verifying 800 signatures in
our scheme can be reduced by up to 18% compared with the
Zhang et al. scheme. In addition, an RSU in our scheme can
simultaneously verify 2540 signed-messages/s.
III. P RELIMINARIES
We first describe mathematical tools and cryptographic prim-
itives used as building blocks in our authentication scheme.
A. Definitions and Computational Assumptions
We briefly review the necessary facts about bilinear maps and
groups [2], [3].
1) (G1 , ∗), (G2 , ∗), and (GT , ∗) are three cyclic groups of a
prime order q.
2) g1 is a generator of G1 , and g2 is a generator of G2 .
3) e : G1 × G2 → GT is a bilinear map, i.e., a map satisfy-
ing the following properties:
a) Bilinearity: e(ua , v b ) = e(u, v)ab for all u ∈ G1 , v ∈
G2 , and a, b ∈ Z.
b) Nondegeneracy: e(g1 , g2 ) = 1 and is, thus, a genera-
tor of GT .
Formally, one defines a bilinear group generation algorithm
G that takes as input a security parameter k ∈ Z+ and outputs
the description of groups G1 , G2 , and GT and a bilinear map
e : G1 × G2 → GT . There exist probabilistic polynomial time
algorithms (in k) for computing the group operations in G1 , G2 ,
GT , and the bilinear map e.
We define the general notion of bilinear groups as follows:
Definition 3.1: We say that (G1 , G2 ) are a bilinear group
pair if there exists a group GT and a nondegenerate bilinear
map e : G1 × G2 → GT , such that the group order q = |G1 | =
|G2 | = |GT | is prime, and the pairing e and the group opera-
tions in G1 , G2 , and GT are all efficiently computable.
We consider the problem and assumption that will be used
for the security proof of our signature schemes.
Definition 3.2. [CDH Problem]: Given (g, g x , g y ) to com-
pute g xy , where x, y ∈R Z∗q , and g is a generator of G1 .
Definition 3.3. [CDH Assumption]: Let G be a CDH parame-
ter generator. We say that an algorithm A has advantage (k) in
solving the CDH problem for G if, for a sufficiently large k
AdvG,A (t)
 
A(q, G1 , g, g x , g y ) = g xy |
= Pr ≥ ε(k).
(q, G1 ) ← G(1k ), g ← G1 , x, y ← Z∗q
IEEE TRANSACTIONS ON VEHICULAR TECHNOLOGY, VOL. 61, NO. 4, MAY 2012
We say that G satisfies the CDH assumption if, for any
randomized polynomial time in t algorithm A, we have that
AdvG,A (t) is a negligible function. When G satisfies the CDH
assumption, we say that the CDH problem is hard in G1
generated by G. We say that an algorithm A(t, ε)-breaks the
CDH problem in G if A solves the CDH problem in time t and
AdvG,A is at least ε. We say that the CDH problem is (t, ε)-hard
if there is no algorithm that (t, ε)-breaks the CDH problem.
B. Signature Scheme: KSS
To construct an IBS scheme without using the MapToPoint
function, we first propose a new standard signature (SS) scheme
KSS. Let (G1 , G2 ) be a bilinear group pair, where |G1 | =
|G2 | = q for some prime q. We set G1 = G2 . We adopt the
definition and formal security model of SS schemes in [9]. The
KSS scheme is given as follows:
1) Setup. Run the parameter generator G on input a security
parameter k ∈ Z+ to generate a prime q, two groups G1
and GT of order q, a generator P in G1 , and a bilinear
pairing e : G1 × G1 → GT . Choose a cryptographic hash
function H1 : {0, 1}∗ → Zq .
2) KeyGen. Pick a random x ∈ Z∗q and Q ∈R G1 , compute
Y = xP , and set P K = (Y, Q) as a public key and
SK = x as a secret key.
3) Sign. For a given m ∈ {0, 1}∗ , choose a random number
k ∈ Z∗q , and compute T = kP , h = H1 (m, T ) ∈ Zq and
S = (x + h · k) · Q. Output σ = (T, S) as a signature on
m under P K.
4) Vfy. Given a signature σ = (T, S) of m under P K =
(Y, Q), compute h = H1 (m, T ), and verify whether
e(S, P ) = e(Y + h · T, Q) holds or not. If it holds,
accept the signature.
We show that the KSS scheme is existentially unforgeable
under an adaptive chosen-message attack in the random oracle
model.
Theorem 3.1: Suppose that the (t ,  )-CDH assumption
holds in G1 . Then, the KSS scheme is (t, qS , ) − euf − cma
for all t and  satisfying ε ≥ 4qS (nm + 1) · ε , and t = t +
O(qS ).
Proof: Suppose that A is a forger who breaks the KSS
scheme. Algorithm B is given a CDH instance (P, xP, yP ) for
x, y ∈R Zq . By using A, we will construct an algorithm B
that outputs a CDH solution xyP . Algorithm B performs the
following simulation by interacting with A.
Setup: Algorithm B sets Y = xP and Q = yP and starts
by giving A the system parameters Params and the public key
(Y, Q).
H1 -Queries: To respond to H1 queries, B maintains a list
of tuples (M, T, h), as explained here. We refer to this list as
the H1 − list. When A queries the oracle H1 at (M, T ), B
responds as follows.
1) If the query (M, T ) already appears on the H1 − list
in a tuple (M, T, h), then B responds with H1 (M, T ) =
h ∈ Zq .
SHIM: CPAS: CONDITIONAL PRIVACY-PRESERVING AUTHENTICATION SCHEME FOR VSNs
2) Otherwise, B picks a random h ∈ Zq and adds the tuple
(M, T, h) to the H1 − list and responds to A with
H1 (M, T ) = h.
At any time, A can query the signing oracle. To answer these
queries, B does the following:
Sign Queries: When A makes a Sign-query on M under
the public key, B chooses k, h ∈R Zq , and computes T =
h−1 (kP − Y ), S = kQ. Then, σ = (T, S) is a valid signa-
ture on m under (Y, Q) since it satisfies e(Y + h · T, Q) =
e(kP, Q) = e(S, P ). If the tuple (M, T, h) already appears on
the H1 − list, B chooses another r, h ∈ Z∗q , and tries again.
Then, B responds to A with σ = (T, S) and stores (M, T, h) in
the H1 − list.
Note that A’s view is identical to its view in the real attack.
Output: By the Forking Lemma [20], after replaying A with
the same random tape, B obtains two valid signatures σ =
(M ∗ , h, T, S) and σ  = (M ∗ , h∗ , T, S ∗ ) within a polynomial
,
time, where
S = (x + hk) · Q, S ∗ = (x + h∗ k) · Q.
Then, B computes
 −1 −1  −1  existential forgery under an adaptive chosen-message and an
h − (h∗ )−1 h S − (h∗ )−1 S ∗ = x · Q = xyP.
Finally, B outputs xyP as a solution to the CDH instance. 
C. New IBS Scheme: KIBS
The ID-based infrastructure allows a user’s public key to be
easily derivable from her known identity information such as an
email address [26]. The ID-based infrastructure involves users
and a private key generator (PKG) having a master public/secret
key pair, and the PKG is responsible for generating private keys
.
for users. Such cryptosystems alleviate the certificate overhead
and solve the problems of PKI technology. Now, we propose a
new IBS scheme KIBS based on the KSS scheme. We adopt
the definition and formal security model of the IBS schemes
in [27].
KIBS Scheme:
• Setup. Given a security parameter k ∈ Z+ , the algorithm
works as follows.
1) Run the parameter generator G on input k to generate
a prime q; two groups G1 and GT of order q; three
distinct generators P , Q, and Q in G1 ; and a bilinear
pairing e : G1 × G1 → GT . Pick a random s ∈ Z∗q ,
and set PPub = sP .
2) Choose two cryptographic hash functions H1 :
{0, 1}∗ → Zq and H2 : {0, 1}∗ → Zq . The system
parameters are Params = q, G1 , GT , e, P, PPub , Q,
Q , H1 , H2
. Extract Queries: When A queries a private key correspond-
• Extract. For a given string ID ∈ {0, 1}∗ , the following
steps are taken:
1) Choose k ∈R Z∗q , and compute TID = kP .
2) Compute h = H1 (ID, TID ) ∈ Zq and SID = (s +
h · k) · Q, and set a private key (TID , SID ) correspond-
ing to ID, where s is a master secret.
1877
• IB − Sign. Given a private key (TID , SID ) and a message
M ∈ {0, 1}∗ , two steps occur.
1) Choose r ∈R Z∗q , and compute U = r · P ∈ G1 .
2) Compute h = H2 (ID, M, TID , U ) ∈ Zq and V =
h · SID + r · Q . Then, τ = (TID , U, V ) is a signature
on M for ID.
• IB − Vfy. Given a signature τ = (TID , U, V ) of M for
an identity ID, compute h = H1 (ID, TID ) and h =
H2 (ID, M, TID , U ) ∈ Zq , and verify whether
e(V, P ) = e (h · [PPub + h · T ], Q) · e(U, Q )
holds or not. If it holds, accept the signature.
Now, we prove the security of the KIBS scheme in the
random oracle model. We deal with H1 and H2 as random
oracles. Let an adversary A be a probabilistic polynomial time
algorithm whose input is Params = q, G1 , GT , e, P, H1 , H2
where q ≥ 2k . The adversary A can make qH1 queries to the H1
hash, qH2 queries to the H2 hash, qE queries to the Extract,
and qIS queries to the IB − Sign.
Theorem 3.2: If the KSS scheme is (t, qS , ) − euf − cma,
the KIBS scheme is (t, qH1 , qH2 , qE , qIS , ε)-secure against
adaptive chosen-ID attack, for any t and ε satisfying ε ≈ ε and
t = t + O(qS ).
Proof: Suppose that A is a forger who breaks the KIBS
scheme. A public key P K = (Y, Q) is given for x ∈R Z∗q ,
where Y = xP . By using the forgery algorithm A, we will
construct an algorithm B that outputs a forgery of the KSS
scheme. Algorithm B performs the following simulation by
interacting with A.
Setup: Algorithm B sets PPub = Y = xP , chooses μ ∈R
Z∗q , computes Q = μP ∈ G1 , and starts by giving A system
parameters Params, including P, Ppub , Q, Q
At any time, A can query the random oracles H1 and H2 and
Extract and IB − Sign oracles. To answer these queries, B
does the following:
H1 and H2 Queries: To respond to H1 queries (H2 queries),
B maintains a list of tuples (ID, T, h) ((ID, M, T, U, h )),
as explained here. We refer to this list as the H1 − list
(H2 − list). When A queries the oracle H1 (H2 ) at (ID, T )
((ID, M, T, U )), B responds as follows.
1) If the query (ID, T ) ((ID, M, T, U )) already appears
on the H1 − list (H2 − list) in a tuple (ID, T, h)
((ID, M, T, U, h )), then B responds with H1 (ID, T ) =
h ∈ Zq (H2 (ID, M, T, U ) = h ).
2) Otherwise, B picks a random h ∈ Zq (h ∈ Zq ), adds the
tuple (ID, T, h) ((ID, M, T, U, h )) to the H1 − list
(H2 − list), and responds to A, with H1 (ID, T ) = h
(H2 (ID, M, T, U ) = h ).
ing to IDi , B requests a signature Si ← Sign(x, IDi ) on IDi
under (Y, Q) to the signing oracle of the KSS scheme. Then, B
responds to A with Si and stores (IDi , Si ) to the Ext − list.
IB-Sign Queries: When A makes a IB − Sign-query on M
for IDi , B finds the corresponding pair (IDi , Si ) from the
Ext − list.
1878
• If (IDi , Si ) already appears on the Ext − list, then B
can compute a signature σi by performing the signing
algorithm.
• Otherwise, B requests an Extract-query to obtain the cor-
responding private key Si . Then, B computes a signature
σi on M for IDi using Si , responds to A with σi , and
stores (IDi , Si ) to the Ext − list.
Note that A’s view is identical to its view in the real attack.
Output: Eventually, A outputs a forgery τ ∗ = (T ∗ , U ∗ , V ∗ )
on m∗ for ID∗ such that ID∗ has never requested to the
private key extraction oracle and the pair (m∗ , ID∗ ) has never
requested to the IB − Sign oracle, where T ∗ = kP , U ∗ = rP ,
V ∗ = h SID∗ + r · Q . Algorithm B computes (h )−1 (V ∗ −
μU ) = SID∗ . Then, (T ∗ , SID∗ ) is a valid signature on ID∗
under P K of the KSS scheme. Finally, B outputs (T ∗ , SID∗ )
as a forgery of the KSS scheme.
IV. CPAS: A C ONDITIONAL P RIVACY-P RESERVING
AUTHENTICATION S CHEME FOR S ECURE
V EHICLE - TO -I NFRASTRUCTURE C OMMUNICATIONS
Here, we propose a secure conditional privacy-preserving
authentication scheme CPAS based on the KIBS scheme for
secure V-to-I communications.
A. System Model and Security Requirements
The system consists of four network entities, i.e., two TAs,
a trace authority (TRA) and a PKG, immobile RSUs at the
roadside, and mobile OBUs equipped on the vehicles. The TRA
who is in charge of the registration of RSUs and OBUs can
reveal the actual identity of a signed message from an OBU.
The PKG is responsible for generating and assigning private
keys for OBUs and RSUs. We assume the following: 1) The
TRA and PKG are always trusted and can never be compro-
mised. Of course, we assume that two TAs do not collude.
They are also powered with sufficient computation and stor-
age capability. The OBUs have limited computational power,
whereas the RSUs have greater computation power than the
OBUs. 2) Each vehicle has a reliable positioning [e.g., global
position system (GPS)] and can get accurate time information.
Based on this system, vehicles compare the physical location of
the message sender with the location information in the RSU’s
identity string. 3) Each vehicle is equipped with a tamper-proof
device, which prevents an adversary from extracting any data
stored in the device, including the private key, the data, and
the code [10], [22]. Vehicles will also store their own private
keys corresponding to the pseudo-IDs in the device, which is
responsible for signing outgoing messages. The device should
have its own battery (which can be recharged from the vehicle)
and clock (which can be securely resynchronized while passing
by a trusted roadside base station). The cryptographic keys of
the vehicle can be renewed during periodic technical checkups.
These features are currently available on several commercial
products [32].
We introduce a two-layer vehicular network model, as pre-
sented in [34]. The lower layer is composed of OBUs and
RSUs. According to [4], the medium used for communications
IEEE TRANSACTIONS ON VEHICULAR TECHNOLOGY, VOL. 61, NO. 4, MAY 2012
between OBUs and RSUs is 5.9-GHz DSRC identified as
IEEE 802.11p. Each vehicle has its own real identity, pseudo-
ID, and a private key, with which all messages are signed and
then sent to a nearby RSU. Each RSU that receives traffic-
related information is responsible for verifying the digital sig-
natures of the messages. In general, the top layer is comprised
of application servers (such as a traffic control analysis center)
and TAs. The RSUs communicate with an application server
and the TAs using a secure transmission protocol, such as
the wired Transport Layer Security protocol. The RSUs are
responsible for forwarding the valid messages received from
OBUs to the application server. The application server is in
charge of making further analysis and/or giving feedback to
the RSUs after collecting traffic-related information such as
the current time, location, instances of traffic accidents, the
 traffic distribution, and the road weather information [23] from
the RSUs. As the secure vehicular communications are mainly
meant for civilian applications, in most highway scenarios,
RSUs are assumed to connect with the TAs by wired links or via
any other link utilizing high bandwidth, low delay, and low bit
error rates. RSUs also communicate with each other either via
the TAs or through a secure and reliable peer-to-peer channel.
We aim to design a scheme that satisfies the following
security requirements: 1) Authentication and message integrity:
Messages from vehicles have to be authenticated to confirm that
they were indeed sent by legitimate entities for the RSUs with-
out being modified or forged. 2) Identity privacy preserving:
The real identity of a vehicle should be kept anonymous with
regard to other vehicles, and a third party should not be able to
reveal a vehicle’s real identity by analyzing multiple messages
sent by it. 3) Traceability: Although a vehicle’s real identity
should be hidden from other vehicles, if necessary, the TRA
should have the ability to obtain a vehicle’s real identity. The
TRA should have the ability to retrieve a vehicle’s real identity
from its pseudo-ID when the signature is in dispute or when the
content of a message is not genuine.
B. Our Construction: CPAS
Our conditional privacy-preserving authentication scheme
CPAS consists of four phases, i.e., System Parameters
Setup, Pseudo − Identity Generation/Private Key
Extraction, Message Signing, and Batch Verification
of Traffic Information Messages. In the System Pa−
rameters Setup, the TAs generate the system param-
eters. In the Pseudo − Identity Generation/Private Key
Extraction phase, the TRA generates pseudo-IDs for vehicles
after verifying their real identities, and the PKG then computes
private keys corresponding to the pseudo-IDs. Unlike sensors
and some mobile nodes, storage is not a stringent requirement
for vehicles, rendering the preloading of a large pool of pseudo-
IDs feasible. Raya and Hubaux [22] quantitatively studied
the storage space requirement for preloading anonymous keys
(pseudonyms) and associated certificates. Their results were
obtained based on quantifying the upper and lower bounds of
the pseudonym change interval to maintain a satisfactory degree
of privacy. We use this preloading method based on our IBS
scheme, in which a pool of pseudo-IDs with short expiration
SHIM: CPAS: CONDITIONAL PRIVACY-PRESERVING AUTHENTICATION SCHEME FOR VSNs
times/private keys is loaded into the vehicle by the TAs at the
Pseudo−Identity Generation/Private Key Extraction
phase. When the network is accessible and less busy at
some time close to an update, the pseudo-ID pool will
be replenished via a secure channel between the vehicle
and TAs after proper authentication. Through these two
phases for initialization, all vehicles are registered with the
TAs and preloaded with system parameters and their own
pseudo-IDs and private keys. In the Message Signing and
Batch Verification of Traffic Information Messages
phases, each vehicle sends signed messages to a nearby RSU,
and the RSU verifies multiple signatures from the vehicles.
The notations throughout this paper are listed in Table I.
CPAS Scheme: Vehicle to RSU:
[System parameters setup]: Prior to the deployment of the
network, the TRA and the PKG generate the system parameters
as follows.
tti for P IDi .
1) Given a security parameter k ∈ Z+ , the TAs generate a
prime q; two groups G1 and GT of order q; three distinct
to a nearby RSU. These steps are repeated every
generators P, Q and Q in G1 ; and a bilinear pairing e :
G1 × G1 → GT . The PKG picks a random s ∈ Z∗q and
set PPub = sP , where s is a master secret for private key
extraction, which is known to only the PKG.
2) The TRA chooses a random α ∈ Z∗q and sets TPub = αP ,
where α is a master secret for traceability, which is known
to only the TRA.
3) They choose two cryptographic hash functions H1 : {0,
1}∗ → Zq and H2 : {0, 1}∗ → Zq . Then, the system
, . . . , P IDn , Mn , ttn , τn
, which are
parameters are Params = q, G1 , G2 , e,P,TPub ,PPub ,
Q, Q , H1 , H2
. τi = (Ti , Ui , Vi ), if tti (i = 1, . . . , n) is in a valid time interval
The tamper-proof devices of all vehicles are preloaded with
this public system parameters Params.
[Pseudo-identity generation/private key extraction]: Con-
ditional privacy-preserving authentication in our scheme can
be achieved by using pseudo-IDs that are intimately linked
to real identities. In this phase, a vehicle sends information

containing its real identity RID to the TRA, where the real
identity uniquely identifies the vehicle such as its license plate
number. Pseudo-IDs from real identities are generated by the
method used in [34].
1) A vehicle Vi computes P IDi,1 = ki P for ki ∈ Z∗q and
sends (RIDi , P IDi,1 ) to the TRA in a secure way, where
the RIDi uniquely identifies the vehicle Vi .
2) After confirming RIDi , the TRA computes
P IDi,2 = RIDi ⊕ H(αP IDi,1 , P IDi,1 , ETi , TPub )
where ETi defines the valid period of this pseudo-ID,
P IDi , and α is the master secret of the TRA. Then, a
pseudo-ID P IDi = (P IDi,1 , P IDi,2 , ETi ) is delivered
to the PKG via a secure way.
3) For a given pseudo-ID P IDi , the PKG chooses a
random number ti ∈ Z∗q and computes Ti = ti P , hi =
H1 (P IDi , Ti ) ∈ Zq , and Si = (s + hi · ti ) · Q. Then,
the PKG sets the private key as SKi = (Ti , Si ), where
s is the master secret of the PKG.
4) They send pseudo-IDs/private keys P IDi /SKi
to the scheme to sign the messages launched from RSUs for RSU
vehicle via a secure channel.
1879
Pseudo-IDs for privacy preservation are generated as a com-
bination of some contribution of the TRA and some user-chosen
secret. Accordingly, only the TRA who knows the master secret
α can recover the real identity RIDi from P IDi . The pseudo-
IDs/private keys are then stored in the tamper-proof device of
the vehicle.
[Message signing]: To ensure message integrity and au-
thentication, each message sent by a vehicle should be signed
and verified when it is received. A vehicle Vi randomly selects
a pseudo-ID P IDi from its storage and chooses a current
timestamp tti , where tti provides freshness of a signed message
against replay attacks. The vehicle Vi , with the private key
SKi = (Ti , Si ), signs a traffic-related message Mi .
1) Choose ri ∈R Z∗q , and compute Ui = ri · P ∈ G1 .
2) Compute hi = H2 (P IDi , Mi , tti , Ti , Ui ) ∈ Zq and Vi =
hi · Si + ri · Q . Then, τi = (Ti , Ui , Vi ) is a signature on
Mi
3) Subsequently, Vi sends the final message P IDi , Mi ,
tti , τi
100–300 ms according to the DSRC.
[Batch verification of traffic information messages]:
Once an RSU receives a traffic-related message signed by a
vehicle, the RSU has to verify the signature of the message
to ensure that the corresponding vehicle is not attempting
to impersonate any other legitimate vehicle or disseminate
false messages. Given n distinct message-signature tuples
P ID1 , M1 , tt1 , τ1
signed by n distinct vehicles V1 , . . . , Vn , respectively, where
and ETi (i = 1, . . . , n) in P IDi is valid, then the RSU
performs the following procedures.
1) Compute hi = H1 (P IDi , Ti ) and hi = H2 (P IDi , Mi ,
tti , Ti , Ui ) ∈ Zq for i = 1, . . . , n.
2) Verify whether
 n   n
  
n
e Vi , P = e hi · Ppub + hi hi Ti , Q
i=1 i=1 i=1
 

n

·e Ui , Q
i=1
holds or not. If it holds, accept the signatures.
Efficiency: From the aforementioned batch verification
equation, the computation cost for an RSU to verify n sig-
natures dominantly comprises (n + 1) scalar multiplications
in G1 and three pairing computations. Thus, compared with
previous schemes that use IBS schemes with batch verification,
the time for an RSU to verify a large number of signatures sent
by surrounding vehicles can be considerably reduced. Thus, it
reduces the message loss ratio caused by the potential signature
verification bottleneck at the RSU.
Unlike vehicle-to-RSU communication, in RSU-to-vehicle
communication, the messages sent by RSUs are not subject
to privacy requirements. Therefore, we directly use our IBS
authentication and message integrity. The CPAS scheme for
1880 IEEE TRANSACTIONS ON VEHICULAR TECHNOLOGY, VOL. 61, NO. 4, MAY 2012

TABLE I
N OTATIONS

TABLE II for an identity IDR , it computes hR = H1 (IDR , TR ) and hi =

F ORMAT OF RSU’s I DENTITY
H2 (IDR , Mi , tti , TR , UiR ) ∈ Zq and verifies whether

RSU to vehicle is the same as that for vehicle to RSU, except
for removing the Pseudo − Identity Generation part.
CPAS Scheme: RSU to Vehicle:
,
[Private key extraction]: For a given string IDR ∈
, which are signed by the same RSU,
{0, 1}∗ , which is an RSU’s identity information, the PKG
generates a private key as follows.
1) Choose a random number k ∈ Z∗q , and compute TR =
kP .
2) Compute hR = H1 (IDR , TR ) ∈ Zq and SR = (s + h ·

k) · Q, and set the private key as SKR = (TR , SR ),
where s is the master secret.
The PKG sends the private key to the RSU via a secure
channel. Then, the private key SKR = (TR , SR ) corresponding
to the identity IDR is stored in the RSU. The format of RSU’s
identity follows that in [14] (see Table II).
[RSU message signing]: When an RSU broadcasts a
traffic-related message to vehicles, the RSU with the private key
(TR , SR ) chooses a current timestamp tti and signs the traffic-
related message Mi as follows.
1) Choose ri ∈R Z∗q , and compute UiR = ri · P ∈ G1 .
2) Compute hi = H2 (IDR , Mi , TR , tti , UiR ) ∈ Zq and
ViR = hi · SR + ri · Q . Then, τiR = (TR , UiR , ViR ) is a
signature on Mi
tti for IDR . C. Security Analysis
3) Subsequently, the RSU sends the final message
IDR , Mi , ttR , τiR
to the vehicles. Section III-C, we prove that the KIBS scheme is secure
[Verification of traffic information messages]: A vehicle
receiving a signed message from an RSU with the location
information in the RSU’s identifier string must take steps to
prevent an attacker from taking the device off of one RSU
and putting it elsewhere. The receiver compares the identity
information in the received message with the property con-
tained in the identifier string. If the received identity infor-
mation does not match this property, the message is ignored.
Otherwise, given a signature τiR = (TR , UiR , ViR ) of Mi
tti user-chosen secret ki such that only one who knows ki or α can
e ViR , P = e (hi · [PPub + hR · TR ], Q) · e UiR , Q
holds or not. If it holds, accept the signature. If multiple signed
messages from the same RSU in a time interval are given,
for l distinct message-signature tuples IDR , M1 , tt1 , τ1R
· · · , IDR , Mn , ttl , τlR
where τiR = (TR , UiR , ViR ), the vehicle performs the follow-
ing.
1) Compute hR = H1 (IDR , TR ) and hi = H2 (IDR , Mi ,
TR , tti , UiR ) ∈ Zq for i = 1, . . . , l.
2) Verify whether
 l   l
 

e Vi , P = e l · hR · Ppub +
R
hi hR T R , Q
i=1 i=1
 

l

·e UiR , Q
i=1
holds or not. If it holds, accept the signatures.
In this case, batch verification of l signatures from the same
RSU requires mainly three pairing computations and two scalar
multiplications in G1 . Thus, the time required for a vehicle to
verify multiple signatures sent by the same RSU can be sharply
reduced, compared with that needed for sequential verifications
of l individual signatures.
Source Authentication and Message Integrity: In
against existential forgery under an adaptive chosen-message
and an adaptive chosen-ID attack in the random oracle model
under the CDH assumption. The security of our pseudo-IBS
scheme is reduced to that of the KIBS scheme. Thus, pseudo-
ID authentication, message integrity, and nonrepudiation are
achieved.
Identity Privacy-Preserving: In our scheme, a user’s pseudo-
ID is a combination of the TRA’s master secret key α and some
SHIM: CPAS: CONDITIONAL PRIVACY-PRESERVING AUTHENTICATION SCHEME FOR VSNs 1881

compute αP IDi,1 . In other words, its security depends on the TABLE III
C OMPUTATIONAL C OMPLEXITY OF THE IBS S CHEMES
intractability of the CDH problem, i.e., given P IDi,1 = ki P IN THE N UMBER n OF S IGNATURES
and TPub = αP , compute αP IDi,1 = αki P . Therefore, our
scheme does not leak any information related to real identities.
Traceability: Given a pseudo-ID P IDi = (P IDi,1 ,
P IDi,2 , ETi ) in a signed message, the TRA with the master
secret α for traceability can trace the real identity of a vehicle
by computing

P IDi,2 ⊕ H(αP IDi,1 , P IDi,1 , ETi , TPub ) = RIDi

because αP IDi,1 = ki TPub = ki αP , and P IDi,1 = ki P .

Therefore, once a signature is in dispute, the TRA who had
assigned pseudo-IDs to the real identity of the vehicles has the
ability to trace the vehicle from the disputed message.
Security Against Sybil Attacks—Short-Term Linkability:
When the same vehicle sends two or more messages within a
small time frame t, a recipient should be able to verify that
these messages came from the same sender. We would like to
enforce short-term linkability in order that a malicious vehicle
cannot launch Sybil attacks [5], [28], where a single vehicle
impersonates multiple vehicles. Short-term linkability does not
hurt drivers’ privacy, but a vehicle can identify messages sent
by the same sender within a short time in the communication
range of the same RSU. In our scheme, one can detect the
Sybil attack by checking the linkability of pseudo-IDs in the
short-time periods appointed in the pseudo-IDs. It is easy to
distinguish the signatures produced by the same signer although
Fig. 1. Verification delay versus traffic density.
the signer is anonymous. Thus, our scheme with short-term
linkability can thwart the Sybil attacks, as well as achieve long- system, the number of authorities for sharing the secret and
term unlinkability. for revealing the identity can be adjusted by setting different
Long-Term Unlinkability: A basic privacy requirement is n and k values, respectively. Threshold schemes are used as
that an observer cannot link messages sent by a vehicle to cryptographic means to distribute secret information to multiple
the driver’s name, license plate number, or other personally entities to eliminate power centralization and a single point of
identifying information. More specifically, if the same vehicle failure. A benefit in doing so is that corrupted authorities (the
sends two messages m and m more than Δt time apart, then number being less than the threshold) cannot arbitrarily trace
an adversary should not be able to determine whether m and m vehicle users to compromise their privacy. More precisely, any
originate from the same sender or not. In the CPAS scheme, k or more TRAs must cooperate to trace the real identities of
given all the messages are signed with different pseudo-IDs, the vehicles, i.e., if the number of the colluding TRAs is less
if the short expiration times ETi in the pseudo-IDs satisfy than k, then the TRAs cannot trace the vehicles.
Δt > ETi , then neither of the messages can be connected to
a single vehicle.
D. Performance Evaluation
Role Separation: In our scheme, there are two TAs: one is
a TRA, which is in charge of generating vehicles’ pseudo-IDs In this section, we evaluate the performance of our scheme
and tracing the real identities from signed messages. The other in terms of verification delay. A comparison of the efficiency of
is a PKG, which is responsible for generating vehicles’ pri- our scheme with the scheme of Zhang et al. (ZLLHS [34]) and
vate keys corresponding to their pseudo-IDs. Therefore, unlike schemes based on known IBS schemes with batch verification,
Zhang et al.’s scheme, even the PKG cannot trace the real including those of Yoon et al. (Yoon − Cheon − Kim [33]) and
identity of a vehicle from the signed message. The tracing secret Shim (EIBS [27]) is given in Table III. In this table, P, SM
key α stored at the TRA and the master secret key s stored at the and MTP represent the time to perform a pairing computation,
PKG must be strongly protected in the same way that the private a scalar multiplication in G1 , and a MapToPoint operation.
key of a certification authority (CA) in the PKI is protected. To improve efficiency, our scheme uses general hash functions
One way of protecting this key is by distributing it among H1 and H2 such as SHA-1 or SHA-2 [18], [19], instead of
different sites using techniques of threshold cryptography [7], the MapToPoint function. The schemes in Table III, with the
[8]: The master secret key s (α) can easily be distributed in a exception of our scheme, require n pairing computations or n
k-out-of-n fashion by giving each of the n PKGs (TRAs) one MapToPoint operations, where n is the number of signatures.
share si (αi ) of a Shamir secret sharing of s (α) mod q [25]. As our scheme focuses on reducing the signature verification
Applying the (k, n)-threshold secret sharing schemes to our cost at an RSU, we assume that all of the vehicles can directly
1882
TABLE IV
F ORMAT OF THE S IGNED M ESSAGE
TABLE V
F ORMAT OF THE S IGNED M ESSAGE FOR OBUs (RSUs)
communicate with the RSU. We also assume that the commu-
nication coverage of an RSU is 1 km2 and that each vehicle
periodically broadcasts a traffic-related message every 300 ms.
The traffic density is taken as the number of vehicles within an
RSU’s radiation range. In Fig. 1, the traffic density is equal to
the number of signatures. The figure illustrates the performance
results (in milliseconds) of two schemes on a 3.07-GHz Intel i7
central processing unit. We used the MIRACL cryptographic
library [16] by choosing the Tate pairing on a 159-bit subgroup
of an MNT curve with an embedding degree 6 at an 80-bit se-
curity level. The most time-consuming operation in our scheme
is a scalar multiplication: The computational complexity of our
scheme is dominant to the number of scalar multiplications. The
state-of-the-art timing of a scalar multiplication is 0.39 ms, i.e.,
it is known that the time for performing a scalar multiplication
on an MNT curve with an embedding degree of 6 is the fastest
at an 80-bit security level. In this curve, the time for performing
a MapToPoint function takes 0.09 ms, whereas the time for
performing a SHA-1 hash function is negligible. As shown in
Fig. 1, the time for simultaneously verifying 2000 signatures
in our scheme can be reduced by 18% compared with the
Zhang et al. scheme. If each vehicle periodically broadcasts a
traffic-related message every 300 ms, i.e., its time gap is less
than 300 ms, then the time for verifying signatures gathered
in a time interval must be less than 300 ms. Fig. 1 shows that,
in our scheme, the time for verifying 750 signatures gathered in
a time interval is less than 300 ms. In addition, an RSU in our
scheme can simultaneously verify 2540 signed-messages/s.
Communication overhead: We analyze communication
overhead of our scheme. The current IEEE Trial-Use stan-
dard for VANET security provides detailed documentation,
including the choice of cryptosystems in the PKI. To authen-
ticate a message sender and guarantee the message integrity,
OBUs or RSUs should sign messages with their private keys
before the messages are sent. Table IV shows the format
of a signed message, where a 125-B certificate and a 56-B
ECDSA signature [11] have to be attached for each 69-B
intervehicle communications message. Obviously, the crypto-
graphic overhead (the certificate and the signature) takes up
a significant portion of the total packet size (250 B). In our
scheme based on the ID-based infrastructure, the total packet
size can be reduced by 209 B. We follow the format of safety
messages between OBUs and RSUs as in [14]. The first four
parts in Table V are signed by the OBUs, which derives the
“Signature” part. To reduce the signature length, it is suitable
to use a 159-bit subgroup of the MNT curve with an embed-
ding degree of 6. When one sends a point Q = (x, y) of the
curve, it sends only the x-coordinate of Q, and a verifier can
IEEE TRANSACTIONS ON VEHICULAR TECHNOLOGY, VOL. 61, NO. 4, MAY 2012
obtain the y-coordinate by computing the square root to reduce
the communication overhead. Then, the total signature size
is 159 + 159 + 159 + 3 = 480 bits, as each element in G1 is
159 bits. Then, the total pseudo-ID size is 159 + 159 + 2 + 4 =
324 bits, where ETi is taken as 4 B. The CPAS scheme for
RSU to vehicle uses a real identity, instead of a pseudo-ID, so
that 10 B are enough to represent the real identity information.
The total packet length from vehicle to RSU (RSU to vehicle)
in our scheme is 209 (178) B. If we take 1, 1, and 67 B as
Type ID, Message ID, and Payload(Message) as in Table V,
then the total packet length is 174 (143) B.
V. C ONCLUSION
We have proposed a secure conditional privacy-preserving
authentication scheme, called CPAS, using a new IBS scheme
with the fastest batch verification process for secure V-to-I com-
munications in VANETs. The scheme achieves conditional pri-
vacy preservation in which each message launched by a vehicle
has been mapped to a distinct pseudo-ID and a TRA can always
retrieve the real identity of a vehicle from any pseudo-ID. In
the CPAS scheme, an RSU can simultaneously verify multiple
received signatures such that the total verification time can be
considerably reduced. The time for simultaneously verifying
800 signatures in our scheme can be reduced by 18% compared
with Zhang et al.’s scheme. To the best of our knowledge, the
CPAS is the fastest conditional privacy-preserving authentica-
tion scheme for secure V-to-I communications. However, our
pseudo-IBS scheme designed for efficient batch verification is
more suitable for the V-to-I communications than the V-to-V
communications. The basic IBS scheme requires three pairing
computations to verify a signature, and therefore, verifying a
number of signatures sequentially transmitted from multiple
vehicles causes a processing bottleneck at each vehicle with
limited computational power. Therefore, a pairing-free pseudo-
IBS scheme is suitable for such an environment. In our future
work, we will extend our challenge to V-to-V communication
and conduct more performance evaluation on message end-to-
end delay and message loss ratio in V-to-V communication,
as well as the evaluation of CPAS on a large-scale VANET
testbed with varying vehicle mobility models.
R EFERENCES
[1] R. Anderson and M. G. Kuhn, “Tamper resistance—A cautionary note,”
in Proc. USENIX Workshop Electron. Commerce, 1996, pp. 1–11.
[2] D. Boneh and M. Franklin, “Identity-based encryption from the Weil pair-
ing,” in Advances in Cryptology-Crypto. New York: Springer-Verlag,
2001, pp. 213–229.
SHIM: CPAS: CONDITIONAL PRIVACY-PRESERVING AUTHENTICATION SCHEME FOR VSNs
[3] D. Boneh, B. Lynn, and H. Shacham, “Short signatures from the Weil
pairing,” in Advances in Cryptology-Asiacrypt. New York: Springer-
Verlag, 2002, pp. 514–532.
[4] Dedicated Short Range Communications (DSRC). [Online]. Available:
http://www.standards.its.dot.gov/Documents/advisories/dsrc_advisory.htm
[5] J. R. Douceur, “The sybil attack,” in Proc. IPTPS, Mar. 2002, pp. 251–
260.
[6] C. Gamage, B. Gras, B. Crispo, and A. S. Tanenbaum, “An identity-based
ring signature scheme with enhanced privacy,” in Proc. SecureComm,
2006, pp. 1–5.
[7] P. Gemmell, “An introduction to threshold cryptography,” CryptoBytes, A
Techn. Newsl. RSA Lab., vol. 2, no. 3, pp. 7–12, 1997.
[8] R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin, “Secure distributed
key generation for discrete-log based cryptosystems,” in Advances in
Cryptology-Eurocrypt. New York: Springer-Verlag, 1999, pp. 295–310.
[9] S. Goldwasser, S. Micali, and R. L. Rivest, “Digital signature scheme se-
cure against adaptive chosen-message attacks,” SIAM J. Comput., vol. 17,
no. 2, pp. 281–308, Apr. 1988.
[10] J. P. Hubaux, S. Capkun, and J. Luo, “The security and privacy of smart
vehicles,” IEEE Security Privacy, vol. 2, no. 3, pp. 49–55, May/Jun. 2004.
[11] IEEE Trial-Use Standard for Wireless Access in Vehicular
Environments—Security Services for Applications and Management
Messages, IEEE Std. 1609.2, Jul. 2006.
[12] U. Lee, E. Magistretti, B. Zhou, M. Gerla, P. Bellavista, and A. Corradi,
“Mobeyes: Smart mobs for urban monitoring with a vehicular sensor
network,” IEEE Wireless Commun., vol. 13, no. 5, pp. 52–57, Oct. 2006.
[13] X. Lin, R. Lu, C. Zhang, H. Zhu, P.-H. Ho, and X. Shen, “Security in
vehicular ad hoc networks,” IEEE Commun. Mag., vol. 46, no. 4, pp. 88–
95, Apr. 2008.
[14] X. Lin, X. Sun, P. H. Ho, and X. Shen, “GSIS: A secure and privacy-
preserving protocol for vehicular communications,” IEEE Trans. Veh.
Technol., vol. 56, no. 6, pp. 3442–3456, Nov. 2007.
[15] R. Lu, X. Lin, H. Zhu, P.-H. Ho, and X. Shen, “ECPP: Effi-
cient conditional privacy-preservation protocol for secure vehicular
communications,” in Proc. IEEE Conf. Comput. Commun., Apr. 2008,
pp. 1229–1237.
[16] MIRACL Cryptographic Library: Multiprecision Integer and Rational
Arithmetic C/C++ Library. [Online]. Available: http://indigo.ie/~mscott/
[17] J. A. Misener, “Vehicle-infrastructure integration (VII) and satety: Rubber
and radio meets the road in California,” Intellimotion, vol. 11, no. 2, pp. 1–
3, 2005.
[18] Nat. Inst. Stand. Technol., Secure Hash Standard. Federal Information
Processing Standard, FIPS-180-1, Apr. 1995.
[19] Nat. Inst. Stand. Technol., Secure Hash Standard. Federal Information
Processing Standard, FIPS-180-1, Aug. 2002.
[20] D. Pointcheval and J. Stern, “Security arguments for digital signatures and
blind signatures,” J. Cryptol., vol. 13, no. 3, pp. 361–396, 2000.
[21] S. Ravi, A. Raghunathan, and S. Chakradhar, “Tamper resistance mech-
anisms for secure embedded systems,” in Proc. Int. Conf. VLSID, 2006,
pp. 605–611.
[22] M. Raya and J. P. Hubaux, “Securing vehicular ad hoc networks,”
J. Comput. Security—Special Issue Security Ad Hoc Sensor Netw., vol. 15,
no. 1, pp. 39–68, Jan. 2007.
1883
[23] Road Weather Management. [Online]. Available:
http://ops.fhwa.dot.gov/weather/
[24] K. Sampigethaya, L. Huang, M. Li, R. Poovendran, K. Matsuura, and
K. Sezaki, “Caravan, Providing location privacy for vanet,” in Proc.
ESCAR, 2005, pp. 1–15.
[25] A. Shamir, “How to share a secret,” Commun. ACM, vol. 22, no. 11,
pp. 612–613, Nov. 1979.
[26] A. Shamir, “Identity-based cryptosystems and signature schemes,” in
Advances in Cryptology-Crypto. New York: Springer-Verlag, 1984,
pp. 47–53.
[27] K. A. Shim, “An ID-based aggregate signature scheme with constant
pairing computations,” J. Syst. Softw., vol. 83, no. 10, pp. 1873–1880,
Oct. 2010.
[28] A. Studer, E. Shi, F. Bai, and A. Perrig, “TACKing together efficient au-
thentication, revocation, and privacy in VANETs,” in Proc. IEEE SECON
Conf., 2009, pp. 1–9.
[29] J. Sun, C. Zhang, Y. Zhang, and Y. Fang, “An identity-based security sys-
tem for user privacy in vehicular ad hoc networks,” IEEE Trans. Parallel
Distrib. Syst., vol. 21, no. 9, pp. 1227–1239, Sep. 2010.
[30] “Vehicle safety communications project,” U.S. Dept. Transp., Nat. High-
way Traffic Safety Admin., Washington, DC, 2006.
[31] F. Wang, D. Zeng, and L. Yang, “Smart cars on smart roads: An IEEE in-
telligent transportation systems society update,” IEEE Pervasive Comput.,
vol. 5, no. 4, pp. 68–69, Oct.–Dec. 2006.
[32] Wave Syst. Corp. EMBASSY 2100 cryptographic controller. [Online].
Available: http://www.wave.com/about/datasheets/03-000139MBASSY
2100.pdf
[33] H. J. Yoon, J. H. Cheon, and Y. Kim, “Batch verification with ID-based
signatures,” in Proc. ICISC, vol. 3506, LNCS, 2005, pp. 233–248.
[34] C. Zhang, R. Lu, X. Lin, P. H. Ho, and X. Shen, “An efficient identity-
based batch verification scheme for vehicular sensor networks,” in Proc.
IEEE INFOCOM, 2008, pp. 246–250.
Kyung-Ah Shim received the Ph.D. degree in
mathematics from Ewha Womans University, Seoul,
Korea.
From 2000 to 2008, she was a Senior Re-
searcher with the Korea Information Security
Agency and then a Research Professor with the
Department of Mathematics, Ewha Womans Uni-
versity. In September 2008, she joined the Division
of Fusion and Convergence of Mathematical Sci-
ences, National Institute for Mathematical Sciences,
Daejeon, Korea, as a Senior Researcher. Her research
interest is cryptography.