Received July 12, 2021, accepted August 11, 2021, date of publication August 16, 2021, date of current

version August 31, 2021.

Digital Object Identifier 10.1109/ACCESS.2021.3104861

Efficient Short Group Signatures for Conditional

Privacy in Vehicular Ad Hoc Networks via ID
Caching and Timed Revocation
L. ELLEN FUNDERBURG AND IM-YEONG LEE
Department of Software Convergence, Soonchunhyang University, Asan 31538, South Korea
Corresponding author: Im-Yeong Lee ([email protected])
This work was supported in part by the Basic Science Research Program through the National Research Foundation of Korea (NRF)
funded by the Ministry of Education under Grant NRF-019R1A2C1085718, in part by the Soonchunhyang University Research Fund, and
in part by the Brain Korea 21 (BK21) FOUR (Fostering Outstanding Universities for Research) under Grant 5199990914048.

ABSTRACT Vehicular Ad hoc Networks (VANETs) are a subset of the Internet of Things (IoT) that are
used in smart traffic applications. Due to their high speed, mobility, and exposure to the environment,
the security requirements for VANETs result in the conflicting design goals of protecting member privacy
while also ensuring non-repudiation. Group signature schemes can fulfill these requirements, but often at the
cost of expensive bilinear pairing operations. Furthermore, the cost of updating the group key information
can be costly. Accordingly, this paper has two goals. First, it presents a group signature scheme that has
been modified to remove pairing operations by caching computed values, while still preserving the critical
requirement of conditional privacy. Second, this paper presents an argument for the abandonment of perfect
forward and backward secrecy in VANET schemes in order to prevent the generation of keys that are never
used, or used only once, and reduce the twin burdens of excessive key recalculation and key redistribution
on the system.

INDEX TERMS Short group signatures, conditional privacy, revocation, forward secrecy, backward secrecy,
elliptic curve caching, VANET, timed key updates.

I. INTRODUCTION While VANET is an application of Internet of Things (IoT),

Vehicular Ad hoc Networks (VANETs) are a specialization of
Mobile Ad hoc Networks (MANETs) [1] connecting vehicles
with other vehicles as well as roadside infrastructure [2]. The
goals of a VANET may include maintaining smooth traffic
flow, improving safety for traffic as well as pedestrians, and
providing comfort, entertainment, or quality of life services
to drivers and passengers [3]. In a typical VANET, vehi-
cles communicate via wireless connections with neighboring
vehicles, vehicle-to-vehicle (V2V), as well as fixed-location
devices located along the roadways, vehicle-to-infrastructure
(V2I) [3]. The latter are typically called Road Side Units
(RSUs). In general, VANETs usually consist of a top-level,
fully-trusted server, known as a Trusted Authority (TA) or
Service Provider (SP), a middle level of semi-trusted RSUs,
and a final level of vehicles containing computers known as
On-Board Units (OBUs).
The associate editor coordinating the review of this manuscript and
approving it for publication was Zhe Xiao . groups based on RSU locations. Accordingly, there are many
the security requirements of VANET are a bit different than
other IoT systems. Most of the data collected from vehicles
in a VANET does not contain sensitive information [4] and
has low value for attackers. In general, the data are publicly
observable quantities such as vehicle speed, heading, break-
ing status, etc. Additionally, the data are usually ephemeral
so protecting access to previously collected data is also not
a priority. A much more costly, and potentially dangerous,
class of attacks on VANET involve the injection of false
data into the system, and in particular Sybil attacks [5]. This
places a high priority on securing the identity and authenti-
cation of message sources [6]. Conversely, another attack of
significant concern is malicious entities tracking individual
vehicles, which places a seemingly contradictory importance
on privacy [7]. Finally, the highly dynamic nature of the
system makes efficiency even more important than usual as
algorithms must execute quickly to ensure the updates do not
arrive too late to be of use.
As a practical matter, VANETs often divide vehicles into

This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
VOLUME 9, 2021 118065
 L. E. Funderburg, I.-Y. Lee: Efficient Short Group Signatures for Conditional Privacy in VANETs
VANET schemes using group key sharing or group signa-
tures [8]. In these schemes, the questions of how and when to
update the group keys are critical. In many IoT applications,
such as smart factories or smart power grids, the groups are
static or change only slowly over time. However, in the case
of VANET, group membership is highly dynamic. Depending
on the traffic situation, group membership may change as,
or possibly even more, frequently than the standard rate of
safety message updates [9].
When groups change, group key and group signature
schemes must concern themselves with the issues of for-
ward secrecy, joining members can’t read old messages,
and backward secrecy, departed members can’t read new
messages [10]. The concept of backward secrecy can be
extended in the case of group signatures to be departed
members can’t sign future messages. The decision of when
and when not to update the group keys is critical for perfor-
mance, but not often closely examined by VANET group key
schemes. In particular, some schemes assume group keys will
update every time a vehicle leaves [2], or even every time
group membership changes [11], [12], which may be imprac-
tical given the highly-dynamic nature of VANET group
membership.
This paper has two main goals: 1) We present a scheme
increasing the efficiency of group signatures via a method
of caching pairing calculations, as pairings are a relatively
slow mathematical operation. 2) We propose to use a fixed
interval for triggering group key updates instead of perfectly
preserving forward and backward secrecy, and provide a
thorough analysis in support of this proposition over other
methods.
The remainder of the paper is organized as follows.
Section II presents a summary of recent work on the topic.
Section III contains the proposed scheme. Section IV gives
an analysis of our scheme and evidence in support of fixed
interval group key updates. Section V concludes the paper.
II. RELATED WORK
VANET schemes can be primarily divided into schemes using
group keys and schemes using group signatures. Group key
schemes focus on efficient group key agreement and rekeying
algorithms. They often use symmetric group keys without
verification of the sender’s true identity, only verifying that
they are in possession of the current group key. Group sig-
nature schemes, on the other hand, attempt to also track
the identity of the message sender and frequently use zero-
knowledge proofs, where the sender proves possession of
a secret without revealing anything about that secret, with
bilinear pairings in order to provide conditional privacy. The
sender’s identity is protected from other group members, but
the possessor of the tracing key can reveal the identity in cases
of malicious behavior or disputes.
As noted above, many VANET schemes propose to use
symmetric group keys following vehicle authentication.
While using symmetric group keys makes for quick encryp-
tion and decryption times, there is no way to guarantee
118066
non-repudiation. All vehicles in the system have identical
keys and any identifying information included in the mes-
sage could have been forged or stolen. This results in a
system that is highly vulnerable to the injection of bad data,
without a reliable way to trace and remove the offending
vehicles even in the case such data is detected. For exam-
ple, among recently proposed group key schemes, schemes
by Cui et al. [13], Islam et al. [14], Liu et al. [15], and
Paliwal and Chandrakar [16] assign traceable pseudo-IDs to
vehicles, but the identities are only authenticated when the
vehicle joins (and for some schemes when it leaves) a group.
When the vehicles are within the system, they are free to
create mayhem. Without per-message pseudo-ID authentica-
tion, malicious vehicles could use fake identities to appear
as multiple vehicles or copy the identities of other vehicles
for use in impersonation attacks. While join-time authenti-
cation is an important layer of security, it is reasonable to
expect that a malicious entity may obtain valid credentials
through offline theft or forgery. Therefore, non-repudiation
and traceability are important features of VANET systems,
and vehicles should not be considered fully-trusted even after
their credentials have been authenticated.
In order to provide authentication, privacy, and non-
repudiation for messages by vehicles after they have joined
the system, some VANET schemes use group signatures with
conditional privacy. With conditional privacy, vehicle identi-
ties are protected from other vehicles but may be revealed by
a trusted entity. Many of these schemes use bilinear pairing
operations. One scheme using pairings for privacy preserving
authentication is the DIKE scheme by Lu et al. [2]. Unfor-
tunately, this scheme contains no tracing key, and it is not
possible to entirely revoke the privacy for a vehicle and reveal
its true identity. In this case, the scheme can only reveal if
a malicious entity is attempting to join the group multiple
times using the same private key or after being previously
revoked. The Alimohammadi & Pouyan scheme [17] uses the
same basic algorithm, but applies it to detecting duplicated
messages rather than duplicated join request. This scheme
shares the same problem that there is no mechanism for
tracing the true identity of the offending entity, only detecting
the attempt.
Zhang et al. proposed a different scheme using pairings
for privacy preserving signatures [18]. In this scheme, RSUs
can trace the identity of malicious nodes, however the trace
requires up to n pairing operations, where n is the num-
ber of vehicles in the group. Signature verification also
requires 3 pairing operations, although the verifications may
be batched.
Another scheme using pairings was proposed by
Azees et al. in [19]. Certificates containing pseudo-IDs are
sent along with each message to provide authentication.
There is only one pseudo-ID per vehicle and the IDs are
included on the certificates, so it is easy for other vehicles
to link messages from the same sender. In addition, while
pairings are not used for authentication, they are used for
checking message integrity and n + 1 pairings are required for
VOLUME 9, 2021
L. E. Funderburg, I.-Y. Lee: Efficient Short Group Signatures for Conditional Privacy in VANETs
n messages. Finally, while the TA can reveal the true identity
of a malicious node, there is no mechanism for revoking the
certificates of such nodes.
The short group signature algorithm proposed by Boneh,
Boyen, and Shacham (BBS) [20] provides conditional pri-
vacy preservation and forms the basis of the Lim et al. [21]
and Hao et al. [22] group signature schemes. These BBS
signatures have the advantage of providing a tracing key
that may be used to reveal the identities of message sign-
ers. However, they require pairing operations to authenticate
the signatures, which are relatively expensive mathematical
operations.
While many VANET signature schemes use elliptic
curve pairings to provide authenticated conditional privacy,
Zhong et al. [23] proposed a scheme without them. In the
Zhong scheme, the RSU for the group authenticates the sig-
natures and broadcasts a Bloom filter list of valid and invalid
messages to the vehicles. This method requires RSUs to issue
validation messages for every vehicle message before other
vehicles will process it, which increases message traffic and
creates a delay in time-critical V2V message processing as
vehicles wait for the message confirmation. The use of a
Bloom filter also introduces the problem of false positives.
Another set of schemes uses individual signatures, rather
than group signatures, to validate the messages. These
schemes use traceable pseudo-IDs in order to hide the ori-
gin of the messages from other vehicles in the system.
Two schemes using similar signatures were proposed by
Zhang et al. [24] and Cui et al. [25]. The Zhang scheme uses
the Chinese Remainder Theorem in order to quickly and
efficiently handle both initial key distribution and key updates
when group members change. The Cui scheme focuses on
the use of content sharing among neighboring vehicles in
order to reduce the network burden of accessing content from
distant servers. In both schemes, vehicles create traceable
pseudo-IDs for message signing, but there is no authentica-
tion in the signatures of the real IDs used to create the pseudo-
IDs. Malicious vehicles could use random numbers in place
of their real identifiers in order to create untraceable pseudo-
IDs. The schemes assume a theoretical tamper-proof device
in order to prevent this behavior.
Zhang et al. [26] present another scheme in this cate-
gory. Their scheme involves a future-facing system that uses
selected vehicles as edge nodes in order to take advantage
of 5G technology and remove the need for cumbersome
RSUs. As with the previous two schemes, this scheme does
not validate the real IDs (5G_ID) during the signature ver-
ification phase. Therefore, a malicious vehicle could sign a
message using a random value for its ‘‘real’’ identifier and
remain untraceable. This scheme does have an advantage over
the previous two in that it is possible for the TA to detect a
fake real ID given a message signature. However, the mes-
sages would still have been received and processed by the
vehicles in the group before the TA could detect the problem.
In addition, this requires the TA to check all messages from all
vehicles in the system to detect a problem. Finally, the TA can
VOLUME 9, 2021
only detect fake IDs by looping through a database of stored
identity tuples in order to confirm that none of the real IDs
stored match the ‘‘real’’ ID used for signing. As the number
of registered vehicles in the system grows, it will become
increasingly difficult to detect fake identities in real-time.
A final category of VANET schemes uses methods that pre-
clude broadcast messaging, such as asymmetric encryption or
1:1 symmetric keys for communication between each vehicle
pair. One example is signcryption schemes such as those
proposed in Zhou et al. [27] and Ali et al. [28], which require
the public key of the receiver. Schemes using 1:1 symmetric
keys include Xiong and Tang [29] and Li et al. [30]. Due to
the large group sizes, high speeds, and time criticality of the
data, schemes that lack support for broadcast communication
to anonymous receivers are impractical for VANET applica-
tions. Furthermore, the above schemes require unique keys
for every member of the system, which presents a risk to
privacy.
To overcome the shortcomings of the schemes discussed in
this section, we propose a new scheme that uses the caching
of pre-computed bilinear pairing values and restricts routine
group secret updates to timed intervals. These modifications
preserve the advantages of existing schemes with regards
to message authentication and conditional privacy while
providing increased efficiency. A table comparing the pro-
posed scheme with recent similar schemes is included in the
Analysis section.
III. PROPOSED SCHEME
The basis of our scheme is a system using Boneh, Boyen, and
Shacham short group signatures [20] that has been configured
for detecting Sybil attacks as described in [9]. In a Sybil
attack a vehicle sends messages appearing to come from
many different vehicles in order to create the illusion of addi-
tional traffic or out-vote honest vehicles to create erroneous
condition reports [31].
The system used in this scheme consists of 3 levels as
shown in Fig. 1: a top level with one or more TAs that control
the group master keys, a middle level of more numerous
FIGURE 1. System Hierarchy.
118067
 L. E. Funderburg, I.-Y. Lee: Efficient Short Group Signatures for Conditional Privacy in VANETs

FIGURE 2. Messaging.

Regional Traffic Monitors (RTMs) that manage and moni-
tor the vehicles within their respective geographic coverage
areas, and a final level for the OBUs. In this system, the RSUs
are only semi-trusted relay nodes that convey the short-range
wireless communications of the vehicles to the RTMs or TAs..
All OBUs within a single RTM’s geographic coverage
area form a group. The OBUs communicate with each other
and that RTM using privacy-preserving group signatures via
a Dedicated Short-Range Communication (DSRC) standard
such as IEEE 802.11p for Wireless Access in Vehicular
Environments (WAVE) [32]. The RTM is responsible for
monitoring the group to detect Sybil attacks, as well as other
malicious behavior, and reporting traffic and road conditions
to other parts of the system.
signature verification. In this scheme, a single pairing oper-
ation is required the first time an OBU signature is verified,
but all subsequent signature verifications for that OBU are
pairing free.
The proposed scheme consists of 8 steps, as can be seen
in Fig. 2: 1) The TA generates the group public parameters
as well as the master and tracing keys. 2) The tracing key is
sent to the RTM in charge of the group. 3) An OBU wishing
to join the group sends its identification to the TA via an
RSU relay or direct 5G connection to the internet. 4) The
TA authenticates the OBU, and 5) generates a private group
signing key for that OBU. 6) The TA informs the RTM of the
OBU joining the group. 7) The TA sends the signing key to
the OBU. 8) The OBU sends messages to the RTM and other
group members signed with its signing key.

A. OVERVIEW B. DETAILS
The TA initially generates the group public, master, and The notations used in this paper are shown in Table 1.
tracing keys for each RTM. Each tracing key is distributed to
the corresponding RTM, but the master keys are held by the
TABLE 1. Notations.
TA so that semi-trusted RTMs may not generate group keys.
When an OBU enters the coverage area of an RTM, the OBU
contacts the TA in order to authenticate its identity and receive
a group secret key to use for signing messages within that
RTM group. The TA notifies the appropriate RTM of the new
group member, and sends the pseudo-ID for that OBU to
that RTM. The RTM can then use the tracing key to monitor
message signatures and detect when an OBU is sending more
messages than it should in an attempt to perform a Sybil
attack. In the event a Sybil attack, or any other malicious
behavior is detected, the RTM can report the pseudo-ID of the
malicious node to the TA, which can regenerate group keys to
exclude the malicious node as well as map the pseudo-ID of
the OBU to its real-world ID for reporting to law enforcement
or other authorities.
The scheme presented here differs from the system in [9] 1) BILINEAR MAPS
and other schemes using BBS signatures because it caches For each RTM, G1 and G2 are two bilinear, multiplicative,
some of the pairing calculations to reduce the cost of cyclic groups of prime order p. g1 is a generator of G1 and g2

118068 VOLUME 9, 2021

L. E. Funderburg, I.-Y. Lee: Efficient Short Group Signatures for Conditional Privacy in VANETs

is a generator of G2 . e is a computable map e : G1 ×G2 → GT 4) SIGNATURE GENERATION

and e(g1 , g2 ) 6 = 1. Following the BBS short group signature algorithm, when an
OBU wants to send a message, it signs the message using its
2) INITIALIZATION private signing key as follows:
For each RTM, the TA configures a signature group. The TA 1. Choose random values for α, β ← Zp .
randomly selects hj ← G1 \{1G1 } and ζ1j , ζ2j ← Z∗p and sets β
2. Compute T1 ← uαj , T2 ← vj , T3 ← Aji hj , δ1 ←
α+β
uj , vj ∈ G1 such that xji α, and δ2 ← xji β.
ζ ζ 3. Choose random values for rα , rβ , rx , rδ1 , rδ2 ← Zp .
uj 1j = vj 2j = hj . (1) r
4. Compute R1 ← urj α , R2 ← vj β , R3 ← e (T3 , g2 )rx ·
−rδ
Then it randomly selects the group master key γj ← Z∗p

−r −r
−r −r
e hj , wj α β · e hj , g2 δ1 δ2 , R4 ← T1rx · uj 1 ,
and sets −rδ
and R5 ← T2rx · vj 2 .
γ
wj = g2j . (2) 5. Construct a challenge value using a publicly known
hash function and the values computed above: c ←
In order to reduce pairing computations when generating H (M , T1 , T2 , T3 , R1 , R2 , R3 , R4 , R5 ) ∈ Zp .
and evaluating signatures, the TA also precomputes the pair- 6. Compute sα = rα + cα, sβ = rβ + cβ, sx = rx + cxji ,
ings [20] sδ1 = rδ1 + cδ1 , and sδ2 = rδ2 + cδ2 .
p1j = e hj , wj ,


(3) 7. Set the final signature value as σ ← (T1 , T2 , T3 , c, sα ,
sβ , sx , sδ1 , sδ2 ).
p2j = e hj , g2 ,


(4)
This creates a zero-knowledge proof of signature. Without
pg = e (g1 , g2 ) . (5) access to the tracing key, verifiers cannot know the pseudo-ID
The public parameters for group j are (g1 , g2 , pg , hj , uj , vj , of the OBU that signed the message. They can only know that
wj , p1j , p2j ) and the tracing key is (ζ1j , ζ2j ). The public param- the message was signed by an OBU with a valid private key.
eters are distributed to all entities in the group, as well as new This prevents malicious OBUs from impersonating the signer
OBUs on joining. The tracing key is sent to the RTM in charge by reusing its pseudo-ID, as well as providing some privacy
of group j, RTMj . to the OBU.
The pairing calculations can be completely eliminated
3) OBU JOINING from message signing [20]. The pairings using g2 , hj , and wj
were included in the public parameters, so the R3 calculation
When an OBU enters an RTM coverage area, the OBU
becomes
contacts the TA to obtain its group signature key for that
−r −rβ −rδ1 −rδ2
RTM. The TA authenticates the real identity of the OBU via a R3 ← e (T3 , g2 )rx · p1j α · p2j . (7)
Public Key Infrastructure (PKI). Offline, each OBU receives
an identity certificate signed by an issuing authority when Furthermore, the e (T3 , g2 ) pairing can also be eliminated
the vehicle is registered with the government. When an OBU by using the precomputed pairing provided as part of the
α+β
contacts the TA in order to join an RTM’s group, the TA private signing key [20]. Substitute Aji hj for T3 to get
checks the signature of that certificate in order to verify the 
α+β

real identity of the OBU. If the certificate is valid, the TA e Aji hj , g2 (8)
uses the public key included with the certificate to establish and separate the terms into
a secure channel with the OBU. Note that this certificate is
 α+β 
used only for the initial authentication step. e Aji , g2 e hj , g2 . (9)
After the OBU’s real identity is verified as being allowed
to join the system, the TA generates a private signing key for Then it can be seen that both pairings can be done using
the OBU by randomly selecting xji ← Z∗p then calculating precomputed values
the pseudo-ID for the OBU as
α+β
e Aji , g2 e hj , g2 .


(10)
1/(γj +xji )
Aji ← g1 , (6) This makes the final R3 calculation
α+β rx −rδ −rδ
 
where j is the RTM group and i is the OBU. Additionally, −r −r
R3 ← pji · p2j · p1j α β · p2j 1 2 . (11)
pji = e Aji , g2 will be precomputed. The private signing

key for OBUi is then (Aji , xji , pji ).
The private signing key and group public parameters are
then encrypted with the public key from the OBU’s PKI
certificate and sent securely to the OBU. The pseudo-ID for
the OBU, Aji , is also sent to the RTM via a secure channel.
The second component of the OBU’s signing key, xji , will not
be known by the RTM.
For reasons detailed in the next section, Signature Verifi-
cation, in this scheme random values of α and β will only
be used for the initial signature. Subsequent signatures will
reuse the same α and β values. This will greatly increase the
efficiency of the algorithm at the potential cost of some loss
of privacy due to the values of the T parameters remaining
constant across all messages signed by the same OBU. This

VOLUME 9, 2021 118069

 L. E. Funderburg, I.-Y. Lee: Efficient Short Group Signatures for Conditional Privacy in VANETs
trade-off, including the reasons that this weakening of privacy
is not as consequential as might be feared at first glance,
is discussed further in the Analysis section.
5) SIGNATURE VERIFICATION
When group members receive a message, they can verify the
signature as follows:
s ephemeral nature of groups in VANET makes it extremely
1. Compute R̃1 ← usj α /T1c , R̃2 ← vj β /T2c , R̃3 ←

−s −s
−s −s
e (T3 , g2 )sx · e hj , wj α β · e hj , g2 δ1 δ2 ·
e(T3 ,wj ) c sδ sδ
e(g1 ,g2 ) , R̃4 ← T1sx /uj 1 , and R̃5 ← T2sx /vj 2 .
2. Verify the challenge by checking c = H (M , T1 , T2 , T3 ,
R̃1 , R̃2 , R̃3 , R̃4 , R̃5 ).
As in the case of signature generation, several pairings
can be eliminated from the verification process by using the
precomputed values provided as part of the public parameters.
However, unlike in the case of signature generation, two
pairings remain, e (T3 , g2 ) and e T3 , wj . These pairings can

its access to the system will be immediately removed. The
be combined into a single pairing [20],
 
e T3 , wcj gs2x . (12)
sx

This can be seen by rewriting the pairings as e T3 , g2 and
e T3 , wcj then combining them. The R̃3 calculation can then
be written as
 
−s −s −sδ −sδ
e T3 , wcj gs2x · p1j α β · p2j 1 2 · p−c
g . (13)
While a single pairing is much better than five, pairings
are still very expensive compared to other mathematical
operations [13], [23], [33]. In order to achieve performance
similar to a pairing-free algorithm, while retaining the critical
security features provided by group signatures, we propose to
cache the T3 pairing.
In the original BBS short group signature scheme,
T3 changed with every signature. In the proposed scheme,
signers will use constant values for T3 . With T3 constant,
verifiers can compute the T3 pairing just once, the first time
a message is received from that signer, and cache that value.
Subsequent messages from the same signer can accordingly
be verified without any pairing calculations.
6) TRACING
When malicious activity is detected, an RTM can use the
tracing key to unmask the pseudo-ID of the offending node
as shown:
ζ ζ
Aji ← T3 /(T1 1j · T2 2j ). (14)
The pseudo-ID is reported to the TA, which regenerates
the group keys using the steps above for Initialization and
OBU Joining, maps the pseudo-ID to a real-world ID, and
reports the real-world ID to the appropriate agencies. A list
of banned IDs is maintained by the TAs and these IDs will
not be allowed to rejoin the system.
118070
7) OBU LEAVING
When an OBU leaves the group naturally, i.e. by exiting
the area or disconnecting from the system, no action is
taken. Instead, the group keys will be periodically updated at
rate tre−key , which can be determined according to the traffic
density and infrastructure capabilities in an installed area.
As discussed below in the Analysis section, the highly
inefficient to perfectly preserve forward and backward
secrecy, and the nature of the message contents makes it
unnecessary. The main goal of a VANET group key scheme
should be to prevent malicious nodes from injecting false data
or otherwise corrupting the system. Accordingly, valuable
bandwidth and computation time should not be expended to
immediately remove group privileges from OBUs that tra-
versed the region without exhibiting any malicious behavior.
On the other hand, when a malicious node is detected
RTM will notify the TA of the malicious node and the TA
will regenerate and reissue group keys for all other OBUs
following the same steps described above in Initialization and
OBU Joining.
IV. ANALYSIS
A. SCHEME SECURITY AND EFFICIENCY
VANET security schemes should seek to balance the oppos-
ing needs of authentication/non-repudiation and privacy.
Authentication and non-repudiation prevent the injection of
potentially dangerous false data into the system, while pro-
tecting privacy is necessary to prevent the stalking or targeting
of individual users. In addition, efficiency is particularly
important in VANET applications due to the time-sensitive
nature and volume of the data. Table 2 shows a comparison of
the proposed scheme with other recently proposed schemes.
1) AUTHENTICATION
In order to forge a signature, an attacker must create a valid

signature with an arbitrary value for one half of the Aji , xji
pair without knowing the master key. If an attacker chooses
an arbitrary value for Aji . In order to obtain a matching xji
the attacker must invert (6), but without knowing the master
key, the value of xji that successfully completes the challenge
cannot be distinguished from a random member of the set Zp .
The same holds if the attacker chooses an arbitrary xji and
attempts to obtain the corresponding Aji . If the value of γj
used to compute Aji does not match the value of γj used to
compute wj the R̃3 challenge will fail and the signature will
be flagged as invalid. Furthermore, obtaining the γj from (2)
requires solving the Discrete Logarithm Problem.
2) NON-REPUDIATION
The property of non-repudiation holds for the signatures.
After a valid signature has been produced and authenticated,
a vehicle cannot plausibly deny producing that signature
when its pseudo-ID, Aji , has been revealed via the tracing key.
VOLUME 9, 2021
L. E. Funderburg, I.-Y. Lee: Efficient Short Group Signatures for Conditional Privacy in VANETs
TABLE 2. Comparison of proposed scheme with existing schemes N/A = not applicable.
First, a vehicle cannot produce a valid signature without
including an Aji value calculated using the master key, γj . If a
random value is used for Aji , the R̃3 portion of the challenge
will fail. In order to pass the R̃3 challenge,
 x
 values Aji and xji to compute the value of the TA’s master key
e Aji , wj g2ji (15)
must equal
e (g1 , g2 ) . [20]
For the first pairing, substitution yields
 1/(γ +x ) γ x 
e g1 j ji , g2j g2 ,
ji
and by rearranging the terms to
 −γ −x γ +x 
e g1 j ji , g2j ji
it can be seen that value of γj used to compute Aji must equal
the value of γj used to compute wj .
Second, a vehicle cannot reuse the T1 , T2 , T3 values
from another vehicle’s signature. Computing the value of Aji
from T1 , T2 , T3 without the tracing key requires solving the
Decision Linear Problem [20]. Furthermore, even if a mali-
cious vehicle were able to obtain the Aji for another vehicle,
the challenge will fail without the corresponding value of xji ,
as seen from the R̃3 challenge above in (17) where the value
x
of xji in g2ji must match the xji used to compute Aji .
Third, a vehicle cannot reuse the signature of another
vehicle. The challenge hash calculation includes the message
contents, M ; therefore, the signature value will change for
each message. A malicious vehicle can merely replay an
identical message, which is easily detected through the use
of timestamps or incrementing message serial numbers, for
example.
Fourth, a malicious vehicle cannot collude with a malicious
RSU in order to steal the Aji of another vehicle (via the
VOLUME 9, 2021
RSU’s access to the tracing key) and use that to create a valid
signature. The challenge will fail without knowledge of the
corresponding xji value as discussed in the second point.
Finally, a vehicle cannot use its own private signature key
from (6) because that requires solving the Discrete Logarithm
Problem to obtain a value for 1/(γj +xji ) before solving for γj .
(16) 3) PRIVACY
The proposed scheme preserves the over-all privacy of the
vehicles. The pseudo-ID contains no information about the
(17) real-world identity of the vehicle. The mapping of pseudo-
ID to real-world identity is stored in a table accessible only
to the TA, which is fully trusted. An RTM may easily obtain
(18) a vehicle’s pseudo-ID from its signature via the tracing key,
but it cannot associate that pseudo-ID with the vehicle’s
real-world identity. In addition, as discussed above in Non-
Repudiation, vehicles cannot trace the pseudo-IDs of other
vehicles without solving the Decision Linear Problem.
Although knowledge of a vehicle’s real-world identity as
well as its pseudo-ID is protected in the proposed scheme,
the scheme does allow some tracking of a vehicle in exchange
for an increase in efficiency compared to similar schemes.
Because the T3 value for a vehicle is fixed, other members of
the group can use the T3 value to track a vehicle within the
group until the group key updates. However, the T3 values are
not linked following group key updates, so the tracking will
not continue beyond the specified group key update rate.
Another consideration is that vehicles may be tracked using
some combination of known physical factors such as position,
heading, speed, etc. [34]. In fact, the contents of the standard
messages of intelligent transportation systems, for example
the Cooperative Awareness Message (CAM) [35] from the
European Telecommunications Standards Institute (ETSI)
and the Basic Safety Message (BSM) [36] of the SAE J2735
118071
 L. E. Funderburg, I.-Y. Lee: Efficient Short Group Signatures for Conditional Privacy in VANETs
TABLE 3. Execution times for cryptographic operations.
standard, are designed to aid trajectory prediction. While the
intention is to allow vehicles to predict the future positions of
other vehicles in order to avoid collisions, this means that by
design it should be easy to track the position of a target vehicle
in a VANET without any identifying information. Therefore,
the ability to track vehicles due to the use of fixed values for
T3 is of minimal impact.
4) EFFICIENCY
By using a mixture of pre-computed and cached pairing
results, the proposed scheme gains an efficiency advantage
during signature verification over other schemes. Moreover,
this efficiency is not gained at the price of conditional privacy
preservation. In the proposed scheme it is still possible for the
group manager to quickly trace the identities of any nodes
exhibiting malicious behavior. At the same time, vehicles
in the group cannot determine the pseudo-IDs of any other
vehicles in the group from their signatures.
The performance of the proposed scheme was compared to
existing schemes [18] and [21] as these schemes are the only
schemes reviewed that also provide tracing and authentication
of vehicle’s real identities. The estimated times required for
message signing and verification for the three schemes are
presented in Fig. 3. Timings for the non-negligible constituent
operations are presented in Table 3. The operation times
were measured using the C MIRACL Core Cryptographic
Library [37] on an Intel Core i7-8700 CPU @ 3.2 GHz
with 32 GB of RAM running the Windows 10 operating
system, averaged over many iterations in order to account for
interrupts due to background system operations.
FIGURE 3. Comparison of execution times.
A Barreto-Naehrig curve, BN462, was used for all three
schemes. This curve provides 128-bit security [38]. Both the
Zhang et al. scheme and Lim et al. scheme state isomorphism
118072
FIGURE 4. Tracing times for various group sizes.
between groups as a requirement, so as written they are not
compatible with BN462, which is a Type 3 curve [38]. How-
ever, the isomorphism requirement was originally included
by Boneh et al. in order to satisfy their definition of the
Strong Diffie-Hellmann (SDH) assumption given in [20]. In a
later paper, Boneh and Boyen introduced an updated defini-
tion of SDH that does not require isomorphism [39], [40].
This revised definition allows the use of the faster Type 3
curves with short group signature schemes, and therefore the
BN462 curve may be safely used in this analysis.
As can be seen from Fig. 3, the proposed scheme has a
performance advantage over the Lim scheme for all actions
and the Zhang scheme for unbatched signature verification
and tracing. In cases where message batching is possible,
the Zhang scheme will outperform the proposed scheme for
signature verification as the time remains essentially constant
regardless of the number of messages verified. However,
there may be many times in VANETs where message caching
is undesirable, for example in the cases of time-critical safety
or emergency messages.
The main disadvantage of the Zhang scheme compared
to the other two schemes lies in its message tracing algo-
rithm. The Zhang scheme traces message senders by looping
through a table of stored tracing and identity parameters with
one entry for each member of the group. Fig. 4 shows the
effect of this iteration on tracing time in relation to group
size, assuming that on average the tracing will find the correct
vehicle after searching half of the table. The tracing times of
the other two schemes remain constant as the identities are
computed directly and not dependent on the size of the group.
The ability to revoke privacy and trace a message signer
is an important part of identifying and removing malicious
vehicles in VANETs. For example, in order to detect Sybil
attacks, it must be possible for some monitoring authority to
quickly link messages sent by the same vehicle using different
pseudo-IDs. As traffic density grows, the Zhang scheme’s
tracing algorithm quickly becomes inadequate for detecting
these kinds of attacks.
VOLUME 9, 2021
L. E. Funderburg, I.-Y. Lee: Efficient Short Group Signatures for Conditional Privacy in VANETs
FIGURE 5. Houston (I-45/610).
FIGURE 6. Seattle (I-5/405).
Finally, our scheme proposes to restrict group key updates
to timed intervals in the case of normal operation. This would
greatly reduce group key updates compared to other schemes,
and therefore also provide increased efficiency by reducing
the messaging and calculations associated with updating the
group keys. A detailed analysis of group key update fre-
quency is presented below.
B. ANALYSIS OF FORWARD & BACKWARD SECRECY
Some schemes propose to preserve forward and backward
secrecy perfectly by updating the group secret for every
vehicle that leaves and, in many current schemes, also for
joining members [2], [11]–[13], [15], [16], [18], [24], [26].
In order to investigate the required update frequency for such
a strategy under some common traffic conditions, publicly
available traffic count data for three US cities: Houston [41],
Seattle [42], and New York [43] were analyzed.
In each city, a busy interchange was chosen for the inves-
tigation. Sample locations are shown in Figs. 5, 6, and 7.
A 1km radius was used to mark the group boundaries as that
is typically defined to be the area covered by a single RSU
as it is the maximum transmission distance in the WAVE
standard [6].
VOLUME 9, 2021
FIGURE 7. New York (Queens-Midtown Tunnel).
Traffic counts were obtained for morning and evening rush
hour periods. Rush hour is often not the busiest time of day for
each of the interchanges analyzed, but it represents a typical
period of heavy traffic in US cities. Traffic counts were
taken from 2019 in order to avoid undercounts in 2020 due
to a dramatic, and atypical, reduction in traffic during the
COVID-19 pandemic [44].
A few assumptions were made due to the limited availabil-
ity of data samples, which were generally only measured on
major roads. First, only traffic on major roads was considered.
Traffic entering or leaving the group on side streets was
considered negligible. Second, traffic on major roads was
assumed to continue on the major roads without exiting.
This assumption was necessary due to the distance of some
count sensors from the 1km radius. A comparison of Annual
Average Daily Traffic (AADT) counts, which were often
closer to the group boundary modeled but do not report the
required fine-grained hourly data, supported this assumption.
Finally, in several cases hourly traffic counts were not avail-
able for one of the routes included. In those cases, an hourly
estimate was made using the 2019 AADT for that route. It’s
important to note that the first and third assumptions almost
certainly lead to an undercount, which means the required
group rekeying time would likely be somewhat greater than
these calculations show.
Tables 4, 5, and 6 show the traffic counts leaving the
1 km radius circle for each metropolitan area, and Table 7
shows the resulting calculations of the required frequency of
group secret updates in order to perfectly maintain forward or
backward secrecy. In the case of Houston, between 7am and
8am 24040 vehicles cross the RSU boundary at the studied
intersection to leave the group. This is the highest volume of
traffic that occurs at that intersection during the three hours
we investigated. With 24040 vehicles leaving the area over
the course of an hour, just over 6 vehicles will leave the
area per second. The group key schemes referenced in this
paper define their groups based on geographical location.
This means that around 6 cars will leave the group per second.
If the group keys are updated every time a car leaves the
118073
 L. E. Funderburg, I.-Y. Lee: Efficient Short Group Signatures for Conditional Privacy in VANETs
TABLE 4. Houston traffic counts.
TABLE 5. Seattle traffic counts.
TABLE 6. New York City traffic counts.
TABLE 7. Total traffic counts and rate of group exit at peak traffic.
group, the group keys will change at a rate of 150ms. The
worst case rate of our sampled locations requires the group
key to update every 139ms.
The BSM of the SAE J2735 standard should be sent about
every 100ms [36]. Using actual traffic counts, in all of the
sampled cases, at most two BSMs could be sent before a car
departed the group. In fact, it can clearly be seen that two
messages would be a best case scenario. At almost all of the
sample times and locations, keys could only be guaranteed to
be used to send at most one BSM. Additionally, these random
samples do not even represent worst-case scenarios. At all
locations there were times of day and days of the year that
exceeded the traffic counts used in our analysis. Furthermore,
there is no reason to think these samples capture the busiest
traffic locations in the US, or the world.
Given the calculated rate of group change, updating group
keys for every vehicle that leaves or joins a group is a waste
118074
of the work done to calculate and distribute the keys in the
first place, and may even be impossible with real-world trans-
mission times and processor loads. Similarly, attempting to
preserve forward and backward secrecy by alternative meth-
ods, such as maintaining some form of revocation list, would
require those structures to grow and change at an impracti-
cal rate. When real-world traffic conditions are considered,
it makes sense that some forward and backward secrecy is
sacrificed in the absence of known malicious VANET mem-
bers in order to allow the use of group keys for more than a
single message before regenerating and redistributing a new
shared secret. The appropriate timing of the updates will
likely vary given the traffic and network characteristics of any
given area.
While relaxing forward and backward secrecy introduces
some security risks, these risks should be minimal. In the
case of vehicles that join a group, access to previously sent
VOLUME 9, 2021
L. E. Funderburg, I.-Y. Lee: Efficient Short Group Signatures for Conditional Privacy in VANETs
messages is of little use in VANET due to the ephemeral and
open nature of the data. In the case of vehicles that leave a
group, vehicles that leave the group by crossing a geographic
boundary have already had access to the group keys and could
have attempted insider attacks at any time. When a vehicle
leaves a group without having committed any attacks against
the group, it is reasonable to continue trusting that vehicle
for some short time more until the next scheduled group key
update. On the other hand, if a malicious vehicle is detected,
the group secret should be updated immediately in order to
preserve secrecy in the presence of a known bad actor.
At this point, it is reasonable to question why the group
key should ever be updated barring malicious activity. There
are several arguments in favor of periodic group key updates.
First, pseudo-IDs will remain the same until the group key
updates. This makes it easier to track vehicles by their
pseudo-IDs, although as discussed above there are other,
physical means of tracking vehicles. A second argument is
that the longer the group keys remain the same, the more time
an attacker has to amass a set of valid keys in order to perform
a Sybil attack, for example. Finally, changing the group key
‘‘resets’’ the group, which clears old data from tables and
memory caches in order to prevent them from growing too
large and slowing down the system as vehicles that have
departed the geographic area need no longer be monitored
or processed by the RTM.
V. CONCLUSION
In this paper, we presented an improved VANET security
scheme using short group signatures which increases signing
and signature validation efficiency by reducing pairing oper-
ations through the use of cached calculation results. In addi-
tion, the scheme also improves overall system efficiency by
using timed group key updates instead of changing the keys
in response to members departing the group. This extends
the life of the group keys, which reduces the computation
and communication burdens present in other schemes due to
the wasteful key updates that would result under real-world
traffic conditions.
In the future, we plan to explore methods to completely
eliminate pairings and other costly operations from both
message signing and signature validation operations with-
out sacrificing the benefits of short group signatures which
include conditional privacy, non-repudiation, and broadcast
messaging ability. Furthermore, traffic and network simu-
lations could be created using real-world traffic count data
to better model the actual performance issues involved with
VANET and group keys.
REFERENCES
[1] R. Vishwakarma, R. Barskar, and M. Ahirwar, ‘‘Secure key management
in vehicular ad-hoc network: A review,’’ in Proc. SCOPES, Odisha, India,
2016, pp. 1688–1694.
[2] R. Lu, X. Lin, X. Liang, and X. Shen, ‘‘A dynamic privacy-preserving
key management scheme for location-based services in VANETs,’’ IEEE
Trans. Intell. Transp. Syst., vol. 13, no. 1, pp. 127–138, Mar. 2012, doi:
10.1109/TITS.2011.2164068.
VOLUME 9, 2021
[3] M. S. Sheikh, J. Liang, and W. Wang, ‘‘A survey of security services,
attacks, and applications for vehicular ad hoc networks (VANETs),’’ Sen-
sors, vol. 19, no. 16, p. 3589, Aug. 2019, doi: 10.3390/s19163589.
[4] M. Raya and J.-P. Hubaux, ‘‘Securing vehicular ad hoc networks,’’ J. Com-
put. Secur., vol. 15, no. 1, pp. 39–68, 2007.
[5] F. Sakiz and S. Sen, ‘‘A survey of attacks and detection mechanisms
on intelligent transportation systems: VANETs and IoV,’’ Ad Hoc Netw.,
vol. 61, pp. 33–50, Jun. 2017, doi: 10.1016/j.adhoc.2017.03.006.
[6] M. N. Mejri, J. Ben-Othman, and M. Hamdi, ‘‘Survey on VANET security
challenges and possible cryptographic solutions,’’ Veh. Commun., vol. 1,
no. 2, pp. 53–66, Apr. 2014, doi: 10.1016/j.vehcom.2014.05.001.
[7] B. Parno and A. Perrig, ‘‘Challenges in securing vehicular networks,’’ in
Proc. HotNets, College Park, MD, USA, 2005, pp. 1–6.
[8] D. Manivannan, S. S. Moni, and S. Zeadally, ‘‘Secure authentica-
tion and privacy-preserving techniques in vehicular ad-hoc NETworks
(VANETs),’’ Veh. Commun., vol. 25, Oct. 2020, Art. no. 100247, doi:
10.1016/j.vehcom.2020.100247.
[9] L. E. Funderburg and I.-Y. Lee, ‘‘A privacy-preserving key management
scheme with support for sybil attack detection in VANETs,’’ Sensors,
vol. 21, no. 4, p. 1063, Feb. 2021, doi: 10.3390/s21041063.
[10] H. Alzaid, D. Park, J. G. Nieto, C. Boyd, and E. Foo, ‘‘A forward
and backward secure key management in wireless sensor networks for
PCS/SCADA,’’ in Proc. S-CUBE, Pisa, Italy, vol. 24, 2009, pp. 66–82, doi:
10.1007/978-3-642-11528-8_6.
[11] K. K. Chauhan, S. Kumar, and S. Kumar, ‘‘The design of a secure key
management system in vehicular ad hoc networks,’’ in Proc. Conf. Inf.
Commun. Technol. (CICT), Gwalior, India, Nov. 2017, doi: 10.1109/INFO-
COMTECH.2017.8340636.
[12] A. Mansour, K. M. Malik, A. Alkaff, and H. Kanaan, ‘‘ALMS: Asymmetric
lightweight centralized group key management protocol for VANETs,’’
IEEE Trans. Intell. Transp. Syst., vol. 22, no. 3, pp. 1663–1678, Mar. 2021,
doi: 10.1109/TITS.2020.2975226.
[13] J. Cui, X. Tao, J. Zhang, Y. Xu, and H. Zhong, ‘‘HCPA-GKA: A hash
function-based conditional privacy-preserving authentication and group-
key agreement scheme for VANETs,’’ Veh. Commun., vol. 14, pp. 15–25,
Oct. 2018, doi: 10.1016/j.vehcom.2018.09.003.
[14] S. H. Islam, M. S. Obaidat, P. Vijayakumar, E. Abdulhay, F. Li,
and M. K. C. Reddy, ‘‘A robust and efficient password-based condi-
tional privacy preserving authentication and group-key agreement proto-
col for VANETs,’’ Future Gener. Comput. Syst., vol. 84, pp. 216–227,
Jul. 2018, doi: 10.1016/j.future.2017.07.002.
[15] L. Liu, Y. Wang, J. Zhang, and Q. Yang, ‘‘A secure and efficient group key
agreement scheme for VANET,’’ Sensors, vol. 19, no. 3, p. 482, Jan. 2019,
doi: 10.3390/s19030482.
[16] S. Paliwal and A. Chandrakar, ‘‘A conditional privacy preserving authen-
tication and multi party group key establishment scheme for real-time
application in VANETs,’’ Cryptol. ePrint Arch., pp. 1–27, Sep. 2019.
[Online]. Available: http://ia.cr/2019/1041
[17] M. Alimohammadi and A. A. Pouyan, ‘‘Sybil attack detection using a low
cost short group signature in VANET,’’ in Proc. ISCISC, Rasht, Iran, 2015,
pp. 23–28.
[18] C. Zhang, X. Xue, L. Feng, X. Zeng, and J. Ma, ‘‘Group-signature and
group session key combined safety message authentication protocol for
VANETs,’’ IEEE Access, vol. 7, pp. 178310–178320, Dec. 2019, doi:
10.1109/ACCESS.2019.2958356.
[19] M. Azees, P. Vijayakumar, and L. J. Deboarh, ‘‘EAAP: Efficient anony-
mous authentication with conditional privacy-preserving scheme for vehic-
ular ad hoc networks,’’ IEEE Trans. Intell. Transp. Syst., vol. 18, no. 9,
pp. 2467–2476, Sep. 2017, doi: 10.1109/TITS.2016.2634623.
[20] D. Boneh, X. Boyen, and H. Shacham, ‘‘Short group signatures,’’ in Proc.
CRYPTO, Santa Barbara, CA, USA, 2004, pp. 41–55, doi: 10.1007/978-3-
540-28628-8_3.
[21] K. Lim, W. Liu, X. Wang, and J. Joung, ‘‘SSKM: Scalable and secure
key management scheme for group signature based authentication and
CRL in VANET,’’ Electronics, vol. 8, no. 11, p. 1330, Nov. 2019, doi:
10.3390/electronics8111330.
[22] Y. Hao, Y. Cheng, C. Zhou, and W. Song, ‘‘A distributed key management
framework with cooperative message authentication in VANETs,’’ IEEE
J. Sel. Areas Commun., vol. 29, no. 3, pp. 616–629, Mar. 2011, doi:
10.1109/JSAC.2011.110311.
[23] H. Zhong, B. Huang, J. Cui, Y. Xu, and L. Liu, ‘‘Conditional
privacy-preserving authentication using registration list in vehicular ad
hoc networks,’’ IEEE Access, vol. 6, pp. 2241–2250, Dec. 2018, doi:
10.1109/ACCESS.2017.2782672.
118075
 L. E. Funderburg, I.-Y. Lee: Efficient Short Group Signatures for Conditional Privacy in VANETs
[24] J. Zhang, J. Cui, H. Zhong, Z. Chen, and L. Liu, ‘‘PA-CRT: Chi-
nese remainder theorem based conditional privacy-preserving authen-
tication scheme in vehicular ad-hoc networks,’’ IEEE Trans. Depend-
able Secure Comput., vol. 18, no. 2, pp. 722–735, Mar. 2021, doi:
10.1109/TDSC.2019.2904274.
[25] J. Cui, J. Chen, H. Zhong, J. Zhang, and L. Liu, ‘‘Reliable and
efficient content sharing for 5G-enabled vehicular networks,’’
IEEE Trans. Intell. Transp. Syst., early access, Sep. 24, 2020, doi:
10.1109/TITS.2020.3023797.
[26] J. Zhang, H. Zhong, J. Cui, M. Tian, Y. Xu, and L. Liu, ‘‘Edge computing-
based privacy-preserving authentication framework and protocol for 5G-
enabled vehicular networks,’’ IEEE Trans. Veh. Technol., vol. 69, no. 7,
pp. 7940–7954, Jul. 2020, doi: 10.1109/TVT.2020.2994144.
[27] F. Zhou, Y. Li, and Y. Ding, ‘‘Practical V2I secure communication schemes
for heterogeneous VANETs,’’ Appl. Sci., vol. 9, no. 15, p. 3131, Aug. 2019,
doi: 10.3390/app9153131.
[28] I. Ali, T. Lawrence, A. A. Omala, and F. Li, ‘‘An efficient hybrid sign-
cryption scheme with conditional privacy-preservation for heterogeneous
vehicular communication in VANETs,’’ IEEE Trans. Veh. Technol., vol. 69,
no. 10, pp. 11266–11280, Oct. 2020, doi: 10.1109/TVT.2020.3008781.
[29] W. Xiong and B. Tang, ‘‘A cloud based three layer key management scheme
for VANET,’’ in Proc GSKI, Chiang Mai, Thailand, 2017, pp. 574–587,
doi: 10.1007/978-981-13-0896-3_57.
[30] Q. Li, C.-F. Hsu, K.-K. Raymond Choo, and D. He, ‘‘A provably secure
and lightweight identity-based two-party authenticated key agreement pro-
tocol for vehicular ad hoc networks,’’ Secur. Commun. Netw., vol. 2019,
pp. 1–13, Dec. 2019, doi: 10.1155/2019/7871067.
[31] T. Zhou, R. R. Choudhury, P. Ning, and K. Chakrabarty, ‘‘Privacy-
preserving detection of Sybil attacks in vehicular ad hoc networks,’’
in Proc. MobiQuitous, Philadelphia, PA, USA, 2007, doi:
10.1109/MOBIQ.2007.4451013.
[32] J. B. Kenney, ‘‘Dedicated short-range communications (DSRC) Standards
in the United States,’’ Proc. IEEE, vol. 99, no. 7, pp. 1162–1182, Jul. 2011,
doi: 10.1109/JPROC.2011.2132790.
[33] D. He, S. Zeadally, B. Xu, and X. Huang, ‘‘An efficient identity-based
conditional privacy-preserving authentication scheme for vehicular ad
hoc networks,’’ IEEE Trans. Inf. Forensics Security, vol. 10, no. 12,
pp. 2681–2691, Dec. 2015, doi: 10.1109/TIFS.2015.2473820.
[34] J. Petit, S. Dietzel, and F. Kargl, ‘‘Privacy of connected vehicles,’’ in
Handbook Mobile Data Privacy, 1st ed. A. Gkoulalas-Divanis C. Bettini,
eds. Berlin, Germany: Springer, 2018, pp. 229–251.
[35] Intelligent Transport Systems (ITS) Vehicular Communications Basic Set
of Applications Part 2: Specification of Cooperative Awareness Basic
Service, document ETSI Technical Specification 102 637-2, V1.2.1,
2011.
[36] B. Cronin, ‘‘Vehicle based data and availability,’’ in Proc. ITSPAC.
Washington, DC, USA: United States Department of Transportation,
Oct. 2012, pp. 1–13. Accessed: May 8, 2021. [Online]. Available:
https://www.its.dot.gov/itspac/october2012/PDF/data_availability.pdf
[37] MIRACL Core Cryptographic Library. Accessed: Jul. 6, 2021. [Online].
Available: https://github.com/miracl/core
118076
[38] H. Okano, K. Emura, T. Ishibashi, T. Ohigashi, and T. Suzuki, ‘‘Implemen-
tation of a strongly robust identity-based encryption scheme over type-3
pairings,’’ in Proc. CANDAR, Nagasaki, Japan, 2019, pp. 191–196, doi:
10.1109/CANDAR.2019.00032.
[39] D. Boneh and X. Boyen, ‘‘Short signatures without random oracles and
the SDH assumption in bilinear groups,’’ J. Cryptol., vol. 21, no. 2,
pp. 149–177, Apr. 2008, doi: 10.1007/s00145-007-9005-7.
[40] A. L. Ferrara, M. Green, S. Hohenberger, and M. Pedersen, ‘‘Practical short
signature batch verification,’’ in Proc. CT-RSA, San Francisco, CA, USA,
2009, pp. 309–324, doi: 10.1007/978-3-642-00862-7_21.
[41] Texas Statewide Traffic Analysis and Reporting System (STARS II).
Accessed: Apr. 28, 2021. [Online]. Available: https://www.txdot.
gov/inside-txdot/division/transportation-planning/stars.html
[42] Washington State Traffic Data GeoPortal. Accessed: Apr. 28,
2021. [Online]. Available: https://www.wsdot.wa.gov/mapsdata/
tools/trafficplanningtrends.htm
[43] New York State Traffic Data Viewer. Accessed: Apr. 19, 2021. [Online].
Available: https://www.dot.ny.gov/tdv
[44] J. Du, H. A. Rakha, F. Filali, and H. Eldardiry, ‘‘COVID-19 pandemic
impacts on traffic system delay, fuel consumption and emissions,’’ Int.
J. Transp. Sci. Technol., vol. 10, no. 2, pp. 184–196, Jun. 2021, doi:
10.1016/j.ijtst.2020.11.003.
L. ELLEN FUNDERBURG received the B.S.
degree in computer and systems engineering from
Rensselaer Polytechnic Institute, Troy, NY, USA,
in 1999, and the M.S. degree in electrical and com-
puter engineering from The University of Texas at
Austin, Austin, TX, USA, in 2001. She is currently
pursuing the Ph.D. degree with the Department
of Software Convergence, Soonchunhyang Uni-
versity, Asan, South Korea.
She worked as a senior software engineer, from
2001 to 2010. She has been a Lecturer with the Department of Software
Convergence, Soonchunhyang University, since 2013. Her research interests
include applications of the Internet of Things, group signature schemes,
security of wireless communications, and VANET security.
IM-YEONG LEE was born in Busan, Republic of
Korea, in 1958. He received the B.S. degree from
Hongik University, Seoul, South Korea, in 1981,
and the M.S. and Ph.D. degrees from Osaka Uni-
versity, Osaka, Japan, in 1986 and 1989, respec-
tively. His research interests include information
security, cryptographic protocols, information the-
ory, and data communications.
VOLUME 9, 2021