Message Authentication Using Proxy Vehicles inVehicular Ad Hoc Networks

Yiliang Liu, Liangmin Wang, Member, IEEE, and Hsiao-Hwa Chen, Fellow, IEEE

Abstract—Normally, authentication in vehicular ad-hoc net-works (VANETs) uses Public Key Infrastructure (PKI) to verifythe integrity of messages and the identity of message senders. Theissues considered in the authentication schemes include the levelof security and computational efficiency in verification processes.Most existing schemes focus mainly on assuring the securityand privacy of VANET information. However, these schemesmay not work well in VANET scenarios. For instance, it isdifficult for a RoadSide Unit (RSU) to verify each vehicle’ssignature sequentially when a large number of vehicles emergein the coverage areas of an RSU. To reduce the computationaloverhead of RSUs, we propose a Proxy Based AuthenticationScheme (PBAS) using distributed computing. In PBAS, proxyvehicles are used to authenticate multiple messages with averification function at the same time. In addition, RSU is ableto independently verify the outputs from the verification functionof the proxy vehicles. We also design an expedite key negotiationscheme for transmitting sensitive messages. It is shown from theanalysis and simulations that an RSU can verify 26500 signaturesper second simultaneously with the help of the proxy vehicles. Thetime needed to verify 3000 signatures in PBAS can be reduced by88% if compared to existing batch-based authentication schemes.

Index Terms—Proxy vehicle; Proxy based authentication; Keynegotiation; Privacy preservation; Vehicular ad-hoc network.

I. INTRODUCTION

VANETs have attracted a lot of attention due to its potentialto offer better driving experience and road safety, as well asmany other value-added services [1] [2]. Security issue [3] [4]is critical in VANETs because many different forms of attacks[3] against VANETs may emerge due to the use of wirelessdevices in VANET communications. Such security attacks maylead to bad user experience (thus causing the loss of revenuefor those value-added service providers) or create even more

Copyright (c) 2013 IEEE. Personal use of this material is permitted.However, permission to use this material for any other purposes must beobtained from the IEEE by sending a request to pubs-permissions@ieee.org.

This work was supported in part by the National Natural Science Foundationof China under Grants 61272074, 61472001, and Taiwan Ministry of Scienceand Technology under Grand 102-2221-E-006-008-MY3.

Yiliang Liu (email: alanliuyiliang@gmail.com) (who is currentlya visiting research student in the Department of Engineering Science,National Cheng Kung University, Taiwan) and Liangmin Wang (email:Jasonwanglm@gmail.com) are with the Department of Internet ofThings Engineering, Jiangsu University, China. Hsiao-Hwa Chen (email:hshwchen@mail.ncku.edu.tw) (the corresponding author) is with theDepartment of Engineering Science, National Cheng Kung University, TainanCity, 70101 Taiwan.

The paper was submitted on May 20, 2014, and revised on September 14,2014.

catastrophic consequences such as the loss of lives due to thetraffic accidents due to the failure of VANET communications.

Some sophisticated security schemes have been proposedin the literature as an effort to ensure that all informationexchanged in VANETs is authenticated and thus can befully trusted. In particular, Raya et al. presented a Public-Key Infrastructure (PKI) based scheme for vehicular signatureapplications [1], where an RSU verifies received messages oneafter another. Because vehicles normally forward messageson the fly at any time, it may not be able to be predictedand known by RSU. Also, those PKI-based schemes [1] [5][6] are time-consuming processes and may fail to satisfy thecomputational efficiency requirement under dynamic trafficpatterns, where the computational complexity and transmis-sion overhead of RSUs increase linearly with the number ofvehicles that need to be authenticated.

Zhang et al. in their work published in [7] introduced anefficient batch signature verification scheme for the communi-cations between vehicles and RSUs, in which an RSU canverify multiple received signatures at the same time, suchthat the total verification time required can be significantlyreduced. In their proposed scheme, an RSU can simultaneouslyverify approximately 1600 messages per second, which isnot bad but still not fast enough to meet the requirementof VANET authentication speed. According to the DedicatedShort Range Communications (DSRC) protocol [8] [9], eachvehicle broadcasts a traffic safety message every 100⇠300ms. This implies that an RSU must verify around 2500⇠5000messages per second when there are 500 vehicles within thecoverage of an RSU, which is indeed a great challenge forany current batch-based digital signature scheme reported inthe literature [10] [11] [12] [13].

In this paper, our goal is to tackle the aforementionedefficiency problem of the existing authentication schemes.In particular, we will propose a Proxy Based AuthenticationScheme (PBAS) for this purpose. In this proposed scheme,each proxy vehicle plays an important role, which is adoptedto authenticate multiple messages with the help of a verifi-cation function at the same time. In this way, the distributedcomputing can be used to shed the time-consuming centralizedcomputing loads at RSUs. We also design a systematic andindependent mechanism for RSUs to verify the output of theverification function from different proxy vehicles, by whichan RSU can evaluate the validity levels of different messagesin the same way as done in separate verification schemes. Inaddition, batch key negotiations can also be accomplished inthe proposed scheme, in which an RSU can complete the batchprocess of vehicles’ key negotiations by broadcasting a single

IEEE TRANSACTIONS ON VEHICULAR TECHNOLOGY VOL:PP NO:99 YEAR 2014

1

RSU

Verify output

AB

CProxy

Verify signatures of A, B, C

Output

Fig. 1. PBAS reduces the computation load of RSUs via the cooperationamongst proxy vehicles, where a proxy vehicle verifies the signatures of A,B, and C with a verification function, and then it transmits its output tonearby RSU. The RSU verifies the output only, thus consuming less computingresource. Note that the verification functions perform cryptographic operationsin an authentication scheme, and these operations are executed in RSUs usingtraditional authentication schemes.

message. Fig. 1 shows the main characteristic features of theproposed PBAS scheme.

Specifically, the design requirements of the proposed PBAScan be summarized as follows:

1) The scheme should be designed to meet the computa-tional efficiency requirements of VANETs (see SectionIV).

2) The scheme should be designed to meet the generalsecurity requirements of VANETs, such as messageintegrity and authentication, privacy preservation, etc.(see Section V).

3) The scheme has the property that enables the verificationprocess to continue even in the event that a small numberof proxy vehicles have been compromised in VANETs(see Section V).

The remainders of this paper can be outlined as follows.Section II surveys the related works in the literature. SectionIII introduces the system and security models, together withthe related preliminaries. Section IV is to discuss the issueson proxy based batch authentication scheme (PBAS). SectionV is to conduct security performance analysis. Section VI isdedicated for complexity evaluation and simulations for PBASand the other existing authentication schemes, followed by theconclusions made in Section VII.

II. RELATED WORKSIn the current IEEE 1609.2 standard [9], vehicular commu-

nication messages should be authenticated using the EllipticCurve Digital Signature Algorithm (ECDSA) [14]. Each mes-sage also includes a certificate. As shown by the analyticalstudy conducted in [15], a major challenge that remains to betackled is to find a way to reduce the resource consumptionsin computation and transmission. In the text followed, we willdiscuss about the two authentication schemes that have beenproposed in the literature.

A. Conventional AuthenticationLet us start with the discussions about the prior works on

the ECDSA-based schemes, and will take this scheme as anexample to explain the important relationship between the

integrity of messages and the validity of sender’s identities.Studer et al. pointed out in their work [5] that a VANETuser needs to verify the validity of the identity of a messagesender before verifying the integrity of the messages it sendsout. If the system designers focus only on the mechanismsto verify messages and ignore the importance associated withthe verification of valid entities, a malicious participant couldexploit many forged identities to disable VANET communi-cations. Therefore, they particularly proposed TESLA++ [5]as a modified version of TESLA [16], which combines theadvantages of ECDSA signatures and TESLA. Compared withTESLA, TESLA++ takes the advantage of relatively shorterHash Message Authentication Code (HMAC) to verify the in-tegrity of messages, which helps to cut down the transmissionoverhead of RSUs. If compared with TESLA, TESLA++ signson each message before its transmission, which is to performthe identity authentication that provides on-repudiation ofattribution in multi-hop communications. Any receiver can usethe signer’s public key to verify the identity of the message.To verify the messages from the vehicles outside the coverageof an RSU, the authors in [6] suggested that the neighboringvehicles could work cooperatively to probabilistically verifyonly a small percentage of these message signatures.

B. Batch AuthenticationOn the other hand, batch verification offers an efficient way

for verifying signatures in VANETs. Zhang et al. in [7] in-troduced an Identity-based Batch signature Verification (IBV)scheme for vehicular-to-infrastructure (V2I) communications,which works based on identity-based encryption algorithms[17] [18] proposed by Boneh et al. In the IBV scheme, an RSUcan also verify multiple received signatures at the same timesuch that the computation time can be significantly reduced.Meanwhile, the certificates are not needed in the verificationprocesses, and thus the transmission overhead can be reducedsubstantially. The IBV scheme can achieve conditional privacypreservation using pseudo identities, and a Trust Authority(TA) is capable of tracing a vehicle’s real identity fromits pseudo identity. In [19], Zhang et al. made their effortto enhance the IBV scheme via adopting a group testingtechnique. The objective of the group testing is to find invalidsignatures with a minimal batch verification workload. In [10],Huang et al. proposed an Anonymous Batch Authenticatedand Key Agreement (ABAKA) scheme for different value-added services, which can authenticate multiple messages sentfrom different vehicles and establish different session keysfor different vehicles at the same time. The security of theABAKA scheme is ensured based also on ECDSA. Comparedwith the basic ECDSA scheme, relatively short signatures areadopted by the ABAKA scheme to reduce the computationand transmission overheads of RSUs. In [20], Chim et al.introduced a Secure and Privacy Enhancing CommunicationsScheme (SPECS), where any vehicle can form a group with theother vehicles after batch authenticating and can communicatewith one another securely without RSUs. However, in [11],Shi-Jinn Horng et al. found out that SPECS is vulnerable toimpersonation attacks, and a malicious vehicle can act as an ar-bitrary vehicle to broadcast fake messages or even counterfeits

another group member to send fake messages securely amongthemselves. To deal with this issue, they proposed b-SPECS+to overcome the weaknesses of SPECS. In [12], Shim etal. proposed a Conditional Privacy preserving AuthenticationScheme (CPAS), which is based on Computational Diffie-Hellman (CDH), to bridge the gap between the privacy andnon-repudiation requirements. In [13], Li et al. proposed aRapid Certification Scheme (RCS), in which a VANET leaderis responsible to collect the messages of n distinct vehicles,and then sends them to RSU. The RSU verifies the batchof messages. The RCS is able to reduce the transmissionoverhead of RSUs by integrating messages into batches.

C. Certificate RevocationBased on the discussions made in the previous paragraphs,

we understand that the optimized certificate update schemes[24] [22] [23] [24] are promising approaches for efficientauthentication in VANETs, but the revocation list will get verylong when it is needed to check the time-consuming CertificateRevocation Lists (CRLs). Albert et al. in their work [25]introduced a protocol for V2V communications, called Ex-pedite Message Authentication Protocol (EMAP), which useskeyed Hash Message Authentication Code (HMAC) techniqueto replace the CRL checking process. It can help to reduce thecomputation overhead compared to the conventional schemesemploying CRL.

D. Tradeoff between Privacy and Non-RepudiationThe authentication schemes require that vehicles in

VANETs should publish their certificates or public keys. Evenin identify-based signature algorithms, their identificationsshould be send to destination together with their messages.The privacy issues have attracted much attention becausethese identity materials are revealed in VANETs. [26] [27]proposed pseudonym changing based authentication schemesto achieve conditional privacy. The term ”conditional” heremeans that, when car attacks occur, the identity informationhas to be revealed by TA to establish the liability of the attacks.[28] considered that the TA has all cryptographic materialsand may abuse its access ability, and thus they proposeda security framework with non-repudiation and conditionalprivacy, in which TA never knows the user’s private key.The authors in [29] [30] employed a lightweight conditionalprivacy-preservation scheme with a simple hash-chain tech-nique, which attributes to the reduction of the computationaloverhead while achieving conditional privacy.

E. Medium Access ControlFuture vehicles will the functions of Medium Access Con-

trol (MAC) protocols so that the passengers can surf theInternet in the vehicles, [31] provided a secure MAC protocolto access DSRC channels. The secure communication protocolis designed based on authentication scheme to satisfy therequirements of message authentication and integrity, togetherwith non-repudiation and privacy of senders. The protocoltakes advantage of time-stamp mechanism to guarantee thefreshness of messages.

III. PRELIMINARIES

Before introducing the PBAS scheme proposed in this paper,we would like to offer a brief review on the preliminaryknowledge on VANET security in the subsections followed,to facilitate the discussions and performance analysis on theproposed scheme, which will be presented in Section IV.

A. Bilinear PairingLet G1 denote an additive group of prime order q, and G2

denote a multiplicative group of the same prime order. Let Pbe a generator of G1, and e : G1 ⇥ G1 ! G2 be a bilinearmapping with the following properties:

• Bilinear: For all P , R, Q 2 G1 and a, b 2 Z⇤q

, we havee(Q,P + R) = e(P + R,Q) = e(Q,P ) ⇥ e(Q,R). Inparticular, e(aP, bQ) = e(P,Q)

ab.• Non-degeneracy: e(P,Q) 6= 1.• Computability: The map e is efficiently computable.

Next, we state the following two underlying problems asthe basis for our proposed scheme.

• CDH (Computational Diffie-Hellman) problem: For un-known a, b 2 Z⇤

q

, and for the given aP, bP 2 G1,compute P ab.

• DDH (Decisional Diffie-Hellman) problem: For unknowna, b 2 Z⇤

q

, and for the given aP, bP, abP 2 G1, check ife(aP, bP )

?= e(abP, P ).

It is easy to show that the DDH problem is easy to solve,while the CDH problem is extremely hard to solve.

OBU

TASP

RSU

Broadcast RSU

V2V V2I

Fig. 2. A VANET communication system is supported by Dedicated ShortRange Communications (DSRC), which offers Vehicle-to-Vehicle (V2V) andVehicle-to-Infrastructure (V2I) communications. The system should meet thesecurity requirements to ensure that all information data exchanged areauthenticated and can be trusted [9].

B. System ModelFig. 2 introduces a two-layer network model of VANETs

with its underlined security layer and communication layer.

The security layer is comprised of a Trust Authority (TA) andtamper proof devices. The TA is trusted by all entities in thesystem, it is in charge of distributing the secret keys to allentities, and it has an ability for tracing back to the real identityof a vehicle whenever any uncertainty occurs. According to theVANET standard [8] [9], a tamper proof device installed in theOBU of a vehicle is responsible for storing security materialsand implementing all crypto operations. On the other hand, thecommunication layer is comprised of V2I and V2V modules.The V2V communication system provides a 360-degree viewof all its peer vehicles within the communication range. TheV2I communication and broadcast systems provide traffic andentertainment information for the drivers.

C. Security Model

In [1], Raya et al. defined five basic attacks, including bogusinformation, cheating with sensor information, ID disclosureof the other vehicles in order to track their locations, Denialof Service (DoS), and masquerading. [32] [33] extended theattack types by introducing replay attack. In this section, wetake all those basic attacks into consideration in a VANET ofinterest, except for ”cheating by sensor information” becausethe research on this particular topic belongs to data-centrictrust establishment [34] [35] [36].

The work reported in [37] indicated that security mech-anisms of the VANET framework should support differentapplications and services. Hence, before discussing the se-curity requirements of our scheme, we first consider twoapplication scenarios, namely safety related applications andvalue-added applications. For the safety related applications,vehicles in danger will send (broadcast or unicast) safetyrelated messages to other entities in VANETs. The entitiesneed to authenticate these messages before utilizing them. Inthe safety related applications, there are typically no confiden-tiality requirements on these safety related messages. For thevalue-added applications, the confidentiality is required. RSUsare registered as the gateways for Internet access, via whichthe vehicles that request for the services can establish secrecylinks with Internet Service Provider (ISP) because most ofthe services levy charges. Hence, the messages from ISPcan satisfy confidentiality through the key generation processbetween vehicles and RSUs. In summary, the following foursecurity requirements are needed in PBAS:

1) Message integrity and authentication: Messages sent byvehicles can be authenticated to prove that they areindeed sent by authorized entities without being mod-ified or forged. Moreover, RSUs should have an abilityto authenticate a large amount of signatures for manyvehicles.

2) Identity privacy preserving and traceability: The realidentity of a vehicle should be kept anonymous, whichis heterogeneous with the other pseudo identities. Anythird party should not be able to reveal the real identityof a vehicle by analyzing multiple messages sent from it.However, when the vehicles send malicious information,TA has an ability to reveal the real identities from thepseudo identities of the misbehaved vehicles.

3) Resisting signature replay attacks: Signature replay at-tacks can be prevented by such a carefully designedscheme. The definition of a signature replay attack canbe generalized as an attack that replays the signaturesfrom a different vehicle for the intended or expectedRSUs, thereby to fool the RSUs to believe that they havesuccessfully completed the verification of the owner ofthese signatures.

4) Confidentiality: A server can establish a secure commu-nication link with a requesting vehicle for subsequentcommunications. For instance, ISP and parking pay-ments systems require that the session key negotiationprocess generates the keys for confidentiality of theirtransmitted messages.

IV. PROXY BASED BATCH AUTHENTICATION

In this section, we introduce PBAS, whose algorithm con-sists of the following four phases, 1) system initializationphase; 2) message signing phase; 3) batch verification byproxy vehicles; and 4) verification by an RSU at the outputsfrom proxy vehicles. In addition, a key negotiation phase isincluded if confidentiality is required. The notations used inthis section are listed and defined in Table I.

TABLE INOTATIONS AND THEIR DEFINITIONS.

Notation DefinitionVi

The ith vehicle.sj

The jth private master key of the tamper proof device,where j 2 {1, 2, 3}.

sr

The private master key of the RSU.PK

k

The public key of the system, where k 2 {1, 2, r}.ID

i

The pseudo identity of the vehicle Vi

, whereID

i

= (ID1i

, ID2i

).SK

i

The private key of the vehicle Vi

, whereSK

i

= (SK1i

, SK2i

).RID

i

The real identity of the vehicle Vi

, where RIDi

2 G.R

r

The real identity of the RSU, where Rr

2 G.SK

r

The private key of the RSU, whereSK

r

= (SK1r

, SK2r

).T The time stamp of messages.M

i

A message from vehicle Vi

.h(·) A one-way hash function such as SHA-1, SHA-2.H(·) A MapToPoint hash function such as H : {0, 1}⇤ ! G.

A. System Initialization

The TA (as shown in Fig. 2) initializes the system parame-ters for each registered VANET member. Each vehicle gener-ates its pseudo identity and the corresponding key. Accordingto the IEEE standard for VANETs [9], each vehicle should beequipped with a tamper proof device, and no adversary canattain any data stored in the tamper-proof device. The systeminitialization phase can be modeled mathematically as follows.

• System parameters generation:1) The TA stores U

V

= {RIDi

|1 i n}.2) Given the bilinear parameters (P, q,G1,G2, e),

the TA chooses four random numbers, i.e.,s1, s2, s3, sr 2 Z⇤

q

.

3) The TA computes PK1 = s1P , PK2 = s2P , andSK2

r

= s3P .4) The tamper proof device of each vehicle is secretly

preloaded with the parameters {s1, s2, s3}.5) The RSUs are secretly preloaded with the parame-

ters {SK2r

, sr

}.• Pseudonym and key generation:

1) The RSU computes SK1r

= sr

Rr

and PKr

= sr

P .Therefore, the private key of the RSU can bemodeled as (SK1

r

, SK2r

).2) A vehicle, denoted by V

i

, chooses a random numberri

2 Z⇤q

.3) V

i

computes ID1i

= ri

P and ID2i

= RIDi

�H(r

i

PK1).4) V

i

computes SK1i

= s1ID1i

and SK2i

=

s2H(ID1i

||ID2i

).• Publishing the system parameters:

1) The system parameters(P, q,G1,G2, e, PK1, PK2, PK

r

) are preloadedby each VANET member.

The system initialization phase should keep private mate-rials confidentiality. First, the private master keys {s1, s2, s3}are loaded into the vehicle’s tamper proof device in the systemparameters generation process. Any adversary can not extractany data stored in the device. Second, the tamper-proof deviceis responsible for generating the identity (ID1

i

, ID2i

) and thecorresponding privacy key (SK1

i

, SK2i

) in the pseudonym andkey generation process. Their security is ensured based on theCyclic Group Discrete Logarithm Problem (CGDLP), so thatnone can get s1 and s2 from the private key.

The identity information (ID1i

, ID2i

) is pseudonym that canachieve privacy preservation, because vehicle V

i

will generatea new pseudo identity when entering into the communicationrange of another RSU, where ID1

i

= ri

· P , ID2i

= RIDi

�H(r

i

·PK1), and ri

should be different in different areas. Theprivate keys (SK1

r

, SK2r

) are used as the verifiers by RSU,which are calculated without r

i

. Hence, when a vehicle leavesthe coverage area of an RSU and enters the coverage areaof another RSU, the new RSU can continue to verify theirmessages with the primary system parameters.

B. Message SigningThe vehicles in a VANET will periodically broadcast mes-

sages. To ensure the integrity of messages and the validityof the originators, each messages sent by a vehicle should besigned with its private key. The message signing phase can bemodeled as

1) Vehicle Vi

, where i 2 (1, 2, 3, . . . , n), generates a relatedinformation M

i

, where Mi

= M k T .2) V

i

picks up a pseudo identity IDi

and the correspondingprivate key SK

i

from the tamper proof device. Then,Vi

signs on the message Mi

, where �1i

= SK1i

+

h(Mi

)SK21 .

3) The tamper proof device of Vi

generates �2i

with s3,where �2

i

= (ri

+ s3(h(Mi

) + �1i

))PKr

.4) Then, V

i

sends the message {IDi

,Mi

,�1i

,�2i

} to theother participants in vicinity.

From the above discussions, one can see that, compared toconventional signatures generated by private keys, we combinePK

r

and the private keys of vehicles to sign vehicularmessages.

Given a message from a vehicle, the signature attachedwithin the message is shorter than the current standard ECDSAof IEEE1609.2 [9]. With a 160-bit q cyclic group G1, thelength of a signature in PBAS is only an half of that ofECDSA, i.e., | �1

i

|= 21 bytes2. Similarly, �2i

has the samelength, i.e., | �2

i

|= 21 bytes. In addition, our signature schemeis an identity-based encryption algorithm, which makes themapping between identities publicly available. Therefore, thecertificate is unnecessary when verifying messages. In otherwords, only a short-length pseudo identity is sent, i.e., |ID

i

|=| ID1i

| + | ID2i

|= 42 bytes. Conclusively,the signature size of a vehicular message is 84 bytes, i.e,| ID

i

| + | �1i

| + | �2i

|= 84 bytes. Nevertheless, thecurrent standard ECDSA uses 256-byte signature.

C. Batch Verification by Proxy VehiclesProxy vehicles can efficiently authenticate multiple mes-

sages sent from the other vehicles, then output the result oftheir authentication process and send it to the entities that haverelatively low computing capabilities.

First of all, we propose an efficient proxy vehicle selectionstrategy. It is crucial to make sure that vehicles have extracomputation resources to serve for the others. We considerthat u vehicles in the area can communicate with each otherdirectly. Each of them needs to sign and send a messages. Weassume that C

v

is the cost of authenticating one signature inPBAS, which is undertaken by the proxy vehicles. C

s

is thecost of generating one signature. The total computation load ofeach vehicle V

i

is Ci

, i 2 {0, u}. The proxy vehicle selectionstrategy is explained as follows.

1) When extra resource Ci

r

= Ci

� aCs

satisfies Ci

r

> 0,Vi

is qualified to be a candidate of a proxy vehicle.2) According to Ci

r

, denote these extra resources by{c1, c2, ...cv

r,0} in a descending order, and the cor-responding vehicles by {p1, p2, ..., pv

r,0}, where 0 vr,0 u.

3) Use the median Cme

of {c1, c2, ...cr,0} as a threshold,and select the proxy vehicles based on Ci

r

> Cme

. Theproxy vehicles are defined as {p1, p2, ..., pv}, where vis the number of proxy vehicles.

4) Each proxy vehicle authenticates the same number ofsignatures based on the threshold C

me

, which is definedas (C

me

� aCs

)/Cv

.The above selection strategy can be implemented in every

vehicles without TA. Based on (Cv

, Cs

, Ci

), vehicles canbecome proxy vehicles spontaneously to authenticate receivedsignatures. When there are no computation resources in thevehicles, PBAS degenerates to normal authentication schemes.The signature scheme is based on ID-cryptography, and RSUs

1Every finite cyclic group G is isomorphic to a group Z⇤q

, where q is theorder of the group, and the security of a signature is based on Z⇤

q

.2We use an MNT curve with 160-bit q, which has the same security level

with IBV, b-SPECS+, and CPAS.

are not required to pre-store the certificates of proxy vehicles.Hence, there is no upper limitation in the number of proxyvehicles that could be governed by an RSU.

The verification phase in a proxy vehicle can be describedas follows.

1) The messages {IDi

,Mi

,�1i

,�2i

} sent by Vi

, i 2(1, 2, 3, . . . , n), is received by a proxy vehicle V

proxy

.Then, V

proxy

verifies the signatures in batch, i.e., �1i

,i 2 (1, 2, 3, . . . , n), is valid if the following equationholds.

e

✓nX

i=1

�1i

, P

◆= e

✓nX

i=1

ID1i

, PK1

◆e

✓nX

i=1

h(Mi

)H(ID1i

k ID2i

), PK2

◆.

(1)

Before the verification process, the proxy vehiclehas obtained the public key (PK1, PK2), receivedthe message M

i

, the signature �i

of Mi

, andthe pseudo identity (ID1

i

, ID1i

) from eachsurrounding vehicle V

i

. Then, e(P

n

i=1 �1i

, P )

and e(P

n

i=1 ID1i

, PK1)e(P

n

i=1 h(Mi

)H(ID1i

kID2

i

), PK2) can be calculated by the proxy vehicle,respectively. If these two terms are indeed identical, theintegrity of all messages and the identities of sendersof these messages are verified. The validity of Eqn. (1)can be verified as follows:

e

✓nX

i=1

�1i

, P

◆= e

✓nX

i=1

⇣SK1

i

+ h(Mi

)SK2i

⌘, P

◆

= e

✓nX

i=1

SK1i

, P

◆e

✓nX

i=1

h(Mi

)SK2i

, P

◆

= e

✓nX

i=1

s1ID1i

, P

◆e

✓nX

i=1

s2h(Mi

)H⇣ID1

i

k ID2i

⌘, P

◆

= e

✓nX

i=1

ID1i

, s1P

◆e

✓nX

i=1

h(Mi

)H⇣ID1

i

k ID2i

⌘, s2P

◆

= e

✓nX

i=1

ID1i

, PK1

◆e

✓nX

i=1

h(Mi

)H⇣ID1

i

k ID2i

⌘, PK2

◆.

(2)

2) Then, Vproxy

computes ⌃

n

i=1�1i

2 Z⇤q

, ⇧

n

i=1�2i

2 Z⇤q

,and sends {M

proxy

, IDproxy

,�1proxy

} to an RSU, wherethe output denotes M

proxy

= M k ⌃

n

i=1�1i

k ⇧

n

i=1�2i

kT k ID

i

, i 2 (1, 2, 3, . . . , n), and the verification resultis generated by the proxy vehicle and included in M.Here, {M = a} indicates the batch of messages is valid,and {M = b} indicates the batch of messages is invalid.The signature �1

prxoy

is generated with Vproxy

’s privacykey, (SK1

proxy

, SK2proxy

).Given n distinct messages authenticated by a proxy

vehicle, an RSU does not need to receive all the sig-natures because these signatures have been calculated as⌃

n

i=1�1i

and ⇧

n

i=1�2i

. Each proxy vehicle sends the message{M

proxy

, IDproxy

,�1proxy

} to the RSU. The length of thepacket is 126+42n bytes, where |ID

proxy

| = 42 bytes,|�1

proxy

| = 21 bytes, and |Mproxy

| = |⌃n

i=1�1i

|+ |⇧n

i=1�2i

|+

Vehicle(Vi)

Tamper proof device (Di)

Proxy(Vproxy)

RSU(rsu)

C

S3 A2

A1S1

S2

Message signing Signature verification Output verification1,i iM V

2iV

1,proxy proxyM V

2iVE

S1: Vi

generates message Mi

, and signs it, i.e., �1i

.

S2: Meanwhile, Di

generates �2i

.

A1: Vproxy

verifies the batch of signatures through Equation (1).

S3: Vproxy

outputs the batch verification result Mproxy

, and

signs it, i.e.,�1proxy

.

A2: rsu verifies the signature of Vproxy

.

C: rsu checks output provided by Vproxy

through Equation (3).

E: Vi

is equipped with a tamper proof device.

Fig. 3. The proxy-based authentication scheme, where the proxy vehicles areused for verifying the messages of nearby vehicles to replace time-consumingcentralized verification in one RSU.

|IDi

| = 42 + 42n bytes. Thus, the signature size sent to theRSU can be significantly reduced compared to IBV, whosesignature size is 63n when sending n messages [7].

D. Verification by an RSU at Outputs from Proxy Vehicles

RSUs can independently verify the results from the previousverification processes of the proxy vehicles, and then systemcan exclude false results and revoke malicious proxy vehicles.The verification in an RSU at the outputs from the proxyvehicles includes the following three tasks. Task (1) ensuresthat the originators of the messages is indeed the real proxyvehicle and there are no forwarding nodes actively modifyingmessages; Task (2) guarantees that the result from a proxyvehicle contains correct verification output through their batchverification phase; Task (3) revokes the proxy vehicle whenRSU finds that it fails the process.

This process can be described as follows.1) When receiving {M

proxy

, IDproxy

,�1proxy

}, the RSUinitiates Task (1) to verify if single signature �1

prxoy

isvalid. The single signature verification process has beenproposed and proved in [7]. If it is valid, then TA tracesthe real identities of this batch of vehicles by computingRID

i

= ID2i

�H(s1 · ID1i

), where i 2 (1, 2, 3, . . . , n).2) If Task (1) is passed, the RSU goes to Task (2) to check

the authentication result sent by a proxy vehicle. Theresult is valid and the batch of message is authenticatedif the following equation holds, or

e

✓nY

i=1

�2i

, Rr

◆

= e

⇢nY

i=1

ID1i

nX

i=1

⇣h(M

i

) + �1i

⌘�SK2

r

, SK1r

�. (3)

As the RSU has already obtained its private key(SK1

r

, SK2r

) and extracted ⌃

n

i=1�1i

, ⇧

n

i=1�2i

from themessage M

proxy

before, in the verification processthe RSU calculates e(

Qn

i=1 �2i

, Rr

) with Rr

, and

e{Q

n

i=1 ID1i

[

Pn

i=1(h(Mi

) + �1i

)]SK2r

, SK1r

}, respec-tively. If these two terms are identical, the result is validand the batch of messages is authenticated correctlyby proxy vehicle. The related details of proxy-basedauthentication scheme are shown in Fig. 3.

3) If Eqn. (3) is not held, the proxy vehicle is consideredmalicious by RSU. The TA receiving the feedback fromthe RSU will revoke the malicious proxy, which canprevent it from disturbing the authentication processeslater. The algorithm to identify malicious proxy vehiclesis showed in Algorithm 1. The security explanation ofSteps. 8-13 is given in Section V, A. Security Analysis.

Algorithm 1 The algorithm to identify malicious proxy vehi-cles.

1: The batch of messages is marked as valid by {M = a}.2: The batch of messages is marked as invalid by {M = b}.3: Task (1): verify the message M

proxy

from the proxy vehicle:4: if M

proxy

is valid then5: Task (2): verify the result of the proxy vehicle:6: if M = a k Eqn. (3) is held then7: The batch of messages is valid and the proxy vehicle is

trusted.8: else if M = a k Eqn. (3) is not held then9: The batch of messages is invalid and the proxy vehicle is

untrusted.10: TA revokes the proxy vehicle.11: else if M = b k Eqn. (3) is held then12: The batch of messages is valid and the proxy vehicle is

untrusted.13: TA revokes the proxy vehicle.14: else15: The validity of the batch of messages is hard to determine

and the proxy vehicle is untrusted.16: TA revokes the proxy vehicle.17: else18: The result message is not from the authentic proxy vehicle.

The validity of Eqn. (3) can be verified as follows:

e

✓nY

i=1

�2i

, Rr

◆

= e

⇢nX

i=1

ri

+ s3

✓nX

i=1

h(Mi

) +

nX

i=1

�1i

◆�PK

r

, Rr

�

= e

⇢nX

i=1

ri

+ s3

✓nX

i=1

h(Mi

) +

nX

i=1

�1i

◆�sr

P,Rr

�

= e

⇢nX

i=1

ri

+ s3

✓nX

i=1

h(Mi

) +

nX

i=1

�1i

◆�P, s

r

Rr

�

= e

⇢✓nX

i=1

ri

◆P · s3

nX

i=1

✓h(M

i

) + �1i

◆�P, s

r

Rr

�

= e

✓nY

i=1

ID1i

nX

i=1

⇣h(M

i

) + �1i

⌘�SK2

r

, SK1r

◆. (4)

The computation cost that an RSU spends on verifying nsignatures is equivalent to that spent on checking a proxyvehicle’s operation. From the above discussions, the total costconsists of two pairing operations and one multiplication.However, in IBV [7], the cost that an RSU spends on verifyingn signatures is comprised of n multiplications, and threepairing operations.

Batch key generation process is used when some of vehicleswant to establish secrecy links with an RSU. This process canbe described as follows.

1) If confidentiality is required, the RSU chooses a randomnumber z 2 Z⇤

q

, and then computes Pubr

= zP and�r

= sigSK

1r

(Pubr

k T ). The RSU calculates thesession key, i.e., K

r

i

= z · ID1i

, i 2 (1, 2, 3, . . . , n),for each vehicle.

2) The RSU broadcasts a single message, i.e.,{Pub

r

, T,�r

}. Vehicles that apply for establishingconfidentially communications will verify the signaturesent by the RSU with PK

r

, to ensure the validity ofthe RSU and the integrity of the broadcast messages.

3) Finally, Vi

calculates the session key, i.e., Kr

i

= ri

·Pub

r

.The RSU just needs to generate only one single message to

broadcast for a batch of key negotiations. Note that the sessionkeys are distinct because of different vehicles’ contributionson r

i

. The broadcast message {Pubr

, T,�r

} by the RSUconsists of 21-byte public parameter, 21-byte signature, i.e.,|Pub

r

|+ |�r

| = 42 bytes. It is noted that the key negotiationsand traceability process can be generated offline in a server.Therefore, the key negotiation process will not impose muchcomputational burden on the RSU.

V. SECURITY PERFORMANCEIn this section, we analyze the security and fault toler-

ance performance of PBAS. The security analysis of PBASincludes the following four aspects, i.e., message integrityand authentication, replay attack resistance, non-repudiation,and privacy preservation. Particularly, the message integrityand authentication is one of the basic security requirementsin VANETs. The fault-tolerance of PBAS is defined as theproperty that enables the verification process to continueoperating properly even in the presence of a small numberof compromised proxy vehicles in VANETs. If its operationalquality degrades, the degradation is proportional to the numberof compromised proxy vehicles, as compared to a naively-designed system, in which even a very small failure can causethe breakdown of an entire system.

A. Security Analysis1) Message integrity and mutual identity authentication:

PBAS achieves mutual identity authentication between RSUsand vehicles. To be authenticated by RSUs, V

i

generatessignature �1

i

of the message Mi

with its privacy key SKi

. Andanother signature �2

i

is generated by a tamper proof device ofVi

. Without knowing SKi

and s3, any attacker can not forgea message and the corresponding signature. Similarly, with-out knowing RSU’s privacy key SK1

r

, it is computationallyinfeasible to forge a valid pair (�

r

, (Pubr

, T )).Let us consider a scenario, where the attackers are divided

into external and internal attackers. The external attackers arenon-authorized entities and can only attain public parametersand public keys. The internal attackers are authorized vehicles

(such as Vi

), each of which knows its own privacy key(SK1

i

, SK2i

) but it can not extract s1, s2, s3 stored in thetamper proof device.

In PBAS, (SK1i

, SK2i

) of Vi

is changed when the ve-hicle enters into another coverage area. Without knowing(SK1

i

, SK2i

), it is impossible to forge a valid signature�i

= SK1i

+h(Mi

)SK2i

. Due to the CDH problem in G, it isinfeasible to obtain s1 and s2 from PK1 and PK2. Therefore,any attacker can not obtain the privacy keys of the others.

If malicious proxy vehicles send bogus results to an RSU,PBAS is secure against these additional attacks as listed inChallenge 1 and Challenge 2.

Challenge 1: A proxy vehicle may fool RSUs using thefollowing two possible ways: 1) All messages in a batch arevalid but a proxy vehicle claims that there are messages invalidin the batch; 2) There are some messages invalid in a batch,but a proxy vehicle claims that they are all valid.

Resistance: In both cases, {Mproxy

, IDproxy

,�1proxy

} isstill sent to an RSU under the mechanism of PBAS, where theoutput denotes M

proxy

= M k ⌃

n

i=1�1i

k ⇧

n

i=1�2i

k T k IDi

,where i 2 (1, 2, 3, . . . , n). It is difficult to forge a valid sig-nature �1

i

and its corresponding �2i

by cryptography analysis.In addition, without s3 the attacker is impossible to calculate⇧

n

i=1�2i

. It is also infeasible to obtain s3 from the formula�2i

= (ri

+s3(h(Mi

)+�1i

))PKr

because of the CDH problemin G. On the other hand, without (SK1

r

, SK2r

), a maliciousproxy vehicle can not calculate ⌃

n

i=1�1i

and ⇧

n

i=1�2i

from theformula (2) directly, as it is an NP-hard problem. Therefore,PBAS is secure against the attacks of forging bogus resultsand the corresponding signatures, i.e., ⌃

n

i=1�1i

and ⇧

n

i=1�2i

.The RSU verifies whether the output of the batch verificationby a proxy vehicle is valid with formula (2).

Challenge 2: Given the pseudo identity of Vi

, i.e.,(ID1

i

, ID2i

), and the pseudo identity of Vj

, i.e., (ID1j

, ID2j

),a malicious attacker attempts to confuse the sequence ofthese authorized vehicles’ identities, i.e., (ID1

i

, ID2j

) and(ID1

j

, ID2i

), to prevent the TA from tracing the vehicle’s realidentity.

Resistance: In this case, the formula (2) still holds, butthe TA should compute RID

i

= ID2i

� H(s1 · ID1i

),i 2 (1, 2, 3, . . . , n), to trace the real identities in the server,The TA will not attain a valid RID

i

if the relationship betweenID1

i

and ID2i

is confused.

2) Replay attack resistance: In order to guarantee thefreshness of messages, T

R

denotes the arrival time of areceived message, and T denotes the message departure time.�t1 denotes the time difference between vehicle’s clock andlocal clock, and �t2 denotes the expected network delay. Uponreceiving a message, PBAS first checks whether the followinginequality is valid, or

��TR

� T�� <M t1+ M t2. (5)

If T is lapsed, then the receivers drop the message.

3) Non-repudiation: Given the pseudo identity(ID1

i

, ID2i

), only the TA can trace the real identity ofa vehicle by s1, or

ID2i

�H�s1 · ID1

i

�

= RIDi

�H�ri

· PK1

��H

�s1ri · P

�

= RIDi

. (6)

Finally, the real identity RIDi

of a vehicle is obtained. TheTA will store (RID

i

,Kr

i

) to encrypt the subsequent sensitivemessages of services. When a traffic accident occurs, the lawenforcement departments can punish the driver of the vehicle.

4) Privacy preservation: In PBAS, a vehicle takes advan-tage of its identity as the public key to reduce the size ofsignatures, but the disclosure of identity may cause privacyviolations. Thus, the real identity RID

i

of vehicle Vi

isconverted into two area-sensitive pseudo identity (ID1

i

, ID2i

)

for privacy preservation, where ID1i

= ri

· P , and ID2i

=

RIDi

� H(ri

· PK1). Because Vi

will regenerate the secretkey r

i

when entering into a new communication area ofanother RSU, the pseudo identity and signature, �1

i

, �2i

, willdynamically change with the secret key. Without knowing s1,it is impossible to calculate the real identity.

0 2 4 6 8 10 12 14 16 18 200

0.2

0.4

0.6

0.8

1

PA(n) = 1/n

PP (n) = 1/nk

Number of vehicles

Successprobab

ility

oftracing

ABAKAPBAS

Fig. 4. Comparison of the authentication schemes (ABAKA and PBAS)in terms of the probabilities for an attacker to successfully trace a vehiclefrom the pseudo identities of n vehicles. The pseudo identity of a vehiclein PBAS will dynamically change k times in a specified period, while thepseudo identity of a vehicle in ABAKA is static. Here k = 10.

We use a probability model to analyze the relationshipbetween the probability that an attacker can successfully tracea vehicle and the number of vehicles in the range of an RSU.The successful traceability probability denotes the capability todistinguish one vehicle from the pseudo identities of vehiclesin a given period. As shown in Fig. 4, we assume that thenumber of vehicles is n. In ABKBA [10], the attacker shouldtrace a vehicle by selecting the static pseudo identities, wherethe probability is P

A

(n) = 1/n. In our scheme, the probabilityto trace a certain vehicle is P

P

(n) = 1/nk, where k is thefrequency of changing pseudo identities. If a vehicle passesten different coverage areas, then we have k=10.

B. Fault Tolerance AnalysisPBAS takes advantages of the proxy vehicles to realize ef-

ficient verification. However, the limitation of the proxy based

verification is that, once a proxy vehicle is compromised, itssecurity performance decreases such that the entire verificationprocess in a batch through the compromised proxy vehiclesmay lose its efficiency.

The compromised proxy vehicle may come from a varietyof ways, such as a loss or misconfigured device, as well asattackers. According to the simulations conducted in SectionIV, the average packet loss ratio is generally lower than0.1%. If a proxy vehicle sends an inaccurate message througha misconfigured device, an RSU can detect it when theverification process fails and then can revoke the vehicle’scertificate. Another situation is that a malicious proxy vehicleforges or tampers several verification messages in order to passthe batch authentication. This behavior can also be detectedwith the help of our scheme, as mentioned in Section V. Oncea malicious proxy vehicle is detected by RSU, the TA willalso revoke the malicious proxy vehicle’s certificate, and thiscan prevent the malicious proxy vehicle from disturbing theauthentication processes later.

Although a compromised vehicle can not obtain any sen-sitive information, such as others’ secret keys and secretparameters, the server will spend some amount of time onlocating the misbehaving nodes, which leads to degrade theperformance for our scheme. Considering the above threecases, we assume that at most r percent of proxy vehiclesare compromised and send invalid messages. N

v

denotes thenumber of vehicles, and N

p

denotes the number of proxyvehicles. Thus, N

c

= Np

⇥ r denotes the largest numberof compromised vehicles in a batch period. We also assumethat a proxy vehicle can verify at most n messages, and eachvehicle sends only one message in a batch period. In order togenerate an appropriate formula, the number of proxy vehiclesthat verify more than n messages is denoted as i. The numberof cases that N

v

vehicles are authenticated through Np

proxyvehicles is equal to

�N

p

�N

v �bN

v

/ncX

i=1

i�1X

x=0

(�1)

xP x

i

�✓N

p

i

◆�N

p

�N

v

�i(n+1). (7)

When Nv

� n, the eqn. (5) is approaching to (Np

)

N

v .Similarly, The number of cases that vehicles are authenticatedthrough compromised vehicles is equal to (N

c

)

k. Also, thenumber of cases that vehicles are authenticated through trustedproxy vehicles is equal to (N

p

�Nc

)

N

v

�k, where k denotes thenumber of vehicles that are authenticated by a compromisedproxy vehicle. P{X = k} represents the probability thatthe verification processes of k vehicles fail. The probabilitydistribution function conforms to the following formula, or

P�X = k

⇡

�N

v

k

�(N

c

)

k

�N

p

�Nc

�N

v

�k

�N

p

�N

v

. (8)

Fig. 5 shows an example of fault tolerance that there are100 vehicles in the coverage area of an RSU in a period, thenumber of proxy vehicles is 20 in this area, and each proxyvehicle can verify 30 messages simultaneously. When thenumber of compromised vehicles is two, where (r = 0.1), theprobability that the verification processes of ten vehicles fail isapproximately 0.132. And a backup server must immediately

10 20 30 40 500

0.04

0.08

0.12

0.16

0.2

Number of authentication failed vehicles in the coverage of RSU

Failure

probab

ility

P{X

=k}

r=0.05

r=0.1

r=0.2

r=0.3

1 compromised proxy vehicles2 compromised proxy vehicles4 compromised proxy vehicles6 compromised proxy vehicles

0.1

0.132

Fig. 5. Probability that the verification processes of k vehicles fail in the eventthat a small number of compromised proxy vehicles exist in VANETs. Eachcurve has a peak as the lowest probability. For instance, the lowest probabilityof r = 0.1 is 0.132 when k = 10, which means that the authentication failureof ten vehicles is most likely to occur when there are two compromised proxyvehicles in the coverage area, where N

v

= 100 and Np

= 20.

take over these ten failed vehicles. The failure probability of15 failed vehicles dramatically drops to 0.06. We also observethat there are more failed vehicles as r increases. Fortunately,the worst probability of this case is much lower. For instance,the probability that the verification processes of 20 vehiclesfail is approximately 0.1 when r=0.2.

The result shows that PBAS can achieve fault-toleranceand continue its verification operation, possibly with a bitreduced performance, rather than failed completely. With theprotection mechanisms of PBAS, RSUs can detect that thereare some messages invalid when some compromised proxyvehicles exist. If so, the TA will revoke the compromised proxyvehicle’s certificate. In this way, the number of compromisedproxy vehicles is well controlled below 10%3. They can onlymake up to 20 failed vehicles, and the failure probability islow enough to be negligible.

VI. PERFORMANCE EVALUATION ANDSIMULATIONS

In this section, we evaluate the performance of the proposedPBAS and compare it with the related schemes, such asTESLA++ [5], IBV [6], ABAKA [10], b-SPECS+ [11], andCPAS [12], in terms of computation and transmission over-heads. It is noted that TESLA++ uses the standard signaturealgorithm ECDSA adopted by IEEE 1609.2 [9]. In the simula-tions, we used ns-2 [39] and a mobility model generation toolcalled VanetMobiSim [40] to estimate the average messagesdelays and the average loss ratios of these schemes in a realenvironment.

A. Computation Overhead AnalysisHere, we evaluate the performance of PBAS and the other

schemes in terms of the computation overhead in an RSU.

3In [10], it was even believed that the attacker can compromise at most 1%entities subordinated by a TA.

TABLE IICOMPARISON OF COMPUTATION OVERHEADS IN AN RSU.

Scheme Verify a single message Verify n messagesTESLA++ 4T

mul

4Tmul

IBV 2Tmul

+ 3Tpar

+ Tmtp

nTmul

+ 3Tpar

+ nTmtp

CPAS 3Tpar

+ Tmul

(n+ 1)Tmul

+ 3Tpar

b-SPECS+ 2Tmul

+ 2Tpar

+ Tmtp

(2n+ 1)Tmul

+ 2Tpar

+ nTmtp

ABAKA 3Tmul

(2n+ 1)Tmul

Our scheme 4Tmul

+ 5Tpar

+ Tmtp

2mTmul

+ (2m+ 3)Tpar

+ Tmtp

,m = b n

300 c

Tmtp

denotes the time needed to perform a MapToPoint hashoperation, T

mul

denotes the time for performing one pointmultiplication, and T

par

denotes the time to perform a pairingoperation. The experiments run on an Intel i7 3.07 GHZmachine. The computation times of the following parametersin [11], i.e., T

mul

, Tmtp

, and Tpar

, are 0.39 ms, 0.09 ms,and 3.21 ms, respectively. Therefore, we can know that theoperation times of T

mul

and Tmtp

are in general much lowerthan T

par

. For the other operations, such as one-way hashfunction calculation, the operation time is negligible becauseits computation time is only 0.23 µsec [25]. Thus, we considerthe aforementioned three parameters as the main computingcosts.

Table II shows the comparison of all schemes for thecomputation overhead of an RSU in terms of signing a singlemessage and n messages. TESLA++ uses the current standardsignature scheme ECDSA, and the total computational timein terms of authenticating n messages is 4nT

mul

. Since IBV,CPAS, and b-SPECS+ are used for authenticating safety-related messages, the key negotiation session is excluded inthese schemes. To be fair, the computing time in ABAKAspent on key negotiation was not considered.

First, we assume that the traffic density is equal to thenumber of signatures in a verification period, and each vehicleperiodically broadcasts a traffic related message every 300 ms.At least m vehicles should work as the proxy vehicles to verifythe messages, and a proxy vehicle can act on at most 300messages. Thus, m = b n

300c. In addition, we assume that thecommunication coverage of an RSU is one square kilometer.

Fig. 6 illustrates the relationship between the number ofmessages within an RSU’s coverage area and the computationoverhead of the RSU. We can see from the figure that thecomputation overhead increases as the number of messagesincreases. In addition, we can also see that the computationaloverhead of TESLA++ is the highest when the number ofmessages is larger than ten. In other words, the currentstandard ECDSA scheme is incompatible with the dynamictraffic patterns. PBAS is more efficient when verifying alarge number of signatures: when there are more than 40messages, the computation overhead of PBAS in a RSU ismuch lower than the others. For instance, in one second, themaximum number of signatures that can be verified by theRSU is approximately 2450, 1000, 1100, and 2000 for CPAS,b-SPECS+, ABAKA, and IBV, respectively. In PBAS, thisnumber reaches 26500.

0 300 600 900 1200 1500 1800 2100 2400 2700 30000

0.5

1

1.5

2

2.5

3

3.5

4

4.5

5

Number of messages

Com

putation

overhead(secon

d)

TESLA++IBVABAKAb−SPECS+CPASPBAS

0 50 100 150 2000

0.1

0.2

0.3

0.4

Fig. 6. Performance comparison of these schemes in terms of the computationoverhead in an RSU. The computation overhead is defined as the computationtime spent on verifying signatures, which are signed by 300 vehicles, and eachvehicle periodically broadcasts a traffic related message and its signature every300 ms.

B. Transmission Overhead Analysis

Next, let us analyze the transmission overhead of PBASwhen compared with IBV, ABAKA, and CPAS. The com-parison is made in terms of two aspects: the transmissionoverhead from vehicles to RSUs and the transmission overheadfrom RSUs to vehicles. We exclude b-SPECS+ and TESLA++because the transmission overhead of TESLA++ with 125-byte certificates is intolerable when the number of vehicles isrelatively large, and b-SPECS+ needs large overhead in initialhandshaking of the scheme. PBAS, IBV, ABAKA, and CPASwork based on identity-based cryptography, in which only ashort 42-byte pseudo identity is transmitted along with anoriginal message. The transmission overhead only considersa pseudo identity and a signature appended to the originalmessage, while the message itself is not considered.

According to the analysis in Section IV, the packet sizeof {M

proxy

, IDproxy

,�1proxy

} sent by the proxy vehiclesto an RSU is 126+42n bytes, while the packet size of{Pub

sp

, T,�sp

} sent by an RSU is 42 bytes. The packet sizefrom vehicles to RSU (RSU to vehicles) of IBV, ABAKA,and CPAS costs 63 bytes, 84 bytes, and 101 bytes, (N/A, 80bytes, 70 bytes), respectively. Table III shows the comparisonof transmission overhead.

Fig. 7 shows the relationship between the transmissionoverhead and the number of messages received by an RSU inthree seconds. Obviously, because each signature of CPAS has

TABLE IIICOMPARISON OF TRANSMISSION OVERHEAD.

Scheme A single message n messagesOBU! RSU RSU! OBU OBU! RSU RSU! OBU

CPAS 174 bytes 143 bytes 174n bytes 143n bytesIBV 63 bytes N/A 63n bytes N/A

ABAKA 63 bytes 80 bytes 63n bytes 80 bytesOur scheme 84 bytes 105 bytes 126m+42n bytes 42 bytes

three parts, a 42-byte pseudo identity and the other necessaryparameters, and each part uses a 160-bit cyclic group (21bytes), the total signature size of CPAS is 174 bytes. Thetransmission overhead of CPAS is the largest among theseschemes as the number of message increases. While thetransmission overhead of ABAKA is smaller because eachsignature has only a 21-byte parameter and a 42-byte pseudoidentity. Also, the total signature size of ABAKA is 63 bytes.The transmission overhead of IBV is the same as ABAKA,i.e., 63 bytes.

0 300 600 900 1200 1500 1800 2100 2400 2700 30000

1

2

3

4

5

6

7

8

9

10x 105

Number of messages

Transm

ission

overhead(bytes)

CPASABAKAIBVPBAS

IBV and ABAKA is overlapped

Fig. 7. Performance comparison of these schemes in terms of transmissionoverhead in an RSU. Transmission overhead is produced mainly by the sizeof signatures, which are signed by 300 vehicles, and each vehicle periodicallybroadcasts a traffic related message and its signature every 300 ms.

Through the aggregation operation, i.e., (�11+�1

2+· · ·+�1n

)

and (�21 · �2

2 · · · · · �2n

), in the proxy vehicles, each proxyvehicle sends only a 126-byte packet to RSU to authenticate abatch of messages. The transmission overhead is the smallestif compared with CPAS and ABAKA.

Obviously, the figure shows that the transmission overheadincreases linearly with increasing number of messages. Thetransmission overhead of CPAS is the largest among theseschemes, and that of PBAS is much smaller than the others.When the number of messages increases up to 1000, PBASsaves 241 Mbytes and 48 Mbytes of bandwidth comparedwith CPAS and ABAKA (IBV), respectively. Here, 1000 isthe number of messages sent by 300 vehicles in one second.

C. Simulations

In order to perform a more realistic performance evaluationin simulations, the mobility traces adopted in the simulations

were generated using VanetMobiSim [40]. The road scenarioof the mobility model for simulations is shown in Fig. 8.

16 m

500 m 500 m 500 m 500 m

Fig. 8. Road scenario for simulations. The simulation scenario area length is8000 meters, which includes four lanes, and each lane is 2000 meters long,four meters wide. The road deploys five RSUs because the transmission rangeof each vehicle is only 300 meters.

TABLE IVSIMULATION PARAMETERS.

Parameter ValueSimulation area 8000 ⇥ 16 m2

No. of traffic lane 4No. of RSUs 5Maximum No. of proxy vehicles 20Simulation time 100 sMAC protocol 802.11pChannel bandwidth 6 MbpsTransmission range of OBU 300 mTransmission range of RSU 1000 mMinimum inter-vehicle distance 40 mRoute protocol AODVSlot-time 13 µsSIFS 32 µsAIFS (high priority) 58 µsContention window size (CW) 15⇠1023

The ns-2.35 [39] was used to simulate the average messagesdelays and the average loss ratios in RSUs to assess theperformance of PBAS. The adopted simulation parameters ofDSRC are given in Table IV. The hidden terminal problemis naturally reflected in these two performance parameters inthe simulation processes. Especially, the first phase of PBASis that vehicles broadcast messages in the area. The hiddenterminal problem in the broadcast scenario is more severethan that in the second phase of PBAS, in which the proxyvehicles communicate with RSU. To observe and discuss theseperformance parameters, the average message delay of PBASis defined as the time to transmit messages from vehicles toan RSU, which can be expressed as

ADMsg

=

1

NV

Msent m

·RSUn · pronN

VX

n=1

M

sent mX

m=1

pro

nX

p=1

RSU

nX

r=1

✓Tn m

sign

+ Tn m n

pro

trans

+ Tn

pro

m RSU

trans

+ Tn m n

pro

verify

+ Tn

pro

n RSU

verify

◆,

(9)

in which ADMsg

denotes the average message delay, Vdenotes the sample area in the simulations, N

V

denotes thenumber of vehicles in V , M

sent m

denotes the number ofmessages sent by vehicle n, RSUn is the number of RSUsin the area, and pron denotes the number of proxy vehicles.In addition, Tn m

sign

denotes the time required for vehicle n tosign message m, Tn m n

pro

trans

is the time that vehicle n spendson transmitting message m to the proxy vehicle npro, whileTn

pro

m RSU

trans

designates the time that the proxy vehicle npro

spends on transmitting message m to RSU, Tn m n

pro

verify

is thetime that the proxy vehicle npro authenticates message m, andTn

pro

n RSU

verify

denotes the time that the RSU checks the resultfrom the proxy vehicle npro.

The average loss ratio is defined as the ratio between thenumber of messages dropped and the total number of messagesreceived in every 100 second by an RSU, which can beexpressed as

ALR =

1

100 ·RSUn

RSU

nX

r=1

Mn

arrived

N

VX

n=1

Msen n

, (10)

where Mn

arrived

denotes the number of messages received byRSUs. We run 100 times for each simulation, which lasts 100s to authenticate messages using the current schemes CPAS,ABAKA, IBV or our proposed scheme PBAS, respectively.For reliability of the simulations, we set 0.95 confidencecoefficient as an observed interval.

25 50 75 100 125 150 175 2000

0.05

0.1

0.15

0.2

0.25

0.3

Number of vehicles

Average

message

delay

AD

msg

(secon

d)

IBVABAKACPASPBAS

Fig. 9. Performance comparison via simulations for different authenticationschemes in terms of the relationship between the average message delaysin RSUs and the number of vehicles. Vehicles are evenly distributed overdifferent lanes. The speeds of vehicles in each lane are approximately 10⇠30m/s.

Fig. 9 shows the first set of simulation results to revealthe relationship between the average message delays and thenumber of vehicles. In general, the more vehicles appear, thelarger the average message delay appears at RSUs. PBASoutperforms ABAKA, IBV, and CPAS, because the proxyvehicles in PBAS reduce the number of handshakes betweenvehicles and RSUs. From the figure, it is seen that the average

25 50 75 100 125 150 175 2000.01

0.015

0.02

0.025

0.03

0.035

0.04

0.045

0.05

0.055

0.06

Number of vehicles

Average

message

loss

ratioALR

IBVABAKACPASPBAS

Fig. 10. Performance comparison via simulations for different authenticationschemes to show the relationship between the average message loss ratiosin RSUs and the number of vehicles. Vehicles are evenly distributed overdifferent lanes. The speeds of vehicles in each lane are approximately 10s30m/s.

0 5 10 15 20 25 30 35 40 450.02

0.03

0.04

0.05

0.06

0.07

0.08

0.09

0.1

0.11

0.12

Average speed of vehicles (m/s)

Average

message

delay

AD

msg

(secon

d)

IBVABAKACPASPBAS

Fig. 11. Performance comparison via simulations for different authenticationschemes to reveal the relationship between the average message delays inRSUs and the average speed of vehicles, where the number of vehicles is100.

message delay of CPAS increases from 50 ms to 110 ms,and that of ABAKA increases from 31 ms to 73 ms whenthe vehicle density increases from 50 to 100. PBAS performsbetter than CPAS and ABAKA, whose average message delayincreases from 25 ms to 50 ms. From the simulations, wecan see that the performance of PBAS is slightly affected byvehicle density.

Fig. 10 shows the second set of simulation results to revealthe relationship between the average message loss ratios andthe number of vehicles. Note that the transmission range of avehicle is only 300 m. In AODV, the relay vehicles can helpthe other vehicles to forward messages. If a vehicular messagecan not find a suitable relay within its range to forward tothe destination, it will give up the messages. We can seefrom Fig. 10 that the message loss ratios of all the schemesdecrease at the beginning of the frame when the number of

0 5 10 15 20 25 30 35 40 450

0.05

0.1

0.15

0.2

0.25

0.3

0.35

0.4

Average speed of vehicles (m/s)

Average

message

loss

ratioALR

IBVABAKACPASPBAS

Fig. 12. Performance comparison via simulations for different authenticationschemes in RSUs to show the relationship between the average message lossratios and the average speed of vehicles, where the number of vehicles is 100.

vehicles increases, because the number of relays increasesas the number of vehicles increases. After the number ofvehicles exceeds 100 and increases sequentially, we observethat the hidden terminal problem degrades the average messageloss ratios significantly due to the frequent occurrence ofmessage collisions. Actually, in addition to collisions causedby the hidden vehicle node, frequent transmissions of RSUsynchronized with the vehicles in the same communicationarea may also cause collisions. Unfortunately, usually thereare more than 100 vehicles in VANETs, which cause theperformance degradation of VANETs. However, PBAS stillshows its advantages if compared with ABAKA, IBV, andCPAS.

Fig. 11 shows the third set of simulations to show the rela-tionship between the average message delays and the averagespeed of vehicles. From Fig. 11, we can see that the averagemessage delay of each scheme approaches to a constant,which is only slightly affected by the speed of the vehicles.However, in Fig. 12, the last simulation result illustrates thatthe message loss ratios for all schemes increase with theincreasing number of vehicles, because the transmissions havea higher probability of being interrupted when the vehicles aremoving fast. On the other hand, PBAS has the lowest messageloss ratio even when the speed increases, because the directtransmission time between RSUs and vehicles is the shortestin PBAS with the help of the proxy vehicles.

VII. CONCLUSIONPBAS makes use of vehicles’ computational capacity to

reduce the burden of RSUs, where the proxy vehicles canauthenticate multiple messages from the other vehicles. PBASalso provides RSUs with a systematic and independent mech-anism to verify the messages from the proxy vehicles. Inaddition, PBAS can negotiate a session key with every othervehicle for the confidentiality of sensitive information. Theevaluation model of PBAS showed that PBAS offers fault

tolerance, which enables the scheme to continue operatingproperly even if a small number of proxy vehicles are compro-mised in VANETs. Moreover, we analyzed and compared theperformance of PBAS with the other authentication schemesin terms of their computation and transmission overheads.We also used simulations to verify the efficiency of PBASin realistic environments, showing that PBAS is a promisingsecurity scheme for efficient VANET authentication.

In this work on PBAS, we focused on cryptography algo-rithm under an assumption that any vehicle having completedsystem initialization can act as a proxy vehicle. However, itis crucial to make sure that these vehicles have incentives toserve for the others under the condition of efficient messagedelivery. In the future, we will exploit the game theory to studyincentives mechanism. The redundant authentication is anotherissue, in which different proxy vehicles may work on the samemessage. To minimize the redundant authentication events,we should design a selection strategy that combines extracomputation resource utilization optimization and redundantauthentication reduction.

ACKNOWLEDGMENT

The authors would like to thank the anonymous reviewersfor their helpful comments to improve this paper.

REFERENCES

[1] M. Raya and J. P. Hubaux, “Securing vehicular ad hoc networks”,Journal of Computer Security, vol. 15, pp. 39-68, 2007.

[2] T. W. Chim, S. M. Yiu, C. K. Hui, and O.K. Li, “VSPN: VANET-basedsecure and privacy-preserving navigation”, IEEE Trans. on Computers,vol. 63, pp. 510-524, 2014.

[3] J. T. Isaac, S. Zeadally, and J. S. Camara, “Security attacks and solutionsfor vehicular ad hoc networks”, IET, Communications, vol. 4, pp. 894-903, 2010.

[4] S. Zeadally, R. Hunt, Y. S. Chen, A. Irwin, and A. Hassan, “Vehicularad hoc networks (VANETS): status, results, and challenges”, Telecom-munication Systems, vol. 50, pp. 217-241, 2012.

[5] A. Studer, F. Bai, B. Bellur, and A. Perrig, “Flexible, extensible,and efficient VANET authentication”, Journal of Communications andNetworks, pp. 574-588, 2009.

[6] C. Zhang, X. Lin, R. Lu, P. Ho, and X. Shen, “An efficient messageauthentication scheme for vehicular communications”, IEEE Trans. onVehicular Technology, vol. 57, pp. 3357-3368, 2008.

[7] C. Zhang, R. Lu, X. Lin, P. Ho, and X. Shen, “An efficient identity-basedbatch verification scheme for vehicular sensor networks”, in Proc. IEEEINFOCOM 2008, pp. 246-250, 2008.

[8] Dedicated Short Range Communications (DSRC), [Online]. Available:http://grouper.ieee.org/groups/scc32/dsrc/index.html

[9] 1609.2-2013-IEEE standard for wireless access in vehicularenvironments-security services for applications and managementmessages, IEEE Std 1609, 2013.

[10] J. L. Huang, L. Y. Yeh, and H. Y. Chien, “ABAKA: An anonymousbatch authenticated and key agreement scheme for value-added servicesin vehicular ad hoc networks”, IEEE Trans. on Vehicular Technology,vol. 60, pp. 248-262, 2011.

[11] S. J. Horng, S. F. Tzeng, Y. Pan, P. Fan, X. Wang, T. Li, and M. K. Khan,“b-SPECS+: Batch verification for secure pseudonymous authenticationin VANET”, IEEE Trans. on Information Forensics and Security, vol.8, pp. 1860-1875, 2013.

[12] K. A. Shim, “CPAS: An efficient conditional privacy-preserving au-thentication scheme for vehicular sensor networks”, IEEE Trans. onVehicular Technology, vol. 61, pp. 1874-1883, 2012.

[13] X. Li and L. Wang, “A rapid certification protocol from bilinear pairingfor vehicular ad hoc networks”, in IEEE Conf. Trust, Security andPrivacy in Computing and Communcations (TrustCOM) 2012, pp. 890-895, 2012.

[14] D. Johnson and A. Menezes, “The elliptic curve digital signaturealgorithm (ECDSA)”, International Journal of Information Security, vol.1, pp. 36-63, 2001.

[15] J. Petit, “Analysis of ECDSA authentication processing in VANETs”,in IEEE Conf. New Technologies, Mobility and Security (NTMS) 2009,vol. 1, pp. 1-5, 2009.

[16] A. Perring, R. Canetti, D. Song, and D. Tygar, “Efficient and securesource authentication for multicast”, in Proc. Network and DistributedSystems Security (NDSS), pp. 35-46, 2001.

[17] D. Boneh and M. Franklin, “Identity-based encryption from the weilpairing”, Springer-Verlag, pp. 213-229, 2001.

[18] H. Yoon, J. H. Cheon, and Y. Kim, “Batch verification with ID-basedsignatures”, in Proc. Information Security and Cryptology, pp. 233-248,2004.

[19] C. Zhang, P. Ho, and J. Tapolcai, “On batch verification with grouptesting for vehicular communications”, Wireless Networks, vol. 17, pp.1851-1865, 2011.

[20] T. W. Chim, S. M. Yiu, C. K. Hui, and O. K. Li, “SPECS: Secureand privacy enhancing communications schemes for VANETs”, Ad HocNetworks, vol. 12, pp. 189-203, 2011.

[21] A. Wasef, R. Lu, X. Lin, and X. Shen, “Complementing public keyinfrastructure to secure vehicular ad hoc networks [Security and Privacyin Emerging Wireless Networks]”, IEEE Wireless Communications, vol.17, pp. 22-28, 2010.

[22] A. Boldyreva, V. Goyal, and V. Kumar, “Identity-based encryption withefficient revocation”, in Proc. ACM conf. Computer and communicationssecurity, pp. 417-426, 2008.

[23] A. Wasef and X. Shen, “EDR: Efficient decentralized revocation protocolfor vehicular ad hoc networks”, IEEE Trans. on Vehicular Technology,vol. 58, pp. 5214-5224, 2009.

[24] A. Wasef, Y. Jiang, and X. Shen, “DCS: An efficient distributed-certificate-service scheme for vehicular networks”, IEEE Trans. onVehicular Technology, vol. 59, pp. 533-549, 2010.

[25] A. Wasef and X. Shen, “EMAP: Expedite message authentication proto-col for vehicular ad hoc networks”, IEEE Trans. on Mobile Computing,vol. 12, pp. 78-89, 2013.

[26] R. Lu, X. Lin, H. Luan, “Pseudonym changing at social spots: aneffective strategy for location privacy in VANETs”, IEEE Trans. onVehicular Technology, vol. 61, pp. 86-96, 2012.

[27] Y. Sun, R. Lu, X. Lin, X. Shen, and J. Su, “An efficient pseudonymousauthentication scheme with strong privacy preservation for vehicularcommunications”, IEEE Trans. on Vehicular Technology, vol. 59, pp.3589-3603, 2010.

[28] J. Choi, S. Jung, “A security framework with strong non-repudiationand privacy in VANETs”, in IEEE Conf. Consumer Communicationsand Networking Conference (CCNC) 2009, pp.1-5, 2009.

[29] R. Lu, X. Lin, Z. Shi, and X. Shen, “A lightweight conditional privacy-preservation protocol for vehicular traffic-monitoring systems”, IEEEIntelligent Systems, vol. 28, pp. 62-65, 2013.

[30] X. Zhu, S. Jiang, L. Wang, and H. Li, “Efficient privacy-preservingauthentication for vehicular ad hoc networks”, IEEE Trans. on VehicularTechnology, vol. 63, pp. 907-919, 2014.

[31] Y. Qian, K. Lu, and N. Moayeri, “A secure VANET MAC protocol forDSRC applications, in Proc. IEEE GLOBECOM 2008, 2008.

[32] G. Samara, W. A. H. A. Salihy, R. Sures, “Security analysis of vehicularad hoc networks (VANET)”, in IEEE Conf. Network ApplicationsProtocols and Services (NETAPPS) 2010, pp.55-60, 2010.

[33] P. Papadimitratos, J. P. Hubaux, “Report on the “secure vehicularcommunications: results and challenges ahead” workshop”, ACM SIG-MOBILE Mobile Computing and Communications Review, vol. 12 no.2, 2008.

[34] M. Raya, P. Papadimitratos, V. D. Gligory, and J. P. Hubaux, “On data-centric trust establishment in ephemeral ad hoc networks”, in IEEEAnnual Joint Conf. Computer and Communications Societies, pp. 1238-1246, 2008.

[35] S. Dietzel, J. Petit, G. Heijenk, and F. Kargl, “Graph-based metricsfor insider attack detection in VANET multihop data disseminationprotocols”, IEEE Trans. on Vehicular Technology, vol. 62, pp. 1505-1518, 2013.

[36] R. G. Engoulou, M. Bellaiche, S. Pierre, A. Quintero “VANET securitysurveys”, Computer Communications, 2014.

[37] Y. Qian, and N. Moayeri, “Design of secure and application-orientedVANETs”, in Proc. IEEE VTC Spring 2008, 2008.

[38] X. Lin and X. Li, “Achieving efficient cooperative message authen-tication in vehicular ad hoc networks”, IEEE Trans. on VehicularTechnology, vol. 62, pp. 3339-3348, 2013.

[39] The Network Simulator NS-2, [Online]. Available:http://www.isi.edu/nsnam/ns.

[40] VanetMobiSim Project Home Page, [Online]. Available: http://vanet.eurecom.fr.

Yi-liang Liu received the B.E. degree in Com-puter Science and Communication Engineering fromJiangsu University, Zhenjiang, China, in 2012. Heis currently working toward the M.E. degree inComputer Science and Communication Engineeringfrom Jiangsu University, Zhenjiang, China. He iscurrently a visiting research student in the Depart-ment of Engineering Science, National Cheng KungUniversity, Tainan, Taiwan, since January 2014. Hisresearch interests include security for wireless net-works, vehicular ad hoc network.

Liang-min WANG received his B. S. degreein computational mathematics in Jilin University,Changchun, China, in 1999, and the Ph.D degreein Cryptology from Xidian University, Xi’an, China,in 2007. He has been an associate professor of theSchool of Computer Science and CommunicationEngineering, Jiangsu University, Zhenjiang, China,from 2008 to 2013. He has also worked as a visitingscholar with Prof. Alex KOT from 2009 to 2010in the School of Electrical & Electronic Engineer-ing, Nanyang Technological University, Singapore.

Currently, he is a specially engaged professor with an honor of “WanjiangScholar” in the School of Computer Science and Technology, Ahui University,Hefei, China. Now his research interests include internet of things and wirelesssecurity. Dr. WANG is a senior member of Chinese Computer Federationand a member of Chinese Cryptology Federation. He is also a member ofACM(Since 2009) and IEEE(Since 2011).

Hsiao-Hwa Chen is currently a DistinguishedProfessor in the Department of EngineeringScience, National Cheng Kung University,Taiwan. He obtained his BSc and MSc degreesfrom Zhejiang University, China, and a PhDdegree from the University of Oulu, Finland,in 1982, 1985 and 1991, respectively. Heis the founding Editor-in-Chief of Wiley’sSecurity and Communication Networks Journal(http://www.interscience.wiley.com/security).Currently, he is also serving as the Editor-in-Chief

for IEEE Wireless Communications. He is a Fellow of IEEE, a Fellow ofIET, and an elected Member at Large of IEEE ComSoc.