A Novel Identity-Based Privacy-Preserving Anonymous Authentication Scheme for Vehicle-to-Vehicle Communication

Abstract—This paper proposes a novel bilinear pairing-free identity-based privacy-preserving anonymous authentication scheme for vehicle-to-vehicle (V2V) communication, called “NIBPA”. Today, vehicular ad hoc networks (VANETs) offer important solutions for traffic safety and efficiency. However, VANETs are vulnerable to cyberattacks due to their use of wireless communication. Therefore, authentication schemes are used to solve security and privacy issues in VANETs. The NIBPA satisfies the security and privacy requirements and is robust to cyberattacks. It is also a pairing-free elliptic curve cryptography (ECC)-based lightweight authentication scheme. The bilinear pairing operation and the map-to-point hash function in cryptography have not been used because of their high computational costs. Moreover, it provides batch message verification to improve VANET performance. The NIBPA is compared to existing schemes in terms of computational cost and communication cost. It is also tested for security in the random oracle model (ROM). As a result of security and performance analysis, NIBPA gives better results compared to existing schemes.


I. INTRODUCTION
Intelligent transportation systems (ITS) that increase traffic efficiency and provide traffic safety are important parts of smart cities. Communication from vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I), such as vehicle-to-network (V2N) and vehicle-to-grid (V2G), has become widespread thanks to the development of 5G and beyond, and the internet of things (IoT) technologies. VANET is a vehicular network that enables vehicles to communicate with each other and with the infrastructure. It provides V2V and V2I communication using dedicated to provide privacy and security and increase efficiency in VANETs or IoV [3]-[13], [15]-[18].

Raya and Hubaux [8] proposed an anonymous authentication scheme based on the public-key infrastructure (PKI). Key pairs and certificates are uploaded to the on-board unit (OBU) to create an anonymous identity. However, this requires high storage and is inefficient. Lu, Lin, Zhu, Ho, and Shen [9] proposed a new solution based on the temporary distribution of anonymous certificates to vehicles by road-side unit (RSU). But this scheme is inefficient because it requires temporary certificates for every vehicle in the broadcast domain of RSUs. In the PKI, vehicles use public-key, private-key, and certificates from the central authority for authorisation. Certificates are used for public-key distribution, which is one of the important issues of public-key cryptography methods. Certificate management incurs additional costs. Using user identity information as a public-key with identity-based cryptography offers a solution to this problem. Identity information of the users, such as an IP address, MAC address, email address, phone number, or IMEI number [19], as well as private, non-repudiable information that identifies them, such as vehicle chassis and licence plate numbers, can serve as a public-key. Therefore, the identity-based scheme significantly decreases the communication cost and computational cost by eliminating the need for certification.

Zhang, Lu, Lin, Ho, and Shen [10] proposed a PPA scheme that uses identity-based cryptography. In this scheme, neither the vehicle nor the RSU needs a certificate. Also, it can perform batch verification for many messages. However, this scheme is insecure against repudiation and replay attacks [16]. Ali and Li [17] and others [3], [11], [12], [18] also proposed an identity-based PPA scheme for VANETs. The PPA scheme has also been proposed in IoV [13]. These schemes use bilinear pairing operations and/or map-to-point hash functions. But these operations are very costly regarding computation processes. As a solution to this problem, He, Zeadally, Xu, and Huang [7] proposed the identity-based bilinear pairing-free PPA scheme using ECC. Similarly, in [4]-[6], ECC-based bilinear pairing-free schemes have been proposed. Xiong, Wang, Wang, Zhou, and Luo [4] proposed a conditional PPA scheme for VANETs, called "CPPA-D". This scheme provides double insurance for private keys. Li et al. [5] proposed an efficient and provably-secure PPA scheme. In this scheme, the message signing performance is quite good, but the message verification performance is low. Ali, Lawrence, and Li [20] proposed an identity-based signature scheme for V2V communication. It has high performance and is pairing-free. However, in [21], it was proved that this scheme is not secure. Alazzawi, Lu, Yassin, and Chen [22] proposed an authentication scheme for VANETs. This scheme does not support unlinkability. Cui, Zhang, Zhong, and Xu [15] proposed the ECC-based scheme (SPACF) using a cuckoo filter and binary search. They tried to increase the efficiency of batch verification. As a result, the motivation for this paper is to propose a high-performance PPA scheme for VANETs without sacrificing security.

B. Our Contributions
The contributions of the NIBPA scheme for V2V communication in VANET are as follows.
• NIBPA is a novel identity-based anonymous bilinear pairing-free PPA scheme using ECC. It can also perform batch verification. In addition, it is secure against adaptive selected messages in ROM and satisfies other security requirements.
• Finally, it is a lightweight scheme that provides high performance compared to existing schemes.

C. Organisation
The remainder of this paper is organised as follows. In Section II, ECC, bilinear pairing, VANETs, and security and privacy requirements are explained. In Section III, the proposed NIBPA scheme is designed. In Section IV, the implementation of the NIBPA scheme is carried out. In Section V, we perform a security analysis of the NIBPA. In Section VI, a performance analysis is realised and the computation cost and communication cost are compared with other existing schemes. Finally, in Section VII, results and future work are given.

II. DEFINITIONS AND BACKGROUND
In this section, ECC, bilinear pairing, VANETs, and security and privacy requirements are briefly introduced.

A. Elliptic Curve Cryptography (ECC)
ECC is a public-key cryptography method that uses two keys: the public-key and the private-key. The security of ECC is based on the difficulty of the elliptic curve discrete logarithm problem (ECDLP). Mathematical operations in the ECC are performed on finite fields because they give more efficient and accurate results [23].
Let us define a non-singular elliptic curve E(a, b) over a finite field p, denoted as E/p, where p is a large prime number and a, b are constant integers less than p. a and b satisfy (2). Suppose G is a cyclic additive group. The set of all points on E(a, b) together with the infinity point (O) forms an additive elliptic curve group G with generator point P and of order q. There are three main mathematical operations used in ECC on points: point addition, point doubling, and scalar multiplication.
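The three point operations named above, written out for the NIST P-256 curve that Section IV uses. This is an added example, not the paper's implementation: the function names are illustrative, the constants are the published P-256 parameters, and the non-singularity test is the standard condition 4a^3 + 27b^2 ≠ 0 (mod p).

```python
# Added example (not the paper's code): NIST P-256 group operations in pure Python.
# Function and variable names are illustrative. Needs Python 3.8+ for pow(x, -1, m).
P_MOD = 2**256 - 2**224 + 2**192 + 2**96 - 1   # field prime p
A = P_MOD - 3                                   # curve coefficient a
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
P_GEN = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
         0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)
Q_ORD = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
INF = None                                      # point at infinity O

def is_non_singular(a, b, p):
    """Standard non-singularity condition: 4a^3 + 27b^2 != 0 (mod p)."""
    return (4 * a**3 + 27 * b**2) % p != 0

def on_curve(pt):
    """True if pt is O or satisfies y^2 = x^3 + ax + b (mod p) with reduced coordinates."""
    if pt is INF:
        return True
    x, y = pt
    if not (0 <= x < P_MOD and 0 <= y < P_MOD):
        return False
    return (y * y - (x * x * x + A * x + B)) % P_MOD == 0

def point_add(p1, p2):
    """Point addition; uses the tangent (point doubling) when p1 == p2."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                              # P + (-P) = O
    if p1 == p2:                                # doubling: tangent slope
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P_MOD, -1, P_MOD) % P_MOD
    else:                                       # addition: chord slope
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)

def scalar_mult(k, pt):
    """Double-and-add k*pt. Not constant-time: illustration only, not for real keys."""
    result, addend = INF, pt
    k %= Q_ORD                                  # valid because the group has prime order q
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result

def accept_received_point(pt):
    """Receiver-side check before using a point taken from a message."""
    return pt is not INF and on_curve(pt)

def public_key(x):
    """Q = x*P; recovering x from Q is the ECDLP."""
    if not 1 <= x < Q_ORD:
        raise ValueError("private key must be in [1, q-1]")
    return scalar_mult(x, P_GEN)
```

A verifier that skips `accept_received_point` on points taken from a message performs arithmetic outside the intended group, so the check belongs before any scalar multiplication on received data.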

C. Vehicular Ad Hoc Networks (VANETs)
VANETs are used in ITS for many purposes such as connection between vehicles (V2V), connection of vehicles with infrastructure (V2I), safety, and optimisation in traffic. It consists of three basic units: RSU, OBU, and central authority (CA) [2], [25]. A basic VANET model is shown in Fig. 1. Let us explain the basic units of VANET below.

Road-Side Unit (RSU)
RSUs are roadside wireless communication devices that provide communication between vehicles and the central unit. V2I communication is established between roadside units and vehicles [6]. RSUs send information to vehicles within communication range to provide better traffic safety and management [7]. They also collect routine information such as road condition, weather condition, and direction of other vehicles with sensors and transmit this information to vehicles within range [5], [7], [17].

On-Board Unit (OBU)
An OBU is a tamper-proof device (TPD) that can perform cryptographic operations and store secret information [7]. Thanks to OBU, vehicles communicate with other vehicles (V2V) and roadside units (V2I) with the help of the DSRC protocol [12]. This device is the black box of the vehicle. OBUs regularly broadcast some useful information to other vehicles and RSUs, such as locations, directions, speeds, and traffic accidents [3].

Central Authority (CA)
CA is the centre of management for VANETs [11]. Vehicles and RSUs that want to be included in VANET are registered in the network structure by the CA [6], [12]. It gives them an anonymous identity and private key. The real identity of the vehicles is known only to the CA.

D. Security and Privacy Requirements
We define the security and privacy requirements for secure communication in VANETs.

Message authentication and integrity
When the vehicle or RSU receives a message, it checks the integrity of the message and the identity of the sender. The integrity of the message guarantees that no third parties have made changes to the message [17]. Identity check is used to determine whether it is sent by the vehicle or RSU in VANET [6].

Non-repudiation
An RSU and a vehicle cannot reject messages they have sent [4]. In this way, malicious messages can be detected and the sender can be determined.

Identity privacy-preserving
Vehicle identities must be anonymous. Any other vehicle, RSU and attackers should not be able to determine the real identities of other vehicles based on the messages sent.

Traceability and revocability
Even if the identities of the vehicles are to be covered, in some cases, such as fines or cancellation of identity, the real identity of the vehicles may be needed.The real identities of the vehicles can only be uncovered by the CA.

Unlinkability
Vehicles, RSU, and attackers should not be able to detect if two or more of the sent messages are from the same vehicle [16].

Impersonation attack
Vehicles, RSU, and attackers should not be able to legally create a signature on behalf of another vehicle.

Man in the middle attack
Vehicles, RSU, and attackers should not be able to manipulate messages between two vehicles.

III. THE PROPOSED NIBPA SCHEME
The proposed NIBPA scheme consists of four phases: system setup phase, anonymous identity generation and registration phase, message signing phase, and single and batch message verification phase. The flow chart of the proposed NIBPA scheme is shown in Fig. 2. The notation and descriptions used in the design of the NIBPA are shown in Table I. Let us examine in detail the four phases of the NIBPA scheme that follow.
H is used to identify vehicles, so it is used only by the CA.

B. Anonymous Identity Generation and Register Phase
In this phase, the vehicles are registered by the CA. The registration of vehicles to the central unit (CU) is done using licence plates. Based on the licence plate number, which is the real identity of the vehicles, an anonymous identity is created and delivered to the vehicles. Let us examine these phases below.
1. The vehicle $V_i$ applies to the CA for registration with
4. The vehicle $V_i$ generates its digital signature  x i as in (7). In this equation,  x i is multiplied by the signature private key $s_i$ and the result is summed with the vehicle's private key
5. Finally, the vehicle $V_i$ that wants to send a message to the vehicles around it sends the parameters { , , , , } AID P Q Ts along with the $message_i$.

D. Message Verification Phase
When the vehicle $V_i$ receives a message from other vehicles, it is checked if the message is sent from a registered vehicle and whether the integrity of the message is satisfactory. The message verification phase is proved for single message and batch message.
1. First, the timestamp ($Ts_i$) is checked. If it is not within the specified time range $T$, the message is rejected. Thus, messages that do not arrive on time are rejected before the message verification phase.

2. The vehicle $V_j$ that receives the message checks whether it provides (8) using the parameters { , , , , , } message AID P Q Ts sent with the single message. If not, the message is rejected.
Let us prove the correctness of (8).
Thus, single message verification has been proven. When the vehicle receives multiple messages, it performs the verification of the messages very quickly thanks to batch verification.
3. If a batch message is sent to the vehicle, it is checked whether (10) is satisfied or not.
Let us prove the correctness of (10).
Thus, batch message verification has been proven.

IV. IMPLEMENTATION
In this section, the implementation of the message signing and message verification phase of the proposed NIBPA scheme is performed. In this process, the real-value NIST P-256 elliptic curve parameters and the SHA-256 hash function are used.
• Vehicle $V_i$ computes  x i using the following parameters:
  • x i AID = (9906948770886992088055187922065272003505 3029167298784326783672825474250044361);
  • $message_i$ Attention there is an accident!!!!;
  • $Ts_i$
Thus, the signature is generated and sent to the receiving vehicle $V_j$ along with other parameters { , , , }.

V. SECURITY ANALYSIS
In this section, the security analysis of the NIBPA scheme is performed. Firstly, we will analyse its security in the ROM. The following steps are performed to check the security and privacy of NIBPA according to the security and privacy requirements explained in Section II.

A. Random Oracle Analysis
A game is set up to perform the security analysis of the NIBPA scheme and to measure the proficiency of the adversary against this scheme. This game is played between the challenger and the adversary Adv. If the adversary Adv wins this game, the authentication security of the NIBPA will be broken.
Suppose that the NIBPA scheme is secure against the adaptive chosen message in the random oracle model. Let us prove this assumption in the following.
• If (8) and (12) are arranged as follows, (13) and (14) are obtained:
Equation (14) is quite difficult to solve because of ECDLP $(Q = x \cdot P)$. Thus, the proposed NIBPA scheme proves to be robust against the adaptive chosen message in the ROM.

B. Message Authentication and Integrity
The authentication and integrity of the message is checked by the vehicle $V_i$. Using the parameters { , , , , } AID P Q Ts sent with the received message, it is checked whether (8) is provided or not. If (8) is satisfied, the authentication of the message and the integrity of the message are ensured. Thus, the NIBPA provides message authentication and integrity.

C. Non-Repudiation
Even if their anonymous identity () is used in messages broadcast by vehicles, vehicles cannot deny their identity. If any vehicle rejects the message it produces, its real identity ($ID_i$) is revealed by the CA calculation with the 1 ( || ). ID AID H P   Thus, the NIBPA provides non-repudiation.

D. Identity Privacy-Preserving
The real identities of the vehicles are anonymised by the CA calculation with the 1 ( || ). Vehicles send messages with their anonymous identities; therefore, their real identities are not known to other vehicles. Since the vehicle cannot be identified, it is protected against malicious intentions. The real identity of the vehicles can only be revealed by the CA. Thus, the NIBPA provides identity privacy-preserving.

E. Traceability and Revocability
The use of anonymous identity by vehicles does not mean that they will not be tracked. The vehicles that send fake messages that will endanger the security are determined, and the authorisation to send messages is cancelled. The CA tracks suspicious vehicles and reveals their true identities. Thus, these vehicles are removed from VANET, which prevents them from transmitting messages. The vehicle anonymous identity, 1 ( || ), using the CA private key  and the vehicle public-key . x i P The real identity of the vehicle $V_i$ is revealed by calculating 1 ( || ). ID AID H P Thus, the NIBPA provides traceability and revocability.

F. Unlinkability
message AID P Q Ts to other vehicles along with the message. The anonymous identity used by the vehicle changes with each message. The parameters P AID k are sent to the registered vehicle $V_i$ via a secure channel and preloaded into the TPD for use in signature generation. The digital signature and anonymous identity are different from each other in each message. Thus, the attacker cannot link the signature and the anonymous identity based on messages.

G. Impersonation Attack
An attacker would need to create parameters { , , , , } AID P Q Ts for a vehicle to impersonate. However, since $k_i$ and $s_i$ are the private keys of the vehicle $V_i$, the attacker cannot do it. Thus, the NIBPA scheme is robust to impersonation attack.

H. Man in the Middle Attack
Since communication between vehicles is based on $ID_i$ authentication, an attacker who is not registered with the CU cannot perform a man-in-the-middle attack.

VI. PERFORMANCE ANALYSIS
In this section, we analyse the performance of the NIBPA scheme in terms of computational cost and communication cost. We compare NIBPA with other schemes in [3]-[7] for performance analysis. NIBPA and the schemes in [4]-[7] are based on ECC and the scheme presented in [3] is based on bilinear pairing.

A. Computation Cost Analysis
The execution times and definitions of cryptographic operations used to determine the computational costs of the NIBPA scheme and other schemes are shown in Table II (ms: millisecond). The execution times of the concatenate and XOR operations in computation are quite low, so these operators can be neglected in the computation cost analysis. For these calculations, a computer platform running on the Linux operating system with an Intel (R) Core (TM) i7-7500U CPU processor and 8 GB RAM, and the PBC and GMP cryptographic libraries in the C++ programming language are used. The PBC and GMP cryptographic libraries are used together for pairing operations. The execution of each operation is repeated 100 times and the average value of the execution time of cryptographic operations is computed.

MS, OMV, and BMV denote message signing, single message verification, and batch message verification, respectively. In the scheme of Bayat, Barmshoory, Rahimi, and Aref in [3], the computational cost of MS consists of five scalar multiplications in bilinear pairing, one point addition in bilinear pairing, one map-to-point hash function, and two one-way hash functions. Thus, the execution time of MS is $5T_{\text{sm-bp}} + T_{\text{pa-bp}} + T_{\text{mtp}} + 2T_{h} = 8.9731$ ms. The computational cost of OMV consists of three bilinear pairing operations, one scalar multiplication in bilinear pairing, one map-to-point hash function, and one one-way hash function. Thus, the execution time of OMV is $3T_{\text{bp}} + T_{\text{sm-bp}} + T_{\text{mtp}} + T_{h} = 17.9244$ ms. The computational cost of BMV consists of three bilinear pairing operations, $n$ scalar multiplications in bilinear pairing, $(3n - 3)$ point additions in bilinear pairing, $n$ map-to-point hash functions, and $n$ one-way hash functions. Thus, the execution time of the BMV is $3T_{\text{bp}} + nT_{\text{sm-bp}} + (3n - 3)T_{\text{pa-bp}} + nT_{\text{mtp}} + nT_{h} = 4.2183n + 13.7061$ ms. In the same way, the execution times of MS, OMV, and BMV in [4]-[7] are computed.

Finally, in the proposed NIBPA scheme, the computational cost of MS consists of one scalar multiplication and one one-way secure hash function. Therefore, the execution time of MS is $T_{\text{sm-ecc}} + T_{h} = 0.3704$ ms. The cost of OMV computation consists of two scalar multiplications, one point addition, and a one-way hash function. Therefore, the execution time of OMV is $2T_{\text{sm-ecc}} + T_{\text{pa-ecc}} + T_{h} = 0.7429$ ms. The computation cost of BMV consists of $(n + 1)$ scalar multiplications, $(2n - 1)$ point additions, and $n$ one-way hash functions. Thus, the execution time of BMV is $(n + 1)T_{\text{sm-ecc}} + (2n - 1)T_{\text{pa-ecc}} + nT_{h} = 0.375n + 0.3679$ ms. The comparison of the calculation costs analysis of the proposed NIBPA scheme and the other five schemes is shown in Table III.

In Fig. 3, the computation costs of the NIBPA scheme and other schemes in MS and OMV are compared. The proposed NIBPA scheme provides 95.87 %, 50 %, 0.054 %, 0 %, and 66.67 % less execution time in MS compared to the schemes in [3]-[7], respectively. If we do the same comparison for OMV, it provides 95.86 %, 34.30 %, 49.92 %, 33.41 %, and 33.41 % less execution time than the schemes in [3]-[7], respectively. The improvement calculation as percentage for the scheme in [3]
The proposed NIBPA scheme performs batch message verification in less time than other schemes. It gives better results as the number of messages increases.

B. Communication Cost Analysis
Let us compare the communication cost of the NIBPA with the other five schemes. In computing the communication cost, let us assume the size of the elements in $Z_q^*$ and the one-way hash function as 20 bytes and the size of the timestamp $Ts_i$ as 4 bytes. At the same time, let us assume that the sizes of the elements in the multiplicative group $G_1$ and the additive cyclic group $G$ are 128 and 40 bytes, respectively. In the scheme in [3], the total communication cost of the
As seen in Table IV, the communication cost of the NIBPA is lower than the schemes in [3]-[7].

VII. CONCLUSIONS
In this paper, a novel identity-based privacy-preserving anonymous authentication scheme with ECC called "NIBPA" is proposed. It is used for V2V communication in VANETs. The proposed NIBPA scheme provides low computation cost and communication cost thanks to its pairing-free nature.
It can also perform batch message verification. Thus, it is a lightweight scheme that confirms a large number of messages faster. As a result of security analysis, it has been proven to satisfy privacy and security requirements. It has also proven to be a more cost-effective scheme compared to other existing schemes in terms of computation and communication costs. Message verification time is improved by 33.41 % to 95.86 % compared to existing schemes. Thus, the proposed NIBPA scheme is suitable for V2V communication in VANETs as it is efficient and secure. In future work, we are considering designing vehicle-to-everything (V2X) communication for 5G-enabled vehicular networks. We also plan to use technologies such as homomorphic encryption and blockchain in VANETs.

Fig. 2. The flow chart of the proposed NIBPA scheme.
T parameters sent by the vehicle is 128 × 3 + 4 = 388 bytes. In the same way, the total communication cost is computed in the schemes in [4]-[7]. Finally, in the proposed NIBPA scheme, the total communication cost of the parameters Si T sent by the vehicle is 20 × 2 + 40 × 2 + 4 = 124 bytes. The comparison of the communication cost analysis of the NIBPA and the other five schemes is shown in Table IV.

Setup Phase
1. The CA selects a non-singular elliptic curve ( , ) p If the equation is not satisfied, the values of a and b are reselected. Later, a generation point P with order q is chosen for ( , ).CA E p q P P H to all vehicles. The one-way hash function 1

TABLE I. NOTATIONS USED AND DESCRIPTION.
$V_i$, $V_j$: The $i$th and $j$th vehicle
$ID_i$: $V_i$'s real identity, licence plate number
$AID_i$: Anonymous identity of vehicle $V_i$
E (a, b) p: Prime finite field
P: Generator point

21.09.2022, 10:55 PM;
 $V_i$ computes the signature
[26]ot, then play over. As a result, the NIBPA is secure. But if the forgery lemma [26] is taken into account, the adversary Adv can generate a different valid message ** ()

TABLE II. EXECUTION TIME OF CRYPTOGRAPHIC OPERATIONS.

TABLE III. COMPARISON OF THE COMPUTATION COST ANALYSIS.

TABLE IV. COMPARISON OF THE COMMUNICATION COST ANALYSIS.