An Efficient Conditional Privacy-Preserving Authentication for VANETs

1. Introduction

As a significant research area within mobile ad hoc networks, Vehicular Ad Hoc Networks (VANETs) facilitates communication between vehicles and between vehicles and road-side infrastructure(RSU). Their primary objective is to ensure safer and more efficient road transportation by providing real-time information on traffic conditions, potential hazards, and vehicle statuses. As vehicles become increasingly interconnected, the importance of VANETs rises, opening avenues for innovative applications, ranging from collision warnings to dynamic route planning.As a result, the VANET has always been a research area focused on security and privacy, especially with the increasing information dissemination and exchange. In VANETs, each vehicle transmits traffic information to neighboring vehicles at intervals of 100-300 milliseconds using the Dedicated Short-Range Communication (DSRC) protocol. The beacon messages sent by vehicles contain safety-related information such as position, speed, and driving behavior [1].

While this communication protocol enables vehicles to receive real-time traffic information and enhance traffic management efficiency, it also presents vulnerabilities in an open environment. The transmitted plaintext data can be easily intercepted, monitored, or even tampered with by malicious third parties, resulting in the exposure of users’ private information and irreversible harm [2].To address security and privacy concerns, numerous research papers have proposed CPPA schemes [3,4,5,6,7,8,9,10,11,12,13,14,15,16,17]. However,these schemes face limitations in terms of security and efficiency, with these schemes either imposing higher computational overhead for enhanced security or compromising some level of security to reduce overhead. In scheme [4],OBU requires large storage capacity to store pseudonyms and the authentication process involves complex bilinear mapping operations, which increases high-cost overhead. In scheme [8], the TA’s involvement in the entire process results in a heavy workload and increases the risk of a single point of failure. In scheme [3], the inadequate management of pseudonyms exposes the system to vulnerabilities against Sybil attacks and the scheme [6] lacks mechanisms for revocation and mutual authentication.The insufficiencies of current solutions have served as our inspiration to design efficient solutions that achieve an enhanced equilibrium between safety and efficiency.The lightweight authentication scheme we developed is based on ECC and incorporates a token mechanism for achieving mutual authentication. This ensures minimal information leakage, with only the vehicle itself and TA being aware of the true identity of the vehicle. Furthermore, the lists maintained by the TA and RSUs facilitate efficient revocation of vehicles and prevent the reuse of pseudonyms by vehicles, effectively mitigating the risk of Sybil attacks.

Here are the main contributions of this paper:

• The token mechanism implemented ensures minimal privacy disclosure, wherein only the vehicle and TA possess the true identity of the vehicle.
• By enabling the RSU to centrally manage pseudonyms, it significantly alleviates the burden on TA and effectively safeguards against pseudonym abuse through a well-maintained revocation list, and make revocation easier.
• The performance analysis demonstrates that our scheme can achieve a reduced overhead, with the generation of a pseudonym for a vehicle requiring only 0.0039ms.

The remaining sections of this paper are organized as follows: Section 2 provides a comprehensive survey of related works in the field, while Section 3 presents the preliminaries, system model, and security requirements of the proposed scheme. In Section 4, we elaborate on the details of the proposed CPPA scheme, followed by an extensive security analysis in Section 5 and a thorough performance evaluation in Section 6. Finally, concluding remarks are presented in the last section.

2. Related Works

In the field of conditional privacy-preserving authentication(CPPA), numerous contributions have been made, and existing anonymous authentication schemes can be roughly categorized into four types: PKI-based [18,19,20], ID-based [21,22,23], group signature-based [24,25], and pseudonymous-based [4,5,6,8,11],and according to the management of anonymous identities, the main entities involved are the Trusted Authority (TA), Roadside Units (RSUs), and the vehicles themselves.Raya et al. [18] proposed a PKI-based scheme where the TA pre-generates numbers of anonymous certificates for vehicles, which are used for message authentication. This scheme successfully addresses privacy leakage concerns. However, it still has some drawbacks. For instance, vehicles need sufficient storage space to store all the anonymous certificates, which imposes storage overhead. There is also a key escrow issue and the TA manages certificates for all vehicles, leading to an increased workload. Moreover, certificate management becomes complex and challenging.Subsequently, to improve efficiency, Lin et al. [19] proposed a PKI-based blockchain authentication scheme in which blockchain technology is combined with key derivation algorithms to achieve effective certificate management.In [20]’scheme, they used smart contract-based trust chain to replace traditional CA trust chain, thereby reducing certificate transmission and management costs. However, with an increasing number of vehicles, certificate management still faces challenges. Furthermore, blockchain, as a relatively new technology, is not yet matured and has high throughput and latency, making it less suitable for high-speed moving vehicles and presenting limitations. Additionally, the size of the blockchain may restrict its practicality in resource-constrained vehicular systems.

Considering the certificate management issues in PKI-based solutions, Shamir et al. [21] firstly introduced the ID-based scheme. According to their scheme, the public key of a vehicle is derived from its publicly available information. As a result, the vehicle’s identity and public key can be associated without relying on any certificates. In this way, the issues related to certificate management are eliminated.Wang et al. [22] proposed a LIAP scheme, which simplifies the complexity of revocation. However, it introduces bilinear pairing algorithms that require significant computational overhead. Additionally, in both [21,22] schemes, the signing key pairs required by the vehicles are obtained from the third party, resulting in key escrow issues.To address this issue, Wang et al. [23] proposed an novel identity-based scheme. In the scheme, the key pair is generated collaboratively by TA, RSU, and the vehicle, effectively avoiding key leakage problems. However, the process of generating the key pair relies on the involvement of the TA and RSUs. This means that vehicles cannot independently generate their own keys and instead require support from external entities. This introduces increased complexity and dependency in the system, as well as requirements for trust and security in the TA and RSUs. Additionally, there is a risk of the single-point of failure.

Regarding group signature schemes, a group administrator generates the public key, enabling vehicles within the group to generate signatures which can be verified using the group public key. Privacy is ensured in this scheme as the signers maintain anonymity within the group.In [24], Nath et al. proposed a mutual authentication scheme. In this scheme, To enhance security, pseudonyms are used to protect users’ privacy, and messages are encrypted before they are sent. However, in the pseudonym generation phase, vehicles need to frequently interact with both the TA and RSU, which introduces additional communication overhead. Furthermore, the frequent joining and leaving of vehicles result in large group management overhead. Additionally, tracking malicious vehicles becomes more challenging.To achieve greater flexibility and improved traceability, Guo et al. [25] proposed an efficient ring-based signature scheme. In this scheme, they devised a tracking algorithm that integrates tracking tags into messages, allowing trusted entities to easily find the malicious vehicle from ring list. However, these two schemes do not delve into the revocation of vehicles in detail.

There are numerous CPPA schemes based on pseudonyms, such as [3,4,5,6,7,8,9,10,11,12,13,14,15,16,17]. In the fog-based scheme proposed by Zhong et al. [3], vehicles generate pseudonyms using two seed values, which partially alleviates the burden on the Trusted Authority (TA) and reduces the storage overhead for vehicles. However, there are also some drawbacks. If malicious vehicles continuously generate and use new pseudonyms, they can launch Sybil attacks.There are also certificateless schemes based on pseudonyms, such as [4,6,12]. Qi et al. [12] proposed a certificateless conditional privacy-preservation scheme (CPPS) using bilinear mapping. In their scheme, a part of the vehicle’s keys is generated by a Key Generation Center (KGC), while the remaining keys are randomly chosen by the KGC itself.However, the bilinear pairing operation is a computationally expensive operation, which leads to low efficiency in schemes like the one proposed in [4,12]. Although [6] avoids the use of bilinear mapping, its communication overhead is still not highly efficient. Ye et al. [11] proposed a CPPA scheme based on pseudonyms with (t,n) threshold secret sharing, optimizing the revocation overhead of pseudonyms. However, the scheme involves bilinear mapping, resulting in high computational costs. Additionally, the TA needs to be online for a long duration to generate pseudonyms, which poses a big challenge for its workload.

In general, the proposed scheme provides better security and functionality compared to the existing schemes mentioned in Table 1.

3. Preliminaries

In this section, we will introduce a network system that encompasses the Internet of Vehicles (IoV), security requirements, and elliptic curve cryptography.

3.1. System Model

Figure 1 illustrates the standard architecture model of the vehicular ad hoc networks (VANETs) which primarily contains three entities: TA (Trust Authority), RSU (Roadside Unit), and V (Vehicle).

• TA: As a Authority which is trusted and cannot be compromised, TA possesses strong computing and storage resources and is responsible for the initialization operations of the entire system, as well as the registration of V and RSU within the system. Besides, TA also can track malicious vehicles.
• RSU: RSU serves as the roadside infrastructure and is also a trusted entity. It provides services to the communicating vehicles and acts as an intermediary between TA and V. RSU is responsible for managing the pseudonyms of vehicles.
• V: Vehicles are the communication entities in the system and are equipped with TPD and OBU. The OBU is responsible for generating key pair, while the TPD can store the key pair and other sensitive datas.

3.2. Security Requirements

In this system, we have designed several security requirements that the vehicular network should achieve.

• Anonymity: The true identity of a vehicle must be transmitted in an anonymous manner, preventing a malicious adversary from analyzing the original sender’s identity.
• Traceability: If deception occurs, the true identity of the malicious vehicle can be traced.
• Message authentication and integrity: The recipient can verify the legitimacy of the sender’s identity and the validity of the message.
• Revocability: If a vehicle engages in malicious behavior, both RSU and TA can collaborate to revoke the credentials or privileges of that vehicle.
• Unlinkability: Vehicles periodically change their pseudonyms to prevent malicious third parties or vehicles from determining whether the messages originate from the same vehicle.
• Resist other attacks: The Scheme could resist typical attacks such as replay attacks, Sybil attacks, man-in-the-middle attacks, key escrow, etc.

3.3. Elliptic Curve Cryptography

Let ${\mathbb{F}}_p$ represent a finite field where p is a large prime number.An elliptic curve E can be defined over ${\mathbb{F}}_p$ as $y^2=x^3+ax+b\left(\mathrm{mod}p\right)$,where $a,b\in {\mathbb{F}}_p$ and $(4a^3+27b^2)modp\ne 0$. Let’s assume O is an infinity point on E, The set of points on the elliptic curve, including the point O, form an additive elliptic curve group $\mathbb{G}$ which has an order of q and generator P.

4. The Proposed Scheme

The proposed scheme will be comprehensively described in detail in this section.The scheme consists of five stages: system initialization stage, registration stage (which further includes vehicle registration and RSU registration), pseudonym generation stage, message signature stage, and message verification stage. The symbols employed in this scheme are illustrated in Table 2, providing a comprehensive overview of their meanings, usage, and other symbols that are described when used.

4.1. System Initialization Stage

• Initially, the TA chooses an elliptic curve E, defined as $y^2=x^3+ax+b\left(\mathrm{mod}p\right)$ over a finite field of prime order p,where p is a large prime number, and $a,b\in {\mathbb{F}}_p$.Subsequently, the TA chooses an additive group $\mathbb{G}$ that has an order of q. And P serves as the generator for $\mathbb{G}$.
• Then the TA selects randomly a number $s\in {\mathbb{Z}}_q^{*}$ ,which serves as the master key of the system, and then computes $P_{pub}=sP$,which serves as the public key of the system.
• Afterward, Four general one-way hash functions are selected by TA, which include $H:{\left\{0,1\right\}}^{*}\to {\mathbb{Z}}_q^{*}$, $H_0:\mathbb{G}\to {\mathbb{Z}}_q^{*}$, $H_1:\mathbb{G}\times {\left\{0,1\right\}}^{*}\to {\mathbb{Z}}_q^{*}$, $H_2:{\left\{0,1\right\}}^{*}\times \mathbb{G}\times {\left\{0,1\right\}}^{*}$ $\to {\mathbb{Z}}_q^{*}$.
• Lastly, TA disseminates the public parameters $Param{s}_{pub}=\left\{a,b,P,\mathbb{G},H,H_0,H_1,H_2\right\}$ to all vehicles and RSUs, then, TA keeps s for itself.

4.2. Registration Stage

• The registration of Vehicle
  During the vehicle registration stage, all vehicles register offline. The registration process is as follows:

  (a)

  V generates its own private key $V_{SK}\in {\mathbb{Z}}_q^{*}$, then computes the public key $V_{PK}=V_{SK}P$.

  (b)

  V provides its real identity $VID$ and public key $V_{PK}$ to TA.

  (c)

  TA first checks the registration list to determine if V has already registered. If V is already registered, TA rejects the registration. If V is not registered, then TA chooses a number $\alpha \in {\mathbb{Z}}_q^{*}$ randomly, and TA generates $V_{token}$ for V and adds it to the list, setting the status of V as $legal$.

  (d)

  Each row in the form is formatted as follows:$V_{ID},V_{PK},V_{token},legal$.

  (e)

  The process of TA generating $V_{token}$ for V is as follows:

  $$\begin{array}{cc}\hfill & P_1=\alpha P,R_v=P_1\left(x\right)\hfill \\ \hfill & F_1=H_0\left(V_{PK}\right)\hfill \\ \hfill & S_V={\alpha }^{-1}(F_1+s{R}_v)(modq)\hfill \end{array}$$

  (1)

  (f)

  Finally, TA gets $V_{token}=(R_v,S_V)$ and sends it to the V.

• The registration of RSU
  In this stage, the RSU obtains two seeds $S_1,S_2$ for generating pseudonyms, along with the corresponding token. The entire process is as follows:

  (a)

  RSU generates its own private key $R_{SK}\in {\mathbb{Z}}_q^{*}$, then computes $R_{PK}=R_{SK}P$ which serves as its public key.

  (b)

  RSU provides its real identity $R_{ID}$ and public key $R_{PK}$ to TA.

  (c)

  TA randomly picks a number $\beta \in {\mathbb{Z}}_q^{*}$,then TA generates $R_{token}$ for RSU, the process is as follows:

  $$\begin{array}{cc}\hfill & P_2=\beta P,A=P_2\left(x\right)\hfill \\ \hfill & F_2=H_1(R_{PK}\parallel H_0(S_1\parallel S_2\left)\right)\hfill \\ \hfill & S_R={\beta }^{-1}(F_2+sA)(modq)\hfill \end{array}$$

  (2)

  (d)

  Lastly, TA generates $R_{token}=(A,S_R)$ for the RSU and selects two random seed values $S_1\in {\mathbb{Z}}_q^{*},S_2\in {\mathbb{Z}}_q^{*}$, which are used for pseudonym derivation. TA then sends these values to the RSU.

  (e)

  TA sends $\left\{R_{token},S_1,S_2\right\}$ to the RSU via a protected channel.

4.3. Pseudonym Generation Stage

When V enters the RSU’s domain and needs to request a service, the detailed procedure is outlined below.

• V sends a service request =$\left\{V_{PK},V_{token},T\right\}$ to the RSU where $V_{token}=(R_v,S_v)$.
• After receiving the request, The RSU will proceed with the verification.
  • Firstly, The RSU checks the valid of T.If it is valid, the process continues; Otherwise, the RSU rejects the request.
  • Secondly, The RSU checks if $V_{PK}$ is in the revocation list (RL). If it is not in the RL, the process continues, otherwise the RSU rejects the request.
  • Finally, the RSU verifies the $V_{token}$.It computes the value of ${S_v}^{-1}{F}_{1}P+{S_v}^{-1}{R}_v{P}_{pub}$, gets the x-coordinate value of the value and checks if it equals $R_v$.
• If the verification not success, then the RSU refuses to provide services to the vehicle, otherwise, the RSU uses $\left\{S_1,S_2\right\}$ to generate pseudonyms, taking $V_i$ as an example.

  $$\begin{array}{cc}\hfill & S_{i,1}=S_1⨁V_{P{K}_i}\hfill \\ \hfill & S_{i,j}=H^j\left(S_{i,1}\right)\hfill \\ \hfill & S_{i,2}=S_2⨁V_{PKi}\hfill \\ \hfill & S_{i,w-j+1}=H^{w-j+1}\left(S_{i,2}\right)\hfill \\ \hfill & PI{D}_{i,j}=H(S_{i,j}⨁S_{i,w-j+1}⨁T_j⨁{\zeta }_{i,j})\hfill \end{array}$$

  (3)

  where w represents the number of time periods in a day, ${\zeta }_{i,j}\in {\mathbb{Z}}_q^{*}$ is a number selected by RSU randomly in the j-th time interval,$j\in \left[1,w\right]$.
• After generating the pseudonym, the RSU updates the information in the revocation list. For example, it adds a new row of information $\left\{V_{VPKi},PID,available\right\}$, where $available$ means the pseudonym of the $V_i$ is avaiable. The RSU then selects a random number $\theta \in {\mathbb{Z}}_q^{*}$,and generates a signature ${\epsilon }_R$ for $(PID,R_{PK},T_2)$. It responds to $V_i$ with $response=\left\{PID,R_{token},R_{PK},H\left(S_1{S}_2\right),T_2,{\epsilon }_R\right\}$, where ${\epsilon }_R=(C,X),R_{token}=(A,S_R)$.
• The process of generating ${\epsilon }_R$ is as follows:

  $$\begin{array}{cc}\hfill & P_3=\theta P,C=P_3\left(x\right)\hfill \\ \hfill & F_3=H_2(PID\parallel R_{PK}\parallel T_2)\hfill \\ \hfill & X={\theta }^{-1}(H_2+R_{SK}C)modq\hfill \end{array}$$

  (4)
• Upon receiving the $response$, $V_i$ performs necessary operations to verify the RSU’s identity and the information’s legitimacy. The specific steps are as follows:
  • Firstly, $V_i$ checks whether $T_2$ is fresh. If that is the case, the process continues, or else the $V_i$ rejects the request.
  • Then $V_i$ verifies the legitimacy of the RSU. It computes the value of $S_R^{-1}{F}_{2}P+S_R^{-1}A{P}_{pub}$ and gets the x-coordinate value of that value and checks if it is equal to A.
  • Lastly,$V_i$ verifies the information by computing the value of $X^{-1}{F}_{3}P+X^{-1}C{R}_{PK}$, gets the x-coordinate value of that value, and checks if it is equal to C.
  • If all the above equations hold true, then $V_i$ accepts the information and uses the pseudonym for subsequent communication.

4.4. Message Signature Stage

After obtaining the pseudonym, the vehicle will use it for subsequent communication in this stage and the detailed steps are as follows:

• For communication, $V_i$ selects firstly a number ${\omega }_i\in {\mathbb{Z}}_q^{*}$ randomly.
• Then, the $V_i$ calculates the following formulas:

  $$\begin{array}{cc}\hfill & P_4={\omega }_{i}P,Y=P_4\left(x\right)\hfill \\ \hfill & F_4=H_2(m\parallel PID\parallel V_{PK}\parallel T_3)\hfill \\ \hfill & U={\omega }_i^{-1}(F_4+V_{SK}Y)modq\hfill \end{array}$$

  (5)
• Lastly, the $V_i$ sends $\left\{e=(Y,U),m,PID,V_{PK},T_3\right\}$ to $V_j$.

4.5. Message Verification Stage

Upon receiving the tuple, $V_j$ performs relevant verification and determine if it is false information, where $tuple=\left\{e=(Y,U),m,PID,V_{PK},T_3\right\}$.

• Firtly,$V_j$ validates the validity of $T_2$. If it is valid, the process continues, otherwise, $V_j$ rejects.
• Then $V_j$ accesses the revocation list and checks the legitimacy of $PID$. If it is marked as $available$, the process continue, but if it is marked as $revoked$, $V_j$ rejects.
• Next $V_j$ computes $H_2(m\parallel PID\parallel V_{PK}\parallel T_3)$ and the value of $U^{-1}{F}_{4}P+U^{-1}Y{V}_{PK}$,and checks if the x-coordinate value of the value is equal to Y.
• If the equation holds true, it indicates the reliability of the message.Otherwise $V_j$ finds that m is fake message, it will report to the RSU, which will report it to the TA by sending $V_{PK}$. Then the TA will update the status of $V_{token}$ corresponding to $VI{D}_i$ as $illegal$. At the same time, the RSU will update the status of $PID$ corresponding to $V_{PKi}$ in the revocation list as $revoked$.The RSU will no longer distribute pseudonyms to $V_i$ and remove it from the system.

5. Security Analysis

We introduce how proposed scheme could achieve the following security requirements in this section:

• Anonymity: The anonymous identity $PI{D}_{i,j}=H(S_{i,j}⨁S_{i,w-j+1}⨁T_j⨁{\zeta }_{i,j})$ serves to conceal the true identity, where ${\zeta }_{i,j}$ is a number selected randomly by RSU in the j-th time interval.Therefore, an Adv can never extract the real identity of the vehicle.In addition to that, when an RSU wants to check the validity of the generated pseudonym, it bases on $(S_1,S_2)$. It does not require knowing the real identity of the vehicle, which satisfies conditional privacy preservation.
• Traceability: The message $tuple=\left\{e=(Y,U),m,PID,V_{PK},T\right\}$ that sent by the vehicle includes the $V_{PKi}$. When the RSU sends $V_{PKi}$ of a malicious vehicle to the TA, the TA can get the true identity of the vehicle by check the registration list.
• Message authentication and integrity: Upon receiving the message $tuple=\left\{e=(Y,U),\right.$
  $\left.m,PID,V_{PK},T_3\right\}$, the receiver will compute $H_2(m\Vert PID\Vert V_{PK}\Vert T_3)$ and then verify the authenticity by checking if the result of the equation $U^{-1}{F}_{4}P+U^{-1}Y{V}_{PK}$ is equal to Y. If the equation holds true, it indicates a successful authentication.
• Revocation: If a vehicle engages in malicious behavior, both the RSU and TA will revoke the vehicle by following these steps: When the $V_j$ detects that m is false information, they report it to the RSU, which in turn reports it to the TA by sending the $VPK$. The TA updates the status of $V_{t}oken$ corresponding to $VI{D}_i$ as $illegal$. Simultaneously, the RSU updates the status of $PID$ corresponding to $V_{PKi}$ in the revocation list as $revoked$. The RSU will cease distributing pseudonyms to $V_i$ and remove it from the system.
• Confidentiality: In the RSU registration phase, the TA sends to the RSU a pair $(S_1,S_2)$ to generate pseudonyms. $S_1$ and $S_2$ are sent via a secure channel and are known only by the TA, RSU. In the pseudonym generation stage, $S_1$ and $S_2$ are used for the generation of pseudonyms and they will never be sent. An Adv who tries to analyze a pseudonym to extract $S_1$ and $S_2$ will never succeed due to the one-way hash function used and the random number.
• Key escrow resilience:the vehicle is the only entity who knows its private key. No one else is capable of imitating the vehicle.
• Unlinkability: The pseudonyms are updated frequently by the RSU. But the pair $(S_1,S_2)$ remains unmodifiable and is only known by the TA and RSU. An malicious adversary cannot distinguish whether two messages sent at time j and $j+1$ are sent by the same vehicle or not.
• Mutual authentication:In the pseudonym generation stage, when the vehicle initially requests service from the RSU, the RSU will authenticate the vehicle’s legal identity based on its $V_{token}$. Upon successful authentication, the RSU transmits a pseudonym , $R_{token}$ and signature to the vehicle, which then verifies the validity of the information and the legitimacy of the RSU’s identity based on the $R_{token}$ and signature. During inter-vehicle communication, the receiver will check the revocation list according to the pk and pseudonym of the sender to determine whether the other party is legitimate and the message is authentic by calculating $Sig(V_{pk},e)$.
• Replay attacks: There is a system timestamp T in each message. The recipient can prevent replay attacks by verifying the validity of T.
• Sybil attack: The RSU not only imposes time and quantity limits on pseudonyms but also enforces strict restrictions. Specifically, the RSU only allocates a single new pseudonym to each vehicle within a given time period. It updates and stores the current list of valid pseudonyms. Any requests with invalid pseudonyms are directly rejected.
• Man-in-the-middle attack: Even if a malicious third party intercepts the message, they do not possess the sender’s private key. Therefore, they can’t forge the signature. The receiver can verify the authenticity of the message using sender’s public key.

6. Performance Evaluation

In this section, We assess the efficiency of our approach considering both the computational expense and the communication overhead. We contrast the proposed scheme with others [5,6,8], and Ali et al. [4] used the bilinear pairing operation, which can be represented as $\widehat{e}:{\mathbb{G}}_1\times {\mathbb{G}}_1\to {\mathbb{G}}_2$ where ${\mathbb{G}}_1$ is an additive group.Similarly, we use another additive group $\mathbb{G}$ based on ECC and an elliptic curve E.We utilized the well-known Miracl library to measure the execution time of all encryption operations. The corresponding operation execution times are displayed in Table 3.

6.1. Computational Cost

Considering the overhead of computation, we primarily consider the cryptographic operations involved in pseudonym generation, message signing, and verification.

In the pseudonym generation phase, scheme [5] requires three hash operations and three point multiplication operations.Therefore, the time is $3T_h+3T_{ecc-pm}\approx 1.2249ms$.In schemes [4,6,8], both of them require two point multiplication operations and one hash operation, so the time is $T_h+2T_{ecc-pm}\approx 0.8153ms$.However, in our proposed scheme, we only require three hash operations, resulting in a time of $3T_h\approx 0.0039ms$.

In the individual message signing phase, scheme [5] requires one hash operation and two point multiplication operations.Thus, the execution time of the signature is $T_h+2T_{ecc-pm}\approx 0.8153ms$.Scheme [8] needs one hash operation and one point multiplication operation, so the time is $T_h+T_{ecc-pm}\approx 0.4083ms$.In scheme [6], it requires two hash operations and one point multiplication operation.The verification needs time $2T_h+T_{ecc-pm}\approx 0.4096ms$. [4]’scheme, signing a message executes one hash operation and two point multiplication operations.Thus signing a message needs $T_h+2T_{ecc-pm}\approx 0.8153ms$.In our proposed scheme, however, we only require one hash operation and one point multiplication operation.And the total time is $T_h+T_{ecc-pm}\approx 0.4083ms$.

In single message verification phase,scheme [5] requires two hash operations, one point addition operation, and three point multiplication operations. So the execution time is $2T_h+T_{ecc-pa}+2T_{ecc-pm}\approx 1.2257ms$.In scheme [8], it requires three point multiplication operations and two point addition operations.So the execution time is $2T_{ecc-pa}+3T_{ecc-pm}\approx 1.2252ms$.In scheme [6], it requires four point multiplication operations, three point addition operations, and three hash operations.Thus the execution time is $3T_h+3T_{ecc-pa}+4T_{ecc-pm}\approx 1.6382ms$.In scheme [4], it requires one bilinear pairing operation, one point multiplication operon, and one point addition operation,which needs whole time is $T_{pb}+T_{ecc-pm}+T_{ecc-pa}\approx 4.613ms$.In our proposed scheme, we require one hash operation and one point multiplication operation.So the time is $T_h+T_{ecc-pm}\approx 0.4083ms$.

As shown in Figure 2, compared to several relevant schemes [4,5,6,8], Our scheme exhibits relatively lower computational cost.

6.2. Communication Cost

We have conducted a detailed assessment of the communication expenditure of the aforementioned schemes in this phase.Let an element in $\mathbb{G}1$ has a size of 128 bytes, the element in $\mathbb{G}$ has a size of 40 bytes, and the $\mathbb{Z}{q}^{*}$ has a size of 20 bytes. Additionally, we assume that the hash function has a size of 20 bytes, the timestamp has a size of 4 bytes, the a pseudonym has a size of 20 bytes, and the message m has a size of 20 bytes.

In scheme [5], A message $\left\{AI{D}_i=(AI{D}_{i,1},AI{D}_{i,2},{\sigma }_i=(f_i,g_i),B_i,\right.$$\left.K_i,R_i,T_1,M_i)\right\}$ is transmitted by $V_i$, where $AI{D}_{i,2},f_i,g_i\in {\mathbb{Z}}_q^{*}$, $AI{D}_{i,1},B_i,K_i,R_i\in \mathbb{G}$, thus, the communication cost is (40 × 4 + 20 × 3 + 4 + 20) = 244 bytes. In scheme [8],the tuple sent from a vehicle is $\left\{PI{D}_i,{\sigma }_i,M_i,T_i,R_i\right\}$, where $PI{D}_i=(PI{D}_{i,1},PI{D}_{i,2})$. $PI{D}_{i,1},R_i\in \mathbb{G},PI{D}_{i,2},{\sigma }_i\in {\mathbb{Z}}_q^{*}$, Hence, the cost of communication is (40 × 2 + 20 × 2 + 4 × 1 + 20) = 144 bytes. In the paper [6], the message is $\left\{AI{D}_{i,1},AI{D}_{i,2},T_i,X_i,U_i,{\eta }_i,A_i,t_i,m_i\right\}$,where $AI{D}_{i,1},X_i,U_i,A_i\in \mathbb{G}$, $AI{D}_{i,2},{\eta }_i\in {\mathbb{Z}}_q^{*}$, and $(T_i,t_i)$ is timestamp.So the communication overhead needs 40 × 4 + 20 × 2 + 4 × 2 + 20 = 228 bytes. In the paper [4],the tuple of messages sent by the vehicle is $\left\{PI{D}_i=(PI{D}_{i,1},PI{D}_{i,2}),P{K}_i=(R_i,U_i),T_i,{\sigma }_i,m_i\right\}$, where $PI{D}_{i,1},R_i,U_i,{\sigma }_i\in {\mathbb{G}}_1,PI{D}_{i,2}\in {\mathbb{Z}}_q^{*}$. Therefore, the communication overhead needs 128 × 4 + 20 × 1 + 4 × 1 + 20 × 1 = 556 bytes. In our scheme, the vehicle broadcasts $\left\{e=(Y,U),m,PID,\right.$ $\left.T_3,V_{PK}\right\}$ to Neighboring vehicles, where $Y,U\in {\mathbb{Z}}_q^{*},V_{PK}\in \mathbb{G}$. Thus,the communication overhead is 20 × 2 + 40 × 1 + 4 × 1 + 20 × 1 + 20 = 124 bytes.

From Table 4, it can be observed that the our scheme has lower communication overhead compared to other schemes [4,5,6,8]. [5,6,8].

7. Conclusions

This paper compares the limitations of existing schemes and proposes an efficient CPPA scheme that achieve a better balance between safety and efficiency.Furthermore, a comprehensive security analysis has demonstrated that our scheme successfully fulfills the essential security and privacy criteria for VANETs. Moreover, the evaluation of computational and communication overhead validates the enhanced efficiency offered by our proposed approach, rendering it more suitable for VANETs.