An Efficient Lightweight Mutual Authentication and Key Exchange Protocol for Roaming Vehicle

Intelligent vehicles and their infrastructure have been a booming topic that requires attention towards grooming security services and providing a safe-secure drive experience to users worldwide. Authentication of these vehicles within and away from the home network plays an essential role in maintaining seamless service access, especially for users moving away from the home network. Traditional schemes are centralized and primarily focus on vehicle authentication within a home network. Very few studies have been conducted on vehicle authentication during roaming. The trusted authority (TA) must authenticate its vehicle along with the one in roaming, which increases the communication and computational load on the TA as scalability increases. This article presents a lightweight authentication scheme, especially for roaming vehicles, and focuses on sharing the authentication load. A vehicle, along with its home TA (HTA) identity, sends an authentication request to a nearby roadside unit (RSU) during roaming. After receiving an authentication request from the RSU, the foreign TA (FTA) connects to the HTA. Vehicle authenticity was confirmed as a session key generated for communication with a roaming vehicle, ensuring seamless service access. The proposed scheme was tested against standard BAN logic to prove that it meets the required security standards and authentication requirements. Furthermore, the communication and computation cost analysis proves that this scheme is lightweight compared with other traditional schemes. Security analysis proves that the proposed scheme can successfully prevent major attacks, such as anonymity, unlinkability, replay attack, message tampering, and malicious vehicle tracking.


I. INTRODUCTION
An arbitrarily distributed network with a self-organizing behaviour is popularly known as a vehicular ad-hoc network (VANET), an integral subgroup of an intelligent transport system (ITS). Vehicles within this network exchange emergency messages, safety-related information, and traffic awareness data. Studies have proven that when these messages are effectively and securely transmitted through legitimate vehicles, road accidents can be avoided by approximately 60% [1]. Therefore, vehicles must be authenticated, and a legitimate link of communication throughout the environment is created to protect the network from the exchange of false messages.
The associate editor coordinating the review of this manuscript and approving it for publication was Giovanni Pau .
Simultaneously, it is necessary to provide lightweight authentication to enhance and meet the speed requirements of VANET [2], [3]. The majority of VANET environment consists of three elements: trusted authority (TA), roadside unit (RSU), and onboard unit (OBU). The TA is responsible for registering the vehicle and its authentication within the home network. The TA is also responsible for providing vehiclespecific certificates, storing vehicle information to track malicious nodes in the case required in the future, as well as for vehicle roaming authentication. A vehicle always registers with its home TA (HTA). Any vehicle that is out of range of the HTA communicates with a foreign TA (FTA). The HTA plays a role registers a vehicle in a home network, and the FTA plays a role to communicate with the HTA and obtain the authenticated roaming vehicle. The RSU is a fixed unit placed across the road, which helps transfer messages connecting vehicles while communicating with the HTA or FTA. It also acts as a base station for vehicles and serves as a message carrier. To communicate with the entities in the VANET, a special unit called the OBU is mounted on each vehicle. This is the only vehicle responsible for a communicating with other network entities in the VANET. Figure 1 illustrates the architectural framework of the VANET environment [4]. A survey mentioned in [5] states that by 2027, almost all 100% of vehicles will be manufactured with OBUs. The communication medium using which the vehicle, RSU, and TA in the network communicate is either through wireless access to the vehicular environment (WAVE) or dedicated short-range communication (DSRC). Wireless communication is more susceptible to malicious attacks, which can cause information tampering, and integrity failure, especially during emergencies and traffic awareness where the scalability of vehicles within the network is greater. Our previous study [4] explains how a secure lightweight authentication mechanism can be initiated for vehicles in home network. It is an efficient algorithms compared to traditional schemes. However, it does not incorporate any mechanism for a vehicle entering the roaming environment, which is an extension of previous study, to authenticate vehicles in a roaming environment. Considering the above factors and the need to authenticate a vehicle, particularly during roaming, this study contributes to the development of lightweight authentication for vehicles in roaming. Our proposed lightweight roaming authentication scheme considers the registration of a vehicle under its HTA to be the same as that in our previous work [4]. During vehicle registration, vehicle-specific digital signatures were generated using an elliptic curve digital signature algorithm (ECDSA). Using its identity and signature, a vehicle registers itself with the HTA. Every registered vehicle receives public parameters of the system and certain vehicle-specific parameters. These are then stored as copies of the vehicle's signature and identity with HTA. When this vehicle moves away from the HTA, the stored parameters play an important role in authenticating the roaming vehicle by the FTA. To decrease the load on FTA, the proposed scheme attempts to share the computational load within the RSU and FTA when vehicle roaming authentication is requested. Thus, the weight of the computational overhead of FTA is reduced, generating a lightweight roaming authentication scheme that enhances the performance of the system.
To provide an efficient lightweight roaming authentication solution, our proposed scheme contributes as follows: • First, the proposed scheme contributes to downsizing the computational overhead on FTA compared to the traditional scheme. This is achieved by sharing the roaming authentication burden with RSU. To incorporate the lightweight mechanism, it fetches lightweight ECC parameters. It uses an elliptic curve Diffie-Hellman (ECDH) key exchange protocol to generate a shared secret through which the roaming vehicle can access the services.
• Second, it efficiently controls crucial security attacks such as anonymity, unlinkability, replay attack, and message tampering. Thus, it contributes to reducing the security threat factor in a wireless environment of VANET. Adding to this, a formal security investigation proves that the proposed scheme is trustworthy and secure.
• Third, it also provides an efficient way to trace any malicious behaviour of a vehicle and can stop the inference of malicious activity in the system.
• Fourth, it successfully provides a lightweight vehicle roaming authentication framework. When compared to other traditional VANET roaming authentication schemes, our proposed scheme reduces the computational cost of FTA.
The remainder of this paper is organized as follows. Section II describes various authentication protocols developed in recent years, that are mainly used to preserve privacy. Section III explains all necessary preliminaries and technical acronyms used when proposing lightweight authentication for roaming vehicles. In section IV derives the proposed authentication algorithm and explains the necessary flow. Section V describes the manner in which the proposed authentication is secured through formal and informal analysis. It also ensures that the proposed algorithm satisfies the security requirements by analyzing it against the standard Burrows-Abadi-Needham (BAN) logic. Section VI discusses the proposed protocol is lightweight and efficient nature of the proposed protocol in terms of the communication and computational overhead. Section VII presents the conclusions of the study

II. RELATED WORK
Various security protocols have been developed to provide secure authentication to vehicles in VANET. Very few studies have contributed to the authentication of vehicles entering roaming environment. Table 1 compares a few available vehicle authentication schemes for the home and roaming networks. VOLUME 11, 2023  Zhou et al. [7] proposed an authentication and keyagreement protocol for vehicles during roaming. However, in their protocol, all authentication loads are handled only by FTA, which might overburden it when scalability increases. Shashidhara proposed an approach similar to roaming authentication [8]. Jyothi and Patil [9] proposed a fuzzy-based trust evaluation model for vehicle authentication in VANET. In their scheme, the load is shared between the RSU and TA; however, no solution is provided if the vehicle moves away from the home network. Wang, et al. proposed bilinear pairing based on a secure and efficient message authentication protocol (SEMA) for vehicles within the home network [10]. Bilinear pairing adds complex processing to memory-constrained devices such as VANETS [4]. The storage overhead for a vehicle mentioned in [11] is 4 K bytes for every device in a vehicular ad hoc networks. Reference Cheng et al. [12] proposed an RSU-based authentication scheme using a combination of a Symmetric Key and Chebyshev chaotic map. This proposal can also be improved to authenticate vehicles during roaming. In 2019 Zhou, Jun, et al. proposed a location-based lightweight privacy preservation scheme [14]. It authenticates vehicles and sustains the location-based service information. Sandou et al. [15] proposed a new key agreement and authentication protocol that uses SHA-896 to generate an 896-bit one-way hash function. This adds to an increase in communication overload, and can simultaneously affect the delay in message communication to entities that provide authentication. Similar to the aforementioned schemes, [4], [13], and [16] provided home network authentication for vehicles with ECC and bilinear pairing. In terms of energy efficiency, VANET have reached a new level of experimentation to obtain Energy Internet-Based Vehicle-to-Grid Technology authentication as mentioned in [17]. One way to drive energy to and from vehicles using grid power is to authenticate the vehicle and grid network. However, neither scheme mentions the scope of vehicle authentication during roaming. In addition, the use of a bilinear pairing operation increases the computational cost for all the entities participating in the authentication process.
Most research on VANET has contributed to their work in producing secure authentication for vehicles in the home network within the HTA. However, when a vehicle moves away from the HTA, it still requires access to all services, traffic messages, and other emergency services. Therefore, a vehicle must be securely authenticated [18], [19]. This study proposes an efficient, lightweight mutual authentication and key-exchange protocol for vehicles during roaming.

III. PRELIMINARIES AND BACKGROUND
• The registration of vehicles with the home network is considered from our previous work [4] and slightly updated to meet the roaming constraints.
• When a message is received at any entity(vehicle, OBU, RSU, HTA, FTA), timestamp T C x , where x belongs to respective entity participating, is analyzed with the current timestamp T . If the difference between them (T − T C x ) > δT , and δT is the threshold, then any received message is rejected. If this difference (T − T S ) < δT , i.e, within the defined threshold, the message is accepted and proceeds further.
• Timestamp gets synchronized within the entity, whenever it connects to the network.
• A One-way hash h(.) is particularly used to generate a fixed-length message for any given message x. If a given message x i spassed through a hash function, we can easily generate y = h(x). However, when y is known, we cannot compute x ′ = h −1 (y) and due to which x ′ ̸ = x. • ECC and ECDH key exchange: If a, b are two elements in ∈ Z n that belong to members Alice and Bob of a group. Assuming, P is the point of an elliptic curve C, so we have P A = a * P ∈ C and P B = b * P ∈ C, both P A and P B will be called as public keys of Alice and Bob, respectively. When Alice wants to initiate a communication with Bob and Alice knows Bob's public key P B , Alice can send a message to Bob with the help of Bob's public key P B but using Alice's private key a. Thus, Alice will send a * P B with the message to be communicated to Bob. When Bob receives this message, he will decode it with its own private key b and Alice's public key and Bob will calculate b * P A . Due to the properties of ECDH, b * P A = a * b * P = a * P B , which will be the same key used by Alice to initially encode the message. In this way, the shared secret is sustained by both them using ECDH key exchange.
• Table 2 mentions the definitions used in the proposed lightweight authentication scheme for vehicles during roaming.

IV. PROPOSED AN EFFICIENT LIGHTWEIGHT MUTUAL AUTHENTICATION AND KEY EXCHANGE PROTOCOL FOR VEHICLE DURING ROAMING
The proposed scheme uses effective and lightweight ECC and ECDSA parameters to incorporate lightweight vehicle authentication during the roaming. It attempts to reduce both computational and communication costs during roaming authentication, particularly in FTA. The authentication load is shared between the FTA and RSU. It generates a shared secret using an effective ECDH key agreement protocol [6]. Figure 2 illustrates the occurrence of a roaming In this phase, the HTA and FTA publish the initial public parameters and share the session key between them HTA and FTA through a secure channel. The vehicle and RSU were registered during this phase with the HTA. The following steps were performed during the initialization and registration phase; S1. HTA selects a random number d HA as its private key, calculates publishes its public key P HA = d HA * P. Similarly, the FTA selects its private key d FA , and generates and publishes its public key P FA = d FA * P. S2. Session key K FH between HTA and FTA and be shared through a secure channel. All public system parameters were published at the time of initialization. S3. During registration, every vehicle generates its signature (s i ,r i ) using ECDSA. It shares its identity ID i and signature (s i ,r i ) with HTA through a secure channel. S4. After receiving the registration request from the vehicle, HTA selects the connection to secrete a i , and After successful registration, the HTA sends the tuple < PID i , PID ′ i , S i , h() > and its identity ID HA to vehicle V i in addition to the system public parameters and stores < ID i , PID i , h(s i , r i ) > in its registered vehicle list. S5. Every RSU also registers with its HTA and gets its pseudoidentity back. S6. RSU selects r as its private key and generates P RSU = r * P. S7. It registers its ID Ri and P RSU . S8. HTA then calculates PID Ri for each registered RSU.
All RSU broadcasts their P RSU and PID Ri , so that nearby vehicle can communicate [4] B. AUTHENTICATION AND KEY AGREEMENT At vehicle: During this phase, the roaming vehicle sends an authentication request to a nearby RSU within its range. The RSU then forwards the authentication request to the FTA. With the help of the received parameters, the FTA requests that the respective HTA authenticate the roaming vehicle. Once authentication is confirmed, the shared session key is generated and shared between the RSU, FTA, and the vehicle during roaming. Mentioned below are the steps performed during the authentication and key agreement phase. S1. Vehicle selects a random number x i and calculates P V = x i * P. S2. To communicate with the nearby RSU it generates S5. If the timestamp is within the expectable range, RSU decodes the requests by calculating P R = r * P V S6. Using P R , RSU calculates PID i = M V h(P R , T CVi ) S7. To forward the authentication request it calculates P ′ R = r * P FA S8. M R1 = PID i h(P ′ R , T C R). S9. RSU keeps the calculated PID i and sends < ID HA , M R1 , M i , P V , P RSU , T CR , TC Vi > to FTA. S10. At FTA: On receiving the authentication request from the RSU, the FTA checks if the timestamp is within the acceptable range i.e T CS − T CR < δT S11. It then decodes authentication request using its private key d FTA and calculates P F = d FTA * P RSU S12. To keep the psuedoidentity of the vehicle for which it is requesting the authentication, FTA calculates PID i = M R1 h(P F , T CR ), and keeps PID i , with itself. S13. TO forward the authentication request to HTA, FTA then P ′ F = d FA * P HA S14. It then calculates M F1 = PID i h(P ′ F , T CF ) K FH and sends < ID HA , M F1 , M i , P FA , T CF , T CVi >to HTA as an authentication request for the roaming vehicle. S15. At HTA: Here, the HTA has to decode the received request from FTA and check the valid registration entry of the vehicle in the database. S16. If the requested vehicle registration is valid, HTA will generate a successful message to send to FTA. S17. HTA first checks if the timestamp is valid i.e T CS − T CF < δT S18. If the timestamp is valid, HTA decodes the authentication request, HTA finds the respective shared key K FH in the database matching to received P FA . S19. HTA calculates P H = d HTA * P FA S20.  Figure 3 illustrates the overall flow of the proposed authentication protocol for the vehicles during roaming.

V. SECURITY ANALYSIS
This section emphasizes analyzing the formal and informal security of the proposed lightweight authentication scheme of vehicles during roaming. First, we elaborate on the formal security analysis between the main entities OBU, RSU, and TA using Burrows-Abadi-Needham logic (BAN) for the proposed scheme. Furthermore, the proposed scheme meets the desired security requirements and prevents the system from significant security attacks through informal security analysis. Thus, the proposed scheme is sufficiently robust to resist attacks such as impersonation, identity disclosure, replay, repudiation, and message tampering.

A. FORMAL SECURITY PROOF
The proposed scheme of lightweight roaming authentication between the HTA and OBU is robust and proven secure using the standard BAN logic technique. It is a standard security analysis architecture called Burrows-Abadi-Needham logic.
It is mainly used in information exchange protocols to analyze whether it meets security requirements. The logic mentioned in this technique helps determine whether the proposed scheme is secure against eavesdropping [21] and trustworthy. An examination of the proposed scheme using BAN logic shows that it fulfils the goals required to satisfy secure authentication and thus makes the system trustworthy and secure. Table 3 lists the definitions used for BAN logic.  The rules considered in the analysis of the BAN logic are as follows: Rules: • R 1 : Message meaning rule: Goals: If the proposed protocol for the authentication of vehicles during roaming achieves the following goals, then it is proven to satisfy the authentication requirements for VANETs. The goals set for the proposed protocol: The idealized form: The protocol transformation are as follows: With the help of our protocol derivation, following are the assumptions considered: From PM 4 , From Equation 6, Assumption 9 and applying Rule 1 we have According to Equation 7, Assumption 5 and applying Rule 1, From Equation 8 and Assumption 9, it can be proved that FTA believes M H 1 , as it can be decoded with only the shared key K F H between the FTA and HTA which has already been shared between them. Thus we achieve goal G3 that is FTA| ≡ ID HA From PM 6 , we have According to Equation 9, Assumption 11 and applying Rule 1 we have According to Formula 10, Assumption 6 and apply Rule 2 we Therefore, according to Equation 12 and Assumption 11 we Thus we achieve goal G5 that is, ←--→ FTA In addition, E KS is generated from the private key of vehicle V i , and accoring to the Assumption 12, FTA| ≡ P v . Thus we can achieve goal G6, that is FTA| ≡ V i K S ←--→ FTA From the above derivations, all the set security goals are achieved and our protocols appears to meet the desired security requirements.

B. INFORMAL ANALYSIS
The proposed lightweight roaming authentication scheme meets the desired security requirements, is robust against significant security attacks, and is analysed using informal security analysis. This section describes how the proposed scheme achieves the required security requirements.

1) ANONYMITY OF USER IDENTITY
In the proposed scheme, the anonymity of user identities can be preserved. When an adversary A attempts to disclose any information about the original identity of the user vehicle V i , even if adversary A can obstruct the message M i , ID HA , M F1 , T CF , P FA , the first challenge for A is to find d HA to obtain PID i , where d HA is the private key of HTA. Thus, by calculating d HA through P H = d HA * P FA , adversary A must solve the ECDLP problem; thus, the anonymity of the user identity is protected and preserved.

2) MALICIOUS VEHICLE TRACEABILITY
When the trusted foreign authority FTA detects any suspicious behaviour of vehicle V i , and knows that it has deviated from its regular activity, the real identity of vehicle V i can be extracted using home trusted authority HTA. However, FTA can send the message ID HA , M i , M F1 , T CF , P FA , which is associated with vehicle V i to the HTA to track the original identity. Next, the HTA parses the vehicle's PID i and obtains the real identity of the malicious vehicle V i by examining its specific record in the registration list.

3) UNLINKABILITY
Unlinkability can be associated with the sessions. This means that an adversary should not be able to link or relate a specific vehicle to altogether different sessions by only knowing the seized messages during the communication. Every message sequence indicates that each message is associated with the timestamp for each session and the communication between the entities, which also resists the replay attack. Thus, the adversary can not link the user vehicle to V i at any timestamp T . Therefore, the unlinkability of the sessions is differentiated using the proposed scheme.

4) IMPERSONATION ATTACK
In such attacks, the false identity of a legitimate user can be used to deliver a false message. An adversary can assume any vehicle identity and successfully enter a network. However, the proposed protocol prevents this illegal entry because the vehicle's signature is verified every time a vehicle tries to enter a network. The valid pseudoidentity PID i and its signature M i were compared to confirm the authentication phase. This signature is formed using the secret parameters of the vehicle that can not be replicated. Thus, an adversary can only send the signature through the system if the signature is verified.

5) DENIAL OF SERVICE (DoS)
In this attack, an adversary can attempt to exhaust the system with unwanted or repeated messages, which can create unnecessary chaos. However, in the proposed protocol, no vehicle could send messages without authentication. Once the HTA authenticates a vehicle, it sends a legitimate message. Therefore, for any adversary to bombard a system with its messages, it must be authenticated. Thus, the proposed protocol prevents denial-of-service attacks.

6) MESSAGE TAMPERING
An adversary can attempt to modify or manipulate messages during a communication. This can lead to false message transfers in legitimate systems. This type of attack is known as message tampering. To prevent this, the proposed scheme uses cryptography generated by a SHA-256 hash function. SHA-256, is a message digest with a fixed length generated from the parameters during the active session. This ensures that the message is unmodified and that it can be safely communicated to the destination in the proposed scheme.

7) PERFECT FORWARD SECRECY
We assume that adversary A successfully extracts the pseudoidentity of the vehicle. However, the adversary must provide a solution for the untraceable problem, that is, ECDH, and determine the shared key K s = h(P V , P RSU , P FA ) PID i , as mentioned in S29 of section IV-B. Only by the respective vehicle V i whose psudoidentity is PID i and its secret parameter can decode this. Thus, perfect forward secrecy is maintained while generating the shared secrete key.

VI. PERFORMANCE ANALYSIS
The following hardware platform was used to test the proposed scheme against the traditional scheme: CPU: Intel I5-82655U @ 1.80 GHz; OS: Windows 10, 64-bit operating system, Memory: 8 GB. MATLAB R2018b was used to analyze cryptographic operations. Cryptographic operations take some time, as shown in Table 5 using the above-mentioned software and hardware.

A. COMMUNICATION COSTS
The communication cost slightly increased in the proposed protocol compared with the traditional vehicle roaming authentication protocol. This is because the load is shared with the RSU, which is not the case with traditional protocol. This results in additional communication bits for the RSU.     Table 6 compares the figures of communication cost between the traditional and proposed schemes.

B. COMPUTATIONAL COMPLEXITY COST
Compared with the [7] scheme for roaming, our proposed protocol seems better by reducing the computational cost. The proposed protocol enhances the speed of operation, and our shared authentication load reduce the burden on the TA. Table 7 compares the overall computational costs of the traditional and the proposed authentication schemes. With the help of the proposed scheme, lightweight authentication is accomplished compared to the traditional roaming protocol.

VII. CONCLUSION AND FUTURE SCOPE
The scheme uses lightweight ECC parameters, a particular SHA-256 hash function, and the Diffie-Hellman algorithm for key exchange to generate a lightweight framework. Vehicle authentication focuses mainly on distributing the computational load between an RSU and FTA. Traditionally, roaming authentication is handled solely through FTA. Consequently, it becomes difficult for one FTA to simultaneously manage the authentication of all vehicles in the system. In the proposed protocol, the FTA authenticates the vehicles; however, the RSU shares the computational load. Thus, the computational load of the FTA is shared and downsized.
Compared with the performance analysis of the proposed and traditional schemes, the computational complexity of the proposed method is reduced, making the system more efficient, However, the communication cost increases as the RSU is also involved in communication. The system performance using the proposed scheme is improved by reducing the computational complexity by 24% compared with the traditional [7]. The proposed method efficiently traces malicious behaviour and can restrict false messages by eliminating malicious activity. The primary security requirements are also satisfied in informal security analysis, which enhances the system security and prevents significant security attacks. In VANET environments, the proposed lightweight authentication scheme for roaming vehicle is robust and efficient. Although the correctness of the proposed method satisfies the standard BAN logic goals and proves to be efficient and secure in terms of security analysis, this scheme can be analyzed and improved using tools such as AVISPA in the future.