Anonymous Authentication and Key Agreement Scheme Combining the Group Key for Vehicular Ad Hoc Networks



Introduction
With the development of network technology, there are many forms of network and new technologies [1,2]. Vehicular ad hoc network (VANET) is a highly mobile self-organizing wireless communication network. By using VANET, vehicles in front can report road condition information to the rear vehicles in a timely manner; this can improve travel efficiency and reduce road congestion and traffic accidents. VANET plays a significant role in traffic optimization and safety [3]. Since VANET mainly adopts a wireless communication mode, messages are vulnerable to various attacks, such as counterfeiting, interception, tampering, and tracking [4,5].
These attacks seriously threaten the safety of vehicles and the privacy of users. Therefore, security authentication and privacy protection are important research directions of VANET. VANET generally has the following main components: road side unit (RSU), trust agency (TA), and on-board unit (OBU) [6]. OBU is installed in the vehicle and can realize the communication between the vehicle and RSU or other vehicles. The communication between OBU and RSU adopts dedicated short range communication (DSRC) [7]. The communication with vehicles requires authenticating one another and negotiating the communication key to prevent attacks such as tracking, privacy exposure, and message counterfeiting. Authentication and key agreement in VANETs are anonymous. Hence, even if an attacker intercepts the message, the specific source of the message cannot be determined. Additionally, the authority of VANET can identify every message sent by vehicles, and this can prevent vehicles from sending false messages maliciously.

1.1. Related Works.
In recent years, some authentication protocols based on public key infrastructure (PKI) [8-10] have been proposed. These works propose anonymous authentication and key agreement schemes in which a large number of certificates are assigned to vehicles. However, these schemes require vehicles to be equipped with many anonymous certificates in advance; this leads to many problems such as certificate storage and certificate management. Lu et al. [11] proposed a key agreement and authentication scheme for generating a short-term key and certificate between the vehicle and RSU. However, the communication efficiency of the scheme is low due to the frequent interaction between the vehicle and RSU for changing the authenticated group. Rajput et al. [12] proposed an anonymous authentication scheme with hierarchical privacy protection to address the defects of PKI-based schemes.
This protocol does not need to manage the certificate revocation list (CRL), and each vehicle uses two pseudonyms to complete anonymous authentication, but once the pseudonym expires, the vehicle needs to acquire the pseudonym from TA or RSU again; this increases the number of communications. Wang [13] proposed a local identity-based anonymous authentication protocol for VANET (LIAP). In this method, each vehicle and RSU are assigned a unique long-term certificate from the certification authority (CA) in the registration phase. The vehicle and RSU complete mutual authentication through certificates. After successful authentication, RSU distributes a local-master key to the vehicle. The vehicle randomly generates a pseudonym to communicate with the RSU through the local-master key. The use of the local-master key improves the communication efficiency and system security. But this scheme needs to manage CRL.
The storage and management of certificates restrict the development of authentication schemes based on PKI. To overcome the problems caused by authentication certificates, some identity-based public key cryptosystems are introduced into authentication of VANET [4,14-19]. In 1984, Miller first proposed an identity cryptosystem [14]. In this cryptosystem, the user's public key is calculated by the user's identity, and the user's private key is generated by the authentication center through the system key according to the user's identity. In 2008, Zhang et al. [15] proposed an authentication protocol for VANET using the identity of the vehicle user, solving the certificate storage and management problem and supporting batch authentication. In 2011, Huang [16] proposed an anonymous batch authenticated and key agreement scheme based on identity authentication for VANET. Shim et al. [17] noted that the scheme [15] was vulnerable to replay attack and did not achieve the nonrepudiation of signature and proposed a vehicle-to-infrastructure (V2I) authentication scheme. However, the scheme is vulnerable to tampering attacks [18] and cannot satisfy its claimed chosen message attack resistance [17].
Wang et al. [20] mentioned that Huang et al. [16] could not resist a collusion attack, and therefore, they proposed an improved scheme. In [20], it is also indicated that the scheme [18] cannot resist replay attacks and cannot track the real identity of the message sender. In 2016, Azees and Vijayakumar [21] proposed a novel key distribution scheme for secure group communication using Lagrange polynomials. The limitation of the scheme is that it only provides one-way authentication from vehicle to TA. Then, Vijayakumar et al. [22] proposed a privacy-preserving anonymous mutual and batch authentication scheme for vehicle-to-vehicle. This scheme implements the authentication of message source and message integrity and has the mechanism of tracking and revoking vehicles. In 2017, Azees et al. [23] proposed an anonymous authentication scheme, based on bilinear pairing, to prevent malicious vehicles from entering the VANET. Each user computes multiple temporary short time certificates to realize anonymous authentication in the scheme. The scheme has high computing performance and security. However, the dummy identity ($DIU_{ui}$) in each certificate is the same, and the scheme does not consider the unlinkability of different sessions. In 2018, Pournaghi et al. [24] proposed an anonymous authentication and key agreement scheme combining TPD and RSU. The scheme saves the system master key in the TPD of RSU instead of the TPD of each vehicle, which improves the security and authentication efficiency of the system. In 2019, Ikram et al. [25] proposed a conditional privacy-preserving authentication scheme for V2I. This scheme uses general one-way hash functions instead of map-to-point hash functions to achieve high efficiency.
The identity-based authentication schemes for VANET address the problems presented by the schemes based on PKI. The existing schemes [21-25] are novel in design and have good security. However, the bilinear pairing operations of elliptic curve are used, and the computational efficiency of bilinear pairing operation is low. The works [26-28] are based on pseudonyms on elliptic curves; they do not use bilinear pairing operations and achieve high computational efficiency. However, TA is required to participate in authentication; this increases communication times and communication burden. He et al. [29] proposed a privacy protection authentication scheme based on identity. This scheme also uses elliptic curve instead of bilinear pairing operations and achieves satisfactory performance in both computation and communication. However, the scheme is based on ideal TPD, and the master key is stored on the TPD of each vehicle. Islam et al. [30] proposed a conditional privacy-preserving authentication scheme based on hash function. The scheme offers group-key generation, user leaving, user join, and password change facilities. The scheme does not need bilinear pairing mapping or elliptic curve operation and is lightweight in terms of computation and communication. However, TA is required to participate in each authentication between the vehicle and RSU. Wu et al. [6] proposed an effective location-based conditional secret authentication scheme. The scheme does not require bilinear pairing operations or TPDs. However, when RSU is certified by vehicle, TA needs to query the database and return the results. Cui et al. [31] proposed a scheme without relying on any special hardware such as TPD. The scheme is based on elliptic discrete logarithm and has high computational performance. The cuckoo filter and binary tree search method are used to achieve a higher success rate in batch authentication. However, TA is required to generate communication key for the vehicle and RSU. Zhong et al. [32] proposed an authentication and key agreement scheme based on hash function and registration list. The scheme does not require the strong security assumptions of TPD. Xiong Li et al. [33] proposed a lightweight authentication scheme for VANETs with only hash functions and exclusive-OR operations. Compared with previous schemes, the computational cost of the schemes [32,33] has been greatly improved. However, the schemes also need TA to participate in the authentication. In recent years, there are some authentication schemes using group key, which can reduce the authentication burden of TA. The works [34,35] introduce group key management schemes based on Chinese remainder theorem, which reduces computation complexity of the key server. In 2019, Jing Zhang et al. [36] proposed a message authentication scheme based on the group key using Chinese remainder theorem. The TPD of the vehicle only saves the real identity and the group key. So the proposed scheme only requires realistic TPDs and ensures higher security for the entire system. In 2020, Wei et al. [37] proposed two privacy-preserving multimodal implicit authentication protocols for Internet of connected vehicles.
The proposed protocols use the password and vehicle owner's behavior features as the authentication factors skillfully and do not reveal any information about vehicle owner's behavior. The protocols have advantages in computational cost and accuracy. However, the protocols do not consider the unlinkability of sessions. Vinoth et al. [38] proposed a multifactor authenticated key agreement scheme for industrial Internet of things (IoT). The scheme implements authentication and key agreement between the user and multiple sensing devices at the same time. The scheme only used hash function, bit-wise XOR operation, and symmetric cryptography. It has less communication cost and computational cost compared with other correlative schemes. However, the scheme does not consider internal attack.

Our Contributions.
In this study, an anonymous authentication and key agreement scheme based on elliptic curve for VANET is proposed. Each vehicle is equipped with a TPD. The TPD saves the private key of the vehicle and the group key for multivehicle communication. The vehicle can authenticate with RSU anonymously by combining a private key with a group key. After successful authentication, the session key can be negotiated for both parties. The scheme can also implement message signature and anonymous verification. In this scheme, the TPD only saves the private key of the vehicle and the group key instead of the system key. The attack on the TPD will not affect other nodes in VANET. So, we only need realistic TPD instead of ideal TPD. There is no need for the third party to participate in the authentication and key agreement between vehicle and RSU compared with the works [6,30-33], and there is no need to query the database in the scheme. In addition, the use of group key in this scheme can help RSU resist certain denial of service (DoS) attacks.
The main contributions of this study are summarized as follows.
(1) In order to optimize the computational cost and key management, we present an efficient anonymous authentication and key agreement scheme for RSUs and vehicles using the private key of the vehicle and the group key.
(2) In order to reduce the communication time and storage space, we implement independent authentication and key agreement between vehicle and RSU, and RSU does not need to save vehicle information or query database.
(3) In this scheme, we also implement anonymous signature and verification of messages.
(4) In this scheme, we use realistic TPDs instead of ideal TPDs, which is more suitable for VANET.

Organization of This Article.
The rest of the study is structured as follows: Section 2 describes the preliminaries of the proposed scheme, Section 3 gives the working of the proposed scheme, and Sections 4 and 5 present a security analysis and a performance analysis, respectively. Our study is concluded in Section 6.

Preliminaries
In this section, we introduce the related background information of VANET and the proposed scheme. 1, the network model of VANET mainly includes TA, RSU, OBU, TPD, and application server (AS). TA is a trusted service center. It is responsible for generating the private and public keys for RSU and vehicle and the group key for multivehicle communication. TA is an entity with the highest level of security protection and is completely trusted. RSU is the communication equipment installed on both sides of the road, with high security, thus providing access service for vehicles. The RSU communicates with the vehicle using DSRC protocol. Each vehicle is equipped with an OBU. The OBU of the vehicle realizes short distance communication with RSU and OBUs of other vehicles. TA allocates a TPD to each vehicle. TPD has high security, and other attackers cannot obtain sensitive information from the device [39]. AS is an application server and provides data service for TA. AS has high security and is credible.

Elliptic Curve.
Suppose that $F_p$ denotes a finite field of order $p$, where $p$ is a large prime number. $E$ denotes an elliptic curve over $F_p$.
The curve $E$ is defined as cyclic additive group of order $q$ on $E$, and $P$ is the generator and $O$ is the infinite point.
Two difficult problems are defined as follows:
Definition 1. Elliptic curve discrete logarithm problem (ECDLP). Let $Q$ be a random point on $G$ and calculate a solution $x$ which satisfies $Q = xP$, where $x \in Z_q^*$.
Definition 2. Elliptic curve computational Diffie-Hellman problem (ECCDH). Assume a generator $P$ of $G$, $aP, bP \in G$, where $a, b \in Z_q^*$ are unknown. The ECCDH problem is to compute $abP \in G$.
If ECDLP or ECCDH on a group $G$ cannot be solved with nonnegligible probability $\varepsilon$ in time $t$, then ECDLP or ECCDH is said to be a difficult problem on elliptic curve.

Security Requirements.
The open multihop wireless network is vulnerable to various attacks. Therefore, the authentication and key agreement for VANET need to meet the following security requirements [29,39]:
(1) Authentication and integrity. After receiving the message, VANET needs to determine whether the source of the message is reliable and whether the message has been tampered with by others.
(2) Privacy protection. When users are communicating, VANET should protect the confidential information such as user's identity, session record, location, and driving path. VANET provides privacy protection by imparting anonymity.
(3) Session key agreement. When the vehicle transmits data with RSU, the session key should be used to encrypt the data to protect the session privacy.
(4) Traceability. To prevent malicious users from sending false messages by anonymity, the authentication scheme should trace the real identity of the sender when the message is in dispute.
(5) Resistance to attacks. VANET is vulnerable to various attacks, such as replay attacks and forgery attacks. Authentication and key agreement of VANET needs to be able to resist all kinds of attacks to ensure the security and reliability of the scheme.
(6) Unlinkability. In order to protect privacy, attackers or other vehicles cannot link different sessions of the same vehicle via the public channel.

Proposed Authentication Scheme for VANET
Our scheme includes the following phases: initialization, RSU and vehicle registration, authentication and communication key agreement, message signing, signature verification, identity extraction, and updating the group key. The mutual authentication and the key agreement process between RSU and the vehicle is shown in Figure 2. The main notations used in the scheme are given in Table 1.

Initialization Phase.
TA selects random numbers $s, x \in Z_q^*$, where $s$ is the private key of the system, used to compute the public key $P_{pub} = sP \in G$, and $x$ is the group key for multivehicle communication. Furthermore, $P_x = xP \in G$. TA selects five secure hash functions: TA also broadcasts the system parameters: $Paras = \{E, a, b, p, q, P, P_{pub}, P_x, h_0, h_1, h_2, h_3, h_4, h_5\}$.

RSU and Vehicle Registration Phase.
Roadside unit $RSU_j$ applies to TA for registration. After TA verifies the information of $RSU_j$ successfully, it allocates the identity $ID_j$ to $RSU_j$. Then, TA selects a random number $r_j$, computes $h_{rj} = h_0(ID_j, R_j)$ and $R_j = r_j P$. TA also generates the private key $s_j = r_j + h_{rj} s$ and then returns $R_j$, $s_j$ to $RSU_j$. $RSU_j$ computes $P_j = s_j P$ and verifies whether the following equation holds.
$$P_j = R_j + h_{rj} P_{pub}, \quad \because P_j = s_j P = r_j P + h_{rj} s P = R_j + h_{rj} P_{pub}. \tag{1}$$
If (1) holds, $RSU_j$ broadcasts $R_j$, $ID_j$, and $P_j$. Otherwise, the message is rejected. After RSU broadcasts the public key $P_j$, the vehicle can use $P_j$ to compute the pseudonym of the vehicle. The detailed process is shown in Section 3.3.
During the registration process, the vehicle users go to TA directly. The vehicle users submit the required information, such as identification, phone number, and license, to TA. TA checks whether the vehicle user is qualified. If the vehicle user is qualified, TA allocates a TPD to the vehicle $V_i$ and assigns a unique identity $RID_i$ to the vehicle $V_i$. TA allows users to set a username and password for TPD. Then, TA chooses a random number $r_i$ and computes $R_i = r_i P$, $h_{vi} = h_0(RID_i, R_i)$, $s_i = r_i + h_{vi} s$, and $P_i = s_i P$. TA saves $s_i$, $x$, $RID_i$, $R_i$, and $P_i$ in the TPD of the vehicle $V_i$. At the same time, the vehicle information such as $RID_i$, $R_i$, and $P_i$ is saved in AS.

Authentication and Communication Key Agreement Phase.
$RSU_j$ broadcasts $R_j$, $ID_j$, and $P_j$; the OBU of the vehicle receives them and verifies whether (1) holds. If it holds, the OBU forwards them to the TPD of the vehicle. The TPD selects the random numbers $u_i, l_i \in Z_q^*$ and the timestamp $T_i$. The TPD computes the pseudonym $PID_i = RID_i \oplus h_1(l_i P_j)$ and generates the signatures
[Figure 2: Mutual authentication and key agreement.]
$RSU_j$ receives $(\delta_{i1}, \delta_{i2}, U_i, PID_i, P_R, L_i, T_i)$, and then, it computes $h_{i1} = h_2(ID_j, PID_i, U_i, T_i)$ and verifies whether the following equation holds.
(2)
and $h_{i2} = h_3(ID_j, PID_i, P_R, L_i, T_i)$ and verifies whether the following equation holds.
If both (2) and (3) hold, the vehicle is legitimate. $RSU_j$ chooses a random number $u_j \in Z_q^*$ and computes $U_j = u_j P$, $sk = h_2(ID_j, RID_i, u_j U_i, T_i)$, $h_j = h_4(ID_j, RID_i, U_j, sk, T_i)$, and $\delta_j = h_j s_j + u_j$. $RSU_j$ sends $(\delta_j, U_j, PID_i, ID_j, R_j)$ to the vehicle $V_i$.
The vehicle $V_i$ receives $(\delta_j, U_j, PID_i, ID_j, R_j)$, and then, it computes $h_{rj} = h_0(ID_j, R_j)$ and $h_j = h_4(ID_j, RID_i, U_j, sk, T_i)$ and verifies whether the following equation holds.
$$\delta_j P = h_j R_j + h_j h_{rj} P_{pub} + U_j, \quad \because \delta_j P = h_j s_j P + u_j P = h_j P_j + U_j = h_j R_j + h_j h_{rj} P_{pub} + U_j. \tag{4}$$
If (4) holds, the vehicle $V_i$ computes $sk = h_2(ID_j, RID_i, u_i U_j, T_i)$, which is the session key between $V_i$ and $RSU_j$.
The process of authentication and key agreement between vehicle and RSU is shown in Figure 2.
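
The registration check (1), the pseudonym and its extraction by the RSU, the response check (4), and the session key derivation can be run end to end. The following Python code is an added example, not code from the paper: it assumes secp256k1 in place of the paper's 160-bit curve, domain-tagged SHA-256 as stand-ins for $h_0$, $h_1$, $h_2$, $h_4$, $L_i = l_i P$ and $U_i = u_i P$ as stated in the security analysis, and constructed identities and timestamp. The request signatures $\delta_{i1}$, $\delta_{i2}$ are left out, and the vehicle derives $sk$ before $h_j$ because $h_4$ takes $sk$ as input.

```python
import hashlib
import secrets

# Assumption: secp256k1 stands in for the paper's 160-bit curve; P is its base point.
FP = 2**256 - 2**32 - 977
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7 over F_p; None is the point O."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % FP == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, FP) % FP
    else:
        lam = (y2 - y1) * pow((x2 - x1) % FP, -1, FP) % FP
    x3 = (lam * lam - x1 - x2) % FP
    return (x3, (lam * (x1 - x3) - y1) % FP)

def mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; for illustration)."""
    acc, k = None, k % Q
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def rand_scalar():
    return secrets.randbelow(Q - 1) + 1          # uniform in Z_q^*

def enc(*parts):
    """Length-prefixed encoding of points, ints and bytes for hashing."""
    out = b""
    for x in parts:
        if isinstance(x, tuple):
            x = b"".join(c.to_bytes(32, "big") for c in x)
        elif isinstance(x, int):
            x = x.to_bytes(32, "big")
        out += len(x).to_bytes(2, "big") + x
    return out

def h_zq(tag, *parts):
    """Stand-in for h_0, h_2, h_4: domain-tagged SHA-256 reduced into Z_q^*."""
    return int.from_bytes(hashlib.sha256(tag + enc(*parts)).digest(), "big") % (Q - 1) + 1
def h1(point):
    """Stand-in for h_1: maps a curve point to a 32-byte mask."""
    return hashlib.sha256(b"h1" + enc(point)).digest()
def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def ta_register(s, identity):
    """TA: R = rP, h = h_0(ID, R), private key = r + h*s mod q."""
    r = rand_scalar()
    R = mul(r, P)
    return R, (r + h_zq(b"h0", identity, R) * s) % Q

def check_eq1(id_j, R_j, P_j, P_pub):
    """Equation (1): P_j = R_j + h_rj * P_pub."""
    return P_j == add(R_j, mul(h_zq(b"h0", id_j, R_j), P_pub))

def rsu_respond(id_j, s_j, rid_i, U_i, T_i):
    """RSU: U_j = u_j P, sk = h_2(ID_j, RID_i, u_j U_i, T_i), delta_j = h_j s_j + u_j."""
    u_j = rand_scalar()
    U_j = mul(u_j, P)
    sk = h_zq(b"h2", id_j, rid_i, mul(u_j, U_i), T_i)
    h_j = h_zq(b"h4", id_j, rid_i, U_j, sk, T_i)
    return (h_j * s_j + u_j) % Q, U_j, sk

def vehicle_finish(id_j, R_j, P_pub, rid_i, u_i, T_i, delta_j, U_j):
    """Vehicle: sk from u_i U_j, then equation (4); returns sk, or None on failure."""
    sk = h_zq(b"h2", id_j, rid_i, mul(u_i, U_j), T_i)
    h_j = h_zq(b"h4", id_j, rid_i, U_j, sk, T_i)
    h_rj = h_zq(b"h0", id_j, R_j)
    rhs = add(add(mul(h_j, R_j), mul(h_j * h_rj, P_pub)), U_j)
    return sk if mul(delta_j, P) == rhs else None

def run_session():
    """One constructed run: registration, pseudonym, response check, key agreement."""
    s = rand_scalar()                             # TA system private key
    P_pub = mul(s, P)
    id_j, rid_i = b"RSU-0001", b"VEHICLE-0042".ljust(32, b"\x00")  # constructed IDs
    R_j, s_j = ta_register(s, id_j)
    P_j = mul(s_j, P)
    l_i, u_i, T_i = rand_scalar(), rand_scalar(), 1700000000  # constructed timestamp
    L_i, U_i = mul(l_i, P), mul(u_i, P)
    pid_i = xor(rid_i, h1(mul(l_i, P_j)))         # PID_i = RID_i xor h_1(l_i P_j)
    traced = xor(pid_i, h1(mul(s_j, L_i)))        # RSU side: s_j L_i equals l_i P_j
    delta_j, U_j, sk_rsu = rsu_respond(id_j, s_j, traced, U_i, T_i)
    sk_veh = vehicle_finish(id_j, R_j, P_pub, rid_i, u_i, T_i, delta_j, U_j)
    forged = vehicle_finish(id_j, R_j, P_pub, rid_i, u_i, T_i, (delta_j + 1) % Q, U_j)
    return {"eq1": check_eq1(id_j, R_j, P_j, P_pub), "traced": traced == rid_i,
            "pid_differs": pid_i != rid_i, "sk_match": sk_veh == sk_rsu,
            "forged_rejected": forged is None}
```

Calling `run_session()` returns a dictionary of booleans; a response whose $\delta_j$ has been altered fails equation (4), so the vehicle derives no usable session key from it.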

Message Signing Phase.
When a vehicle needs to send a message $M_i$ in the area covered by the roadside unit $RSU_j$, the TPD of the vehicle chooses a random number $v_i \in Z_q^*$ and the timestamp $T_m$ and computes and σ ). The TPD then broadcasts the signature $(\sigma_i, M_i, PID_i, V_i, P_v, R_{vi}, T_m)$.

3.5. Signature Verification.
$RSU_j$ receives $(\sigma_i, M_i, PID_i, V_i, P_v, R_{vi}, T_m)$, and then, it checks whether the timestamp $T_m$ is within the valid time. If it is, $RSU_j$ extracts the real identity of the vehicle $R_{vi}$, $T_m$), and verifies whether (5) holds.
(5)
If it holds, $RSU_j$ accepts the message. If it does not, it means that the TPD of the vehicle is damaged. For example, suppose the attackers stole the private and group keys of the TPD, faked the identity $RID_i'$, generated the pseudonym $PID_i'$, forged the signature $(\sigma_i, M_i, PID_i', V_i', P_v', R_{vi}', T_m)$, and enabled it to satisfy (6). However, according to the TPD security assumption, this situation is extremely rare. If $RSU_j$ detects that the TPD has been attacked, it immediately broadcasts that the signature
Other vehicles receive $(\sigma_i, M_i, PID_i, V_i, P_v, R_{vi}, T_m)$, and then, they check whether the timestamp $T_m$ is within the valid time. If it is, the vehicles compute $h_{rv} = h_2(M_i, PID_i, R_{vi}, T_m)$ and $h_{mi} = h_5(M_i, PID_i, P_v, V_i, R_{vi}, T_m)$ and verify whether the following equation holds.
If it does and the vehicles do not receive an invalid signature broadcast by $RSU_j$ within the specified time, the vehicles accept the message $M_i$.

Identity Extraction.
When a valid message signature $(\sigma_i, M_i, PID_i, V_i, P_v, R_{vi}, T_m)$ is in dispute, it is necessary to track the real identity of a vehicle. $RSU_j$ can extract the real identity of the vehicle through computing $RID_i = PID_i \oplus h_1(s_j V_i)$.

Updating the Group Key Phase.
TA chooses a random number $w_i \in Z_q^*$ and the timestamp $T_v$ and computes $W_i = x w_i P$, $\delta_t = s h_0(x w_i P, T_v) + x w_i$, $P_x = h_3(w_i P, xP, T_v)P$, where $P_x$ is the new group public key. TA broadcasts the signature $(\delta_t, W_i, T_v, P_x)$.
After the vehicles receive $(\delta_t, W_i, T_v, P_x)$, they compute $x^{-1} W_i$ and verify whether the following equation holds. If it does, the vehicles update the group key as

Security Analysis
Under the random oracle model, the security model of [39] is used to prove the security of our scheme.

Lemma 1. The authentication request message of the vehicle cannot be forged. When ECDLP is a difficult problem, our scheme can resist the forgery attack of adaptive chosen message.
Proof. We assume that there is an attacker Ad who can successfully forge the request message of a vehicle in polynomial time $\varepsilon$. Given an ECDLP instance ($P$, $Q = xP$, $P, Q \in G$, $x \in Z_q^*$), the challenger Ch can solve the ECDLP in polynomial time $\varepsilon$.
The challenger Ch sets system parameters $paras = \{E_p(a, b), p, q, G, P, P_{pub}, P_x, h_0, h_1, h_2, h_3, h_4, h_5\}$. Ch randomly chooses $RID_i$ of a vehicle as the identity of the challenger Ch. Ch builds and maintains six hash lists: $L_{hl}$, where $l = 0, 1, 2, \ldots, 5$. Finally, Ch sends $paras$ to Ad.
$h_1$-Oracle. When Ad makes a query with $\theta$, Ch checks whether the tuple $(\theta, \tau_{h1})$ is already in $L_{h1}$ or not. If it is, Ch sends $\tau_{h1}$ to Ad. Otherwise, Ch randomly selects $\tau_{h1} \in Z_q^*$ and adds $(\theta, \tau_{h1})$ to $L_{h1}$. Finally, Ch sends $\tau_{h1} = h_1(\theta)$ to Ad.
$h_2$-Oracle. When Ad makes a query with $(ID_j, PID_i, U_i, T_i)$, Ch checks whether the tuple $(ID_j, PID_i, U_i, T_i, \tau_{h2})$ is already in $L_{h2}$ or not. If it is, Ch sends $\tau_{h2}$ to Ad. Otherwise, Ch randomly selects $\tau_{h2} \in Z_q^*$ and adds $(ID_j, PID_i, U_i, T_i, \tau_{h2})$ to $L_{h2}$. Finally, Ch sends $\tau_{h2} = h_2(ID_j, PID_i, U_i, T_i)$ to Ad.
$h_3$-Oracle. When Ad makes a query with $(ID_j, PID_i, P_R, L_i, T_i)$, Ch checks whether the tuple $(ID_j, PID_i, P_R, L_i, T_i, \tau_{h3})$ is already in $L_{h3}$ or not. If it is, Ch sends $\tau_{h3}$ to Ad. Otherwise, Ch randomly selects $\tau_{h3} \in Z_q^*$ and adds $(ID_j, PID_i, P_R, L_i, T_i, \tau_{h3})$ to $L_{h3}$. Finally, Ch sends $\tau_{h3} = h_3(ID_j, PID_i, P_R, L_i, T_i)$ to Ad.
Extract ($RID_i$). Ch builds and maintains the list $L_v = (RID_i, R_i, s_i)$. When Ad makes a query with $RID_i$ and $R_i$, Ch checks whether the tuple $(RID_i, R_i, s_i)$ is in $L_v$. If it is, Ch sends $s_i$ to Ad. Otherwise, Ch randomly selects $s_i, h_{vi} \in Z_q^*$, lets $R_i = s_i P - h_{vi} P$, and adds them to $L_v$. Finally, Ch sends $L_v = (RID_i, R_i, s_i)$ to Ad.
Sign-Oracle. When Ad makes a query with
Output. Finally, Ad outputs an authentication request message $(\delta_{i1}, \delta_{i2}, U_i, PID_i, P_R, L_i, T_i)$ with nonnegligible probability. According to the forgery lemma [40], Ad chooses different $h_{i1}'$ and $h_{vi}'$ and generates another valid authentication request message $(\delta_{i1}', \delta_{i2}', U_i, PID_i, P_R, L_i, T_i)$ in polynomial time. At this time, the two authentication request messages satisfy the following:
From (8)-(11), we can obtain
Now, according to (12) and (13), Ad outputs $x$
However, solving $x$ or $s$ is an ECDLP problem. Furthermore, it is impossible for an adversary to solve the ECDLP problem in polynomial time.

□

Lemma 2. The authentication response message cannot be forged. Since ECDLP is difficult to solve, our scheme can resist the forgery attack of adaptive chosen message.
Proof. We assume that there is an attacker Ad who can successfully forge an authentication response message in polynomial time. Given an ECDLP instance , then the challenger Ch can solve the ECDLP with nonnegligible probability. The challenger Ch sets system parameters $paras = \{E_p(a, b), p, q, G, P, P_{pub}, P_x, h_0, h_1, h_2, h_3, h_4, h_5\}$. Ch builds and maintains six lists: $L_{hl}$, where $l = 0, 1, 2, \ldots, 5$. Finally, Ch sends $paras$ to Ad.
$h_2$-Oracle. When Ad makes a query with $(ID_j, RID_i, u_j U_i, T_i)$, Ch checks whether the tuple $(ID_j, RID_i, u_j U_i, T_i, \tau_{h2})$ is already in $L_{h2}$ or not. If it is, Ch sends $\tau_{h2}$ to Ad. Otherwise, Ch randomly selects $\tau_{h2} \in Z_q^*$ and adds $(ID_j, RID_i, u_j U_i, T_i, \tau_{h2})$ to $L_{h2}$. Finally, Ch sends $\tau_{h2} = h_2(ID_j, RID_i, u_j U_i, T_i)$ to Ad.
Extract ($ID_j$). Ch builds and maintains the list $L_R = (ID_j, R_j, s_j)$. When Ad makes a query with $ID_j$, Ch checks whether the tuple $(ID_j, R_j, s_j)$ is in $L_R$. If it is, Ch sends $s_j$ to Ad. Otherwise, Ch randomly selects $s_j, h_{rj} \in Z_q^*$, lets $R_j = s_j P - h_{rj} P_{pub}$, and adds $(ID_j, R_j, s_j)$ to $L_R$. Finally, Ch sends $L_R = (ID_j, R_j, s_j)$ to Ad.
Sign-Oracle. When Ad makes a query with $(PID_i, T_i)$, Ch randomly chooses $sk, h_{rj}, h_j, \delta_j \in Z_q^*$ and sets $U_j = \delta_j P - h_j R_j - h_j h_{rj} P_{pub}$. Finally, Ch sends $(\delta_j, U_j, PID_i, ID_j, R_j)$ to Ad.
Output. Finally, Ad outputs an authentication request message $(\delta_j, U_j, PID_i, ID_j, R_j)$ with nonnegligible probability. According to the forgery lemma [40], Ad chooses different $h_{rj}'$ and generates another valid authentication request message $(\delta_j', U_j, PID_i, ID_j, R_j)$ in polynomial time. Now, the two authentication request messages satisfy the following:
$$\delta_j P = h_j R_j + h_j h_{rj} P_{pub} + U_j, \tag{14}$$
$$\delta_j' P = h_j R_j + h_j h_{rj}' P_{pub} + U_j. \tag{15}$$
From (14) and (15), we can deduce the following expression:
Next, Ch can output $s = (\delta_j - \delta_j')(h_j(h_{rj} - h_{rj}'))^{-1} \bmod q$. However, solving $s$ is an ECDLP, which is impossible for an adversary to solve in polynomial time.

□
Theorem 1. From Lemma 1 and Lemma 2, we know that when the ECDLP problem is difficult to solve, the adversary cannot forge the authentication request message and response message; that is, our authentication scheme can resist adaptive chosen message forgery attack.

Theorem 2. The message signature cannot be forged. Since ECDLP is hard to solve, our scheme can resist the forgery attack of adaptive chosen message attack.
Proof. We assume that there is an attacker Ad who can successfully forge an authentication response message in polynomial time. Given an ECDLP instance , the challenger Ch can solve the ECDLP in polynomial time $\varepsilon$.
Then, Ad adaptively queries the oracle machine to Ch, and Ch replies to Ad in the following way.
When Ad makes a query with $(PID_i, M_i, T_m)$, Ch randomly chooses $h_{rv}, h_{mi}, \sigma_i \in Z_q^*$, and $V_i, P_v \in G$; furthermore, it sets $R_{vi} = h_{rv}^{-1}(\sigma_i P - h_{rv} P_{pub} - h_{mi} P_x)$. Finally, Ch sends $(\sigma_i, M_i, V_i, P_v, R_{vi}, T_m)$ to Ad.
Subsequently, Ad outputs a valid signature $(\sigma_i, M_i, V_i, P_v, R_{vi}, T_m)$ with a nonnegligible probability. According to the forgery lemma [40], Ad chooses different $h_{mi}'$ and generates another valid signature $(\sigma_i', M_i, V_i, P_v, R_{vi}, T_m)$ in polynomial time. At this time, the two signatures satisfy the following relationships:
From (17) and (18), we can obtain the following equation:
Now, according to (19), Ch can output $x = (\sigma_i - \sigma_i')(h_{mi} - h_{mi}')^{-1} \bmod q$. However, solving for $x$ is an ECDLP problem, which is impossible for an adversary to solve in polynomial time. Thus, our proposed signature scheme under the random oracle model is resistant against a chosen adaptive message attack.

□

Theorem 3. The key agreement of our scheme is secure under the ECCDH problem.
Proof. Given an ECCDH instance, $Q_1 = x_1 P$, $Q_2 = x_2 P$, and $Q_3 = x_1 x_2 P$, where $x_1, x_2 \in Z_q^*$. In our key agreement, we let $Q_1 \leftarrow U_i = u_i P$, $Q_2 \leftarrow U_j = u_j P$, $Q_3 \leftarrow u_i u_j P$. In this method, if the attacker Ad gets $u_i u_j P$ according to $U_i$, $U_j$, the key negotiated between the vehicle and RSU can be obtained. However, it is impossible for the adversary to solve the ECCDH problem in polynomial time, implying that the key agreement proposed in this study is secure.

□

Theorem 4. In the random oracle model, we can achieve conditional anonymity and traceability.
Proof. In the proposed scheme, the authentication request message uses the pseudonym $PID_i = RID_i \oplus h_1(l_i P_j)$, where $L_i = l_i P$, $l_i \in Z_q^*$. According to ECDLP, it is not feasible for the adversary to solve $l_i P_j$ without knowing $l_i$. The request authentication signatures q are the random numbers. Every time a vehicle is certified, it can produce unrelated pseudonyms and different authentication requests. Similarly, the pseudonym is also used in message signature. The message signature is ). The pseudonym used in the signature is different every time.
Therefore, the scheme can provide anonymity for vehicle users in authentication and message signature. In addition, this scheme can also realize the traceability of the real identity; RSU can calculate the real identity of the vehicle $RID_i = PID_i \oplus h_1(s_j L_i)$ through the private key. Similarly, through pseudonym of signature message $PID_i = RID_i \oplus h(v_i P_j)$, RSU can also calculate $RID_i = PID_i \oplus h_1(s_j V_i)$ using the private key. Therefore, this scheme can realize the traceability of identity.

□
Theorem 5. In the proposed scheme, we can achieve unlinkability.
Proof. In our scheme, the authentication request message of the vehicle $(\delta_{i1}, \delta_{i2}, U_i, PID_i, P_R, L_i, T_i)$ is different for each session.
Meanwhile, the signature message $(\sigma_i, M_i, PID_i, V_i, P_v, R_{vi}, T_m)$ is also different for each message. Therefore, all elements from the message of the vehicle are different, and no attacker can tell whether two different messages come from the same vehicle. Thus, our proposed scheme supports unlinkability.
[13,24] keep the system key in the TPD of each vehicle; this requires a strong TPD security assumption. If a single TPD is successfully attacked, the whole system will not be secure. Table 2 provides the features comparison with other schemes. It can be seen from Table 2 that the proposed scheme has strong advantages in security and communication efficiency.

Performance Analysis
In this section, we analyze the computation cost and communication cost of message authentication.

Computation Performance Analysis.
In this study, nonsingular elliptic curve cryptography is used, whereas bilinear pairing construction scheme is utilized in works [13,24]. To compare at the same security level, we construct two 80-bit security level cryptographic operation schemes. Bilinear pairing cryptographic schemes are set as follows: $e: G_1 \times G_1 \rightarrow G_2$. $E: y^2 = x^3 + ax + b \bmod p$ is a supersingular curve with degree 2, where $p$ is a 512-bit prime. $G_1$ is an additive group based on $E$ with order $q$ and $P$ is the generator of $G_1$ with order $q$. The elliptic curve cryptography of the same security level is set as follows: $E: y^2 = x^3 + ax + b \bmod p$ is a non-supersingular elliptic curve, where $p$ and $q$ are 160-bit primes, $a, b \in Z_p^*$. $G$ is an additive group on $E$. $P$ is the generator of $G$ with order $q$. Let $T_{bp}$, $T_{bm}$, and $T_{ba}$ denote the execution time of bilinear pairing operation, scalar multiplication operation, and scalar addition operation, respectively. $T_{em}$ and $T_{ea}$ denote the execution time of scalar multiplication and scalar addition on elliptic curve cryptography, and $T_H$ denotes the hash operation time of map-to-point. We use MIRACL cryptographic library, an i5-7200U processor with 2.5 GHz clock frequency and 8 GB memory in our experiment. The operating system is Windows 10. Table 3 provides the average execution time of cryptographic operations.
Next, we analyze the computation cost of message signature and verification for the protocols given in Table 4. Message signature in LIAP [13] requires five bilinear scalar multiplication operations, one bilinear scalar addition operation, and one map-to-point operation; signature verification requires three bilinear pairing operations, one bilinear scalar multiplication operation, and one map-to-point operation. Similarly, we can calculate the computation cost of message signature and signature verification for NECPPA [24], Wu et al.'s scheme [6], and our scheme. As given in Table 4, the message signature cost of the vehicle is 2.475 ms in our scheme. Compared with LIAP and NECPPA, the message signature computation cost of our scheme is reduced by 74% and 87%, respectively. However, compared with Wu et al., it costs 1.65 ms more. Compared with LIAP and NECPPA, the cost of signature verification is reduced by 69% and 87%, and it is equal to that of Wu et al.'s scheme.
Figure 3 presents the comparisons of these computational costs graphically.

[6] for each vehicle. When there are too many vehicles, it will cause a heavy burden on the memory of RSU. Similarly, each TPD also needs additional 60t bytes of storage space. The communication cost of message signature is provided in Table 5.

Communication
Figure 4 presents the comparisons graphically.

Comparison with Other Authentication Protocols.
Wei et al.'s protocols [37] use cosine similarity to realize the authentication for the intelligent and the authentication server. They have less computation cost and better accuracy compared with other implicit authentication schemes. The optimized computation complexity of the two protocols is $3O(n^{2.3})$ and $3O(n^{2.3}) + 2Enc_p + Dec_p$, respectively, where $n$ is the dimension of the multimodal behavior feature vector, and $Enc_p$ and $Dec_p$ are Paillier operations. Our scheme is based on elliptic curves, which can achieve high security in a 160-bit finite field. The complex operation used in our scheme is scalar multiplication, whose complexity can be optimized to $O(k)$, where $k$ is the length of the coefficient, which is 160 bits in our scheme. In the process of mutual authentication between the vehicle and RSU, there are 15 scalar multiplication operations, and the computation complexity is $15\,O(160)$. It can be seen from the above analysis that when $n$ is small, the work [37] has an advantage in computation cost, and when $n$ is large, our scheme is better. In addition, in Wei et al.'s protocols, the identity of the vehicle $U_i$ is the same in different sessions, so they do not consider the unlinkability of sessions. In our scheme, we use different pseudonyms to realize unlinkability of the sessions.
Vinoth et al.'s scheme [38] is a lightweight authentication and key agreement scheme, which is better than our scheme in terms of computation cost, communication cost, and storage cost. However, the scheme does not consider the internal attack. If one sensing device is attacked, the attacker can monitor the communication between the user and the gateway node as well as between the user and other sensing devices. In our scheme, the vehicle is equipped with a TPD, which stores the private key of the vehicle and the group key. Even if a single TPD is attacked, the attacker can only intercept the group key and the private key of that vehicle. The authentication, key agreement, and message signature all need the private key of the vehicle. Thus, the attacker can only forge the signature of a single vehicle, without affecting the communication security of other VANET nodes.
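The containment argument above (a leaked group key alone cannot forge another vehicle's signature), combined with the scheme's check order of timestamp, group-key signature, then vehicle-key signature, as an added Python example that is not the paper's implementation. It assumes a toy Schnorr group in place of the 160-bit curve, a vehicle public key handed to the RSU directly, and hypothetical names (`vehicle_request`, `rsu_verify`, `MAX_SKEW`).

```python
import hashlib
import secrets

# Toy Schnorr group standing in for the paper's elliptic-curve group G
# (assumption: illustration only, far too small for real use).
P, Q, G = 2039, 1019, 4      # 4 generates the subgroup of prime order Q mod P
MAX_SKEW = 5                 # accepted timestamp age in seconds (assumed value)

def h(*parts):
    """Hash the fields to a nonzero scalar in 1..Q-1."""
    data = "|".join(str(x) for x in parts).encode()
    return 1 + int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1)

def keygen():
    s = secrets.randbelow(Q - 1) + 1
    return s, pow(G, s, P)

def sign(secret, *fields):
    """delta = nonce + h * secret (mod q), the same shape as l_i + h_i2 * s_i."""
    k = secrets.randbelow(Q - 1) + 1
    commit = pow(G, k, P)    # plays the role of U_i = u_i P or L_i = l_i P
    return commit, (k + h(commit, *fields) * secret) % Q

def check(pub, commit, delta, *fields):
    return pow(G, delta, P) == commit * pow(pub, h(commit, *fields), P) % P

def vehicle_request(group_sk, vehicle_sk, rsu_id, pid, t):
    U, d1 = sign(group_sk, rsu_id, pid, t)      # group-key signature
    L, d2 = sign(vehicle_sk, rsu_id, pid, t)    # vehicle private-key signature
    return {"pid": pid, "t": t, "U": U, "d1": d1, "L": L, "d2": d2}

def rsu_verify(msg, rsu_id, group_pk, vehicle_pk, now):
    """Return the stage at which the request is accepted or dropped."""
    if abs(now - msg["t"]) > MAX_SKEW:
        return "stale"                          # replayed or delayed message
    fields = (rsu_id, msg["pid"], msg["t"])
    if not check(group_pk, msg["U"], msg["d1"], *fields):
        return "drop:group"                     # outsider, discarded early
    if not check(vehicle_pk, msg["L"], msg["d2"], *fields):
        return "drop:vehicle"                   # group key alone is not enough
    return "accept"
```

A request signed with a stolen group key and vehicle A's private key still verifies as vehicle A, but fails at the second check when presented under vehicle B's public key.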

Conclusion
The instantaneous characteristic of VANET communication requires high efficiency in authentication and key agreement. Therefore, this study proposes an efficient anonymous authentication and key agreement scheme. The scheme includes mutual authentication and key agreement between vehicle and RSU, as well as signature and verification of the vehicle message. In the proposed scheme, an elliptic curve is used to improve the efficiency of computation and communication. Our authentication and key agreement scheme does not need to communicate with the third-party authority or establish a local database, and furthermore, it avoids database query operations. It can effectively save the communication time and storage space of related nodes and is more suitable for VANET. Compared with other schemes, this scheme also has strong computing and communication advantages in message authentication. However, we do not address key negotiation and authentication between vehicles. Lightweight and effective encryption methods to achieve anonymous authentication and communication between vehicles are a worthy research direction.
The implementation of anonymous authentication and key agreement based on channel condition is also one of the directions worthy of discussion [41,42].
In this study, the authentication technology combined with cryptography is mainly presented.At present, deep learning and cloud computing are increasingly used in network applications.In the next step, more technologies such as deep learning [43,44] and cloud computing can be combined into authentication and privacy protection of VANET.

Table 1: Notations used.
Group key and group public key pairs; $h_0, h_1, h_2, h_3, h_4, h_5$

$\delta_{i2} = l_i + h_{i2} s_i$, where $U_i = u_i P$, $h_{i1} = h_2(ID_j, PID_i, U_i, T_i)$, $L_i = l_i P$, $P_R = R_i + l_i P_j$, and $h_{i2} = h_3(ID_j, PID_i, P_R, L_i, T_i)$. It sends $(\delta_{i1}, \delta_{i2}, U_i, PID_i, P_R, L_i, T_i)$ to RSU$_j$ through the OBU.
certification table or TA to participate in the certification between vehicle and RSU. Both authentication and message signature use a timestamp, which can resist replay attack. In the authentication process, RSU first checks whether the group key signature is legal, and then, it verifies the vehicle private key signature. If the group key signature is illegal, the signature is discarded directly, which can resist DoS attack to a certain extent. In this scheme, the vehicle is equipped with a TPD, which stores the private key of the vehicle and the group key. Even if a single TPD is attacked, the attacker can only intercept the group key and the private key of the vehicle. The authentication, key agreement, and message signature all need the private key of the vehicle. Thus, the attacker can only forge the signature of a single vehicle, without affecting the communication security of other VANET nodes. The schemes

Overhead. It can be seen from the analysis in the previous section that $p$ is 64 bytes, $G_1$ is 128 bytes, and $p$ is 20 bytes, $G$ is 40 bytes. Suppose the timestamp is 4 bytes, the hash function value is 20 bytes, and the other nongroup elements have a value of 20 bytes. The signature message of the proposed method is $(\sigma_i, M_i, PID_i, V_i, P_v, R_{vi}, T_m)$, and the communication length is 20 + 20 + 20 + 40 + 40 + 40 + 4 = 184 bytes. The signature message of LIAP is $(PID_i, M_s, PK_{Ri}, \sigma_i)$, and the communication length is 128 + 20 + 20 + 128 + 128 = 424 bytes. The signature message of NECPPA is $(PID_i, \delta_i, M_i, ID_{RSU_j})$, and the communication length is 128 + 20 + 128 + 20 + 20 = 316 bytes. The signature message of Wu et al.'s scheme is $(m_i, PID_{vi}, T_i, T_{vi}, h_{ki}, R_i, \delta_i)$, and the communication length is 20 + 40 + 4 + 4 + 20 + 40 + 20 = 148 bytes. Compared with LIAP and NECPPA, the proposed scheme can save 57% and 42% of the communication cost, respectively. Compared with Wu et al.'s scheme, the communication length is slightly increased by 40 bytes. However, in the scheme proposed by Wu et al., RSU needs to store $t$ pairs of the pseudonyms and local private keys $(PID_{vi}, k_{vi})$

Table 3: Execution time of cryptographic operations.

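Table 5: Communication cost of message signature in each scheme.

| Scheme | Signature message | Length (bytes) |
| --- | --- | --- |
| LIAP | $PID_i, M_s, PK_{Ri}, \sigma_i$ | 424 |
| NECPPA | $PID_i, \delta_i, M_i, ID_{RSU_j}$ | 316 |
| Wu et al. | $m_i, PID_{vi}, T_i, T_{vi}, h_{ki}, R_i, \delta_i$ | 148 |
| Our scheme | $\sigma_i, M_i, PID_i, V_i, P_v, R_{vi}, T_m$ | 184 |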