An Efficient Pairing-free Batch Verification Scheme for VANET

An intelligent traffic system, which can flexibly allocate traffic resources, is a good assistant for improving traffic safety and the efficiency of controlling traffic volume, providing instant traffic information, and giving priority to ambulances. Although such a system is powerful, it could be misused without proper protection. For example, malicious drivers might forge an ambulance's message so that they can quickly pass through intersections. In addition, because traffic information is voluminous and must be processed immediately, traditional schemes that process messages one by one are not adequate. To address this, many batch verification schemes have been proposed. Most of them adopt bilinear pairing, while the others try to avoid it because pairing operations are complex. However, such pairing-free schemes are not practical because their calculation time explodes as more data wait to be processed. In this article, we briefly describe those schemes and propose a more effective one that solves the problems mentioned above.


I. INTRODUCTION
Nowadays, people crowd to metropolitan cities to pursue more job opportunities, living facilities, and better living quality. However, it is a big challenge to maintain the quality of traffic as more and more people move in.
Since existing urban road networks are hard to improve by widening, adding, or extending roads, a smarter traffic scheme is needed to fully utilize the traffic network. A combination of an intelligent traffic system (ITS) and vehicular ad hoc networks (VANET, also called wireless access in vehicular environments (WAVE)) is a good assistant. VANET allows vehicles to communicate with neighboring objects, such as other vehicles or road-side units (RSU), by Dedicated Short Range Communications (DSRC) [1]. Among these, RSUs help ITS collect information about the local area. With that information, ITS can form an overview of local traffic and adjust traffic resources appropriately. For example, ITS can flexibly shorten the stop light time when too many vehicles are waiting. Compared with the traditional method, i.e., control by manpower, ITS can adjust not only a single intersection but all intersections in the area. Adjusting a single intersection sometimes has a large impact on other intersections, because they receive additional, unexpected traffic flows. From another viewpoint, manual control can only intervene after congestion has occurred. In contrast, ITS can collect traffic data through RSUs to predict which roads will be crowded and adjust the traffic signals of the whole area at an early stage. Besides, the collected data can be shared with drivers to help them plan their own routes. During rush hours, more people tend to avoid traffic jams on heavily loaded road sections. In this case, ITS can help redistribute the traffic load and keep the region from being blocked. Although the ITS looks ideal, it may be misused if the system collects data unconditionally. For example, a malicious user may generate many signals or replay expired but legitimate signals to simulate many cars waiting for a traffic light. Under this scenario, genuine signals are drowned out, and ITS misjudges the situation and allocates resources wrongly.
To avoid this, verifying the received data is necessary. However, traditional verification methods face a bottleneck caused by two major features of the traffic environment, i.e., the demand for immediacy and the huge volume. Because traffic conditions change rapidly, information loses its worth if message verification takes too long. On the other hand, the number of vehicles in the same area is very large during peak traffic hours [2,3], and the amount of information increases accordingly. To overcome the bottleneck, batch verification is a good solution. In 1989, Fiat proposed a novel scheme based on RSA batch verification [4]. After that, Lin et al. introduced their batch verification for the VANET environment based on bilinear pairing in 2007 [5]. Thereafter, other researchers also proposed relevant schemes [2,3,6]. These schemes are designed to significantly reduce the complex calculations caused by bilinear pairing, i.e., map-to-point operations, point multiplications, and pairing operations. In 2014, Lee and Lai proposed a scheme which further reduces the number of point multiplication operations to a constant [7]. This means that even though the number of messages waiting for verification grows, the time and cost of the verification protocol can still be kept on a manageable scale. We can say that the scheme has good scalability. However, Lee and Lai's scheme suffers from some security risks. Tzeng et al. showed the weaknesses of Lee and Lai's scheme and proposed their own scheme in 2017 [8].
Although the bilinear pairing algorithm is powerful and easy to use, some researchers consider the pairing operation a complex calculation and thus try to propose novel schemes without pairing [9-13]. Unfortunately, most of the pairing-free schemes we found share a basic problem: the number of complex calculations grows linearly with the number of verified messages, and so does the required time. Thus, it cannot be called an improvement when the total cost is higher, even if it avoids the pairing operation. As a result, to achieve both the pairing-free requirement and good scalability, we propose a novel scheme in this article.
Our contributions are as follows. First, we analyze the features of two previously proposed schemes to tell whether they are scalable or not. After that, we propose a novel pairing-free scheme for the VANET environment which satisfies the following security requirements: message authentication, integrity, freshness, user privacy, and traceability. The necessity of those security requirements is presented in Section 2-1. Finally, we show that the number of complex point multiplication calculations in our scheme stays constant even when the number of verified messages increases. It is therefore more suitable for batch verification than previous schemes.
Before explaining the proposed scheme, we briefly introduce the preliminaries used, including the communication model, elliptic curve cryptography (ECC), and bilinear pairing, in Section 2. In Section 3 we discuss schemes which are pairing-free but not scalable. Then, we present our novel scheme in Section 4. After that, we provide a security analysis and a performance analysis of the proposed scheme in Sections 5 and 6, respectively. Finally, the conclusion is given in Section 7.

II. METHODS
In this section, we introduce the methods used in this paper, including the communication model, ECC, and bilinear pairing.

A. Communication model and security requirements
Many previous VANET verification schemes use a two-layer communication model [7-9,13]. The model includes three roles: the trusted authority (TA), the road side unit (RSU), and the onboard unit (OBU), which is deployed on vehicles and gives them the ability to communicate. In some schemes, the OBU contains a tamper-proof device (TPD), and those schemes assume the TPD is ideally secure, i.e., secret values stored in it are safe and its calculations cannot be interfered with [3,7,8]. In the top layer, TA is responsible for system parameter generation, key management, and new entity registration. Most of the time, TA does not communicate with the other roles, except for key issuance and responding to malicious users. The bottom layer consists of RSUs and OBUs, which exchange messages frequently by DSRC. RSUs collect nearby information or provide other services to vehicle users. Vehicles can also communicate with each other.
We classify communication into V2V (Vehicle to Vehicle) and V2R/V2I (Vehicle to RSU or Vehicle to Infrastructure) by its participants. When classified by security requirement, it can be divided into safe and unsafe communication. Notice that unsafe communication should not be read literally. In general, safe communication is used for transferring private information, such as messages between two drivers, so it has to ensure the confidentiality of the message. Unsafe communication is used for submitting local information, such as vehicle status or traffic accident reports. In contrast to safe communication, the confidentiality of those messages is not important because anyone present can easily observe those states. Without having to build a secret channel, which involves protocol negotiation, key exchange, and encrypting/decrypting the message, the time for processing received information can be shortened.
For this reason, unsafe communication is suitable for local information collecting of ITS, and we focus on it in this paper.
However, unsafe communication still needs to meet some security requirements [3,7-9,13]. The first one is message authentication. Without an authentication mechanism, the door of ITS is open to malicious attackers; a well-established authentication mechanism can not only keep out malicious attackers but also revoke legitimate users' rights when they turn malicious.
The next is integrity. It means the receiver has the ability to judge whether the transferred information has been distorted or not.
The freshness of the received message is equally important. An undistorted message still misleads ITS if the local state has changed. The sources of out-of-date messages include delayed reception, repeated messages, and messages not processed in time due to an inefficient protocol. In addition, during peak traffic periods, the system processes very large amounts of information per unit of time. Therefore, WAVE faces more severe system performance problems than other environments.
The next requirement is to ensure user privacy. Although local information can be revealed to others, the sender's privacy still needs to be protected.
The following requirement, the ability to trace malicious users despite user privacy, is also important. If the system only provides user privacy protection, malicious users will be able to hide and spread a lot of information for their own benefit. It can be as small as defrauding the ITS so that they can quickly cross an intersection, or as large as threatening the government and demanding a ransom. For this reason, the system needs the ability to catch malicious users and revoke their rights. This concept is called conditional privacy. In ITS, this jurisdiction belongs to TA, and reporting malicious messages to TA is the main communication between the top and bottom layers.

B. Elliptic curve cryptography
In the field of VANET batch verification, elliptic curve cryptography (ECC) is the recommended cryptosystem [9-11]. Compared with RSA, it needs a much shorter key to achieve the same security strength: an ECC secret key with a 160-bit order is considered as strong as an RSA secret key with a 1024-bit modulus [14,15]. This advantage allows ECC to require less transfer cost and calculation time. For this reason, ECC has become a popular tool for new protocols and protocol versions, such as Transport Layer Security (TLS) 1.3 [16].
We briefly present ECC as follows. In 1986 and 1987, Miller [17] and Koblitz [18] respectively proposed the use of elliptic curves as a cryptographic tool. The cryptosystem defines an elliptic curve : ! = ( " + + ) , where , ∈ {1, } over a finite field. We let all solutions ( , ) form a point set , and choose a generator ∈ . Performing a point addition, we obtain a result 2 = + , and 2 is another element of G. If we continue the point addition, the result eventually reaches a point at infinity. We define this infinitely far away point as , with + = and − = . When the generator is added to itself times, it comes back to the origin . This means that there are elements in the cycle generated by , i.e., the order of is , and the length of decides the security strength of the ECC cryptosystem.
ECC point multiplication, e.g., • , is actually the generator added to itself ( − 1) times by point addition for each ∈ # , and point addition is very time-consuming compared to real number addition. Therefore, finding the unknown from • is very hard if is large enough; this is called the Elliptic Curve Discrete Logarithm Problem (ECDLP). On the other hand, if we know , we can use 2 = + , 4 = 2 + 2 … or other faster methods to obtain quickly.

C. Bilinear pairing
Bilinear pairing [19] is useful for checking relations between scalar coefficients without knowing the coefficients themselves in some cryptosystems, such as ECC [19] and ElGamal [20]. Hence, it is popular for designing schemes in which the private key must be hidden from the verifier and the verifier is not permitted to hold the system master key [21]. The Weil pairing and the Tate pairing are the best known, and we use the Weil pairing with ECC to introduce this tool in the following subsection.
When defining a bilinear map ê: × → $ , we need to prepare two groups and $ . In the two groups, is an additive group and $ is a multiplicative group, and they have the same order. In this ê, we can use an ECC point set as . Here we do not introduce the complete operations of Weil pairing, but explain its properties as follows [3,7,8,19,22].

Computable
There is an efficient algorithm to compute ê( , ) for each , ∈ .
As with ECC, the security of a pairing-based scheme is also ensured by hard mathematical problems. There are other well-known hard problems, such as the Bilinear Diffie-Hellman problem (BDHP) [21,22]. However, most proposed pairing-based schemes in VANET batch verification only transmit ECC elements, and the pairing calculation is used only for verification, because ECDLP is sufficient to guarantee the system security.
III. RELATED WORK
In this section, we briefly introduce two previously proposed schemes to explain and illustrate the scalability of a scheme. We present the pairing-based scheme proposed by Tzeng et al. [8] as a positive example. After that, we describe another scheme that we regard as unsuitable for an environment requiring scalability. Please note that we only describe their schemes briefly and do not explain how they satisfy their security requirements.
Before presenting those schemes, we define some general conditions.
TA selects an elliptic curve , and a bilinear map ê: × → $ as aforementioned if the scheme is pairing based.
We choose two generators , ∈ , where and have the same order and the descriptions may only use one of them.
All used hash functions must satisfy semantic security.
Those schemes will be divided into two phases: the key generation and predistribution phase and the message signing/verification phase.
In the following schemes, ) is a random integer that is small enough to ignore its calculation cost, such as smaller than 1,000. Its function is to fix the order of the verified messages, preventing attackers from exchanging ) and ) between different received messages in batch verification.

A. Tzeng et al.'s scheme
Tzeng et al.'s scheme was proposed in 2017 [8]. The scheme is pairing-based and scalable.
In the key generation and pre-distribution phase
Step 1: TA selects ∈ # * as the system's master key, and computes *+' = .
In the message signing/verification phase
When ) wants to send the state of its public message ) to RSU in a normal situation, ) 's TPD generates { ) , ) , ) , ) } with the following steps and sends them to RSU.
Step 2: TPD calculates
Step 3: TPD calculates
increase as the number of verified messages grows. Therefore, we know that the scheme is scalable.

B. Lo and Tsai's scheme
Lo and Tsai consider the pairing operation and the MapToPoint operation unsuitable for a VANET authentication scheme because of their computing time, so they proposed their solution in 2016 [9]. In terms of results, however, their method is not more efficient when the number of pending messages is large.
Step 3: For each vehicle ( ) ), TA generates its ) and secret key ) ∈ # * , and preloads
Step 4:
In the message signing/verification phase
When ) wants to send the state of its public message ) to RSU in a normal situation, ) 's TPD generates { ) , . , ) , ) , ) } with the following steps and sends them to RSU.
Step 2: TPD calculates
Notice that there are two schemes in Lo and Tsai's study. In one of them the broadcast message does not involve ) , while the other involves a pseudo ID ) in Lo and Tsai's description. Their scheme cannot operate if ) is unknown. For convenience of explanation, we integrate the two and assume that the broadcast message involves ) .
Upon message reception, RSU can perform single verification or batch verification depending on the number of messages to be verified. The batch verification of Lo and Tsai's scheme is as follows.
Lo and Tsai's scheme indeed uses no pairing operation. However, a necessary calculation of the verification phase, i.e., ℎ ! Z ) || ),, || ) || ) \ ),, , causes a problem that cannot be ignored. Because ),, and ℎ ! Z ) || ),, || ) || ) \ depend on different messages, the verifier cannot sum them before performing the point multiplication, so one point multiplication is needed per message. According to Miyaji et al.'s study [23] and He et al.'s study [13], the cost ratio between a point multiplication and a pairing operation is about 1:7.5-10.5, which is not an unbridgeable gap. This means Lo and Tsai's scheme will easily fall behind methods that use a fixed number of pairing operations once there are dozens of messages to be verified. Thus, we see why Lo and Tsai's scheme is not scalable.
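The scalability argument above (a fixed number of full-size point multiplications when every hash-dependent scalar attaches to the same public key, plus the small random weights below 1,000 from the general conditions) can be illustrated with a Schnorr-style signature on secp256k1 that uses the double-and-add multiplication of Section 2. This is an added example, not the paper's scheme or its authors' code; the signature form, SHA-256, the message encoding, the per-message status strings and all function names are assumptions.

```python
import hashlib
import secrets

# secp256k1 domain parameters (real constants; curve y^2 = x^3 + 7 over F_P).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # the point at infinity O

# Counts the operation the paper treats as expensive (full-size scalar
# multiplication) separately from the small-weight multiplications it ignores.
STATS = {"full_mul": 0, "small_mul": 0}

def reset_stats():
    STATS["full_mul"] = STATS["small_mul"] = 0

def add(p1, p2):
    """Point addition with O as the identity; P + (-P) = O."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p1 == p2:  # tangent slope for doubling (a = 0 on secp256k1)
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add: k*pt via 2P = P + P, 4P = 2P + 2P, ... (Section 2)."""
    k %= N
    STATS["full_mul" if k >= 1000 else "small_mul"] += 1
    result, addend = INF, pt
    while k:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result

def challenge(R, msg):
    """h = H(R || msg) mod N; SHA-256 and this encoding are assumed choices."""
    data = R[0].to_bytes(32, "big") + R[1].to_bytes(32, "big") + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign(master_key, msg):
    """Schnorr-style signature under the system key shared by all TPDs."""
    k = secrets.randbelow(N - 1) + 1
    R = mul(k, G)
    return (R, (k + challenge(R, msg) * master_key) % N)

def verify(pub, msg, sig):
    """Single verification s*G == R + h*pub: two full-size multiplications."""
    R, s = sig
    return mul(s, G) == add(R, mul(challenge(R, msg), pub))

def batch_verify(pub, msgs, sigs, weights=None):
    """Batch verification with small random weights lambda_i < 1000.
    All signatures are bound to the same public key, so the hash-dependent
    scalars are summed before multiplying: two full-size multiplications
    in total, however many messages are in the batch."""
    if weights is None:
        weights = [secrets.randbelow(999) + 1 for _ in sigs]
    s_sum = h_sum = 0
    r_sum = INF
    for (R, s), msg, lam in zip(sigs, msgs, weights):
        s_sum = (s_sum + lam * s) % N
        h_sum = (h_sum + lam * challenge(R, msg)) % N
        r_sum = add(r_sum, mul(lam, R))  # small scalar, cheap
    return mul(s_sum, G) == add(r_sum, mul(h_sum, pub))

def forge_cancelling_pair(sigs, d):
    """Two tampered signatures whose errors cancel if every weight is 1;
    this is what distinct random weights lambda_i are there to catch."""
    (R1, s1), (R2, s2) = sigs[:2]
    return [(R1, (s1 + d) % N), (R2, (s2 - d) % N)] + list(sigs[2:])

# Constructed sample: one system key and three status reports from vehicles.
MASTER_KEY = secrets.randbelow(N - 1) + 1
PUB = mul(MASTER_KEY, G)
MSGS = [b"V1 speed=42 lane=2", b"V2 speed=38 lane=1", b"V3 braking"]
SIGS = [sign(MASTER_KEY, m) for m in MSGS]
```

Calling `reset_stats()` and then `batch_verify(PUB, MSGS, SIGS)` leaves `STATS["full_mul"]` at 2 for any batch size, whereas verifying the same messages one by one with `verify` costs two full-size multiplications per message.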
IV. THE PROPOSED SCHEME
Although Lo and Tsai's scheme is not scalable, their viewpoint is commendable. Based on the pairing-free idea, we propose our scheme in this section.
The proposed scheme also follows the general conditions of Section 3. We introduce it in two phases: the key generation and pre-distribution phase and the message signing/verification phase.

Key generation and pre-distribution phase
In the key generation and pre-distribution phase, TA selects a random ∈ # * as the system's master key and computes *+' = .
When ) wants to send the state of its public message ) to RSU in a normal situation, the following steps are necessary.
Step 3: TPD calculates
Step 4: Note that the ),, = • , ) • calculation can be performed before receiving the broadcast 1 . After obtaining the current 1 , the final step is executed.
Step 5: TPD calculates
Upon message reception, RSU can perform single verification or batch verification depending on the number of messages to be verified. The verification phase of the proposed scheme is as follows.
Step 1: RSU checks the 1 . If RSU does not hold the 1 , it drops the message.
Step 2: If there are not enough messages to verify, RSU performs single verification for different 1 as follows.
The proof of the proposed batch verification is shown as follows. Proof:

V. RESULTS: SECURITY ANALYSIS
In this section, we analyze the proposed scheme with respect to the security requirements: message authentication, integrity, freshness, user privacy, and traceability. We analyze the security of the proposed scheme as follows and show that it is secure for VANET.

A. Message authentication
We first prove that a valid message can only be sent by a legal user. Based on the proposed scheme and the adversary's abilities, we design a game played by an adversary A and a challenger C, as in [8,13], to prove the security of the scheme. In this game, we assume that ECDLP can be solved, and C tries to reveal the master key . There are two oracles in the game, as follows.
ℎ(. )-Oracle: In this oracle, C maintains a list ℎ 4 consisting of tuples ( , ), initialized to empty. Upon receiving or generating a query # , C checks whether Z # , #+567 \ exists in ℎ 4 . If it exists, C returns #+567 to the inquirer; otherwise, C randomly generates #+567 ∈ , inserts Z # , #+567 \ into ℎ 4 , and returns #+567 to the inquirer.
Sign-Oracle: Upon receiving a sign query from A, C generates a new signature with the following steps even though C does not hold the master key .
According to the Forking Lemma [24], A can build another valid message by selecting another ) * ∈ # and YZ ),! * , 1 , ) * \, = ℏ ) * ] . A generates the following formula: \ It can also be verified as follows: From the above formulas, we know that Then C outputs 89 " * 29 " : : as the answer for . However, solving for the coefficients of ECC is hard according to ECDLP. Another hard problem is generating the matching ),, and ℏ ) * . In the simulation, we let YZ ) , ) , 1 \, = ℏ ) ] be an established result, but an ideal cryptographic hash is unpredictable. For this reason, the proposed scheme is secure.
According to the above proof, we know that the master key cannot be revealed in polynomial time, and the security strength of the proposed scheme rests on this NP problem. Because only a legal user's TPD holds the master key , we can say that a valid signature is surely sent by a legal user. Note that an adversary may try to broadcast his/her < to impersonate an RSU, but the attack is worthless: each message is in plaintext, and the adversary can easily receive them if he/she is really interested in that information.

B. Integrity
In the proposed scheme, 1 prevents the adversary from making a fake signature at will, and , ) provides further protection. Without , ) , i.e., if ) = • Yℎ ! Z ) , ) , 1 \] • 1 , the adversary could use the following formula to generate a legal signature without the master key: With , ) , the proposed scheme resists this attack.

C. Freshness
In the proposed scheme, there is no timestamp. Instead, the time-limited parameter 1 ensures the freshness of the transferred message, and the immediate advantage of this design is avoiding the clock synchronization problem. Although it cannot resist a replay attack within the same time interval, the same problem also exists in timestamp-based schemes. On the other hand, if a replay attack can only affect the system within the same time interval, RSU can resist it by holding the received messages and dropping stale ones to reduce the cost. Overall, the time-limited parameter is better than a timestamp-based design.

D. User privacy
Even though the transferred messages are plaintext, the system still needs to protect user privacy, because it is personal information and it may cause damage if an adversary obtains it.
To protect the privacy of the user, the scheme should possess two properties: user anonymity and message unlinkability. User anonymity means that a third party cannot obtain the real identity from the transferred messages. However, this is not enough, because the adversary can find the relationship between different messages sent from the same user and take that user as a target. The adversary may not know the relation between the messages and the user, but he/she can always find the target user by comparing the collected information with tracking information in the real world. In the proposed scheme, two parameters provide protection by changing their values frequently. The first is the random parameter , ) , which differs between messages even from the same ) . The second is the time-limited 1 , which changes over time. In addition, there is no fixed information in the transferred message. For the above reasons, a third party cannot link different messages sent from the same user, hence achieving real user privacy in the proposed scheme.

E. Traceability
In the proposed scheme, TA can trace an anonymous user = by the following formula if an RSU reports the misleading information V = , = , 1 , 1 , = X and the corresponding 1 .
Upon message reception, TA first verifies 1 and 1 =? 1 • 1 • to ensure that the report is sent from a legal RSU. After that, TA obtains the real ID = by the following formula: = = =,! ⨁ℎ , Z • =,, , 1 \ Afterward, TA informs the management for proper legal processing. In the proposed scheme, we add a design which lets TA verify the reporter, to resist a compromised RSU attempting to frame innocent users. If an RSU keeps reporting innocent users, TA can identify the RSU by 1 and revoke its permission.

VI. RESULTS: PERFORMANCE ANALYSIS
In this section, we analyze the performance of the proposed scheme. According to He et al.'s study [13], we list the following operations and show the execution time for each of them in Table 1. After obtaining the execution times of the different operations, we can compare the performance of the proposed scheme with other related, recently proposed schemes. Note that we focus on the verification step because it needs the most execution time and is the most influential as the number of verified messages grows. When counting the operations, we try to reduce the time-consuming steps as much as possible. Table 2 shows the optimized steps of the batch verification of the proposed scheme, which give the shortest execution time for the same result. Note that "ignored" in the cumulative calculation time column means that the previous steps use only simple operations, such as one-way functions, integer addition, and integer multiplication. The time of those operations is small enough to be ignored.
Finally, the total execution time of the verification of the proposed scheme is 2 9=2533 + (2 ) 9=253329 + (2 − 1) *&2533 ≈ 0.8422 + 0.0588 . The unit is milliseconds (ms). Besides the schemes presented in the related work, we also compare four other schemes: Asaar [26]. Note that their schemes also use other ideas, such as proxy vehicles, Cuckoo filters, and certificateless cryptography, to handle other relevant situations. We only compare the batch verification phase of those schemes. Table 3 shows the necessary operations and execution time of the different schemes when verifying messages. Figure 1 shows a line chart presenting the trend of from 1 to 110. According to the table, the proposed scheme has the smallest expansion coefficient, 0.0588 . Compared with the second-ranked pairing-free scheme, Cui et al.'s scheme with 0.4438 [11], the proposed scheme has an expansion rate of only 13%. This means that the proposed scheme can verify more messages in the same time and will not become outdated. On the other hand, the proposed scheme also has the shortest execution time for single verification. For the above reasons, we claim the proposed scheme is the most efficient. [25]
VII. CONCLUSIONS AND DISCUSSION
We propose an efficient batch verification scheme for VANET in this paper. Different from previous schemes, the proposed scheme is not only pairing-free but also keeps the number of complex operations constant even when the number of verified messages is large. In addition, through the security analysis we show that the proposed scheme meets the following security requirements: message authentication, integrity, freshness, user privacy, and traceability. Evaluated against other schemes, the results show that the proposed scheme has the shortest execution time of the verification phase in both single verification and batch verification. Therefore, we conclude that the proposed scheme has an advantage in the field of batch verification.
In the future, this work can be extended. Some studies suggest that the TPD still has potential risks even though we all hope it is secure. If the TPD were compromised, the adversary could retrieve the master key. The proposed scheme could perhaps be modified into one that does not rely on the TPD while staying efficient, for example by using pairing or by letting TA generate pseudo-ID lists for each vehicle. On the other hand, batch verification always faces one problem: identifying illegal messages. If one or more illegal messages are hidden among the batch-verified messages, the verification fails. Therefore, distinguishing illegal messages from all received messages is a crucial task for the verifier. It is a daunting problem related to this work, and we will tackle it in the near future.

Authors Contribution
Y-M Lai: providing the major idea, designing the protocol, designing the analysis methods, and writing the manuscript.
P-J Cheng: advising on the completeness of the detailed idea, the article structure, text smoothing, and grammatical corrections.

Availability of data and materials
Open Access This article is published under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.