A Chebyshev polynomial-based conditional privacy-preserving authentication and group-key agreement scheme for VANET

A vehicular ad hoc network (VANET) is an open communication environment in which any user can broadcast messages, so it can easily be attacked by malicious users. Therefore, vehicles need to be authenticated. In this paper, we propose a Chebyshev polynomial-based conditional privacy-preserving authentication and group-key agreement scheme for VANET. Specifically, we solve three problems in VANET: (1) we improve the efficiency of the TA by using Chebyshev polynomials to authenticate vehicles; (2) we reduce the computational burden of the TA by using the Chinese remainder theorem to manage group members; (3) we provide conditional privacy for users by using a traceable pseudonym scheme. Theoretical and experimental results show that the proposed scheme is more efficient than most existing schemes.

traffic accidents occur frequently. The modern intelligent transportation system (ITS) is the most promising direction for managing cars efficiently in cities [1]. As a cornerstone of ITS, the vehicular ad hoc network (VANET), a special mobile self-organizing network, allows vehicles to communicate with each other via vehicle-to-vehicle (V2V) communications and with roadside units (RSUs) via vehicle-to-infrastructure (V2I) communications. Both V2V and V2I communications are based on the dedicated short range communication (DSRC) protocol [2,3].
Among the many in-vehicle applications, safety applications (such as coordinated driving, collision avoidance, lane change warning and congestion avoidance) are among the most important applications in VANET. To implement them, real-time traffic-related information needs to be collected and processed in a timely manner. According to the DSRC protocol, each vehicle broadcasts its own traffic status information, such as speed, direction and road conditions, every 100 to 300 ms while driving [4]. Using this information, vehicles, RSUs and traffic control application centers can achieve collision avoidance and road optimization, thereby improving road safety and traffic efficiency.
However, in this form of wireless communication, VANET is exposed to various attacks such as malicious detection, interception, modification and replay. Message authentication is an effective defense against malicious attacks, yet many existing authentication schemes still have various problems in terms of efficiency and security.
In this paper, we propose a conditional privacy-preserving authentication scheme based on the Chebyshev chaotic map. Our method has the following two advantages. First, it satisfies various security requirements, including conditional privacy, and can resist modification attacks, replay attacks and so on. Second, it reduces the computational overhead compared with methods based on elliptic curve cryptosystems or bilinear pairing and, as a result, improves the efficiency of authentication.
In addition, we propose a group key distribution method so that vehicles can communicate freely after authentication. The method is based on the Chinese remainder theorem, which can efficiently manage vehicles entering and leaving the group, and it ensures forward and backward security.
The main contributions of this paper are summarized as follows.
(1) A novel conditional privacy-preserving authentication scheme is proposed, which is implemented using Chebyshev polynomials instead of bilinear pairing or elliptic curve cryptosystems with their high computational cost.
(2) An efficient group key distribution method based on the Chinese remainder theorem is proposed for legitimate vehicles to join and leave a group, which supports V2V communications while providing location privacy.
(3) We provide a formal proof based on BAN logic of the security of our scheme and conduct a comprehensive analysis of its performance in terms of computation and communication costs.
The remainder of this paper is organized as follows. Section 2 summarizes the previous works in the literature. Section 3 describes the relevant preliminary knowledge. Section 4 presents system model and security requirements. Section 5 describes our proposed scheme in detail. Section 6 analyzes the security strength of our proposed scheme. Section 7 analyzes the performance of the proposed scheme in comparison with other existing schemes. Finally, a concluding remark of the scheme is provided in Sect. 8.

Related works
In order to provide security, efficiency and conditional privacy for VANET, many available techniques about authentication in VANET are designed. We briefly introduce some representative related works from the following two aspects.

Authentication mechanism
In order to solve the security and privacy issues in VANET, authentication mechanisms have been widely researched. Symmetric cryptography-based authentication has high computational efficiency and low communication overhead; however, its key management and key distribution are vulnerable [5], and it lacks the non-repudiation property. Public-key certificates are used in a public key infrastructure (PKI) as a secure and reliable method to authenticate a vehicle, which solves the key distribution problem of symmetric encryption and ensures the security of the encryption algorithm [6]. Raya et al. [7] designed a conditional privacy-preserving model based on PKI. In this scheme, the message receiver cannot track the owner of the keys. However, a large storage space is needed: the OBU must be equipped with a large number of public and private key pairs and corresponding anonymous certificates. Moreover, it requires a large number of CRL checks. Zhang et al. [8] proposed an identity-based PKI conditional privacy authentication scheme, in which vehicles and RSUs do not need to store any certificates. However, the scheme is vulnerable to replay attacks and cannot satisfy non-repudiation. He et al. [9] proposed a conditional privacy-preserving authentication scheme that does not rely on bilinear pairing, greatly reducing the computational overhead. Lo et al. [10] proposed an identity-based conditional privacy-preserving authentication scheme that uses elliptic curves to meet privacy requirements; however, its computation cost is unsatisfactory. Vijayakumar et al. [11] proposed an efficient anonymous authentication scheme using bilinear pairing to achieve conditional privacy. However, the efficiency of this scheme is relatively low.
Chebyshev polynomials have good cryptographic properties, and Chebyshev chaotic maps are widely used in authentication and key agreement. Several studies [12,13] have proposed chaotic map-based authenticated key agreement protocols to enhance computational efficiency. Our scheme adopts Chebyshev polynomials for authentication instead of the time-consuming bilinear pairing and map-to-point operations, which not only provides conditional privacy-preserving authentication and satisfies various security requirements but also improves the efficiency of authentication.
Group key agreement
To provide a secure channel for V2V communication in VANET, many group key management protocols have been proposed. Zheng et al. [14] proposed two centralized group-key management protocols based on the Chinese remainder theorem (CRT). This method not only minimizes the message overhead for distributing the group key but also minimizes the user-side computation complexity. However, its main limitation is that the computation complexity on the server side is relatively high. Vijayakumar et al. [15] proposed a greatest common divisor (GCD)-based key distribution protocol which focuses on two dimensions. The first dimension deals with the reduction in computation complexity. The second dimension aims at reducing the amount of information stored in the group center and by group members. However, the main limitation of this work is the high computation complexity and high memory requirement involved in rekeying operations. Vijayakumar et al. [16] proposed a dual authentication and key management protocol that uses the Chinese remainder theorem to manage the entry and departure of vehicles within the range of an RSU. The scheme only needs to update a small amount of information and has high computational efficiency. However, it does not provide non-repudiation. Using a pseudonym or digital signature is one way to implement non-repudiable authentication. Li et al. [17] proposed an anonymous conditional privacy-preserving authentication scheme for VANET based on message authentication codes (MAC). With verifiable secret sharing (VSS), a vehicle can obtain a group key for message generation and authentication. However, the scheme cannot perform key update operations and always uses the same group key. Therefore, forward and backward security is not guaranteed.
The group key management scheme proposed in this paper is more efficient than most existing schemes. We adopt a CRT-based key management scheme combined with a pseudonym mechanism for vehicles to communicate in a group. Vehicles use their group-key generation key USK_i to obtain the group key and then use the group key and a pseudonym to send messages, which realizes non-repudiation as well as forward and backward security. The computation complexity of the TA and the vehicles is reduced substantially by minimizing the number of arithmetic operations they perform. Moreover, the number of key values stored by VANET users is minimized.

Preliminary
In this section, we briefly introduce some preliminaries that will be used in this paper.

Chebyshev Polynomial and Its Properties
For an integer n and a variable, the Chebyshev polynomial is defined as in Eq. (1), and its recursive formulation is given in Eq. (2).
Definition 1 One of the most important properties from the cryptographic perspective is that the Chebyshev polynomial exhibits the semi-group property [18], where r and s are two positive integers, r, s ∈ Z_p^*.

Hash function based on chaotic map
Chaotic maps can be used to construct hash functions because of their properties, such as parameter sensitivity and random similarity. The algorithm proceeds as follows [19]:
INPUT: a bit string y of arbitrary length.
OUTPUT: a 128-bit hash value.
The advantage of the chaos hash is that it reduces the number of basic operations. We use Chebyshev-based sequences to construct the hash in order to reduce the computational and storage complexity of the OBU, thereby improving operational efficiency.

Chinese remainder theorem
The Chinese remainder theorem states that if one knows the remainders of the Euclidean division of an integer n by several integers, then one can determine uniquely the remainder of the division of n by the product of these integers, under the condition that the divisors are pairwise coprime [14].
Let k_1, k_2, k_3, ..., k_n be pairwise relatively prime positive integers, and let a_1, a_2, a_3, ..., a_n be positive integers. Then the CRT states that the system of congruences X ≡ a_i (mod k_i), i = 1, ..., n, has a unique solution modulo ∂_g = ∏_{i=1}^{n} k_i. To compute the unique solution, the TA can compute the value as shown in Eq. (3). Where,

System model
The system model of our proposed scheme is illustrated in Fig. 1. There are three main components: a TA, OBUs and RSUs.
TA: Generally, the TA is considered a highly trusted and powerful component in the proposed authentication scheme. Moreover, the TA may generate and distribute the group key to vehicles for secure V2V communications. Once an emergency happens, the TA can track a malicious vehicle from the vehicle's pseudonym [20,21].
RSU: RSUs are fixed infrastructures deployed on the roadside or some installations. RSU is not completely trusted. Therefore, it must be authenticated by vehicles. In the proposed scheme, they are relay nodes between vehicles and TA [20,21].
OBU: Each vehicle is equipped with an on-board unit (OBU) with tamper-proof equipment. The OBU is responsible for data collection and processing. It stores secret parameters, which are used for message generation and authentication [20,21].

Security requirements
Our scheme should satisfy the following security requirements.
(1) Message authentication: Vehicles must be able to check the validity of a message before accepting it, to protect against false message attacks.
Table 1 (fragment): public key of R_j; s, system private key selected by the TA; sk_{r_j}, secret key shared between R_j and the TA; the Chebyshev polynomial.
repeats them for unauthorized access to the security key or message.
(5) Resistance to modification attack: The adversary may modify, delete, or change a specific part of a message and broadcast the modified message to achieve some selfish purpose.

Proposed scheme
In this section, we present our proposed scheme. We list frequently used notations in Table 1, and the overall flowchart of the scheme is briefly described in Fig. 2.
We use the Chebyshev chaotic map to authenticate vehicles when they enter the range of an RSU, and we provide a key agreement scheme. The detailed process of the proposed scheme is described as follows.

System initialization phase
Prior to the deployment of the VANET, the TA needs to generate some public and private parameters for the system. These parameters are preloaded into the OBU of the vehicle at vehicle registration and sent to the RSU at RSU registration. This phase is described below.
Fig. 2 The system model of VANET
(1) The TA chooses a positive integer r and an odd prime number p, then computes q = p^r; we assume that computations over GF(q) are carried out modulo an irreducible polynomial f(y) [22].

Offline registration phase
In this stage, vehicles and RSUs need to provide essential information such as name, address, phone number and email ID to the TA to complete offline registration.

Registration of OBU
(1) Vehicle V_i first approaches the TA office directly to register offline and provides essential information such as name, address, phone number and email to the TA.
(2) After completing the registration process, the TA provides the group-key generation key USK_i for each V_i and stores {ID_{V_i}, USK_i} in its tracking list database.

Registration of RSU
(1) RSU R_j sends its private information (such as its identity ID_{R_j} and location information) to the TA.
(2) After checking the legitimacy of R_j, the TA selects an integer SK_{R_j} ∈ Z, SK_{R_j} ≠ 0, 1, and a random number x_{R_j} ∈ GF(q), x_{R_j} ≠ 0, 1, and computes T_{SK_{R_j}}(x_{R_j}), where SK_{R_j} is the secret key of R_j and (x_{R_j}, T_{SK_{R_j}}(x_{R_j})) is the public key of R_j.
(3) The TA assigns R_j a secret key sk_{r_j} through a secure channel, where sk_{r_j} is shared by R_j and the TA.
(4) The TA stores {ID_{R_j}, sk_{r_j}} in its RSU list.
In order to obtain a group key for message generation and authentication within the same RSU range, vehicles must be authenticated to ensure the reliability of the group key. The process is described as follows.

Authentication message generation
The authentication phase is shown in Fig. 3.
(1) Vehicles send an authentication message to the TA when joining the group within the range of R_j.
) and represents the message as
Then, it selects a random number r ∈ Z, r ≠ 0, 1, computes T_r(x_{R_j}), (y))) to R_j through an open channel.
(4) R_j decrypts the message with its secret key SK_{R_j} and gets the message from vehicle V_i; R_j checks the validity of the timestamp.
(5) R_j selects the current timestamp T_ii, computes via a secure channel.
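The RSU public key (x_{R_j}, T_{SK_{R_j}}(x_{R_j})) from the registration phase and the vehicle's ephemeral value T_r(x_{R_j}) above both rest on the semi-group property of Sect. 3: T_r(T_{SK}(x)) = T_{r·SK}(x) = T_{SK}(T_r(x)), so the two parties reach the same value without either secret leaving its owner. The following Python is an added example, not code from the paper. It assumes the standard Chebyshev recurrence T_0(x) = 1, T_1(x) = x, T_n(x) = 2x·T_{n-1}(x) − T_{n-2}(x) (the paper's Eqs. (1) and (2) are not reproduced above) and evaluates it modulo a prime p in place of the paper's GF(q) arithmetic modulo f(y); rsu_keygen, vehicle_agree and rsu_agree are illustrative names.

```python
import secrets

# Added example (not the paper's code). The standard Chebyshev recurrence
#   T_0(x) = 1, T_1(x) = x, T_n(x) = 2x*T_{n-1}(x) - T_{n-2}(x)
# is assumed here because Eqs. (1)-(2) of the paper are not reproduced above.
# Everything is computed modulo a prime p, so the map is a finite-field operation.


def chebyshev_naive(n, x, p):
    """T_n(x) mod p by the plain recurrence; O(n), used only as a reference."""
    t_prev, t_cur = 1 % p, x % p
    if n == 0:
        return t_prev
    for _ in range(n - 1):
        t_prev, t_cur = t_cur, (2 * x * t_cur - t_prev) % p
    return t_cur


def chebyshev(n, x, p):
    """T_n(x) mod p in O(log n) multiplications.

    The recurrence is linear: [T_k, T_{k-1}] = M * [T_{k-1}, T_{k-2}] with
    M = [[2x, -1], [1, 0]], so [T_n, T_{n-1}] = M^(n-1) * [T_1, T_0] for n >= 1.
    Matrices are stored as flat tuples (a, b, c, d) = [[a, b], [c, d]].
    """
    x %= p
    if n == 0:
        return 1 % p

    def mul(u, v):
        return ((u[0] * v[0] + u[1] * v[2]) % p, (u[0] * v[1] + u[1] * v[3]) % p,
                (u[2] * v[0] + u[3] * v[2]) % p, (u[2] * v[1] + u[3] * v[3]) % p)

    acc = (1, 0, 0, 1)                     # identity matrix
    base = (2 * x % p, (-1) % p, 1, 0)     # M
    e = n - 1
    while e:                               # square-and-multiply on M
        if e & 1:
            acc = mul(acc, base)
        base = mul(base, base)
        e >>= 1
    # first row of M^(n-1) applied to the column [T_1, T_0] = [x, 1] gives T_n
    return (acc[0] * x + acc[1]) % p


def rsu_keygen(x, p):
    """R_j's key pair as in the registration phase: secret SK (not 0 or 1)
    and public key (x, T_SK(x))."""
    sk = secrets.randbelow(p - 2) + 2          # uniform in [2, p-1]
    return sk, (x, chebyshev(sk, x, p))


def vehicle_agree(rsu_pub, p):
    """Vehicle side: ephemeral r (not 0 or 1); sends T_r(x), keeps T_r(T_SK(x))."""
    x, t_sk_x = rsu_pub
    r = secrets.randbelow(p - 2) + 2
    return chebyshev(r, x, p), chebyshev(r, t_sk_x, p)


def rsu_agree(sk, t_r_x, p):
    """RSU side: T_SK(T_r(x)), equal to T_{r*SK}(x) by the semi-group property."""
    return chebyshev(sk, t_r_x, p)


def demo(p=2**127 - 1, x=123456789):
    """Run one agreement; returns True iff both sides derive the same value."""
    sk, pub = rsu_keygen(x, p)
    t_r_x, vehicle_secret = vehicle_agree(pub, p)
    return rsu_agree(sk, t_r_x, p) == vehicle_secret
```

The semi-group identity is a polynomial identity, so it holds in any ring, which is what makes the finite-field version usable for key agreement: an eavesdropper sees x, T_SK(x) and T_r(x) but must recover an exponent to obtain T_{r·SK}(x). Working over a finite field rather than over the reals is the important choice here; the real-valued cosine form of the map is periodic, which is why the paper carries out its computations modulo f(y).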

Authentication message verification
In this phase, TA validates the received authentication message through R j .
(1) The TA verifies the timestamp T_ii when it receives the then checks whether ID_{V_i} is in the tracking list, in which case the vehicle is legal. The TA gets USK_i to compute the group key.
Group key distribution
In order to secure communication within the same RSU range, vehicles must obtain a group key for message generation and verification. In this phase, a mutual authentication process must be conducted to ensure the reliability of the group key, as shown in Fig. 4. The process is described as follows.
(1) When V_i enters the range of R_j, R_j receives V_i's broadcast with PID_{V_i,l}; R_j then forwards the message to the TA. The TA can compute ID_{V_i} and obtain USK_i from the tracking list {ID_{V_i}, USK_i}.
(2) The TA multiplies all USK_i in the range of R_j, i = 1, 2, 3, ..., n: ∂_g = ∏_{i=1}^{n} USK_i. It then computes
(3) V_i gets the group secret key from the TA via R_j.
Group key updating
When a vehicle leaves the range of the RSU, the following steps are performed.
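The CRT construction of Sect. 3 is what lets the TA publish a single value from which every current member, and only a current member, recovers the group key, and rekeying on leave or join is simply a fresh computation over the new set of USK_i. The following Python is an added example, not the paper's code: the TA and member roles follow the steps above, but since the paper's Eq. (3) and group-key equations are not reproduced on this page, the residue construction a_i = (GK + mask(USK_i)) mod USK_i with a SHA-256-derived mask is an assumption, as are the function names and the constructed USK_i values (Mersenne primes, chosen so that pairwise coprimality is immediate).

```python
import hashlib
from functools import reduce
from math import gcd

# Added example (not the paper's code). The residue construction below,
# a_i = (GK + mask(USK_i)) mod USK_i, is an assumption standing in for the
# paper's Eq. (3); each USK_i must be pairwise coprime with the others.


def crt_combine(residues, moduli):
    """Standard CRT: the unique X in [0, prod(moduli)) with X ≡ residues[i] (mod moduli[i]).
    X = sum_i a_i * M_i * y_i mod ∂_g, with M_i = ∂_g / k_i and y_i = M_i^{-1} mod k_i."""
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            if gcd(moduli[i], moduli[j]) != 1:
                raise ValueError("moduli must be pairwise coprime")
    dg = reduce(lambda a, b: a * b, moduli, 1)
    x = 0
    for a_i, k_i in zip(residues, moduli):
        m_i = dg // k_i
        y_i = pow(m_i, -1, k_i)
        x += a_i * m_i * y_i
    return x % dg


def mask(usk):
    """Per-member blinding value derived from the member's secret USK_i (assumed)."""
    raw = usk.to_bytes((usk.bit_length() + 7) // 8, "big")
    return int.from_bytes(hashlib.sha256(raw).digest(), "big") % usk


def ta_group_key_message(group_key, usks):
    """TA: build the broadcast value X from the current members' USK_i.
    Requires group_key < every USK_i so that member recovery is exact."""
    if any(group_key >= u for u in usks):
        raise ValueError("group key must be smaller than every USK_i")
    residues = [(group_key + mask(u)) % u for u in usks]
    return crt_combine(residues, usks)


def member_recover(x, usk):
    """Member V_i: X mod USK_i = a_i, then strip the mask to get the group key."""
    return ((x % usk) - mask(usk)) % usk


# Constructed sample: four registered vehicles with pairwise-coprime USK_i.
USKS = [2**127 - 1, 2**521 - 1, 2**607 - 1, 2**1279 - 1]
GK_OLD = 0x3A7F_1D2C_9B4E_8855_0F6A_C3D1_77E2_49B0 >> 8   # 120-bit constructed key
GK_NEW = 0x5C21_E8A9_0B3F_6D74_CE15_9A2B_4F60_D8E3 >> 8   # key after rekeying


def rekey_after_leave(usks, leaver, new_key):
    """Group key updating: drop the leaver's USK_i and broadcast a fresh key."""
    remaining = [u for u in usks if u != leaver]
    return remaining, ta_group_key_message(new_key, remaining)


def demo():
    """Returns (all members recover GK_OLD, remaining recover GK_NEW, leaver fails)."""
    x_old = ta_group_key_message(GK_OLD, USKS)
    all_ok = all(member_recover(x_old, u) == GK_OLD for u in USKS)
    leaver = USKS[1]
    remaining, x_new = rekey_after_leave(USKS, leaver, GK_NEW)
    rest_ok = all(member_recover(x_new, u) == GK_NEW for u in remaining)
    leaver_fails = member_recover(x_new, leaver) != GK_NEW
    return all_ok, rest_ok, leaver_fails
```

Two properties of the paper's design are visible here. Forward security comes from the fact that the leaver's USK_i is no longer a modulus of the new X, so reducing X modulo it yields an unrelated residue; backward security comes from the fact that a joining member's USK_i was not a modulus of any earlier X. The TA's cost per rekey is one modular inverse per member, and each member stores only its own USK_i.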

Message authentication phase
(1) On receiving a message, the receiver V_j first compares the timestamp T_{v_i} in the message with the current timestamp; if the difference is within Δt, the permissible time delay for message transmission, the message is valid. Otherwise, the message is discarded.
and the message are authenticated successfully. Otherwise, the message may have been modified. In this case, the receiver may send a message to the TA to report the situation. The process is illustrated in Fig. 5.
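The message authentication phase above combines a freshness window Δt with a keyed hash M_V over {PID_i, M, T_i} under the group key (the format whose size is worked out in Sect. 7.2). The following Python is an added example, not the paper's code: it uses the field sizes assumed in Sect. 7.2 (40-byte pseudonym, 20-byte message, 4-byte timestamp, 20-byte hash output), substitutes HMAC-SHA256 truncated to 20 bytes for the paper's chaotic keyed hash H_key, and adds a seen-set for replays inside the window, which the paper's steps do not include; the Δt value, names and sample values are constructed.

```python
import hashlib
import hmac
import struct

# Added example (not the paper's code). Field sizes follow the assumptions of
# Sect. 7.2; HMAC-SHA256 truncated to 20 bytes stands in for the chaotic keyed
# hash H_key; GK is the group key shared by authenticated vehicles in one RSU range.

PID_LEN, MSG_LEN, TS_LEN, TAG_LEN = 40, 20, 4, 20
DELTA_T = 300                      # permissible delay Δt in seconds (constructed value)


def keyed_hash(group_key: bytes, data: bytes) -> bytes:
    """M_V = H_key(PID_i, M, T_i); stand-in for the chaotic-map keyed hash."""
    return hmac.new(group_key, data, hashlib.sha256).digest()[:TAG_LEN]


def generate(group_key: bytes, pid: bytes, payload: bytes, ts: int) -> bytes:
    """Message generation: {PID_i, M, T_i, M_V} packed into 84 bytes."""
    if len(pid) != PID_LEN or len(payload) != MSG_LEN:
        raise ValueError("fixed-size fields expected")
    t = struct.pack(">I", ts)
    return pid + payload + t + keyed_hash(group_key, pid + payload + t)


def verify(group_key: bytes, packet: bytes, now: int, seen: set):
    """Message authentication phase.

    1. timestamp check: |now - T_i| <= Δt, otherwise the message is discarded;
    2. keyed-hash check: recompute M_V under the group key (constant-time compare);
    3. replay check within the window via a seen-set (an addition to the paper's
       steps: the timestamp alone only bounds how old a replayed message can be).
    Returns (accepted, reason)."""
    if len(packet) != PID_LEN + MSG_LEN + TS_LEN + TAG_LEN:
        return False, "bad length"
    pid = packet[:PID_LEN]
    payload = packet[PID_LEN:PID_LEN + MSG_LEN]
    t = packet[PID_LEN + MSG_LEN:PID_LEN + MSG_LEN + TS_LEN]
    tag = packet[PID_LEN + MSG_LEN + TS_LEN:]
    ts = struct.unpack(">I", t)[0]
    if abs(now - ts) > DELTA_T:
        return False, "stale timestamp"
    if not hmac.compare_digest(tag, keyed_hash(group_key, pid + payload + t)):
        return False, "bad tag"            # modified message or wrong group key
    if (pid, ts, tag) in seen:
        return False, "replay"
    seen.add((pid, ts, tag))
    return True, "ok"


# Constructed sample values.
GROUP_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
PID = b"\xab" * PID_LEN
PAYLOAD = b"speed=60;dir=N".ljust(MSG_LEN, b"\x00")
TS = 1_700_000_000


def demo():
    """Shows the four outcomes: accept, modified payload, stale, replay."""
    seen = set()
    pkt = generate(GROUP_KEY, PID, PAYLOAD, TS)
    accept = verify(GROUP_KEY, pkt, TS + 5, seen)
    tampered = (pkt[:PID_LEN] + b"speed=99;dir=N".ljust(MSG_LEN, b"\x00")
                + pkt[PID_LEN + MSG_LEN:])
    modified = verify(GROUP_KEY, tampered, TS + 5, seen)
    stale = verify(GROUP_KEY, pkt, TS + DELTA_T + 1, set())
    replay = verify(GROUP_KEY, pkt, TS + 6, seen)
    return len(pkt), accept, modified, stale, replay
```

The packet length of 84 bytes matches the 40 + 20 + 20 + 4 total given in Sect. 7.2. The order of the checks matters for a receiver that processes a broadcast every 100 to 300 ms: the cheap timestamp comparison rejects stale traffic before any keyed-hash computation, and the tag is compared in constant time so that a verifier does not leak which prefix of a forged tag was correct.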

Pseudonym changing
When a vehicle reaches a social spot, it can change its pseudonym PID_{V_i,l} to protect its location privacy. The vehicle chooses a random number x_{i,l}, l = 1, 2, 3, ..., k, publishes T_{x_{i,l}}(x), and then generates a different pseudonym

Security analysis
A secure conditional privacy-preserving authentication scheme for VANET should be able to withstand the various attacks mentioned in Sect. 4. In this section, we first demonstrate that our scheme achieves its security goals by giving an authentication proof based on BAN logic [23]. Then we show that our scheme satisfies the security requirements through an informal security discussion.

Formal security proof
In this subsection, we use BAN logic [23] to formally analyze our scheme. The fundamental rules of BAN logic are listed as follows. Four goals need to be proved: For the formal analysis, the messages exchanged among V_i, R_j and TA are idealized as follows.
Prerequisites for the formal proof are as follows.
Based on the aforementioned assumptions and logical postulates of BAN logic, we provide formal proof of our proposed scheme as follows.
From the above analysis, our protocol achieves all of goals 1-4, which guarantees mutual authentication between nodes. Besides, it shows that vehicles obtain the correct group key after the mutual authentication process, and vehicles within the same RSU range that hold the same group key can communicate with each other securely.

ID_{V_i} = PID_{V_i,l} T_{s·x_{i,l}}(x) (mod f(y)).
(3) Forward and backward security
When a vehicle leaves a group, the group key is updated, and the vehicle that left cannot compute the new group key. Therefore, our scheme satisfies forward security. When a vehicle joins a group, if it wants to obtain previous information, it needs the previous group key. Because
The message cannot be authenticated and accepted. Therefore, our scheme can resist modification attacks.

Performance analysis
In this section, we analyze the performance of our scheme in terms of both computational overhead and communication overhead, and then compare it with existing schemes. Our implementation runs on a laptop with an Intel Core i5-8400 CPU @ 2.80 GHz, 8 GB RAM and Windows 10. The notations for execution times are defined in Table 2.

Computation cost and comparison
To give an overall analysis of the computational cost, we compute the time overhead of the following processes: user authentication, group key distribution, message generation and message authentication. The execution times of the related cryptographic operations are listed in Table 3. In the scheme proposed by He et al. [9], for a vehicle to generate a message, 3 scalar multiplication operations on an elliptic curve (T_em) and 3 hash function operations (T_h) are required. Moreover, 3 scalar multiplications on an elliptic curve (T_em), 2 point additions on an elliptic curve (T_ea) and 2 hash function operations (T_h) are required for a vehicle to authenticate a message.
In the scheme proposed by Azees et al. [11], 1 exponentiation operation on a point (T_ep) and 1 hash function operation (T_h) are needed to generate a message. Besides, 2 bilinear pairing operations (T_bp), 5 exponentiations on a point (T_ep) and 2 point additions on an elliptic curve (T_ea) are needed to authenticate a message.
The scheme of Lo et al. [10] needs 2 scalar multiplications on an elliptic curve (T_em) and 2 hash function operations (T_h) to generate a message, and 3 scalar multiplications on an elliptic curve (T_em), 2 point additions on an elliptic curve (T_ea) and 2 hash function operations (T_h) to authenticate a message.
In our scheme, for a vehicle to generate a message, 4 Chebyshev encryption operations (T_ch), 2 hash function operations (T_h) and 1 keyed hash function operation using the chaotic map (T_Hkey) are required. Similarly, for a vehicle to authenticate a message, 4 Chebyshev encryption operations (T_ch), 2 hash function operations (T_h) and 1 keyed hash function operation using the chaotic map (T_Hkey) are required. Table 4 compares the computation cost of several related schemes and our proposed scheme. It can be seen from Table 4 that the computational cost of the proposed scheme is lower than that of the other schemes.

Communication overhead
In this part, we compare the communication overhead of the proposed scheme with several existing schemes.
We assume that the sizes of the elements in G_1 and G are 128 bytes and 40 bytes, respectively. In addition, let the output of a hash function and the size of the timestamp be 20 bytes and 4 bytes, respectively. Moreover, we assume that the original messages lie in the finite field Z_p^* and have a size of 20 bytes. We focus on the communication overhead in the following three processes: authentication message generation, authentication message verification and group-key generation. The communication overhead of several schemes is listed in Table 5. In the scheme proposed by He et al. [9], with T_i the timestamp in the authentication message, the size of the authentication message is 40 × 3 + 20 × 2 + 4 = 164 bytes.
In our scheme, the authentication message is {PID_i, M, T_i, M_V}, with M_V = H_{kug}(PID_i, M, T_i). Therefore, the total communication overhead is 40 + 20 + 20 + 4 = 84 bytes. We can see that the overall communication overhead of our solution is relatively low.

Conclusion
In this paper, we have proposed a highly efficient authentication and group-key agreement scheme for VANET. The proposed scheme uses the Chebyshev chaotic map instead of the time-consuming elliptic curve and bilinear pairing techniques for authentication, which increases efficiency. While ensuring security, the overall computation and communication overhead are reduced. Moreover, our solution contains a group key distribution scheme that allows group members to obtain the group key while providing forward and backward security. Meanwhile, location privacy is provided by adopting the strategy of changing pseudonyms at social spots.