This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TII.2019.2948053, IEEE Transactions on Industrial Informatics
JOURNAL OF LATEX CLASS FILES, VOL. 6, NO. 1, APRIL 2019
Abstract—If all vehicles are connected through a wireless communication channel, vehicular ad-hoc networks (VANETs) can support a wide range of real-time traffic information services such as intelligent routing, weather monitoring and emergency calls. However, the accuracy and credibility of the messages transmitted within a VANET are of paramount importance, as lives may depend on them. We introduce a novel framework called blockchain-assisted privacy-preserving authentication system (BPAS) that provides authentication automatically in VANETs while preserving vehicle privacy. The design is efficient and scalable: it does not require any online registration centre (except for system initialization and vehicle registration), and it allows conditional tracing and dynamic revocation of misbehaving vehicles. We conduct an in-depth security analysis and a comprehensive performance evaluation (based on the Hyperledger Fabric platform) of the proposed framework. The results demonstrate that our framework is an efficient solution for building a decentralized authentication system in VANETs.
(No.2017B030301004).
• Q. Feng is with the Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University, Wuhan, China and the Cyberspace Security Research Center, Peng Cheng Laboratory, Shenzhen, China. E-mail: fengqi.whu@whu.edn.cn
• D. He (Corresponding author) is with the Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University, Wuhan, China and the Guangdong Key Laboratory of Data Security and Privacy Protection, Guangzhou, China. E-mail: hedebiao@163.com
• S. Zeadally is with the College of Communication and Information at the University of Kentucky, USA. E-mail: szeadally@uky.edu
• K. Liang is with the Department of Computer Science, University of Surrey, Guildford, U.K. E-mail: ktliang88@gmail.com

Fig. 1: A typical structure of a vehicular ad-hoc network

In this way, a vehicle can act as an information collector. It informs others of what it perceives, helping vehicles dynamically update their driving route for fuel saving, congestion or accident avoidance. Besides, an RSU also relays these messages to the traffic control centre for further traffic management and consultation services. For example, in the eSafety Support project [2], an emergency call is made once in-vehicle sensors detect that an accident has occurred. Such
1551-3203 (c) 2019 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
information exchanged in the VANET context must be accurate, trustworthy and truthful, as lives and important decisions may depend on it. However, due to the openness of wireless communications, malicious entities may intercept, relay, and even tamper with the transmitted messages. If an attacker reports fraudulent information about the traffic condition or vehicle position, this may result in serious consequences such as traffic chaos or road accidents [3]–[5]. Furthermore, as in other networks, the nodes of a VANET may misbehave toward honest ones.

Therefore, secure authentication of the transmitted messages is an important requirement in VANETs. Another essential issue for VANETs is conditional anonymity, i.e., a vehicle's private information (e.g., its physical serial number) should only be visible to the trusted authority, and no third-party observer should be able to violate driver privacy [6], [7]. This feature provides both privacy and accountability when fake messages result in crimes or accidents. Over the past few years, many privacy-preserving authentication protocols [8]–[13] have been proposed in the literature. However, we observe that the previously proposed protocols are highly dependent on a centralized server. For example, public key infrastructure (PKI)-based solutions require a certificate authority, whereas ID-based solutions rely on a key generation centre. The former suffers from cumbersome certificate management while the latter is vulnerable to the key escrow problem. A hybrid scheme combining the two types of solutions may mitigate these drawbacks, but it is still not scalable enough in practice.

Blockchain technology, originally proposed in [14], has been seen as a potential solution to bring "trust" and "auto-check" to VANETs. A blockchain platform is an append-only database maintained by the nodes of a peer-to-peer (P2P) network, where the nodes are geographically dispersed but are equally privileged participants in the application. Each node engages in the routing process of the entire network, maintaining connections to neighboring peers, propagating and verifying signed messages, and synchronizing data blocks (which are chained by hash pointers in chronological order and synchronized using a cost-effective consensus mechanism). The "flat" topology of a blockchain therefore offers network users autonomous, decentralized, immutable and contractual "benefits" [15]. With the purpose of injecting auto-trust into VANETs, blockchain may be considered a powerful and scalable tool that can automatically check message credibility, monitor vehicle behavior and further trace an immutable communication record. This paper is motivated by the security and privacy challenges of VANETs and explores the question: "could we build a blockchain-assisted distributed authentication system for VANETs with a privacy-preserving feature?".

1.1 Our Research Contributions
We summarize our key research contributions as follows.
• By leveraging blockchain technology, we design a novel authentication system, BPAS, for VANETs to guarantee that the transmitted messages are verified credibly in the absence of a centralized third party.
• We perform a comprehensive security analysis to show that the proposed BPAS framework satisfies the security and privacy requirements of VANETs, specifically conditional privacy preservation.
• Finally, we implement a prototype of BPAS using smart contracts and deploy it on the well-known consortium blockchain platform Hyperledger Fabric. The performance evaluation results obtained demonstrate that BPAS has great potential to become a practical component of VANETs.

1.2 Organization of the Paper
The rest of the paper is organized as follows. Section 2 discusses related work on privacy-preserving authentication schemes for VANETs. In Section 3, we define the system model and design goals. We present the fundamental building blocks of BPAS in Section 4. The proposed blockchain-assisted privacy-preserving authentication system for VANETs is described in Section 5. Section 6 focuses on the security of BPAS. In Section 7, we provide an experimental evaluation of the proposed system. Finally, we make some concluding remarks in Section 8.

2 RELATED WORKS
In recent years, many researchers have focused on security and privacy issues in VANETs [16]–[24]. Raya and Hubaux [17] employed PKI to meet the authentication requirement of VANETs. They used anonymous certificates (ACs), issued by a trusted third party, to hide a vehicle's real identity. Therefore, each time the vehicle communicates with others, the validity of the transmitted messages and the privacy of the sender can be guaranteed simultaneously. After that, Lu et al. [19] enhanced the unlinkability property by using a temporary AC for each session. Calandriello et al. [18] simplified the certificate management procedure via a group signature and a baseline pseudonym mechanism. Wasef et al. [20] presented a scheme called expedite message authentication protocol (EMAP), which adopts PKI for vehicle authentication and hash-based authentication codes to optimize the integrity check process. However, all the PKI-based authentication schemes suffer from similar weaknesses: 1) the vehicle needs to hold a fair number of secret keys and certificates in order to protect its privacy; 2) the trusted third party requires a large space to store all the certificates; 3) the management of these certificates (e.g., query or revocation) incurs high computation and communication costs.

Another option for the authentication process is identity-based cryptography (IBC), which can efficiently reduce the communication cost of VANETs. IBC was designed by Shamir [25]: each user's private key is issued by the key generation center (KGC) based on his/her identity (e.g., e-mail address), which is also his/her public key. The natural connection between identity and public key makes entity identification easier. Therefore, Zhang et al. [21] employed IBC in VANETs for lightweight message authentication. Chim et al. [22] enhanced the privacy of Zhang et al.'s scheme by using two shared secrets, but their method is still vulnerable to an impersonation attack, as pointed out by Horng et al. [9]. To overcome the security flaws of the previous works, He et al. [24] and Li et al. [10] applied IBC
for secure and extendable communications in VANETs. Although these schemes are a clear improvement over PKI-based frameworks, they suffer from the inherent drawbacks of the key escrow issue and the need for a secure communication channel.

Recently, with the emergence of blockchain technology, some research efforts have explored applying it in VANETs to build a decentralized trust model. For example, in [26], Rowan et al. leveraged blockchain-based PKI with a physical side-channel for secure V2V communication. However, their scheme suffers from some security issues due to its requirement of autonomous vehicles. Dorri et al. [27] proposed another privacy-preserving authentication based on blockchain and changeable public keys, which also suffers from limitations such as membership management and scalability. Lu et al. [28] and Kchaou et al. [29] used blockchain to optimize the VANET trust management framework and designed privacy-aware reputation models. The transactions in both schemes are assumed to securely record the events around the vehicles. Such events could later act as persistent evidence for a vehicle's reputation evaluation. Although their schemes support strong accountability, they cannot prevent malicious behaviors beforehand.

3 PROBLEM FORMULATION
3.1 System Architecture
Fig. 2 describes the network model of our proposed BPAS framework, which consists of three components, namely, the upper layer (i.e., the trusted authority), the bottom layer (i.e., vehicles and road side units), and the extended layer (i.e., smart contract and blockchain). We define the five participants below.

from malicious attacks. Furthermore, the vehicle communicates with other parties wirelessly via the OBU.
• Road side unit (RSU): It is the infrastructure located at the roadside and can communicate wirelessly with vehicles within a specific range. More specifically, it can receive instant messages from vehicles, verify them, and relay them to the traffic management center or to other vehicles.
• Smart contract: It loads a vehicle public key table (VPKT) that aggregates references to all of the vehicles' "identity-public key" relationships, thus providing automatic and timely feedback on vehicles' public key queries. In particular, smart contracts are on-chain code stored in the blockchain and executed and verified by the blockchain managers. Therefore, the smart contract ensures reliable computed results.
• Blockchain: It is instantiated using a consortium blockchain as the decentralized underlying architecture of BPAS. It securely handles the states of transactions and smart contracts among several consensus nodes (named blockchain managers) based on the consensus algorithm. Permitted nodes can query these states at any time to obtain a result verified by the majority of the blockchain managers.

We assume that the TA authenticates the vehicles' owners and preloads authenticators in the OBU offline. The vehicles and RSUs communicate with each other based on the DSRC protocol. Only the TA can deploy, update and revoke the smart contracts via transactions, and any permitted party can access information using transactions. Synchronously, the blockchain managers verify all the transactions and the new states of the smart contracts, and upload them to the blockchain based on the consensus mechanism.
• No online registration center: To relieve the overhead of the registration center, an authentication system should not rely on an online registration center during the authentication phase.
• Resistance to cyber attacks: Generally, a blockchain-assisted authentication system for VANETs should be able to resist the offline password guessing attack, replay attack, vehicle impersonation attack, and distributed denial of service attack.

4 BUILDING BLOCKS
Here, we introduce the fundamental primitives used in BPAS and present a vehicle public key table deployed with fine-grained access control.

4.1 Fuzzy Extractor
In order to enhance the security of authentication, we leverage the fuzzy extractor presented by Dodis et al. [30] as a fundamental component. It is one of the most popular techniques for extracting a stable secret from noisy biometric data. Specifically, the fuzzy extractor is formalized by a tuple $\{m_e, l, \tau, \varepsilon\}$ and two algorithms $\{\mathrm{Gen}, \mathrm{Rep}\}$, where $m_e$ denotes the min-entropy of the collected biometric data distribution, $l$ denotes the fixed length of the output, and $\tau$ and $\varepsilon$ define the tolerable thresholds of sample distance and statistical distance respectively. If we assume that $BiO$ is a biometric sample, then the algorithms $\{\mathrm{Gen}, \mathrm{Rep}\}$ are defined as follows:
• $\mathrm{Gen}(BiO) = (\sigma, \rho)$: It denotes a probabilistic extraction function that takes a biometric sample as input and outputs a high-entropy secret string $\sigma \in \{0,1\}^l$ and a public string $\rho$. The statistical distance $SD((\sigma, \rho), (\theta, \rho))$ is assumed to be smaller than the pre-defined threshold $\varepsilon$, where $\theta$ is an $l$-bit random string.
• $\mathrm{Rep}(BiO', \rho) = \sigma$: It denotes a deterministic reproduction function that takes a biometric sample and the public string as inputs. It is assumed to be error-tolerant in that the secret string $\sigma$ can be recovered correctly if and only if the sample distance $dis(BiO, BiO') < \tau$.

It should be noted that:
1) If $BiO$ and $BiO'$ are collected from the same user, there is a high probability that the distance between them is lower than the threshold, i.e., $\Pr[dis(BiO, BiO') < \tau] > 1 - \varepsilon_{fn}$, where $\varepsilon_{fn}$ is the probability of a "false negative".
2) If $BiO_1$ and $BiO_2$ are collected from different users, there is a high probability that the distance between them is far larger than the threshold, i.e., $\Pr[dis(BiO_1, BiO_2) \gg \tau] > 1 - \varepsilon_{fp}$, where $\varepsilon_{fp}$ is the probability of a "false positive".

4.2 Attribute-Based Encryption (ABE)
ABE is a scheme where an authority issues an attribute secret key for a user based on a set of attributes that can be used to identify this user. In addition to the general features of public key encryption (e.g., correctness, message integrity and confidentiality), it can further provide fine-grained access control. We use the well-known construction [31] for BPAS. Let $\Psi$ denote the access tree, where each non-leaf node represents a threshold gate and each leaf node is described by an attribute. Let $L$ be the set of leaf nodes in $\Psi$, with $|L| = \ell$. Let $att(x)$ denote the function that returns the attribute associated with leaf node $x \in L$, and let $t_x$ denote the threshold value of node $x$. The attribute-based encryption scheme is defined as follows.
• ABE.TSetup: This algorithm outputs the master secret key $MSK$ and the public parameters $ABEParams = \{G_0, G_1, p, H, g, MPK\}$, where $G_0, G_1$ are two cyclic groups of the same prime order $p$ equipped with a bilinear pairing $e : G_0 \times G_0 \to G_1$, $H : \{0,1\}^* \to G_0$ is a cryptographic hash function, $g$ is a random generator of $G_0$, $MSK = \{\beta, g^{\alpha}\}$ is the master secret key defined by two random numbers $\alpha, \beta \in \mathbb{Z}_p$, and $MPK = \{h, f, \Gamma\}$ is the master public key defined by $h = g^{\beta}$, $f = g^{\beta^{-1}}$, $\Gamma = e(g,g)^{\alpha}$. Note that the master secret key $MSK$ must be kept securely.
• ABE.AttrEnc: Upon receiving a message $M$ along with the master public key $MPK$ and the access tree $\Psi$, this algorithm outputs the ciphertext $CT = (\Psi, R, T, S_1, \ldots, S_\ell, P_1, \ldots, P_\ell)$, where $R = M \cdot \Gamma^{r}$, $T = h^{r}$, $S_i = g^{p_i(0)}$, $P_i = H(att(i))^{p_i(0)}$ for all $i \in L$, with a unique polynomial $p_x$ for each node $x$ (including the leaves) in $\Psi$ and a random number $r \in \mathbb{Z}_p$. As in [31], $p_x$ has degree $t_x - 1$ and each child $\zeta$ of $x$ is assigned $p_\zeta(0) = p_x(index(\zeta))$; for the root $R$ of $\Psi$ we set $p_R(0) = r$.
• ABE.AKeyGen: Upon receiving an attribute set $A$ and the master secret key $MSK$, this algorithm outputs the secret key $SK_A = \{K_0, \{K_i, K_i' \mid i \in A\}\}$, where $K_0 = g^{(\alpha+\mu)\cdot\beta^{-1}}$, $K_i = g^{\mu} \cdot H(i)^{\mu_i}$, $K_i' = g^{\mu_i}$ for all $i \in A$, with random numbers $\mu, \mu_1, \ldots, \mu_{|A|} \in \mathbb{Z}_p$.
• ABE.AKeyDel: Upon receiving a secret key $SK_A$ along with a subset of attributes $\tilde{A} \subseteq A$, this algorithm delegates a new secret key $SK_{\tilde{A}} = \{\tilde{K}_0, \{\tilde{K}_i, \tilde{K}_i' \mid i \in \tilde{A}\}\}$, where $\tilde{K}_0 = K_0 \cdot f^{\tilde{\mu}}$, $\tilde{K}_i = K_i \cdot g^{\tilde{\mu}} \cdot H(i)^{\tilde{\mu}_i}$, $\tilde{K}_i' = K_i' \cdot g^{\tilde{\mu}_i}$ for all $i \in \tilde{A}$, with random numbers $\tilde{\mu}, \tilde{\mu}_1, \ldots, \tilde{\mu}_{|\tilde{A}|} \in \mathbb{Z}_p$.
• ABE.Decrypt: Upon receiving the ciphertext $CT$ along with the secret key $SK_A$ associated with the attribute set $A$ and a node $x \in \Psi$, the recursive algorithm $\mathrm{DecryptNode}(CT, SK_A, x)$ is defined as follows:
1) If $x \in L$, i.e., $x$ is a leaf node, let $i = att(x)$; then
$$\mathrm{DecryptNode}(CT, SK_A, x) = \begin{cases} \dfrac{e(K_i, S_x)}{e(K_i', P_x)} = e(g,g)^{\mu \cdot p_x(0)}, & \text{if } i \in A; \\ \bot, & \text{if } i \notin A. \end{cases}$$
2) If $x \notin L$, i.e., $x$ is a non-leaf node, let $\zeta$ denote a child of $x$, let $O_\zeta$ be the output of $\mathrm{DecryptNode}(CT, SK_A, \zeta)$, and let $A_x$ be an arbitrary $t_x$-sized subset of children $\zeta$ such that $O_\zeta \neq \bot$; then
$$\mathrm{DecryptNode}(CT, SK_A, x) = \begin{cases} \bot, & \text{if no such } A_x \text{ exists;} \\ \prod_{\zeta \in A_x} O_\zeta^{\lambda_{i, A_x'}(0)} = e(g,g)^{\mu \cdot p_x(0)}, & \text{otherwise,} \end{cases}$$
where $i = index(\zeta)$, $A_x' = \{index(\zeta) : \zeta \in A_x\}$ and the Lagrange coefficient is $\lambda_{i,A_x'}(0) = \prod_{j \in A_x',\, j \neq i} \frac{-j}{i-j}$. The result follows from polynomial interpolation: $t_x$ evaluations of the degree-$(t_x - 1)$ polynomial $p_x$ determine $p_x(0)$.

Now the ciphertext can be decrypted by calling $\delta = \mathrm{DecryptNode}(CT, SK_A, R)$ on the root $R$ of $\Psi$. Once the tree is satisfied by $A$, i.e., $\delta = e(g,g)^{\mu \cdot p_R(0)} = e(g,g)^{\mu \cdot r}$, we have
$$M = \frac{R \cdot \delta}{e(T, K_0)} = \frac{M \cdot \Gamma^{r} \cdot \delta}{e(h^{r}, g^{(\alpha+\mu)\cdot\beta^{-1}})} = \frac{M \cdot e(g,g)^{\alpha r} \cdot e(g,g)^{\mu r}}{e(g,g)^{(\alpha+\mu) r}}.$$

The security of this scheme has been proven in the generic group model. A more in-depth description is given in [31].

Algorithm 1. Vehicle public key table (VPKT) initialization
% This declares the structure of elements in VPKT.
asset VPKT identified by AID {
  o string AID;
  o address VPK;
}
% This defines the structure of the transactions in the Hyperledger Fabric network.
transaction insertTransaction {
  o string newAID;
  o address newVPK;
}
transaction updateTransaction {
  --> VPKT asset;      % Reference to the VPKT entry being updated.
  o address newVPK;
}
transaction removeTransaction {
  o string AID;
}
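At every threshold gate, the DecryptNode recursion of Section 4.2 reduces to Lagrange interpolation carried out in the exponent. The following Python block is an added example (not code from the paper or from [31]) that isolates exactly that step: it shares $p_R(0) = r$ down an access tree with Shamir polynomials of degree $t_x - 1$, publishes each leaf as $g^{p_i(0)}$, and recombines the satisfied children with $\lambda_{i,A_x'}(0)$. To stay dependency-free it works in a plain prime-order subgroup of $\mathbb{Z}_P^*$ rather than a pairing group (the toy parameters 2039, 1019 and generator 4 are assumptions), so a leaf contributes $g^{p_x(0)}$ instead of $e(g,g)^{\mu \cdot p_x(0)}$; the policy and attribute names are constructed for the example.

```python
import secrets

# Toy group (assumed for this example): the subgroup of Z_P^* of prime order Q
# generated by G. 2039 = 2*1019 + 1 is a safe prime, so 4 = 2^2 has order 1019.
# The real scheme works in a pairing group; the Lagrange step is the same in the exponent.
P_MOD, Q, G = 2039, 1019, 4


def lagrange_at_zero(i, s):
    """lambda_{i,S}(0) = prod_{j in S, j != i} (-j) / (i - j), computed in Z_Q."""
    lam = 1
    for j in s:
        if j != i:
            lam = lam * (-j) * pow(i - j, -1, Q) % Q
    return lam


def share(node, value):
    """Set p_x(0) = value and recurse: child number i receives p_x(i), where p_x is a
    random polynomial of degree t_x - 1 (Shamir sharing at every threshold gate)."""
    if "attr" in node:
        node["share"] = value  # leaf: the exponent that S_i = g^{p_i(0)} commits to
        return
    coeffs = [value] + [secrets.randbelow(Q) for _ in range(node["t"] - 1)]
    for idx, child in enumerate(node["children"], start=1):
        share(child, sum(c * pow(idx, k, Q) for k, c in enumerate(coeffs)) % Q)


def decrypt_node(node, attrs):
    """DecryptNode: G^{p_x(0)} if the subtree at x is satisfied by attrs, else None."""
    if "attr" in node:
        return pow(G, node["share"], P_MOD) if node["attr"] in attrs else None
    outs = {idx: decrypt_node(ch, attrs) for idx, ch in enumerate(node["children"], 1)}
    live = [idx for idx, o in outs.items() if o is not None]
    if len(live) < node["t"]:
        return None  # no t_x-sized subset A_x of satisfied children exists
    s = live[:node["t"]]  # any t_x-sized subset works; s plays the role of A_x'
    acc = 1
    for i in s:
        acc = acc * pow(outs[i], lagrange_at_zero(i, s), P_MOD) % P_MOD
    return acc


def build_tree():
    """Constructed policy: (manager AND region_A) OR (auditor AND region_A AND level_3),
    written with threshold gates: root 1-of-2, left child 2-of-2, right child 3-of-3."""
    return {"t": 1, "children": [
        {"t": 2, "children": [{"attr": "manager"}, {"attr": "region_A"}]},
        {"t": 3, "children": [{"attr": "auditor"}, {"attr": "region_A"},
                              {"attr": "level_3"}]}]}


def run_demo():
    """Share a random r = p_R(0) over the tree and recombine it from three attribute sets."""
    tree = build_tree()
    r = secrets.randbelow(Q)
    share(tree, r)
    return {"expected": pow(G, r, P_MOD),
            "manager": decrypt_node(tree, {"manager", "region_A"}),
            "auditor": decrypt_node(tree, {"auditor", "region_A", "level_3"}),
            "insufficient": decrypt_node(tree, {"auditor", "region_A"})}
```

Two points carry over directly to BPAS: a manager holding only a non-satisfying attribute set gets $\bot$ at the root and learns nothing about $r$ from the partial products, and the choice of $A_x$ is arbitrary, so any $t_x$ satisfied children recombine to the same value.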
4.3 Blockchain and Smart Contract
Blockchain is the core data storage structure of BPAS. In its most general form, a blockchain can be seen as a distributed, transparent, and secure data ledger, where the data (as well as any change to the data) are recorded chronologically in an append-only chain of blocks. Based on the different requirements of access control, blockchain platforms can provide three types of application instances: private blockchain, consortium blockchain and public blockchain. In BPAS, we choose the open source platform Hyperledger Fabric, which is one of the classic consortium blockchain applications, as the basic network architecture. The reason for this choice is that Hyperledger Fabric can handle transactions efficiently and supports Turing-complete contracts. Furthermore, Hyperledger Fabric naturally enables access control strategies (authorized endorser peers can keep the chaincode while both committer and endorser peers can synchronize the ledger).

Smart contract, a term first coined by Nick Szabo in the 1990s, "is a computerized transaction protocol that executes the terms of a contract. The general objective is to satisfy common contractual conditions". Generally, coupled with blockchain technology, it provides some attractive features, i.e., it is self-executing, immutable, self-verifying, auto-enforcing, and decentralized. That is why a smart contract can be auto-executed and deployed in a decentralized network. In our BPAS design, we make use of a smart contract which provides application binary interfaces (ABIs) for vehicle public key table (VPKT) management services. These ABIs support inserting, updating and revoking public keys. Algorithms 1–4 show the smart contracts that are deployed in BPAS. Algorithm 1 declares the structure of elements in the VPKT and the transactions that are initialized in Hyperledger Fabric to specify the query format; Algorithm 2 declares the functionality used when the TA intends to update the public keys of vehicles that already exist in the VPKT; Algorithm 3 shows the insert function for the TA when a new vehicle has been registered and a new item is waiting to be added to the VPKT; finally, Algorithm 4 defines the ABI for the TA to remove an item from the VPKT when the associated vehicle is to be revoked.

We note that the VPKT maintained in the smart contract can be queried with suitable pre-defined permissions. For BPAS, we require that only the managers and the TA can query the VPKT, while other entities (such as RSUs or vehicles) can submit general transactions to the managers when asking for a public key, and the latter (acting as distributed agents) search for the result on their behalf. This setting fully relies on the characteristics of the consortium blockchain, which can provide fast queries of a vehicle's public key and protect its privacy.

Algorithm 2. Update VPKT
function updateVPKT (tx) {
  % This ABI is invoked by the TA to update VPKT.
  const assetRegistry = await getAssetRegistry(VPKT);
  if Exist(VPKT, tx.asset.AID) then {
    const entry = tx.asset;      % The VPKT entry referenced by the transaction.
    entry.VPK = tx.newVPK;
    await assetRegistry.update(entry);
    return succ; }
  else
    return err;
}

5 DESIGN OF BPAS
This section introduces the design of our BPAS, which consists of five modules: system initialization, smart contract deployment, vehicle registration, login and message authentication, and vehicle revocation.

5.1 System Initialization
In this phase, the TA generates the system parameters and initializes a consortium blockchain.
- ECC initialization: The TA generates the system parameters $ECParams = \{q, a, b, n, P, P_{pub}, H_1, H_2\}$, where $q$ is a large prime and $a, b \in \mathbb{F}_q$ (satisfying $4a^3 + 27b^2 \neq 0$) are the parameters defining the non-singular elliptic curve $E(q)$ by the equation $y^2 = x^3 + ax + b \bmod q$; $P$ is a generator of the additive group $G_{EC}$ of order $n$ (it is worth noting that $G_{EC}$ consists of all the points over $E$ together with the point at infinity $O$); $P_{pub} = s \cdot P$ is the system public key associated with the system secret key $s \in \mathbb{Z}_n^*$; $H_1 : \{0,1\}^* \to \{0,1\}^{\lambda}$ and $H_2 : \{0,1\}^* \to \mathbb{Z}_n$ are two cryptographic hash functions with a fixed output range.
- ABE initialization: The TA defines a suitable access structure $\Psi$ and attribute set $A$, then invokes ABE.TSetup and ABE.AKeyGen to generate
$ABEParams = \{G_0, G_1, p, H, g, MPK\}$, the master secret key $MSK$ and the master attribute key $SK_A$ based on $\Psi$ and $A$. When each blockchain manager registers in this system, the TA invokes ABE.AKeyDel to issue a sub-key $SK_{\tilde{A}}$ based on that entity's attributes $\tilde{A}$.
- Blockchain initialization: The TA starts up a consortium blockchain among the preset network nodes, following the PBFT (Practical Byzantine Fault Tolerance) consensus mechanism to maintain the blockchain. It should be noted that the TA has authenticated all the blockchain managers in advance and authorized them to engage in the consensus process. In addition, it deploys an access control list in Hyperledger Fabric with permissions such as READ and RECORD.

Algorithm 3. Insert VPKT
function insertVPKT (tx) {
  % This ABI is invoked by the TA to insert a new VPK.
  const assetRegistry = await getAssetRegistry(VPKT);
  if Exist(VPKT, tx.newAID) then
    return err;                  % Duplicate AID: never overwrite an existing key.
  var entry = newResource(VPKT, tx.newAID);
  entry.VPK = tx.newVPK;
  await assetRegistry.add(entry);
  return succ;
}

Algorithm 4. Revoke VPKT
function revokeVPKT (tx) {
  % This ABI is invoked by the TA to revoke a vehicle.
  const assetRegistry = await getAssetRegistry(VPKT);
  if Exist(VPKT, tx.AID) then {
    await assetRegistry.remove(tx.AID);
    return succ; }
  else
    return err;
}

to the smart contract via the insert ABI, i.e., insertVPKT(AID, VPK), using a private transaction.

5.4 Login and Authentication
When a vehicle intends to send traffic messages to nearby RSUs and vehicles, the following steps are executed.
1) The vehicle's owner inputs $pw'$ and imprints his/her biometrics $BiO'$ at the sensor. The OBU computes $\sigma' \leftarrow \mathrm{Rep}(BiO', \rho)$ and checks whether $K = H_1(VID \| pw' \| \sigma')$ holds. If this verification fails, the OBU rejects the request. Otherwise, it encrypts the blinded identity $AID$ as $\Upsilon \leftarrow \mathrm{ABE.AttrEnc}(AID)$ to guarantee that only the blockchain managers can decrypt it. It further generates a random number $r \in \mathbb{Z}_n$ and computes $R = r \cdot P$, $\alpha = H_2(\Upsilon \| R \| M \| T_1)$ and $\omega = r + \alpha \cdot sk \bmod n$, where $M$ is the instant message valid during the timestamp $T_1$. Finally, the OBU broadcasts the message $\{\Upsilon, M, R, T_1, \omega\}$ to nearby RSUs and vehicles.
2) The receiver (an RSU or a vehicle) checks the freshness of the received message using the timestamp $T_1$. If it is valid, the receiver launches a transaction with $\Upsilon$ to the blockchain managers to request the associated public key.
3) The blockchain managers (who satisfy the attributes that appear in $\Psi$) invoke ABE.Decrypt to decrypt it to $AID$. They further search the VPKT entry identified by $AID$ to obtain the corresponding public key $VPK$, or err.
4) Upon receiving $VPK$ from the blockchain managers, the receiver computes $\alpha' = H_2(\Upsilon \| R \| M \| T_1)$ and accepts the message if and only if $\omega \cdot P$ equals $R + \alpha' \cdot VPK$; otherwise, it rejects this message.

Since $VPK = sk \cdot P$ and $\omega = r + \alpha \cdot sk \bmod n$, we have
$$\omega \cdot P = (r + \alpha \cdot sk) \cdot P = r \cdot P + \alpha \cdot (sk \cdot P) = R + \alpha \cdot VPK.$$
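Steps 1–4 above as one end-to-end example, added here in Python and not the authors' implementation (which uses the RELIC library and Hyperledger Fabric). It instantiates the curve as secp256k1, $H_1$ as SHA-256, $H_2$ as SHA-256 reduced modulo $n$, and the fuzzy extractor of Section 4.1 as a code-offset secure sketch over a 5-fold repetition code; all four are assumptions of the example. The ABE ciphertext $\Upsilon$ is treated as an opaque byte string, and the managers' ABE.Decrypt plus VPKT lookup is replaced by a callback and a dictionary. The vehicle identity, password, biometric template and message are constructed inputs. Besides the happy path, it exercises the rejections a receiver must make: a stale $T_1$, a tampered $M$, and an $AID$ that is no longer in the VPKT.

```python
import hashlib
import secrets

# Curve parameters: secp256k1 is assumed here; the paper fixes only the form of ECParams.
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F  # field prime q
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # order n of P
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)  # generator P
REP = 5  # repetition-code length of the assumed fuzzy-extractor instantiation

def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7 over F_q; None is the point at infinity O."""
    if p1 is None or p2 is None:
        return p1 if p2 is None else p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % Q == 0:
        return None
    lam = (3 * x1 * x1 * pow(2 * y1, -1, Q) if p1 == p2
           else (y2 - y1) * pow(x2 - x1, -1, Q)) % Q
    x3 = (lam * lam - x1 - x2) % Q
    return x3, (lam * (x1 - x3) - y1) % Q

def ec_mul(k, pt):
    """Double-and-add scalar multiplication k * pt."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def h1(*parts):  # H1 : {0,1}* -> {0,1}^lambda, instantiated as SHA-256
    return hashlib.sha256(b"||".join(parts)).digest()

def h2(*parts):  # H2 : {0,1}* -> Z_n
    return int.from_bytes(h1(*parts), "big") % N

def enc_pt(pt):  # fixed-width encoding of a point for hashing
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def fe_gen(bio):
    """Gen(BiO) -> (sigma, rho): code-offset sketch, rho = BiO xor Encode(sigma)."""
    sigma = [secrets.randbelow(2) for _ in range(len(bio) // REP)]
    rho = [x ^ c for x, c in zip(bio, [b for b in sigma for _ in range(REP)])]
    return sigma, rho

def fe_rep(bio, rho):
    """Rep(BiO', rho): majority-decode BiO' xor rho; tolerates 2 flips per 5-bit block."""
    w = [x ^ r for x, r in zip(bio, rho)]
    return [int(2 * sum(w[i:i + REP]) > REP) for i in range(0, len(w), REP)]

def sigma_bytes(sigma):
    return bytes(int("".join(map(str, sigma[i:i + 8])), 2) for i in range(0, len(sigma), 8))

def ta_register(vid, pw, bio):
    """Offline registration by the TA: key pair, helper string rho and verifier K."""
    sk = secrets.randbelow(N - 1) + 1
    sigma, rho = fe_gen(bio)
    obu = {"sk": sk, "rho": rho, "K": h1(vid, pw, sigma_bytes(sigma))}
    return obu, ec_mul(sk, P)  # obu is preloaded into the OBU, VPK goes into the VPKT

def obu_sign(obu, vid, pw, bio, upsilon, msg, t1):
    """Step 1: local pw/biometric check, then output {Upsilon, M, R, T1, omega}."""
    if h1(vid, pw, sigma_bytes(fe_rep(bio, obu["rho"]))) != obu["K"]:
        return None  # the OBU rejects the request
    r = secrets.randbelow(N - 1) + 1
    R = ec_mul(r, P)
    alpha = h2(upsilon, enc_pt(R), msg, str(t1).encode())
    return {"upsilon": upsilon, "M": msg, "R": R, "T1": t1,
            "omega": (r + alpha * obu["sk"]) % N}

def receiver_verify(pkt, now, vpkt, resolve_aid, window=5):
    """Steps 2-4: freshness of T1, VPK lookup via the managers, omega*P == R + alpha'*VPK."""
    if pkt is None or abs(now - pkt["T1"]) > window:
        return False
    vpk = vpkt.get(resolve_aid(pkt["upsilon"]))  # resolve_aid stands in for ABE.Decrypt
    if vpk is None:
        return False  # err: AID unknown or revoked
    alpha = h2(pkt["upsilon"], enc_pt(pkt["R"]), pkt["M"], str(pkt["T1"]).encode())
    return ec_mul(pkt["omega"], P) == ec_add(pkt["R"], ec_mul(alpha, vpk))

def run_demo():
    """Constructed inputs: one vehicle, a noisy re-sample of its biometric, four receptions."""
    bio = [secrets.randbelow(2) for _ in range(80)]
    obu, vpk = ta_register(b"VID-1", b"pw", bio)
    vpkt, ups, aid = {"AID-1": vpk}, b"ABE(AID-1)", lambda _: "AID-1"
    resample = bio[:]
    for i in (0, 7, 41):  # one flipped bit in each of three different blocks
        resample[i] ^= 1
    pkt = obu_sign(obu, b"VID-1", b"pw", resample, ups, b"slippery road ahead", 1000)
    return {"login_bad_pw": obu_sign(obu, b"VID-1", b"bad", resample, ups, b"x", 1000),
            "ok": receiver_verify(pkt, 1002, vpkt, aid),
            "tampered": receiver_verify(dict(pkt, M=b"road clear"), 1002, vpkt, aid),
            "stale": receiver_verify(pkt, 1100, vpkt, aid),
            "revoked": receiver_verify(pkt, 1002, {}, aid)}
```

The receiver never learns the vehicle's real identity: it verifies $\omega \cdot P = R + \alpha' \cdot VPK$ against a key it obtained only through the managers, and revocation needs no certificate revocation list, just removal of the $AID$ from the VPKT. Note that $r$ must be fresh per message; reusing it across two messages with different $\alpha$ would leak $sk$ by subtraction, exactly as in any Schnorr-type signature.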
the relic library [32]. The ABE scheme is instantiated based on the cpabe-toolkit [33].

TABLE 1: Time cost of basic operations (in microseconds)
Operation                 Average time (µs)
Point addition            0.184
Scalar multiplication     64.99
Integer multiplication    0.179
Hash                      0.296

Table 1 and Table 2 present the results obtained. From them, we can approximately calculate the execution times of the cryptographic operations during a successful authentication. It should be noted that the TA is offline during the authentication phase.
TABLE 3: Running time cost in BPAS (in second)

Step                                     Running time
Registration (TA)                        2.466
Login and message signing (Vehicles)     0.457
Query public key (RSU)                   0.302
Message authentication (Vehicles)        0.130
Revocation (TA)                          2.338

Fig. 3: Performance evaluation of BPAS (in seconds). The bar chart breaks the running time of each step down into basic operations, ABE operations and Hyperledger operations:

Step                        Basic ops.   ABE ops.   Hyperledger ops.
Registration                0.131        0          2.335
Login & message signing     0.065        0.39       0
Query public key            0            0.077      0.225
Message authentication      0.13         0          0
Revocation                  0            0          2.338

[7] J. Lin, W. Yu, N. Zhang, X. Yang, H. Zhang, and W. Zhao, “A survey on internet of things: Architecture, enabling technologies, security and privacy, and applications,” IEEE Internet of Things Journal, vol. 4, no. 5, pp. 1125–1142, 2017.
[8] Q. Feng, D. He, S. Zeadally, N. Kumar, and K. Liang, “Ideal lattice-based anonymous authentication protocol for mobile devices,” IEEE Systems Journal, pp. 1–11, 2018.
[9] S.-J. Horng, S.-F. Tzeng, Y. Pan, P. Fan, X. Wang, T. Li, and M. K. Khan, “b-SPECS+: Batch verification for secure pseudonymous authentication in VANET,” IEEE Transactions on Information Forensics and Security, vol. 8, no. 11, pp. 1860–1875, 2013.
[10] J. Li, Y. Liu, Z. Zhang, B. Li, H. Liu, and J. Cheng, “Efficient ID-based message authentication with enhanced privacy in wireless ad-hoc networks,” in 2018 International Conference on Computing, Networking and Communications (ICNC), pp. 322–326, IEEE, 2018.
[11] D. Wang, H. Cheng, P. Wang, X. Huang, and G. Jian, “Zipf’s law in passwords,” IEEE Transactions on Information Forensics and Security, vol. 12, no. 11, pp. 2776–2791, 2017.
[12] D. Wang and P. Wang, “Two birds with one stone: Two-factor authentication with security beyond conventional bound,” IEEE Transactions on Dependable and Secure Computing, vol. 15, no. 4, pp. 708–722, 2016.
[13] B. Chen, L. Wu, N. Kumar, K.-K. R. Choo, and D. He, “Lightweight searchable public-key encryption with forward privacy over IIoT outsourced data,” IEEE Transactions on Emerging Topics in Computing, 2019.
[14] S. Nakamoto et al., “Bitcoin: A peer-to-peer electronic cash system,” 2008.
[15] Q. Feng, D. He, S. Zeadally, M. K. Khan, and N. Kumar, “A survey on privacy protection in blockchain system,” Journal of Network and Computer Applications, vol. 126, pp. 45–58, 2019.
[16] D. Wang, W. Li, and P. Wang, “Measuring two-factor authentication schemes for real-time data access in industrial wireless sensor networks,” IEEE Transactions on Industrial Informatics, vol. 14, no. 9, pp. 4081–4092, 2018.
[17] M. Raya and J.-P. Hubaux, “Securing vehicular ad hoc networks,” Journal of Computer Security, vol. 15, no. 1, pp. 39–68, 2007.
[18] G. Calandriello, P. Papadimitratos, J.-P. Hubaux, and A. Lioy, “Efficient and robust pseudonymous authentication in VANET,” in Proceedings of the Fourth ACM International Workshop on Vehicular Ad Hoc Networks, pp. 19–28, ACM, 2007.
[19] R. Lu, X. Lin, H. Zhu, P.-H. Ho, and X. Shen, “ECPP: Efficient conditional privacy preservation protocol for secure vehicular communications,” in IEEE INFOCOM 2008 - The 27th Conference on Computer Communications, pp. 1229–1237, IEEE, 2008.
[20] A. Wasef and X. Shen, “EMAP: Expedite message authentication protocol for vehicular ad hoc networks,” IEEE Transactions on Mobile Computing, vol. 12, no. 1, pp. 78–89, 2013.
[21] C. Zhang, P.-H. Ho, and J. Tapolcai, “On batch verification with group testing for vehicular communications,” Wireless Networks, vol. 17, no. 8, pp. 1851–1865, 2011.
[22] T. W. Chim, S.-M. Yiu, L. C. Hui, and V. O. Li, “SPECS: Secure and privacy enhancing communications schemes for VANETs,” Ad Hoc Networks, vol. 9, no. 2, pp. 189–203, 2011.
[23] Q. Feng, D. He, S. Zeadally, and H. Wang, “Anonymous biometrics-based authentication scheme with key distribution for mobile multi-server environment,” Future Generation Computer Systems, vol. 84, pp. 239–251, 2018.
[24] D. He, S. Zeadally, B. Xu, and X. Huang, “An efficient identity-based conditional privacy-preserving authentication scheme for vehicular ad hoc networks,” IEEE Transactions on Information Forensics and Security, vol. 10, pp. 2681–2691, Dec. 2015.
[25] A. Shamir, “Identity-based cryptosystems and signature schemes,” in Workshop on the Theory and Application of Cryptographic Techniques, pp. 47–53, Springer, 1984.
[26] S. Rowan, M. Clear, M. Gerla, M. Huggard, and C. M. Goldrick, “Securing vehicle to vehicle communications using blockchain through visible light and acoustic side-channels,” arXiv preprint arXiv:1704.02553, 2017.
[27] A. Dorri, M. Steger, S. S. Kanhere, and R. Jurdak, “Blockchain: A distributed solution to automotive security and privacy,” IEEE Communications Magazine, vol. 55, no. 12, pp. 119–125, 2017.
[28] Z. Lu, Q. Wang, G. Qu, and Z. Liu, “BARS: A blockchain-based anonymous reputation system for trust management in VANETs,” in 2018 17th IEEE International Conference On Trust, Security And Privacy In Computing And Communications / 12th IEEE International Conference On Big Data Science And Engineering (TrustCom/BigDataSE), pp. 98–103, IEEE, 2018.
[29] A. Kchaou, R. Abassi, and S. Guemara, “Toward a distributed trust management scheme for VANET,” in Proceedings of the 13th International Conference on Availability, Reliability and Security, p. 53, ACM, 2018.
[30] Y. Dodis, L. Reyzin, and A. Smith, “Fuzzy extractors: How to generate strong keys from biometrics and other noisy data,” in International Conference on the Theory and Applications of Cryptographic Techniques, pp. 523–540, Springer, 2004.
[31] J. Bethencourt, A. Sahai, and B. Waters, “Ciphertext-policy attribute-based encryption,” in 2007 IEEE Symposium on Security and Privacy (SP ’07), pp. 321–334, May 2007.
[32] D. F. Aranha and C. P. L. Gouvêa, “RELIC is an Efficient LIbrary for Cryptography.” https://github.com/relic-toolkit/relic.
[33] J. Bethencourt, A. Sahai, and B. Waters, “Advanced crypto software collection: the cpabe toolkit,” 2011.

Qi Feng received the Bachelor degree in 2016 and the Master degree in 2018, both from the School of Computer Science, Wuhan University, China. She is currently working toward a Ph.D. degree at the School of Cyber Science and Engineering, Wuhan University, China. Her research interests include cryptographic protocols.
Sherali Zeadally earned his bachelor’s degree in computer science from the University of Cambridge, England. He also received a doctoral degree in computer science from the University of Buckingham, England. He is currently an Associate Professor in the College of Communication and Information, University of Kentucky, Lexington, KY, USA. His research interests include cybersecurity, privacy, Internet of Things, computer networks, and energy-efficient networking. He is a Fellow of the British Computer Society and the Institution of Engineering Technology, England.

Neeraj Kumar received his Ph.D. in CSE from Shri Mata Vaishno Devi University, Katra, India. He is now an Assistant Professor in the Department of Computer Science and Engineering, Thapar University, Patiala, Punjab (India). He is a senior member of ACEEE and IACSIT. His research is focused on mobile computing, parallel/distributed computing, multi-agent systems, service oriented computing, routing and security issues in mobile ad hoc, sensor and mesh networks.

Jong-Hyouk Lee (M’07-SM’12) received the M.S. and Ph.D. degrees in Computer Engineering from Sungkyunkwan University, Suwon, Korea. Dr. Lee was a researcher at INRIA, France and was an Assistant Professor at TELECOM Bretagne, France. He is now an Assistant Professor at Sangmyung University, Cheonan, Korea. Dr. Lee won the Best Paper Award at the IEEE WiMob 2012 and was a tutorial speaker at the IEEE WCNC 2013 and IEEE VTC 2014 Spring. He was selected as the Young Researcher of the Month by the National Research Foundation of Korea in November 2014. He is an associate editor of Wiley Security and Communication Networks and IEEE TRANSACTIONS ON CONSUMER ELECTRONICS. Research interests include authentication, privacy, genomic privacy, and Internet mobility management.

Kaitai Liang received the Ph.D. degree from the Department of Computer Science, the City University of Hong Kong, China, in 2014. He is a lecturer at the Department of Computing, Mathematics and Digital Technology, Manchester Metropolitan University, UK. His research interests are cyber-security, privacy and security in information technology; in particular, big data security, privacy enhancing technology, cloud security, privacy in Internet of Things and lightweight secure systems.