Anonymous Counting Problem in Trust Level

34 IEEE TRANSACTIONS ON VEHICULAR TECHNOLOGY, VOL. 68, NO.
1, JANUARY 2019
Anonymous Counting Problem in Trust Level

Warning System for VANET
Cheuk Yu Yeung , Lucas Chi Kwong Hui, Senior Member, IEEE, Tat Wing Chim, Siu-Ming Yiu ,
Gongxian Zeng , and Jingyue Chen
Abstract—Using vehicular ad-hoc network, smart vehicles can

detect dangerous events on the road and announce warnings to
other vehicles to ensure road safety. The other vehicles nearby
may receive the warning messages and accordingly choose a dif-
ferent route. But, because of the presence of malicious users on the
road and errors in the detection system, some warning messages
may prove dubious. Therefore, to distinguish between genuine and
dubious messages, an element of trust has to be infused into the
warning system. One common approach for this is to enable the
receivers count the popularity of the reports of a warning event,
i.e., the trust level. Once the trust level meets a predefined threshold,
the vehicle’s on-board unit will trust the warning event and warn
the driver. Yet, owing to security and privacy concerns, anony-
mous counting problem does exist, because it is hard to fulfill both Fig. 1. General scenario in trust level warning system.
anonymity and counting requirements. In this paper, the authors
define the anonymous counting problem and then propose a condi- whose vehicle has detected a dangerous event and broadcast a
tional distinguishable pseudo identities scheme that achieves con-
ditional anonymity to overcome the counting problem. To achieve warning message (see Fig. 1, adopted from [1]). The drivers
this feature of pseudo identities, time slot was added to minimize in the vehicles around Ada may receive the warning message,
the influence of the adversary. Randomized batch verification was attempt to detect the event and relay the warning with a posi-
applied to enhance efficiency. Furthermore, it is shown how to tive, neutral or negative report. As the event is real, the reports
achieve those features and provide proof on pairing equations. Fi- tend to be positive. However, a malicious driver may relay the
nally, the time complexity of the proposed scheme was analyzed
and its performance evaluated by Simulation of Urban Mobility. warning with an intentionally negative report, whereas a legiti-
mate driver may give a neutral report when it fails to detect the
Index Terms—Anonymous counting problem, trust level warn- event [2]. Another driver, Bob, is arriving at the event’s area.
ing system, conditional anonymity, time slot, pseudo identity.
His vehicle has received warning messages from all the vehi-
I. INTRODUCTION cles ahead, but not all of them are positive. So, Bob needs to
know whether the warning event is real or not, before arriving
A. Scenario at the warning event’s area. In such a scenario as this, the driver
HE following is a description of trust level warning sce- will be confronted with two major problems. 1) Counting: How
T nario, which starts with a legitimate driver, by name Ada, can Bob’s vehicle count the popularity of received reports pre-
cisely? Is it based on the identity of the warning message? 2)
Anonymity: Warning messages are broadcast on wireless chan-
Manuscript received March 31, 2017; revised December 8, 2017, April
25, 2018, and September 8, 2018; accepted November 6, 2018. Date of nel and everyone can read those messages. Should the identities
publication December 4, 2018; date of current version January 15, 2019. of the warning messages be hidden to prevent the eavesdropper
This work was partially supported in part by the HKU Seed Fundings for from tracing any of those messages? Before discussing these
Applied Research 201409160030, in part by the HKU Seed Fundings for
Basic Research 201311159149 and 201411159122, in part by the National questions in detail, it is necessary to give some background in-
Natural Science Foundation of China (61572157 and 61401176), PRC, in formation of VANET and then use this scenario as an example
part by the Shenzhen Strategic Emerging Industry Development Foundations to define the anonymous counting problem.
(JCYJ20150403161923509 and JCYJ20150617155357681), PRC, and in part
by the RGC CRF project fund (CityU C1008-16G). The review of this paper
was coordinated by Prof. Y. P. Fallah. (Corresponding author: Cheuk Yu Yeung.) B. Background
C. Y. Yeung, T. W. Chim, S. M. Yiu, G. Zeng, and J. Chen are with the
Department of Computer Science, The University of Hong Kong, Hong Kong Vehicular Ad-hoc Network (VANET) has, of late, been gain-
(e-mail:, leocyyeung@connect.hku.hk; twchim@cs.hku.hk; smyiu@cs.hku.hk; ing more popularity in many countries. In a typical VANET, one
naksi@hku.hk; jychen93@connect.hku.hk).
L. C. K. Hui was with the Department of Computer Science, The University On-board Unit (OBU) is installed on each vehicle, which is sup-
of Hong Kong, Hong Kong, and he is now with the Hong Kong Applied Science ported by a Road-Side Unit (RSU), installed along the road. A
and Technology Research Institute, Hong Kong (e-mail:,hui@cs.hku.hk). Trusted Authority (TA), or some other application server, is in-
Color versions of one or more of the figures in this paper are available online
at http://ieeexplore.ieee.org. stalled at the backend. OBU and RSU can communicate among
Digital Object Identifier 10.1109/TVT.2018.2884899 themselves, using the Dedicated Short Range Communications
0018-9545 © 2018 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See http://www.ieee.org/publications standards/publications/rights/index.html for more information.
Authorized licensed use limited to: Lancaster University. Downloaded on February 28,2021 at 02:16:39 UTC from IEEE Xplore. Restrictions apply.
YEUNG et al.: ANONYMOUS COUNTING PROBLEM IN TRUST LEVEL WARNING SYSTEM FOR VANET 35
(DSRC) protocol [3] over the wireless channel. Some applica- vehicles nearby to divert from their chosen routes by sending
tions of VANET arbitrarily allow certain vehicles to broadcast them fake messages, and thus secure a rather traffic-free road,
safety messages (e.g. Vehicle speed, traffic accident infor- which enables him or her to drive faster. If the warning system is
mation) to other vehicles nearby (denoted as vehicle-vehicle vulnerable to attacks by malicious users, then the accuracy in the
or V2V communications) and to RSU (denoted as vehicle- calculation of its trust level decreases, and thus the trust level
infrastructure or V2I communications). The intelligent trans- becomes unreliable. Experienced drivers would learn how to
portation system (ITS) is served by an International Standard ignore the fake warning messages generated by such systems.
IEEE 802.11p that works in the 5.9 GHz band, reserved for it Improper handling of message transmissions also can lead to
[4]. ITS ensures road safety by sharing information among the different kinds of attacks, besides leading to leaking driver’s
other devices deployed for this task. Once the driver receives sensitive data (e.g. driving habit, traveling route, etc.). Thus,
any warning message from any party, he or she may suitably both security and privacy are important concerns in designing
reschedule his or her traveling routes. VANET’s applications.
Recently, the systems involved in issuing warning message Anonymous Counting Problem: In the scenario, shown in
have been discussed in [5]. If the detection unit is made more Fig. 1, two initial problems are pointed out in the trust level warn-
sensitive to detecting the warning event, its acceptance rate of ing system: counting and anonymity. Counting, which means
false positive reports may increase. However, at the same time, counting the popularity of the warning messages, received on
it is also possible that a malicious user injects false data and the same event, is one of the main features of trust level calcula-
generates a fake warning. Applying trust may be a good solution tion. Once the counting feature is achieved, the other statistical
for solving the problems caused by malicious user and the errors calculations (e.g. sum and average) can be accomplished.
in the detection unit. In [6], the authors establish trust level as In the Unfixed Identity Signing (UIS) (e.g. pseudo identity)
a measure of confidence in warning message system. They also approach, each warning message is signed by a randomly picked
define trust and enumerate the reasons that necessitate trust. pseudo identity. And, if the same source reports multiple warn-
In the reputation-based mechanism, presented in [7], two ing messages on the same event, it results in over counting.
challenges are identified: 1) RQ1 - How and which parame- To achieve exact counting, Fixed Identity Signing (FIS) can be
ters are to be used in evaluating reputation and 2) RQ2 - How to used to sign warning messages generated from the same source,
assign the initial trust values. In warning systems, the trust level but it leaks driver’s identity through eavesdropping. There-
can be calculated by using all the warning information, reported fore, conventional UIS and FIS cannot achieve counting and
on a particular event. It is to be noted that the contents of two anonymity simultaneously. FIS includes two approaches: Real
warning messages need not be identical, even though they refer Identity Signing (RIS) and One Pseudonym Signing (OPS). RIS
to the same warning event. Even then, they can be linked, based can be rejected straight away, because signing by a real iden-
on the message contents (e.g. event type, location and time). tity leads to leaking driver’s identity. OPS can mask the real
The trust level of a warning is considered high if many nodes identity, but if the pseudonym is misused, a malicious outsider
send positive reports, and this is possible when the majority of can still track it. If an adversary can eavesdrop all the traffic
the users are legitimate. Alert warnings are generated only when throughout an area [12] and link up any specific pseudonym to
the trust level meets the assigned threshold. The nearby drivers the target driver’s identity (e.g. by capturing car plate number
can react to such warnings and take decisions, depending on through a camera), the adversary can trace the targeted driver’s
their needs. Researchers had put in a lot of effort in finding traveling route under OPS. Therefore, the challenge taken up for
ways for achieving meaningful trust levels [6], [8], [9]. Their this study is to design a secure and privacy-preserving solution
approaches are broadly of two categories: 1) statistical formula that can 1) achieve exact counting that enables precise trust level
and 2) decision flow. For statistical approach, the researchers calculation and simultaneously 2) protect drivers’ privacy from
suggest different factors, such as node reputation, event type, such high-level eavesdroppers. This challenge is termed here
event location, entity location, time, etc. For decision flow ap- as Anonymous Counting Problem. To the best of the authors’
proach, they suggest different kinds of logical decisions. For knowledge, this is the first that an attempt is made to overcome
example, if the vehicle and RSU report positive, the warning anonymous counting problem in the background of trust level
event is always to be trusted. warning system in VANET.
In the same reputation-based mechanism, three more chal-
lenges are identified: 1) RQ3 - How do the trust values adopt
to the changes in dynamic factors; 2) RQ4 - How to protect the C. Contributions
trust/reputation values from collusion and deception problems; This novel scheme is called Conditional Distinguishable
and 3) RQ9 - How to evaluate the reputation of a community in Pseudo Identities (CDPD) scheme. In summary, this study has
a dynamic environment. These are the main challenges that are led to four major contributions: 1) Security: CDPD achieves
discussed in this paper. Most of the existing reputation schemes properties of integrity, authentication, and non-repudiation; 2)
on VANET do not consider the security and privacy concerns. Privacy: CDPD overcomes the anonymous counting problem by
VANET inherits all the discovered and undiscovered perfor- conditional anonymity, which has the benefits of distinguishabil-
mance hurdles and security threats from distributed networks ity of OPS and avoiding the possibility of eavesdropper tracking,
[10], [11]. A selfish user may perform some malicious acts to as in the UIS. The same source produces different hash digests in
derive certain benefits. For example, a selfish user may prod the the warning message. All this becomes possible by embedding a
36 IEEE TRANSACTIONS ON VEHICULAR TECHNOLOGY, VOL. 68, NO. 1, JANUARY 2019
unique credential into all pseudo identities of the user. Besides, to follow similar preloading strategy and found that it works
there are three restricted privacy levels and abilities, which are efficiently, because it uses bilinear mapping [23]. An efficient
delivered in three types. 3) Efficiency: For efficiency, CDPD conditional privacy protocol, using bilinear map pairing, is pro-
relies on bilinear map property. Randomized batch verification posed in [24]. In addition to these, there are several other ways
enhances security level and effectiveness. Proof of pairing equa- to further protect driver’s privacy, e.g. shuffling keys to hide
tion is also given. 4) Time-slotted Feature: CDPD’s time-slotted drivers’ identity [25], [26]. No doubt, these schemes achieve
feature constrains the influence of the malicious user. a high standard of privacy, but they require an RSU nearby
to work. A preloading pseudo identities strategy is suggested
D. Organization to provide mobility. Besides, the design proposed here provides
conditional privacy feature [27], assuming that the RSU is semi-
The remaining part of the paper is organized as follows:
trusted.
Section II summarizes some of the existing security and
Three existing cryptographic approaches are proposed for
privacy-preserving approaches, relating to anonymous counting
achieving threshold property. The first and second approaches
problem; Section III presents the system model and the
can be considered threshold-security-based approaches, in that
assumptions made for trust level warning system, following
they generate a warning message only when enough number of
the adversary model, system requirements and definition of
users’ reports agree. The first approach is Threshold Security
bilinear map; Section IV explains in detail the methodology
(TS), a.k.a. Threshold cryptography [28]. The (t, n)-threshold
adopted in designing the proposed scheme; Section V explains
signature scheme requires that at least t vehicles among n au-
how security requirements are achieved; Section VI analyzes
thenticated vehicles be available for creating the signature to
the time complexity of the proposed scheme; Section VII
sign a warning message. However, this approach cannot give
evaluates the trust level accuracy by simulation and comparison
flexibility in calculating trust level; in other words, it fixes a
of the results of this study with those of two existing secure
threshold that cannot be changed. Also, it carries out threshold
threshold-based approaches; Finally, Section VIII presents the
checking on the generator side. The second approach is Parallel
conclusions drawn from this study.
Threshold Security (PTS) approach [28]. In which the system
administrator may set multiple thresholds, for example, three
II. RELATED WORK thresholds, instead of only one, as in the case of TS. The ap-
Drivers usually need a summary of road situation, not a spe- proach can therefore present low, medium and high trust levels
cific individual report. The summary of road situation motivates of a warning event. But the disadvantage of this approach is that
data aggregation issues in the vehicular network. Secure data the drivers cannot set up the thresholds, and thus the approach
aggregation scheme, with probabilistic counting, can generate is not flexible enough to suit different users’ preferences. Also,
cooperative collision warning [13], [14], but such a scheme in practice, it is difficult to set too many thresholds, as they re-
rigidly requires that the messages are identical, to form a multi- quire too much computation and network bandwidth. Also, the
signature. The probabilistic counting feature also requires that a threshold checking is done on the generator side. The third ap-
sufficient number of nodes agree with the aggregated data. This proach is the announcement-based approach, which usually uses
method allows the receiver to roughly estimate the popularity of a pseudonym to hide the driver’s identity in broadcasting an an-
the reports, but not the precisely counted value. Therefore, data nouncement. The authors of [1] provide a scheme, which is both
aggregation may not suit all the trust level warning systems. threshold- and announcement-based. In this scheme, threshold
Some recent surveys summarize the general problems and checking is done on the receiver side. The drawback of this
solutions, relating to VANET security, privacy, and trust approach is that it cannot overcome anonymous counting prob-
[15]–[18]. One of the highlighted notorious trust-related attacks lem, because the same source produces the same hash value in
on ad hoc network is the Sybil Attack. The malicious node pre- one part of the vehicular messages, each time the identity leaks.
tends itself as several nodes that try to sign a warning event twice To overcome this problem, this paper proposes a conditional
[17]. One of the solutions proposed can detect Sybil Attack, if distinguishable pseudo-identities scheme.
malicious vehicle pretends as multiple and distinct vehicles [19]. Another problem that may arise in warning systems is net-
A similar concept is adopted for the scheme proposed here to work flooding, which may occur if there is multi-hopping com-
check whether two messages are linkable. RSU can perform munication between many nodes. In such situations, flooding-
same source testing to ascertain, whether or not two warning resilient broadcast [29] can be applied, but their designs should
messages are generated from the same source, while preserving not overlap the one in use, because each of them serves a differ-
driver’s privacy. ent purpose.
General privacy problems and requirements of VANET are
investigated in [20]. It is found that two privacy-aware crypto-
graphic primitives are commonly applied in VANET, namely III. PROBLEM STATEMENTS
group signature and pseudonyms techniques [21], [22]. Both of In this section, the system model and assumptions are ex-
them provide anonymity. A pseudonym is commonly used, be- plained first and then possible adversary attacks highlighted.
cause group signature cannot meet the high-efficiency require- After that, the requirements to overcome anonymous count-
ment. The scheme proposed here adopts the privacy-preserving ing problem in a secure and privacy-preserving scheme are
technique, based on pseudonyms. Many researchers proposed summarized.
the related information to the tamperproof OBU for a cryp-

tographic procedure. Within the MAC layer of IEEE802.11p,
a packet queue exists to avoid collision among packets. The
encrypted and signed messages generated from OBUs need to
queue up for transmission through the wireless channel. An in-
sider is known as a member node, who can communicate with
other members in the system and attack in various ways. On
Fig. 2. Attacks on trust level warning system. the other hand, an outsider can be any node, who is not au-
thenticated to communicate directly with other members in the
system, and has only a limited capacity to perform an attack (i.e.
A. System Model and Assumptions they have fewer varieties of attacks) [11]. Figure 2 depicts four
VANET consists of OBUs installed on vehicles, RSUs along major types of trust level attacks:
the roads and a TA at the backend. The following are the as- 1) Fake Message Attack: Adversary creates a fake warning
sumptions: message, say by injecting false data or changing some
1) TA (e.g. traffic control center) is fully trusted. The real bits of the output, to mislead other drivers. This kind of
identity of a vehicle is originally known only through TA and malicious act may enable the selfish user or the accomplice
driver. For simplicity, the methodology of the proposed scheme to create a traffic-free road and drive fast.
is explained, based on one TA situation. In practice, a secret 2) Impersonation Attack: The adversary impersonates an-
sharing scheme can be applied to the situation of multi-TAs other vehicle driver to save himself or herself from the
for redundancy purpose. The secret sharing scheme helps in liability of generating a fake warning. This is because
avoiding the single point failure problem of TA. each warning message has to be signed by an authen-
2) RSUs are semi-trusted, because of their placement along ticated user, and if a fake warning is observed, TA can
the road, which renders them vulnerable to get crashed or com- investigate the fake message’s owner by using the mes-
promised. All RSUs remain linked up with the TA they com- sage’s signature. However, impersonation attack breaks
municate through conventional secure transmission protocol by this usage.
a wired network. RSU communicates with vehicles through 3) Sybil Attack [30]: Active insider makes use of his or her
the wireless channel, VANET. The secret key, stored inside the multiple pseudo identities to generate multiple warning
tamper-proof processing unit of RSU, is unreadable for outside messages to other vehicles. This attack creates a high
users. The tamper-proof feature can be achieved in many differ- trust level, enabling the adversary achieve his or her ob-
ent ways, such as tamper-resistance and tamper-responsive. The jective (e.g. cheating other vehicles to give way). Thus,
interface of RSU’s processing unit is limited because of which the reliability of system is broken.
cryptographic functions cannot be used for an arbitrary input. 4) Tracking Attack: The outsider can capture all the messages
3) Vehicle’s OBU’s processing unit is tamper-proof. The se- that were broadcast on air [12]. The adversary can track
cret key, stored inside the processing unit of OBU, is unreadable any target vehicle by digging out the hash digest that may
for outside users. The limited interface of OBU connects with be available in any part of the vehicular message, created
some standard detection units. It may send a few false warn- by the same source and link it up with the identity of its
ing messages because of detection errors. OBU can link two target driver (e.g. car plate number). The traveling route of
messages, overcoming the problem of semantics, by analyzing any target vehicle can thus be traced, resulting eventually
the contents of the warning messages (e.g. event type, location, in the leakage of driver’s identity.
time), referring to the same warning event [1]. Besides these, other kinds of attack that may destroy the trust
4) All network entities keep loose time synchronization, which level warning system do exist, such as jamming attack, which
can be supported by GPS system. The processing power of these can be tackled by jamming defenses [31], [32]. As these types
entities is adequate for cryptography-related functions. Tamper- of attacks can be dealt with by the existing techniques, they are
proof RSU’s and OBU’s storage is adequate for storing all keys not discussed further in this paper, but it is stressed here that
and system secrets. Moreover, all warning message records can attacks of any type cannot be overlooked.
be stored in a local database within a reasonable time (e.g. a
month).
C. System Requirements
According to the requirements of trust and reputation pro-
B. Adversary Model
posed in [33], the scheme should be i) simple, light and fast, ii)
Figure 2 shows a warning message system from which a accurate, iii) scalable, iv) resilient to security and privacy threats
warning message is generated by three major components in a and v) independent of mobility patterns. The focus of this study
vehicle: detection unit, tamperproof OBU and VANET Mod- is mainly on achieving resilience to security and privacy threats.
ule. The detection unit (e.g. camera, radar sensor) first detects In brief, to achieve a simple, light and fast scheme, the solution
environmental data, if any. After analyzing that data, the infor- must rely on bilinear map cryptography. The simulation results
mation is used to verify, whether any warning event exists. If the show that the trust level of the system can satisfy the requirement
verification leads to a positive result, the detection unit sends of accuracy under appropriate setup conditions. To achieve iii),
the maximum number of the supported users depends on the it can be verified if the identity belongs to the current time
maximum possible bit pattern of pseudo identity and number of slot, because no other time slot can be used for the current
pseudo identity to be assigned to each user. These parameters time slot. The time-slot feature diminishes the number of
can be set up by the system administrator. Besides, pseudo iden- valid identities for a given time slot, and thus reduces Sybil
tity can be updated over time, i.e., each vehicle receives a new attack. Thus, the time-slot feature limits the influence of
set of pseudo identities per month. The scheme thus achieves malicious insider on trust level calculation.
scalability. To achieve independence of mobility patterns, the All attacks mentioned in Section III-B can be resolved or
scheme presented here is not proposed to rely on any of the minimized by the system’s features, detailed above.
existing RSUs.
To achieve trust level calculation under anonymous counting
problem, the general requirements are expanded to five security D. Bilinear Map
and privacy concerns as detailed below: The scheme proposed here relies on a cryptographic opera-
1) Integrity and Authentication: Not all messages received tion, called pairing, and this operation is defined on two cyclic
by the system are automatically modified to verify data groups, using a bilinear map [34]. A brief explanation is pre-
accuracy and completeness; only those messages received sented below on what bilinear map is.
from authenticated parties (including vehicles, RSU and Let G be a cyclic additive group and GT be a cyclic multi-
TA) are verified and stored. Also, all authenticated recip- plicative group. Both groups G and GT have the same prime
ients can verify that the messages they receive are gen- order q. Bilinear pairing on (G, GT ) is a map ê : G × G → GT ,
erated from authenticated parties. Thus, integrity and au- which is called the bilinear map that satisfies the following prop-
thentication requirement of the warning system saves the erties:
end users from forged and impersonated attacks. 1) Bilinear: ∀R, S, T ∈ G and ∀a, b ∈ Z, ê(R + S, T ) =
2) Non-Repudiation: This requirement refers to the provi- ê(R, T ) · ê(S, T ) = ê(R, S + T ). Also ê(aR, bR) =
sion of proof of origin. The sender cannot deny sending ê(R, bR)a = ê(aR, R)b = ê(R, R)ab .
the warning message, because it bears his or her signa- 2) Non-Degenerate: There exists R, S ∈ G such that
ture. But, it is hard to ascertain whether a wrong warning ê(R, S) = 1GT .
message is caused by a forged message or by an error in 3) Computable: ê can be efficiently computed.
detection unit in real-time. Therefore, the system cannot The objective of using bilinear map is to enhance the effi-
straight away blacklist malicious vehicles identity, with- ciency. In this paper, the format of pseudo identity is designed
out due investigation. Thus, the warning system requires for using bilinear map. It relies on a discrete logarithm prob-
non-repudiation. lem (DLP), which is computationally hard, i.e. given that the
3) Privacy: The identity of warning message sender should point S = aR, there exists no efficient algorithm that can yield
be kept anonymous from eavesdroppers. Therefore, not a, from the given R and S. Both R and S can be transferred
all the hash values of any part of the vehicular messages in public without worrying about the exposure of a to any at-
sent from the same source should be the same. Once this tacker. In terms of property 3 and in this kind of cryptographic
guideline is followed, outsiders or even authenticated ve- scheme, computing ê(R, S) is the most expensive operation in
hicles will have no way for linking two or more warning each pairing operation.
messages, if they are from the same source. Thus, tracking
attack can be avoided.
4) Conditional Anonymity: There are three anonymity lev- IV. PROPOSED SOLUTIONS
els on three different authenticated network entities; from This section presents the proposed secure and privacy-
the highest to the lowest, they are as follows: a) TA can preserving announcement-based scheme, using conditional dis-
trace, distinguish and verify messages; b) RSU can only tinguishable pseudo identities (CDPD), to overcome anonymous
distinguish and verify messages; c) vehicle can only ver- counting problem. The scheme relies on a cryptographic oper-
ify messages. Traceability, distinguishability, and veri- ation, called pairing. This operation is defined on two cyclic
fiability are defined as follows: Traceability means the groups with a map, called bilinear map [34]. By virtue of bilin-
recipient can trace any message by revealing the real ear property, pseudo identity and signature can be verified by
identity of the sender, so that the driver cannot avoid pairing. In wireless networks, bilinear map pairing is adopted
liability; distinguishability means the recipient can ascer- commonly, because it is more efficient than the traditional en-
tain whether two or more warning messages are sent by cryption method (e.g. RSA). Also, randomized batch verifi-
the same source; this ability can minimize the influence of cation can verify messages from different owners at once to
Sybil attack, because the recipient can check whether the enhance security level and efficiency. Proofs of pairing equa-
received messages (even those signed by using different tions are given. For the sake of clarity, multiplication sign ×
pseudo identities) are generated from the same sender, and is included between two points, instead of point multiplication.
thus blacklist the sender of the messages, if necessary. H(M ) is a MapToPoint [35] hash value on message M . h(M )
5) Time-Slotted Feature: The malicious user may perform is a one-way hash value of message M . All notations are listed
Sybil attack using all possible identities to create warning in Table I. The proposed scheme contains the following six
messages of a fake warning event. By applying time slot, modules:
TABLE I test, RSU broadcasts a system-generated warning message

NOTATIONS USED IN THIS STUDY
to all vehicles nearby, informing them that this warning
message is invalid.
A. System Setup
The TA sets up a conventional public key infrastructure (PKI)
scheme for TA, RSU, and vehicle to facilitate initial communi-
cation among them. An RSU and a vehicle OBU can get initial
system parameters, a pair of public and private keys pair, and
certificates through the PKI. The TA chooses bilinear groups G,
GT that satisfy bilinear map properties. Assuming that P is the
generator of G. TA randomly picks sen c ∈ Zq as encryption-
based system master secret, where Zq is a large integer. Only
RSUs preload this secret through TA for the use of the cre-
dential. TA picks another ssig ∈ Zq as signature-based system
master secret and computes Ppu b = ssig P as public parameter.
This secret is used for verifying identity and signature. Both
OBUs and RSUs preload this secret through TA. The TA sets
its secret key T SK and assigns itself the identity T RID:
r T RID = T SK × P
T RID and P are preloaded into every OBUs and RSUs from
TA through conventional PKI.
B. RSU Setup
Each RSU Ri , it communicates with TA through conven-
tional PKI. Ri transfers its location RLi to TA. The sys-
tem assigns Ri the secret key RSKi and identity RRIDi ,
and the TA generates its certificate RCi . Any entity can use
TA’s public key to verify this RSU’s credential in the future.
1) System Setup: TA sets up a conventional public key infras- TA replies to Ri with sen c , ssig , P, RSKi , RCi and all other
tructure (PKI) scheme for all parties, including RSU and RSUs’ credentials through conventional PKI. The following are
vehicle OBU. It sets up parameters and generates system the mathematical equations of some components used in this
master secrets, besides assigning itself the identity and subsection:
preloads to all RSUs and vehicles. r RRIDi = RSKi × P
2) RSU Setup: RSU communicates with TA through conven- r RCi = < RRIDi , RLi , T SIGT S K (RRIDi ||RLi ) >,
tional PKI; TA generates RSU credential and its secret where TA’s signature is T SIGT S K (RRIDi ||RLi ) =
key, and transfers them, along with system master secrets, H(RRIDi ||RLi ) × T SK.
to RSU.
3) Vehicle Startup: Vehicle OBU communicates with TA
C. Vehicle Startup
through conventional PKI. It receives RSUs’ credential,
the system master secrets and the pool of pseudo identities In vehicle Vi startup, the driver inputs the real identity V RIDi
from TA. and password to Vi ’s OBU. Vi ’s network module transfers the
4) Warning Message Generation: After detecting a warning, real identity and password to TA through conventional PKI. If
vehicle OBU randomly picks a pseudo identity within the they are found valid, TA can generate unique credential and
time slot and generates a warning. Then, it broadcasts the time-slotted pseudo identities for Vi , following the steps shown
warning with signature to the nodes nearby. below.
5) Warning Message Verification: After receiving the warn- To generate unique credential U Ci for Vi , TA picks a random
ing, the recipient (driver) verifies it and calculates the number rcr e and generates TA’s signature on the credential U Ci :
trust level of the warning event; the driver then reacts to r U Ci = < U Ci1 , U Ci2 > = < rcr e P , T SIGT S K (rcr e P )
the warning, based on the trust level. >, where T SIGT S K (rcr e P ) = H(rcr e P ) × T SK
6) Same Source Testing by RSU: After verifying the warning TA ensures that the random number rcr e is not used in gen-
message, RSU tests this warning message with all the erating another credential. Each vehicle is assigned only one
other received warning messages, relating to the same unique credential, embedded into pseudo identities, to achieve
warning event to check if they are all generated from non-repudiation property. So, this credential can be used for
the same source. If the warning message fails to pass the same source testing by RSU.
In each pseudo identity V P IDij of Vi , the embedded U Ci , ing message, such that all authenticated parties, which contains
which is asymmetric, is encrypted by using a random session ssig , can verify the warning message. Then, warning message’s
key K, to avoid tracking attack. To perform the encryption, TA signature σi on Ti and Mi , is signed as:
generates a random session key K to symmetrically encrypt r σi = V SKij 1 + V SKij 2 + h(Ti ||Mi )V SKij 3
(denoted as S EN C) U Ci . Another random number x is then The broadcast warning message is < V P IDij , Mi , Ti , σi >.
generated for encrypting K. The following is the definition of
encrypted credential ECij : E. Warning Message Verification
r ECij = < ECij 1 , ECij 2 , ECij 3 > = < xP, K + xP ×
Any recipient (vehicle or RSU), close to the warning owner
sen c , S EN CK (U Ci ) >
may receive the warning message < V P IDij , Mi , Ti , σi >.
Each pseudo identity V P IDij is assigned an encrypted cre-
Before calculating the trust level of the warning message, the
dential ECij , using bilinear map property. As U Ci is encrypted
recipient needs to verify it, following the steps given below.
by sen c , TA transfers sen c to RSUs only, and thus only RSUs and
Warning message can be ignored if timestamp Ti is outdated or
TA can obtain U Ci from ECij . It is to be noted that TA needs to
Ti is not in the range of T Sq . To verify pseudo identity V P IDij ,
ensure that, for counting purpose, each ECij is unique for each
encrypted credential ECij and time slot T Sq are verified by
time slot. This can be verified by checking if S EN CK (U Ci )
checking whether equality (1) holds:
is repeatedly used.
Now, it will be explained how to add a time-slotted feature to ê(V P IDij 3 , P ) = ê(H(ECij ||T Sq P ), T RID) (1)
each pseudo identity. For example, to add a (k, q) time-slotted
feature to an M -long pseudo identity approach, the M length Proof of correctness:
of time (e.g. a month) can be divided into time-slots of a valid L.H.S.
period of ΔT . Once can get q = M ÷ ΔT number of time slots. = ê(T SK × H(ECij ||T Sq P ), P )
The time range of any time slot T Sq is as follows: = ê(H(ECij ||T Sq P ), T SK × P )
r T Sq =< q × ΔT, (q + 1) × ΔT > = R.H.S.
T Sq is stored as the number q. For each q time slot of Vi , It is to be noted that the recipient can verify more than one
TA assigns k pseudo identities. A pool of pseudo identities pseudo identity in a batch [22], [36]. For this study, the idea of
is generated in size D, where D = k × q is the total number randomized batch verification is adopted [37]–[39] by adding
of pseudo identities for each vehicle Vi . TA generates pseudo a set of small value vectors V eca = (V eca1 , V eca2 , ..., V ecan )
identity V P IDij thus: into batch verification, where each vector is a small random
r VP IDij = < VP IDij 1, VP IDij 2 , VP IDij 3 > = < ECij, value. They are applied into a randomized batch for n pseudo
T Sq , T SIGT S K (ECij ||T Sq P ) >, where TA’s signature identities verification. Such verification involves the checking
on the pseudo identity V P IDij is T SIGT S K (ECij whether equality (2) below holds:
||T Sq P ) = H(ECij ||T Sq P ) × T SK n

It is to be noted that encrypted credential ECij and time ê (V ecai × V P IDij 3 ), P
slot T Sq are embedded and signed together. An unbreak- i=1
able linkage between encrypted credential ECij and time slot n

T Sq is maintained in the pseudo identity V P IDij . While = ê (V ecai × H(ECij ||T Sq P )), T RID (2)
generating pseudo identities, TA records the matching be- i=1
tween real identities, unique credential and pseudo identities as
< V RIDi , U Ci , V P IDij > and stores it in its local database. Proof of correctness:
L.H.S.
It gives traceability of TA. TA replies vehicle with Vi , ssig , P ,
= ê( ni=1 (V ecai × T SIGT S K (ECij ||T Sq P )), P )
a pool of pseudo identities V P IDij and all RSUs’ certificates
through conventional PKI. = ê( ni=1 (T SK × V ecai × H(ECij ||T Sq P )), P )

= ê(T SK × ni=1 (V ecai × H(ECij ||T Sq P )), P )
n
= ê( i=1 (V ecai × H(ECij ||T Sq P )), T SK × P )
D. Warning Message Generation = R.H.S.
If vehicle Vi detects a warning event, it creates a warn- Random small value vectors are generated on the recipient
ing message Mi . For example, if the format of Mi is side. With randomized property, the adversary cannot prepare
< T ype, Content, Location, T ime, SuggestionIf Exists > some fake pseudo identities or signatures that can cancel those
and the warning is generated with a current Timestamp Ti , then random values. Thus, the randomized solution can defend adap-
Vi randomly picks a pseudo identity V P IDij in T Sq where tive chosen-identity and chosen-message attack (CID-CMA).
Ti is in the time range of T Sq . Vi and generates signing key CID-CMA attack is considered to be the strongest security no-
V SKij : tion of Identity-based Security (IBS) scheme. CID-CMA secu-
r V SKij = < V SKij 1 , V SKij 2 , V SKij 3 > = < ssig rity means that the adversary is allowed to ask for the private
V P IDij 1 , ssig V P IDij 2 , ssig H(V P IDij3) > keys of arbitrary identities and signatures of arbitrary messages
Vi should avoid using the same pseudo identity repeatedly [37]. In batch verification of CDPD, the adversary wins if he
to sign warning message to hide Vi ’s identity. It is to be noted or she can output pseudo-identity-based signatures for warning
that signature-based system secret ssig is used in signing warn- messages and pseudo identities, such that neither the private
keys of those pseudo identities nor the signatures on those mes- areas, without any RSUs nearby, when the recipient receives two
sages for those pseudo identities are asked for. different warning messages, he or she has to assume that they
After validating pseudo identities, the recipient can continue are from different sources. But, without same source testing,
to verify the signature of one warning message by checking the trust level calculation may go wrong, if any Sybil attack is
whether equality (3) below holds: impending. However, the situation is still acceptable because, in
rural areas, the vehicles are generally so few that they would not
ê(σi , P ) = affect the trust level calculation much. If the recipient finds any
ê(V P IDij 1 + V P IDij 2 + h(Ti ||Mi )H(V P IDij 3 ), Ppu b ) suspicious warning messages, he or she can request the RSU,
(3) whenever he or she comes across one, to perform the same
source testing to ensure message’s reliability.
Proof of correctness: Extension 1 - Action Report: Announcement of driver’s action
L.H.S. may also be useful to the vehicles nearby, or the central system,
= ê(V SKi1 + V SKi2 + h(Ti ||Mi )V SKi3 , P ) to analyze the current road situations. In this case, driver’s
= ê(V SKi1 , P )ê(V SKi2 , P )ê(h(Ti ||Mi )V SKi3 , P ) action can be broadcast in the same way as a warning message,
= ê(sV P IDij 1 , P )ê(sV P IDij 2 , P ) except for changing the content of the message. The action
ê(h(Ti ||Mi )sH(V P IDij 3 ), P ) record can be in the following format: < T ype, Location,
= ê(V P IDij 1 , P pub)ê(V P IDij 2 , P pub) T ime, DriverActionDone >. In this case, the system needs
ê(h(Ti ||Mi )H(V P IDij 3 ), P pub) to reserve more pseudo identities for the vehicle.
= R.H.S.
Similar to verifying pseudo identities verification, the recipi- F. Same Source Testing by RSU
ent can verify the signature of n warning message by randomized When the RSU Ri receives a warning message, it first carries
batch verification. The recipient generates another set of small out the warning verification steps, just as OBU does. Now, it
value vectors V ecb = (V ecb1 , V ecb2 , ..., V ecbn ). This verifica- will be shown how Ri performs same source testing, after the
tion involves the checking whether equality (4) below holds. above checking. Same source testing is a test to ascertain if two
n n warning messages are generated from the same source. First, it

ê (V ecbi × σi ), P = ê (V ecbi × (V P IDij 1 is assumed that Ri has already stored all the previously verified
i=1 i=1
warning records, which are not outdated, in its local database.
To decrypt credential ECij , which is V P IDij 1 , ECij 1 is multi-
plied by Ri , which is xP by its encryption-based system master
+ V P IDij 2 + h(T i||M i)H(V P IDij 3 ))), P pub (4)
secret sen c (i.e. to obtain xP × sen c ), and then the product is
subtracted from ECij 2 to obtain session key K:
Proof of correctness: r K = K + xP × sen c −ECij 2
L.H.S. Then, U Ci can be obtained. To protect vehicle’s identity, RSU

= ê( ni=1 (V ecbi V SKi1 + V ecbi V SKi2 should not store the credential but use it only for same source
+V ecbi h(T i||M i)V SKi3 ), P ) testing.

= ê( ni=1 (V ecbi sV P IDij 1 ), P ) It may please be recalled that U Ci = < U Ci1 , U Ci2 > =
n
ê( i=1 (V ecbi sV P IDij 2 ), P ) < rcr e P, T SIGT S K (rcr e P ) >, Ri verifies credential U Ci by

ê( ni=1 (V ecbi h(T i||M i)sH(V P IDij 3 )), P ) checking whether equality (5) below holds:

= ê( ni=1 (V ecbi V P IDij 1 ), P pub) ê(T SIGT S K (rcr e P ), P ) = ê(H(rcr e P ), T RID)
n (5)
ê( i=1 (V ecbi V P IDij 2 ), P pub)
Proof of correctness:
ê( ni=1 (V ecbi h(T i||M i)H(V P IDij 3 )), P pub)
L.H.S.
= R.H.S.
= ê(T SK × H(rcr e P ), P )
Trust Level Calculation: If the signature also is valid, the
= ê(H(rcr e P ), T SK × P )
OBU trusts this warning message. The recipient stores the warn-
= R.H.S.
ing message as a record in its local database. All vehicles keep
Similar to pseudo identities and signatures, recipient can pick
receiving different warning messages while traveling, and each
a set of small value vectors V ecc = (V ecc1 , V ecc2 , ..., V eccn )
warning message corresponds to one warning event. So, when
to verify more than one credential by randomized batch verifi-
a vehicle receives a new warning message, OBU updates trust
cation. Such verification involves the checking whether equality
level accordingly. Once the trust level meets the threshold (e.g.
(6) below holds:
five positive warning messages for a particular warning event), n
the car-alert system will warn the driver. The design proposed
here allows various methods to calculate the trust level, and ê (V ecci × T SIGT S K (rcr e P )), P
counting is one of them. The threshold can be set up by the i=1

driver or the system. If any received warning message con-
n
tains an embedded suggestion, e.g., change the route, then the = ê (V ecci × H(rcr e P )), T RID (6)
alert system may also suggest this action to the driver. In rural i=1
Proof of correctness: Extension 2 Warning triggered by RSU or TA: RSU’s detect-

L.H.S. ing ability is usually so powerful on current road condition that

= ê( ni=1 (T SK × V ecci × H(rcr e P )), P ) it can capture the event in a wider or clearer vision. Also, TA

= ê(T SK × ni=1 (V ecci × H(rcr e P )), P ) may instruct RSU to generate a centralized system-generated
warning after gathering and analyzing the road conditions over
= ê( ni=1 (V ecci × H(rcr e P )), T SK × P )
= R.H.S. a larger area [40]. Therefore, RSU may generate a warning.
After verifying U Ci , Ri can check if this warning record Those system-generated warnings can be announced the same
< U Ci , Mi , Ti > matches with the other record having the same way as the system-generated warnings are broadcast for same
U Ci and Mi but different timestamp (e.g. within 1 minute, this source testing.
time threshold can be predefined by system administrator for
each type of warning). If the warning message CANNOT pass V. SECURITY ANALYSIS
the same source testing, which means Ri can find two or more
warning messages signed by the same source, Ri can broadcast a Trust level attacks described in Section III-B can be resolved
system-generated warning message to warn the vehicles nearby by by the system’s features, described in Section III-C. There-
that these warnings be ignored and the trust level updated. Ri fore, this section will explain only how the proposed scheme
generates a system-generated warning message SW Mi : can achieve the following system requirements:
r SW Mi = < M1 , M2 , ..., Mn , T1 , T2 , ..., Tn , V P ID1 , 1) Integrity and Authentication: Vehicle requires pseudo
V P ID2 , ..., V P IDn > identities and signature-based system’s master secret to
M1 , M2 , ..., Mn are n warning messages generated from the sign a warning message, which can be received only by
same source with corresponding timestamps T1 , T2 , ..., Tn and TA during vehicle startup. A system-generated warning
pseudo identities V P ID1 , V P ID2 , ..., V P IDn . Tr is the cur- message is signed by RSU’s real identity, that RSU’s se-
rent timestamp and Ri signs SW Mi with its secret key RSKi . cret key is retrieved by TA during RSU setup. Thus, the
Signature of system-generated warning message SW M σi : message sent by authenticated parties can pass verifica-
r SW M σi = H(Tr ||SW Mi ) × RSKi tion, and their signatures ensure the integrity of messages.
The broadcast system-generated warning message is Besides, pseudo identities and RSU’s real identity can be
< RCi , Tr , SW Mi , SW M σi >. verified by TA’s public key. So, it ensures that the identities
When vehicle Vi receives system-generated warning message are authenticated by TA. Besides, all authenticated parties
SW Mi , it verifies if the timestamp Tr is outdated and checks contain signature-based system’s master secret that can
if RCi is valid. If Vi has stored RCi in local database during verify the pseudo-identity-signed message signature. The
vehicle startup and has already done verification, verification of integrity is thus ensured.
RCi can be omitted. Otherwise, Vi has to verify RCi by check- 2) Non-Repudiation: Once the pseudo-identity-based signa-
ing whether equality (7) holds (Proof of correctness similar to ture of a message is received, the sender cannot deny
equation (1)): having sent the warning message. Each pseudo identity
matches to only one credential, and each credential to one
ê(T SIGT S K (RRIDi ||RLi ), P real identity. TA keeps the matching of all real identities,
= ê(H(RRIDi ||RLi ), T RID) (7) credentials, and pseudo identities. Further investigation of
TA can be done if needed.
If it is valid, it verifies the signature SW M σi using RSU’s 3) Privacy: Even though all pseudo identities of a vehicle
identity RRIDi , shown in RCi . It can be done by check- embed the same credential, the proposed design still en-
ing whether equality (8) holds (Proof of correctness similar to sures that the vehicle generates different hash digests. The
equation (1): same source produces different hash digests in its vehic-
ular message each time to avoid tracking attack. This can
ê(SW M σi , P ) = ê(H(SW Mi ), RRIDi ) (8)
be done by encrypting the credential, using a different
To improve efficiency, vehicle Vi can verify RSU credential random session key for each pseudo identity, because of
and the signature of system-generated warning message by ran- which only authenticated parties (e.g. RSUs) can decrypt
domized batch verification by following the same procedure as the random session key and reveal the credential. Even
the one used for validating pseudo identities and signatures. In when the RSU compromises, the adversary can get only
general, this may not be required frequently if the majority of the result of same source testing, but not the unique cre-
the credentials and warnings are legitimate. dential. The credential cannot be accessed, because RSU’s
Trust Level Update: If the system-generated warning message processing unit is made tamper-proof in such a way that
is valid, vehicle Vi collects all the warnings shown in SW Mi . If the secret key stored inside the unit is not readable to
any of these messages M1 , M2 , ..., Mn matches with the stored users. Even when a credential is found compromised, the
records, the vehicle Vi can ignore them and update the trust level credential’s owner can still update all pseudo identities
accordingly. However, if the driver of Vi has already passed with a new credential to preserve driver’s privacy.
through the warning event or taken the action, suggested by this 4) Conditional Anonymity: Real identity is the identity
warning event, then updating trust level may be redundant and of the vehicle, which can be known only by TA and
meaningless to the driver. the owner. The credential is a unique identity of the
vehicle, which can be revealed by RSU, but can be TABLE II

NOTATIONS USED IN EQUATIONS IN THIS SECTION
changed too, any time. Pseudo identity is the identity that
hides vehicle’s identity from the other authenticated users,
but the signature of its message can still be verified. There
are three anonymity levels, which provide three levels of
abilities to different parties. They are a) traceability of
TA, b) distinguishability of RSU and TA and c) verifiabil-
ity of vehicle, RSU, and TA. For traceability of TA, only
TA and message ownerkeep the real identity. TA stores
the linkage between real identity, credential and vehicle’s
pseudo identities in its database. Therefore, only TA can
trace warning message’s identity. For distinguishability
of RSU and TA, only RSU and TA can reveal the unique
credential of the vehicle from the received message, em-
bedded with vehicle’s pseudo identity, because only they
receive the encryption-based system master secret. The
verifiability of vehicle, RSU, and TA can be carried out
by these three authenticated parties, because they have
the signature-based system’s master secret that can ver- message can be generated, only if there are enough number of
ify the pseudo-identity-signed message signature. With feedback-warning-messages that meet a pre-defined threshold.
RSU, the system can achieve high privacy standard that TS[n] can only support one threshold, while PTS can support
can avoid tracking attack and simultaneously calculate multiple thresholds. CDPD is an announcement-based approach
accurate trust level. Without RSU, the warning messages that allows the vehicle to generate a warning message once it
can be trusted only after verification by OBU. If there detects a dangerous event. In CDPD, the generator has no role
are any suspicious warning messages, say if there are any to play. The counting is done by OBU of different recipients,
messages that do not match to the real situation, then independently. The recipient counts popularity, based on the re-
the OBU can send them to TA to investigate for possible ceived messages, and thus the trust level of the warning event
malicious act. varies whenever a new warning message is received. These three
5) Time-Slotted Feature: (k, q) time-slotted and M-long approaches were taken up for evaluation, as their mechanisms
pseudo identity approach is defined in Section IV-C. k are quite different from each other. The mechanism of TS and
number of pseudo identity is limited to each q time-slot, PTS discussed in this paper may refer to what is presented
and thus it achieves time-slot feature. in [2].
VI. ANALYSIS ON TIME COMPLEXITY

B. Total Time Required to Generate Warning Message
In this section, the proposed scheme, conditional distinguish-
Assumptions: Dedicated Short Range Communications
able pseudo identities (CDPD) scheme, is compared with two
(DSRC) and IEEE802.11p refer to wireless communications
threshold-security-based approaches, namely Threshold Secu-
protocol and medium access control protocol, respectively. The
rity (TS) scheme and Parallel Threshold Security (PTS) scheme.
vehicle-vehicle communication range is about 300m, and the
For this, the total time required to generate a warning was to be
network bandwidth 6 Mbps. Detection time, event verification
calculated. And, the calculation should be done so fast that the
time and encryption time are ignored here, because they are
driver can react in time for safety. It is found that the perfor-
application independent and can be determined in a short time.
mances of the other announcement-based approaches are similar
Warning message size is assumed to be 26 bytes. As regards
to that of CDPD because of they are all announcement-based
the details, the event information may include event type, event
schemes [1] and [28].
timestamp, the location of the event and the location of the gen-
erator. It was assumed that event type needs 2 bytes, and Times-
A. Definition of TS and PTS
tamp (Year, Month, Day, Hour, Minute, Second) and location
TS[n] is a threshold-security-based approach, e.g., a content (latitude and longitude) 6 bytes each. Thus, warning message
reputation system (CoRS) [2]. The parameter n means that if overhead was estimated as 20 bytes. Also, to avoid replay attack,
there are n verifiers or more, which meet the threshold, the gen- the timestamp for sending out the message is also required, and
erator can generate the warning message. PTS[n1 , n2 , ..., nm ] thus the transmission message without security overhead needs
is similar to TS[n], but PTS supports more than one threshold, 26 bytes in total. For TS and PTS, assuming that authentication
unlike TS[n]. The threshold values n1 , n2 , ..., nm are different relies on certificates, and signature generation on ECDSA-192
from each other, and hence the generator has to generate more algorithm, security overhead of transmission message is 137
than one warning message, each with a different trust level, bytes. Signing and verification time are 0.5 ms for TS and 3 ms
which matches with that of an identical warning event. Un- for PTS. All notations used in the following equations are listed
der the schemes of TS[n] and PTS[n1 , n2 , ..., nm ], a warning in Table II.
For TS[n], total time is T1 + T2 + T3 .
T1 [n] = Gsig n + Nbr o (9)

T2 = Vv er if y + Vthr sig n + Vsig n + Nr eply (10)
T3 = Gv er if y + Gthr sig n + Gsig n + Nbr o (11)
T1 is the total time required for the generator to prepare

the initial message for requesting feedback and corresponding
transmission delay; T2 is the time required for the verifier to Fig. 3. Simulation model.
verify generator request and to reply accordingly; T3 is the
total time required for the generator to create and broadcast is TP T S [n 1 ,n 2 ,n 3 ] = (3 + 4) × 0.5 + 2 × 3 + 2 × 30 + 40 =
a warning message when the number of verifiers’ reply meets 109.5 ms.
the threshold. In practice, since generator can verify the received For CDPD, no generator is required. The vehicle detects warn-
signature while waiting for verifiers’ reply, one needs to look for ing event and broadcast warning message directly. Total time of
only the time delay involved in receiving the last verifier’s reply CDPD is:
(meets threshold) from the generator. Thus, in T3 , one needs to
count the time of verifying the signature by the generator only TC D P D = Vsig n + Nbr o (15)
once.
For a fair comparison, the sizes of pseudo identity, ECC-
To calculate the time required for TS[n], one needs to estimate
type signature and ECC-type public key are assumed to be 50
the message overhead in finding out the transmission delay. Gen-
bytes, 25 bytes, and 25 bytes, respectively. The warning message
erator detects an event and collects information about it. By us-
overhead is 101 bytes. Thus, the transmission delay is about N20
ing certificates for authentication and ECDSA-192 algorithm for
= 20 ms [41]. For estimating signing time of bilinear map, it
signature, the security overhead of the transmission message is
is assumed that each point multiplication over an elliptic curve
estimated as 137 bytes, including what is required for the signa-
takes 0.8 ms [42], whereas each signature takes thrice that time.
ture (48 bytes), the certificate (64 bytes) and the size of the pub-
However, two of them can be pre-computed. So, it would take
lic key (25 bytes) [41]. Therefore, the size of the total message,
0.8 ms to generate a signature. Thus, the total time required
transmitted through wireless network, is about 200 bytes, and
for CDPD would be TC D P D = ECCsig n + N20 = 0.8 + 20 =
thus the maximum message delay is about 30 ms (which is the
20.8 ms.
same in both highway and congestion scenarios) [41]. Thus, the
To sum up, CDPD needs only around 1/6 time required for
total time required for TS[n] is TT S [n ] = 5 × ECDSAsig n +
TS[n] and PTS[n1 , n2 , ..., nm ] to create a warning message.
2 × ECDSAv er if y + 3 × N30 = 5 × 0.5 + 2 × 3 + 3 × 30 =
This is because TS and PTS require more time for transmission
98.5 ms.
between generator and verifier, unlike CDPD, which is decen-
For PTS[n1 , n2 , ..., nm ], total time is P1 + P2 + P3 .
tralized.
P1 = Gsig n + Nbr o (12)
VII. SIMLUATION RESULT
P2 = Vv er if y + m × Vthr sig n + Vsig n + Nr eply (13)
This section compares the proposed CDPD scheme with two
P3 = Gv er if y + Gthr sig n + Gsig n + Nbr o (14) threshold-security-based schemes, namely the Threshold Se-
curity (TS) scheme and the Parallel Threshold Security (PTS)
Just as T1 , P1 is the total time required for generator to
scheme. The results of Section VI, without network simulation,
prepare the initial message, including the time delay in trans-
show an obvious difference in the time required between CDPD
mission, and the time needed to request for feedback. P2 is
and the two threshold-security-based schemes. Therefore, eval-
different from T2 because the verifiers have to generate m
uating the trust level accuracy by simulation, instead of network
number of thresholds signatures. P3 is similar to T3 because
performance, has been the focus of this study. The effective-
the generator can create the warning message by only one
ness of trust level was evaluated by using a traffic simulation
ni in n1 , n2 , ..., nm , wherein ni is the largest threshold that
suite, Simulation of Urban Mobility (SUMO) [43]. Accurate
achieves a number of verifiers’ replies. All warning messages,
trust level is important as it enables the drivers to take correct
with threshold nj of n1 , n2 , ..., nm , which are smaller than ni ,
decisions. The performances of other announcement-based ap-
become meaningless to other drivers. The total time required
proaches, such as those in [1] and [28], are similar to that of
for PTS[n1 , n2 , ..., nm ] is TP T S [n 1 ,n 2 ,...,n m ] = (m + 4) ×
CDPD, because they are all announcement-based schemes.
ECDSAsig n +2 × ECDSAv er if y +2 × N30 +Tdelay . Tdelay
is the transmission delay that is induced by message over-
head of multiple threshold signatures. It is to be noted that A. Simulation Model
PTS[n1 , n2 , ..., nm ] always requires more time than TS[n] be- Figure 3 shows the road setup of the simulation. In each ex-
cause of multiple thresholds. If m = 3, as suggested in [2], periment, 100 vehicles are generated, one after the other, from
Tdelay will be 40 ms [41]. Then, the total time required the starting point of the one-way main road (700 m). A one-way
TABLE III
SIMULATION OF THREE SECURITY METHODS
Fig. 4. Number of victims in terms of distance between the crash spot and the
pathway (400 m) joins the main road at 350 m away from the intersection.
starting point of the main road. A traffic accident (e.g. car crash)
occurs at the end point of the main road. Each vehicle has its
random entering time and traveling route. By default, 80% of
the drivers keep driving along the main road to reach their desti-
nation, considering that as the shortest path, whereas 20% of the
drivers prefer to drive along the pathway. Each vehicle is 4.5 m
long, and its maximum speed is 50 km/hr. Each vehicle can
detect the warning accident within 40 m by its detection unit,
based on some real detection systems and publication [44]–[46].
Each simulation starts with the occurrence of a traffic accident
at the end point of the road. Each normal vehicle travels along
its default traveling route. The vehicles obey the system and try
to detect the warning event, broadcast warning message, and
warn the vehicles behind. However, as the road is a one-way Fig. 5. The first beneficiary in terms of the distance between the crash spot
one, the drivers cannot drive back to the intersection, and hence and the intersection.
they will just stop one behind the other, in front of the crash spot.
Their warning messages can benefit only those vehicles, which
are behind them. Each of those vehicles, behind them, tries to was used to simulate the warning accident event and to han-
collect all the warning messages and calculate the trust level dle the warning message transmission accordingly. TRACI was
of the warning event. Once the trust level meets the threshold, chosen as the interface of SUMO in generating and modifying
the driver trusts the warning event and reacts suitably (e.g. if the dynamically the behavior of cars for different road conditions.
driver trusts the warning, he or she changes the traveling route to The simulation was repeated 10 times for 10 different random
the pathway to avoid getting stuck in a traffic jam). The specific cases in each of the following sets of experiments and the values
percentage of the warning event depends on the driver’s decision obtained were averaged for each measure.
on trust level. The performances of the three security methods- where,
TS, PTS and CDPD-were compared in each set of experiments. p = Number of Positive Verification Messages
Six set-ups of driver’s trust decision on the three security meth- n = Counting Threshold of Threshold Security
ods were evaluated and the results are shown in Table III. Three d = Percentage-based Threshold
different thresholds-3, 5 and 8-were picked up for TS scheme, m = Minimum Counting Threshold
based on the suggestion in [2] that the reasonable number of
verifiers could be between 3 and 10. These three set-ups are
designated as TS[3], TS[5], TS[8]. The 4th set-up is from Par- B. First Set of Experiment - Real Warning Evaluation Without
allel Threshold Security method with three thresholds, as in the Malicious Users
case of TS, and this is designated as PTS[3,5,8] [2]. To eval- In the first set of experiment, there is no malicious user. As-
uate the performance of CDPD, two thresholds are picked up: suming that a real warning event existed, the number of victims
threshold 70% CDPD[5,0.7] and threshold 90% CDPD[5,0.9], (i.e. the number of vehicles that were caught up in the traffic
the Minimum Counting Threshold being 5. As CDPD calculates jam) was evaluated (see Fig. 4) and similarly the ID number of
trust level by percentage, the scheme would be effective only the first beneficiary (i.e. the first vehicle that changed the orig-
when there are enough vehicles, which is assumed to be 5 for inal route from the main road to the pathway)(see Fig. 5), by
this study. Simulation was applied to these 6 set-ups. Traffic modifying the distance between the intersection and the crash
simulation suite, Simulation of Urban Mobility (SUMO) [43], spot. The performance of a security method is considered to be
better if the number of victims and the ID number of the first

beneficiary are small. The distance from 40 m to 320 m was
simulated in steps of 40 m.
Figure 4 shows the number of victims traveling along the
main road. The mean of the confidence intervals is 2.2974. It
is found that the performances of all the 6 set-ups are similar,
excepting TS[8], because it requires 8 verifiers to detect the
warning event for meeting the threshold, and a longer time to
make a valid alert to normal vehicles. The number of victims
keeps increasing until the threshold is met. TS[3] and PTS[3,5,8]
require a minimum of only 3 verifiers to generate a valid alert,
whereas TS [5], CDPD [5, 0.7] and CDPD [5, 0.9], they require
a minimum of 5 verifiers. So, TS [8] gives a higher number
of victims for a long distance (from 240 to 320). Besides, if Fig. 6. Number of victims vs. the number of malicious users.
the distance between crash and intersection is small (i.e. 40 to
120), the number of victims generated would be more. This is
the fake alert is canceled. Without any loss of generality, it may
because when the vehicles queue up before the accident spot,
be stated that the number of malicious users should not be too
the queue may block the way to the pathway at the intersection
high, and it should preferably be 3 to 10.
spot. So, all the vehicles that need to stop at the end of the queue
Figure 6 shows the number of victims vs the number of ma-
are identified as Victims. Longer distances can accommodate
licious users. The mean confidence interval is 2.0630. The TS
longer queues.
methods result in no victims until some malicious users meet
Figure 5 shows the ID number of the first beneficiary who en-
their threshold. Once the threshold is met, the number of victims
ters the pathway. The mean of the confidence intervals is 1.0006.
remains the same, regardless of the increase in the number of
It is observed that the performances of all security methods are
malicious users. As the threshold is fixed in TS methods, the
stable, excepting that of TS [8]. The performances of TS [3]
increase in the number of malicious users does not affect the
and PTS [3, 5, 8] are slightly better, because they could create
trust level of alert message. For this reason, PTS performance
warning earlier by virtue of their smaller thresholds. TS [8] re-
is divided into three levels, such that the number of victims in
quires extra time to meet the threshold for generating an alert.
each level is likely to be the same. This division is based on the
The ID number of the first beneficiary of TS [8] is larger in
number of malicious users in each level: 4 to 5 in one level, 6 to
general. Also, when the distance is long (from 240 to 320), TS
8 in the second level and 9 to 10 in the third level. It should be
[8] makes a significant increase in the ID number of the first
noted that the assumption of driver’s trust decisions are differ-
beneficiary, because it produces more victims in general. The
ent between PTS [3, 5, 8] and TS. PTS [3, 5, 8]’s percentage is
pattern reflected in Fig. 5 is similar to the one shown in Fig. 4.
30%, if threshold 3 is met and 50% if threshold 5 is met. As the
percentage of PTS is lower than that of TS, PTS performs better
C. Second Set of Experiment - Fake Warning Evaluation With in the case of 4 to 8 malicious users. Over all, CDPD gives a
Malicious Users stable performance, because it is easier to make the trust per-
centage lower than the percentage threshold of CDPD, which
In the second set of experiment, it was assumed that some may require only 1 to 4 negative feedback messages, when the
malicious users existed and they all colluded. All the colluding number of malicious users increases from 4 to 10. The ID num-
members try to create positive message on a non-existing, fake ber of the first beneficiary in the second set of experiment was
warning event. Comparison of the 6 set-ups was attempted by also evaluated. As the result is similar to the number of victims,
varying the number of malicious users. Based on the outcome and because of space constraint, it is not discussed here further.
of the first set of experiment, the distance between the points Although there are many factors on the road that may affect
of crash and the intersection was fixed at 200 m to minimize the performance of the trust methods, it can be concluded that
the influence of distance on the result. The number of victims CDPD’s precise counting enables a more accurate trust level
that trust the alert generated from the colluding parties and then calculation and stable performance than does TS or PTS.
change their traveling route from the main road to the pathway
was counted. Any vehicle that does not trust the alert will go
VIII. CONCLUSION
along the main road, detect that the warning event is a faked
one, and then generate a negative feedback-warning message. This paper defines anonymous counting problem, induced by
The fake warning will become invalid if the number of negative trust level warning system, and proposes Conditional Distin-
feedbacks is equal to or larger than 1) the threshold (for TS or guishable Pseudo Identities (CDPD) scheme to solve the prob-
PTS), or 2) the number of malicious users (for CDPD). Once the lem. The proposed scheme is secure, privacy-preserving, condi-
fake warning becomes invalid, the vehicles behind will go along tionally achieves traceability, distinguishability, and verifiability
their default traveling routes. The first beneficiary is defined as under different settings. Time slot design limits the influence of
the first vehicle that goes along its default traveling route after trust level calculation, affected by malicious users. The proposed
scheme relies on bilinear-map and corresponding randomized [15] H. Hasrouny, A. E. Samhat, C. Bassil, and A. Laouiti, “VANET security
batch verification to enhance its security and effectiveness. The challenges and solutions: A survey,” Veh. Commun., vol. 7, pp. 7–20,
2017.
performance of CDPD was compared with that of threshold se- [16] M. N. Mejri, J. Ben-Othman, and M. Hamdi, “Survey on VANET security
curity and parallel threshold security methods. CDPD’s decen- challenges and possible cryptographic solutions,” Veh. Commun., vol. 1,
tralization and precise counting features contribute to an overall no. 2, pp. 53–66, 2014.
[17] R. Mishra, A. Singh, and R. Kumar, “VANET security: Issues, chal-
better performance, in terms of processing time and trust level lenges and solutions,” in Proc. Int. Conf. Elect., Electron., Optim. Techn.,
accuracy. It thus helps the drivers in reacting quickly to warning Mar. 2016, pp. 1050–1055.
events and taking appropriate decisions. In future work, it is [18] L. Bariah, D. Shehada, E. Salahat, and C. Y. Yeun, “Recent advances in
VANET security: A survey,” in Proc. IEEE 82nd Veh. Technol. Conf.,
proposed to simulate a real map situation and evaluate the effec- Sep. 2015, pp. 1–7.
tiveness of different trust methods. To achieve a higher privacy [19] X. Lin, “LSR: Mitigating zero-day sybil vulnerability in privacy-
standard, a new approach that does not rely on the assumption preserving vehicular peer-to-peer networks,” IEEE J. Sel. Areas Commun.,
vol. 31, no. 9, pp. 237–246, Sep. 2013.
of trusted authority (TA) may be needed. Some users may not [20] J. Petit, F. Schaub, M. Feiri, and F. Kargl, “Pseudonym schemes in ve-
trust any party, as though no TA exists, but they still insist on hicular networks: A survey,” IEEE Commun. Surv. Tut., vol. 17, no. 1,
ensuring road safety. A de-centralized approach is needed to pp. 228–255, Jan.–Mar. 2015.
[21] T. W. Chim, S.-M. Yiu, L. C. K. Hui, and V. O. K. Li, “MLAS: Multiple
defend this kind of traffic surveillance by TA. level authentication scheme for VANETs,” Ad Hoc Netw., vol. 10, no. 7,
pp. 1445–1456, 2012.
[22] T. W. Chim, S. M. Yiu, L. C. K. Hui, Z. L. Jiang, and V. O. K. Li, “Specs:
Secure and privacy enhancing communications schemes for VANETs,”
in Ad Hoc Networks (Lecture Notes of the Institute for Computer Sci-
REFERENCES ences, Social Informatics and Telecommunications Engineering 28), Jun
[1] L. Chen, S.-L. Ng, and G. Wang, “Threshold anonymous announcement Zheng, Shiwen Mao, ScottF. Midkiff, and Hua Zhu, Eds., Berlin, Ger-
in VANETs,” IEEE J. Sel. Areas Commun., vol. 29, no. 3, pp. 605–615, many: Springer, 2010, pp. 160–175.
Mar. 2011. [23] C.-I. Fan, R.-H. Hsu, and C.-H. Tseng, “Pairing-based message authenti-
[2] C. S. Eichler, “Solutions for scalable communication and system security cation scheme with privacy protection in vehicular ad hoc networks,” in
in vehicular network architectures,” Ph.D. dissertation, Technical Univer- Proc. Int. Conf. Mobile Technol., Appl., Syst., 2008, Paper 82.
sity of Munich, München, Germany, 2009. [24] D. Huang, S. Misra, M. Verma, and G. Xue, “PACP: An efficient pseudony-
[3] H. Oh, C. Yae, D. Ahn, and H. Cho, “5.8 GHz DSRC packet communi- mous authentication-based conditional privacy protocol for VANETs,”
cation system for ITS services,” in Proc. IEEE 50th Veh. Technol. Conf., IEEE Trans. Intell. Transp. Syst., vol. 12, no. 3, pp. 736–746, Sep. 2011.
Sep. 1999, pp. 2223–2227. [25] A. Tomandl, H. Federrath, and F. Scheuer, “VANET privacy by ‘defending
[4] IEEE Standard For Information Technology—Local and Metropolitan and attacking’,” in Proc. 6th Joint IFIP Wireless Mobile Netw. Conf.,
Area Networks—Specific Requirements—Part 11: Wireless Lan Medium Apr. 2013, pp. 1–7.
Access Control (mac) and physical layer (phy) specifications amendment [26] H. Artail and N. Abbani, “A pseudonym management system to achieve
6: WirelessAccess in Vehicular Environments, IEEE Standard 802.11p- anonymity in vehicular ad hoc networks,” IEEE Trans. Dependable Secure
2010 (Amendment to IEEE Standard 802.11-2007 as amended by Comput., vol. 13, no. 1, pp. 106–119, Jan. 2016.
IEEE Standard 802.11k-2008, IEEE Standard 802.11r-2008, IEEE Stan- [27] U. Rajput, F. Abbas, and H. Oh, “A hierarchical privacy preserving
dard 802.11y-2008, IEEE Standard 802.11n-2009, and IEEE Standard pseudonymous authentication protocol for VANET,” IEEE Access, vol. 4,
802.11w-2009), pp. 1–51, Jul. 2010. pp. 7770–7784, 2016.
[5] A. Buchenscheit, F. Schaub, F. Kargl, and M. Weber, “A VANET-based [28] L. Chen, Q. Lit, K. M. Martin, and S.-L. Ng, “A privacy-aware reputation-
emergency vehicle warning system,” in Proc. IEEE Veh. Netw. Conf., based announcement scheme for VANETs,” in Proc. IEEE 5tj Int. Symp.
Oct. 2009, pp. 1–8. Wireless Veh. Commun., Jun. 2013, pp. 1–5.
[6] M. Mejia and R. Chaparro-Vargas, “Distributed trust and reputation [29] H.-C. Hsiao et al., “Flooding-resilient broadcast authentication for
mechanisms for vehicular ad-hoc networks,” in Vehicular Technologies— VANETs,” in Proc. 17th Annu. Int. Conf. Mobile Comput. Netw., New
Deployment and Applications, Dr. Lorenzo Galati Giordano (Ed.), York, NY, USA, 2011, pp. 193–204.
London, U.K.: Intech, 2013. [30] J. R. Douceur, “The sybil attack,” in Proc. Int. Workshop Peer-to-Peer
[7] O. A. Wahab, J. Bentahar, H. Otrok, and A. Mourad, “A survey on trust and Syst., 2002, pp. 251–260.
reputation models for web services: Single, composite, and communities,” [31] J. T. Chiang and Y. C. Hu, “Cross-layer jamming detection and mitigation
Decis. Support Syst., vol. 74, pp. 121–134, 2015. in wireless broadcast networks,” IEEE/ACM Trans. Netw., vol. 19, no. 1,
[8] M. Fogue, P. Garrido, F. J. Martinez, J.-C. Cano, C. T. Calafate, and pp. 286–298, Feb. 2011.
P. Manzoni, “Analysis of the most representative factors affecting warn- [32] Y. Liu, P. Ning, H. Dai, and A. Liu, “Randomized differential DSSS:
ing message dissemination in VANETs under real roadmaps,” in Proc. Jamming-resistant wireless broadcast communication,” in Proc. IEEE IN-
IEEE 19th Int. Symp. Model., Anal. Simul. Comput. Telecommun. Syst., FOCOM, Mar. 2010, pp. 1–9.
Jul. 2011, pp. 197–204. [33] F. G. Mrmol and G. M. Prez, “Trip, a trust and reputation infrastructure-
[9] A. J. Sophia, “A score based trustworthy declaration scheme for VANETs,” based proposal for vehicular ad hoc networks,” J. Netw. Comput. Appl.,
Int. J. Eng. Res. Appl., vol. 4, pp. 542–544, Mar. 2014. vol. 35, no. 3, pp. 934–941, 2012.
[10] M. Raya, P. Papadimitratos, and J.-P. Hubaux, “Securing vehicu- [34] A. Menezes, “An introduction to pairing-based cryptography,” Mathemat-
lar communications—assumptions, requirements, and principles,” Proc. ics Subject Classification, Primary 94A60, 1991.
IEEE, vol. 13, no. 5, pp. 8–15, Oct. 2006. [35] D. Boneh, B. Lynn, and H. Shacham, “Short Signatures from the Weil
[11] V. H. LA and A. CAVALLI, “Security attacks and solutions in vehicular Pairing,” in Proc. 7th Int. Conf. Theory Appl. Cryptol. Inf. Sec., Adv.
Ad hoc networks: a survey,” in Proc. Int. J. AdHoc Netw. Syst., vol. 4, Cryptol., 2001, pp. 514–532.
no. 2, pp. 1–5, Apr. 2014. [36] C. Zhang, R. Lu, X. Lin, P. H. Ho, and X. Shen, “An efficient identity-
[12] B. Wiedersheim, Z. Ma, F. Kargl, and P. Papadimitratos, “Privacy in inter- based batch verification scheme for vehicular sensor networks,” in Proc.
vehicular networks: Why simple pseudonym change is not enough,” in IEEE 27th Conf. Comput. Commun., Apr. 2008, pp. 816–824.
Proc. 7th Int. Conf. Wireless On-demand Netw. Syst. Serv., Feb. 2010, [37] J. K. Liu, T. H. Yuen, M. H. Au, and W. Susilo, “Improvements on an
pp. 176–183. authentication scheme for vehicular sensor networks,” Expert Syst. Appl.,
[13] Q. Han, S. Du, D. Ren, and H. Zhu, “SAS: A secure data aggregation vol. 41, pp. 2559–2564, 2014.
scheme in vehicular sensing networks,” in Proc. IEEE Int. Conf. Commun., [38] J. Zhang, M. Xu, and L. Liu, “On the security of a secure batch verification
May 2010, pp. 1–5. with group testing for VANET,” Int. J. Netw. Secur., vol. 16, pp. 313–320,
[14] R. W. van der Heijden, “Sedya: Secure dynamic aggregation 2014.
in VANETs,” Aug. 2012. [Online]. Available: https://dl.acm.org/ [39] R. Xue, T. Cao, and D. Lin, “Security analysis of some batch verifying
citation.cfm?id=2462119 signatures from pairings,” Int. J. Netw. Secur., vol. 3, pp. 138–143, 2006.
[40] Q. Wu, L. C. K. Hui, C. Y. Yeung, and T. W. Chim, “Early car colli- Tat Wing Chim received the B.Eng., M.Phil., and
sion prediction in VANET,” in Proc. Int. Conf. Connected Vehicles Expo, Ph.D. degrees in information engineering, electri-
Oct. 2015, pp. 94–99. cal and electronic engineering and computer science
[41] A. Kalam and K. Aboobaker, “Performance analysis of authentication from The University of Hong Kong, Hong Kong, in
protocols in vehicular ad hoc networks (VANET),” Royal Holloway, Uni- 2002, 2004, and 2011, respectively. From 2011 to
versity of London, Egham, U.K., Tech. Rep. 2010. 2013, he was a Post-doctoral Fellow, funded by Prof.
[42] T. W. Chim, S.-M. Yiu, L. C. Kwong Hui, and V. O. K. Li, “OPQ: Victor O.K. Li, with the Department of Computer
OT-based private querying in VANETs,” IEEE Trans. Intell. Transp. Science, The University of Hong Kong. He is cur-
Syst., vol. 12, no. 4, pp. 1413–1422, Dec. 2011. [Online]. Available: rently a Lecturer in the same department. His research
https://ieeexplore.ieee.org/document/5898413 interests include information security and network
[43] D. Krajzewicz, G. Hertkorn, C. Rössel, and P. Wagner, “Sumo (Simulation routing.
of Urban Mobility)-an open-source traffic simulation,” in Proc. 4th Middle
East Symp. Simul. Model., 2002, pp. 183–187.
[44] S. Tanaka, K. Yamada, T. Ito, and T. Ohkawa, “Vehicle detection based on
perspective transformation using rear-view camera,” vol. 2011, Art. no.
279739.
[45] A. O. Ors, “RADAR, camera, LiDAR and V2X for autonomous cars,”
[Online]. Available: https://blog.nxp.com/automotive/radar-camera-and-
lidar-for-autonomous-cars, Accessed on: Jan. 12, 2018.
[46] Banner Engineering Corp, “Vehicle Detection Sensors,”
[Online]. Availbale: https://www.bannerengineering.com/us/en/products/ Siu Ming Yiu received the Ph.D. degree in computer
capabilities/vehicle-detection.html, Accessed on: Nov. 1, 2017. science from The University of Hong Kong, Hong
Kong. He is currently an Assistant Professor in the
same department. His research interests include in-
formation security, cryptography, and bioinformatics.
He was the recipient of the Best Teacher Award of
Checuk Yu Yeung received the B.Eng. and Ph.D. the department as well as the university.
degrees in computer science from The University
of Hong Kong, Hong Kong. His research interests
include information security and data analytic. He
is currently carrying out research in VANET and
e-learning.
Gongxian Zeng received the B.Sc. degree from

the Huazhong University of Science and Technol-
ogy, Wuhan, China, in 2015. He is currently working
Lucas Chi Kwong Hui received the B.Sc. and toward the Ph.D. degree with the Department of Com-
M.Phil. degrees in computer science from The Uni- puter Science, The University of Hong Kong, Hong
versity of Hong Kong (HKU), Hong Kong, and the Kong. His research interests include blochchain and
M.Sc. and Ph.D. degrees in computer science from lattice-based encryption.
the University of California, Davis, Davis, CA, USA.
He is the Senior Director in Security and Data Sci-
ences with the Hong Kong Applied Science and Tech-
nology Research Institute (ASTRI), Hong Kong. His
research interests include cybersecurity, cryptogra-
phy, authentication, and security technologies. Be-
fore joining ASTRI, he was teaching with the HKU,
where he founded the Center for Information Security and Cryptography, HKU. Jingyue Chen received the M.Sc. degree with the Department of Computer
He is a member of HKIE. Science from The University of Hong Kong, Hong Kong.

Anonymous Counting Problem in Trust Level

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Anonymous Counting Problem in Trust Level

Uploaded by

Copyright:

Available Formats

34 IEEE TRANSACTIONS ON VEHICULAR TECHNOLOGY, VOL. 68, NO.

Anonymous Counting Problem in Trust Level

Abstract—Using vehicular ad-hoc network, smart vehicles can

the related information to the tamperproof OBU for a cryp-

TABLE I test, RSU broadcasts a system-generated warning message

Proof of correctness: Extension 2 Warning triggered by RSU or TA: RSU’s detect-

vehicle, which can be revealed by RSU, but can be TABLE II

VI. ANALYSIS ON TIME COMPLEXITY

For TS[n], total time is T1 + T2 + T3 .

T1 [n] = Gsig n + Nbr o (9)

T1 is the total time required for the generator to prepare

better if the number of victims and the ID number of the first

Gongxian Zeng received the B.Sc. degree from

You might also like