2792 IEEE TRANSACTIONS ON VERY LARGE SCALE INTEGRATION (VLSI) SYSTEMS, VOL. 27, NO.
12, DECEMBER 2019
A Blockchain-Based Privacy-Preserving
Authentication Scheme for VANETs
Zhaojun Lu , Qian Wang , Gang Qu , Senior Member, IEEE, Haichun Zhang, and Zhenglin Liu
Abstract— The privacy-preserving authentication is considered
as the first line of defense against the attacks in addition to
preserving the identity privacy of the vehicles in the vehicular
ad hoc networks (VANETs). However, the existing authentication
schemes suffer from drawbacks such as nontransparency of the
trusted authorities (TAs), heavy workload to revoke certificates,
and high computation overhead to authenticate identities and
messages. In this paper, we propose a blockchain-based privacy-
preserving authentication (BPPA) scheme for VANETs. In BPPA,
all the certificates and transactions are recorded permanently
and immutably in the blockchain to make the activities of the
semi-TAs transparent and verifiable. However, it remains a chal-
lenge how to use such blockchain effectively for authentication
in real driving scenarios (e.g., high speed or large amount of
messages during congestion). With a novel data structure named
the Merkle Patricia tree (MPT), we extend the conventional
blockchain structure to provide a distributed authentication
scheme without the revocation list. To achieve conditional privacy,
we allow a vehicle to use multiple certificates. The linkability
between the certificates and real identity is encrypted and
stored in the blockchain and can only be revealed in case of
disputes. We evaluate the validity and performance of BPPA
on the Hyperledger Fabric (HLF) platform for each entity. The
experimental results show that the distributed authentication can
be processed by individual vehicles within 1 ms, which meets
the real-time requirement and is much more efficient, in terms
of the processing time and storage requirement, than existing
approaches.
Index Terms— Blockchain, privacy-preserving authentication,
semitrusted authority, transparency, vehicular ad hoc networks
(VANETs).
I. I NTRODUCTION
A S THE basic technology of the intelligent transportation
systems (ITSs), the vehicular ad hoc networks (VANETs)
have attracted much attention from both academia and indus-
try. With the main goal of improving road safety and
driving conditions, VANETs are established with two types
Manuscript received January 21, 2019; revised May 10, 2019 and July 10,
2019; accepted July 15, 2019. Date of publication August 1, 2019; date
of current version November 22, 2019. This work was supported in part
by the National Science Foundation of China under Grant 61874047 and
Grant 61376026. The work of Z. Lu, Q. Wang, and G. Qu was supported
in part by the National Science Foundation under Grant CNS1745466 and
in part by the Air Force Office of Scientific Research (AFOSR) through
the Multidisciplinary Research Program of the University Research Ini-
tiative (MURI) under Award FA9550-14-1-0351. (Corresponding author:
Zhenglin Liu.)
Z. Lu, Q. Wang, are G. Qu are with the Department of Electrical and Com-
puter Engineering, University of Maryland, College Park, MD 20742 USA
(e-mail: lzj77521@umd.edu).
H. Zhang and Z. Liu are with the School of Optical and Electronic Infor-
mation, Huazhong University of Science and Technology, Wuhan 430074,
China.
Color versions of one or more of the figures in this article are available
online at http://ieeexplore.ieee.org.
Digital Object Identifier 10.1109/TVLSI.2019.2929420
1063-8210 © 2019 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Authorized licensed use limited to: G.Pulla Reddy Engineering College. Downloaded on April 08,2021 at 13:08:05 UTC from IEEE Xplore. Restrictions apply.
of communications, namely, the vehicle-to-vehicle (V2V)
communication and the vehicles-to-infrastructure (V2I)
communication [1]. Through the dedicated short-range com-
munication (DSRC), the vehicles can exchange safety mes-
sages in V2V and communicate directly with the roadside
units (RSUs) in V2I [1]. Due to the open nature of VANETs,
a privacy-preserving authentication scheme should be pro-
vided against potential attacks [2]. Without authentication,
a malicious vehicle may impersonate any authorized vehicle to
broadcast forged messages. Moreover, if the identity privacy is
not preserved, the adversary can easily track the target vehicle
by analyzing the broadcasted messages, which could be a
serious threat to the drivers.
Many research efforts have been dedicated to designing
the privacy-preserving authentication schemes for VANETs
based on the basic idea of using a digital pseudonym as
a unique identifier for authentication without any personally
identifiable information [1]. In the conventional public key
infrastructure (PKI)-based schemes [3], a certificate issued by
the certificate authority (CA) consists of a vehicle’s public
key and CA’s digital signature. A vehicle uses its private key
to generate the signature for each message. The public key
is used for verification by the receivers without revealing the
sender’s real identity. In the identity-based signature (IBS)-
based schemes [4], the private key generator (PKG) acts as
the trusted authority (TA) to generate and assign the private
keys to the vehicles. Then, each vehicle uses an identifier as
a pseudonym and signs messages with the private key from
PKG. In order to solve the escrow problem in IBS that PKG
knows the private keys of each vehicle, the certificateless
signature (CLS)-based schemes [5] are proposed to rely on
the key generation center (KGC) for supplying each vehicle
with a partial private key computed from the vehicle’s identity.
Then, the vehicle generates the actual private key using a secret
value and the partial private key.
However, these existing privacy-preserving authentication
schemes suffer from several drawbacks. First, the activities
of TA are not transparent to all the vehicles. The TA may
arbitrarily authorize any vehicle to join VANETs without being
monitored. Second, the receivers need to query a certificate
revocation list (CRL) prior to the message authentication to
check whether the sender’s public key has been revoked or
not. With the rapid increase in the number of vehicles, CRL
requires a large amount of storage space and such query incurs
high computation overhead. Third, since a vehicle may receive
up to a thousand messages per second during traffic congestion
and runs 70+ mi per hour on a traffic-free highway, how to
process the identity and message authentication efficiently and
timely is another critical concern.
LU et al.: BLOCKCHAIN-BASED PRIVACY-PRESERVING AUTHENTICATION SCHEME 2793

This paper is motivated by these challenges, which we do

not believe can be adequately addressed by current approaches.
Therefore, we propose a blockchain-based privacy-preserving
authentication (BPPA) scheme to integrate the semi-TAs with
the emerging blockchain technology using carefully designed
data structures. More precisely, we make the following con-
tributions in this paper.
1) To achieve the certificate and revocation transparency,
we use the blockchain to record the activities of the semi-
TAs. All the entities in VANETs can monitor the author-
ities by verifying their signatures in each transaction and
checking the corresponding update in the consistent and
public database.
2) We adopt a novel data structure named the Merkle
Patricia tree (MPT) to extend the conventional
blockchain. A distributed authentication scheme is
designed to eliminate the space and computation
intensive CRL. By several hash calculations, a receiver
can verify whether the sender’s certificate is issued and
has not been revoked by the authorities. This saves the Fig. 1. System model of the proposed BPPA scheme.
time and storage requirements of CRL so it can be
accessible by individual vehicles.
3) To preserve the conditional privacy, we allow a vehicle
2) Transaction: The semi-TAs broadcast two kinds of
to have several certificates at the same time. The link-
transactions [7]. The issuance transaction contains the issued
ability between the certificates and the real identity is
certificate, the timestamp, and the signatures of the semi-TAs,
encrypted and stored in the blockchain. In case of dis-
while the revocation transaction contains the revoked certifi-
putes, the authorities are able to reveal the real identities
cate. A transaction in our proposed scheme will only update
of the involved vehicles.
the public database, which is different from a transaction in
4) We implement BPPA on the Hyperledger Fabric (HLF)
the permissionless blockchain like Bitcoin [8] that involves the
platform and carry out an extensive analysis to
exchange of the cryptocurrency.
demonstrate the high efficiency of the certificate
issuance and revocation for the authorities and the 3) Certificate: The certificate contains the public key,
distributed authentication process for the individual the expiration time, the timestamp, and encrypted linkability
vehicles. between the certificate and the vehicle’s real identity.
The remainder of this paper is organized as follows. Section II 4) Law Enforcement Authority: The main responsibilities of
briefly introduces the main components in the system and the law enforcement authority (LEA) include the vehicle registra-
design goals. The preliminaries of blockchain are introduced tion, handling the requests from the vehicles, monitoring the
in Section III. We elaborate on the proposed scheme in behaviors of the vehicles, and arbitrating the disputes. LEA
Section IV and present the security analysis in Section V. authorizes the CA for the certificate issuance and revocation.
In Section VI, we implement BPPA and evaluate the perfor- Then, LEA orders the transactions from CA to generate a
mance for each entity. Finally, we summarize our work in the block and delivers the block to all RSUs for verification.
conclusion section. The linkability between a vehicle’s certificates and its real
identity is encrypted using LEA’s secret key and is stored in
the blockchain. In case of disputes, LEA is able to reveal the
II. S YSTEM OVERVIEW real identities of the involved vehicles.
In this section, we first briefly introduce the system model 5) Certificate Authority: CA broadcasts transactions to issue
with the main components and give an example to explain or revoke certificates under the authorization of LEA and
the transaction flow. Then, we present the design goals of the updates the public database according to the transactions.
proposed scheme. Since all the transactions with signatures are recorded trans-
parently and permanently in the blockchain, the activities of
CA and LEA are transparent and verifiable for each entity in
A. System Model
VANETs [7].
Fig. 1 illustrates the system model of BPPA with an example 6) Roadside Unit: Each RSU has a public–private key pair
on how to run the blockchain. from LEA. All the RSUs will verify the transactions broad-
1) Blockchain: Considering that each entity in the system casted by CA and record the new block into the blockchain
has a cryptographically authenticated identity, we deploy the to guarantee the global consensus. In addition, RSUs are
permissioned blockchain [6] proposed by HLF to record the responsible for sending the updated data for the distributed
activities of the semi-TAs. authentication to each vehicle through V2I communication.

Authorized licensed use limited to: G.Pulla Reddy Engineering College. Downloaded on April 08,2021 at 13:08:05 UTC from IEEE Xplore. Restrictions apply.
2794 IEEE TRANSACTIONS ON VERY LARGE SCALE INTEGRATION (VLSI) SYSTEMS, VOL. 27, NO. 12, DECEMBER 2019
7) Vehicle: A vehicle will receive the latest version of the
blockchain and the data for the distributed authentication from
RSUs. A vehicle can query the public database to monitor the
activities of the authorities.
The edges labeled with 1–5 in Fig. 1 illustrate the transac-
tion flow in the proposed scheme.
1) LEA sends CA an authorization to issue or revoke a
certificate.
2) CA broadcasts a transaction and updates the public data-
base according to the received authorization.
3) LEA collects and orders the transactions from CA to
generate a block, and then LEA delivers this block to
all RSUs for verification.
4) After RSUs verifying the signatures in each transaction
and the correctness of the updated database, a new block
is recorded into the blockchain.
5) RSUs broadcast the latest version of blockchain and send
the data to each vehicle for the distributed authentication.
B. Design Goals
1) Authentication Security: In order to resist the man-in-the-
middle attack, the replay attack, and the forgery attack, the pro-
posed scheme is required to provide the security services,
including authentication, integrity, and nonrepudiation [9].
When receiving a message, the receiver needs to verify that
the sender’s certificate is issued but has not been revoked
by the authority and the message is not forged or replayed.
In addition, the sender cannot repudiate that he has sent the
message.
2) Conditional Privacy: On the one hand, the vehicle’s
privacy should be preserved so that the adversary cannot
obtain the real identity of the target vehicle by analyzing the
broadcasted messages and the public database. On the other
hand, the privacy should be conditional. In case of disputes,
the authority can reveal the real identity of the involved
vehicles.
3) Certificate and Revocation Transparency: The authori-
ties are necessities in the specific scenario of VANETs because
they are responsible for the vehicle registration, the network
maintenance, and the dispute arbitration [10]. Our proposed
scheme aims to make the activities of the semi-TAs transparent
rather than eliminate the authorities completely. In other
words, each entity is able to check when a specific certificate
is issued or revoked by verifying the broadcasted transactions
from the authorities.
4) Efficiency and Scalability: On the one hand, the cost and
latency to issuance and revoke certificates should be acceptable
in the large-scale VANETs. On the other hand, the distributed
authentication process for the individual vehicles should be
efficient in terms of time consumption and communication
overhead.
III. P RELIMINARIES OF B LOCKCHAIN
We only introduce the chronological Merkle tree (CMT)
with the proof of presence, the MPT, and the main operations
of the data structure. We do not present the details of the clas-
sical cryptographic primitives, including the secure hashing
Authorized licensed use limited to: G.Pulla Reddy Engineering College. Downloaded on April 08,2021 at 13:08:05 UTC from IEEE Xplore. Restrictions apply.
Fig. 2. Chronological Merkle tree [10].
algorithm (SHA), the advanced encryption standard (AES),
the elliptic curve cryptography (ECC), and the elliptic curve
digital signature (ECDSA).
A. Chronological Merkle Tree
As shown in Fig. 2, CMT is the underlying data structure
of the conventional blockchain [8]. All the transactions are
hashed and chronologically stored in CMT. Only the root hash
value is included in the blockchain so that the old blocks can
be compacted by stubbing off branches of the tree and the
interior hashes do not need to be stored [11].
Fig. 2 illustrates how to efficiently prove that TX4 is present
in CMT. A tupleC = (Dirs, Hashes) is enough for the proof
of presence for TX4 , in which Dirs = (left, left, right) and
Hashes = (hash3 , hash12 , hash58 ) [10]. The verifier can calcu-
late the root hash using this tupleC . If this root hash is equal to
that recorded in the blockchain, it means that TX4 is present
in the blockchain. In our proposed scheme, the issuance
transactions and the revocation transactions broadcasted by
CA are recorded in CMT permanently and immutably, which
makes the activities of the authorities transparent and verifiable
for each entity in VANETs.
B. Merkle Patricia Tree
Generally, MPT is a combination of the Patricia tree and
the Merkle tree with additional optimizations, which pro-
vides a cryptographically authenticated data structure for the
Ethereum [12], [13]. Every node in MPT can be expressed as
a key–value pair. The value is the content of an MPT node,
while the key is the hash of this node. The nibble is the unit
used to compose the path to each key–value pair. There are
three kinds of nodes in MPT, i.e., leaf node, branch node, and
extension node.
1) Leaf Node: A node without a child node is called a
leaf node. In BPPA, a leaf node represents a certificate that
contains the public key and the encrypted linkability between
the certificate and the real identity. A leaf node can be accessed
by traversing the nibbles of the key.
2) Branch Node: A branch node can have up to 16 branches
from 0 to f . Each branch stores the hash of the next node
(if exists).
3) Extension Node: An extension node has a series of
nibbles of size greater than one that either are shared by at
LU et al.: BLOCKCHAIN-BASED PRIVACY-PRESERVING AUTHENTICATION SCHEME
Fig. 3. Merkle Patricia tree.
least two distinct nodes or are the last nibbles of a single public
key.
Fig. 3 shows the example of an MPT that consists of four
key–value pairs. Since all the keys share the nibbles 0xa7,
the root node is an extension node with two nibbles 0xa7. The
third nibble of key0 and key2 differs, Branch Node 0 has three
branches to store the hashes of Extension Node 1, Extension
Node 2, and Extension Node 3, respectively. Since the sixth
nibble of key1 and key3 differs after the shared nibbles 0xd3,
the child node of Extension Node 2 is Branch Node 1. Finally,
the value associated with its key is stored in the corresponding
leaf node.
MPT provides a form of cryptographic authentication to the
data structure [14]. If the root hash of a given MPT is public
and secure, then anyone can provide a proof that MPT contains
a given leaf node by providing the nodes going up each
step along a specific path. It is impossible for an adversary
to provide a proof of a nonexistent leaf node because the
root hash is ultimately based on all hashes below it that any
modification would change the root hash. For example, given
a tuple M = (Extension Node 0, Branch Node 0, Extension
Node 2, Branch Node 1, Extension Node 4, and Leaf Node 1),
the presence and integrity of the key1 -value1 pair can be
verified by calculating several hashes.
C. Operations
Two MPTs with the same leaf nodes are guaranteed to be
exactly the same down to the last bit and, therefore, have
the same root hash value [12]. It provides the holy grail
of O(log N ) efficiency for the lookup operation, the insert
operation, and the delete operation. N is the total number of
the leaf nodes in MPT.
Authorized licensed use limited to: G.Pulla Reddy Engineering College. Downloaded on April 08,2021 at 13:08:05 UTC from IEEE Xplore. Restrictions apply.
2795
TABLE I
N OTATIONS AND D EFINITIONS
In our proposed scheme, the key of a leaf node is the hash
of its public key and the value is the certificate. The lookup
operation is to traverse the nodes by comparing the shared
nibbles and the hashes along the key. We explain the insert
operation of MPT in Algorithm 1. In order to insert a new
leaf node into MPT, we should first get the type of the current
node (curr_node) and its nibble(s). If the current node is a
branch node, we check whether it is vacant in the nibble
according to the current index (curr_index). If so, we generate
a new leaf node (line 7) or a new extension node (line 9) and
insert its hash into the nibble of the branch node. If not,
we traverse down to the next node (line 12). If the current node
is an extension node, we first figure out how many nibbles
are shared after the curr_index and get the equal_nibbles.
According to the equal_nibbles and the left nibbles in the key,
there are five cases associated with five approaches (lines 16,
19, 21, 25, and 27). After completing the above iteration
process, we should recalculate the hashes of the modified
nodes and store the updated key-value pairs in the database.
The delete operation is the reverse operation of the insert
operation. More details can be found in the yellow paper of
the Ethereum [12].
IV. B LOCKCHAIN -BASED P RIVACY-P RESERVING
AUTHENTICATION
In this section, we elaborate on how to use the CMT and
the MPT to extend the conventional blockchain and propose
the privacy-preserving authentication scheme based on the
extended blockchain. The notations and definitions are listed
in Table I.
A. Extended Blockchain
As shown in Fig. 4, the extended blockchain is composed
of a CMT and an MPT. When an issuance transaction or
2796 IEEE TRANSACTIONS ON VERY LARGE SCALE INTEGRATION (VLSI) SYSTEMS, VOL. 27, NO. 12, DECEMBER 2019
Algorithm 1 Insert a Leaf Node N(key, Value)
a revocation transaction is broadcasted by CA, a leaf node
will be inserted or deleted, respectively, and the root of MPT
will be updated. The transaction and the corresponding root
of MPT will be recorded chronologically in CMT. We take
the root of CMT as the Transaction Root and take the root of
MPT as the Certificate Root. The Transaction Root and the
Certificate Root will be written immutably in the blockchain.
The significance of the extended blockchain lies in two
aspects. First, it provides a simplified verification method
whether a specific certificate is in MPT or not. Given the
Certificate Root and a tuple M containing the nodes along the
path, the verifier can calculate a hash using the tuple M . If this
hash is equal to the Certificate Root in the blockchain, it is
proven that the certificate is in MPT. Second, it makes the
activities of the authorities transparent. Given the Transaction
Root and a tupleC , it can be verified when a specific certificate
is issued or revoked.
Authorized licensed use limited to: G.Pulla Reddy Engineering College. Downloaded on April 08,2021 at 13:08:05 UTC from IEEE Xplore. Restrictions apply.
Fig. 4. Extended blockchain.
B. Initialization
An elliptic curve E is set for the system, where
y 2 = x 3 +ax+b mod p (a and b ∈ Z q∗ , p is a large prime num-
ber). The system chooses the elliptic group of points Eq (a, b),
where q is the order and G is the generator. Respectively,
LEA and CA randomly selects their private keys PRLEA and
PRCA , then computes their public keys PU LEA = PRLEA ×G
and PU CA = PRCA × G. We choose the SHA as the
hash function (H: {0, 1}∗ → Z q∗ ), the AES as the symmetric
cryptographic algorithm (Ekey and Dkey ), the ECC as the
asymmetric cryptographic algorithm (AEPU and ADPR ), and
the ECDSA as the digital signature algorithm (SigPR ).
Finally, the system parameters are published as par am =
(G, PU LEA , PU CA , H, Ekey , Dkey , AEPU , ADPR , SigPR ).
The vehicle initialization is similar to the certificate
issuance. When a brand new vehicle Vi joins VANETs,
it computes its initial public key using its initial private key
and requests LEA for the initial certificate. Then, LEA sends
CA the authorization to issue an initial certificate to Vi .
After verifying the authorization from LEA, CA broadcasts an
issuance transaction and writes the initial certificate into MPT
as a new leaf node. Finally, Vi receives its initial certificate.
The detailed process of the certificate issuance is explained in
Section IV-C.
C. Certificate Issuance
When the current certificate is about to expire or a new
certificate is required due to the security and privacy reasons,
Vi should send a request to LEA for a new certificate. There
are five steps for the certificate issuance.
LU et al.: BLOCKCHAIN-BASED PRIVACY-PRESERVING AUTHENTICATION SCHEME 2797

1) Step 1: Vi randomly selects its (n + 1)th private key

PRn+1
i and computes its (n + 1)th public key
PU n+1
i = PRn+1
i × G.
2) Step 2: Vi sends LEA the certificate issuance request
r eqiss that is encrypted using LEA’s public key
 
reqini = AEPU LEA PU n+1
i , PU ni , t, SigPRni
where PU ni is Vi ’s current public key, and t is the
timestamp.
3) Step 3: First, LEA looks up MPT to check that PU ni is
not revoked or expired. Second, LEA updates the random
number in Link ni = ELEA (IDi ||rLEA ) that is stored in the

leaf node to generate Li nkin+1 = ELEA (IDi ||rLEA ). Then,
LEA sends CA the authorization auth iss to issue a new
certificate to Vi
  
 
authiss = PU n+1
i , T, t, ELEA IDi ||rLEA , SigPRLEA
where T is the expiration time of PU n+1 i , rLEA and

rLEA are the random numbers selected by LEA, and Fig. 5. Distributed authentication process.

ELEA (IDi ||rLEA ) is the encrypted linkability between Vi ’s
certificate and its real identity. E. Distributed Authentication Process
4) Step 4: CA broadcasts a issuance transaction T X iss
Our proposed scheme allows the receiver to authenticate
containing the authorization from LEA
  the sender’s certificate in a distributed and efficient fashion.
TXiss = PU n+1 i , t, authiss , SigPRCA . The sender Vi should provide the receivers the r mT uple for
the distributed authentication, which consists of Vi ’s certificate
5) Step 5: CA writes the new certificate Cin+1 into MPT as Ci (a leaf node in MPT), tuple M that contains the associated
a new leaf node nodes in MPT, and the digital signature. As shown in Fig. 5,
  

Cin+1 = PU n+1
i , T, t, ELEA IDi ||rLEA . there are three steps for the distributed authentication process
as follows.
In the certificate issuance, only LEA knows Vi ’s real
Step 1) The receiver checks whether Ci is expired.
identity. We assume that LEA is semitrusted and will not
Step 2) The receiver extracts the nibbles from the associated
maliciously track or reveal the linkability between a vehicle’s
nodes to check whether they can join together into
public keys and its real identity. Without LEA’s secret key,
the hash of Vi ’s public key PU i . Then, the receiver
CA and other vehicles cannot get Vi ’s real identity from
  calculates the hashes from Ci to the root node. If the
ELEA (IDi ||rLEA ). Moreover, since the random number rLEA
root hash is equal to the Certificate Root stored in the
is updated by LEA, it prevents the adversary from tracking
latest block, it is proven that Ci is present in MPT,
the linkability between PU ni and PU n+1 .
i which means that PU i is issued but has not been
revoked by CA.
D. Certificate Revocation Step 3) The receiver verifies the signature to make sure that
A certificate will be revoked prior to its expiration time if it PU i is not used by a malicious vehicle.
is caught performing misbehaviors. There are three steps for The distributed authentication process in our proposed
the certificate revocation as follows. scheme is of O(log N ) efficiency in terms of the time consump-
Step 1) LEA sends CA the authorization authrev to revoke a tion and the storage overhead, which will be demonstrated in
public key PU i Section VI. Then, the receiver will use PU i for the message
authrev = (PU i , t, SigPRLEA ). authentication.

Step 2) CA broadcasts a revocation transaction TXrev con- V. S ECURITY A NALYSIS

taining the authorization from LEA
TXrev = (PU i , t, authrev , SigPRCA ).
Step 3) LEA first looks up PU i in MPT to obtain Link i .
Then LEA decrypts Link i and reveals IDi . Finally,
CA deletes the leaf node associated with PU i .
This paper does not attempt to give details to all the issues
such as under what circumstances a certificate should be issued
or revoked [10].
In this section, we analyze BPPA with respect to the authen-
tication security, the conditional privacy, and the certificate and
revocation transparency.
A. Attack Models
The following attacks might be applied to BPPA.
1) Forgery Attack: The adversary attempts to fake signatures
of an authorized vehicle and sends to other entities.

Authorized licensed use limited to: G.Pulla Reddy Engineering College. Downloaded on April 08,2021 at 13:08:05 UTC from IEEE Xplore. Restrictions apply.
2798 IEEE TRANSACTIONS ON VERY LARGE SCALE INTEGRATION (VLSI) SYSTEMS, VOL. 27, NO. 12, DECEMBER 2019
2) Man-in-the-Middle Attack: The adversary intercepts
messages and performs data tampering using a forged
certificate. The two sides of the communication are
unaware of the facts.
3) Replay Attack: The adversary replays the previously
obtained legitimate signature to the receiver.
4) Identity Revealing Attack: The adversary attempts to
reveal the real identity of a target vehicle. Then the
adversary can illegally gather the personal data about the
vehicle, which will threaten the privacy of the drive.
5) Authority Abuse Attack: The semi-TAs arbitrarily issue
certificates to illegal vehicles or revoke certificates of
legal vehicles.
B. Security Proof
We assume the security of the blockchain itself, the classical
cryptographic primitives, and the secret key and the private
key of each entity. The security of BPPA is guaranteed by the
following theorems.
Theorem 1: The authentication in the proposed scheme is
secure against the forgery attack, the man-in-the-middle attack,
and the replay attack.
Proof: In the distributed authentication, the sender Vi
provides the Tuple = (Ci , tuple M , SigPRi ). The receiver
calculates the root hash using the certificate Ci and the tuple M .
If this root hash is equal to the Certificate Root stored in
the latest block, it is proved that Vi ’s certificate is present in
MPT, which means the Vi ’s certificate is issued but has not
been revoked by CA. Since the SHA used in the proposed
scheme is collision-resistant, it is infeasible for the adversary
to forge a certificate and find a tuple M whose root hash is
equal to the Certificate Root in the blockchain. The security
of ECDSA guarantees that it is infeasible to forge a valid
signature SigPRi without knowing the private key PRi of
Vi . Therefore, the forgery attack and the man-in-the-middle
attack are thwarted by the identity authentication and the
signature verification. Moreover, each broadcasted message
has the timestamp to meet the real-time requirement of the
applications in VANETs. The replay attack is thwarted since
the adversary cannot provide a valid signature if the timestamp
is changed.
Theorem 2: No entities except LEA is able to reveal the
real identity of a target vehicle from the public database and
the broadcasted messages.
Proof: The identity privacy of the vehicles is enhanced in
two ways. First, the public keys are used as the pseudonyms in
V2V and V2I communications to preserve the real identities
of the vehicles. Second, the linkability between the certificates
of a vehicle and its real identity is encrypted to prevent
the adversary from tracking a target vehicle. Vi ’s certificate
Ci = (PU i , T, t, ELEA (IDi ||rLEA )) is recorded as a Leaf
Node in the public MPT. Without the secret key PRLEA of
LEA, it is infeasible for the adversary to decipher Li nki =
ELEA (IDi ||rLEA ) to reveal IDi . Moreover, the random number
rLEA makes the Li nks in Vi ’s certificates totally different,
which makes it infeasible for the adversary to get the link-
ability between Vi ’s previous certificates. In case of disputes,
Authorized licensed use limited to: G.Pulla Reddy Engineering College. Downloaded on April 08,2021 at 13:08:05 UTC from IEEE Xplore. Restrictions apply.
LEA is able to decrypt Li nki and reveal the real identity IDi
of the target vehicle Vi .
Theorem 3: All the activities of semi-TAs are transparent
and verifiable for each entity in VANETs.
Proof: Since the CMT and the MPT are built with SHA,
the data of the blockchain cannot be tampered with by the
adversary. All the transactions broadcasted by CA as well
as the certificates are recorded publicly and immutably in
the database. Each transaction contains the signatures of CA
and LEA, it is nonrepudiable that LEA has sent CA an
authorization to issue or revoke a certificate. The root of the
MPT that changes due to the insert or delete operation by
CA is attached to the corresponding transaction, which is
recorded chronologically in the CMT. To verify the validity
of MPT, the verifier can perform the inverse operation and
compare the changed root of MPT with the root attached
to the previous transaction. For example, given two adjacent
transactions in the CMT, transaction0 with root0 of MPT0 and
transaction1 with root1 of MPT1 , the verifier either inserts the
certificate into MPT1 if transaction1 is a revocation transaction
or deletes the certificate from MPT1 if transaction1 is an
issuance transaction. If the changed root1 is equal to the
root0 of MPT0 , it means that MPT1 is valid. Therefore,
CA cannot arbitrarily issue or revoke a certificate without the
authorization from LEA.
VI. P ERFORMANCE E VALUATION
In this section, we provide details of the experiment settings,
the cost and latency of the certificate issuance and revocation,
and the overhead of the distributed authentication process.
We compare BPPA with the state-of-the-art approaches to
demonstrate its practical viability.
A. Experiment Settings
Since each entity in BPPA uses a specific certificate in
the communications, we conduct a set of experiments on the
IBM’s HLF platform v1.1, which is a permissioned blockchain
that securely tracks the execution history in an append-only
replicated data structure without build-in cryptocurrency [6].
The public MPT and the classical cryptographic primitives
are implemented using Python. We have eight laptops with
2.5-GHz Intel Core i5 CPU and 8-GB RAM to simulate the
entities in the system. All the laptops are connected to each
other through 1-Gb/s switch.
The experiment setting for the certificate issuance and
revocation process is shown in Fig. 6(a). To harmonize the
terminology of HLF, we use the ordering service node (OSN)
instead of LEA, the client instead of CA, and the endorsing
peers instead of RSUs. We have three organizations, and each
contributes two endorsing peers to the blockchain network.
The endorsement policy on transactions is set that a transaction
will be successfully committed on the blockchain if it has
signatures from at least one peer from each organization. The
OSN is run in the solo mode. The transaction flow is illustrated
in Fig. 1. As shown in Fig. 6(b), two laptops are used for
RSUs and six laptops are used for vehicles in the distributed
authentication process. A sender vehicle is randomly selected
LU et al.: BLOCKCHAIN-BASED PRIVACY-PRESERVING AUTHENTICATION SCHEME
Fig. 6. Experiment settings. (a) Certificate issuance and revocation. (b) Dis-
tributed authentication.
TABLE II
C OST OF C ERTIFICATE I SSUANCE AND R EVOCATION
and provides the receivers a Tuple = (Ci , tuple M , SigPRi )
for the certificate authentication.
B. Certificate Issuance and Revocation
When an endorsing peer receives a transaction broadcasted
by the client, it should verify the validity of the public
MPT and the signatures of the OSN and the client. We set
the number N of certificates in the MPT as 104 , 105 , 106 ,
and 107 . Without losing generality, the i th public key is the
256-bit hash of number i . First, we construct an MPT that
consists of N leaf nodes. Then, we randomly choose 104
different numbers larger than N to perform the verification
of the issuance transactions and the revocation transactions.
The results in Table II demonstrate that the complexity to
verify a transaction is O(log N ). Moreover, in VANETs with
107 certificates, the maximal time consumption to verify an
issuance transaction is 12.236 ms and the average is 1.762 ms,
and the maximal time consumption to verify a revocation
transaction is 15.152 ms and the average is 1.738 ms.
Transaction throughput is defined as the rate at which
transactions are committed to the blockchain, and transaction
latency is defined as the time taken from when the transac-
tion is broadcasted to when the transaction is successfully
committed [6]. When either a maximum number of new trans-
actions are broadcasted by the client or a configured timeout
since the last block has been generated, the OSN will generate
a new block and send it to all the endorsing peers. Let the
client broadcast the transactions at the highest rate, we evaluate
the impact of the block size on the transaction throughput and
the transaction latency. For uniformity, we set the transaction
size as 5 KB. We run experiments varying the block size
from 1 to 4 MB. The peak throughput and the average latency
are shown in Fig. 7. The results show that when the block size
Authorized licensed use limited to: G.Pulla Reddy Engineering College. Downloaded on April 08,2021 at 13:08:05 UTC from IEEE Xplore. Restrictions apply.
2799
Fig. 7. Transaction throughput and latency.
Fig. 8. Time consumption and communication overhead to authenticate one
certificate.
is larger than 3 MB, the peak throughput for the two kinds of
transactions does not increase significantly, while the average
latency increases as the block grows larger. If we set the block
size as 3 MB, the peak throughput for the issuance transaction
and the revocation transaction is 187 and 191 tps, respectively,
and the average latencies for the issuance transaction and
the revocation transaction are 1475 and 1445 ms, respec-
tively, which is acceptable for the certificate issuance and
revocation.
Singh et al. [15] made use of the dynamic bilinear-map
accumulators to achieve the certificate and revocation trans-
parency with low verification cost. However, the cost of
revocation is O(m) (m is the total number of active cer-
tificates present in the log structure) for the bilinear-map
accumulator [15], which will incur huge computational cost
for the semi-TAs. Moreover, the communication overhead and
the hours of latency to update the log are unacceptable for the
individual vehicles. Madala et al. [16] leveraged the chaincode
in HLF to modify the world state in the blockchain for the
certificate and revocation transparency. The main drawback is
that the database used in the scheme is not a cryptographically
authenticated data structure as the MPT. The modification of a
tuple in the public database cannot be monitored or verified if
the adversary does not invoke a chaincode. Therefore, it does
not achieve true transparency. Compared with the existing
approaches, BPPA adopts the novel MPT to make the activities
of the semi-TAs transparent and verifiable for all the entities
and solves the bottleneck in terms of cost and latency for the
certificate issuance and revocation.
C. Distributed Authentication
We set N as 104 , 105 , 106 , and 107 and randomly
choose 104 different certificates to perform the distributed
authentication. Fig. 8 shows the time consumption and the
2800 IEEE TRANSACTIONS ON VERY LARGE SCALE INTEGRATION (VLSI) SYSTEMS, VOL. 27, NO. 12, DECEMBER 2019
TABLE III
C ERTIFICATE AUTHENTICATION C OST OF VARIOUS S CHEMES
communication overhead to authenticate a certificate. The
results show that the complexity of the distributed authentica-
tion is O(log N ). In VANETs with 107 authorized certificates,
the maximal time consumption for the distributed authentica-
tion process is 0.734 ms and the average is 0.672 ms and the
maximal communication overhead is 9.21 KB and the average
is 8.17 KB.
The communication overhead has no significant difference
among the existing approaches because it mainly comes
from the transmission of the sender’s certificate [17]. Thus,
our main concern is the time consumption to authenticate
either one certificate or n certificates. We compare BPPA
with the state-of-the-art schemes, including the key-insulated
pseudonym self-delegation (KPSD) scheme [18], the identity-
based conditional privacy-preserving authentication (IBCPPA)
scheme [19], the efficient anonymous authentication scheme
with conditional privacy-preserving (EAAP) [20], and the
computationally efficient privacy-preserving authentication
scheme for VANETs (CPAV) [21]. The cryptographic prim-
itives in these schemes are implemented using the Python
Charm-Crypto library [22]. Here, we give the average exe-
cution time of different cryptographic operations.
1) Tbp is the execution time for performing a bilinear pairing
operation [23]. Tbd ≈ 18.427 ms.
2) Tep1 is the execution time for performing an exponentia-
tion in G1 of the bilinear pairing [23]. Tep1 ≈ 9.171 ms.
3) Tep2 is the execution time for performing an exponentia-
tion in G2 of the bilinear pairing [23]. Tep2 ≈ 7.928 ms.
4) Tpm is the execution time for performing an elliptic curve
point multiplication. Tpm ≈ 0.273 ms.
5) Tpa is the execution time for performing an elliptic curve
point addition. Tpa ≈ 0.019 ms.
6) Th is the execution time for performing a hash function.
Th ≈ 0.001 ms.
The computational costs of various schemes in the certificate
authentication process are listed in Table III. Since the hash
function and the elliptic curve point operations have much less
computational cost than the bilinear pairing operation [17],
our proposed BPPA is most efficient among the existing
schemes. As shown in Fig. 9, BPPA takes only 59 ms to
authenticate 100 certificates, which means it is able to perform
normally in the scenario of heavy traffic congestion. Therefore,
BPPA achieves scalability and efficiency in the distributed
Authorized licensed use limited to: G.Pulla Reddy Engineering College. Downloaded on April 08,2021 at 13:08:05 UTC from IEEE Xplore. Restrictions apply.
Fig. 9. Computational cost for certificate authentication.
authentication by eliminating the CRL and the bilinear pairing
operations.
VII. C ONCLUSION
In this paper, we employ the CMT and the MPT to
extend the conventional blockchain structure and propose a
novel privacy-preserving authentication scheme for VANETs.
Our proposed BPPA scheme is featured with authentication
security, conditional privacy, certificate and revocation trans-
parency, and efficiency and scalability. First, the transactions
are recorded in the blockchain that makes the activities of the
semi-TAs transparent and verifiable for each entity. Second,
the global consensus mechanism of the blockchain and the
classical cryptographic primitives provide a secure authenti-
cation scheme against the attack models. Third, the linka-
bility between a vehicle’s certificates and its real identity is
encrypted using the secret key of the authority. Thus, the real
identity of a target vehicle can be revealed if and only if
there are disputes. Finally, we implement the proposed scheme
on a permissioned blockchain platform. The experimental
results demonstrate that it is of high throughput and low
latency for the authorities to issue or revoke a certificate. For
the resource-limited vehicles, the computational cost of the
distributed authentication is definitely acceptable. In summary,
the proposed BPPA scheme provides an effective solution to
address the trust and privacy issues of VANETs.
R EFERENCES
[1] Z. Lu, G. Qu, and Z. Liu, “A survey on recent advances in vehicular
network security, trust, and privacy,” IEEE Trans. Intell. Transp. Syst.,
vol. 20, no. 2, pp. 760–776, Feb. 2019.
[2] M. Azees, P. Vijayakumar, and L. J. Deborah, “Comprehensive survey
on security services in vehicular ad-hoc networks,” IET Intell. Transp.
Syst., vol. 10, no. 6, pp. 379–388, 2016.
[3] R. Canetti, D. Shahaf, and M. Vald, “Universally composable authenti-
cation and key-exchange with global PKI,” in Public-Key Cryptography–
PKC. Berlin, Germany: Springer, 2016, pp. 265–296.
[4] A. Yang, X. Tan, J. Baek, and D. S. Wong, “A new ADS-B authentication
framework based on efficient hierarchical identity-based signature with
batch verification,” IEEE Trans. Services Comput., vol. 10, no. 2,
pp. 165–175, Mar./Apr. 2017.
[5] A. Karati, S. H. Islam, and M. Karuppiah, “Provably secure and
lightweight certificateless signature scheme for IIoT environments,”
IEEE Trans. Ind. Informat., vol. 14, no. 8, pp. 3701–3711, Aug. 2018.
[6] E. Androulaki et al., “Hyperledger fabric: A distributed operating system
for permissioned blockchains,” in Proc. 13th EuroSys Conf., Apr. 2018,
p. 30.
LU et al.: BLOCKCHAIN-BASED PRIVACY-PRESERVING AUTHENTICATION SCHEME 2801

[7] Z. Lu, Q. Wang, G. Qu, and Z. Liu, “BARS: A blockchain-based Qian Wang received the M.S. degree in electri-
anonymous reputation system for trust management in VANETs,” in cal engineering from Tsinghua University, Beijing,
Proc. 17th IEEE Int. Conf. Trust, Secur. Privacy Comput. Commun./12th China, in 2014. She is currently working toward the
IEEE Int. Conf. Big Data Sci. Eng. (TrustCom/BigDataSE), Aug. 2018, Ph.D. degree at the Maryland Embedded Systems
pp. 98–103. and Hardware Security Laboratory, University of
[8] S. Nakamoto. (2008). Bitcoin: A Peer-To-Peer Electronic Cash System. Maryland, College Park, MD, USA.
[Online]. Available: http: //bitcoin.org/bitcoin.pdf Her current research interests include embedded
[9] H. Li, Q. Liu, and F. Chen, “Signal word-level statistical properties- system, hardware security, and vehicular ad hoc
based activation approach for hardware Trojan detection in DSP networks (VANETs) security.
circuits,” IET Comput. Digit. Techn., vol. 12, no. 6, pp. 258–267,
Nov. 2018.
[10] Z. Lu, W. Liu, Q. Wang, G. Qu, and Z. Liu, “A privacy-preserving
trust model based on blockchain for VANETs,” IEEE Access, vol. 6,
pp. 45655–45664, 2018.
[11] Y. Zhang, R. H. Deng, X. Liu, and D. Zheng, “Blockchain based efficient
and robust fair payment for outsourcing services in cloud computing,”
Inf. Sci., vol. 462, pp. 262–277, Sep. 2018.
[12] G. Wood, “Ethereum: A secure decentralised generalised transaction Gang Qu (SM’07) received the Ph.D. degree in
ledger,” Ethereum Project Yellow Paper, vol. 151, pp. 1–32, Apr. 2014. computer science from the University of Cali-
[13] J. Bonneau, “Ethiks: Using ethereum to audit a coniks key transparency fornia at Los Angeles, Los Angeles, CA, USA,
log,” in Proc. Int. Conf. Financial Cryptogr. Data Secur. Berlin, Ger- in 2000.
many: Springer, 2016, pp. 95–105. He is currently a Professor at the Department of
[14] J. Zhu, Q. Li, C. Wang, X. Yuan, Q. Wang, and K. Ren, “Enabling Electrical and Computer Engineering and the Insti-
generic, verifiable, and secure data search in cloud services,” IEEE tute for Systems Research, University of Maryland,
Trans. Parallel Distrib. Syst., vol. 29, no. 8, pp. 1721–1735, Aug. 2018. College Park, MD, USA, where he is the Direc-
[15] A. Singh, B. Sengupta, and S. Ruj, “Certificate transparency with tor of the Maryland Embedded Systems and Hard-
enhancements and short proofs,” in Proc. Australas. Conf. Inf. Secur. ware Security Laboratory and the Wireless Sensors
Privacy. Cham, Switzerland: Springer, 2017, pp. 381–389. Laboratory. His current research interests include
[16] D. S. V. Madala, M. P. Jhanwar, and A. Chattopadhyay, “Certificate embedded systems and VLSI computer-aided design (CAD) with a focus on
transparency using blockchain,” in Proc. IEEE Int. Conf. Data Mining low-power system design and hardware-related security and trust.
Workshops (ICDMW), Nov. 2018, pp. 71–80.
[17] S. H. Islam, M. S. Obaidat, P. Vijayakumar, E. Abdulhay, F. Li, and
M. K. C. Reddy, “A robust and efficient password-based conditional
privacy preserving authentication and group-key agreement protocol for
VANETs,” Future Gener. Comput. Syst., vol. 84, pp. 216–227, Jul. 2018.
[18] R. Lu, X. Lin, T. Luan, X. Liang, and X. Shen, “Pseudonym changing
at social spots: An effective strategy for location privacy in VANETs,”
IEEE Trans. Veh. Technol., vol. 61, no. 1, pp. 86–96, Jan. 2012.
Haichun Zhang received the B.S. degree in elec-
[19] J. Shao, X. Lin, R. Lu, and C. Zuo, “A threshold anonymous authenti-
tronic science and technology from the Huazhong
cation protocol for VANETs,” IEEE Trans. Veh. Technol., vol. 65, no. 3,
University of Science and Technology, Wuhan,
pp. 1711–1720, Mar. 2016.
China, in 2016, where he is currently working
[20] M. Azees, P. Vijayakumar, and L. J. Deboarh, “EAAP: Efficient anony-
toward the Ph.D. degree in microelectronic and
mous authentication with conditional privacy-preserving scheme for
solid-state electronics.
vehicular ad hoc networks,” IEEE Trans. Intell. Transp. Syst., vol. 18,
His current research interests include embedded
no. 9, pp. 2467–2476, Sep. 2017.
system security, VLSI design, vehicular security, and
[21] P. Vijayakumar, V. Chang, L. J. Deborah, B. Balusamy, and
physical unclonable function (PUF).
P. G. Shynu, “Computationally efficient privacy preserving anonymous
mutual and batch authentication schemes for vehicular ad hoc networks,”
Future Generat. Comput. Syst., vol. 78, pp. 943–955, Jan. 2016.
[22] J. A. Akinyele et al., “Charm: A framework for rapidly prototyping
cryptosystems,” J. Cryptograph. Eng., vol. 3, no. 2, pp. 111–128, 2013.
[23] P. Vijayakumar, M. Azees, and L. J. Deborah, “CPAV: Computation-
ally efficient privacy preserving anonymous authentication scheme for
vehicular Ad hoc networks,” in Proc. IEEE 2nd Int. Conf. Cyber Secur.
Cloud Comput., Nov. 2015, pp. 62–67.

Zhaojun Lu received the Ph.D. degree in microelec-
tronic and solid-state electronics from the Huazhong
University of Science and Technology, Wuhan,
China, in 2018.
He is currently a Postdoctoral Researcher at the
Department of Electrical and Computer Engineering,
University of Maryland, College Park, MD, USA.
His current research interests include embedded sys-
tem security, VLSI design, and vehicular ad hoc
networks (VANETs) security and privacy.
Zhenglin Liu received the Ph.D. degree from the
Department of Electronic Science and Technology,
Huazhong University of Science and Technology,
Wuhan, China, in 2001.
He is currently a Professor at the School of Optical
and Electronic Information, Huazhong University of
Science and Technology. His current research inter-
ests include embedded system security and VLSI
design.

Authorized licensed use limited to: G.Pulla Reddy Engineering College. Downloaded on April 08,2021 at 13:08:05 UTC from IEEE Xplore. Restrictions apply.