A Blockchain-Based Privacy-Preserving
Authentication Scheme for VANETs
Zhaojun Lu , Qian Wang , Gang Qu , Senior Member, IEEE, Haichun Zhang, and Zhenglin Liu
Abstract— The privacy-preserving authentication is considered as the first line of defense against the attacks in addition to preserving the identity privacy of the vehicles in the vehicular ad hoc networks (VANETs). However, the existing authentication schemes suffer from drawbacks such as nontransparency of the trusted authorities (TAs), heavy workload to revoke certificates, and high computation overhead to authenticate identities and messages. In this paper, we propose a blockchain-based privacy-preserving authentication (BPPA) scheme for VANETs. In BPPA, all the certificates and transactions are recorded permanently and immutably in the blockchain to make the activities of the semi-TAs transparent and verifiable. However, it remains a challenge how to use such a blockchain effectively for authentication in real driving scenarios (e.g., high speed or a large amount of messages during congestion). With a novel data structure named the Merkle Patricia tree (MPT), we extend the conventional blockchain structure to provide a distributed authentication scheme without the revocation list. To achieve conditional privacy, we allow a vehicle to use multiple certificates. The linkability between the certificates and the real identity is encrypted and stored in the blockchain and can only be revealed in case of disputes. We evaluate the validity and performance of BPPA on the Hyperledger Fabric (HLF) platform for each entity. The experimental results show that the distributed authentication can be processed by individual vehicles within 1 ms, which meets the real-time requirement and is much more efficient, in terms of the processing time and storage requirement, than existing approaches.

Index Terms— Blockchain, privacy-preserving authentication, semitrusted authority, transparency, vehicular ad hoc networks (VANETs).

I. INTRODUCTION

of communications, namely, the vehicle-to-vehicle (V2V) communication and the vehicle-to-infrastructure (V2I) communication [1]. Through the dedicated short-range communication (DSRC), the vehicles can exchange safety messages in V2V and communicate directly with the roadside units (RSUs) in V2I [1]. Due to the open nature of VANETs, a privacy-preserving authentication scheme should be provided against potential attacks [2]. Without authentication, a malicious vehicle may impersonate any authorized vehicle to broadcast forged messages. Moreover, if the identity privacy is not preserved, the adversary can easily track the target vehicle by analyzing the broadcasted messages, which could be a serious threat to the drivers.

Many research efforts have been dedicated to designing privacy-preserving authentication schemes for VANETs based on the basic idea of using a digital pseudonym as a unique identifier for authentication without any personally identifiable information [1]. In the conventional public key infrastructure (PKI)-based schemes [3], a certificate issued by the certificate authority (CA) consists of a vehicle's public key and CA's digital signature. A vehicle uses its private key to generate the signature for each message. The public key is used for verification by the receivers without revealing the sender's real identity. In the identity-based signature (IBS)-based schemes [4], the private key generator (PKG) acts as the trusted authority (TA) to generate and assign the private keys to the vehicles. Then, each vehicle uses an identifier as a pseudonym and signs messages with the private key from PKG. In order to solve the escrow problem in IBS that PKG
Authorized licensed use limited to: G.Pulla Reddy Engineering College. Downloaded on April 08,2021 at 13:08:05 UTC from IEEE Xplore. Restrictions apply.
LU et al.: BLOCKCHAIN-BASED PRIVACY-PRESERVING AUTHENTICATION SCHEME 2793
2794 IEEE TRANSACTIONS ON VERY LARGE SCALE INTEGRATION (VLSI) SYSTEMS, VOL. 27, NO. 12, DECEMBER 2019
TABLE I
NOTATIONS AND DEFINITIONS
a revocation transaction is broadcasted by CA, a leaf node will be inserted or deleted, respectively, and the root of MPT will be updated. The transaction and the corresponding root of MPT will be recorded chronologically in CMT. We take the root of CMT as the Transaction Root and the root of MPT as the Certificate Root. The Transaction Root and the Certificate Root will be written immutably in the blockchain.

The significance of the extended blockchain lies in two aspects. First, it provides a simplified verification method for whether a specific certificate is in MPT or not. Given the Certificate Root and a tuple M containing the nodes along the path, the verifier can calculate a hash using the tuple M. If this hash is equal to the Certificate Root in the blockchain, it is proven that the certificate is in MPT. Second, it makes the activities of the authorities transparent. Given the Transaction Root and a tuple C, it can be verified when a specific certificate is issued or revoked.

B. Initialization

An elliptic curve E is set for the system, where y^2 = x^3 + ax + b (mod p) (a, b ∈ Z_q^*, and p is a large prime number). The system chooses the elliptic group of points E_q(a, b), where q is the order and G is the generator. LEA and CA randomly select their private keys PR_LEA and PR_CA, respectively, and then compute their public keys PU_LEA = PR_LEA × G and PU_CA = PR_CA × G. We choose SHA as the hash function (H: {0, 1}^* → Z_q^*), AES as the symmetric cryptographic algorithm (E_key and D_key), ECC as the asymmetric cryptographic algorithm (AE_PU and AD_PR), and ECDSA as the digital signature algorithm (Sig_PR). Finally, the system parameters are published as param = (G, PU_LEA, PU_CA, H, E_key, D_key, AE_PU, AD_PR, Sig_PR).

The vehicle initialization is similar to the certificate issuance. When a brand new vehicle V_i joins VANETs, it computes its initial public key using its initial private key and requests LEA for the initial certificate. Then, LEA sends CA the authorization to issue an initial certificate to V_i. After verifying the authorization from LEA, CA broadcasts an issuance transaction and writes the initial certificate into MPT as a new leaf node. Finally, V_i receives its initial certificate. The detailed process of the certificate issuance is explained in Section IV-C.

C. Certificate Issuance

When the current certificate is about to expire or a new certificate is required for security and privacy reasons, V_i should send a request to LEA for a new certificate. There are five steps for the certificate issuance.
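The membership check that the extended blockchain provides, where a verifier hashes a certificate up the nodes of tuple M and compares the result with the Certificate Root, can be exercised with the following added example. It is not the paper's code (the authors implemented their MPT in Python); Go is used here because Hyperledger Fabric and its chaincode are written in Go. The example replaces the Merkle Patricia tree with a sorted binary Merkle tree, so tuple M is simply the list of sibling hashes, and it treats each certificate C_i as an opaque byte string; the function names and the five sample certificates are this example's own.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
	"sort"
)

// node hashes a tagged node: tag 0 for leaves and 1 for inner nodes, so a leaf
// can never be confused with an inner node built from the same bytes.
func node(tag byte, parts ...[]byte) []byte {
	d := sha256.New()
	d.Write([]byte{tag})
	for _, p := range parts {
		d.Write(p)
	}
	return d.Sum(nil)
}

// pair hashes two children in sorted order, so a path needs no left/right flags.
// A sorted binary Merkle tree stands in for the paper's MPT (a simplification).
func pair(a, b []byte) []byte {
	if bytes.Compare(a, b) > 0 {
		a, b = b, a
	}
	return node(1, a, b)
}

// CertificateRoot commits to the set of issued, unrevoked certificates (each an
// opaque encoding of C_i; the set must be non-empty). It returns the root and,
// when target is in the set, target's sibling path, i.e. the paper's tuple M.
func CertificateRoot(certs [][]byte, target []byte) (root []byte, path [][]byte) {
	level := make([][]byte, 0, len(certs))
	for _, c := range certs {
		level = append(level, node(0, c))
	}
	sort.Slice(level, func(i, j int) bool { return bytes.Compare(level[i], level[j]) < 0 })
	idx, want := -1, node(0, target)
	for i := range level {
		if bytes.Equal(level[i], want) {
			idx = i
		}
	}
	for len(level) > 1 {
		if len(level)%2 == 1 { // odd level: duplicate the last node
			level = append(level, level[len(level)-1])
		}
		var next [][]byte
		for i := 0; i < len(level); i += 2 {
			next = append(next, pair(level[i], level[i+1]))
		}
		if idx >= 0 {
			path, idx = append(path, level[idx^1]), idx/2
		}
		level = next
	}
	return level[0], path
}

// VerifyInclusion is the receiver's check: hash C_i up tuple M and compare with
// the Certificate Root from the latest block. Equality means the certificate is
// issued and not revoked; no revocation list is consulted.
func VerifyInclusion(root, cert []byte, path [][]byte) bool {
	h := node(0, cert)
	for _, sib := range path {
		h = pair(h, sib)
	}
	return bytes.Equal(h, root)
}

// Scenario issues five constructed certificates, proves one, then shows what
// happens to a certificate that was never issued and to one revoked by CA.
func Scenario() (genuine, neverIssued, afterRevocation bool, pathLen int) {
	certs := [][]byte{[]byte("cert-A"), []byte("cert-B"), []byte("cert-C"), []byte("cert-D"), []byte("cert-E")}
	root, path := CertificateRoot(certs, certs[2])
	genuine = VerifyInclusion(root, certs[2], path)
	neverIssued = VerifyInclusion(root, []byte("cert-forged"), path)
	// CA revokes cert-C: the leaf is deleted and a new root is written to the
	// chain, so the old proof no longer verifies against the current root.
	newRoot, _ := CertificateRoot(append(certs[:2:2], certs[3:]...), certs[0])
	afterRevocation = VerifyInclusion(newRoot, certs[2], path)
	return genuine, neverIssued, afterRevocation, len(path)
}

func main() {
	g, n, r, l := Scenario()
	fmt.Printf("genuine: %v, never issued: %v, after revocation: %v, path length: %d\n", g, n, r, l)
}
```

The three outcomes are the ones the text relies on: a genuine proof verifies, a certificate CA never issued has no path to the root, and once CA deletes a leaf and records the new root, the old proof stops verifying, which is what lets a receiver do without a revocation list. The path length grows logarithmically in the number of certificates, which is the source of the O(log N) verification cost reported later for Table II.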
2) Man-in-the-Middle Attack: The adversary intercepts messages and performs data tampering using a forged certificate. The two sides of the communication are unaware of the facts.
3) Replay Attack: The adversary replays the previously obtained legitimate signature to the receiver.
4) Identity Revealing Attack: The adversary attempts to reveal the real identity of a target vehicle. Then the adversary can illegally gather the personal data about the vehicle, which will threaten the privacy of the driver.
5) Authority Abuse Attack: The semi-TAs arbitrarily issue certificates to illegal vehicles or revoke certificates of legal vehicles.

B. Security Proof

We assume the security of the blockchain itself, the classical cryptographic primitives, and the secret key and the private key of each entity. The security of BPPA is guaranteed by the following theorems.

Theorem 1: The authentication in the proposed scheme is secure against the forgery attack, the man-in-the-middle attack, and the replay attack.

Proof: In the distributed authentication, the sender V_i provides the Tuple = (C_i, tuple M, Sig_PR_i). The receiver calculates the root hash using the certificate C_i and the tuple M. If this root hash is equal to the Certificate Root stored in the latest block, it is proved that V_i's certificate is present in MPT, which means that V_i's certificate has been issued but not revoked by CA. Since the SHA used in the proposed scheme is collision-resistant, it is infeasible for the adversary to forge a certificate and find a tuple M whose root hash is equal to the Certificate Root in the blockchain. The security of ECDSA guarantees that it is infeasible to forge a valid signature Sig_PR_i without knowing the private key PR_i of V_i. Therefore, the forgery attack and the man-in-the-middle attack are thwarted by the identity authentication and the signature verification. Moreover, each broadcasted message carries a timestamp to meet the real-time requirement of the applications in VANETs. The replay attack is thwarted since the adversary cannot provide a valid signature if the timestamp is changed.

Theorem 2: No entity except LEA is able to reveal the real identity of a target vehicle from the public database and the broadcasted messages.

Proof: The identity privacy of the vehicles is enhanced in two ways. First, the public keys are used as the pseudonyms in V2V and V2I communications to preserve the real identities of the vehicles. Second, the linkability between the certificates of a vehicle and its real identity is encrypted to prevent the adversary from tracking a target vehicle. V_i's certificate C_i = (PU_i, T, t, E_LEA(ID_i || r_LEA)) is recorded as a Leaf Node in the public MPT. Without the secret key PR_LEA of LEA, it is infeasible for the adversary to decipher Link_i = E_LEA(ID_i || r_LEA) to reveal ID_i. Moreover, the random number r_LEA makes the Links in V_i's certificates totally different, which makes it infeasible for the adversary to get the linkability between V_i's previous certificates. In case of disputes, LEA is able to decrypt Link_i and reveal the real identity ID_i of the target vehicle V_i.

Theorem 3: All the activities of semi-TAs are transparent and verifiable for each entity in VANETs.

Proof: Since the CMT and the MPT are built with SHA, the data of the blockchain cannot be tampered with by the adversary. All the transactions broadcasted by CA as well as the certificates are recorded publicly and immutably in the database. Each transaction contains the signatures of CA and LEA, so it is nonrepudiable that LEA has sent CA an authorization to issue or revoke a certificate. The root of the MPT that changes due to the insert or delete operation by CA is attached to the corresponding transaction, which is recorded chronologically in the CMT. To verify the validity of MPT, the verifier can perform the inverse operation and compare the changed root of MPT with the root attached to the previous transaction. For example, given two adjacent transactions in the CMT, transaction_0 with root_0 of MPT_0 and transaction_1 with root_1 of MPT_1, the verifier either inserts the certificate into MPT_1 if transaction_1 is a revocation transaction or deletes the certificate from MPT_1 if transaction_1 is an issuance transaction. If the changed root_1 is equal to the root_0 of MPT_0, it means that MPT_1 is valid. Therefore, CA cannot arbitrarily issue or revoke a certificate without the authorization from LEA.

VI. PERFORMANCE EVALUATION

In this section, we provide details of the experiment settings, the cost and latency of the certificate issuance and revocation, and the overhead of the distributed authentication process. We compare BPPA with the state-of-the-art approaches to demonstrate its practical viability.

A. Experiment Settings

Since each entity in BPPA uses a specific certificate in the communications, we conduct a set of experiments on IBM's HLF platform v1.1, which is a permissioned blockchain that securely tracks the execution history in an append-only replicated data structure without a built-in cryptocurrency [6]. The public MPT and the classical cryptographic primitives are implemented using Python. We have eight laptops with a 2.5-GHz Intel Core i5 CPU and 8-GB RAM to simulate the entities in the system. All the laptops are connected to each other through a 1-Gb/s switch.

The experiment setting for the certificate issuance and revocation process is shown in Fig. 6(a). To harmonize the terminology with HLF, we use the ordering service node (OSN) instead of LEA, the client instead of CA, and the endorsing peers instead of RSUs. We have three organizations, and each contributes two endorsing peers to the blockchain network. The endorsement policy on transactions is set so that a transaction will be successfully committed on the blockchain if it has signatures from at least one peer from each organization. The OSN is run in the solo mode. The transaction flow is illustrated in Fig. 1. As shown in Fig. 6(b), two laptops are used for RSUs and six laptops are used for vehicles in the distributed authentication process. A sender vehicle is randomly selected and provides the receivers a Tuple = (C_i, tuple M, Sig_PR_i) for the certificate authentication.

Fig. 6. Experiment settings. (a) Certificate issuance and revocation. (b) Distributed authentication.

B. Certificate Issuance and Revocation

When an endorsing peer receives a transaction broadcasted by the client, it should verify the validity of the public MPT and the signatures of the OSN and the client. We set the number N of certificates in the MPT as 10^4, 10^5, 10^6, and 10^7. Without loss of generality, the ith public key is the 256-bit hash of the number i. First, we construct an MPT that consists of N leaf nodes. Then, we randomly choose 10^4 different numbers larger than N to perform the verification of the issuance transactions and the revocation transactions. The results in Table II demonstrate that the complexity to verify a transaction is O(log N). Moreover, in VANETs with 10^7 certificates, the maximal time consumption to verify an issuance transaction is 12.236 ms and the average is 1.762 ms, and the maximal time consumption to verify a revocation transaction is 15.152 ms and the average is 1.738 ms.

TABLE II
COST OF CERTIFICATE ISSUANCE AND REVOCATION

Transaction throughput is defined as the rate at which transactions are committed to the blockchain, and transaction latency is defined as the time taken from when the transaction is broadcasted to when the transaction is successfully committed [6]. When either a maximum number of new transactions have been broadcasted by the client or a configured timeout since the last block has elapsed, the OSN will generate a new block and send it to all the endorsing peers. Letting the client broadcast the transactions at the highest rate, we evaluate the impact of the block size on the transaction throughput and the transaction latency. For uniformity, we set the transaction size as 5 KB. We run experiments varying the block size from 1 to 4 MB. The peak throughput and the average latency are shown in Fig. 7. The results show that when the block size is larger than 3 MB, the peak throughput for the two kinds of transactions does not increase significantly, while the average latency increases as the block grows larger. If we set the block size as 3 MB, the peak throughput for the issuance transaction and the revocation transaction is 187 and 191 tps, respectively, and the average latencies for the issuance transaction and the revocation transaction are 1475 and 1445 ms, respectively, which is acceptable for the certificate issuance and revocation.

Singh et al. [15] made use of the dynamic bilinear-map accumulators to achieve the certificate and revocation transparency with low verification cost. However, the cost of revocation is O(m) (m is the total number of active certificates present in the log structure) for the bilinear-map accumulator [15], which will incur a huge computational cost for the semi-TAs. Moreover, the communication overhead and the hours of latency to update the log are unacceptable for the individual vehicles. Madala et al. [16] leveraged the chaincode in HLF to modify the world state in the blockchain for the certificate and revocation transparency. The main drawback is that the database used in the scheme is not a cryptographically authenticated data structure like the MPT. The modification of a tuple in the public database cannot be monitored or verified if the adversary does not invoke a chaincode. Therefore, it does not achieve true transparency. Compared with the existing approaches, BPPA adopts the novel MPT to make the activities of the semi-TAs transparent and verifiable for all the entities and solves the bottleneck in terms of cost and latency for the certificate issuance and revocation.

C. Distributed Authentication

We set N as 10^4, 10^5, 10^6, and 10^7 and randomly choose 10^4 different certificates to perform the distributed authentication. Fig. 8 shows the time consumption and the
TABLE III
CERTIFICATE AUTHENTICATION COST OF VARIOUS SCHEMES
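The message-level part of the distributed authentication argued in Theorem 1 and measured in Section VI-C, i.e. what a receiver does after the certificate's presence in the MPT has been checked, as an added example in Go (not the paper's code, which is Python; Go is chosen because Hyperledger Fabric is written in it). It assumes the sender signs H(msg || timestamp) with ECDSA over P-256, that receivers tolerate a 5-second clock skew, and a constructed safety message; the function names are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Freshness is how many seconds a message timestamp may deviate from the
// receiver's clock before the message is treated as replayed (assumption).
const Freshness = 5

// digest binds the message to its timestamp: H(msg || ts).
func digest(msg []byte, ts int64) []byte {
	var tsb [8]byte
	binary.BigEndian.PutUint64(tsb[:], uint64(ts))
	h := sha256.Sum256(append(append([]byte{}, msg...), tsb[:]...))
	return h[:]
}

// Sign is the sender side: Sig_PR_i over H(msg || ts) with the private key
// behind the PU_i in the sender's current certificate.
func Sign(priv *ecdsa.PrivateKey, msg []byte, ts int64) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, digest(msg, ts))
}

// VerifyMessage is the receiver side of Theorem 1 once the certificate's MPT
// inclusion has been verified: reject timestamps outside the freshness window
// (replay), then verify the ECDSA signature under the PU_i carried in C_i.
func VerifyMessage(pu *ecdsa.PublicKey, msg, sig []byte, ts, now int64) error {
	if now-ts > Freshness || ts-now > Freshness {
		return errors.New("timestamp outside freshness window: possible replay")
	}
	if !ecdsa.VerifyASN1(pu, digest(msg, ts), sig) {
		return errors.New("signature invalid: message or timestamp altered, or wrong key")
	}
	return nil
}

// Scenario signs one constructed safety message and runs the receiver's check
// on it as sent, replayed 60 s later unchanged, replayed with a fresh timestamp
// pasted on, and with its body altered in transit.
func Scenario() (genuine, replayed, retimestamped, tampered error) {
	sender, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	now := int64(1700000000)
	msg := []byte("constructed BSM: lat=38.99 lon=-76.94 speed=27")
	sig, err := Sign(sender, msg, now)
	if err != nil {
		panic(err)
	}
	pu := &sender.PublicKey
	genuine = VerifyMessage(pu, msg, sig, now, now+1)
	replayed = VerifyMessage(pu, msg, sig, now, now+60)
	retimestamped = VerifyMessage(pu, msg, sig, now+60, now+61)
	tampered = VerifyMessage(pu, []byte("constructed BSM: lat=38.99 lon=-76.94 speed=99"), sig, now, now+1)
	return
}

func main() {
	g, r, rt, t := Scenario()
	fmt.Printf("genuine: %v\nreplayed: %v\nre-timestamped: %v\ntampered: %v\n", g, r, rt, t)
}
```

The re-timestamped case is the one the proof of Theorem 1 turns on: the timestamp is inside the signed digest, so an adversary who captures a valid message cannot refresh its timestamp without producing a signature it does not hold the key for, and a stale timestamp is rejected before the signature is even checked.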
[7] Z. Lu, Q. Wang, G. Qu, and Z. Liu, "BARS: A blockchain-based anonymous reputation system for trust management in VANETs," in Proc. 17th IEEE Int. Conf. Trust, Secur. Privacy Comput. Commun./12th IEEE Int. Conf. Big Data Sci. Eng. (TrustCom/BigDataSE), Aug. 2018, pp. 98–103.
[8] S. Nakamoto. (2008). Bitcoin: A Peer-To-Peer Electronic Cash System. [Online]. Available: http://bitcoin.org/bitcoin.pdf
[9] H. Li, Q. Liu, and F. Chen, "Signal word-level statistical properties-based activation approach for hardware Trojan detection in DSP circuits," IET Comput. Digit. Techn., vol. 12, no. 6, pp. 258–267, Nov. 2018.
[10] Z. Lu, W. Liu, Q. Wang, G. Qu, and Z. Liu, "A privacy-preserving trust model based on blockchain for VANETs," IEEE Access, vol. 6, pp. 45655–45664, 2018.
[11] Y. Zhang, R. H. Deng, X. Liu, and D. Zheng, "Blockchain based efficient and robust fair payment for outsourcing services in cloud computing," Inf. Sci., vol. 462, pp. 262–277, Sep. 2018.
[12] G. Wood, "Ethereum: A secure decentralised generalised transaction ledger," Ethereum Project Yellow Paper, vol. 151, pp. 1–32, Apr. 2014.
[13] J. Bonneau, "EthIKS: Using Ethereum to audit a CONIKS key transparency log," in Proc. Int. Conf. Financial Cryptogr. Data Secur. Berlin, Germany: Springer, 2016, pp. 95–105.
[14] J. Zhu, Q. Li, C. Wang, X. Yuan, Q. Wang, and K. Ren, "Enabling generic, verifiable, and secure data search in cloud services," IEEE Trans. Parallel Distrib. Syst., vol. 29, no. 8, pp. 1721–1735, Aug. 2018.
[15] A. Singh, B. Sengupta, and S. Ruj, "Certificate transparency with enhancements and short proofs," in Proc. Australas. Conf. Inf. Secur. Privacy. Cham, Switzerland: Springer, 2017, pp. 381–389.
[16] D. S. V. Madala, M. P. Jhanwar, and A. Chattopadhyay, "Certificate transparency using blockchain," in Proc. IEEE Int. Conf. Data Mining Workshops (ICDMW), Nov. 2018, pp. 71–80.
[17] S. H. Islam, M. S. Obaidat, P. Vijayakumar, E. Abdulhay, F. Li, and M. K. C. Reddy, "A robust and efficient password-based conditional privacy preserving authentication and group-key agreement protocol for VANETs," Future Gener. Comput. Syst., vol. 84, pp. 216–227, Jul. 2018.
[18] R. Lu, X. Lin, T. Luan, X. Liang, and X. Shen, "Pseudonym changing at social spots: An effective strategy for location privacy in VANETs," IEEE Trans. Veh. Technol., vol. 61, no. 1, pp. 86–96, Jan. 2012.
[19] J. Shao, X. Lin, R. Lu, and C. Zuo, "A threshold anonymous authentication protocol for VANETs," IEEE Trans. Veh. Technol., vol. 65, no. 3, pp. 1711–1720, Mar. 2016.
[20] M. Azees, P. Vijayakumar, and L. J. Deboarh, "EAAP: Efficient anonymous authentication with conditional privacy-preserving scheme for vehicular ad hoc networks," IEEE Trans. Intell. Transp. Syst., vol. 18, no. 9, pp. 2467–2476, Sep. 2017.
[21] P. Vijayakumar, V. Chang, L. J. Deborah, B. Balusamy, and P. G. Shynu, "Computationally efficient privacy preserving anonymous mutual and batch authentication schemes for vehicular ad hoc networks," Future Gener. Comput. Syst., vol. 78, pp. 943–955, Jan. 2016.
[22] J. A. Akinyele et al., "Charm: A framework for rapidly prototyping cryptosystems," J. Cryptograph. Eng., vol. 3, no. 2, pp. 111–128, 2013.
[23] P. Vijayakumar, M. Azees, and L. J. Deborah, "CPAV: Computationally efficient privacy preserving anonymous authentication scheme for vehicular ad hoc networks," in Proc. IEEE 2nd Int. Conf. Cyber Secur. Cloud Comput., Nov. 2015, pp. 62–67.

Zhaojun Lu received the Ph.D. degree in microelectronic and solid-state electronics from the Huazhong University of Science and Technology, Wuhan, China, in 2018. He is currently a Postdoctoral Researcher at the Department of Electrical and Computer Engineering, University of Maryland, College Park, MD, USA. His current research interests include embedded system security, VLSI design, and vehicular ad hoc networks (VANETs) security and privacy.

Qian Wang received the M.S. degree in electrical engineering from Tsinghua University, Beijing, China, in 2014. She is currently working toward the Ph.D. degree at the Maryland Embedded Systems and Hardware Security Laboratory, University of Maryland, College Park, MD, USA. Her current research interests include embedded systems, hardware security, and vehicular ad hoc networks (VANETs) security.

Gang Qu (SM'07) received the Ph.D. degree in computer science from the University of California at Los Angeles, Los Angeles, CA, USA, in 2000. He is currently a Professor at the Department of Electrical and Computer Engineering and the Institute for Systems Research, University of Maryland, College Park, MD, USA, where he is the Director of the Maryland Embedded Systems and Hardware Security Laboratory and the Wireless Sensors Laboratory. His current research interests include embedded systems and VLSI computer-aided design (CAD) with a focus on low-power system design and hardware-related security and trust.

Haichun Zhang received the B.S. degree in electronic science and technology from the Huazhong University of Science and Technology, Wuhan, China, in 2016, where he is currently working toward the Ph.D. degree in microelectronic and solid-state electronics. His current research interests include embedded system security, VLSI design, vehicular security, and physical unclonable function (PUF).

Zhenglin Liu received the Ph.D. degree from the Department of Electronic Science and Technology, Huazhong University of Science and Technology, Wuhan, China, in 2001. He is currently a Professor at the School of Optical and Electronic Information, Huazhong University of Science and Technology. His current research interests include embedded system security and VLSI design.