IEEE TRANSACTIONS ON VEHICULAR TECHNOLOGY, VOL. 68, NO.
12, DECEMBER 2019
Broadcast Authentication in Latency-Critical
Applications: On the Efficiency of IEEE 1609.2
Mir Ali Rezazadeh Baee , Leonie Simpson , Ernest Foo , and Josef Pieprzyk
Abstract—Standards such as the American IEEE 1609, Euro-
pean ETSI ITS-G5, and Japanese ARIB STD-T109 aim to es-
tablish Cooperative Intelligent Transportation Systems (C-ITS)
by enabling Vehicular Ad-Hoc Networks (VANETs). In VANETs,
vehicles communicate with other vehicles and roadside infrastruc-
ture to support latency-critical applications which increase driver
awareness of the surroundings. This should result in improved
safety and possibly optimizing traffic. However, to secure VANET
communications against message manipulation or replaying, se-
curity standards such as IEEE 1609.2 and ETSI TS 103 097 are
proposed. In this work, we implement the cryptographic primi-
tives recommended in the IEEE 1609.2 standard to authenticate
low latency safety critical messages. We evaluate the effect of
the implementation using metrics such as CPU clock cycles per
operation, average computation time in milliseconds, and message
size in bits. We perform a simulation presenting a high-density
highway scenario for the above mentioned C-ITS standards. For
each standard, we evaluate the number of safety messages that
can be successfully received within 100 ms latency. We show how
and to what extent the authentication overhead of latency-critical
messages may impact on driver safety. Under an assumed traffic
scenario, we show that a crash is possible, as a result of the evaluated
authentication delay. We show that the recommended algorithms
with specific parameters can be a potential solution for low latency
safety-critical applications in a large scale scenario.
Index Terms—Cryptography, VANETs broadcast authen-
tication, scalability, ECDSA, ECQV.
I. INTRODUCTION
ISTORICALLY, road vehicles were independent and
H mostly mechanical systems. Current vehicles increasingly
use built-in networks of sensors, actuators and electronic control
systems. Automated highway systems and Cooperative Intelli-
gent Transportation Systems (C-ITS) are further advances that
permit integration of the operations of multiple vehicles. The
Manuscript received June 12, 2019; accepted September 28, 2019. Date
of publication October 4, 2019; date of current version December 17, 2019.
The work of J. Pieprzyk was supported by the Australian Research Council
under Grant DP180102199 and the Polish National Science Centre (Narodowe
Centrum Nauki) under Grant 2018/31/B/ST6/03003. The work of M. A. R.
Baee was supported by the Queensland University of Technology Postgraduate
Research Award scholarship. The review of this article was coordinated by Dr.
F. Bai. (Corresponding author: Mir Ali Rezazadeh Baee.)
M. A. R. Baee, L. Simpson, and E. Foo are with the School of Electrical
Engineering and Computer Science, Queensland University of Technology, QLD
4000, Australia (e-mail: mirali.rezazadeh@qut.edu.au; lr.simpson@qut.edu.au;
e.foo@qut.edu.au).
J. Pieprzyk is with the Commonwealth Scientific and Industrial Research
Organization, Data61, 1466 Sydney, NSW, Australia with Institute of Computer
Science, Polish Academy of Sciences, 01-248 Warsaw, Poland, and also with
School of Electrical Engineering and Computer Science, Queensland University
of Technology, QLD 4000, Australia (e-mail: josef.pieprzyk@csiro.au).
Digital Object Identifier 10.1109/TVT.2019.2945339
0018-9545 © 2019 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Authorized licensed use limited to: Technische Hochschule Ingolstadt. Downloaded on April 27,2022 at 08:11:33 UTC from IEEE Xplore. Restrictions apply.
11577
term C-ITS refers to use of information and communication
technologies (ICT) intelligently. C-ITS comprises a wide range
of technologies, controls, systems, and applications. These have
the potential to save lives, time, and money by preventing crashes
using applications like pre-crash sensing and intersection colli-
sion avoidance [1].
One of the main elements of C-ITS is the capability for
heterogeneous vehicles to communicate with one another in
an interoperable manner. To establish such Vehicle-to-Vehicle
(V2V) communication, car manufacturers embed devices using
IEEE 802.11p, called Wireless Access in Vehicular Environment
(WAVE).
Equipped vehicles with WAVE can synchronize and hand-
shake via beacon messages which periodically share the
vehicle’s mobility characteristics with its neighbours [2]. The
detected data, such as road conditions, driving status, and traf-
fic info, is processed and shared with vehicles using beacons
within required latency for different purposes such as collision
avoidance. Latency defines an allowable time frame from when
information is generated for transmission and when it is received.
Intelligent transportation system (ITS) platforms are now
being established around the world. The primary advancements
come from United States (U.S.), Europe, and Japan [3]. Each
of these territories has defined a group of new standards that
specify different aspects of the C-ITS communications such as
Physical (PHY) and Medium Access Control (MAC) layers, data
structures, and security. Standards are necessary for the C-ITS
elements created by different companies to operate together.
The Institute of Electrical and Electronics Engineers (IEEE)
in United States, the European Telecommunications Standards
Institute (ETSI) in Europe, and Association of Radio Industries
and Businesses (ARIB) in Japan are well known sources with
defined C-ITS standards.
A significant potential advantage of V2V technology is the
capability for very low latency broadcast (point-to-multipoint)
communications for use in hazardous situations. Most safety-
critical applications have latency requirements of 100 millisec-
onds (minimum update rate of 10 hertz) in a communication
range of 150 to 500 meters [1]. Such low latency applications
must access the communication channel with the highest priority
and reliability. Vehicles should process all incoming messages
within the required latency before they send out a new safety
message, otherwise the system efficiency is questionable. That
is, a vehicle needs to receive and process updated information
from surrounding vehicles within the required time-frame to
obtain the safety advantage of V2V technology.
11578
To keep C-ITS and Vehicular Ad-hoc Networks (VANETs)
applications secure, mechanisms shall be provided to ensure
both authenticity and the integrity of the data transmitted in
beacon messages. Authentication is a necessary feature to ensure
that a legitimate VANET entity is the source of data commu-
nicated [4]. It is crucial to verify message integrity to detect
manipulation of vehicular communications. To meet these goals,
the IEEE 1609.2 standard [5] describes security services for ap-
plications and management messages. It specifies the algorithms
to be used for authentication and cryptographic procedures.
Clause 5 of the IEEE 1609.2 standard specifies use of the El-
liptic Curve Digital Signature Algorithm (ECDSA) [6] specified
in Federal Information Processing Standard (FIPS) 186-4 [7]
to sign and verify messages. In the same clause, the standard
specifies use of ECDSA or Elliptic Curve Qu-Vanstone (ECQV)
[8] to ensure that a legitimate entity of VANET is the source of
data communicated. Both of the ECDSA and ECQV algorithms
rely on Elliptic Curve Cryptography (ECC), as described in [9]
and [10]. There are several different standards covering the
selection of curves to use in ECC. National Institute of Standards
and Technology (NIST) and Brainpool Standard Curves and
Curve Generation (Brainpool) are well-known examples. In
IEEE 1609.2, three elliptic curves for the cryptographic pro-
cesses are defined: NIST P-256, BrainpoolP256r1, and Brain-
poolP384r1 [11], [12]. These curves restrict the secret key
size to become 256 bits for NIST P-256 and BrainpoolP256r1,
and 384 bits for BrainpoolP384r1. Other standards such as the
European ETSI TS 103 097 [13] reference IEEE 1609.2 to ensure
that the connected vehicles will operate safely, securely and
efficiently.
Different vehicles may have different computing capabilities
to support emerging applications such as safety. In-car com-
putation is limited due to the requirements of small-scale and
low-cost hardware to make VANETs economically viable. These
limitations manifest in the cost-driven to secure modern vehicles
against cyber attacks, and make the complex cryptographic
procedures economically unattractive [14], [15]. Considering
the limited computation resources of vehicles, the IEEE 1609.2
recommendations for authentication should have low computa-
tional overhead such that a large number of signed messages
received in a short time period can be processed before their
dedicated deadline, while other applications can be operated
normally.
In 2011, it was determined that a typical automotive embedded
processor has a clock rate of 400 MHz [16]. Currently, semi-
conductor companies such as the NXP Semiconductors offer
a high-performance automotive single chip Dedicated Short
Range Communications (DSRC) modem for vehicular commu-
nictions. For example, the RoadLINK SAF5400 [17] can relay
up to 2000 safety message verifications per second on chip using
ECDSA with NIST curves 256 bits. That is, it can process 200
authentication request every 100 ms.
The purpose of this paper is to evaluate the performance
impact of applying the authentication procedures described in
IEEE 1609.2 for each of the three different C-ITS standards. We
investigate message size, and determine the average computation
time and the number of CPU clock cycles per cryptographic
Authorized licensed use limited to: Technische Hochschule Ingolstadt. Downloaded on April 27,2022 at 08:11:33 UTC from IEEE Xplore. Restrictions apply.
IEEE TRANSACTIONS ON VEHICULAR TECHNOLOGY, VOL. 68, NO. 12, DECEMBER 2019
operation to be performed by a vehicle for broadcast authenti-
cation. We analyze and discuss the relationship with handling
low latency and time-critical messages for a real world scenario
at scale. In the final step, we identify the challenges revealed
by our experimental results and provide suggestions for future
development.
The contribution of this paper is fourfold:
1) The cryptographic overhead of IEEE 1609.2 recom-
mended algorithms for certificate and message verification
is theoretically and practically analyzed.
2) By means of simulations, the number of beacons suc-
cessfully received in the required interval (for safety-
critical applications) within American IEEE 1609, Euro-
pean ETSI ITS-G5, and Japanese ARIB STD-T109 ITS
standards is evaluated in a realistic traffic scenario.
3) To reduce the number of certificate validations, we apply a
certificate list in our simulation scenario to check whether
a received certificate is verified during last one second or
not. We estimate the number of certificates that can be
subject to renewal in 100 ms.
4) The impact of the verification overhead on latency-critical
applications is analyzed, evaluated, and discussed. Under
an assumed traffic scenario, we show how and to what
extent the IEEE 1609.2 recommended authentication al-
gorithms result in delay that may impact driver safety.
We calculate vehicle displacement during authentication
operations to determine a possible crash, as a result of the
delay. Recommendations for mitigation are given.
The manuscript is organized as follows. Section II summa-
rizes the current C-ITS standards. In Section III, we describe the
IEEE 1609.2 security standard and its recommended authentica-
tion algorithms. Section IV overviews the related work. Section
V explains the simulation scenarios to evaluate the performance.
In Section VI, we review the metrics used in our simulation
application layer. Section VII provides the simulation results.
In Section VIII, we discuss the results, and conclusions are
presented in Section IX. Please note that all the abbreviations
used throughout the paper are summarized in Table I.
II. STANDARDIZATION
The IEEE 802.11p [18] is an amendment to the IEEE 802.11
Wireless Local Area Network (WLAN) standard, to support
vehicular communications. It has different characteristics than
the usual wireless communications. For example, the connection
times are shorter. IEEE 802.11p protocol uses the Enhanced
Distributed Channel Access (EDCA) MAC sub-layer protocol
designed based on IEEE 802.11e with some modifications. It
extends Orthogonal Frequency Division Multiplexing (OFDM)
PHY as used in IEEE 802.11a.
The IEEE 1609.4 standard defined the first version of WAVE
protocol stack using IEEE 802.11p. The WAVE protocol [19]
reserves bandwidth of 75 MHz (in frequency range 5.850 to
5.925 GHz) to use in the U.S. DSRC spectrum band, known
as Intelligent Transportation Systems Radio Service (ITS-RS).
The 75 MHz band includes one central Control Channel (CCH)
and six Service Channels (SCH).
BAEE et al.: BROADCAST AUTHENTICATION IN LATENCY-CRITICAL APPLICATIONS: ON THE EFFICIENCY OF IEEE 1609.2
TABLE I
LIST OF ABBREVIATIONS
Similarly, IEEE 802.11p as an access layer is used in the Euro-
pean ETSI ITS-G5 family of standards [20] to provide vehicular
communications. It describes the PHY and MAC sub-layer of
ITS stations operating in the 5.9 GHz frequency band, covering
the G5A in frequency range 5.875 GHz to 5.905 GHz (dedicated
for safety and safety related applications), the G5B in frequency
range 5.855 GHz to 5.875 GHz, and the G5C in frequency range
5.470 GHz to 5.725 GHz (for other applications). The PHY layer
of G5A defines three 10 MHz channels including CCH, SCH1
and SCH2. Unlike IEEE 1609, ITS G5 uses a model including
state machines and different tunable parameters to control MAC.
In parallel to the American and European C-ITS standards,
the Japanese ARIB STD-T109 [21] mandates operating of ITS
in the 700 MHz frequency band to inform vehicles and drivers
about traffic status in order to reduce the number of traffic
accidents. ARIB STD-T109 specifies a PHY similar to IEEE
802.11p, but operating on a center frequency of 760 MHz. The
MAC layer described in this standard employs Time Division
Multiple Access (TDMA) protocol to ensure that all the vehicles
have enough time to send safety messages without collisions and
delay.
III. AUTHENTICITY AND INTEGRITY IN
VEHICULAR COMMUNICATION
To keep VANET applications secure against message manip-
ulation or replaying, the IEEE 1609.2 standard recommends
algorithms to ensure both authenticity and integrity of the
Authorized licensed use limited to: Technische Hochschule Ingolstadt. Downloaded on April 27,2022 at 08:11:33 UTC from IEEE Xplore. Restrictions apply.
11579
data broadcast in beacon messages. A safety message has to
be authenticated at two levels: node level and the message
level. Node level authentication refers to entity authentication
(identification), and ensures that the safety message received is
from a legitimate vehicle. The message level authentication or
data-origin authentication ensures the integrity of a message, and
plays an important role in enhancing security in VANET. IEEE
1609.2 specifies the algorithms to be used for authentication
and cryptographic procedures. It recommends ECDSA [6] as
the sole permitted algorithm to sign and verify messages.
Entity authentication is enabled through the use of asymmetric
cryptography. A sender vehicle signs a message using its own
private key. Each recipient vehicle needs to discover the sender’s
public key for signature verification purpose (identification).
The most common approach to discover public keys is to use
digital certificates. In IEEE 1609.2, a certificate can be verified
by ECDSA or ECQV [8], considering the mechanism (implicity
or explicity) that a verification key is given to a certificate. An
explicit certificate is a data structure composed of two different
parts: a data part and a signature part. They can be used to
store, distribute, or forward public keys over unsecured network
without concern for undetectable manipulation. Thus, others can
verify the true of public key of that entity and its validity. The
data part consists of at least a public key and a unique string
identifying the associated real-world entity. The signature part
of the certificate contains a signature belonging to a trusted
authority that binds the subject entity’s unique identity to the
specified public key. An implicit certificate is another variation
of digital certificates, in which an explicit user’s public key
can be implicitly-certified. The main difference is that here a
public key must be reconstructed from public data, rather than
included directly as in explicit certificates. Hence, ECDSA is
used to explicity verify a certificate which includes public key
and digital signature, where as ECQV is used to implicity verify
a certificate which includes public key reconstruction data [8].
For any offered data, the hash algorithms approved to use in
this standard are SHA-256 and SHA-384 as specified in the FIPS
180-4 [22].
Both of the ECDSA and ECQV algorithms rely on ECC [9],
[10]. ECC is an approach to public-key cryptography based
on the algebraic structure of elliptic curves over finite fields.
To generate an elliptic curve to use in ECC, all parties must
agree on all the elements defining the curve, that are domain
parameters of the scheme. An elliptic curve E over finite field
Fp2 is the set of points (x, y) ∈ Fp , defined to satisfy the equation
y 2 = x3 + ax + b, where prime p > 3, and 4a3 + 27b2 = 0.
The set (x, y) together with a point at infinity O (acting as
the identity element), and a special addition operation define
an Abelian group, called the Elliptic Curve group. Thus, elliptic
curve operations such as scalar multiplication, field multipli-
cation and field inverse multiplication are required. The most
important operation is scalar multiplication: given a point P and
a positive integer a, compute aP . The scalar multiplication deals
with point doubling (adding P (x, y) to itself) and point addition
(adding two different points (P (x, y), Q(X, Y )). These point
doubling and additions, fundamentally, further deal with addi-
tions, squaring, multiplications, and inversion operations. The
11580 IEEE TRANSACTIONS ON VEHICULAR TECHNOLOGY, VOL. 68, NO. 12, DECEMBER 2019

interested reader may find additional information in e.g., [23],

Algorithm 1: ECDSA.
[24].
procedure Key Generation
Each message broadcast is signed. Recipients must verify
1: Select random base point generator G
the signatures before accepting the messages. We note that
such that G = (xg, yg) on elliptic curve E(Fp ).
vehicles broadcast one beacon in each short time-frame, however
2: Select a random integer d from [1, n − 1],
they receive many beacons in that same time. Hence, for any
where n is order of point G,
applied algorithm, the signature verification speed is far more
and the smallest positive integer such that nG = O.
important than signature generation speed. Therefore, we review
3: Compute Q = dG.
the verification time complexity of both ECDSA and ECQV
4: Return public key Q and private key d.
algorithms.
procedure Signature Generation
1: Select a random integer k from [1, n − 1].
A. ECDSA
2: Compute kG = (x1 , y1 ) and r = x1 (mod n).
In ECDSA (for message m using order n of the base point 3: If r = 0 then go to step 1.
generator G on the elliptic curve E), the message sender gen- 4: Compute k −1 (mod n).
erates a signature with its own private key d and the receiver 5: Compute s = k −1 (Hash(m) + dr)(mod n).
verifies the signature (r, s) with the sender’s public key Q. The 6: If s = 0 then go to step 1.
signature verification requires two scalar multiplications, one 7: Return message m and its signature (r, s).
hash function, two modular multiplications, one inversion, and procedure Signature Verification
one addition mathematical operations. Algorithm. 1 shows pseu- 1: Verify that r and s are integers in [1, n − 1].
docode of ECDSA key generation, signature generation, and 2: Compute e = Hash(m).
signature verification in three separate procedures. Overall, the 3: Compute w = s−1 (mod n).
most time consuming process for elliptic curve cryptosystems 4: Compute u1 = e × w(mod n) and u2 =
is scalar multiplication operation [25]. The signature verifica- r × w(mod n).
tion operation time complexity is mathematically explained in 5: Compute u1 G + u2 Q = (x1 , y1 ) and v = x1 (mod n)
Equation 1. 6: If s = 0 then go to step 1.
7: Return signature accepted if and only if v = r.
TV erif y = 2TM odularM ultiplication + THash
+ 2TScalarM ultiplication
Algorithm 2: ECQV.
+ TM odularInversion + TAddition (1)
procedure Certificate Generation
1: Select random base point generator G such that
B. ECQV G = (xg, yg) on elliptic curve E(Fp ).
ECQV provides a more efficient alternative to traditional 2: Provide a private key dCA .
certificates, as described in the document Standards for Efficient 3: Compute public key QCA = dCA .G.
Cryptography 4 [8]. The ECQV implicit certificate scheme 4: Receive a certificate request (IDuser , Ruser = kuser .G),
is particularly well suited for application environments where where kuser is a random integer from [1, n − 1],
resources such as bandwidth, computing power and storage IDuser is users identity, and n is order of point G,
are limited. Using ECQV, a user generates a certificate request and the smallest positive integer such that nG = O.
(using order n of the base point generator G on elliptic curve E) 5: Select a random integer k from [1, n − 1].
and sends that to the Certificate Authority (CA) for certificate 6: Compute kG.
generation. Algorithm. 2 shows pseudocode of certificate gen- 7: Compute public key reconstruction data:
eration, public key computation, and private key computation Puser = Ruser + kG.
in three separate procedures. A user public key Quser can be 8: Compute Certuser = Encode(Puser , IDuser ).
computed by any party that knows the user’s certificate CertU ser 9: Compute e = Hash(Certuser ).
and CA’s public key QCA . Public key computation requires one 10: Compute private key reconstruction data:
scalar multiplication, one hash function, and one addition. Public r = (ek + dCA )(mod n).
key computation time is given in Equation 2. 11: Return (r, CertU ser ).
procedure Public Key Computation
TP ub = TScalarM ultiplication + THash + TAddition (2) 1: Compute e = Hash(CertU ser ).
2: Compute Quser = (ePuser + QCA ).
IV. RELATED WORK 3: Return public key Quser .
In this section, we review the most relevant state-of-the-art re- procedure Private Key Computation
search into IEEE 1609.2 authentication algorithms performance. 1: Compute e = Hash(Certuser ).
The use of digital signatures for authentication in vehicular 2: Compute duser = (ekuser + r)(mod n).
environment is discussed in [26] and [27]. There are very few 3: Return private key duser .

Authorized licensed use limited to: Technische Hochschule Ingolstadt. Downloaded on April 27,2022 at 08:11:33 UTC from IEEE Xplore. Restrictions apply.
BAEE et al.: BROADCAST AUTHENTICATION IN LATENCY-CRITICAL APPLICATIONS: ON THE EFFICIENCY OF IEEE 1609.2
academic publications evaluating ECDSA authentication per-
formance in high-density VANET scenarios. In [28] researchers
proposed a security architecture along with the related protocols
and analyzed performance and robustness of their proposal.
They have shown that public key cryptography is fit for the
considered problem, and proposed a mechanism to reduce the
number of certificate verifications by only verifying certificates
after every specific period (such as one second). Unfortunately,
they did not provide performance evaluation for this particular
proposal. In [29], [30], and [31] the authors investigated the
total overhead of ECDSA, combining the packet size, processing
and communication overheads. They described the impact of
using ECDSA on VANET performance, including the impact
of authentication processing on vehicle braking distance. How-
ever, they did not extend the investigation to include potential
accident scenarios. In [32] the effect of security on vehicular
communications has been studied. The main achievement was
identifying key design choices for the deployment of efficient,
effective, and secure vehicular communication systems. Authors
in [33] presented the first performance comparison between the
U.S./European IEEE 802.11p and Japanese ARIB STD-T109
standards and demonstrated that the transmissions following the
latter standard reached many more. However, their simulation
scenario is based on an average of 92 vehicles traveling on an
urban environment, with beaconing update rate of 1 Hz.
None of the above studies evaluated verification performance
of ECQV implicit certificate in C-ITS for the various curves
specified in IEEE 1609.2 standard. We fill this gap in this
research. Additionally, we estimate the approximate number of
beacons received within the latency using a specific MAC layer
in a realistic high-density scenario before applying authentica-
tion. All of the beacons must be generated in accordance with
their related standards. We perform the investigations through
computer simulations.
V. SIMULATION
In this study, we use Veins [34], an open source vehicular
network simulation framework. It utilizes the models provided
in the OMNeT++ discrete event simulator [35] and SUMO
simulation of urban mobility [36] for network simulation and
vehicular movement respectively. Veins contains a fully func-
tioning implementation of IEEE 802.11p [37], and is frequently
used in academic research.
We focus on a scenario representing the case of safety-critical
message broadcasting to support coordination and awareness
between vehicles on the highway. In the scenario we consider
a uniform presence of vehicles moving on a highway with the
number of lanes Nl = 12 (6 in each direction), where each lane
is 3 m wide (as shown in Fig. 1). We assume vehicles have
fixed speed u = 30 m/s (108 Km/h) with an inter-vehicle space
Gap = 30 m. Moving vehicles generate, sign, and transmit
safety-critical messages every 100 ms (update rate of 10 hertz)
over a 300 m communication range. To avoid the severity of a
collision, vehicles are equipped with Anti-lock Braking System
(ABS) with a maximum deceleration value a = −9 m/s2 [38].
Consider the two vehicles, vA and vB , located in the middle of
Authorized licensed use limited to: Technische Hochschule Ingolstadt. Downloaded on April 27,2022 at 08:11:33 UTC from IEEE Xplore. Restrictions apply.
11581
Fig. 1. Simulation scenario.
the highway in this scenario. They correspond to a maximum of
received messages from Nv = 240 vehicles in their communi-
cation range.
Before vA sends a new message, it should be able to verify
all incoming messages within 100 ms. During movement, vA
applies its brakes, and soon (after processing current received
messages) should generate, sign, and broadcast a safety-critical
message over the network. As soon as the message is received,
vB must authenticate both the message and identifier of vA
before responding to the situation (assuming the last received
beacon belongs to vA ). This requires one message verification
operation and one certificate (implicit or explicit) validation
operation to authenticate each received beacon. For the two ve-
hicles, vA and vB , we consider that the safety-critical messages
and certificates (implicit or explicit) are generated and validated
only over NIST-P256. We assume that the drivers highly rely on
the received safety-critical messages to react on-time.
We investigate the number of clock cycles for ECC digital sig-
nature generation/verification and ECQV certificate verification
operations performed over NIST P-256, BrainpoolP256r1, and
BrainpoolP384r1 curves using the newest stable release branch
(1.1.1 series) of OpenSSL software library [39] in Debian Linux
distribution running on a Pentium 4 machine operating at Intel
Core 2 Duo CPU T6570@2.10 GHz and 4 GB RAM. As the
TSCs on different cores are not synchronized with each other, we
use CP U _SET function to prevent operations from executing
on multiple cores (to run on a single CPU core). To have
more useful results, we practically estimate the cryptographic
overhead of ECDSA and ECQV algorithms on packet size.
We generate a cryptographic library called MyCrypt for
ECDSA signature generation/verification, and ECQV certificate
validation. MyCrypt uses OpenSSL functions to perform ECC
operations. In our simulation study, each vehicle has access to its
own initialized MyCrypt to perform cryptographic operations.
To reduce the number of certificate validations, we apply a
certificate list in our simulation scenario to check whether a
received certificate is verified during last one second or not. We
estimate the number of certificates that can be subject to renewal
in 100 ms.
We implement the scenario in each of the three C-ITS stan-
dards including American IEEE 1609, European ETSI ITS-G5,
and Japanese ARIB STD-T109 using the detailed models pub-
lished in [33]and [40]. We evaluate authentication overhead of
the transmitted messages and measure effects of the overhead
11582
TABLE II
SIMULATION PARAMETERS
on a possible crash. Table II lists IEEE 1609, ETSI ITS-G5, and
ARIB STD-T109 application layers and simulation parameters.
Depending on the C-ITS standard, each vehicle performs one
of the following steps to generate and broadcast safety messages:
1) For IEEE 1609 standard, generate beacons in accordance
with DOT HS 809 859 [1] and DOT HS 811 492D [41]
specifications.
2) For ETSI ITS-G5 standard, generate cooperative aware-
ness messages (European implementation of the beacons
for ITS-G5) in accordance with ETSI TR 102 638 [42],
ETSI TR 102 861 [43], and ETSI EN 302 637-2 [44]
specifications, and transmit them on a dedicated channel
in accordance with IEEE 802.11p MAC specification [45].
3) For ARIB STD-T109 standard, generate beacons in ac-
cordance with DOT HS 809 859 [1] and DOT HS 811
492D [41] specifications.
VI. EVALUATION METRICS
We apply the following metrics in the simulation application
layer:
1) Time Stamp Counter (TSC): The TSC is a hardware
counter found in all contemporary x86 processors. The
counter is implemented as a 64-bit Model-Specific Reg-
ister (MSR) that is incremented at every clock cycle. The
Read Time Stamp Counter (RDTSC) register has been
present since the original Pentium. It is the most precise
counter available on x86 architecture [46]. A processor
requires a fixed number of clock ticks (or clock cycles)
to execute each instruction. The faster the clock, the more
instructions the processor can execute per second. Clock
cycles are useful, because we can more fairly compare
the execution time across processors of different speeds
by calculating how many cycles it takes to process each
operation [47]. Using a given TSC (number of clock
cycles) and Equation 3 we calculate execution time of an
Authorized licensed use limited to: Technische Hochschule Ingolstadt. Downloaded on April 27,2022 at 08:11:33 UTC from IEEE Xplore. Restrictions apply.
IEEE TRANSACTIONS ON VEHICULAR TECHNOLOGY, VOL. 68, NO. 12, DECEMBER 2019
operation for different speed processors.
 
number of clock cycles
TExecution = (3)
processor clock f requency
2) Average Computation Time: This metric is used to cal-
culate average computation time for signing TSignAV G
(refer to Equation 4) and average computation time for
verifying TV erif yAV G (refer to Equation 5) during one
second. We use number of signatures generated NSign
and number of signatures verified NV erif y for above
mentioned calculations.
 
Duration
TSignAV G = (4)
NSign
 
Duration
TV erif yAV G = (5)
NV erif y
3) Distance Traveled: When responding to a dangerous situa-
tion, drivers need an average mental reaction time or think-
ing time TT hinking (in seconds), which is the duration
between the occurrence of an event and starting to touch
the brake pedal. According to experimental measurements
studied in [48], an average thinking time of a driver to be
TT hinking = 0.63 s. The average time between reacting
the driver’s muscle and receiving the first braking response
is given to be TBraking = 0.2 s. Added together, an aver-
age reaction time TReaction = 0.83 s is required before
a braking process happens. According to the constant
power equations of motion [49], we have v = u + at, x =
ut + 21 at2 , x = vt − 21 at2 , and v 2 = u2 + 2ax, where u
(m/s) is the initial velocity, v (m/s) is the final velocity, a
(m/s2 ) is the constant acceleration/deceleration, t (s) is the
time of motion, and x (m) is the distance traveled. When
the car stops, final velocity is v = 0, and so:
u2
db = , (6)
2a
solving for dr , we have:
dr = u × TReaction = u × 0.83, (7)
hence, we obtain the final stopping distance ds = dr + db ,
where dr is the distance traveled before receiving the first
braking response, and db is the distance the car then travels
before coming to rest. Vehicles continuously move, while
process received authentication requests before sending
a new message. During each verification operation a dis-
tance dV erif y with speed u will be passed. To calculate
total distance traveled T otaldV erif y during verification of
all received beacons Nb from Nv vehicles in communica-
tion range, we have:

Nb
T otaldV erif y = u × TV erif y(i) . (8)
i=1
VII. RESULTS
In this section we present the outcomes of our performance
and simulation study. We report on the RDTSC, the impact
BAEE et al.: BROADCAST AUTHENTICATION IN LATENCY-CRITICAL APPLICATIONS: ON THE EFFICIENCY OF IEEE 1609.2 11583

TABLE III
ECC PERFORMANCE (ECDSA SIGNATURE GENERATION/VERIFICATION AND ECQV CERTIFICATE VERIFICATION OPERATIONS, SINGLE CORE)


The curves NIST P-256, BrainpoolP256r1, and BrainpoolP384r1 are shown as P-256, P256r1, and P384r1 respectively.

TABLE IV
ECC OVERHEAD ON PACKET SIZE (ECC PUBLIC KEY, ECDSA SIGNATURE, AND ECQV PUBLIC KEY RECONSTRUCTION DATA)


The curves NIST P-256, BrainpoolP256r1, and BrainpoolP384r1 are shown as P-256, P256r1, and P384r1 respectively.

Fig. 2. Number of received beacons by vehicle v in the three different C-ITS Fig. 3. Total traveled distance by vehicle v during ECDSA verification using
standards. the three different curves.

of authentication on packet size, the average computation time beacon, a vehicle v passes distance dV erif y . Figs. 3 and 4 show
for signing/verifying, the number of received beacons in every distance traveled T otaldV erif y (in meters) during verification
100 ms for three different C-ITS standards, the number of of Nb beacons from Nv vehicles in communication range, when
renewed certificates in latency, and total distance traveled during vehicle speed u = 1 m/s.
verification that may impact on driver safety. The ECC operations over different curves have different
First, we investigated the number of clock cycles for ECC computation times. The sum of all computation times for both
digital signature generation/verification and ECQV certificate vehicles results an extra delay, which will be added to the driver’s
verification operations (Table III). We practically estimated the reaction time and gives total delay as follows:
cryptographic overhead of ECDSA and ECQV algorithms on
packet size (Table IV). 
Nb
 
T otalDelay = 2 TV erif y(M i) + TV erif y(Ci)
Secondly, we calculated the average number of genera-
i=1
tions/verifications per second by continuously call to signature
generation/validation and ECQV certificate verification func- + TReaction .
tions during one-second. We also evaluated the execution time
for each single run. Table III lists the results of our first and Let t be the time in seconds from when vA brakes. We measure
second evaluation metrics. distance in meters, and take xB (t) to be the position of the front
For the third investigation, we estimated the number of certifi- of vB at time t, where the position of the back of vA at time t is
cates that need to be verified in latency. Results show that up to xA (t). Fig. 6 shows the situation at time t = 0. For vehicle speed
167 certificates can be subject to renewal, and must be validated of u = 30 m/s (108 Km/h), inter-vehicle space Gap = 30 m, and
again in every 100 ms. deceleration value a = 9 m/s2 , we have:
Lastly, we estimated the number of beacons received in every
1000
100 ms by a vehicle v, which is moving in the middle of highway u= × 108 = 30 m/s.
(Fig. 2). During signature/certificate validation of each received 3600

Authorized licensed use limited to: Technische Hochschule Ingolstadt. Downloaded on April 27,2022 at 08:11:33 UTC from IEEE Xplore. Restrictions apply.
11584 IEEE TRANSACTIONS ON VEHICULAR TECHNOLOGY, VOL. 68, NO. 12, DECEMBER 2019

Fig. 4. Total traveled distance by vehicle v during ECQV verification using the three different curves.

Fig. 5. Effect of verification delay on a potential accident.

VIII. DISCUSSION
Enabling safety-critical applications in VANETs requires ex-
tensive beaconing exchange between vehicles. Our performance
comparison demonstrates that the maximum number of beacons
received by vehicle v under the application of Japanese ARIB
Fig. 6. Scenario at time t = 0. STD-T109 standard is 222 beacons per 100 ms, many more than
the American IEEE 1609 and European ETSI ITS-G5 standards,
The velocity and position of the back of vA at time t is given by: with 158 and 154 beacons respectively. Processing a greater
number of beacons has obvious benefits for safety applica-
9 tions. The U.S./European IEEE 802.11p suffer much more from
uA (t) = 30 − 9t, xA (t) = 30t − t2 + Gap, shadow fading comparing to Japanese ARIB STD-T109 due to
2
differences in terms of physical layer (5.9 GHz vs. 700 MHz
and the velocity and position of the front of vB at time t is given band), as well as their very different MAC characteristics [33].
by: Therefore, we consider the upper bound to be 222 beacons for
our calculations.
⎧
⎨30, Our results have shown that care is needed when using the
if t ≤ T otalDelay
uB (t) = algorithms recommended by IEEE 1609.2 for authentication of
⎩30 − 9 (t − T otal
Delay ) , if t > T otalDelay , the high amount of received beacons. The verification results in
⎧ a delay in driver notification and allows insufficient driver re-
⎨30t, if t ≤ T otalDelay action time, resulting in potential collisions and serious injuries
xB (t) = (assuming the driver does not react independently). According
⎩30t − 9 (t − T otal 2
2 Delay ) , if t > T otalDelay . to experimental measurements studied in [48], 2% and 5% of
the drivers have thinking times of 0.36 s and 0.43 s respectively,
We solve the equation xA (t) and xB (t) to find any possible which are very close to the T otalDelay calculated in our study.
crash, where vB runs into vA at time t due to verification For a scenario where a driver is relying completely on the safety
overhead of Nb = 222 beacons (upper bound). Fig. 5 shows messages to react on-time, the verification time must be less than
position and speed of vB at accident time. driver reaction time.

Authorized licensed use limited to: Technische Hochschule Ingolstadt. Downloaded on April 27,2022 at 08:11:33 UTC from IEEE Xplore. Restrictions apply.
BAEE et al.: BROADCAST AUTHENTICATION IN LATENCY-CRITICAL APPLICATIONS: ON THE EFFICIENCY OF IEEE 1609.2
The RoadLINK SAF5400 [17] can process up to 200 authen-
tication request every 100 ms on chip using ECDSA with NIST
curves 256 bits. The upper bound of the received beacons (222
beacons) in our simulation scenario shows that any possible
solution should address verification of 222 messages and 222
certificates: a total of 444 verifications to be performed every
100 ms. Thus, vehicles need faster processors by more than a
factor of two to handle the scenario simulated in this study.
There are efficient software implementations of public key
signature systems that significantly reduce the computation
overhead of authentication procedures. One widely used public
key high-speed signature scheme is Ed25519 [50]. It is a specific
instance of the EdDSA family of signature schemes, and speci-
fied in RFC 8032 [51]. The designers of Ed25519 signature claim
that their scheme beats almost all of the signature generation
and verification times by more than a factor of two. The scheme
takes only 273364 cycles to verify a signature on Intel’s widely
deployed Nehalem/Westmere lines of CPUs, approximately
three times faster than ECDSA signature verification over NIST
P-256 with 715460 cycles measured and evaluated in this study.
Therefore, we strongly recommend amendment to include this
signature scheme in IEEE 1609.2 standard for use in vehicular
communications.
Results show that if we apply a certificate list to reduce the
number of certificate validations, up to 167 certificates (out
of 222 certificates) can be subject to renewal, in 100 ms. A
check must be performed to determine whether a certificate was
validated in the last one second or not. For each of these 167
certificates, an extra computation. Note that this extra checking
time during verification process extends the drivers reaction
time.
VANETs are highly dynamic environments and vehicles peri-
odically join and leave highways using enter and exit ways. The
distance between vehicles continuously changes and they join
different networks unpredictably. Thus, verifying certificates
after a specific period (such as one second) alone is not enough.
Results show that in terms of efficiency, the ECDSA and
ECQV are good mix for ensuring authenticity and integrity
where they use NIST P-256 curve comparing to Brain-
poolP256r1 and BrainpoolP384r1 curves which are computa-
tionally heavy for a resource constrained device.
IX. CONCLUSION
C-ITS uses ICT intelligently with the potential to increase
road safety and reduce the number of accidents. For security,
the IEEE 1609.2 standard recommends ECDSA and ECQV
authentication algorithms to ensure authenticity and integrity
of received messages. Most latency-critical applications have
beaconing update rate of 100 ms. Vehicles should validate all
the received beacons within latency, before reaching their next
beaconning event. As these authentication mechanisms rely
on mathematical equations, performance of V2V communi-
cations and safety-critical applications drops significantly, as
vehicle numbers increase. In this paper, we investigated the CPU
RDTSC and average computation time for ECDSA signature
generation/verification, and ECQV certificate validation. During
Authorized licensed use limited to: Technische Hochschule Ingolstadt. Downloaded on April 27,2022 at 08:11:33 UTC from IEEE Xplore. Restrictions apply.
11585
investigation of ECDSA and EVQV, we used three different
curves including, NIST P-256, BrainpoolP256r1, and Brain-
poolP384r1. In addition, we performed a simulation presenting
a high-density highway scenario for three different C-ITS stan-
dards including IEEE 1609, ETSI ITS-G5, and ARIB STD-T109
to evaluate the number of received beacons within 100 ms
latency. We generated safety messages in accordance with the re-
lated C-ITS standard. We showed how and to what extent the in-
clusion of IEEE 1609.2 recommended authentication algorithms
affects driver reaction time. Finally, we determined whether the
evaluated authentication delay could result in insufficient time
for a driver to receive an alert and react, resulting in a crash. We
showed that using ECDSA and ECQV together over NIST P-256
curve while verifying certificates after every specific period can
be a potential solution for low latency safety-critical applications
in the above mentioned scenario based on current standard. We
also recommend amendment of faster signature schemes such
as the Ed25519 in IEEE 1609.2 standard to use in vehicular
communications.
REFERENCES
[1] “Vehicle safety communications project: Task 3 final report - identify
intelligent vehicle safety applications enabled by DSRC,” Nat. Highway
Traffic Safety Admin. - U. S. Dept. Transp. (USDOT), Tech. Rep. DOT
HS 809 859, Mar. 2005.
[2] K. Z. Ghafoor, J. Lloret, K. A. Bakar, A. S. Sadiq, and S. A. B. Mussa,
“Beaconing approaches in vehicular ad hoc networks: A survey,” Wireless
Pers. Commun., vol. 73, pp. 885–912, Dec. 2013.
[3] M. Annoni and B. Williams, The History of Vehicular Networks. Cham,
Switzerland: Springer International Publishing, 2015, pp. 3–21.
[4] M. Raya and J.-P. Hubaux, “Securing vehicular ad hoc networks,” J.
Comput. Secur., vol. 15, pp. 39–68, Jan. 2007.
[5] IEEE Standard for Wireless Access in Vehicular Environments–Security
Services for Applications and Management Messages - Amendment
1, IEEE Std 1609.2a-2017 (Amendment to IEEE Std 1609.2-2016),
pp. 1–123, Oct. 2017.
[6] D. Johnson, A. Menezes, and S. Vanstone, “The elliptic curve digital
signature algorithm (ECDSA),” Int. J. Inform. Secur., vol. 1, pp. 36–63,
Aug. 2001.
[7] Federal Information Processing Standard (FIPS) 186-4, National Institute
of Science and Technology, Jul. 2013.
[8] Standards for Efficient Cryptography Group (secg), Sec4 Elliptic
Curve Qu-vanstone Implicit Certificate Scheme (ECQV). v1.0, Jan.
2013.
[9] N. Koblitz, “Elliptic curve cryptosystems,” Math. Comput., vol. 48,
pp. 203–209, 1987.
[10] V. S. Miller, “Use of elliptic curves in cryptography,” in Proc. Ad-
vances in Cryptology, Berlin, Heidelberg, pp. 417–426, Springer-Verlag,
1986.
[11] S. Turner, D. Brown, K. Yiu, R. Housley, and T. Polk, Elliptic Curve
Cryptography Subject Public Key Information, RFC 5480, RFC Editor,
Mar. 2009.
[12] M. Lochter and J. Merkle, Elliptic Curve Cryptography ECC Brainpool
Standard Curves and Curve Generation, RFC 5639, RFC Editor, Mar.
2010.
[13] Intelligent Transport Systems (ITS); Security; Security Header and Cer-
tificate Formats, Standard ETSI TS 103 097 V1.3.1, European Telecom-
munications Standards Institute, Oct. 2017.
[14] K. Han, A. Weimerskirch, and K. G. Shin, “Automotive cybersecurity
for in-vehicle communication,” IQT QUARTERLY, vol. 6, pp. 22–25,
2014.
[15] J. Siegel, D. Erb, and S. Sarma, “Algorithms and architectures: A case
study in when, where and how to connect vehicles,” IEEE Intell. Transp.
Syst. Mag., vol. 10, no. 1, pp. 74–87, Jan. 2018.
[16] T. Schütze, “Automotive security: Cryptography for car2X communica-
tion,” in Proc. Embedded World Conf., 2011, vol. 3, pp. 4–24.
[17] “NXP Semiconductors; RoadLINK SAF5400 single chip modem.” Ac-
cessed: Aug. 10, 2018. https://www.nxp.com
11586 IEEE TRANSACTIONS ON VEHICULAR TECHNOLOGY, VOL. 68, NO. 12, DECEMBER 2019

[18] IEEE Standard for Information Technology– Local and Metropolitan Area [44] Intelligent Transport Systems (ITS); Vehicular Communications; Basic
Networks– Specific Requirements– Part 11: Wireless Lan Medium Access Set of Applications; Part 2: Specification of Cooperative Awareness Basic
Control (MAC) and Physical Layer (PHY) Specifications Amendment Service, Standard ETSI EN 302 637-2, European Telecommunications
6: Wireless Access in Vehicular Environments, IEEE Std 802.11p-2010 Standards Institute, Sep. 2014.
(Amendment to IEEE Std 802.11-2007), pp. 1–51, Jul. 2010. [45] IEEE Standard for Information Technology–Telecommunications and
[19] R. A. Uzcategui, A. J. D. Sucre, and G. Acosta-Marum, “Wave: A tutorial,” Information Exchange Between Systems Local and Metropolitan Area
IEEE Commun. Mag., vol. 47, no. 5, pp. 126–133, May 2009. Networks–Specific Requirements - Part 11: Wireless Lan Medium Ac-
[20] Intelligent Transport Systems (ITS); European Profile Standard for the cess Control (MAC) and Physical Layer (PHY) Specifications, IEEE Std
Physical and Medium Access Control Layer of Intelligent Transport Sys- 802.11-2016 (Revision of IEEE Std 802.11-2012), pp. 1–3534, Dec. 2016.
tems Operating in the 5 GHz Frequency Band, Standard ETSI - ES 202 [46] G. S. Tian, Y. C. Tian, and C. Fidge, “High-precision relative clock
663, European Telecommunications Standards Institute, Jan. 2010. synchronization using time stamp counters,” in Proc. 13th IEEE Int. Conf.
[21] 700 MHz Band Intelligent Transport Systems, Standard ARIB STD-T109, Eng. Complex Comput. Syst.), Mar. 2008, pp. 69–78.
Association of Radio Industries and Businesses, Jul. 2017. [47] J. Viega and M. Messier, Secure Programming Cookbook for C and
[22] “Federal Information Processing Standard (FIPS) 180-4, National Insti- C++: Recipes for Cryptography, Authentication, Input Validation & More.
tute of Science and Technology, Aug. 2015. O’Reilly Media, 2003.
[23] I. F. Blake, G. Seroussi, and N. P. Smart, Elliptic Curves in Cryptography. [48] W. Hugemann, “Driver reaction times in road traffic,” in Proc. Eur. Assoc.
New York, NY, USA: Cambridge Univ. Press, 1999. Accident Res. Anal. Annu. Conv., Portoro, Slovenija, September 2002.
[24] J. H. Silverman, The Arithmetic of Elliptic Curves, vol. 106. New York, [49] R. Stephenson, “Constant power equations of motion,” Amer. J. Phys.,
NY, USA: Springer Science & Business Media, 2009. vol. 50, no. 12, pp. 1150–1155, 1982.
[25] S. S. Kumar, “Elliptic curve cryptography for constrained devices,” Ph.D. [50] D. J. Bernstein, N. Duif, T. Lange, P. Schwabe, and B.-Y. Yang, “High-
dissertation, Ruhr Univ. Bochum, Bochum, Germany, 2006. speed high-security signatures,” J. Cryptographic Eng., vol. 2, pp. 77–89,
[26] P. Dr and C. Meinel, “Digital signatures for automobiles?!,” Mar. 2002. Sep. 2012.
[27] P. Papadimitratos et al., “Secure vehicular communication systems: design [51] S. Josefsson and I. Liusvaara, “RFC 8032: Edwards-curve digital signature
and architecture,” IEEE Commun. Mag., vol. 46, no. 11, pp. 100–109, algorithm (EdDSA),” Request Comments, IETF, Jan. 2017.
Nov. 2008.
[28] M. Raya and J.-P. Hubaux, “The security of vehicular ad hoc networks,”
in Proc. 3rd ACM Workshop Secur. Ad Hoc Sensor Netw. New York, NY,
USA: ACM, 2005, pp. 11–21.
[29] J. Petit, “Analysis of ecdsa authentication processing in vanets,” in Proc.
3rd Int. Conf. New Technol., Mobility Secur., Dec. 2009, pp. 1–5.
[30] J. Petit and Z. Mammeri, “Analysis of authentication overhead in vehicular
networks,” in Proc. Wireless Mobile Netw. Conf, Oct. 2010, pp. 1–6.
[31] J. Petit and Z. Mammeri, “Authentication and consensus overhead in
vehicular ad hoc networks,” Telecommun. Syst., vol. 52, pp. 2699–2712,
Apr. 2013.
Mir Ali Rezazadeh Baee received the B.Sc. de-
[32] G. Calandriello, P. Papadimitratos, J. P. Hubaux, and A. Lioy, “On
gree in computer software engineering from the
the performance of secure vehicular communication systems,” IEEE
Mazandaran University of Science and Technology,
Trans. Dependable Secure Comput., vol. 8, no. 6, pp. 898–912, Nov.
Babol, Mazandaran, Iran, in 2010, and the M.Sc.
2011.
degree in computer science information security from
[33] J. Heinovski, F. Klingler, F. Dressler, and C. Sommer, “Performance
the Universiti Teknologi Malaysia, Skudai, Johor,
comparison of IEEE 802.11p and ARIB STD-T109,” in Proc. IEEE Veh.
Malaysia, in 2014. He is a Sessional Academic
Netw. Conf., Dec. 2016, pp. 1–8.
and Doctoral Candidate, designing authentication
[34] C. Sommer, Z. Yao, R. German, and F. Dressler, “Simulating the influence
and key-management protocols for secure vehicular
of IVC on road traffic using bidirectionally coupled simulators,” in Proc.
communications at the Information Security Disci-
IEEE Comput. Commun. Workshops, INFOCOM Workshops, Apr. 2008,
pline, Queensland University of Technology, Bris-
pp. 1–6.
bane, QLD, Australia. He has over 15 years of experience working in computer
[35] A. Varga, “The omnet++ discrete event simulation system,” in Proc. Eur.
science. His research interests include applied cryptography, complexity and
Simulation Multiconference, 2001.
performance evaluation, network security, and privacy.
[36] D. Krajzewicz, J. Erdmann, M. Behrisch, and L. Bieker, “Recent devel-
opment and applications of SUMO - Simulation of Urban MObility,” Int.
J. Adv. Syst. Meas., vol. 5, pp. 128–138, Dec. 2012.
[37] D. Eckhoff, C. Sommer, and F. Dressler, “On the necessity of
accurate IEEE 802.11p models for IVC protocol simulation,” in
Proc. 75th IEEE Veh. Technol. Conf., Yokohama, Japan, May 2012,
pp. 1–5,.
[38] N. Kudarauskas, “Analysis of emergency braking of a vehicle,” Transport,
vol. 22, no. 3, pp. 154–159, 2007.
[39] The OpenSSL Project, “OpenSSL: The open source toolkit for SSL/TLS.”
www.openssl.org, Apr. 2003.
[40] D. Eckhoff and C. Sommer, “A multi-channel IEEE 1609.4 and 802.11p
EDCA model for the veins framework,” in Proc. 5th ACM/ICST Int. Conf. Leonie Simpson is a Senior Lecturer and Informa-
Simul. Tools Techn. Commun., Netw. Syst. (SIMUTools): 5th ACM/ICST tion Security Researcher at the Information Security
Int. Workshop OMNeT++ (OMNeT++ 2012), Poster Session, Desenzano, Discipline, Queensland University of Technology,
Italy, ACM, Mar. 2012. Brisbane, QLD, Australia. She has been involved in
[41] “Vehicle safety communications applications (VSC-A) final report: Ap- information security research for over 20 years. Her
pendix volume 3 security,” Tech. Rep. DOT HS 811 492D, Nat. High- main research interests include symmetric cryptol-
way Traffic Safety Admin. - U. S. Dept. Transp. (USDOT), Sep. ogy, widely used for data protection. She has exten-
2011. sive experience analysing cryptographic algorithms
[42] Intelligent Transport Systems (ITS); Vehicular Communications; Basic and finding weaknesses that reduce the security pro-
Set of Applications; Definitions, Standard ETSI TR 102 638, European vided. She has applied her knowledge of design flaws
Telecommunications Standards Institute, Jun. 2009. in algorithms to help develop more secure ciphers,
[43] Intelligent Transport Systems (ITS); STDMA Recommended Parameters working in teams with Australian and international researchers. She currently
and Settings for Cooperative ITS; Access Layer Part, Standard ETSI TR studies efficient encryption methods for use in securing data transmissions
102 861, European Telecommunications Standards Institute, Jan. 2012. between small, low-power devices in the rapidly growing Internet of Things.

Authorized licensed use limited to: Technische Hochschule Ingolstadt. Downloaded on April 27,2022 at 08:11:33 UTC from IEEE Xplore. Restrictions apply.
BAEE et al.: BROADCAST AUTHENTICATION IN LATENCY-CRITICAL APPLICATIONS: ON THE EFFICIENCY OF IEEE 1609.2
Ernest Foo received the Ph.D. degree from the
Queensland University of Technology, Brisbane,
QLD, Australia, in 2000. He is an Associate Profes-
sor with School of Information and Communication
Technology, the Griffith University, Brisbane, QLD,
Australia. From 2007 to 2019, he has been a Senior
Lecturer and Researcher at the Information Security
Discipline, Queensland University of Technology,
Brisbane, QLD, Australia. His research interests can
be broadly grouped into the field of secure network
protocols with an active interest in the security of
industrial controls systems employing machine learning and data mining as
well as cryptographic protocols and network simulations. He has authored or
coauthored over 90 refereed papers including 20 journal papers.
Authorized licensed use limited to: Technische Hochschule Ingolstadt. Downloaded on April 27,2022 at 08:11:33 UTC from IEEE Xplore. Restrictions apply.
11587
Josef Pieprzyk is a Senior Principal Research
Scientist with the Commonwealth Scientific and
Industrial Research Organization, Data61, Sydney,
NSW, Australia, a Professor with Institute of Com-
puter Science, Polish Academy of Sciences, and an
Adjunct Professor with the Queensland University
of Technology, Brisbane, QLD, Australia. His main
research interests include cryptology and information
security. He has authored or coauthored five books,
edited ten books (conference proceedings), six book
chapters, and more than 300 papers in refereed jour-
nals and refereed international conferences. He is a member of the editorial
boards for International Journal of Information Security (Springer), Journal
of Mathematical Cryptology (De Gruyter), Open Access Journal of Cryptog-
raphy (MDPI), International Journal of Applied Cryptography (Inderscience
Publishers), Fundamenta Informaticae (IOS Press), International Journal of
Security and Networks (Inderscience Publishers), and International Journal of
Information and Computer Security (Inderscience Publishers).