Using one-way hash chains for a scalable VANET communication

AbstractThe successful deployment of vehicular communi-cation depends on the both Vehicle-to-Vehicle communications(V2V) and Vehicle to Infrastructure communication(V2I). Se-curity and privacy are the two main factors to be consideredduring this deployment. Though several researches have beenconducted on the issuance of pseudonyms to deal with theabove said issues, the traditional PKI based schemes usedfor the generation of these pseudonyms produce an enormoussigning and verification costs. In order to address this problem,we propose a novel one-way hash chain based scheme togenerate a series of public/private key pairs by the RoadSide Units (RSUs) and distribute them along with an nbit hash code H and a proof cipher C to the vehicles inits range. Anytime a vehicle can verify another vehicle bycombining the vehicles public key and its n bit hash code,which should prove the same cryptographic hash functionof the receiving vehicle. Through this proposed Hash-Chainbased Authentication Protocol (HCAP), the certificate costs ofmessages are immensely reduced. Moreover, it will be infeasibleif an attacker tries to compromise a public key, as the vehiclefrequently changes its public/private keys in a random fashion.We evaluated the proposed protocol extensively to validate itsbetter performance when compared to its counterparts.

Keywords-VANET; V2V; V2I; Vehicular Communication;One-Way Hash Chain; Cryptographic Hash Function;

I. INTRODUCTIONIn VANET applications that enable vehicles to commu-

nicate with each other via ad-hoc network the driver com-munity is really benefited with safety messages and trafficrelated messages. VANETs can also provide some additionalapplications such as electronic advertisements [3], localinformation acquisition (e.g., road maps, restaurant, hotel,gas station information, etc.,) and downloading or uploadingentertainment related information through the Internet. Acomprehensive summary of potential VANET applicationscan be found in [1].By being equipped with communicationdevices such as On Board Units (OBUs), vehicles in aVANET can communicate with each other as well as withthe roadside units (RSUs) located at some critical points ofthe road, such as the traffic signals or intersections.

According to DSRC [2], a vehicle sends a messagewithin the time interval of 100-300ms. Every message inthe network should be signed and carry a certificate toattest valid network participants for security reasons. Though

creating a signature every 100 ms is not a big issue, verifyingsignatures of neighboring vehicles every 100 ms certainlymatters, when the traffic density is high. Therefore, theremust be a solution that can enable vehicles to vehicle com-munication with improved scalability by not compromisingthe security and privacy of the system. In this paper, wepropose a scheme that allows a significant improvementin the scalability and a low message loss ratio for highdensity traffic situations. In HAP, the RSUs (Road SideUnits) generates a large set of public/ private key pairsusing an one-way hash chain function and distributes mnumber of keys per vehicle along with their correspondingn bit hash code value H . When a vehicle wants to send amessage to other vehicles it randomly picks a public keyfrom m number of keys provided by the RSU . These mkeys could be reused in a random fashion as long as thevehicle is inside the RSUs range. In order to authenticatethe sender, the receiving vehicle uses the senders public keyand its corresponding hash code value comes along withthe message to compute the proof cipher, which shouldprove that of its own it already received from the RSU .Compared with previous schemes, our proposed schemesupports both V2I and V2V communications by greatlyreducing the computational overhead of the vehicles.

II. SYSTEM MODEL & PRELIMINARIES

A. System Parameters

The system model of this paper is shown in Figure 1.The TA generates system parameters during the registrationprocess. We adopt the system parameters as proposed in [5]and, these TA generated system parameters must be agreedby all the parties of the system:

G= (G,) is a finite cyclic group of order q (for some largeq), g 2 G is a generator of G, and we assume that computingdiscrete logarithms in G with respect to g is computationallyinfeasible. For example, G might be a large multiplicativesubgroup of Zp with symmetric properties, for some largeprime p, where q is a large prime dividing p1; alternatively,G could be the group of points on an elliptic curve. An

Table INOTATIONS

Notation Descriptions Secret IntegerVx Vehicle xR the Road Side Unit (RSU )RIDR real ID of the RSURRIDvx real ID of the vehicle VxPKvx long term public key of Vxskvx corresponding private key of PKvxCertTA[PKvx ] TAs certificate on public key of VxPKR long term public key of RSURskR corresponding private key of PKRCertTA[PKR] TAs certificate on the public key of RPrvx Signature of Vx using skvxPrR Signature of RSUR using skRSSRVx Shared session key between Vx and REx Encryption using the key xDx Decryption using the key xF (.) one way hash function SHA-1[8]h one way hash function SHA-1[8]H hash function such that {0, 1} 2 ZpPuj Anonymous public key jPrj Corresponding private key for PujH Hash code valueC Proof Cipher

admissible bilinear map is a map e : GG! G satisfyingthe following properties.

Bilinearity: For all a, b 2 G, and for all a, b 2Zp , e(ga, hb) = e(g, h)ab In particular 8(a, b, c) 2G, e(a, b+ c) = e(b+ c, a) = e(b, a).e(c, a)

Nondegeneracy: e(a, b) 6= 1G Computability: There exists an efficient algorithm toe(a, b), 8(a, b) 2 G.

F is a cryptographic (one way) hash function mappingarbitrary length binary strings to strings of a fixed lengthln (where a typical value for ln might be 224).

h is a cryptographic (one way) hash function mappingthe set {0, 1, , q 1} onto itself; in practice, h might bederived from F .

k 1 is a positive integer that determines the maximumnumber of key pairs that can be generated by a vehicle. Inthe rest of the paper, we use the notations that are describedin Table 1.

B. The one-way hash chainsOne-way hash chains are recognized applications used

in computer security to produce many one-time keys fora single key or password. The interesting property of hashchain is it is computationally infeasible to invert, in spite

Figure 1. System Model

of its ease and efficiency to compute. One-way hash chaincan be used for vehicular ad-hoc networks for the purpose ofreducing the authentication overhead of a series of messages.Unfortunately, the traditional one-way hash chains do notpermit the verifiable binding of public/private key pairs to asingle hash code. If a hash chain can uniquely links a seriesof public and private key pairs using a cryptographic hashfunction, it is possible to verify that a public key is linkedto the hash chain by applying a cryptographic hash functionthe right number of times to that disclosed public key [5].

III. PROPOSED APPROACH

We propose a novel RSU based one-way hash chainscheme inspiring by the work proposed by G.Kounga etal., in [5]. Our solution relies on a verifiable binding ofpublic/private key pairs to a single hash code with an ex-tremely low storage overhead and a very negligible amountof computational overhead to the vehicles.In this approach, the anonymous public/private key pairs

are generated by the RSU using a one-way hash chainmethod and distributed m pairs per vehicle at once whenthey enter in its communication range. The vehicles use thiskey pairs one by one in a repeated random fashion to sendmessages to other vehicles inside that RSUs communicationrange. Every time a message is sent, the sender picksa public key Pu and its corresponding n bit hash codevalue H from the m keys provided by the RSU . Alongwith, the sender generates a signature on the message usingthe corresponding secret key pr of the chosen public keyPu. The signature generation in HAP is derived from thesignature schemes proposed in [10]. During the verificationprocess, the receiving vehicle will be able to authenticate the

sender by calculating the proof cipher C from the providedvalues. Only the public key and its corresponding hashcode value H together can form the same proof cipher Cas they are computed from a single hash chain function.Moreover, by knowing one public key or hash code value,the other public keys cannot be computed which guaranteesthe trustworthiness of the public keys.

A. Vehicle and RSU Registration

During the initialization stage, the TA issues a set of basiccryptographic materials such as a long-term public key PKand its corresponding private key sk for all OBUs and RSUsafter verifying the real identities RID in order to participatein the network.

B. Key Management using one-way hash chains

With the cryptographic materials provided by the TA,RSUR chooses a secret integer s 2 {0, 1..q 1} andcomputes a one-way hash function on the secret s for a largek as shown in eq(1). The R then computes a total of k 1anonymous private/public key pairs and their correspondinghash code values from the generated one-way hash chain.For example, the jth anonymous private key Prj and itscorresponding public key Puj (where 0 < j < k) arecalculated as shown in eq(3&4).

The one-way hash chain function on secret

s = hk(s) hk1(s)hki(s)h2(s) h(s) s (1)

=kYi=0

hi(s) (2)

jth private key

Prj =jY

i=0

hi(s) (3)

and its public key

Puj = gPrj = g

Qji=0 h

i(s) (4)

where, hi(s) means that the cryptographic one way hashfunction h is applied on s for i number of times. The k 1anonymous private/public key pairs and their correspondingn bit hash code value H are calculated by the RSU as shownin eq(6) and eq(7) until hk(s). RSUR also generates a proofcipher C as shown in eq(5).

C = FgQk

i=0 hi(s)

(5)

where, FgQk

i=0 hi(s)means the cryptographic one-way

hash function F is applied once to gQk

i=0 hi(s).

Figure 2. Key establishment and distribution protocol

hk(s) hk1(s) hkj(s)) h2| {z }H1=

Qki=2 h

i(s)

h(s) s| {z }Pr1=

Q1i=0 h

i(s),Pu1=gQ1i=0 h

i(s)

(6)

hk(s) hkj(s) h3| {z }H2=

Qki=3 h

i(s)

h2(s) s| {z }Pr2=

Q2i=0 h

i(s),Pu2=gQ2i=0 h

i(s)

(7)

C. Vehicle-to-Infrastructure (V2I) communicationWhen the vehicle Vx enters into the RSURs communica-

tion range, it would detect the existence of a RSUR throughthe periodic hello message of R. Once Vx receives thatmessage, it immediately verifies the location information andthe validity of the pubic key certificate of the R. If they arevalid, the vehicle begins the mutual authentication processusing the Diffie-Hellman key establishment protocol [6] andestablishes a shared session key between R and Vx. Themutual authentication and key-establishment processes aredetailed in Figure 2.

D. Vehicle-to-Vehicle (V2V) communicationWhen a vehicle wants to participate in V2V communi-

cation, it picks a public/private key pair from the m pairsit obtained from the R. The detailed process of the V2Vcommunication will be as follows: By the time of sendingmessages vehicle Vx sends the following to Vy :

msg||Pul||Hl||(msg||Pul||Hl)Prl where, 1 l mThe receiving vehicle Vy can authenticate Vx by first

verifying its signature and continue to calculate the proofcipher Cx of Vx from the provided Pun and Hn in themessage if the signature is valid. In time t, if the computedCx of Vx matches with the Cy of Vy . (proof cipher given tovehicle Vy by R) then the receiving vehicle Vy trusts Vx asa genuine vehicle and consumes the message sent by it.

E. Batch verification

Verifying multiple signatures at once is an effective way toimprove the system performance. According to J. Camenisch[9], verifying n signatures takes the same time as thatof verifying a single signature. For example, if 3 pairingoperations are required to verify a single signature, verifyingn signatures also takes 3 paring operations instead of 3npairing operations. Therefore, the time spent on verifyinga large number of signatures can extensively decrease withbatch verification. In the proposed scheme, the signatures ofall the message senders are batch verified at every 300 ms.A vehicle Vx who wants to send a message with the publickey Pul generates a valid signature Prl which is composedof (!,) for a given message M as follows.

OBU selects a random number b 2 Zp . It then computes !, and such that ! = gb, =Prl + b, = H(M ||Pul||||TS)

(!,) is a valid signature on message M

Any receiving vehicle can verify the above signature if

e(g,!) = e(!, Pul !) (8)as verified below:

e(g,!)

=e(g,!)(Prl + b)

=e(g,!)(Prl) e(g,!)b=e(g(Prl),!) e(gb,!)=e(!, Pul) e(!,!)=e(!, Pul !)

(9)

Consider the receiver receives (!1,1)(!2,2)(!d,d)which are the signatures on the messages M1,M2, Mdrespectively. Then, batch verification can be done on thereceived signatures as follows.

The receiving vehicle calculates 1,2 d and !0 ,0such that

!0=

dYi=1

i!i,0=

dXi=1

i (10)

The receiving vehicle then accepts the message if thefollowing equation holds:

e(g,!0)

0= e(!

0,

dYi=1

Puli!ii ) (11)

IV. DISCUSSION & EVALUATION

A. Security Analysis

Source Authentication and Message Integrity: In HAP,a message source is authenticated by verifying the signaturein the message and then by computing the cipher poof Cfrom the disclosed hash code value H and the short livedanonymous public key. If the signature is valid, it is certainthat the message is from the source that poses the public key.Moreover, every public is provided with its unique H andonly that public key and its H can produce the same C withthe RSU range. This proves the reliability of the public key.In V2I communication both the vehicle and the RSU sendtheir messages by encrypting them with the public keys ofeach other (see Figure 2). Therefore, only the entity that hasthe corresponding private key can decrypt the message. Atthe same time, each message is signed by the private keysof the respective anonymous public key.

Fast Verification: During V2V communication thesender sends a short lived public key, its correspondinghash code value H along with every message. Because thereattached no certificate that occupies a large packet size ina message, the total data packet size of the message istremendously reduced which eventually results in a quickverification process.

Traceability: Because each vehicle is given m differentsets of public key and hash code value and also shares asession key with the RSU , the RSU can find the sessionkey of the misbehaved vehicle by maintaining an index ofthe given public keys with their corresponding session key.Through this process, the RSU can retrieve the long-termpublic key of the vehicle and can sanction penalties throughthe TA.

B. Performance Evaluation

We measured the computational overhead of the proposedscheme by concerning the signing and verification of mes-sages during V2V communication. We also discussed theverification delay of HAP with three other popular protocolssuch as ECDSA, BLS, and ECPP.

Since HAP relies upon the one-way hash chain method,we implemented a Java based one-way hash chain schemeand evaluated its performance on a computer with 2.7 GHzIntel Core i7 CPU, 4 GB RAM and MAC OS X Lion 10.7.4.1) Signature generation and verification delay: In this

section, we compared the signing and verification delay ofHAP with other most popular schemes such as ECDSA [14],BLS [15], and ECPP [4]. Here, the ECDSA scheme is the

Table IISIGNING AND VERIFICATION DELAYS OF THE COMPARED SCHEMES

Scheme Verifying 1 message Verifying n messagesECDSA 4Tmul 4nTmulBLS 4Tpair + 2Tmtp (2n+2)Tpair + 2nTmtpECPP 3Tpair + 11Tmul 3nTpair + 11nTmulHAP 2Tpair + Tmul 2Tpair + (2n-1)Tmul

signature algorithm adopted by IEEE 1609.2 standard, BLSis a short signature scheme and ECPP is an RSU basedauthentication scheme. According to MIRACLE [11] library,for an MNT elliptic curve with embedding degree 6 andthe order q is represented by 160 bits, the group order ofG is 4.5 1030, which qualifies the bilinear pairing as apractical choice for securing the large scale VANETs [10].We considered the implementation of Tate pairing on anMNT curve [12] with embedding degree 6, where G isrepresented by 161 bits, and the order q is represented by160 bits. We denote Tmul as the time to perform one pointmultiplication over an elliptic curve, Tmtp as the time fora MapToPoint hash operation, and Tpair as the time for apairing operation. As the above said are the three dominantoperations that determine the speed of signature verification,we ignored other operations such as additive and one-wayhash function operations. Tmtp is found for an MNT curveto be 3.9 ms [13] while Tmul and Tpair are 0.6 and 4.5msrespectively on an Intel Core 2 Duo @ 3.2 GHz with 2GBRAM machine

Table 2 shows the summary of verification delays of thefour signature schemes in terms of verifying a single signa-ture and n signatures, respectively. During message verifi-cation, a single message requires 2Tpair + Tmul operationsand n messages require 2Tpair + (2n 1)Tmul operationsregardless of the addition and exponential operations. Figure3 shows the verification delay in milliseconds vs. the numberof the received messages. It can be seen that the proposedscheme has the lowest verification delay among all othercompared protocols. This is mainly because HAP does notrequire any certificate to be sent with each message. Ac-cording to IEEE 1609.2 Standard [7], including a certificateadds an additional overhead of 125 bytes to every messageand eventually hinders the process of verification in thereceiving end. Rather, in our scheme verification of a publickey certificate of a vehicle happens at the first introductionof the vehicle into the communication range of the RSU (i.e.during V2I communication). Apart from that, the networkdoes not require any certificate neither from the TA norfrom the RSU to be verified by another vehicle (duringV2V communication). This is because; the computation ofthe proof cipher (of the sender) alone is enough to prove theauthenticity of the sender.

Table IIINS-2 SIMULATION PARAMETERS

Description Valuessimulation area 7.5 7.5 Kmsimulation time 30000msmaximum speed of vehicles 60Km/hOBU transmission range 300mMAC protocol 802.11aOBU data dissemination interval 300mswired channel capacity 100Mbpswireless channel capacity 6 Mbpsnumber of RSUs 600distribution of RSUs Uniform

Figure 3. Verification delay vs. number of messages received

2) Message Loss Ratio: To further evaluate the proposedprotocol, we conducted ns-2 [16] simulation using the pa-rameters in Table 3. In this simulation, we estimated themessage loss incurred by OBUs due to V2V communica-tions only, i.e., we did not consider the implementation ofRSUs as the communication between and RSU is infrequentin HAP. The average message loss ratio is defined as theaverage ratio between the number of messages droppedevery 300ms due to cryptographic delays, and the totalnumber of messages received every 300ms This can becalculated from the maximum number of signatures andcertificates that can be verified by a protocol in 300msThe ECDSA, BLS, ECPP and HAP verifies a maximum of125, 17, 14 and 240 messages respectively. Figure 4 showsthe average message loss ratio of ECDSA, BLS, ECPPand HAP when the average number of messages receivedby each OBU from its neighbors reaches up to 300. Itcan be seen that HAP provides the lowest message lossratio when compared to all other studied schemes. This ismainly because our scheme batch verifies the signatures ofall received messages and also do not possess the additionaloverhead of certificate verification.

Figure 4. Message Loss Ratio vs. number of messages received

V. CONCLUSION

In this paper, we proposed an efficient and secure au-thentication scheme for an infrastructure based vehicularcommunication. The proposed scheme supports a certificateless verification process by promising a secure communi-cation channel as well. In our scheme the one-way hashchain method is used by the RSU to generate anonymouspublic/private key pairs for the vehicles. These keys can beverified by other vehicles by computing the proof cipher Cfrom the disclosed public key and its n bit hash code value Hthat comes along with every message. The important featureof this scheme is, it significantly reduces the computationaloverhead and message loss of the vehicles and drasticallyimproves the efficiency and scalability of the system. Ourfuture work includes further exploration of mechanisms forthe reduction of communication overhead between the RSUand the vehicles and to reduce the redundancy of similartraffic messages being sent from different vehicles at thesame time.

REFERENCES

[1] Car to Car Communication Consortium Manifesto - Overviewof the C2C-CC System, C2C-CC, Tech. Rep.,(Aug. 2007).

[2] Dedicated Short Range Communications (DSRC), [Online].Available: http://grouper.ieee.org/groups/scc32/dsrc/index.html

[3] S.Lee, G. Pan, J. Park, M. Gerla, and S. Lu, Secure incentivesfor commercial ad dissemination in vehicular networks, inProceedings of the ACM International Symposium on MobileAd Hoc Networking and Computing (MobiHoc07), ( Montreal,Canada, 2007).

[4] R. Lu, X. Lin, H. Zhu, P.-H. Ho, and X. Shen, ECPP: efficientconditional privacy preservation protocol for secure vehicularcommunications, in Proceedings of the IEEE InternationalConference on Computer Communications (INFOCOM08), (Phoenix, Arizona, 2008).

[5] G.Kounga, C. J. Mitchell and T. Walter, Generating Certifica-tion Authority Authenticated Public Keys in Ad Hoc Networks,Security and Communication Networks, ( 2009) 00: 120.

[6] R. Rivest and A. Shamir, PayWord and MicroMint: two simplemicropayment schemes, in Proc. SPW, LNCS, Springer-Verlag,(Berlin, 1996) vol. 1189, pp. 69-87.

[7] IEEE Standard 1609.2 - IEEE Trial-Use Standard for WirelessAccess in Vehicular Environments Security Services for Appli-cations and Management Messages, ( 2006).

[8] H. Yoon, J. H. Cheon, and Y. Kim, Batch verification with ID-based signatures, in Proceedings of Information Security andCryptology, (2004), pp.233-248.

[9] J. Camenisch, S. Hohenberger, and M. Pedersen, Batch ver-ification of short signatures, in Proceedings of EUROCRYPT,(LNCS, 2007), Vol. 4514, pp. 246-263.

[10] Albert Wasef, Yixin Jiang, Xuemin (Sherman) Shen, DCS:An Efficient Distributed Certificate Service Scheme for Vehic-ular Networks, , IEEE Transactions on Vehicular Technology,(2010), vol. 59,no. 2, pp. 533.

[11] Multiprecision Integer and Rational Arithmetic C/C++ Li-brary (MIRACL). (Online). Available: http://www.shamus.ie

[12] A. Miyaji, M. Nakabayashi, and S. Takano, New explicit con-ditions of elliptic curve traces for FR-Reductions.IEIC TechnicalReport, (2000), vol. 100, no. 323(ISEC2000 58-67), pp. 99108.

[13] R. Lu, X. Lin, H. Zhu, P. Ho, and X. Shen, A novel anony-mous mutual authentication protocol with provable link-Layerlocation privacy, IEEE Transactions on Vehicular Technology,(2009), vol. 58, no. 3, pp. 14541466.

[14] D. Boneh, B. Lynn, and H. Shacham, Short signatures fromthe weil pairing, in Proceedings of Asiacrypt, (2001), Vol. 2248,pp. 514-532.

[15] D. Boneh, C. Gentry, B. Lynn, and H. Shacham, Aggregateand verifiably encrypted signatures from bilinear maps, InProceedings of Eurocrypt, (LNCS, 2003), Vol. 2656, pp. 416-432.

[16] The network simulator - ns-2.[Online]. Available:http://nsnam.isi.edu/nsnam/index.php/User Information