Anonymous Authentication Protocols for Vehicular Ad Hoc Networks: An Overview

Cryptography will continue to play important roles in developing of new security solutions which will be in great demand with the advent of high-speed next-generation communication systems and networks. This book discusses some of the critical security challenges faced by today's computing world and provides insights to possible mechanisms to defend against these attacks. The book contains sixteen chapters which deal with security and privacy issues in computing and communication networks, quantum cryptography and the evolutionary concepts of cryptography and their applications like chaos-based cryptography and DNA cryptography. It will be useful for researchers, engineers, graduate and doctoral students working in cryptography and security related areas. It will also be useful for faculty members of graduate schools and universities


Introduction
According to car crash statistics, over six million motor vehicle crashes occur on U.S. highways each year.More than 42,000 people are killed in these accidents which injure three million others, and cost more than $230 billion each year.Astonishingly, five people die every hour in these crashes in the United States which is about one death every 12 minutes IVI (2001).In order to alleviate the threats of these crashes and improve the driving experience, car manufactures and the telecommunication industry have made great efforts to equip each vehicle with wireless devices that allow vehicles to communicate with each other as well as with the roadside infrastructure located in critical points of the road, such as intersections or construction sites.Misener (2005); VII (2011).Technologies built on 802.11p and IEEE 1609 standards, 5.9 GHz Dedicated Short Range Communications (DSRC) protocols1 DSRC (1999), are proposed to support these advanced vehicle safety applications such as secure and effective vehicle-to-vehicle (V2V) (also known as Inter-Vehicle Communica-tion (IVC)) and vehicle-to-infrastructure (V2I) communications, which are also known as Vehicle Safety Communications (VSC) technologies.As shown in Fig. 1, the wireless communication devices installed on vehicles, also known as onboard units (OBUs), and the roadside units (RSUs), form a self-organized Vehicular Ad Hoc Network (VANET) Lin (2008); Sun (2007).Furthermore, the RSUs are connected to the backbone network via the high speed network connections.In this way, VANETs inherently provide a way to collect traffic and road information from vehicles, and to deliver road services including warnings and traffic information to users in the vehicles.Thus, an increasing interest has been raised recently on the VANETs-based applications Bishop (2000), aiming to improve driving safety and traffic management by the method of providing drivers and passengers with Internet access.
It is natural to observe that achieving privacy and liability simultaneously is conflicting goal.On one aspect, a well-meaning OBU is willing to offer as much local information as possible to RSUs and other OBUs to create a safer driving environment so long as its locations cannot be tracked.And on the other, a misbehaving OBU may abuse the privacy protection mechanism to avoid legal responsibility when it involved in a dispute involving safety messages2 attempts.Therefore, the conditional privacy-preserving authentication should be fulfilled in VANETs where a trusted authority can reveal the real identity of targeted OBU in case of a traffic event dispute, even though the OBU itself is not traceable by the public.
This chapter surveys the literature on privacy issues in VANETs from different perspectives, and thus provides researchers with a better understanding of this primitive.This chapter does not propose or advocate any specific anonymous authentication mechanisms.Even though some sections might point out vulnerabilities in certain classes of authentication protocols, our purpose is not to criticize, but to draw attention to these problems so that they might be solved.
The remainder of this chapter is organized as follows.Section 2 presents attack model, security requirements and related VANETs network architecture.All previous privacy-preserving protocols for VANETs are classified in Section 3, together with the basic cryptographic primitives.An example of Ring-signature based anonymous authentication protocol based on bilinear pairing are given in Section 4. Section 5 discusses how to use the taxonomies.Section 6 concludes the paper by stating some possible future research directions.

Attack model
According to Lin (2008); Lin et al. (2007); Raya & Hubaux (2005;2007); Sun et al. (2007), several possible security attacks in VANETs have been defined and listed as follows: • Fake information attack: The adversary may diffuse bogus messages to affect the behavior of others.For instance, in order to divert traffic from a given road, one may send a fake traffic jam message to the others.
• Message replay attack: The adversary replays the valid messages sent by a legitimate user some time before in order to disturb the traffic.

Fig. 1. Vehicular Ad Hoc Networks
• Message modification attack: A message is altered during or after transmission.The adversary may wish to change the source or content of the message in terms of the position and/or time information that had been sent and saved in its device notably in the case of an accident.
• Impersonation attack: The adversary may pretend to be another vehicle or even an RSU by using false identities to fool the others.
• RSU preemption/replication attack: An RSU may be compromised such that the adversary can relocate the compromised RSU to launch any malicious attack, such as broadcasting fake traffic information.Moreover, the adversary may illegally interrupt and manipulate traffic lights which is controlled by the corrupted RSU to get a better traffic condition • Denial of service (DoS) attack: The adversary injects irrelevant jamming and aggressive dummy messages to take up the channels and consume the computational resources of the other nodes, such as RF interference or jamming or layer 2 packet flooding.
• Movement tracking: Since wireless communication is on an openly shared medium, an adversary can easily eavesdrop on any traffic.After the adversary intercepts a significant amount of messages in a certain region, the adversary may trace a vehicle in terms of its physical position and moving patterns simply through information analysis.Assuming that the attacker does not make use of cameras, physical pursuit, or onboard tracking devices to reveal the identity of his target; otherwise, the tracking problem becomes simpler but also more expensive and limited to few specific targets.

Security requirements
To countermeasure and mitigate the potential threats in the aforementioned attack models, a security system for safety messaging in a VANET should satisfy the following requirements.
1. Efficient anonymous authentication of safety messages: The security system should provide an efficient and anonymous message authentication mechanism.First of all, all accepted messages should be delivered unaltered, and the origin of the messages should be authenticated to guard against impersonation attacks.Meanwhile, from the point of vehicle owners, it may not be acceptable to leak personal information, including identity and location, to unauthorized observers while authenticating messages.Therefore, providing a secure yet anonymous message authentication is critical to the applicability of VANETs.Furthermore, considering the limited storage and computation resource of OBUs, the authentication scheme should have low overheads for safety message verification and storage.
2. Efficient tracking of the source of a disputed safety message: An important and challenging issue in these conditions is enabling a trusted third party (such as police officers) to retrieve a vehicle's real identity from its pseudo identity.If this feature is not provided, anonymous authentication can only prevent an outside attack, but cannot deal with an inside one.Furthermore, the system should not only provide safety message traceability to prevent inside attacks, but also have reasonable overheads for the revealing the identity of a message sender.(2007); Xi et al. (2007;2008); Xiong et al. (2010a;b); Zhang et al. (2008a;b), the security system should include at least three types of entities: the top Trusted authority (TA), the immobile RSUs at the roadside, and the moving vehicles equipped with on-board units (OBUs).

Threshold authentication
• OBU: A vehicle can not join the VANETs unless it registers its own public system parameters and corresponding private key to the TA.The secret information such as

56
Applied Cryptography and Network Security www.intechopen.comprivate keys to be used generates the need for a tamper-proof device in each vehicle.
According to existing works, only the authorized parties can access to this tamper-proof device.OBUs are mobile and moving most of the time.When the OBUs are on the road, they regularly broadcast routine safety messages, such as position, current time, direction, speed, traffic conditions, traffic events.The information system on each vehicle aggregates and diffuses these messages to enable drivers form a better awareness of their environment (Fig. 2).The assumed communication protocol between neighboring OBUs (IVC) or between an OBU and a RSU (V2I) is 5.9 GHz Dedicated Short Range Communication (DSRC) DSRC (1999) IEEE 802.11p.
• RSU: The RSUs, which are subordinated by the TA, form a wireless multi-hop mesh network (mesh mode in WiMax) aiming to extend the wireless coverage and increase the network robustness and throughput.Some of these RSUs are connected to the backbone networks with wired connections or to the WiMax base stations with wireless connections.
Vehicles and passengers can gain access to the Internet for a short moment when passing through any of the RSUs by communicating with it.Thus, the RSUs should be able to perform fast handoff in order to support basic Internet services such as e-mail and TCP applications.We remark that the handoff process should be predictive when the moving pattern and speed of the vehicle are given.In addition, the RSUs should work as gateways which also support the 802.11p protocol and can transform the safety messages broadcasted by the vehicles into IP packets.With the support from RSUs, the workload of the vehicles is reduced.Otherwise, the vehicles need to send multiple copies of safety messages in different formats: one to the other vehicles with 802.11p, and one to the base stations with 802.16e.Different from the vehicles, we assume that RSUs have neither computation and energy constraints nor buffer size constraints.
• TA: The TA is in charge of the registration of all RSUs and OBUs each vehicle is equipped with.The TA can reveal the real identity of a safety message sender by incorporating with its subordinate RSUs.To the end, the TA requires ample computation and storage capability, and the TA cannot be compromised and is fully trusted by all parties in the system.
The network dynamics are characterized by quasi-permanent mobility, high speed, and (in most cases) short connection times between neighboring vehicles or between a vehicle and a roadside infrastructure network access point.

RSU-based approach
Zhang et al.Zhang et al. (2008a;b) presented a novel RSU-aided message authentication scheme (RSUB), in which the RSUs are responsible for validating the authenticity of messages sent from vehicles and for sending the results back to peer vehicles.Compared to the solutions without support from RSUs, this kind of schemes enables lower computation and communication overheads for each vehicle.Independently, Lu et al.Luet al. (2008) introduced another anonymous authentication protocol for VANETs based on generating on-the-fly short-lived anonymous keys for the communication between vehicles and RSUs.These keys enable fast anonymous authentication and conditional privacy.All of these schemes employ RSUs to assist vehicles in authenticating messages.Fig. 2. VANETs Architecture being a bottleneck, an RSU is allowed to issue certificates for the vehicles.However, it brings a privacy risk when an RSU is compromised by the adversaries.Once the service records of an RSU are leaked, it is easy for the adversary to link the pseudonymous certificates that a vehicle has obtained from the compromised RSU.In particular, when the number of compromised RSUs increases, it possibly provides a solution for the adversaries to revert the mobile trace of the target vehicles.However, relying on the roadside infrastructure for safety message authentication is a precarious solution: while these messages enable critical assisted driving features the roadside infrastructure will likely offer only partial coverage (for example during the deployment stage, for economic considerations, or simply due to physical damage).

Group signature-based scheme
In Chaum & Hevst (1991), Chaum and Heyst proposed a new type of signature scheme for a group of entities, called group signatures.Such a scheme allows a group member to sign a message on the group's behalf such that everybody can verify the signature but no one can find out which group member provided it.However, there is a trusted third party, called the group manager, who can reveal the identity of the originator of a signature in the case of later dispute.This act is referred to as "opening" a signature or also as revocation of a signer's anonymity.Boneh et al. (2004).With GSB, each vehicle stores only a private key and a group public key.Messages are signed using the group signature scheme without revealing any identity information to the public.Thus privacy is preserved while the trusted authority is able to expose the identity of a sender.However, the time for safety message verification grows linearly with the number of revoked vehicles in the revocation list in the entire network.Hence, each vehicle has to spend additional time on safety message verification.Furthermore, when the number of revoked vehicles in the revocation list is larger than some threshold, the protocol requires every remaining vehicle to calculate a new private key and group public key based on the exhaustive list of revoked vehicles whenever a vehicle is revoked.Lin et al.L i n et al. (2007;2008a); Sun et al. (2007) do not explore solutions to effectively updated the system parameters for the participating to vehicles in a timely, reliable and scalable fashion.This issue is not explored and represents an important obstacle to the success of this scheme.

Ring signature-based scheme
Ring signature scheme, introduced by Rivest, Shamir and Tauman Rivest et al. (2001), offers two main properties: anonymity and spontaneity.In practice, anonymity in a ring signature means 1-out-of-n signer verifiability, which enables the signer to keep anonymous in these "rings" of diverse signers.Spontaneity is a property which makes the distinction between ring signatures and group signatures Boneh et al. (2004); Chaum & Hevst (1991).Different from group signatures which allow the anonymity of a real signer in a group can be revoked by a group manager, the ring signature only gives the group manager the absolute power to control the formation of the group, and does not allow anyone to revoke the signer anonymity, while allowing the real signer to form a ring arbitrarily without being controlled by any other party.Since Rivest el al.'s scheme, many ring signature schemes have been proposed Abe et al. (2002); Bresson et al. (2002); Dodis et al. (2004); Wong et al. (2003); Xiong et al. (2009;2011).In 2007, Liu et al.Liu et al. (2007) have introduced a new variant for the ring signature, called revocable ring signature.This scheme allows a real signer to form a ring arbitrarily while allowing a set of authorities to revoke the anonymity of the real signer.In other words, the real signer will be responsible for what has signed as the anonymity is revocable by authorities while the real signer still has full freedom on ring formation.
To address the scalability concern in Lin et al. (2007), Xiong et al.Xiong et al. (2010a) proposed a spontaneous protocol based on the revocable ring signature Liu et al. (2007), which allows the vehicle to generate the message without requiring online assistance from the RSUs or the other vehicles.In this solution, the remaining vehicles are not required to update their system parameters regardless of the number of revoked vehicles.However, this protocol suffers larger communication overhead than that of other protocols because the length of ring signature depends on the size of the ring.Furthermore, Xi et al.Xi et al. (2007;2008) also introduced a random key-set-based authentication protocol to preserve the vehicle's privacy based on ring signature.However, this solution only provides unconditional anonymity without an effective and efficient mechanism to reveal message sender's identities when necessary.

59
Anonymous Authentication Protocols for Vehicular Ad Hoc Networks: An Overview www.intechopen.com

k-TAA-based scheme
In a k-times anonymous authentication (k-TAA) system Teranisi et al. (2004), participants are a group manager (GM), a number of application providers (AP) and a group of users.The GM registers users into the group and each AP independently announces the number of times a user can access his application.A registered user can then be anonymously authenticated by APs within their allowed numbers of times (k times) and without the need to contact the GM.Dishonest users can be traced by anyone while no one, even the GM or APs, can identify honest users or link two authentication executions performed by the same user.Finally no one, even the GM, is able to successfully impersonate an honest user to an AP.In dynamic k-TAA Nguyen & Safavi-Naini (2005), APs have more control over granting and revoking access to their services and so have the required control on their clients.
Sun et al.Sun & Fang (2009); Sun et al. (2010c) proposed a new misbehavior defense technique leveraging the idea of dynamic revocation, to provide a means of limiting the impact of misbehavior by adjusting it to an acceptable level during the vulnerable period existing in the automatic revocation technique based on dynamic k-TAA.However, the downside of Sun et al.'s scheme is obviously the lack of capability to trace misbehaving users.

Basic scheme
Raya et al.Raya & Hubaux (2005;2007) introduced the large number of anonymous key based (LAB) protocol.Their key idea is to install on each OBU a large number of private keys and their corresponding anonymous certificates.To sign each launched message, a vehicle randomly selects one of its anonymous certificates and uses its corresponding private key.
The other vehicles use the public key of the sender enclosed with the anonymous certificate to authenticate the source of the message.These anonymous certificates are generated by employing the pseudo-identity of the vehicles, instead of taking any real identity information of the drivers.Each certificate has a short life time to meet the drivers'privacy requirement.
Although LAB protocol can effectively meet the conditional privacy requirement, it is inefficient and may become a scalability bottleneck.The reason is that a sufficient numbers of certificates must be issued to each vehicle to maintain anonymity over a significant period of time.(Raya et al.Raya & Hubaux (2005;2007) suggest using large pseudo certificates for each vehicle).As a result, the certificate database to be searched by the TRC in order to match a compromised certificate to its owner's identity is huge.In addition, the protocols of Raya & Hubaux (2007) are extended for providing confidentiality in specific scenarios of VANET implementations in Wang et al. (2008).

TESLA-based scheme
TESLA is an efficient and message-loss tolerant protocol for broadcast authentication with low communication and computation overhead Perrig et al. (2002a).It is widely used in areas of sensor networks Perrig et al. (2002b).It uses one-way hash chain where the chain elements are the secret keys to compute message authentication code (MAC).With TESLA, a sender sends data packets at a predefined schedule, which has been known in advance to the receivers as well as the commitment to a hash chain as a key commitment.Each hash chain element as a MAC key corresponds to a certain time interval.For each packet, the sender attaches a 60 Applied Cryptography and Network Security www.intechopen.comMAC tag to it.This MAC tag is derived using the next corresponding MAC key in the hash chain based on negotiated key disclosure delay schedule between the sender and the receiver.Obviously, upon receiving the packet, the receiver can ąŕt verify the authenticity of the packet yet.After key disclosure delay, the sender discloses MAC key, and then the receiver is able to authenticate the message after verifying the released MAC key is indeed the corresponding element of the chain.One requirement for TESLA scheme is the loose synchronization among the nodes.The disadvantage is the delayed message authentication.(2002a).With TSVC, a vehicle first broadcasts a commitment of hash chain to its neighbors and then uses the elements of the hash chain to generate a message authentication code (MAC) with which other neighbors can authenticate this vehicles' following messages.Because of the fast speed of MAC verification, the computation overhead of TSVC is reduced significantly.However, TSVC also requires a huge set of anonymous public/private key pairs as well as their corresponding public key certificates to be preloaded in each vehicle.Furthermore, TSVC may not be robust when the traffic becomes extremely dynamic as a vehicle should broadcast its key chain commitment much more frequently.

Proxy re-signature-based scheme
Proxy re-signature schemes, introduced by Blaze, Bleumer, and Strauss Blaze et al. (1998), and formalized later by Ateniese and Hohenberger Ateniese & Hohenberger ( 2005), allow a semi-trusted proxy to transform a delegatee ąŕs signature into a delegator ąŕs signature on the same message by using some additional information.Proxy re-signature can be used to implement anonymizable signatures in which outgoing messages are first signed by specific users.Before releasing them to the outside world, a proxy translates signatures into ones that verify under a system's public key so as to conceal the original issuer's identity and the internal structure of the organization.Recently, Libert et al. Libert & Vergnaud (2008) have introduced the first multi-hop unidirectional proxy re-signature scheme wherein the proxy can only translate signatures in one direction and messages can be resigned a polynomial number of times.
The size of the certificate revocation list (CRL) and the checking cost are two important performance metrics for the revocation mechanism in VANETs.
Unfortunately, the pseudonymous authentication schemes are prone to generating a huge CRL, whereas the checking cost in the group-signature-based schemes is unacceptable for the vehicles with limited computation power.Since the CRL is usually transmitted by vehicle-to-vehicle communication, the quick increase of the CRL in the pseudonymous authentication schemes brings large communication cost.Moreover, the larger the CRL size, the longer the transmission delay to all vehicles, and during this period, the misbehaving vehicles can compromise VANETs continually.Sun et al. Sun et al. (2010a;b) proposed an efficient authentication protocol which supports RSU-aided distribution certificate service that allows a vehicle to update its certificate set from an RSU on the road based on the proxy re-signature Libert & Vergnaud (2008).In their scheme, the vehicle only needs to request the re-signature keys from an RSU and re-sign numbers of the certificates issued by the TA to be the same as those issued by the RSU itself, and thus significantly reduces the revocation cost and the 61 Anonymous Authentication Protocols for Vehicular Ad Hoc Networks: An Overview www.intechopen.comcertificate updating overhead.However, their scheme also rely on the RSUs which only cover partial high-way or city roads during the deployment stage.

Confidentiality-oriented scheme
The need for confidentiality in specific scenarios of VANET implementations has also been discussed in recent works Kamat et al. (2006); Li et al. (2008);Plöβl & Federrath (2008); Wang et al. (2008).Specifically in Wang et al. (2008), the protocols of Raya & Hubaux (2007) are extended: session keys for pairs of vehicles are established by using the Diffie-Hellman key agreement protocol while group session keys are established using the key transfer approach.These keys are used for both message authentication and confidentiality Wang et al. (2008).A lightweight authenticated key establishment scheme with privacy preservation and confidentiality to secure the communications in VANET is proposed by Li et al. Li et al. (2008).Meantime, two security frameworks for VANETs to provide authentication, confidentiality, non-repudiation and message integrity have also been proposed by Plöβl & Federrath (2008) and Kamat et al. (2006) independently.Nevertheless, all of these works Kamat et al. (2006); Li et al. (2008);Plöβl & Federrath (2008); Wang et al. (2008) suffer from the same criticism in LAB, in other words, each OBU has to take a large storage space to store a huge number of anonymous key pairs.

Priori-based approach
By taking strict punitive action, a posteriori countermeasures can exclude some rational attackers, but they are ineffective against irrational attackers such as terrorists.Even for rational attackers, damage has already occurred when punitive action is taken.To reduce the damage to a bare minimum, the priori countermeasures have been proposed to prevent the generation of fake messages.In this approach, a message is not considered valid unless it has been endorsed by a number of vehicles above a certain threshold.

Basic scheme
Most recently, Kounga et al.Kounga et al. (2009) proposed a solution that permits vehicles to verify the reliability of information received from anonymous origins.In this solution, each vehicle can generate the public/private key pairs by itself.However, the assumption in this solution is very restricted in that additional hardware is needed on the OBU.However, Chen and Ng Chen & Ng (2010) showd that the Kounga et al.'s scheme does not achieve the goals of authenticity of a message, privacy of drivers and vehicles, reliability of distributed information, and revocation of illegitimate vehicles.
After that, a proposal is also presented following the priori protection paradigm based on threshold signature by Daza et al.Daza et al. (2009).Nevertheless, to obtain the anonymity, this protocol assumes that the OBU installed on the vehicle can be removable and multi OBUs could alternatively be used with the same vehicle (like several cards can be used within a cell phone in the same time).Thus, this assumption may enable malicious adversary to mount the so-called Sybil attack: vehicles using different anonymous key pairs from corresponding OBUs can sign multiple messages to pretend that these messages were sent by different vehicles.Since multi OBUs can be installed on the same vehicle, no one can find out whether all of these signatures come from the same vehicle or not.GSBS: Group-oriented signature based scheme; RSUS: RSU based scheme; PBS: Pseudonyms-based scheme Table 1.Summary of related protocols

Group signature-based scheme
A linkable group signature Nakanishi et al. (1999) is a variant of group signatures.In a linkable group signature, it is easy to distinguish the group signatures produced by the same signer, even though the signer is anonymous.Linkable group signatures can thwart the Sybil attack but are not compatible with vehicle privacy due to the linkability of signer identities, i.e., the various message endorsements signed by a certain vehicle can be linked.Wu et al. Wu et al. (2010) proposed a novel protocol based on linkable group signature, which is equipped with both priori and posteriori countermeasures.However, they face the same adverse conditions in GSB protocol in which the verification time grows linearly with the number of revoked vehicles and every remaining vehicle need to update its private key and group public key when the number of revoked vehicles is larger than some threshold.

An example of ring-signature based anonymous authentication protocols
In order to be self-contained, we give an example of Ring-signature based authentication protocol along with the notion of bilinear pairing Xiong et al. (2010a) as follows.

Bilinear pairing
Note that the publication of an identity based encryption scheme Boneh & Franklin (2001) built on bilinear pairings has triggered a real upsurge in the popularity of pairings among

63
Anonymous Authentication Protocols for Vehicular Ad Hoc Networks: An Overview www.intechopen.comcryptographers.Following Boneh and Franklin, a lot of cryptosystems based on pairings have been proposed which would be hard to construct using more conventional cryptographic primitives.At this moment, pairing-based cryptography is a highly active field of research, with several hundreds of publications.
Let G 1 denote an additive group of prime order q and G 2 be a multiplicative group of the same order.Let P be a generator of G 1 ,a n d ê be a bilinear map such that ê : G 1 × G 1 → G 2 with the following properties: 1. Bilinearity: For all P, Q ∈ G 1 ,anda, b ∈ Z q , ê(aP, bQ)= ê(P, Q) ab .

System initialization
Firstly, as described in section 2.3, we assume each vehicle is equipped with a tamper-proof device, which is secure against any compromise attempt in any circumstance.With the tamper-proof device on vehicles, an adversary cannot extract any data stored in the device including key material, data, and codes.We assume that there is a trusted Transportation Regulation Center (TRC) which is in charge of checking the vehicle's identity, and generating and pre-distributing the private keys of the vehicles.Prior to the network deployment, the TRC sets up the system parameters for each OBU as follows: •L e t G 1 , G 2 be two cyclic groups of same order q.Letê : G 1 × G 1 → G 2 be a bilinear map.
• The TRC first randomly chooses x TRC ∈ R Z q as its private key, and computes y TRC = x TRC P as its public key.The TRC also chooses a secure cryptographic hash function H : {0, 1} * → Z q .
• Each vehicle V i with real identity RID i generates its public/private key pair as follows: -The vehicle V i first chooses x i ∈ R Z q as its private key, and computes y i = x i P as its public key.
-V i randomly selects an integer t i ∈ R Z q to determine the verification information of y i : a i = H(t i P RID i ) and b i =(t i + x i • a i ).Th e nV i sends {y i , RID i , a i , b i } to TRC. -After receiving {y i , RID i , a i , b i }, TRC checks whether the following equation holds: If it holds, then {y i , RID i } is identified as the valid public key and identity.Otherwise, it will be rejected.In the end, the TRC stores the (y i , RID i ) in its records.
• Each vehicle is preloaded with the public parameters {G 1 , G 2 , q, y TRC , H}.In addition, the tamper-proof device of each vehicle is preloaded with its private/public key pairs (x i , y i ) and corresponding anonymous certificates (these certificates are generated by taking the vehicle's pseudo-identity ID i ).Finally, the vehicle will preload the revocation list (RL) from the TRC.

64
Applied Cryptography and Network Security www.intechopen.com

OBU safety message generation
Ve hi c l e V π signs the message M before sending it out.Suppose S = {y 1 , ••• , y n } is the set of public keys collected by vehicle V π and it defines the ring of unrevoked public keys.Note that the public key set S, collected and stored temporarily by V π , is dynamic.We assume that all public keys y i ,1≤ i ≤ n and their corresponding private keys x i 's are generated by TRC, and π (1 ≤ π ≤ n) is the index of the actual message sender.In other words, as V π travels through the road network, the set of public keys collected by it keeps changing over time.Otherwise, a unique set of public keys used by a vehicle may enable the adversary to infer its traveling trajectory.The signature generation algorithm Sig(S, x π , y TRC , M) is carried out as follows.
1. Randomly select r ∈ R Z q and compute R = rP.
3. Generate a non-interactive proof SPK(1) as follows: The signature σ of M with respect to S and y TRC is (R, E TRC )andthe transcript of SPK(1).
For clear presentation, we divide SPK(1) into two components: To generate a transcript of SPK(1a),givenE TRC , R, y TRC , the actual message sender indexed by π proves the knowledge of x π such that E TRC = ê(R, y TRC ) x π by releasing (s, c) as the transcript such that c = H(y TRC R E TRC ê(R, y TRC ) s E c TRC M) Thiscanbedonebyrandomlypickingl ∈ R Z q and computing c = H(y TRC R E TRC ê(R, y TRC ) l M) and then setting s = l − cx π mod q.
To generate the transcript of SPK(1b),g i v e nS, the actual message sender indexed by π, for some 1 ≤ π ≤ n,p r o v e st h ek n o w l e d g eo fx π out of n discrete logarithms x i ,w h e r e y i = x i P,f o r1 ≤ i ≤ n, without revealing the value of π.This can be done by releasing To generate this transcript, the actual message sender first picks randomly l ∈ R Z q and s i , Finally the actual message sender sets s π = l − c π x π mod q.
Now we combine the constructions of SPK(1a) and SPK(1b) together.First, the actual message sender randomly picks l 1 , l 2 ∈ R Z q and s i , After that, the actual message sender sets s = l 1 − cx π mod q,fi n d sc π such that c = c 1 + •••+ c n mod q,a n ds e t ss π = l 2 − c π x π mod q.The transcript of SPK( 1) is therefore (s, According to DoT (2006), the payload of a safety message is 100 bytes.The first two fields are signed by the vehicle, by which the "signature" field can be derived.A timestamp is used to prevent the message replay attack.The last field is the public key sets, which records the public key pairs employed by the OBU.The format of messages in our protocol is defined in Table 2.

Message verification
Once a message is received, the receiving vehicle first checks if the RL S After that, the receiving vehicle updates its own public key set by randomly choosing public keys from S.

OBU fast tracing
A membership tracing operation is performed when solving a dispute, where the real ID of the signature generator is desired.The TRC first checks the validity of the signature and then uses its private key x TRC and determines if E TRC ?= ê(y i , R) x TRC for some i,1≤ i ≤ n.
If the equation holds at, say when i = π, then the TRC looks up the record (y π , RID π ) to find the corresponding identity RID π meaning that vehicle with identity RID π is the actual 66 Applied Cryptography and Network Security www.intechopen.com

Conclusion
The anonymous authentication protocols for VANETs can be constructed based on a multitude of cryptographic primitives, which obscures a global view of this field.This chapter is an attempt to cut through the obscurity and structure the knowledge in this field.The proposed taxonomies are intended to help the community think about the constrains of existing works and the possible countermeasures.

Lin
et al.L i net al. (2008b) developed the 'time-efficient and secure vehicular communication' scheme (TSVC) based on the Timed Efficient Stream Loss-tolerant Authentication (TESLA) standard (RFC 4082) Perrig et al.

?=
∅.I fs o ,t h e receiver performs signature verification by verifying of SPK(1) as follows:S y TRC R E TRC ê(R, y TRC ) s E ∑ n i=1 c i TRC s 1 P + c 1 y 1 ••• s n P + c n y n

Table 2 .
Message Format for OBU and finds c π such that c 0

Timed Efficient Stream Loss-tolerant Authentication MAC: Message Authentication Code CRL: Certificate Revocation List TSVC: Time-efficient and Secure Vehicular Communication
This work is partially supported by National Natural Science Foundation of China under Grant No. 61003230, China Postdoctoral Science Foundation under Grant No. 20100480130, Chongqing Key Lab of Computer Network and Communication Technology under Grant No. CY-CNCL-2010-01 and National Research Foundation for the Doctoral Program of Higher Education of China under Grant No. 200806140010. .Abe, M. Ohkubo, K. Suzuki.(2002).1-out-of-n signatures from a variety of keys, In Proc.ASIACRYPT 2002, New Zealand, Lecture Notes in Computer Science, 2501, Springer-Verlag, pp.415 432.G. Ateniese, S. Hohenberger.(2005).Proxy Re-Signatures: New Definitions, Algorithms, and Applications, In: ACM Conference on Computer and Communications Security (CCS 2005), pp.310-319.R. Bishop.(2000).A survey of intelligent vehicle applications worldwide, in Proceedings of the IEEE Intelligent Vehicles Symposium 2000, Dearborn, MI, USA, Oct. pp.25-30.
M68 Applied Cryptography and Network Security www.intechopen.com