Keywords

1 Introduction

With the rapid development of wireless communication, ad hoc networks and Internet of things technology, in recent years, vehicular ad hoc networks have been widely concerned by academia, industry and government departments. In order to improve the traffic situation, vehicles need to periodically perceive the relevant information of their own driving process, such as the position, speed and direction of the vehicle, and broadcast these information to the surrounding vehicles by wireless communication, so as to realize the sharing of traffic-related information between them, so that drivers and traffic managers can obtain the vehicles of other vehicles beyond the visual range. Real-time and comprehensive road condition information can effectively improve traffic safety and efficiency, and fundamentally solve the existing road traffic accidents and congestion problems [1]. In the vehicular ad hoc network, between the vehicle and the vehicle, the vehicle and the roadside unit communicate wirelessly. Once the user’s hidden information, such as identity, trajectory and references are not well protected [2], the attacker can easily get this information.

In order to achieve efficient anonymous authentication in vehicular ad hoc networks, group signature technology is widely used in vehicular ad hoc networks [3]. Because it allows group members to sign messages in the name of the group, while not revealing the true identity of the signer. In order to verify a group signature, it takes 11 ms [8], which means that only 91 messages can be authenticated per second. However, when there is 180 vehicles in the communication range of a roadside unit [1], it needs to authenticate 600 safety-related messages per second. Additional authentication and decryption time will be consumed if the value service is considered again [4]. In addition, before group signature verification, vehicles need to check the revocation list to avoid communication with revoked vehicles. According to the literature [1], it takes 9 ms to check an identity in the revocation list. If there are n vehicles that are revoked in the revocation list, each message takes 9n + 11 ms. In this way, the number of messages that can be authenticated per second is 1000/(9n + 11), which is far from the target 600 messages. Therefore, it is necessary to reduce the delay due to the authentication of the revocation list check and the group signature to achieve fast authentication.

In order to solve the problem of revocation list checking, Wasef et al. [5] and Jiang et al. [6] used the hash message digest code HMAC instead of the revocation list, which greatly reduced the inspection time. In the scheme of Wasef et al., the key for calculating the HMAC is global. Once an illegal vehicle is discovered, a global key update process will be performed, which is another form of revocation list and is difficult to implement. Jiang et al. adopted a distributed approach to further improve the efficiency of HMAC inspection. However, both schemes are based on pseudonym authentication schemes and may not be directly applicable to group signature-based schemes. In order to reduce the time of signature verification, Wasef et al. [7] and Zhang et al. [3] adopted the method of batch verification of group signatures, which made a large number of messages can be authenticated in time. However, the problem is that they do not check the integrity of messages before batch authentication. Once there is an invalid message caused by packet loss or malicious injection in the wireless channel, it will lead to additional authentication delay and loss of efficiency. Even if we do not consider the problem of re-authentication, the computational overhead of group signature batch authentication in document [3] is \( 2T_{pai} + 13nT_{mul} \), while that in document [7] is \( 3T_{pai} + \left( {6n + 7} \right)T_{mul} \). \( T_{pai} \) is the time to perform pairing operation, \( T_{mul} \) is the time to perform point multiplication [7]. According to literature [1], it runs on Intel Pentium IV3.0GHZ main frequency computer. \( T_{pai} \) is 4.5 ms, \( T_{mul} \) is 0.6 ms. Therefore, without considering invalid messages, literature [3] can only authenticate 127 and 274 messages per second, which still fails to meet the requirements of the number of authenticated messages.

The solutions mentioned above focus only on how to achieve fast certification in a single vehicle. However, based on the fact that nearby vehicles require authentication to be almost identical, Zhang et al. [8] and Hao et al. [9] proposed a scheme based on inter-vehicle cooperative certification. By allowing neighboring vehicles to collaborate for certification, their solution allows a vehicle to know the legitimacy of all received messages without having to verify all received messages. Zhang et al.’s scheme uses a Pseudonym-based authentication scheme, while Hao et al.’s scheme is based on group signature. However, although Hao et al.’s scheme can meet the authentication requirement per second, their scheme does not consider revocation list checking. Therefore, the efficiency of their schemes will be reduced in practical application. In order to achieve efficient and anonymous authentication in vehicular ad hoc networks, Zhu et al. [10] proposed an efficient conditional privacy protection authentication scheme. In this scheme, RSUs are assumed to be credible. However, in practical applications, RSUs may want to obtain user’s privacy information. Some existing schemes, such as document [11], consider the security of semi-trusted RSUs in vehicular ad hoc networks.

Under the model of semi-trusted RSUs, by combining distributed management technology, HMAC, batch verification group signature and cooperative authentication, this paper proposes an efficient conditional privacy authentication scheme to realize real-time information sharing during vehicle driving. First, the jurisdictional area is divided into several domains to implement regional management; then, the HMAC is calculated using the key generated by the self-healing group key generation algorithm [12], thereby replacing the time-consuming revocation list checksum. Ensure the integrity of the message before batch verification of the group signature; finally, an example of the Hao et al. cooperative authentication scheme [9] is given to improve its authentication efficiency. Security and performance analysis show that the proposed scheme can achieve higher group signature-based authentication efficiency while achieving conditional concealment.

2 System Model

As shown in Fig. 1, the system model involved in this paper consists of TMC, RSUs fixed to the roadside unit, and OBUs loaded on the moving vehicle:

Fig. 1.
figure 1

System model of vehicular ad hoc network.

Full size image
  1. (1)

    TMC is a trusted management center for the entire network. When joining the network, RSUs and OBUs need to register at the TMC and obtain a certificate. The TMC also divides its entire jurisdiction into several different domains, and generates a corresponding group key and group signature material for each domain, and then the TMC sends these security materials to all RSUs in the domain. In general, assume that the TMC has unlimited communication capabilities, computing power, and storage space, and assumes that the attacker is unable to capture the TMC.

  2. (2)

    RSUs manage vehicles within their communication range. The RSUs connect to the TMC through a wired channel and connect to the OBUs through a wireless channel. They are the bridge between the connecting TMC and the user. In this article, assume that RSUs are semi-trusted [11], for example, they will run as pre-defined by the system, but they may reveal some secret information to the attacker. The RSUs also have the function of distributing the group key material and the group signing key to the legal OBUs entering the domain.

  3. (3)

    The OBUs periodically broadcast traffic-related status information including location, speed, and direction of travel to improve the road environment and traffic safety of drivers and pedestrians. We also assume that each vehicle has a Tamper-Proof Device to store safety-related materials.

Without loss of generality, this paper does not consider sharing secrets between vehicles and other users, because almost all security systems cannot prevent this type of active attack.

3 Solution

3.1 System Initialization

In this paper, SCHNONRR signature algorithm [13] is used as the basic signature algorithms of TMC, RSUs and OBUs. TMC selection:

  1. (1)

    Prime numbers P and g satisfy \( q|p - 1,q \ge 2^{140} ,p \ge 2^{512} \);

  2. (2)

    \( \alpha \in {\mathbb{Z}}_{p} \), and the order is g, for example \( \alpha^{q} = 1(\bmod \,p),\upalpha \ne 1 \);

  3. (3)

    A one-way hash function \( h\left( \cdot \right):\left\{ {0,1} \right\}^{*} \to \left\{ {0,1} \right\}^{l} \);

  4. (4)

    A random number \( {\text{s}} \in {\mathbb{Z}}_{q}^{*} \) as its private key, then \( SK_{TMC} = {\text{s}} \).

Then calculate its public key \( PK_{TMC} = p^{s} \) and expose the system parameter tuple \( \left( {p,q,\upalpha,h\left( \cdot \right),PK_{TMC} } \right) \).

3.2 Certificate Distribution for RSUs

TMC divides the jurisdiction into several domains, each containing several RSUs. For the roadside unit \( R_{x} \) in the domain, the TMC verifies its identity and distributes the certificate \( Cer{\text{t}}_{{TMC,R_{x} }} \) as follows:

  1. (1)

    TMC selects a random number \( Sk_{{R_{x} }} \in {\mathbb{Z}}_{q}^{*} \) as the private key of \( R_{x} \), and calculates the public key \( PK_{{R_{x} }} = p^{{SK_{{R_{x} }} }} \);

  2. (2)

    TMC calculates the signature \( \sigma_{{TA,R_{x} }} = Sig_{{SK_{TA} }} (PK_{{R_{x} }} ||D_{A} ) \);

  3. (3)

    TMC transmits \( SK_{{R_{x} }} \) and \( Cer{\text{t}}_{{TMC,R_{x} }} \) to \( R_{x} \) through the secure channel, where \( Cer{\text{t}}_{{TA,R_{x} }} = (PK_{{R_{x} }} ||D_{A} ,\sigma_{{TA,R_{x} }} ) \).

3.3 Certificate Distribution of Vehicles

For the vehicle \( V_{i} \), after the TMC has verified its identity, the certificate \( Cer{\text{t}}_{{TMC,R_{x} }} \) is distributed as follows:

  1. (1)

    TMC selects a random number \( Sk_{{V_{i} }} \in {\mathbb{Z}}_{q}^{*} \) as the private key of \( V_{i} \), and calculate its corresponding public key \( PK_{{V_{i} }} = p^{{SK_{i} }} \);

  2. (2)

    TMC calculates the certificate \( Cer{\text{t}}_{{TA,V_{i} }} = Sig_{{SK_{TA} }} \left( {PK_{{V_{i} }} } \right) \) of \( V_{i} \);

  3. (3)

    TMC securely transmits \( Sk_{{V_{i} }} \) and \( Cer{\text{t}}_{{TMC,V_{i} }} \) to the vehicle \( V_{i} \).

3.4 Secure Group Key Distribution and Batch Authentication

For the domain \( D_{A} \), the TMC generates the group signature key, the public material and the group public key \( GPK_{{D_{A} }} \). This paper uses the Wasef scheme [7] to implement the batch verification group signature.

Given the linear pair parameters \( \left( {p,{\mathbb{G}}_{1} ,{\mathbb{G}}_{2} ,{\mathbb{G}}_{T} ,e} \right) \), the TMC generates the group public key as follows:

  1. (1)

    TMC selects a random generator \( g_{2} \in {\mathbb{G}}_{2} \) and calculates \( g_{1} \in \psi \left( {g_{2} } \right) \), where \( g_{1} \) is the generator of \( {\mathbb{G}}_{1} \), and the isomorphism from \( {\mathbb{G}}_{2} \) to \( {\mathbb{G}}_{1} \), such as \( g_{1} \in \psi \left( {g_{2} } \right) \);

  2. (2)

    TMC selects the random numbers \( h,u,v \in {\mathbb{G}}_{1} \) and \( s_{1} ,s_{2} \in Z_{p} \), makes \( u^{{s_{1} }} = v^{{s_{2} }} = h \);

  3. (3)

    TMC selects the random numbers \( \upgamma \in {\mathbb{Z}}_{p} \) and \( \uplambda \in {\mathbb{Z}}_{p}^{*} \), makes \( \upomega = g_{2}^{\gamma } \).

Where \( s_{1} \) and \( s_{2} \) are the master private keys of the domain \( D_{A} \) that are managed by the TMC. The public system parameters of the domain \( D_{A} \) are \( \left( {g_{1} ,g_{2} ,u,v,h,\uplambda} \right) \), the group public key is \( GPK_{{D_{A} }} =\upomega \), the TMC sends the system public parameters and the group public key to all RSUs of the domain. Vehicles and roadside units can use these pre-stored information to achieve mutual authentication. When a vehicle \( V_{i} \) joins a new domain \( D_{A} \), it needs the first RSUs registry in the domain \( D_{A} \), which prevents illegal vehicles from joining the domain \( D_{A} \).

Registration: When \( V_{i} \) joins a new domain, a mutual authentication protocol will be executed between \( V_{i} \) and the first roadside unit it encounter. It should be noted that if a roadside unit is captured, the TMC will revoke the roadside unit by broadcasting its domain and its identity, so that all vehicles will also know the revocation information.

  1. (1)

    Each roadside unit periodically broadcasts its certificate, its domain and group public key. For the way unit \( R_{x} \) in the domain \( D_{A} \), it broadcasts the message message 1: \( \left( {PK_{{R_{x} }} ,D_{A} ,Cer{\text{t}}_{{TMC,R_{x} }} ,GPK_{{D_{A} }} ,Sig_{{SK_{{R_{x} }} }} \left( {GPK_{{D_{A} }} } \right)} \right) \). When \( V_{i} \) receives the message, it first verifies whether \( D_{A} \) is a new domain. If \( D_{A} \) is a new domain, \( V_{i} \) will begin the registration process. \( V_{i} \) first authenticates the legitimacy of \( R_{x} \) by running \( Verify(PK_{TMC} ,PK_{{R_{x} }} ||D_{A,} \sigma_{{TMC,R_{x} }} ) \), if \( Cer{\text{t}}_{{TMC,R_{x} }} \) is Legally, \( V_{i} \) will verify \( Sig_{{SK_{{R_{x} }} }} \left( {GPK_{{D_{A} }} } \right) \) by \( PK_{{R_{x} }} \).

  2. (2)

    After authenticating \( R_{x} \) and \( D_{A} \) is a new domain, \( V_{i} \) will reply to the message message 2: \( \left\{ {PK_{{V_{i} }} ,Cer{\text{t}}_{{TMC,V_{i} }} ,x_{i} ,Sig_{{SK_{{V_{i} }} }} \left( {x_{i} } \right)} \right\}_{{PK_{{R_{x} }} }} \) to \( R_{x} \), where \( x_{i} \) is the random number used to calculate the group private key \( GSK_{{D_{A} ,V_{i} }} \). It is worth noting the public key and certificate \( Cer{\text{t}}_{{TA,V_{i} }} \) of \( V_{i} \) is unique throughout the system. Therefore, it is also an identity of \( V_{i} \). In the proposed scheme, the public key and certificate of \( V_{i} \) are encrypted by \( PK_{{R_{x} }} \) of \( R_{x} \), which allows only \( R_{x} \) to obtain the corresponding plaintext, thus protecting the identity privacy of \( R_{x} \).

  3. (3)

    After obtaining \( GSK_{{D_{A} ,V_{i} }} \), \( R_{x} \) will reply \( V_{i} \) message 3: \( \left\{ {H\left( {G{\text{SK}}_{{D_{A} V_{i} }} } \right),Sig_{{SK_{{R_{x} }} }} \left( {H\left( {G{\text{SK}}_{{D_{A} V_{i} }} } \right),x_{i} } \right)} \right\}_{{PK_{{V_{i} }} }} \). When \( V_{i} \) receives the message 3, it first decrypts the message with its private key \( SK_{{V_{i} }} \) and then verifies the signature.

  4. (4)

    If the signature is valid, \( V_{i} \) will reply message 4: \( \{ T,H(V_{i} | |x_{i} ),Sig_{{SK_{{V_{i} }} }} \left( {H(V_{i} | |x_{i} ) ,T} \right)\} \) to \( R_{x} \), where \( T \) is a timestamp. When \( R_{x} \) receives message 4 at \( T^{*} \), Algorithm will be executed. Where, \( f\left( {TID_{i} ,y} \right) \) is such as \( s_{0,0} + s_{1,0} \cdot x + s_{0,1} \cdot y + s_{1,1} \cdot xy + \cdots + s_{t,t} \cdot x^{t} y^{t} \) A binary polynomial, where x and y are two variables and \( s_{i,j} \) is a constant coefficient. \( K_{m - j - l}^{B} \) and \( K_{j}^{F} \) are seeds for calculating the group key, \( l \) is the length of the backward hash chain, and \( LC \) is the life cycle of the group key.

  5. (5)

    Then, \( R_{x} \) sends a message 5 \( \left\{ {GSK_{{D_{A} V_{i} }} ,LC,l,K_{m - j - l}^{B} ,K_{j}^{F} ,TID_{i} ,f\left( {TID_{i} ,y} \right),{\text{Sig}}_{1} } \right\}_{{PK_{{V_{i} }} }} \) to \( V_{i} \). After receiving the message 5 sent from \( R_{x} \), \( V_{i} \) will execute Algorithm to obtain the group key required to calculate the HMAC. We use the formula (1) to calculate the current group key \( GK_{j} \), where \( K_{j}^{F} \) and \( K_{m - j + 1}^{B} \) are the forward keychain and backward key chain respectively.

$$ GK_{j} = H\left( {K_{j}^{F} + K_{m - j + 1}^{B} } \right) $$
(1)

Finally, \( R_{x} \) stores the information shown in Fig. 2, \( V_{i} \) also stores the information shown in Fig. 3.

Fig. 2.
figure 2

Records stored at \( R_{x} \)

Full size image
Fig. 3.
figure 3

Records stored at \( V_{i} \)

Full size image

Batch Verification: According to DSRC [2], vehicles need periodic broadcast security-related messages every 300 ms. In order to ensure the legitimacy of the message source and the integrity of the message, the receiver of the message should verify the received message. Cancellation list checking is a commonly used method to exclude illegal vehicles before authentication. However, according to document [1], group signatures take about 9 ms to check whether an identity is in the revocation list. Therefore, if a vehicle receives n messages and the number of vehicles revoked is m, it takes 9 ms for the vehicle to verify the identity legitimacy of the sender. Obviously, revocation list checking results in a lot of computational overhead, which seriously reduces the performance of the system.

3.5 Periodic Update of Group Key

When \( V_{i} \) is authenticated by an RSUs in the domain \( D_{A} \), it periodically receives a message of the group key update broadcast by the RSUs in the domain \( D_{A} \). The message \( B_{{{\text{j}} + 1}} \) of the \( \left( {j{ + 1}} \right) \)th update period is as shown in the formula (2):

$$ \left\{ {\begin{array}{*{20}l} {B_{{{\text{j}} + 1}} = \left\{ {r_{j + 1} \left( x \right)} \right\} \cup \left\{ {p_{j + 1} \left( x \right)} \right\} } \hfill \\ {r_{j + 1} \left( x \right) = \left( {x - TID_{{r_{1} }} } \right)\left( {x - TID_{{r_{2} }} } \right) \cdots \left( {x - TID_{{r_{w} }} } \right)} \hfill \\ {p_{j + 1} \left( x \right) = r_{j + 1} \left( x \right)K_{m - j}^{B} + f\left( {x,K_{j + 1}^{F} } \right) } \hfill \\ \end{array} } \right. $$
(2)

Where \( TID_{{r_{1} }} , TID_{{r_{2} }} \), …, \( TID_{{r_{w} }} \) is the temporary identity of the vehicle being revoked, It has obtained the group key material \( f\left( {TID_{i} ,y} \right),K_{m - j + 1}^{B} \) and \( K_{j}^{F} \) in the domain \( D_{A} \) before the \( \left( {j + 1} \right) \)th period, and Vehicles that were revoked during the \( \left( {j + 1} \right) \) period. \( r_{j + 1} \left( x \right) \) is the undoing polynomial of the \( \left( {j + 1} \right) \)th cycle, \( p_{j + 1} \left( x \right) \) is a hidden polynomial of the \( \left( {j + 1} \right) \)th cycle.

It is worth noting that only the vehicle that is legally certified by domain \( D_{A} \) can obtain the group key material, and the RSUs only need to manage the vehicles in the domain. Therefore, the vehicles that are revoked are very few, and each vehicle has only one temporary identity to calculate \( f\left( {TID_{i} ,y} \right) \), so \( p_{j + 1} \left( x \right) \) is very small.

After \( V_{i} \) receives the broadcast revocation \( B_{{{\text{j}} + 1}} \), it uses \( K_{j}^{F} \) to calculate \( K_{j + 1}^{F} = H\left( {K_{j}^{F} } \right) \) and \( f\left( {TID_{i} ,K_{j + 1}^{F} } \right) \). Then, \( V_{i} \) calculates \( p_{j + 1} \left( {TID_{i} } \right) \), and obtains \( K_{m - j}^{B} \) by formula (3):

$$ K_{m - j}^{B} = \frac{{p_{j + 1} \left( {TID_{i} } \right) - f\left( {TID_{i} ,K_{j + 1}^{F} } \right)}}{{r_{j + 1} \left( {TID_{i} } \right)}} $$
(3)

After obtaining \( K_{m - j}^{B} \), \( V_{i} \) calculates whether \( H^{l} \left( {K_{m - j - l}^{B} } \right) = K_{m - j}^{B} \) is formed. If it is established, \( V_{i} \) will calculate a new group key according to formula (1).

4 Cooperative Certification

In the basic solution, even if only legal vehicles are added to the domain, and there is no invalid signature at the time of batch verification, the scheme can only verify at most 274 messages per second, and still cannot meet the certification speed requirement. Because of this, we must design new solutions to solve this problem. According to the work of Zhang et al. [8] and Hao et al. [9], the efficiency of certification can be improved by using cooperative authentication. By cooperating with neighboring vehicles, their solution can ensure that the vehicle knows the reliability of the received message without having to verify each message signature. Selecting a co-certifier requires the following requirements:

  1. (1)

    The physical location of a cooperating verifier must precede \( V_{i} \) while the other must be after \( V_{i} \). This means that the selected cooperating verifiers are preferably paired and can broadcast the authentication results to other users;

  2. (2)

    Co-verifiers need to be far enough apart from each other;

  3. (3)

    The number of co-verifiers should be moderate.

Assume that each security-related message contains the sender’s location information. When the vehicle \( V_{i} \) receives a message sent from a different message sender at the same time, it first extracts the location information of the message sender, and then executes a selection procedure of the cooperation certifier that satisfies the above requirements to determine who will be selected as the cooperative certifier.

\( V_{i} \) checks the received message every 300 ms and calculates the distance between the sender of the message and itself based on the location information. Then, create a table as shown in Table 3.2, where the message ID is a random sequential index, the direction is whether the sender of the message before or after the recipient, and the distance is the distance between the receiver and the sender.

Assuming that the vehicles are evenly distributed, as shown in Fig. 3.6, the communication range is divided every 60 m according to the basic needs selected by the collaborators and the number of authenticated messages. We define vehicles from the sender (50 ± 5) m, (110 ± 5) m, (170 ± 5) m, (230 ± 5) m and (290 ± 5) m away. As shown in Fig. 3.6, \( V_{i} \) simultaneously receives 10 messages sent from senders 1 through 10, and then calculates its distance from each sender to obtain Table 3.2. Thus \( V_{i} \) should add messages 1, 2, 3 to the bulk verification. Because the cooperation program can reduce the number of messages verified, thus increasing the speed of authentication. Performance analysis indicates that the cooperative certification can meet the demand for the number of messages authenticated per second in the on-board ad hoc network.

5 Safety Analysis

Considering the problem that the roadside unit is captured, in the process of mutual authentication and group key generation, \( V_{i} \) can obtain the service without revealing its identity to the roadside unit. Therefore, even in the presence of some roadside units being captured, the proposed protocol can still protect the identity of the vehicle. Resist the obituary: If a vehicle is investigated, the TMC will begin an audit process and ask some roadside units for information about the vehicle being surveyed. However, RSUs may be captured to protect the vehicle being investigated by the information of the TA-some other vehicles, and this behavior is called obituary. In the delivery we will show that the proposed solution can resist such attacks.

In the designed protocol, each message sent by the vehicle \( V_{i} \) is signed by its private key \( SK_{{V_{i} }} \), and the group private key and \( V_{i} \) are bound together. Since \( R_{x} \) does not have \( SK_{{V_{i} }} \), it cannot forge the signature of the legal \( V_{i} \). More importantly, the group private key and the private key are bound together, which adds to the falsification difficulty of \( R_{x} \). We also store mutual authentication information in Figs. 2 and 3. When the dispute occurs, the TA can ask the vehicle and the roadside unit to present the information.

The non-repudiation of the vehicle’s group private key: once \( R_{x} \) has distributed the group private key to \( V_{i} \), it cannot be denied. In the message messages, the roadside unitization sends a hash value \( GSK_{{D_{A} V_{i} }} \), and the signature of the group private key. After \( V_{i} \) receives the message message 5 and obtains \( GSK_{{D_{A} V_{i} }} \), it can verify the validity of \( GPR_{{D_{A} V_{i} }} \) by hash value. In order to ensure that the group private key is generated by \( x_{i} \), \( V_{i} \) stores the signature status sent by \( R_{x} \) \( Sig_{{SK_{{R_{x} }} }} \left( {H(GSK_{{D_{A} V_{i} }} } \right),x_{i} \), \( x_{i} \) At the same time, \( R_{x} \) also stores \( x_{i} \) and \( H(V_{i} ||x_{i} ) \). When an argument occurs, \( R_{x} \) can present this information to the TA. Since the public parameters of the group signature are generated by the TA, it can calculate the group of \( V_{i} \). The private key. The TA can obtain the identity of \( V_{i} \) according to \( PK_{{V_{i} }} \), so that \( H(V_{i} ||x_{i} ) \) can be verified. If \( H(V_{i} ||x_{i} ) \) passes the legality verification, the group private key is \( GSK_{{D_{A} V_{i} }} \) is valid, otherwise, \( GSK_{{D_{A} V_{i} }} \) is invalid. For \( V_{i} \), \( V_{i} \) sends \( x_{i} \) to TMC, then TMC can calculate the group private key \( GSK_{{D_{A} V_{i} }} \) of \( V_{i} \). If \( GSK_{{D_{A} V_{i} }} \) is correct, the TMC verifies the signature to ensure that it is generated.

Preventing the collusion of the vehicles: A captured roadside unit may collude with a malicious vehicle and send the group private key of the other vehicle to its colluder. The malicious vehicle can then broadcast a message to represent the behavior of the other vehicle. In order to prevent such attacks, in the designed protocol, the signature of the message contains the identity information. At the same time, \( R_{x} \) and \( V_{i} \) also store this information after completing mutual authentication with each other. In the event of an argument, \( V_{i} \) can send its stored information to the TMC. By calculating the group key \( GSK_{{D_{A} V_{i} }} \) and verifying the signature \( Sig_{{SK_{{R_{x} }} }} \left( {H(GSK_{{D_{A} V_{i} }} } \right),x_{i} \), TMC can confirm The owner of \( GSK_{{D_{A} V_{i} }} \).

6 Conclusion

In this paper, a group signature-based vehicle information sharing scheme for vehicular ad hoc networks with effective privacy protection is proposed. The design goals are achieved by technologies such as distributed management, HMAC, batch signature verification and cooperative authentication. First, divide the entire network into different domains for local management. Second, HMAC is used instead of time-consuming revocation list checking, and the integrity of messages prior to bulk authentication is ensured to avoid the number of invalid messages in bulk verification. Finally, we also use the cooperative certification method to further improve the efficiency of the program. By adopting the above technology, our proposed solution can meet the verification requirements. Security and performance analysis shows that our proposed solution enables efficient group signature-based authentication while maintaining conditional privacy.