AC-SDVN: An Access Control Protocol for Video Multicast in Software Defined Vehicular Networks

The way to use limited bandwidth resources to achieve high-quality video services in vehicular networks is an important research topic. A large number of studies have shown that the fast-growing field of software defined networking (SDN) can provide solutions to the problems encountered by traditional IP networks when implementing video multicasting. However, there is no research addressing the security issues for this scenario. In this paper, we explore the application scenarios of video multicast in software defined vehicular networks (SDVN), and propose a secure and effective access control protocol to solve multicast security issues. This protocol realizes the authentication of multicast video requesting vehicles and RSUs. According to the authentication results, the SDN controller constructs multicast paths that only reach legitimate RSUs and vehicles, and only the vehicle passing the authentication can obtain video decryption keys. The protocol resists common attacks and satisfies the security requirements in vehicular networks. In addition, the scheme supports batch verification, which reduces the time cost of authentication, and adopts broadcast encryption technology to effectively reduce the communication load. Compared with related schemes, our protocol performs better in terms of computation and communication cost, packet loss rate, and time delay.


INTRODUCTION
As one of the core roles in the construction of intelligent transportation systems, the vehicular network has always been a research hotspot and attracted extensive attention from academia and industry. With the equipped advanced on-board unit (OBU), vehicles can participate in vehicular communications, thereby getting diverse vehicular services. Nowadays, the emerging network communication technology promotes the development of bandwidth-intensive vehicular applications, especially video applications, which bring great benefits. As declared by the third generation partnership project (3GPP) in TR 22.886 [1], road detection videos enable users to more intuitively obtain traffic information to make decisions in advance to effectively avoid traffic congestion or traffic accidents. Infotainment videos can provide more realistic notice and advertisement of nearby shopping malls and gas stations, etc., thus enhancing driving experiences [2]. Moreover, novel immersive video applications, e.g., augmented reality navigation and virtual reality, are emerging [3].
Cisco predicted that mobile video traffic will grow to account for nearly 79% of total mobile data traffic by 2022. And in recent years, connected car applications will be the fastest-growing application type in the Machine-To-Machine connection category [4]. As vehicular video services become popular and essential, it is critical to provide cost-effective and high-quality video service [5]. In vehicular networks, a cluster of nearby vehicles usually tends to manifest similar interests and request similar content. For a repeatedly accessed video in the group-oriented video application scenario, compared with unicast and broadcast, multicast is viewed as a more appropriate choice [6], because using unicast to send duplicated video packets easily leads to redundant content transfers, whereas broadcast imposes high overhead and network congestion [7]. The evolved multimedia broadcast multicast services (eMBMS) specification of the 3GPP has incorporated the multicast functionality [8]. It has also been proved that, under the same network conditions, video multicast can finish the video delivery more rapidly without causing high traffic pressure, thus effectively reducing the negative effects arising from the high mobility of vehicles [9]. However, in the traditional IP multicast architecture, it is difficult to implement video multicast in large-scale dynamic vehicular networks [10], because all multicast routers need to support distributed multicast protocols and the construction, maintenance, and update of multicast trees require a lot of information exchange among them, which consumes a lot of network resources and makes it difficult to achieve scalability.
In response to the aforementioned challenges, according to the document [11] presented by the European Telecommunications Standards Institute (ETSI), software defined networking (SDN) is one of the fundamental enablers of 5G and is helpful to provide excellent solutions, because it supports the separation of the data plane and control plane and has the high degree of flexibility and programmability required to satisfy the huge diversity of service requirements. Through the collected status information of the underlying network devices, the SDN controller can formulate multicast strategies and dynamically build multicast trees. SDN switches only need to forward data packets according to the multicast forwarding rules issued by the control layer in the flow table, without having to perform multicast routing control and decision [12]. Moreover, as the number of high-bandwidth applications in vehicular networks grows, dedicated short-range communication (DSRC) shows obvious limitations, including short transmission range, limited expansion performance, and poor service quality [13]. But some researchers have pointed out that SDN can alleviate the problem by enabling an efficient combination of DSRC and cellular communication. By adding a programmability feature to network devices through external applications, the SDN controller can gain control over networks, thereby addressing the problem of heterogeneity and providing a satisfying network environment for vehicular communications [14], [15].
Existing research shows that the introduction of SDN into multicast applications in vehicular networks can achieve the following three main advantages: 1) simplify the network management of multicast applications and improve the flexibility of vehicular networks [16]; 2) make effective routing decisions and reduce network burden by using the global network information collected from the roadside units (RSUs) and vehicles [17]; 3) improve data distribution efficiency and provide a better quality of service in vehicular networks [18]. But, to realize the large-scale application of video multicast in software defined vehicular networks (SDVN), it is necessary to provide access control mechanisms [19]. Because vehicular communication in SDVN is conducted in an open wireless environment, it is vulnerable to network attacks, such as modification attacks, impersonation attacks, and replay attacks [20]. Moreover, in reality, many video services are designed with permissions, such as only registered or authorized users are allowed to access certain content [21]. By deploying an effective access control mechanism, it is possible to realize the authentication of legitimate users and prohibit illegal users from accessing resources.
At present, some cryptography-based access control schemes for vehicular networks have been proposed. Although the schemes achieve effective access control, they are not satisfactory in terms of security or performance. For example, to achieve identity privacy-preserving, many schemes support vehicles dynamically updating pseudo identities; however, traceability is not realized [22]. The security credential management system (SCMS) can achieve conditional privacy protection, and many research works have been carried out on this basis [23]. However, a series of schemes based on such a design requires the vehicle to pre-store pseudonym certificates, which inevitably requires additional consideration of the storage, update, and revocation of the pseudonym certificates [24]. Although using Identity (ID)-based public-key cryptography can avoid the problem of certificate management, some schemes that directly store the system private key into every registered vehicle are vulnerable to side-channel attacks [25]. To accelerate authentication, some schemes make RSUs directly calculate the real identity of the vehicle [26]; however, they rely on the assumption that the RSU is completely trusted and lack periodic inspection on whether RSUs have been damaged. Although broadcast encryption is a good choice for realizing access control of video multicast in SDVN, some schemes impose high decryption costs on vehicles with limited computing ability [27]. Therefore, in this paper, we focus on innovating an access control protocol for video multicast in software defined vehicular networks.

Our Motivations and Research Focus
Based on the above analysis, the realization of efficient and flexible vehicular video multicast is inseparable from the support of the 5G network and its fundamental enabler SDN [11], [16], [17], [18]. However, there are no corresponding solutions to the security problems. Therefore, against this background, i.e., that vehicular video multicast should be conducted under SDN networks, we focus in this paper on proposing a secure and efficient access control protocol for video multicast in SDVN. The system model is aligned with that of the existing works on SDVN [28]. When designing the detailed protocol, the system model and characteristics of SDVN, the video multicast process, and security requirements in SDVN are considered. Specifically, the proposed protocol aims to achieve the following major improvements: 1) clarify the detailed cryptography-based access control protocol, especially the module design and specific responsibilities of the SDN controller in a video multicast scenario; 2) achieve the security objectives, such as providing conditional privacy protection and resisting common types of attacks; 3) realize cost-efficient access control in terms of storage cost, computation and communication cost, packet loss rate, and time delay, to adapt to the time-delay-sensitive characteristics of SDVN. We hope that our tentative exploration can inspire relevant researchers.

Our Contributions
To the best of our knowledge, this is the first protocol that specifies detailed operating steps according to the system architecture of SDVN and the video multicast process and security requirements under this architecture. In order to meet the requirements of privacy protection, the protocol adopts Identity (ID)-based public key cryptography [29] rather than public key infrastructure (PKI)-based solutions [24], [30], thereby avoiding the problem of certificate management. Considering the huge number of vehicles and the delay-sensitive characteristics of the vehicular network, we follow a design similar to He et al.'s [31] to realize batch verification in SDVN. In addition, due to the limited computing power of the vehicle and in order to hide the access interest of the vehicle user from the cloud server, we refer to and improve the broadcast encryption scheme of Li et al. [32]. The main contributions of this study are summarized as follows.
First, we propose an SDN-based video multicast system model for the vehicular network, where the SDN controller is responsible for building a video multicast path only reaching legitimate vehicles and RSUs based on the authentication result. Second, we present an access control protocol for video multicast in SDVN. The protocol realizes the verification of both vehicles and RSUs. It also ensures the anonymous access of multicast member vehicles to video content, and realizes the identity tracking of malicious vehicles. Third, the protocol supports both RSUs and the SDN controller in performing batch verification and employs broadcast encryption. The conducted security proof and the detailed security analyses show that the proposed protocol achieves the security objectives of the vehicular network. In addition, compared with related schemes, this protocol exhibits better performance in computation and communication overhead, packet loss rate, and average transmission delay.

Organization of the Rest of the Paper
In Section II, the related work is introduced. In Section III, some preliminaries are provided. Then, Section IV presents the system model, security objectives and attack model. The specific process of our protocol is introduced in Section V. And Section VI shows security proof and analysis. Next, in Section VII, the performance analysis is presented. Finally, in Section VIII, we summarize this study and point out future research.

RELATED WORK
The SDN paradigm is considered to be the right choice to bridge the gap between vehicular application requirements and the limitations of today's vehicular networks. Nowadays, there have been a large number of relevant studies.
In [40], He et al. presented several cases to show that SDVN enables rapid vehicular network innovation, such as in unifying management of heterogeneous wireless devices, deploying adaptive routing protocol, and using network slicing to efficiently isolate multiple tenants. Using the evaluation platform, they validated the feasibility and effectiveness of their system design.
In [41], to tackle the navigation management problem, Oubbati et al. proposed an SDN-enabled approach for dynamic vehicle path-planning. In their three-tier architecture, all the collected information is reported to the SDN controller to build an accurate view of traffic in real-time in each road segment. By predicting and adjusting path-planning, the approach avoids congestion and provides alternative shorter-time paths for vehicles.
In [42], to realize stable vehicular communications, Ghafoor et al. presented a cognitive routing protocol for SDVN. In this protocol, they combined a cognitive capability with a routing technique by using SDN, to overcome spectrum scarcity and network connectivity issues in both vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) communications.
Because it is difficult to program in the traditional network to control the infrastructure and deploy multicast routing protocols, researchers introduce the emerging network paradigm SDN to simplify data traffic forwarding, network resource scheduling, and access policy formulation in vehicular networks [43]. At present, there has been a lot of research on multicast applications of SDVN [44].
In order to solve the delay problem and achieve multicast benefits in heterogeneous vehicular networks, He et al. [16] designed a multicast protocol and proposed a polynomial-time approximation algorithm for SDVN. Experimental results show that the SDVN-based multicast protocol outperforms existing decentralized approaches.
Later, Mendiboure et al. [45] designed a flexible and efficient middleware for location-aware and QoS-aware vehicular network applications by taking advantage of SDN to achieve effective geographic data distribution. Experiments were conducted to evaluate the performance of the proposed intelligent multicast architecture and mechanism in terms of time delay, bandwidth efficiency, packet loss rate, etc.
In [17], Kadhim et al. introduced fog computing and SDN into vehicular networks and proposed an energy-saving multicast routing protocol. The classification and scheduling algorithm is used to arrange multicast requests, and the partition concept is introduced to reduce the complexity and computing overhead of obtaining the best multicast path.
Recently, Hui et al. [46] proposed a collaborative content delivery scheme for SDVN. They introduced a double auction game to motivate cellular base stations to help RSUs with multicast-assisted content delivery. The simulation results show that the scheme is capable of improving the network utilities and efficiency.
The above research and other related work on multicast in SDVN can give a positive and affirmative answer for whether SDN can bring great benefits to multicast applications in vehicular networks. However, none of them considered the security issues. In fact, because vehicular communications are carried out in the wireless network, it is essential to provide security mechanisms [47]. At present, some access control schemes for vehicular networks have been proposed.
Because Li et al.'s scheme [48] lacks scalability and differentiated access control, Yeh et al. [22] proposed a portable privacy protection authentication and access control protocol for non-safety vehicular applications. The protocol is based on blind signatures. It achieves data confidentiality and integrity while realizing the privacy protection of vehicle users. However, the identity tracking problem of malicious vehicles is not considered, and Horng et al. [33] pointed out that this scheme cannot resist privilege elevation attacks.
In [34], Yeh et al. proposed an attribute-based access control system for emergency situations in vehicular networks. When an emergency occurs, the trusted traffic authority (TTA) will search for suitable vehicles, such as police cars, to deal with the emergency, thus improving the rescue efficiency. To minimize the bandwidth consumption, the TTA sends task assignment messages to RSUs through multicast. But the scheme does not consider the authentication of RSUs.
In [35], using broadcast encryption and key encapsulation mechanism, Weng et al. proposed an access control scheme for SDVN. However, the scheme focuses on the scalability and dynamic access control of the northbound interface; therefore, it only realizes mutual authentication between SDN applications and SDN controllers, without considering the security issue of information interaction with underlying vehicles.
In [36], Kong et al. proposed a querying scheme, which enables the vehicles to acquire local data from the fog storage device (i.e., RSUs). To disrupt the association between a specific request and its origin vehicle, the invertible matrix is used to structure multiple requests from vehicles. Moreover, with the Paillier cryptosystem, the RSU can recover each data request without identifying its origin vehicle. However, the scheme does not realize privacy protection, since the real identity is used during data request generation.
In [37], combined with blockchain technology, Mendiboure et al. proposed an efficient access control mechanism and a cross-sub-networks authentication/revocation mechanism for all SDVN devices (i.e., vehicles, RSUs, and SDN controllers). The scheme achieves scalability; however, although it generates the public key, private key, and corresponding certificate for the vehicle in the registration stage, it does not specify how to update the vehicle's pseudo identity to protect its identity privacy.
To achieve secure and efficient content delivery in the vehicular named data networking, Jiang et al. [38] proposed a proxy re-encryption-based access control scheme. They also designed a hashed certificate-based incentive scheme to encourage vehicles to cache content. This scheme can ensure the integrity of content delivery while supporting anonymous authentication and revocation of illegal vehicles. However, vehicles need to store a large number of pseudo identities, private keys, and certificates generated by service providers (SP) in advance. This not only increases the storage burden of vehicles but also makes the calculation task of SP heavy.
To achieve the secure delivery of cached data in the resource-constrained vehicular environment, Gupta et al. [39] proposed a cooperative caching scheme in the hierarchical network architecture. In this scheme, the probability matrix is used to determine which content to cache, and the modified weighted clustering algorithm is used to select the cluster head of vehicles. In addition, based on public-key cryptography, the authors propose a user authentication mechanism to realize the secure delivery of cached content. However, the implementation details are not given in their paper.
Table 1 provides a comparison summary of related access control schemes [22], [34]-[39]. As can be seen, the above schemes have some shortcomings in terms of security and performance. Due to the lack of research on access control issues for multicast applications in SDVN, it is crucial to design a secure and efficient access control protocol to fill the gaps in the existing solutions. For this reason, we focus on proposing a secure and efficient access control protocol, which is designed for the practical application scenarios of video multicast in the SDVN environment. The protocol avoids the limitations pointed out for the following schemes and draws on their guiding design ideas.
Table 1: Comparison summary of related access control schemes (surviving entries, grouped by scheme)
[22]
* Does not consider the identity tracking problem;
* Cannot resist privilege elevation attacks [33].
[34]
* Bilinear maps; secret sharing scheme.
* Uses an attribute-based multicast scheme to minimize the bandwidth consumption.
* Does not consider the authentication of RSUs.
[35]
* Realizes the authentication between SDN applications and controllers.
[36]
* RSUs can recover each data request without identifying the original identities of vehicles;
* RSU can batch verify the recovered data requests.
* Does not provide privacy protection.
[37]
* Uses a blockchain-based approach to achieve effective and reliable access control of the SDVN devices.
* Does not specify how to update the vehicle's pseudo identity to protect its identity privacy.
[38]
* Bilinear maps; proxy re-encryption.
* Ensures the integrity of content delivery;
* Supports anonymous authentication and revocation of illegal vehicles.
* The vehicle itself cannot generate pseudonyms;
* High storage and computation cost.
[39]
* Probability matrix; public-key cryptography.
* Designs a cooperative caching scheme in hierarchical vehicular network architecture.
* Does not give a detailed authentication mechanism.

To meet the security requirements in vehicular networks and resist common types of network attacks, the US Department of Transportation (USDOT) developed the SCMS for both V2V and V2I communications [23]. Identity privacy is protected by providing pseudo identities for vehicles; however, one of the main challenges is to efficiently revoke misbehaving vehicles and resist inside attacks. Moreover, in such public key infrastructure (PKI)-based solutions, as presented in the schemes [24] and [30], it is inevitable to consider the storage, update, and management of pseudonym certificates, and the distribution of certificate revocation lists. Therefore, we refer to He et al.'s [31] design of applying Identity (ID)-based public key cryptography (PKC) [29] to the vehicular network authentication scheme. Because there is no need to bind the user's identity to his/her public key, ID-based PKC solves the problem of certificate management in the PKI. In [31], vehicles can generate pseudo identities by themselves and the scheme supports batch verification [49], which efficiently reduces the overall authentication delay. However, it has been pointed out that such a design, which directly stores the system private key in each registered vehicle, will seriously threaten the security of the entire system [25].
In Pournaghi et al.'s scheme [50], the system master private key is directly stored in the RSUs, so that the RSUs can directly calculate the vehicles' real identities and accelerate the authentication process. However, the problems with such a design are that it relies on the ideal assumption that the RSUs are completely trusted, requires periodic inspection on whether the RSU has been damaged, and more importantly, needs to consider the update of the system master private key.
Therefore, when designing the access control scheme for SDVN, we refer to designs such as Khalid et al.'s [18] and Fiat et al.'s [49]. By deploying the authentication module in the SDN controller and supporting batch verification, we realize the efficient authentication of large-scale vehicles and unsupervised RSUs. However, authentication alone cannot achieve the complete access control goal of video multicast applications in SDVN. For this reason, we set our sights on broadcast encryption, which was introduced by Fiat and Naor [51] and is suitable for applications such as encrypted video content transmission. Inspired by Li et al.'s [32] anonymous certificate-based broadcast encryption scheme, we are motivated to ensure that only designated vehicles can recover video content and to realize constant decryption cost for vehicles, thus making the designed protocol suitable for SDVN.

Bilinear Map
Bilinear pairing has been widely used to construct cryptography protocols since 2001 [52]. Since our protocol involves a bilinear map, here, a brief introduction is presented. Let $G$ and $G_T$ be two multiplicative cyclic groups with the same prime order $q$, and $g$ is one generator of $G$. Let $Z_q^*$ be a finite field. A map $e : G \times G \to G_T$ is a bilinear map if it satisfies the following properties.
3) Computability: $e(g, h)$ can be computed in polynomial time for all $g \in G$ and $h \in G$.

Complexity Assumptions
The security of our AC-SDVN relies on hardness assumptions, i.e., discrete logarithm (DL) problem and computational Diffie-Hellman (CDH) problem.
DL Problem: For $A \in G$, the DL problem is to compute $a \in Z_q^*$, such that $A = g^a$ holds. $q$ and $g$ are the order and generator of $G$, respectively. The DL assumption in $G$ holds if it is computationally infeasible to solve the DL problem in $G$.
CDH Problem: For two elements $g^a, g^b \in G$ with two unknown elements $a, b \in Z_q^*$, the CDH problem is to compute $g^{ab} \in G$. The CDH assumption in $G$ holds if it is computationally infeasible to solve the CDH problem in $G$.

Batch Verification
Nowadays, communication security in vehicular network environments has attracted more and more attention, as it involves the privacy and security of vehicle users. However, the large number of vehicles and frequent vehicle requests make it increasingly challenging for the base station to verify and respond to requests from high-speed mobile vehicles in time. Because batch verification speeds up verification compared with verifying each signature one after the other, many cryptography-based solutions that support batch verification have been proposed. Batch verification refers to verifying all signatures received within a certain time window in one operation. In 1989, Fiat [49] first introduced batch cryptography based on RSA. Later, some other batch signature schemes were proposed [53]. In 2009, Ferrara et al. [54] proved that invalid signatures can be detected using a recursive divide-and-conquer approach, and if less than 15% of the signatures are invalid, batch verification is still more efficient than individual verification. Based on previous studies, in this paper, we propose an access control protocol AC-SDVN that supports batch verification.

Broadcast Encryption
Broadcast encryption is a cryptographic primitive, which was introduced by Fiat and Naor [51] in 1993. It enables a broadcaster to transmit encrypted contents to a group of receivers over an insecure public channel efficiently, and only qualified receivers can recover the contents [32]. Over the past decades, broadcast encryption has been widely used as the access control mechanism in many practical applications, such as video conferencing, pay-TV systems, encrypted file systems, cloud storage services, etc. In this paper, we refer to Li et al.'s [32] anonymous certificate-based broadcast encryption scheme, which achieves constant decryption cost. The broadcast encryption part of our protocol inherits the advantages of Li et al.'s [32] scheme, i.e., it is suitable for scenarios where there are many receivers with limited computation ability. The main difference between Li et al.'s [32] broadcast encryption scheme and the broadcast encryption in our protocol is that the broadcaster (i.e., the cloud server) in our protocol performs the broadcast encryption without knowing the real identity of receivers (i.e., the vehicles).

System Model
The following describes the entities involved in the access control protocol for video multicast in software defined vehicular networks (AC-SDVN), and their respective responsibilities. The entities are the trusted authority (TA), the SDN controller (SDN-C), the cloud server (CS), roadside units (RSUs), OpenFlow switches (OF switches), and vehicles. Fig. 1 shows the system model.
1) TA: It has enough communication, computation, and storage capability. It is responsible for initializing the system, providing registration services for both vehicles and RSUs, and verifying the legitimacy of the vehicle. It is the only entity that can calculate the real identity of vehicles. Like many existing schemes, we assume that the TA is a fully trusted entity and will not be compromised [31].
2) SDN-C: It is mainly implemented with the network monitoring module, multicast group management module, and authentication module [55]. The network monitoring module is responsible for collecting global network status information by periodically querying the switches, and the multicast group management module is responsible for formulating forwarding rules, calculating multicast routes, and managing multicast members. The authentication module is responsible for verifying the received message. The SDN-C is managed by the TA, and multiple SDN controllers with the same functions can be deployed.
3) CS: It has huge storage and computing capabilities. It is responsible for encrypting video using the symmetric encryption algorithm and encrypting the key by performing broadcast encryption.
4) RSU: It is deployed on the roadside and participates in the verification of messages from vehicles, so as to avoid the transmission of invalid messages and reduce the verification burden at the SDN-C. It is connected to the OF switch and communicates with vehicles through the wireless network.
5) OF switch: The switch supports the OpenFlow protocol and is responsible for forwarding data packets according to the received flow table sent by the SDN-C. The communication between the SDN-C and OF switches is based on the OpenFlow protocol, and the communication channel between them is protected by the Transport Layer Security (TLS) protocol.
6) Vehicle: The vehicle is equipped with the on-board unit (OBU), which is a tamper-proof device. The OBU will strictly implement the set encryption and decryption operations, and the cryptographic materials stored in it will not be compromised.

Security Objectives
The proposed protocol aims to achieve the following security objectives:
1) Access control: The protocol should ensure that only legal vehicles can pass authentication, and obtain the video content by calculating the corresponding video decryption key.
2) Conditional privacy protection: While realizing the privacy protection of vehicles' real identities, the protocol can also ensure that the TA can inspect vehicles' identities, and uncover the misbehaving vehicle's real identity.
3) Un-linkability: Attackers cannot successfully link intercepted messages to the same vehicle.
4) Resistance to common attacks: The protocol should be able to withstand common types of attacks, e.g., modification attacks, impersonation attacks, and replay attacks to ensure the security of vehicular communications.

Attack Model
In the protocol, we assume that the TA is fully trusted and cannot be compromised. We also assume that vehicles are equipped with tamper-proof OBUs and the secret materials stored in OBUs will not be compromised. Most vehicles are honest and some of them are untrusted. The CS, SDN-C, and RSUs are semi-trusted, i.e., they will follow the designated protocols honestly but may be able to infer some sensitive information from content delivery [17]. Attackers can be categorized into external attackers and internal attackers in AC-SDVN. External attackers refer to the entities that do not directly participate in our protocol and do not have any secret materials [38], [47]. Internal attackers refer to the entities directly involved in our protocol, i.e., vehicles and RSUs. Both internal and external attackers can mount passive and active attacks. For launching passive attacks, an attacker merely keeps eavesdropping on the wireless communication and tries to decipher the message; for launching active attacks, an attacker can access the insecure public channel to mount impersonation attacks and may modify or replay the message (as defined in the Dolev-Yao threat model [56]).

AC-SDVN
Based on previous studies on cryptographic techniques, including batch verification [49], [57] and broadcast encryption [51], we propose our AC-SDVN, which involves bilinear pairing [52]. And the security of our protocol relies on the mathematical assumptions (i.e., discrete logarithm assumption and computational Diffie-Hellman assumption) that have been proposed for a long time and are widely used in the construction of cryptographic schemes. The AC-SDVN includes the following seven phases. First, the TA performs system setup to generate system parameters.
Next, the RSU and vehicle register with the TA respectively. Then, the vehicle that wants to obtain the multicast video service generates a video request message and a multicast group joining request message. The vehicle sends the signed request message to the neighboring RSU.
Upon receiving the message from the vehicle, the RSU verifies the message. When multiple messages are received, the RSU performs batch verification to speed up verification. The RSU then sends the verified message to the OF switch to which it is connected. The switch encapsulates the received message as a PacketIn message and forwards it to the SDN-C.
The SDN-C verifies the messages from the RSU. Here, the SDN-C can also perform batch verification. Then SDN-C sends the verified messages to the TA. Based on the message from the SDN-C, the TA calculates the vehicles' true identities and sends the valid anonymous identity information of vehicles to the CS and the SDN-C. The SDN-C parses the multicast request, formulates forwarding rules, and constructs multicast paths to the RSU covering the vehicle.
After that, the CS performs video encryption and uses the vehicles' anonymous identity information to encrypt the video decryption key. Then, according to the flow tables which are provided by the SDN-C, OF switches forward the multicast data.
Finally, the vehicle decrypts the received data to obtain the video content.
Our protocol achieves the following advantages: 1) the vehicle itself can dynamically update pseudo identity, thus eliminating the burden of pre-storing a large number of pseudo identities in the vehicle and the workload of the TA generating pseudo identities for the vehicle; 2) both the RSU and the SDN-C can perform batch verification, thus improving the overall authentication efficiency of the system; 3) the CS only needs to perform broadcast encryption once to send the same content to different target receivers.
Notations are listed in Table 2. And Fig. 2 shows the implementation process of the protocol.

System Setup
The TA initializes the system at this phase. The following are the detailed steps.
1) Taking the security parameter $c$ as input, the TA produces two multiplicative cyclic groups $G$ and $G_T$ with the order $q$, and a bilinear map $e : G \times G \to G_T$, where $g_T = e(g, g)$, $q$ is a large prime with $c$ bits, and $g$ is one generator of $G$. Let $N$ denote the maximum number of receivers in our broadcast system.
2) The TA sets the randomly selected $a \in Z_q^*$ as the system master secret key, and computes the corresponding system public key $P_{pub} = g^a$.
3) Then the TA selects nine cryptographic hash functions: $\ldots, \{0, 1\}^* \to G$, and $H_1 : \{0, 1\}^* \times G \to G$, where $t$ represents the limited length of bit string.
4) At last, the TA keeps $a$ secretly. And the TA broadcasts system public parameters $Para = \{q, G, G_T, e, g, g_T, P_{pub}, h_i\ (i = 1, \ldots, 7), H_0, H_1\}$.

Registration
This phase includes the RSU registration and the vehicle registration.
The RSU registration. The RSU participating in the provision of video services needs to register with the TA, so as to sign its messages using the private key generated by the TA. The following steps are executed via a secure channel, such as through the TLS protocol [58].
1) The RSU $RSU_j$ sends its identity $ID_{rsu_j}$ to the TA.
2) Once receiving this registration request, the TA checks whether $ID_{rsu_j}$ has been registered or on the blacklist. If so, this request will be rejected; otherwise, the TA performs the following steps.
3) The TA randomly chooses $k_{rsu_j} \in Z_q^*$, and computes $K_{rsu_j} = g^{k_{rsu_j}}$. Then the TA generates private key $sk_{rsu_j}$ for $RSU_j$, where $sk_{rsu_j} = a + k_{rsu_j}$.
4) The TA keeps $\{ID_{rsu_j}\}$ into its database and returns $\{K_{rsu_j}, sk_{rsu_j}\}$ to $RSU_j$, and $RSU_j$ keeps $\{K_{rsu_j}, sk_{rsu_j}\}$ secretly.
Table 2. Notations
$P_{pub}$: System public key
$V_i$: The $i$-th vehicle
$UID_i$: The real identity of vehicle user
$ID_i$: The real identity of $V_i$
$PID_i$: The pseudo identity of $V_i$
$PW_i$: The password of $V_i$
$RT_i$: The authorization token of $V_i$
$M_{vr}$: The video request message of the vehicle
$M_{gi}$: $V_i$'s request to join the multicast group
$RSU_j$: The $j$-th RSU
$ID_{rsu_j}$: The real identity of $RSU_j$
$t_i, t_j, t_{cs}$: The current timestamp
$h_i\ (i = 1, \ldots, 7), H_0, H_1$: Cryptographic hash functions

The vehicle registration. Each vehicle needs to register with the TA before leaving the factory. After executing the following steps, the vehicle will get a private key. Only by using the private key generated by the TA can the vehicle generate valid pseudo identities to protect its privacy. Unlike designs such as He et al.'s [31], in our protocol the system private key is not directly stored in each registered vehicle, so that the security of the whole system is not threatened when the OBU of a single vehicle is compromised.
1) Vehicle user sends its identity $UID_i$ and the real identity $ID_i$ of vehicle $V_i$ to the TA. Then TA randomly chooses $k_i \in Z_q^*$, and computes $K_i = g^{k_i}$ and where $RT_i$ is used to calculate the video decryption key. The TA generates private key $sk_i$ for $V_i$ by calculating $sk_i = a + k_i$.
2) The TA keeps $\{UID_i, ID_i\}$ into its database and stores $\{K_i, Q_i, RT_i, sk_i\}$ into the OBU of $V_i$.

Sign the Request Message
The vehicle performs the following steps to sign the request message and sends it to the nearby RSU. Note that the network state may be unstable, and different approaches can be adopted to maintain vehicular communication. For example, by utilizing the global view of the SDN controller, the paths of vehicles can be planned in advance and adjusted in time, thus bypassing paths where a network connection cannot be established [41], [42]. Moreover, if the vehicle is completely isolated and cannot establish communication with RSUs, vehicle-to-vehicle communication can serve as the remedy [59]. This issue is beyond the scope of this study; for more details, please refer to references [41], [42], [59].
1) The vehicle user enters $UID_i$ and $ID_i$ into the OBU of $V_i$, and only when $H_0(ID_i \| UID_i)$ is equal to the secret value $Q_i$ stored in the OBU, the following steps will be executed; otherwise, this login request will be rejected.
2) $V_i$ uses the randomly selected numbers $d_i \in Z_q^*$ and pub . Then $V_i$ generates a pseudo identity $PID_i$ for hiding its real identity $ID_i$ to realize identity privacy protection, where the form of this pseudo identity is

Verify the Message From the Vehicle
In this part, we explain how the RSU verifies a single message received, and how to perform batch verification when multiple messages are received. Then RSU forwards verified messages to the connected OF switch, and discards invalid request messages, such as expired messages or messages that cannot be verified. Because RSUs participate in the authentication of messages from vehicles, it can reduce the authentication burden of the system and avoid transmitting invalid request messages.
Case 1: The RSU verifies a single message
1) Once $msg_i$ is received, $RSU_j$ inspects the freshness of $t_i$. $RSU_j$ performs the next steps only if $t_i$ is valid; otherwise, $RSU_j$ drops $msg_i$.
2) $RSU_j$ checks whether the equation If yes, $RSU_j$ performs the next step; otherwise, $RSU_j$ drops $msg_i$.
3) $RSU_j$ verifies whether the equation If it holds, $RSU_j$ accepts $msg_i$; otherwise, $RSU_j$ drops $msg_i$, and the next steps will not be executed. The correctness of this equation is proved as follows.
4) $RSU_j$ writes the verified messages into the set $S_{vr_j}$, where $S_{vr_j} = \{M_{vr} \| PID_i \| D_i \| M_{gi}\}$.
5) $RSU_j$ selects a random number $b_{rsu_j} \in Z_q^*$, and calculates
6) $RSU_j$ transmits $msg_j$ to the connected switch, where $msg_j = \{S_{vr_j}, B_{rsu_j}, ID_{rsu_j}, t_j, K_{rsu_j}^*, s_{rsu_j}\}$. Then the switch encapsulates $msg_j$ into a PacketIn message.

1) $RSU_j$ first checks whether the timestamp of each message is valid. $RSU_j$ drops messages whose timestamps have expired.
2) $RSU_j$ checks whether the equation $\ldots, m$. If yes, $RSU_j$ performs the next step.
3) To detect the modification of signatures using batch verification, $RSU_j$ chooses $m$ ephemeral values $u = \{u_1, u_2, \ldots, u_m\}$, where $u_i \in [1, 2^t]$ and $t$ is a small random integer [31], [60]. Then $RSU_j$ batch verifies these messages at once by computing g P m If this equation holds, $RSU_j$ accepts the messages; otherwise, $RSU_j$ rejects them. The correctness of this batch verification equation is proved as follows.
4) $RSU_j$ writes the verified messages into the set $S_{vr_j}$, the form of $S_{vr_j}$ is $S_{vr_j} = \{M_{vr} \| PID_1 \| D_1 \| M_{g1} \| PID_2 \| D_2 \| M_{g2} \| \ldots \| PID_m \| D_m \| M_{gm}\}$.
5) $RSU_j$ selects a random number $b_{rsu_j} \in Z_q^*$, and calculates rsuj . After that, $RSU_j$ computes $s_{rsu_j} = b_{rsu_j} + sk_{rsu_j} \cdot u_{rsu_j}$.
6) $RSU_j$ transmits $msg_j$ to the connected switch, where $msg_j = \{S_{vr_j}, B_{rsu_j}, ID_{rsu_j}, t_j, K_{rsu_j}^*, s_{rsu_j}\}$. Then the switch encapsulates $msg_j$ into a PacketIn message.
Note that, when invalid signatures appear, instead of verifying signatures one by one or discarding the whole signatures, we can adopt binary search technology as described in our previous work [61].

Verify the Message From the RSU
In this phase, the SDN-C validates the message from the RSU and then sends the authenticated message to the TA. Based on the received message from the SDN-C, the TA calculates the vehicles' true identities and sends the valid anonymous identity information of vehicles to the CS and the SDN-C. Then, the SDN-C constructs multicast paths to the RSU covering the vehicle.
1) The SDN-C checks whether $t_j$ is valid. If it has expired, the SDN-C rejects $msg_j$. Otherwise, the SDN-C executes the subsequent step.
2) The SDN-C calculates $h_3(S_{vr_j})$ and verifies the equation $u_{rsu_j} = h_4(h_3(S_{vr_j}) \| B_{rsu_j} \| ID_{rsu_j} \| t_j)$. The following steps will only continue when this equation holds.
3) The SDN-C checks whether the equation $g^{s_{rsu_j}} = B_{rsu_j} \cdot P_{pub}^{u_{rsu_j}} \cdot K_{rsu_j}^*$ holds. If not, $msg_j$ will be rejected; otherwise, the SDN-C performs the next step. The correctness of this equation is proved as follows.
4) The SDN-C sends vehicles' pseudo identities to the TA. The TA computes $ID_i = PID_i \oplus h_1(D_i^a)$ to get the real identity of $V_i$ and checks whether $V_i$ is legal and registered. For those legal and registered vehicles, the TA generates and sends $S_V$ to the CS via a secure channel. Then, upon receiving the valid pseudo identities from the TA, the SDN-C analyzes the multicast request message and extracts relevant information (e.g., datapath ID of the switch, source address, destination multicast address). According to the obtained network state information, the SDN-C formulates forwarding rules and constructs multicast paths to the RSU covering the vehicle.

1) The SDN-C first checks whether the timestamp of each message is valid, and drops messages whose timestamps have expired.
2) The SDN-C computes $h_3(S_{vr_j})$ and checks if the equation $u_{rsu_j} = h_4(h_3(S_{vr_j}) \| B_{rsu_j} \| ID_{rsu_j} \| t_j)$ holds, for $j = 1, 2, \ldots, n$. The following steps will continue only when it holds.
3) Similarly, to detect the modification of signatures using batch verification, the SDN-C chooses $n$ ephemeral values $i = \{i_1, i_2, \ldots, i_n\}$, where $i_j \in [1, 2^t]$ and $t$ is a small random integer. Then the SDN-C batch verifies these messages by executing $g^{\sum_{j}^{n} i_j \cdot s_{rsu_j}}$ If the equation (4) holds, the SDN-C accepts the messages; otherwise, the SDN-C rejects them. The correctness of this equation is proved as follows.
4) The SDN-C sends vehicles' pseudo identities to the TA. The TA computes $\ldots, m$, to get the real identity of $V_i$ in each message $msg_j$, and checks whether $V_i$ is legal and registered. For those legal and registered vehicles, the TA generates $\ldots \| Q_m \| PID_m\}$, and sends $S_V$ to the CS via a secure channel. Then, upon receiving the valid pseudo identities from the TA, the SDN-C analyzes the multicast request message and extracts relevant information (e.g., datapath ID of the switch, source address, destination multicast address). According to the obtained network state information, the SDN-C formulates forwarding rules and constructs multicast paths to the RSU covering the vehicle.
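The RSU-to-SDN-C check above, single and batched, as an added example (not the authors' code): it runs over a toy Schnorr group rather than a pairing group, uses SHA-256 in place of $h_3$ and $h_4$, and shows why the small random exponents are needed and how a failing batch is split by binary search. Assumptions of this example: $B_{rsu_j} = g^{b_{rsu_j}}$, $K_{rsu_j}^* = K_{rsu_j}^{u_{rsu_j}}$, a batch right-hand side derived from the single-message equation, and all function names, constants and sample messages, which are constructed.

```python
import hashlib
import secrets

# Toy Schnorr group, constructed for this example and far too small for real use:
# P = 2*Q + 1 with P, Q prime, and G generates the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4
MAX_AGE = 5    # assumed freshness window for t_j, in seconds
T_BITS = 8     # small exponents are drawn from [1, 2^T_BITS]


def rand_zq():
    """Random element of Z_q^*."""
    return secrets.randbelow(Q - 1) + 1


def challenge(m):
    """u = h4(h3(S) || B || ID || t), with SHA-256 standing in for h3 and h4."""
    h3 = hashlib.sha256(m["S"].encode()).hexdigest()
    data = f'{h3}|{m["B"]}|{m["ID"]}|{m["t"]}'.encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def ta_setup():
    """TA: master secret a and public key P_pub = g^a."""
    a = rand_zq()
    return a, pow(G, a, P)


def register_rsu(a):
    """TA: K = g^k and private key sk = a + k for one RSU."""
    k = rand_zq()
    return pow(G, k, P), (a + k) % Q


def rsu_sign(S, rsu_id, t, K, sk):
    """RSU: s = b + sk*u. B = g^b and K* = K^u are assumptions of this example."""
    b = rand_zq()
    m = {"S": S, "B": pow(G, b, P), "ID": rsu_id, "t": t}
    u = challenge(m)
    m["K_star"] = pow(K, u, P)
    m["s"] = (b + sk * u) % Q
    return m


def is_fresh(m, now):
    return 0 <= now - m["t"] <= MAX_AGE


def verify_single(m, P_pub, now):
    """Check g^s == B * P_pub^u * K* after the timestamp check."""
    if not is_fresh(m, now):
        return False
    u = challenge(m)
    return pow(G, m["s"], P) == m["B"] * pow(P_pub, u, P) * m["K_star"] % P


def batch_verify(msgs, P_pub, exps=None):
    """Check g^(sum i_j*s_j) == prod (B_j*K*_j)^(i_j) * P_pub^(sum i_j*u_j)."""
    if exps is None:
        exps = [secrets.randbelow(2 ** T_BITS) + 1 for _ in msgs]
    s_sum, u_sum, prod = 0, 0, 1
    for m, i_j in zip(msgs, exps):
        s_sum = (s_sum + i_j * m["s"]) % Q
        u_sum = (u_sum + i_j * challenge(m)) % Q
        prod = prod * pow(m["B"] * m["K_star"] % P, i_j, P) % P
    return pow(G, s_sum, P) == prod * pow(P_pub, u_sum, P) % P


def find_invalid(msgs, P_pub, lo=0, hi=None):
    """Binary search: split a failing batch until the bad indices are isolated."""
    hi = len(msgs) if hi is None else hi
    if hi == lo or batch_verify(msgs[lo:hi], P_pub):
        return []
    if hi - lo == 1:
        return [lo]
    mid = (lo + hi) // 2
    return find_invalid(msgs, P_pub, lo, mid) + find_invalid(msgs, P_pub, mid, hi)


def accept(msgs, P_pub, now):
    """SDN-C pipeline: drop stale messages, batch verify, isolate failures."""
    fresh = [m for m in msgs if is_fresh(m, now)]
    bad = set(find_invalid(fresh, P_pub))
    return [m for n, m in enumerate(fresh) if n not in bad]


if __name__ == "__main__":
    a, P_pub = ta_setup()
    msgs = [rsu_sign(f"request-set-{j}", f"RSU-{j}", 1000, *register_rsu(a))
            for j in range(4)]                      # constructed sample messages
    print("batch of valid messages:", batch_verify(msgs, P_pub))
    # Two signatures shifted by +7 and -7: each fails alone, the plain sum cancels.
    msgs[0]["s"] = (msgs[0]["s"] + 7) % Q
    msgs[1]["s"] = (msgs[1]["s"] - 7) % Q
    print("all exponents 1:", batch_verify(msgs, P_pub, exps=[1, 1, 1, 1]))
    print("distinct exponents:", batch_verify(msgs, P_pub, exps=[3, 5, 2, 9]))
    print("accepted:", [m["ID"] for m in accept(msgs, P_pub, now=1002)])
```

With exponents drawn from $[1, 2^t]$, a pair of offsetting modifications slips through only when both messages receive the same exponent, which is why $t$ trades verification cost against detection probability.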

Encrypt the Video and Perform Broadcast Encryption
When the message $S_V$ is received from the TA, the CS performs the broadcast encryption algorithm as follows. Here, we need to make a special note that we refer to Li et al.'s [32] scheme for this part of the broadcast encryption.
1) The CS uses randomly selected key $DK \in Z_q^*$ to perform the symmetric encryption algorithm on video, thus obtaining the encrypted video $EV_{DK}$. Note that this step can be performed in advance.
3) The CS selects a random number $l \in Z_q^*$ and computes $w = h_5(l \| DK \| t_{cs})$. Then the CS computes $\ldots, m$.
5) The CS generates $Hdr = (A_0, C_1, C_2, \ldots, C_m) = (A_0, C_{11}, C_{12}, C_{21}, C_{22}, \ldots, C_{m1}, C_{m2})$ and sets $CT = (Hdr, h, t_{cs})$. Then, the CS returns $CT$ and the encrypted video $EV_{DK}$ to the SDN-C.
6) The switch multicasts the received $CT$ and $EV_{DK}$ to the RSU according to the flow table received from the SDN-C. Then the RSU sends the received data to the vehicle.

Decryption
After receiving $CT$ and $EV_{DK}$ from the RSU, vehicles perform the following decryption operations.
1) $V_i$ computes $F_i = H_1(PID_i \| P_{pub})$. Note that this step can be performed in advance.
2) $V_i$ checks whether $t_{cs}$ is valid. If it has expired, $V_i$ rejects $CT$. Otherwise, $V_i$ executes the subsequent steps.
$RT_i$ is the authentication token obtained by the vehicle from the TA during registration. And it can be seen that unregistered vehicles cannot decrypt the received data because they do not have the authorization token $RT_i$. The correctness of this equation is proved as follows.
4) Then $V_i$ computes $h_7({}_i)$ to locate its $C_{i1}$ and corresponding $C_{i2}$ in $Hdr$, due to

SECURITY PROOF AND ANALYSIS
We will argue that our AC-SDVN is secure against existential forgery on adaptively chosen message and identity attack under the random oracle model [62], and that it achieves the security objectives while resisting common attacks. Note that because the process of authenticating vehicles and RSUs is similar, this section only analyzes the security of the AC-SDVN for vehicles. In addition, as described in Section IV-F, our broadcast encryption is a slight improvement on Li et al.'s [32] scheme. Due to the space limitation, this section does not introduce the security proof of this part; interested readers can refer to the security proof in [32].

Security Model
The security model for the AC-SDVN is defined by a game played between a polynomial-time attacker $\mathcal{A}$ and a protocol challenger $\mathcal{C}$. $\mathcal{A}$ can execute the following queries to $\mathcal{C}$.
Setup-Oracle: Once the query for this oracle is received, $\mathcal{C}$ generates the system master secret key and public parameters. Then, $\mathcal{C}$ returns the public parameters to $\mathcal{A}$.
Hash-Oracle: $\mathcal{C}$ returns the selected random value $x_i \in Z_q^*$ to $\mathcal{A}$ and inserts the tuple $\langle m, x_i \rangle$ into corresponding list $L_{H_0}$ or $L_{h_i}$ $(i = 1, 2)$, when $\mathcal{A}$ invokes this query with the information $m$.
Extract-Oracle: When $\mathcal{A}$ invokes this query using the identity $ID_i$, $\mathcal{C}$ returns the generated $K_i$ to $\mathcal{A}$, and stores the tuple $\langle ID_i, K_i \rangle$ to the list $L_{vehicle}$.
Sign-Oracle: When $\mathcal{A}$ invokes this query using $M_{vr}$, $M_{gi}$ and $K_i$, $\mathcal{C}$ returns the generated signature tuple $msg_i$ to $\mathcal{A}$.
After executing the aforementioned queries, $\mathcal{A}$ falsifies a signature $s_i'$ of a video request message $M_{vr}$ associated with $M_{gi}$, $ID_i$, $K_i$, and $t_i$. $\mathcal{A}$ would win the above game, if the following three conditions are satisfied. is negligible for any polynomial-time adversary $\mathcal{A}$.

Formal Security Proof Using Random Oracle Model
According to Definition 1, the chosen message and identity security of the proposed AC-SDVN for vehicles is argued as follows [62].
Theorem 1: The proposed AC-SDVN for vehicles is secure in the random oracle model, with the assumption that the underlying DL problem is intractable.
Proof: Suppose that a polynomial-time $\mathcal{A}$ can forge a legal $msg_i = \{M_{vr}, M_{gi}, D_i, R_i, PID_i, t_i, K_i^*, s_i\}$ with a non-negligible advantage $\varepsilon$, then $\mathcal{C}$ is capable of solving the DL problem with a non-negligible advantage by conducting $\mathcal{A}$ as a subroutine. Let $(g, A = g^a)$ be an instance of DL problem, and the goal of $\mathcal{C}$ is to calculate $a$. $\mathcal{A}$ adaptively requests the following oracle queries modeled by $\mathcal{C}$.
Setup-Oracle: $\mathcal{C}$ sets $P_{pub} \leftarrow A$, and then returns the public parameters $Para$ to $\mathcal{A}$, where $Para = \{q, G, G_T, e, g, g_T, P_{pub}, h_i\ (i = 1, \ldots, 7), H_0, H_1\}$.
$H_0$-Oracle: $\mathcal{C}$ maintains the list $L_{H_0}$ with the form of $\langle ID_i, UID_i, x_0 \rangle$, which is initialized empty. Upon receiving $\mathcal{A}$'s query with $\{ID_i, UID_i\}$, $\mathcal{C}$ inspects whether the tuple $\langle ID_i, UID_i, x_0 \rangle$ exists in $L_{H_0}$ first. If so, $\mathcal{C}$ finds the corresponding $x_0$ and returns it to $\mathcal{A}$; otherwise, $\mathcal{C}$ sends the generated random nonce $x_0 \in G$ to $\mathcal{A}$, where $x_0 = H_0(ID_i \| UID_i)$, and adds the tuple $\langle ID_i, UID_i, x_0 \rangle$ into $L_{H_0}$.
$h_1$-Oracle: $\mathcal{C}$ maintains the list $L_{h_1}$ with the form of $\langle D_i^*, x_1 \rangle$, which is initialized empty. Upon receiving $\mathcal{A}$'s query with $D_i^*$, $\mathcal{C}$ inspects whether the tuple $\langle D_i^*, x_1 \rangle$ exists in $L_{h_1}$ first. If so, $\mathcal{C}$ finds the corresponding $x_1$ and returns it to $\mathcal{A}$; otherwise, $\mathcal{C}$ sends the generated random nonce i ), and adds $\langle D_i^*, x_1 \rangle$ into $L_{h_1}$.
$h_2$-Oracle: $\mathcal{C}$ maintains the list $L_{h_2}$ with the form of $\langle M_{vr}, M_{gi}, D_i, R_i, PID_i, t_i, x_2 \rangle$, which is initialized empty. Upon receiving $\mathcal{A}$'s query with $\{M_{vr}, M_{gi}, D_i, R_i, PID_i, t_i\}$, $\mathcal{C}$ inspects whether the tuple $\langle M_{vr}, M_{gi}, D_i, R_i, PID_i, t_i, x_2 \rangle$ exists in $L_{h_2}$ first. If so, $\mathcal{C}$ finds the corresponding $x_2$ and returns it to $\mathcal{A}$; otherwise, $\mathcal{C}$ sends the generated random nonce $x_2 \in Z_q^*$ to $\mathcal{A}$, where $x_2 = h_2(M_{vr} \| M_{gi} \| D_i \| R_i \| PID_i \| t_i)$, and adds $\langle M_{vr}, M_{gi}, D_i, R_i, PID_i, t_i, x_2 \rangle$ into $L_{h_2}$.
Extract-Oracle: $\mathcal{C}$ maintains the list $L_{vehicle}$ with the form of $\langle ID_i, K_i \rangle$, which is initialized empty. Upon $\mathcal{A}$ issuing the query, $\mathcal{C}$ inspects whether the tuple $\langle ID_i, K_i \rangle$ exists in $L_{vehicle}$ first. If so, $\mathcal{C}$ finds the corresponding $K_i$ and returns it to $\mathcal{A}$; otherwise, $\mathcal{C}$ sends the generated random nonce $K_i \in G$ to $\mathcal{A}$, where $K_i = g^{k_i}$ and $k_i \in Z_q^*$, and adds $\langle ID_i, K_i \rangle$ into $L_{vehicle}$.
Sign-Oracle: When $\mathcal{A}$ invokes this query using $\{M_{vr}, M_{gi}, ID_i, K_i, t_i\}$, $\mathcal{C}$ generates random numbers , the signature generated in the simulation is indistinguishable from that in the real protocol, so that $msg_i = \{M_{vr}, M_{gi}, D_i, R_i, PID_i, t_i, K_i^*, s_i\}$ can be verified successfully by $\mathcal{A}$. Finally, $\mathcal{A}$ outputs a signature tuple $msg_i = \{M_{vr}, M_{gi}, D_i, R_i, PID_i, t_i, K_i^*, s_i\}$ to $\mathcal{C}$. $\mathcal{C}$ inspects if the following equation holds.
If not, $\mathcal{C}$ aborts the process. According to the forking lemma in [63], $\mathcal{A}$ can obtain another valid $msg_i = \{M_{vr}, M_{gi}, D_i, R_i, PID_i, t_i, \tilde{u}_i, K_i^*, \tilde{s}_i\}$ with a different choice of $h_2$ but the same inputs $\langle M_{vr}, M_{gi}, D_i, R_i, PID_i, t_i \rangle$, with the probability $\varepsilon' \geq (1/9)$ [60]. In this case, it is easy to get the following equation.
According to equations (6) and (7), we can get: And according to (8), we can get: $\mathcal{C}$ outputs $(\tilde{s}_i - s_i) \cdot (\tilde{u}_i - u_i)^{-1} - k_i$ as the answer of the DL problem. The probability that $\mathcal{C}$ solves the DL problem can be induced through the following events.
1) $E_{ID}$ denotes the event that $ID_i$ is equal to g ID i .
2) $E_{forge}$ signifies the event that $\mathcal{A}$ could forge two valid signatures.
Let $N_{h_1}$ denote the times of $h_1$-Oracle queries, we can get that $Prob[E_{ID}] = 1$ , $Prob[E_{forge} | E_{ID}] \geq \frac{1}{9} \cdot \varepsilon$, and the probability that $\mathcal{C}$ can resolve the DL problem is Therefore, $\mathcal{C}$ can solve the DL problem with a non-negligible probability $\varepsilon$ because of the non-negligible $\varepsilon$ and bounded $N_{h_1}$. However, this finding contradicts the difficulty of DL problem in $G$.

Informal Theoretical Security Analysis
1) Access control: The system will authenticate the identity of the vehicle and the messages it sends during vehicular communications. In addition, in the protocol, only vehicles with $RT_i$ can calculate the video decryption key. Because $RT_i$ is stored in the OBU and the message sent by the vehicle does not involve $RT_i$, attackers cannot obtain $RT_i$ for decrypting the video.
2) Conditional privacy protection: In this protocol, the vehicle uses pseudo identities to participate in communication and dynamically updates its pseudo identity used in each communication.
, attackers cannot get $a$ or break the CDH problem, therefore attackers cannot get the real identity $ID_i$ of vehicle. In addition, the message received by the CS from the TA is $Q_i$ and $PID_i$, where $PID_i$ is the pseudo identity of the vehicle, and $Q_i$ is the encrypted identity information of the vehicle. Therefore, the CS cannot calculate the real identity of the vehicle. But, the TA can track the real identity of the vehicle by computing i ) using its system master secret key $a$. Therefore, our protocol achieves conditional privacy protection.
3) Un-linkability: Each encrypted message sent by the vehicle contains its selected random number and the dynamically updated pseudo identity; therefore, attackers cannot successfully connect the intercepted messages to the same vehicle.

4) Resistance impersonation of vehicle: The vehicle signs the message by computing $s_i = r_i + sk_i \cdot u_i$. Because the attacker cannot obtain $sk_i$ that is stored in the OBU of the vehicle, the protocol can resist the impersonation of the vehicle. Similarly, because the attacker cannot crack $sk_{rsu_j}$ of the RSU, our protocol can resist the impersonation of the RSU.
Resistance modification attack: In our protocol, the receiver will verify the received message. Because the modified message cannot be successfully verified, the protocol can resist modification attacks.
Resistance replay attack: Because each encrypted message contains a timestamp, by checking the freshness of the timestamp, receivers can discover and reject the replayed message.

Formal Security Verification Using ProVerif
In this subsection, the result of formal security verification using ProVerif 2.02pl1 is presented. ProVerif is a broadly accepted tool for automatically analyzing the security of cryptographic protocols [64]. Using ProVerif, the different cryptographic elements can be modeled and the reachability properties, correspondence assertions, and observational equivalences can be validated. The most important security objectives achieved by the proposed protocol have been formally evaluated using ProVerif and the results are summarized in Fig. 3.
Furthermore, due to the limited space, the source code of the protocol for the ProVerif tool has been released as open source and can be obtained from [65]. In Fig. 3, (1) and (2) are the results of the reachability query that demonstrates the secrecy of the private key of $V_i$ and $RSU_j$ because the attacker is unable to obtain the private keys $sk_i$ and $sk_{rsu_j}$. In Fig. 3, (3) and (4) are the results of two observational equivalences that show the strong anonymity of $V_i$ because "Non-interference IDi is true" and "Non-interference UIDi is true". Finally, in the source code, four main events have been identified (i.e., startVi, endRSUj, startRSUj, and endSDNC). In Fig. 3, (5) and (6) are the results of two injective correspondence assertions, and the results prove that the proposed protocol achieves the authentication of $RSU_j$ to $V_i$ and SDN-C to $RSU_j$.

Comparison of Security and Functionality Features
Let $SR_1$, $SR_2$, and $SR_3$ denote access control, conditional privacy protection, and authentication, respectively. At the same time, $UP$, $BV$, and $BE$ indicate that the vehicle updates its pseudo identity by itself, batch verification, and broadcast encryption. The comparison results listed in Table 3 show that our protocol achieves more merits.

PERFORMANCE ANALYSIS
In this section, we analyze the performance of the proposed AC-SDVN from three aspects: computation cost, communication cost, packet loss ratio and average transmission delay, and compare it with related schemes [38], [66], [67], [68] and [27]. We compare our protocol with these schemes because, according to our research, no existing literature addresses access control for the specific video/SDN/vehicular context as we do. Therefore, to prove the efficiency of our protocol, we compare the AC-SDVN with schemes [38], [66], [67], [68] and [27] published in reputable journals and conferences. Among them, the scheme [38] also aims to realize access control in content delivery in the vehicular network, and the schemes [66], [67], [68] and [27] also apply broadcast encryption or batch verification to realize access control.
To analyze the computation and communication overhead of cryptographic operations and realize the security of 80 bits, we use a symmetric bilinear pairing $e : G \times G \to G_T$, where $G$ with order $q$ is generated by a point $P$ on a supersingular elliptic curve $y^2 = x^3 + x \bmod p$. Besides, $p$ and $q$ are a 64-byte prime number and a 20-byte prime number, respectively.

Computation Cost Analysis
We use the C/C++ cryptographic library called MIRACL to measure the execution time of cryptography operations under the Ubuntu 14.04 environment with an Intel i7-6700 CPU and 8 GB of memory. The execution time of different basic operations is shown in Table 4. Table 5 shows the specific computation time of our protocol and schemes [38], [66], [67], [68] and [27]. Furthermore, to show the comparison results more intuitively, according to Table 5, Fig. 4 is generated to show the time cost for signature generation, signature verification, and content encryption. Figs. 5 and 6 are generated to show the execution time for receiver decryption and batch verification. Note that the implementation steps of signature generation, signature verification, and batch verification are not explicitly provided in [68]; therefore, the specific computation overhead of these three operations in [68] is not calculated.
Here, we analyze only the scheme [38] and our protocol in detail, as the specific computation cost analysis of [66], [67], [68], and [27] can be carried out similarly.
In [38], two scalar multiplication operations in $G$ and two hash operations are needed to sign a message, therefore, the signature generation cost is $2T_m + 2T_h \approx 1.908$ ms. To verify a single message, two scalar multiplication operations in $G$, five pairing operations, one exponentiation operation in $G_T$ and four hash operations are required, so the cost of verifying a single message is $2T_m + 5T_p + T_e + 4T_h \approx 25.78$ ms. In their scheme, the vehicle storing the encrypted packets will encrypt the data again before responding to the request of other vehicles, so the total encryption cost is $3T_m + T_p + T_e + 8T_h \approx 7.845$ ms. The vehicle that obtained the encrypted data is required to execute two scalar multiplication operations in $G$, five pairing operations, one exponentiation operation in $G_T$ and six hash operations, that is, it needs to take $2T_m + 5T_p + T_e + 6T_h \approx 25.782$ ms to decrypt. For batch verifying $n$ messages from different vehicles, the required overhead in their scheme is $(4T_a + T_m + T_h)n + 3T_p + T_e \approx 0.982n + 14.424$ ms.
In our protocol, four scalar multiplication operations in $G$ and two hash operations are needed to sign a message, therefore, the signature generation cost is $4T_m + 2T_h \approx 3.814$ ms. To verify a single message, four scalar multiplication operations in $G$ and one hash operation are required, so the cost of verifying a single message is $4T_m + T_h \approx 3.813$ ms. Moreover, to encrypt a video decryption key, the required overhead executed by the CS is $T_m + 2T_p + T_e + T_{mtp} + 3T_h \approx 13.05$ ms. The vehicle needs to execute two pairing operations, two exponentiation operations in $G_T$, one MapToPoint hash operation in $G$ and two hash operations, that is, it needs to take $2T_p + 2T_e + T_m + T_{mtp} + 2T_h \approx 13.304$ ms to decrypt. For batch verifying $n$ messages, the required overhead in our protocol is $(2T_{sm} + T_h)n + 4T_m \approx 0.255n + 3.812$ ms.
Because the decryption cost in [27] increases linearly with the number of vehicles (receivers), Fig. 5 gives a comparison of the decryption overhead at the receiver in each scheme. As can be seen from Fig. 5, compared with [38] and [27], our protocol presents a relatively good performance in decryption cost.
Additionally, from Fig. 6, it can be seen intuitively that compared with [38], [66], [67], and [27], our protocol achieves the lowest overhead when batch verifying multiple messages. For verifying 100 messages, the computational cost of [38], [66], [67], [27] and our AC-SDVN is 112.624 ms, 230.369 ms, 976.257 ms, 219.169 ms and 29.312 ms, respectively. That is, when verifying 100 messages, our AC-SDVN has improved 73.97%, 87.28%, 96.99%, and 86.62% compared with the above schemes. When there are $n$ messages, if the messages are verified one by one, the verification cost will be $(4T_m + 2T_{sm} + T_h)n$ ms, while using batch verification the verification cost is $4T_m + (2T_{sm} + T_h)n$ ms; therefore, using batch verification can reduce the verification time cost by $4T_m(n - 1)$ ms.

Communication Cost Analysis
According to the above setting, $p$ is 64 bytes, so the element in $G$ is $64 \times 2 = 128$ bytes. Let the timestamp be 4 bytes and the output of the regular hash function be 20 bytes. Fig. 7 shows the total communication cost of our protocol and [38], [66], [67], [68] and [27]. Here, we only conduct a detailed analysis of [38] and our protocol, and the specific communication cost analysis of [66], [67], [68] and [27] can be achieved similarly.
In [38], the service provider (SP) broadcasts $\{EB_i \| T_1 \| Sig_{i,T_1}\}$ to vehicles, where $EB_i = (c_1, c_2)$, so the size of this message is $128 + 20 \times 2 + 4 = 172$ bytes. The size of $Cert_{V_i,j}$ which SP returns to the vehicle is $44 + 128 + 20 \times 2 = 212$ bytes, where $Cert_{V_i,j} = (PID_{V_i,j}, T_1, s_{V_i,j})$. When $V_i$ requests the interest of name $In_i$, it broadcasts an interest packet as $\{EIn_i, t_1, Sig_1, Cert_{V_i,j}\}$, where $Sig_1 = (X_1, Y_1)$, and the size of this packet is $4 + 128 \times 2 + 44 = 304$ bytes. The size of message that $V_j$ returns to $V_i$ is $4 + 128 \times 3 + 20 \times 3 + 44 = 492$ bytes, where the form of message is $\{t_3, EB_i, Sig_{i,T_1}, {}_i, Sig_2, Cert_{V_j,i}\}$. $V_i$ returns $Cer_{V_i,EIn_i}$ to $V_j$, where $Cer_{V_i,EIn_i} = (X_3, Y_3)$, therefore, the size of this message is $128 + 128 = 256$ bytes. The message that $V_j$ sends to SP is $\{PID_{V_i,j}, EIn_i, t_5, g_i, H_1(g_i), Cer_{V_i,EIn_i}\}$, and its size is $20 \times 3 + 4 + 256 = 320$ bytes. The message that $V_i$ sends to SP for updating is $\{/SP/Key/T_2, t_7, Sig_3, Cert_{V_i,z}\}$, and the size of it is $4 + 256 + 44 = 304$ bytes. As a responding SP returns $\{t_8, EPK_{V_i}(rk_{T_1 \to T_2}, SK_{T_2}, IK_{T_2}), Sig_4\}$ to $V_i$, where the size is $4 + 20 + 256 = 280$ bytes. And the SP responds $V_i$'s certificate request with $\{H_1(H_4(c_1) \| c_2 \| H_3(c_3)), Sig_{i,T_2}\}$, where the size is $20 + 20 = 40$ bytes. Therefore, the total cost is 2380 bytes.
In our protocol, $V_i$ transmits $msg_i = \{M_{vr}, M_{gi}, D_i, R_i, PID_i, t_i, K_i^*, s_i\}$ to the nearby RSU first, where $\langle D_i, R_i, K_i^* \rangle \in G$, $\langle PID_i, s_i \rangle$ are the results of general hash operation, and $t_i$ is the timestamp, so the size of $msg_i$ is $128 \times 3 + 20 \times 2 + 4 = 428$ bytes. Then, $RSU_j$ transmits $msg_j$ to the SDN controller, where $msg_j = \{S_{vr}, B_{rsu_j}, ID_{rsu_j}, t_j, K_{rsu_j}^*, s_{rsu_j}\}$, where $S_{vr} = \{M_{vr} \| PID_i \| D_i \| M_{gi}\}$, and because $\langle D_i, B_{rsu_j}, K_{rsu_j}^* \rangle \in G$, $\langle PID_i, ID_{rsu_j}, s_{rsu_j} \rangle$ are the results of general hash operation, and $t_j$ is the timestamp, therefore, the size of $msg_j$ is $128 \times 3 + 20 \times 3 + 4 = 448$ bytes. The size of message that the SDN-C sends to the CS is $128 + 20 = 148$ bytes, where $S_V = \{Q_i, PID_i\}$ and $Q_i = H_1(UID_i \| ID_i)$. The CS returns $CT$ and the encrypted video $EV_{DK}$ to the video requester, where $CT = (Hdr, h, t_{cs})$; consequently, the size of it is $128 \times 2 + 20 \times 2 + 4 = 300$ bytes. Therefore, the total cost of our protocol is 1324 bytes.

Packet Loss Ratio and Average Transmission Delay
In order to compare the packet loss ratio and average transmission delay during message transmission in a wireless network environment, three tools are used, i.e., Omnet++, Sumo, and Veins 4.6 [69]. Omnet++ is an extensible and component-based C++ simulation library and framework which is used to construct network simulators that support wired networks and wireless ad hoc networks. Sumo is a continuous road traffic simulation package for handling large road networks. Veins is a middleware connecting the first two modules. The scenario considered is a segment of the real road map around Anhui University, and we marked the route, the location of the RSUs, and the direction of the vehicles on the map, as shown in Fig. 8. The IEEE 802.11p communication protocol is utilized in the simulation. In each simulation run, the number of vehicles within that segment is varied (10 to 100). The map comes from OpenStreetMap, which provides the attributes of roads in the real world, such as traffic lights, speed limits, etc. The vehicles are on a two-way street and move in the same direction. Relevant parameters are listed in Table 6.
Here, under the same conditions (i.e., communication protocol and channel conditions), we compare our protocol with Zhong et al.'s scheme [27], which also considered RSU-to-vehicle (R2V) communications and also used broadcast encryption techniques. In our protocol, the size of the encrypted message sent by the RSU is $148m + 152$ bytes (for $m$ vehicles). In Zhong et al.'s scheme [27], the size of the encrypted message sent by the RSU is 484 bytes. In order to guarantee the statistical accuracy of the obtained results, multiple runs of experiments have been performed, and we show the result values in Figs. 9 and 10 with 95% confidence intervals.

Packet Loss Ratio
The packet loss ratio ($P_{LR}$) herein refers to the percentage of lost messages in the total number of messages. $P_{LR}$ is defined as follows, where $Avg(\cdot)$ represents an averaging function and $n$ denotes the number of vehicles. Besides, $Num_r^i$ and $Num_l^i$ indicate the number of messages received from the sender (i.e., the RSU) and the number of lost messages, respectively.
$$Num_l^i \left(Num_r^i + Num_l^i\right)^{-1} \tag{11}$$
Fig. 9 shows the relationship between the $P_{LR}$ and the number of vehicles. The $P_{LR}$ of our protocol fluctuates more than that of Zhong et al.'s scheme [27] mainly because the size of the encrypted message sent by the RSU increases linearly with the number of receivers (i.e., the vehicles). As shown in Fig. 9, the $P_{LR}$ of both our protocol and [27] increases with the number of receivers (i.e., the vehicles). When the number of vehicles is between 10 and 100, the $P_{LR}$ of our protocol is between 0.5% and 3.5%, while that of Zhong et al.'s scheme [27] is between 0.25% and 1%.

Average Transmission Delay
The average transmission delay ($A_{TD}$) is defined as follows. Let $n$ represent the number of vehicles, and $N_j$ denote the number of messages received from the sender (i.e., the RSU). $T_s^j$ and $T_r^j$ respectively indicate the time at which the message is sent and the time at which the message is received. Moreover, $T_r^j - T_s^j$ corresponds to the time required for a round of transmission between the receiver and the sender.
As the number of vehicles increases, congestion and packet loss increase, which in turn results in a larger average end-to-end delay. Therefore, as we can see from Fig. 10, the average transmission delay of both our protocol and the scheme in [27] increases with the number of vehicles. Because the scheme in [27] uses broadcast encryption with constant ciphertext size, its average transmission delay is lower than ours. From Fig. 10 we can also see that when the number of vehicles is 40, the $A_{TD}$ of our protocol and of [27] are nearly 10 ms and 2 ms, respectively.
It should be noted that although Zhong et al.'s scheme [27] achieves a better packet loss rate and delay, in their scheme the decryption overhead at the vehicle side increases linearly with the number of receivers. In addition, as shown in Table 5, in terms of signature generation, signature verification, content encryption, and batch verification, the computation costs of Zhong et al.'s scheme [27] are higher than ours.
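The two metrics of this section as a runnable sketch, added here and not taken from the paper's simulation code. The delay equation did not survive on this page, so the form used (mean of $T_r^j - T_s^j$ over all received messages) and the per-vehicle averaging of the loss ratio are assumptions; the per-run records are constructed sample data, and the 95% confidence interval is computed with Student's t across runs.

```python
import math
import statistics

# Constructed sample data: one dict per simulation run, vehicle id ->
# (messages received, messages lost, [(t_sent, t_received), ...]) in seconds.
RUNS = [
    {"v1": (98, 2, [(0.000, 0.004), (1.000, 1.006)]),
     "v2": (95, 5, [(0.000, 0.005), (1.000, 1.009)])},
    {"v1": (99, 1, [(0.000, 0.003), (1.000, 1.005)]),
     "v2": (96, 4, [(0.000, 0.006), (1.000, 1.008)])},
    {"v1": (97, 3, [(0.000, 0.004), (1.000, 1.007)]),
     "v2": (94, 6, [(0.000, 0.005), (1.000, 1.010)])},
]
T_CRIT_2DF = 4.303  # two-sided 95% critical value of Student's t, 2 degrees of freedom

def packet_loss_ratio(run):
    """Mean over vehicles of Num_l / (Num_r + Num_l); idle vehicles are skipped."""
    ratios = [lost / (recv + lost) for recv, lost, _ in run.values() if recv + lost > 0]
    if not ratios:
        raise ValueError("no vehicle exchanged any message in this run")
    return sum(ratios) / len(ratios)

def average_transmission_delay(run):
    """Mean of T_r - T_s over every received message of every vehicle (assumed form)."""
    delays = [t_r - t_s for _, _, stamps in run.values() for t_s, t_r in stamps]
    if not delays:
        raise ValueError("no received message carries timestamps")
    if min(delays) < 0:
        raise ValueError("receive time precedes send time; clocks are not aligned")
    return sum(delays) / len(delays)

def mean_with_ci95(samples, t_crit):
    """Mean and half-width of the 95% confidence interval across runs;
    t_crit must match len(samples) - 1 degrees of freedom."""
    half = t_crit * statistics.stdev(samples) / math.sqrt(len(samples))
    return statistics.mean(samples), half

def summarize(runs=RUNS, t_crit=T_CRIT_2DF):
    """Return ((P_LR mean, half-width), (A_TD mean, half-width)) over all runs."""
    plr = mean_with_ci95([packet_loss_ratio(r) for r in runs], t_crit)
    atd = mean_with_ci95([average_transmission_delay(r) for r in runs], t_crit)
    return plr, atd
```

Rejecting negative delays matters when send and receive timestamps come from different nodes: a clock offset would otherwise silently lower the reported average.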

CONCLUSION
In this study, we explored the application scenario of video multicast in SDN-based vehicular networks and proposed an access control protocol that focuses on security issues during video content distribution. The proposed AC-SDVN realizes the authentication of multicast video requesting vehicles and RSUs. Based on the authentication results, the SDN controller constructs multicast paths that reach only legitimate RSUs and vehicles, and only legal vehicles can obtain the video decryption keys. The AC-SDVN satisfies the security requirements of the vehicular network and supports both batch verification and broadcast encryption. The security and performance analyses indicate that our AC-SDVN can be applied to the scenario of video multicast in SDN-based vehicular networks. Our next research will focus on proposing a collaborative download protocol for video applications in SDVN. The protocol will utilize vehicles' storage capacities and realize secure communication between adjacent vehicles, to cope with the situation in which a vehicle cannot establish a network connection with the RSU, and to improve the experience of the video service.
Chengjie Gu received the PhD degree from the Nanjing University of Posts and Telecommunications in 2012. From 2012 to 2017, he was an innovation team leader in the 38th Research Institute of CETC and conducted research and development in the communication and networking sector. He is currently a president with the security research institute in New H3C Group. He is also currently working toward the postdoctoral fellowship with the USTC. He is a high-level innovation leader of Anhui province and a cybersecurity expert of Zhejiang province in China. His research interests include network security, trusted network architecture, etc.
Irina Bolodurina received the PhD degree from South Ural State University. She is currently a professor and head of the Department of Applied Mathematics at Orenburg State University. She has more than 60 scientific publications in academic journals and international conferences indexed in Scopus and WoS. She has participated in more than 20 scientific projects supported by the RFBR and other Russian scientific programs. Her current research interests include theory of optimal control, mathematical modeling, information analysis software, control of social and economic systems, decision support systems, data integration, and processing.
Lu Liu (Member, IEEE) received the MSc degree in data communication systems from Brunel University, U.K. and the PhD degree from the University of Surrey, U.K. He is currently the professor of Informatics and head of the Department of Informatics at the University of Leicester, U.K. His research interests include cloud computing, service computing, computer networks, and peer-to-peer networking. He is also a fellow of the British Computer Society (BCS).