PA-CRT: Chinese Remainder Theorem Based Conditional Privacy-Preserving Authentication Scheme in Vehicular Ad-Hoc Networks

Existing security and identity-based vehicular communication protocols used in Vehicular Ad-hoc Networks (VANETs) to achieve conditional privacy preservation mostly rely on an ideal hardware device, the tamper-proof device (TPD), fitted in vehicles. Achieving fast authentication during message verification is usually challenging in such strategies, and they further suffer performance constraints from the resulting overheads. To address these challenges, this paper proposes a novel Chinese remainder theorem (CRT)-based conditional privacy-preserving authentication scheme for securing vehicular authentication. The proposed protocol only requires realistic TPDs and eliminates the need to pre-load the master key onto the vehicles' TPDs. The Chinese remainder theorem dynamically assists the trusted authorities (TAs) in generating and broadcasting new group keys to the vehicles in the network. The proposed scheme solves the key leakage problem under side-channel attacks and ensures a higher level of security for the entire system. In addition, the proposed scheme avoids the bilinear pairing operation and the map-to-point hash operation during authentication, which helps achieve faster verification even as the number of signatures grows. Moreover, the security analysis shows that the proposed scheme is secure under the random oracle model, and the performance analysis shows that it is efficient in reducing computation and communication overheads.


INTRODUCTION
Vehicular Ad-hoc networks (VANETs) are a form of ad-hoc networking in which vehicles act as nodes for message transmission. In the VANET environment, vehicles are equipped with a module called the on-board unit (OBU), which enables communication between vehicular nodes through protocols such as 802.11p, 3G/4G, etc. [1]. Communication in VANETs is usually of two types: vehicle-to-vehicle (V2V) communication and vehicle-to-infrastructure (V2I) communication. Both are carried out using the Dedicated Short Range Communications (DSRC) standard [2], [3].
A typical VANET environment consists of OBUs equipped in vehicles, roadside units (RSUs) installed alongside the roads, and trusted authorities (TAs). A system of VANET architecture is shown in Fig. 1. According to the DSRC protocol standard, each vehicle periodically broadcasts traffic related information such as location, traffic accidents records, etc., to nearby vehicles and RSUs every 100-300 milliseconds [4], [5]. RSUs can potentially aid road traffic management by transmitting messages reflecting on-road scenarios. Such messages also benefit on-road drivers by disseminating information about the driving environment.
Given that VANETs exploit wireless communication, the well-known security and privacy vulnerabilities of wireless communication cannot be eliminated [6], [7], [8], [9], [10], [11], [12], [13]. For instance, malicious vehicles in the network might broadcast wrong information to mislead others and interfere with the normal operation of the network. Such incorrect information might lead the traffic management department to incorrect decisions. Besides, users' sensitive and private information, such as their real identity and driving route, should be protected from attacks such as eavesdropping.
Moreover, authenticating user identity is one of the core requirements in VANETs in order to effectively identify and eliminate malicious users in the network. Existing authentication schemes [14], [15], [16], [17], [18], [19], [20], [21], [22], [23], [24], [25], [26] can be broadly classified into identity management authentication schemes and message authentication schemes. Both types of scheme are susceptible in adversarial environments, which can disrupt their function. It is common for a malicious user involved in an accident to send falsified information; the TA should be able to trace this efficiently. Such core requirements necessitate efficient conditional privacy and message authentication schemes as integral components of VANETs.

Related Work
A wide range of research works have previously addressed security and privacy issues in VANETs; they can be divided into five categories. The first category exploits digital signatures based on public key infrastructure (PKI) [9], [17], [27] to ensure message integrity, authentication and non-repudiation. Recently, the Security Credential Management System (SCMS) [28] proposed by the USDOT has utilised a PKI approach to support trusted and secure communications. However, each vehicle in the network requires a large number of certificates to achieve privacy. Furthermore, storing the certificates of all participating vehicles incurs higher storage costs for the TAs. Besides, the certificate verification process involving a large number of nodes is usually tedious with this approach.
In order to overcome the limitations of traditional certificate-based management methods, the second category uses group signature technology [18], [23], [29], [30]. However, the member revocation problem of this method incurs verification and storage/transmission costs higher than most traditional schemes. Such issues restrain the performance of group signature based schemes in extreme environments.
Motivated by reducing the verification overheads of group signature technology, the third category of approaches exploits identity-based batch authentication protocols [19], [20], [21], [22], [31]. Batch authentication strategies significantly reduce the time spent in the authentication process. However, such schemes rely heavily on a dedicated TPD. If one of the TPDs is compromised by a malicious user, such schemes face the risk of a single point of failure, leaving the entire network susceptible to privacy attacks.
The fourth category is a software-based approach that does not involve TPDs [23], [24], [25], [26], developed to overcome the fundamental storage issues of hardware-based systems. Such software-based schemes only use two shared secrets to meet the security and privacy requirements. However, vehicles joining the RSUs require access to the shared secret parameters from the TAs. Another factor restraining the efficiency of software-based schemes is the moving speed of the vehicular nodes, which creates a high level of communication overhead.
The final category of works [32], [33], [34], [35] is based on a trusted authority, TRA, which generates a batch of pseudo identities (pseudo-IDs) for each vehicle. These pseudo-IDs are then sent to another trusted institution called the PKG via a secure channel. For a given vehicle, the PKG generates the private key corresponding to each pseudo-ID and sends the pseudo-IDs/private keys to the vehicle securely. However, an increasing number of network vehicles increases the demand for generating more pseudo-IDs. In this scenario, both TRAs and PKGs need to be added at the same time, and multiple TRAs make the vehicle tracking and revocation process more complex and hinder protocol extensions.
Many of the existing schemes in the above literature only provide authentication. In addition, we discuss some existing group key management methods that use the CRT in wired and wireless networks [36], [37], [38]. Zheng et al. [36] introduced two centralised group key management protocols based on the CRT. By shifting more of the computing load onto the key server, they optimise the number of re-key broadcast messages, the user-side key computation and the number of keys stored. However, their protocols require more computation power from the key server.
Zhou and Yong [37] proposed a CRT-based static key tree structure for distributing the group key to the members of the group when the group membership changes. It deals with the scenario of a pre-defined static prospective user set containing all potential customers of multicast services and concentrates on the stateless receiver case. It can reduce the key server's computation complexity for each group key distribution. However, it also increases the workload of the key server, which has to find a common group key by using the CRT over $n$ congruence equations.
Vijayakumar et al. [38] proposed a CRT-based group key management scheme that drastically reduces the computation complexity of the key server, which is reduced to O(1) in their algorithm. Moreover, the computation complexity for a group member is also minimised: a single modulo division operation is performed when a user join or leave operation takes place in a multicast group.

Our Contribution
Motivated by the aforementioned issues, this paper proposes a CRT-based conditional privacy-preserving authentication (PA-CRT) protocol for establishing secure communication between vehicles. A CRT-based domain key management scheme, as used in many existing schemes [36], [37], [38], is used on the TA side to generate a common domain key for each vehicle. The TA uses the CRT to generate a domain key for the vehicles in its domain. To prevent an intruder from using other vehicles' secret keys, we include an identity of each authenticated driver in the TPD issued by the TA. Each time the user uses the TPD, the driver inputs his/her fingerprint to verify that it matches this identity. The important contributions of this paper are as follows:
1) A new PA-CRT scheme is proposed for VANETs, which eliminates the need for TPDs to store a long-term system secret. With the proposed scheme, the fingerprint from a corrupted vehicle will not be validated, so the TPD does not proceed further. The proposed scheme also minimises the number of affected vehicles, even in cases where vehicles are compromised after the fingerprint validation.
2) The proposed scheme uses the Chinese remainder theorem, which greatly reduces the computational complexity of the TAs. Besides, the computation complexity of the domain vehicles is also minimised, since a single modulo division operation is performed when vehicles join or leave a multicast domain.
3) The efficiency of the proposed protocol in satisfying the security and privacy requirements is demonstrated. Moreover, the analysis of the computation and communication overhead shows that the proposed scheme performs better than the existing schemes.

Organization of the Rest of the Paper
The remainder of this paper is organised as follows: Section 2 introduces the preliminaries and background. The proposed CRT-based conditional privacy-preserving authentication (PA-CRT) scheme is described in Section 3. The security analysis and performance evaluation of our scheme are presented in Sections 4 and 5, respectively. Section 6 concludes this paper.

PRELIMINARIES AND BACKGROUND
This section briefly presents a background on cryptography including Chinese remainder theorem [36], [37], [38] and elliptic curve cryptosystem [39], and further describes the network model, security model and security objectives of the PA-CRT scheme for VANETs.

Chinese Remainder Theorem
The Chinese remainder theorem is a theorem of number theory which states that if one knows the remainders of the Euclidean division of an integer $n$ by several integers, then one can uniquely determine the remainder of the division of $n$ by the product of these integers, under the condition that the divisors are pairwise coprime [36], [37], [38].
Let $k_1, k_2, k_3, \ldots, k_n$ be pairwise relatively prime positive integers. Let $K_i^{-1}$ be the modular multiplicative inverse of an integer $K_i$ modulo $k_i$, so that the following equation is satisfied:
$K_i \cdot K_i^{-1} \equiv 1 \pmod{k_i}$,
where $i = 1, 2, \ldots, n$. Let $a_1, a_2, a_3, \ldots, a_n$ be any given $n$ positive integers. Then the CRT states that the system of congruences
$X \equiv a_1 \pmod{k_1},\; X \equiv a_2 \pmod{k_2},\; \ldots,\; X \equiv a_n \pmod{k_n}$ (2)
has a unique solution modulo $k_1 k_2 \cdots k_n$. The key server can obtain the solution with the following function.

Elliptic Curve Cryptosystem
Let $F_p$ be a finite field determined by a prime number $p$. Let the set of elliptic curve points $E$ over $F_p$ be defined by the equation $y^2 = x^3 + ax + b \pmod p$, where $a, b \in F_p$ and $(4a^3 + 27b^2) \bmod p \neq 0$. The main characteristics of the elliptic curve are listed below.
Scalar point multiplication: the scalar multiplication on $E$ is defined as $mP = P + P + \cdots + P$ ($m$ times), where $m \in Z_q^*$, $m > 0$.
Definition 1. Elliptic Curve Discrete Logarithm Problem (ECDLP): given two random points $P$ and $Q = xP$ in $G$, it has been proved that calculating $x$ from $Q$ is difficult.
Definition 2. Suppose that an algorithm $A$ solves the ECDLP problem in the group $G$ within polynomial time, with success probability denoted $\mathrm{Succ}^{\mathrm{ECDLP}}_{A,G}$. The ECDLP assumption is that for any polynomial-time algorithm $A$, $\mathrm{Succ}^{\mathrm{ECDLP}}_{A,G}$ is negligible.

Network Model
Trusted authority (TA): The TA, trusted by RSUs and OBUs, generates the system parameters and the secret key for each vehicle and preloads them into the corresponding vehicle. The TA is responsible for generating the security information for each domain.
To avoid issues such as single points of failure and bottlenecks, a set of reliable servers and redundant TAs with identical functionality and databases are installed in the network. In our scheme, a dedicated TA is assigned to each city in the country. When a vehicle moves from one city to another, the vehicle's credentials are verified using the TA of the city where the vehicle was originally registered; this verification is initiated by the TA of the newly entered city. It is assumed that TAs have sufficient storage capacity and a negligible probability of being compromised by an adversary [40].
Roadside units (RSUs): The RSUs are connected to the TA with wired links, whilst the vehicles are connected to the TA with wireless links. The main function of an RSU is to store and forward information between the vehicles, the TA and other RSUs.
Vehicles: Each vehicle is equipped with a realistic TPD in its on-board unit (OBU), and can communicate with other vehicles or RSUs through the DSRC protocol. Each OBU has its own real identity, pseudo identities and a private key. Every message originating from a vehicle needs to be signed before being sent to nearby vehicles or RSUs.

Security Model
In this subsection, we prove that the signature scheme in the PA-CRT protocol (the PA-CRT_Sign scheme) is secure under the random oracle model. The definitions are as follows.
Definition 3. The PA-CRT_Sign scheme consists of three algorithms, Setup, Sign and Verify, defined as follows:
1) Setup($1^k$): given the security parameter $k$, the TA outputs the public system parameters params, the system public key $P_{pub}$ and the system master key $s$.
2) Sign($ID_1, sk, m$): given the system parameters params, the signer's secret key $sk$, the signer's identity $ID_1$ and the message $m$ to be signed, it outputs the corresponding signature $\sigma$.
3) Verify($ID_2, P_{pub}, m, \sigma$): given the system parameters params, the system public key $P_{pub}$, the pseudo-identity $ID_2$, the signature $\sigma$ and the message $m$, it outputs 1 if $\sigma$ is a valid signature on $m$ and 0 otherwise.
Game. Based on the network model and the adversary's abilities, the security model for the PA-CRT scheme is defined through a game played between an adversary $A$ and a challenger $B$:
1) Setup: the challenger $B$ runs the Setup algorithm with the security parameter $k$ to obtain the system parameters params and the system public key $P_{pub}$, then sends $(P_{pub}, \text{params})$ to $A$.
2) Query: the adversary $A$ issues the following queries to the challenger $B$. Hash query: $A$ requests a hash value; $B$ returns the corresponding hash value and stores it. Sign query: $A$ requests the signature on a message $m$ of its choice; $B$ returns $\sigma$ to $A$.
3) Output: when $A$ considers the above process complete, it returns a signature $(m^*, \sigma^*)$. If this output satisfies Verify$(m^*, \sigma^*) = $ Accept and $m^*$ was never submitted to the Sign query, the adversary $A$ wins the game.

Security Objectives
Both security and privacy are important for secure communications in VANETs. Based on state-of-the-art research achievements [19], [20], [21], [38], [40], [41], [42], a secure PA-CRT scheme for VANETs should satisfy the following requirements: message integrity and authentication, identity privacy preservation, forward and backward secrecy, traceability, un-linkability and resistance to attacks. The combination of identity privacy protection and traceability constitutes the definition of conditional privacy.

1) Message integrity and authentication: To guarantee secure communication, the vehicle or RSU should be able to verify the integrity and validity of received messages, and should be able to detect any modification of a received message.
2) Identity privacy preserving: To guarantee users' privacy, the real identity of a vehicle should remain anonymous to other vehicles and third parties. No adversary other than the TA should be able to extract a vehicle's real identity by analysing multiple messages sent by it.
3) Perfect backward secrecy: Backward secrecy prevents new vehicles from accessing the communication of the previous vehicles when the new vehicles join the group. To protect the confidentiality of messages issued in the domain, a new vehicle can join the group and update the old group key, but the old group key cannot be obtained by the newly added vehicle.
4) Perfect forward secrecy: Forward secrecy prevents vehicles leaving the group from accessing the communication of the currently present vehicles. Forward secrecy further guarantees that only the existing vehicles can update the existing group key, so that the modified group key cannot be accessed by the leaving vehicles.
5) Traceability: To prevent malicious vehicles from denying their liability for traffic accidents by sending false messages, the TA should be able to find out the real identity of a vehicle from its message in case of any misbehaviour.
6) Un-linkability: To preserve privacy, RSUs and malicious vehicles should not be able to link two messages sent by the same vehicle with the same ID.
7) Resistance to attacks: To resist other known attacks, the PA-CRT scheme should be able to withstand common attacks such as the impersonation attack, the modification attack, the replay attack and the collusion attack.

THE PROPOSED SCHEME
This section details our proposed PA-CRT protocol, which is built on the CRT. Fig. 3 illustrates the authentication process between a single TA and a number of vehicles in PA-CRT for VANETs. This section mainly covers five phases: system initialisation, secure domain key computation, vehicle pseudo identity generation, message signing, message verification and domain key updating. The notations used in this process are shown in Table 1.

System Initialization
Given the public parameters $p, q, E, G, Z_q^*$, the TA initialises the system as per the following steps.
1) The TA selects a random number $s \in Z_q^*$ as the system secret key and computes the corresponding public key $P_{pub} = sP$;
2) The TA chooses two large prime numbers $p$ and $q$, where $p > q$ and $q \le \lceil p/4 \rceil$; $p$ is used for defining the multiplicative group $Z_p^*$ and $q$ is used for choosing the domain key values;
3) The TA chooses $sk_i$ from the multiplicative group $Z_p^*$ for each of the $n$ vehicles, which is given to the vehicle driver at the time of offline registration;
4) The TA calculates $\partial g = \prod_{i=1}^{n} sk_i$ and $x_i = \partial g / sk_i$, where $i = 1, 2, \ldots, n$;
5) The TA then calculates $y_i$ such that $x_i \times y_i \equiv 1 \pmod{sk_i}$;
6) The TA multiplies each driver's $x_i$ and $y_i$ values, stores the products in the variables $var_i = x_i \times y_i$, and calculates the value $\mu = \sum_{i=1}^{n} var_i$;
7) The TA selects four secure one-way hash functions $H_i$. Then the system parameters are published, which include $q$, $G$, $E$, $P$, $P_{pub}$, $Z_q^*$ and the hash functions.

3) On receiving the $g_d$ value from the TA, an authorised vehicle can obtain the new domain key $k_d$ through a single modulo division operation, $g_d \bmod sk_i = k_d$. Since $k_d < q < sk_i < p$ and $\mu \bmod sk_i = 1$, the $k_d$ obtained in this way must equal the value of $k_d$ generated in Step 1). When $i$ reaches $n$, the TA executes the system initialisation algorithm to compute $\partial g$, $var_i$ and $\mu$ for $m$ drivers, where $m = n \times d$ and $d$ is a constant satisfying $d < 5$.

Generation of Pseudo Identity and Message Signature
Each vehicle $V_i$ enters its real fingerprint into the TPD to activate it. If the fingerprint is correct, the TPD generates pseudo identities and signing keys. Then the vehicle broadcasts its pseudo identity, the message and the corresponding message signature to its nearby vehicles and RSUs. Fig. 4 depicts the message authentication procedure of the realistic TPD.
1) To generate a pseudo identity, the tamper-proof device first generates a random nonce $r_i \in Z_q^*$. Its pseudo identity $ID_i$ contains two parts, $ID_{i,1}$ and $ID_{i,2}$, where $ID_{i,1} = r_i P$ and $ID_{i,2} = RID_i \oplus H_1(r_i \cdot P_{pub})$.
2) Then the tamper-proof device obtains the new domain key $k_d$ through a single modulo division operation, $g_d \bmod sk_i = k_d$.
3) When an OBU needs to send a message $M_i$, it inputs $M_i$ to the tamper-proof device, which computes the signature $\sigma_i$ and broadcasts the final message $\{M_i, ID_i, T_i, \sigma_i\}$ to the nearby RSUs and vehicles every 100-300 ms according to the DSRC standard.

Table 1. Notations
$V_i$: the $i$th vehicle
$D_y$: the $y$th domain
$s$: the master secret key of the TA
$P_{pub}$: the public key of the TA
$sk$: a vehicle's secret key
the validity period length of the domain key $k_d$
$RID$: the real identity of the vehicle
$T_i$: the current timestamp
$\Delta T$: the validity period of the pseudo-identity
$H_1, H_2, H_3$: three secure hash functions
$\oplus$: the exclusive-OR operation
$||$: the concatenation operation

Message Verification
When the verifier has collected enough messages from nearby vehicles, or when the verification period has expired, the verifier checks the validity of the message signatures as follows.
[Authentication for One Message] Given the final message $\{M_i, ID_i, T_i, \sigma_i\}$ sent by the vehicle $V_i$, the verifier uses the public parameters $(q, G, E, P, P_{pub}, Z_q^*, H_1, H_2, H_3)$ assigned by the TA to execute the following steps.
1) The verifier checks the freshness of $T_i$. Assume that the receiving time is $T$. If $\Delta T \ge T - T_i$, the verifier continues; otherwise it discards the message.
2) The verifier verifies the signature of the message by checking whether $\sigma_i \cdot P = a_i \cdot K_{pub} + b_i \cdot ID_{i,1}$ holds. If not, the verifier rejects the message; otherwise the message is considered legal and unaltered.
The correctness of the verification can be ensured using the formula below.
[Batch Authentication of Multiple Messages] Assume that the verifier receives a batch of message signatures $\sigma_1, \sigma_2, \ldots, \sigma_n$ from the vehicles $V_1, V_2, \ldots, V_n$ on the messages $\{M_1, ID_1, T_1, \sigma_1\}, \ldots, \{M_n, ID_n, T_n, \sigma_n\}$. The batch authentication process is as follows.
1) The verifier checks whether $T_i$ of message $M_i$ is fresh, where $i = 1, 2, \ldots, n$. If it is not fresh, the verifier discards the message $M_i$.
2) To ensure non-repudiation and avoid the confusion attack, the small exponent test [25] is used in the batch verification phase. A vector of small random integers is used to detect any modification of individual signatures during batch verification; since $t$ is a very small integer, the extra computation overhead is low.
3) The verifier checks the following equation.
If the above equation holds, all $n$ messages are considered valid. Otherwise, some of the messages in the batch are invalid. An invalid message signature detection algorithm has been proposed in [26]; detailing that algorithm is outside the scope of this paper.
Next, we analyse the correctness of the batch message verification using Eq. (5). Since $P_{pub} = s \cdot P$,

Domain Key Updating
The domain key updating operation is performed when a vehicle joins or leaves the network.
2) Then the TA chooses a new domain key $k'_d$ and multiplies it by $\mu'$ to form the rekeying message $g'_d = k'_d \times \mu'$.
3) The updated domain key value is delivered as a broadcast message. On receiving it, the existing vehicles in the domain obtain $k'_d$ by executing the modulo operation just once. From the received $g'_d$, a vehicle $V_i$ whose secret key is not included in $\mu'$ cannot compute the newly updated domain key $k'_d$.

Batch Leave
When some vehicles intend to leave the domain $D_y$, the TA begins to update the domain key. For instance, if the vehicles $V_3$, $V_5$, $V_7$ and $V_9$ are ready to leave the domain $D_y$, the TA executes the following steps to update the domain key.
1) Subtract $var_3$, $var_5$, $var_7$ and $var_9$ from $\mu$: $\mu' = \mu - (var_3 + var_5 + var_7 + var_9)$.
2) Then the TA chooses a new domain key $k'_d$ and multiplies it by $\mu'$ to form the rekeying message $g'_d = k'_d \times \mu'$.
3) The updated domain key value is delivered as a broadcast message. On receiving it, the existing vehicles in the domain obtain $k'_d$ by executing the modulo operation just once. From $g'_d$, a departed vehicle $V_i$ cannot extract the newly updated domain key $k'_d$, since its secret key is not included in $\mu'$. Thus, when $n$ vehicles are ready to leave the domain, the TA executes $(n - 1)$ additions and one subtraction in order to update the domain key.

Batch Join
When some vehicles intend to enter the domain $D_y$, the TA performs a few addition operations in order to update the domain key. For instance, if four vehicles $V_3$, $V_5$, $V_7$ and $V_9$ intend to join the domain $D_y$, the TA executes the following steps to update the domain key.
1) Instead of computing $x_i$ and $y_i$ for these vehicles, the TA takes the products of $x_i$ and $y_i$ stored in $var_3$, $var_5$, $var_7$ and $var_9$, which were pre-computed in the initialisation phase, and adds them to $\mu$: $\mu' = \mu + var_3 + var_5 + var_7 + var_9$.
2) Then the TA chooses a new domain key $k'_d$ and multiplies it by $\mu'$ to form the rekeying message as shown in Eq. (10).
3) The updated domain key value is delivered in a broadcast message. From the received $g'_d$, the joining vehicles can obtain the newly updated domain key $k'_d$, since their $var_i$ are now included in $\mu'$ through $var_3$, $var_5$, $var_7$ and $var_9$. Thus, when $n$ vehicles try to enter the multicast domain, the TA needs to execute $n$ additions in order to update the domain key, which gives O(1) computation complexity for the TA. Beyond that, the computational complexity of a multicast vehicle is also minimised, since every vehicle executes the modulo division operation just once. In addition, the TA only needs to broadcast one message to the vehicles in the multicast domain.
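The following walk-through, added here and not the authors' code, implements the domain-key mechanism of the initialisation phase, the batch leave and the batch join in plain integer arithmetic. It assumes constructed toy parameters (q = 101, p = 521, five prime secret keys with q < sk_i < p) in place of the large values a real deployment would use, and it returns what each vehicle recovers from every broadcast so the CRT property ($\mu \bmod sk_i = 1$ for members, 0 for non-members) is visible.

```python
"""Worked example of the PA-CRT domain-key mechanism (added example; not the authors' code).

Constructed toy parameters: q = 101, p = 521 and five vehicle secret keys sk_i that are
pairwise coprime primes with q < sk_i < p, as Step 2 of the initialisation requires.
Production keys are far larger (the paper discusses 1024-bit sk_i); small values only
keep the arithmetic readable.
"""
import math
from itertools import combinations

Q = 101                                   # domain keys satisfy k_d < q
P = 521                                   # p > q and q <= ceil(p/4); sk_i come from Z_p^*
SECRET_KEYS = [103, 107, 109, 113, 127]   # sk_1 .. sk_5, one per registered driver


def ta_initialise(secret_keys):
    """TA Steps 4-6: x_i = dg / sk_i, y_i = x_i^{-1} mod sk_i, var_i = x_i * y_i."""
    for a, b in combinations(secret_keys, 2):
        if math.gcd(a, b) != 1:            # the CRT needs pairwise coprime moduli
            raise ValueError("secret keys must be pairwise coprime")
    dg = math.prod(secret_keys)            # dg = product of all sk_i
    var = []
    for sk in secret_keys:
        x = dg // sk                       # divisible by every sk_j with j != i
        y = pow(x, -1, sk)                 # x * y = 1 (mod sk_i)
        var.append(x * y)
    return var


def domain_mu(var, members):
    """mu = sum of var_i over the vehicles currently in the domain."""
    return sum(var[i] for i in members)


def rekey_message(k_d, mu):
    """g_d = k_d * mu: the single broadcast value the TA sends to the domain."""
    if not 0 < k_d < Q:
        raise ValueError("domain key must be below q")
    return k_d * mu


def recover_domain_key(g_d, sk):
    """Vehicle side: one modulo division, g_d mod sk_i (Step 3 of domain key computation)."""
    return g_d % sk


def batch_leave(mu, var, leaving):
    """mu' = mu - (var_a + var_b + ...): (n - 1) additions and one subtraction at the TA."""
    return mu - sum(var[i] for i in leaving)


def batch_join(mu, var, joining):
    """mu' = mu + var_a + var_b + ...: n additions using the pre-computed var_i."""
    return mu + sum(var[i] for i in joining)


def walkthrough():
    """Initialise five vehicles, rekey after a batch leave, then after a batch join, and
    return what every vehicle recovers from each broadcast (constructed k_d values)."""
    var = ta_initialise(SECRET_KEYS)
    mu = domain_mu(var, range(len(SECRET_KEYS)))      # all five vehicles are members
    g_d = rekey_message(57, mu)
    initial = [recover_domain_key(g_d, sk) for sk in SECRET_KEYS]

    mu = batch_leave(mu, var, [2, 4])                  # V_3 and V_5 leave the domain
    g_d2 = rekey_message(83, mu)
    after_leave = [recover_domain_key(g_d2, sk) for sk in SECRET_KEYS]

    mu = batch_join(mu, var, [2])                      # V_3 re-enters the domain
    g_d3 = rekey_message(29, mu)
    after_join = [recover_domain_key(g_d3, sk) for sk in SECRET_KEYS]
    return initial, after_leave, after_join


if __name__ == "__main__":
    for label, keys in zip(("initial", "after leave", "after join"), walkthrough()):
        print(label, keys)
```

Departed vehicles recover 0 rather than the new key because every remaining $var_j$ is a multiple of their $sk_i$, which is the forward-secrecy property the scheme relies on.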

SECURITY PROOF AND ANALYSIS
This section demonstrates that our proposed PA-CRT scheme satisfies the required security requirements under the assumption that the Elliptic Curve Discrete Logarithm Problem (ECDLP) is hard to solve.

Security Proof
Since the communication among vehicular nodes and between vehicles and RSUs in VANETs is carried over wireless media, the communication channel is inevitably exposed to attackers and malicious users. To this end, this section demonstrates that our proposed identity-based scheme is secure against the adaptive chosen message attack.
Theorem 1. If an adversary $A$ wins the game with a probability $\varepsilon$ that cannot be ignored in polynomial time, then a probabilistic polynomial-time simulator can solve the ECDLP problem with a probability of no less than $\varepsilon' = \varepsilon / q$ in that polynomial time.
Proof. Suppose that an adversary $A$ can forge the message $(ID_i, M_i, T_i, \sigma_i)$. A simulator $B$ is built on top of $A$, so that $B$ can solve the ECDLP problem by running $A$ as a subroutine with non-negligible probability. Given an instance $(G, P, Q = xP)$ of the ECDLP problem, $B$ simulates the oracles queried by $A$ as follows.
Setup. The simulator $B$ sets $Q = xP$ and selects random numbers $r_i \in Z_q^*$ to construct an anonymous set $S_{ID} = \{ID_1, ID_2, \ldots, ID_{i^*}, \ldots, ID_n\}$, where $i^* \in \{1, 2, \ldots, n\}$.
The simulator $B$ chooses a random number $k_d$ and computes the corresponding public key $K_{pub} = k_d P$. Then $B$ sends the public parameters Params $= (G, P, k_d P, H_1, H_2)$ and the anonymous set $S_{ID}$ to $A$. The pair $(T_i, \sigma_i)$ has been answered in the game and satisfies the following.
Otherwise, if $i \neq i^*$, $B$ has a valid signature and outputs it directly.
Output. $A$ interacts with $B$ until $A$ decides that the process is complete. $A$ outputs the message $\{M_i, ID_i, T_i, \sigma_i\}$. $B$ checks whether the verification equation holds.
If not, $B$ aborts the process. By the forking lemma [43], $A$ could output another valid message. Hence we can get: According to Eqs. (14) and (15), we can deduce the following: Now $B$ outputs $(a_i - a_i^*)^{-1}(\sigma_i - \sigma_i^*)$ as the solution for the given instance of the ECDLP problem. Otherwise the simulation is terminated.
Based on the above simulation, a correct answer to the ECDLP problem is obtained when the following events occur simultaneously. Event $E_1$: adversary $A$ returns a valid signature forgery. Event $E_2$: adversary $A$ forges a pseudo-identity $ID_i \neq ID_{i^*}$. Since $\Pr[E_1] = \varepsilon$ and $\Pr[E_2] = 1/q$, we obtain the following. Next, we show that $B$ can solve the given instance of the ECDLP problem with advantage $Adv_B = \varepsilon / q$.
As a result, the simulator $B$ calculates $x$ in polynomial time with a non-negligible advantage of $\varepsilon / q$, i.e. it solves the ECDLP problem, so Theorem 1 is satisfied. However, it is difficult to solve the Elliptic Curve Discrete Logarithm Problem (ECDLP) within such a short time. Therefore, under the random oracle model, our proposed PA-CRT scheme is secure against forgery under the adaptive chosen message attack.

Security Analysis
This section presents an analysis on various security features of our proposed scheme.

Message Integrity and Authentication
According to the security proof in the previous section, if the ECDLP problem is hard to solve, then no adversary can create legitimate messages in polynomial time. Therefore, as long as the message and signature satisfy the equation $\sigma_i \cdot P = a_i \cdot K_{pub} + b_i \cdot ID_{i,1}$, the scheme guarantees authentication and message integrity.

Identity Privacy Preserving
Suppose that vehicle $V_i$ broadcasts the message $\langle M_i, ID_i, T_i, \sigma_i \rangle$ to other vehicles in the network, where $ID_{i1} = r_i P$ and $ID_{i2} = RID_i \oplus H_1(r_i \cdot P_{pub})$. In order to retrieve $V_i$'s real identity, the adversary must calculate $RID_i = ID_{i2} \oplus H_1(r_i \cdot s \cdot P)$. However, $s$ is stored in the TA and $r_i$ is a random number, so the adversary cannot obtain $RID_i$, due to the hardness of the Computational Diffie-Hellman (CDH) problem. Thus, even if the pseudo identity $ID_i$ is disclosed, the adversary is unable to compromise the user's identity privacy.

Perfect Backward Secrecy
When the existing domain vehicles obtain the newly updated domain key $k_d$, an adversary might attempt to access one of the domain vehicles' private keys $sk_i$. However, the private keys are randomly chosen from a large set of positive integers in the multiplicative group $Z_p^*$. Because of this property, an adversary cannot compute any other vehicle's secret key. Therefore, the adversary cannot access the communication sent prior to its entry into the domain, and thus the proposed scheme satisfies the backward secrecy requirement.

Perfect Forward Secrecy
In the proposed algorithm, an adversary cannot compute the current domain key $k_d$ after leaving the domain, as discussed above for backward secrecy. After a vehicle $V_i$ leaves the domain, TA removes its share value, which is the product of $x_i$ and $y_i$, by extracting $var_i$ from $m$ to produce $m'$. The rekeying message $g'_d$ is formed from the product of the updated $m'$ and the newly generated domain key $k'_d$. A vehicle that has left the domain cannot directly obtain the new domain key, since its personal keying information is no longer included; recovering $k'_d$ from the rekeying value broadcast by TA is infeasible. The vehicle would therefore have to multiply its private key by every number from 1 to $q$, where $q$ is the maximum domain key value. At some point the vehicle finds a value $\vartheta = g'$ (i.e., $sk_i \times v = \vartheta$). From this $v$, vehicle $V_i$ obtains the set $S$ of numbers that divide $v$, namely the indices for which $\{v \bmod 1, v \bmod 2, \ldots, v \bmod v\} = 0$. The newly generated domain key is one element of this set, $k'_d \in S$. If the size of $sk_i$ is $v$ bits, the attacker must perform $2^v$ multiplications. For this reason, choosing a large $sk_i$ for each vehicle's secret key makes deriving $k'_d$ prohibitively expensive. The size of $sk_i$ is set to 1024 bits here, whereas 128, 256 and 512 bits have been used previously. To obtain the set $S$ of divisors of $v$, an attacker that has left the domain would have to mount a brute-force search for the new domain key over the values in $S$; if each attempt takes 1 ms, the total time is $2^{S-1}$ ms.
Therefore, an adversary cannot obtain the domain key needed to access the current communication, which implies that our proposed algorithm satisfies the forward secrecy requirement.

Traceability
TA can extract the vehicle's real identity from the received pseudo identity $ID_i$, which consists of two parts, $ID_{i,1}$ and $ID_{i,2}$, where $ID_{i,1} = r_i \cdot P$ and $ID_{i,2} = RID_i \oplus H_1(r_i \cdot P_{pub})$. TA uses the master secret $s$ and computes Besides, we do not use the traditional user's real identity $RID$ and password $PWD$. Instead, our proposed scheme uses fingerprints for identity verification, so that a given user's identity can be accurately traced through the fingerprint. Therefore, TA can trace a vehicle from any disputed signature.

Un-Linkability
A pseudo identity $ID_i$ is used for generating the message signature. In our scheme, the random number used in the identity verification process is never repeated, and the pseudo identity of each signature is unique. Thus, no adversary can link any number of signatures sent by the same vehicle, and our proposed scheme supports unlinkability.

Resistance to Impersonation Attack
To impersonate a vehicle to other vehicles or RSUs, the adversary must generate a valid message. According to Theorem 1, no polynomial-time adversary can forge a valid message. Therefore, the proposed PA-CRT scheme for VANETs can withstand the impersonation attack.

Resistance to Modification Attack
According to Theorem 1, any modification of the message $\{M_i, ID_i, T_i, \sigma_i^*\}$ can be detected by checking whether the equation $s_i \cdot P = a_i \cdot K_{pud} + b_i \cdot ID_{i,1}$ holds. Therefore, the proposed PA-CRT scheme for VANETs can withstand the modification attack.

Resistance to Replay Attack
The proposed PA-CRT scheme uses the current timestamp $T$ to compute the message signature. Since the timestamp $T_i$ is bound into the signature, the proposed scheme can withstand replay attacks.

Resistance to Collusion Attack
A collusion attack means that several adversaries cooperate to extract the secret key. Specifically, the adversaries jointly try to calculate the updated domain key after leaving the domain. Because the value $var_i$ is removed from $m$, several former vehicles cannot collude to obtain the updated domain key $k_d$, since the pairwise relatively prime numbers used are sufficiently large. Consider a scenario with two adversaries: at time $t-2$, adversary A holds the key values $sk_1$ and $k_d$, and adversary B holds the key values $sk_3$ and $k_d$. At time $t-1$, adversary A leaves the domain with its two key values $sk_1$ and $k_d$. At time $t$, adversary B receives the rekeying message $r_g$ from TA and calculates the new $k_d$. At time $t+1$, adversary B leaves the domain with its two key values $sk_3$ and $k_d$. Adversaries A and B can now exchange the keys $sk_1$, $sk_3$ and their respective values of $k_d$. However, they still cannot collude to obtain the updated domain key $k_d$ broadcast at time $t+2$, because $var_1$ and $var_3$ have been excluded from $m$. Thus, the proposed PA-CRT scheme for VANETs can withstand the collusion attack.
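The rekeying behaviour argued in the Perfect Forward Secrecy and Resistance to Collusion Attack sections above, as an added example that is not the paper's own code: a textbook Chinese-remainder-theorem key broadcast in which TA keeps one pairwise-coprime modulus $n_i$ and one XOR mask $x_i$ per vehicle, removes them from the modulus product $m$ when the vehicle leaves, and rebuilds the broadcast for the new domain key. The names $n_i$, $x_i$, `KEY_BITS` and the sample values are assumptions of this example; the paper's exact $var_i$ construction is not reproduced.

```python
from math import gcd, prod

KEY_BITS = 16  # constructed toy size: keys and masks are 16-bit, every modulus exceeds 2^16


class DomainKeyTA:
    """TA side of a CRT domain-key broadcast (standard construction, assumed here)."""

    def __init__(self):
        self.members = {}  # vehicle id -> (n_i, x_i): CRT modulus and XOR mask

    def join(self, vid, n_i, x_i):
        # CRT needs pairwise coprime moduli, and the residue k_d ^ x_i must be < n_i.
        if n_i <= (1 << KEY_BITS) or x_i >= (1 << KEY_BITS):
            raise ValueError("n_i must exceed 2^KEY_BITS and x_i must fit in KEY_BITS")
        if any(gcd(n_i, n_j) != 1 for n_j, _ in self.members.values()):
            raise ValueError("n_i shares a factor with a current member's modulus")
        self.members[vid] = (n_i, x_i)

    def leave(self, vid):
        # Dropping the member removes its modulus from m, so its share no longer fits g.
        del self.members[vid]

    def rekey(self, k_d):
        """Broadcast value g with g mod n_i == k_d ^ x_i for every current member."""
        m = prod(n_i for n_i, _ in self.members.values())
        g = 0
        for n_i, x_i in self.members.values():
            m_i = m // n_i
            g += (k_d ^ x_i) * m_i * pow(m_i, -1, n_i)  # classic CRT recombination
        return g % m


def recover_key(g, n_i, x_i):
    """Vehicle side: reduce the broadcast by its own modulus, then strip the mask."""
    return (g % n_i) ^ x_i


def demo():
    """Join three vehicles, rekey, remove A, rekey, then let A and C pool their shares."""
    ta = DomainKeyTA()
    shares = {"A": (65537, 0x1A2B), "B": (65539, 0x3C4D), "C": (65543, 0x5E6F)}  # constructed
    for vid, (n_i, x_i) in shares.items():
        ta.join(vid, n_i, x_i)
    k1, k2, k3 = 0xBEEF, 0x1234, 0x0C0D  # constructed domain keys for three epochs
    g1 = ta.rekey(k1)
    all_ok = all(recover_key(g1, *shares[v]) == k1 for v in "ABC")
    ta.leave("A")  # forward secrecy: A's modulus is taken out of m before the next rekey
    g2 = ta.rekey(k2)
    stay_ok = all(recover_key(g2, *shares[v]) == k2 for v in "BC")
    stale_a = recover_key(g2, *shares["A"])  # A's old share yields an unrelated value
    ta.leave("C")  # collusion: A and C both hold old shares, but neither modulus is in m
    g3 = ta.rekey(k3)
    colluded = {recover_key(g3, *shares[v]) for v in "AC"}
    return {"all_ok": all_ok, "stay_ok": stay_ok, "stale_a": stale_a, "k2": k2,
            "colluded": colluded, "k3": k3, "b_ok": recover_key(g3, *shares["B"]) == k3}
```

Note that a correctly joined vehicle always recovers the current key, while a departed vehicle, alone or pooling shares with another departed vehicle, only gets a value unrelated to it.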
We construct the bilinear pairing at the 80-bit security level as $e : G_1 \times G_1 \to G_T$, where $G_1$ is an additive group generated on a supersingular elliptic curve $E : y^2 = x^3 + x \bmod p$ with embedding degree 2. We construct the elliptic curve at the 80-bit security level as follows: $G$ is an additive group generated on a non-singular elliptic curve $E : y^2 = x^3 + ax + b \pmod p$ with order $q$, where $p, q$ are two 160-bit prime numbers and $a, b \in \mathbb{Z}_p^*$.

Computation Cost Analysis and Comparison
This section analyses the computation overhead of our proposed scheme against a few existing schemes. We compute the execution time of basic cryptographic operations using the MIRACL library [44]. For ease of comparison between the analysed methods, we employ the same execution times as in the He et al. scheme [20], as shown in Table 2. The notation for execution times is defined as follows: $T_{bp}$ is the execution time of the bilinear pairing operation $e(P, Q)$, where $P, Q \in G_1$; $T_{bp\cdot m}$ is the time to execute the scalar multiplication operation $x \cdot P$ related to the bilinear pairing, where $P \in G_1$ and $x \in \mathbb{Z}_q^*$; $T_{bp\cdot sm}$ is the time to execute a small scalar multiplication operation $v_i \cdot P$ related to the bilinear pairing, where $P \in G_1$, $v_i \in [1, 2^t]$ is a small random integer, and $t$ is a small integer; $T_{bp\cdot a}$ is the time to execute the point addition operation $P + Q$ related to the bilinear pairing, where $P, Q \in G_1$; $T_{mtp}$ is the time to execute the MapToPoint hash; $T_{e\cdot m}$ is the time to execute the scalar multiplication operation $x \cdot P$ on the elliptic curve, where $P \in G$ and $x \in \mathbb{Z}_q^*$; $T_{e\cdot sm}$ is the time to execute the small scalar multiplication operation $v_i \cdot P$ using the small exponent test technique, where $P \in G$, $v_i \in [1, 2^t]$, and $t$ is a small integer; $T_{e\cdot a}$ is the time to execute the point addition operation $P + Q$ on the elliptic curve, where $P, Q \in G$; and $T_h$ is the time to execute a secure hash operation. AIDM denotes the anonymous identity generation and message signing phase, SVOM denotes the single verification of one message, and BVMM denotes the batch verification of multiple messages. Table 3 lists the comparison of the computation overhead between several related schemes and our proposed scheme.
We conduct a detailed analysis of Horng et al.'s scheme [25] in order to investigate the characteristics of bilinear pairing in VANETs [19], [22], [25], [32]. In Horng et al.'s scheme [25], the computation of AIDM requires four scalar multiplication operations, one point addition operation, two MapToPoint operations and one hash operation. Thus, the total computation cost of this step is $4T_{bp\cdot m} + T_{bp\cdot a} + 2T_{mtp} + T_h \approx 15.6552$ ms. The computation of SVOM involves two bilinear pairing operations, two scalar multiplication operations, one point addition operation, one MapToPoint operation and one hash operation. Thus, the total computation cost of this step is $2T_{bp} + 2T_{bp\cdot m} + T_{bp\cdot a} + T_{mtp} + T_h \approx 16.2532$ ms. The computation of BVMM requires two bilinear pairing operations, $2n$ scalar multiplication operations, $n$ point addition operations, $n$ MapToPoint operations and $n$ hash operations. Thus, the total computation cost of this step is $2T_{bp} + 2nT_{bp\cdot m} + nT_{bp\cdot a} + nT_{mtp} + nT_h \approx (7.8312n + 8.422)$ ms.
We conduct a detailed analysis of the proposed scheme to show the efficiency of the ECC-based approach in VANETs [20], [35]. The computation of AIDM requires two scalar multiplication operations and two hash operations. Thus, the total computation overhead is $2T_{e\cdot m} + 2T_h \approx 0.8842$ ms. The computation of SVOM requires three scalar multiplication operations, two point addition operations and one hash operation. Thus, the total computation overhead of this step is $3T_{e\cdot m} + 2T_{e\cdot a} + T_h \approx 1.3297$ ms. The computation of BVMM requires $(n+2)$ scalar multiplication operations, $n$ small scalar multiplication operations, $n$ point addition operations and $2n$ hash operations. Thus, the computation overhead of this step is $(n+2)T_{e\cdot m} + nT_{e\cdot sm} + nT_{e\cdot a} + 2nT_h \approx (0.4578n + 0.884)$ ms.
In order to highlight the benefits of the proposed PA-CRT scheme in the single message verification process, we compare the execution time of single verification in the proposed scheme with six state-of-the-art schemes [19], [20], [22], [25], [32], [35], as shown in Fig. 5. Based on the results shown in Table 3 and Fig. 5, the proposed PA-CRT scheme for VANETs incurs lower computation overhead than the six state-of-the-art schemes. Fig. 6 [35] scheme and the proposed PA-CRT scheme, respectively. Thus, the proposed scheme is more efficient than the other schemes in the batch verification phase when the traffic load increases.
The computation costs of the five analysed schemes are listed in Table 3. As shown in Table 3 [35] scheme. The performance of our proposed scheme against the other compared schemes in terms of AIDM, SVOM and BVMM is presented in Table 4.

Communication Overhead Analysis and Comparison
This section focuses on the communication overhead introduced by the pseudo identity, signature and timestamp. As mentioned earlier, the size of $p$ is 64 bytes and the size of $p$ is 20 bytes, hence the size of an element of $G_1$ is 128 bytes and the size of an element of $G$ is 40 bytes. In addition, the sizes of a hash output and a timestamp are 20 bytes and 4 bytes, respectively. Since the traffic-related information is the same in all of the schemes, it is appropriate to compare only the size of the signature. The communication overhead of several schemes is listed in Table 5.

Scheme               Sending one message    Sending n messages
Horng et al. [25]    384 bytes              384n bytes
Bayat et al. [19]    388 bytes              388n bytes
Shim et al. [32]     644 bytes              644n bytes
Malhi et al. [22]    516 bytes              516n bytes
He et al. [20]       144 bytes              144n bytes
Wu et al. [35]       148 bytes              148n bytes
Our proposed         84 bytes               84n bytes

$(ID_{i1}, ID_{i2})$. Thus, from the above analysis it is evident that our proposed PA-CRT scheme has a lower communication overhead. The transmission cost of the studied techniques has been analysed in a network comprising 100 vehicles within the range of a single RSU. From Fig. 7, it is clear that the transmission overhead increases linearly with the number of messages received by an RSU within a period of 30 s. It can be observed that the transmission overhead of our proposed scheme is better than 21.88 percent to that of Horng [35] respectively, when the number of messages received by an RSU reaches 30000 within a period of 30 s.

TA Serving Rate
When a vehicle leaves the coverage range of a domain $D_y$, TA needs to update the domain key in order to prevent former vehicles from accessing the new domain key, which ensures forward secrecy. When a vehicle enters the range of domain $D_y$, TA performs some addition operations in order to update the domain key.
Let $T_{gen}$ denote the time required for one TA to generate the domain key and the domain public key for $m$ DOMAIN messages. To calculate the TA serving rate, we first estimate the time required for one TA to generate the domain key and the domain public key for $m$ DOMAIN messages. In the proposed scheme, the time required for one TA to generate the domain key and the domain public key for one DOMAIN message is as follows: let $y$ denote the average speed of a vehicle, which varies from 5 m/s to 10 m/s (18 km/h to 36 km/h); let $d$ denote the communication range of a domain, taken to be 1000 m; and let $N$ denote the density of vehicles, which varies from 600 to 800 for a city road or highway. Let $p^*$ denote the probability that vehicles successfully receive the DOMAIN messages from TA. Therefore, the TA serving rate $r_{ser}$ can be calculated as Fig. 8 shows the serving rate $r_{ser}$ for various vehicle densities $N$ and various average speeds $y$ between a vehicle and the TA, for a TA range $d = 1000$ m.
From Fig. 8, it can be observed that the serving rate $r_{ser}$ of the TA gradually decreases as both the vehicle speed $y$ and the vehicle density $N$ increase. In addition, the TA can generate 679 DOMAIN messages every 300 ms. Therefore, it can be concluded that our proposed scheme keeps message loss low as the number of vehicles in the communication domain increases.

CONCLUSION
This paper proposed a Chinese remainder theorem-based conditional privacy-preserving authentication scheme for securing communications in VANETs. To reduce the probability of personal information, including the real identity and password, being compromised, the scheme uses fingerprints instead of the real identity and password for identity verification. The proposed scheme eliminates the need for an ideal TPD, and thus avoids the risk that compromising a single vehicle's TPD leads to failure of the entire system. The security analysis proved that the proposed PA-CRT signature scheme is secure under the random oracle model. Besides, the use of the Chinese remainder theorem has been shown to improve transmission efficiency. Furthermore, the proposed scheme provides an effective signature verification mechanism owing to the use of elliptic curves instead of bilinear pairing. The performance analysis demonstrated the effectiveness of our proposed scheme against the compared existing schemes, which further indicates its suitability for real-life VANET deployments. We plan to explore enhancing security and user privacy in a more dynamic environment comprising 5G base stations, driver handheld devices, etc.
Jing Zhang is now working toward the PhD degree in the School of Computer Science and Technology, Anhui University. Her research interest is vehicle ad hoc network.
Jie Cui received the PhD degree from the University of Science and Technology of China, in 2012. He is currently an associate professor and PhD supervisor of the School of Computer Science and Technology at Anhui University. His current research interests include applied cryptography, IoT security, vehicular ad hoc network, cloud computing security and software-defined networking (SDN). He has more than 80 scientific publications in reputable journals (e.g., the IEEE Transactions on Vehicular Technology, the IEEE Transactions on Intelligent Transportation Systems, the IEEE Transactions on Network and Service Management, the IEEE Transactions on Emerging Topics in Computing, the IEEE Transactions on Circuits and Systems, the IEEE Internet of Things Journal, Information Sciences, the Journal of Parallel and Distributed Computing), academic books and international conferences.
Hong Zhong received the PhD degree in computer science from the University of Science and Technology of China, in 2005. She is currently a professor and PhD supervisor of the School of Computer Science and Technology, Anhui University. Her research interests include applied cryptography, IoT security, vehicular ad hoc networks, cloud computing security and software-defined networking (SDN). She has more than 120 scientific publications in reputable journals (e.g., the IEEE Transactions on Parallel and Distributed Systems, the IEEE Transactions on Vehicular Technology, the IEEE Transactions on Intelligent Transportation Systems, the IEEE Transactions on Network and Service Management, the IEEE Transactions on Big Data, the IEEE Internet of Things Journal, the Journal of Parallel and Distributed Computing), academic books and international conferences.
Zhili Chen received the PhD degree in computer science from the University of Science and Technology of China, in 2009. He is currently a professor and PhD supervisor of School of computer science and technology, Anhui University. He has published more than 40 papers. His main research interests include privacy preservation, secure multiparty computation, information hiding, spectrum auction and game theory in wireless communications.
Lu Liu received the MSc degree in data communication systems from Brunel University, United Kingdom, and the PhD degree from the University of Surrey, United Kingdom. He is the professor of Informatics and head of Department of Informatics in the University of Leicester, United Kingdom. His research interests include areas of cloud computing, service computing, computer networks and peer-to-peer networking. He is a fellow of British Computer Society (BCS).