Improving Location Privacy in Mix-Zones for VANETs

Antonio M. Carianha, Luciano Porto Barreto, George Lima

Federal University of Bahia
Distributed Systems Laboratory (LaSiD) - Computer Science Department
40170-110, Salvador-BA, Brazil
carianha@ymail.com, {lportoba, gmlima}@ufba.br

Abstract
Providing location privacy to users is one of the important issues that must be addressed in Vehicular Ad-Hoc Networks. Recent solutions address it by using cryptographic
mix-zones, which are anonymizing regions where nodes
change their temporary identities (pseudonym) without being tracked. However, existing solutions are vulnerable to
internal attackers since within a mix-zone messages are encrypted using a group secret key. In this paper we improve
location privacy of mix-zones via extensions to the CMIX
protocol. By carrying out extensive simulations, we investigate and compare the effective location privacy provided by
the proposed approach.

1. Introduction
Road safety, traffic efficiency and driving convenience
provided by cooperative applications are some of the benefits that motivate research on Vehicular Ad-Hoc Networks
(VANETs). However, several issues must be solved in order to make VANETs a viable technology. In particular, in
this paper we address the location tracking problem, which
is commonly accepted as a critical security threat that may
prevent the successful deployment of VANETs [9].
Most safety-related applications in VANETs rely on vehicular status information such as GPS position, velocity
and heading angle, which are periodically exchanged in a
vehicular network. Unfortunately, such information might
also be used by eavesdroppers to track users. To prevent the correlation of nodes identity with nodes location, researchers [11, 6] proposed frequently changing the
randomly chosen identifiers of a node, which are called
pseudonyms. However, such a solution is ineffective, since
vehicles can be distinguished by their different status information even if their pseudonyms are changed in the same
time [6, 10].
An approach to achieving unlinkability between the

978-1-4673-0012-4/11/$26.00 2011 IEEE

identifiers of a node and its locations is to change

pseudonyms within anonymizing regions called mixzones [1]. As messages exchanged within mix-zones are
encrypted, monitoring activities from outside is very unlikely. A recent implementation of such a concept has been
developed in [5] by proposing the CMIX protocol. According to this approach, status information messages are encrypted using a group secret key, which is accessible only
to authenticated nodes in the VANET. However, this shared
key turns a mix-zone vulnerable to internal attackers since
an authenticated attacker has access to the status information of all nodes in the vehicular network.
In this paper we describe an approach that extends the
CMIX protocol to address such a vulnerability. In our approach a private key to encrypt status information is assigned to each node. Implementation overheads due to this
scheme are compensated by two communication reduction
strategies, which significantly reduces the overall number
of exchanged messages. By carrying out extensive simulations, we evaluate the effectiveness of the proposed approach and compare it against existing solutions.
The remainder of this paper is organized as follows. Section 2 discusses related work. A vehicular network system
model is described in Section 3. Our approach is presented
in Section 4. Results from simulations are presented in Section 5. Final comments are given in Section 6.

2. Related Work
In the mix-context model proposed in [6], a node
changes its pseudonym when it finds a threshold number of other nodes with similar status, i.e., a mix-context.
This approach has been further extended in [10] by proposing the synchronous pseudonym change algorithm, which
increases the probability that k nodes with similar status
change pseudonyms at the same time. However, the effectiveness of such an approach against attacks based on some
analytical kinematic model that correlate pseudonyms is unknown. In our simulations, we evaluated such effectiveness

for comparison.
The mix-zone concept [1] suits some needs required by
VANETs since mix-zones are anonymizing regions where
mobile nodes change their identifiers in a way that obfuscates location tracking attacks. In the vehicular densitybased location privacy scheme provided in [14] to address
attacks that correlate pseudonyms of vehicles entering and
exiting a mix-zone, a node must change its pseudonym only
when it finds a threshold number of nodes within such a
region.
The only solution to provide an implementation of the
mix-zone concept in VANETs is the CMIX protocol (which
stands for Cryptographic MIX-zones) described in [5]. According to CMIX, when a node enters a mix-zone it receives
a group secret key sent by a Road-Side Unit (RSU). This
key is then used to encrypt heartbeat status messages while
the node is within the mix-zone. It is shared only with authenticated members of the VANET. However, the encryption of status information using a shared key turns such an
approach vulnerable to authenticated attackers. This paper
presents an approach to address such a vulnerability.

3. System Model
In VANETs, on-Board Unit (OBU) devices on vehicles and Roadside Units (RSUs) enable vehicle-tovehicle (V2V) and vehicle-to-roadside (V2R) communication. Safety-related applications in VANETs are mostly
concerned with collision avoidance and driver assistance
systems. Their implementation rely on broadcast messages
that are signed and have the sender certificate attached, but
are not encrypted. We consider the WAVE (1609.2) (Wireless Access in Vehicular Networks) standard [7], which defines secure message formats and services to process secure
messages for applications in VANETs. The message length
defined in WAVE is 251 bytes of which the status information comprises 43 bytes at most.
As in related work [11, 5, 14], we assume that a trustworthy public key operated by governmental organizations and/or car manufacturers that preserve the secrecy of
pseudonyms is available in the vehicular network. Prior
to entering the network, each node i is registered with a
long-term identity in a Certification Authority (CA). A node
uses such an identity to periodically request Pseudonym
Providers (PP) a set of pseudonyms Pi,k , where k {1, ...,
T} and T is the pseudonym set size. For each pseudonym
1
) and the
Pi,k , a unique public/private key pair (Ki,k , Ki,k
corresponding certificate Certi,k (Ki,k ) are generated by
the corresponding CA. Each certificate has a short validity period. Since a malicious node could use its set of
pseudonyms to perform Sybil attacks, namely when a node
illegitimately claims multiple identities, we assume the existence of a mechanism that detects such attacks as in[2].

Further, we assume that identified attackers are prevented

to acquire new pseudonyms at PPs by adding its long-term
identity in certificate revocation lists shared by PPs. In case
of liability issues, the pseudonyms used by a node can be
revealed to authorized personnel.

4. Improving location privacy

An attacker internal to a mix-zone can predict the next
position of a vehicle via the status information (position,
velocity, heading) periodically transmitted by such a vehicle. The attacker can use it to correlate pseudonyms successively used by the same node. In this section, an approach
to address such an attack is described.

4.1. A status forwarding scheme

To avoid location tracking attacks, we propose a status
forwarding scheme where the status information of the periodic messages (status beacons) transmitted by a vehicle are
only delivered to its neighbors. This mechanism is in line
with the requirements of safety-related applications, which
intend to avoid collisions with nearby nodes. We define the
neighborhood of a node as the set of nodes within a threshold distance d.
Mix-zones are managed by a RSU, which periodically
broadcasts a beacon with both the position and the radius
Rmz of its mix-zone [5]. We define that this radius is such
that a RSU can reach a node at Rmz + d. When a node i
reaches the transmission range of a RSU, it runs the key establishment protocol defined in CMIX protocol. We modified it to include the C key as presented by Table 1. We
assume here that Ts is a valid time stamp, Sign() is a function that signs a message and Cert is the certificate of the
message sender.

Table 1. The Key Establishment protocol.

i RSU: Request, Ts , Signi (Request, Ts ), Certi,k
RSU i: EKi,k (i, S, Ci , Ts , SignRSU (i, S, Ci ,
Ts )), CertRSU
i RSU: Ack, Ts , Signi (Ack,Ts ), Certi,k

When a RSU receives the request message from i (first message in Table 1), the RSU replies with the shared key S
and a private key Ci , which are both symmetric keys. The
replied message is encrypted using the public key Ki,k of
node i and is signed. Then, i acknowledges the received
message after decrypting and validating it. The S key is
used by i to encrypt its status beacons while within a mixzone, except the status information, which we propose to

200

100

100

200

300

400

500

Beacon

300

200

100

100

200

Time (ms)

(1.1) Messages sent by a node and by the RSU

if the communication reduction strategies are not
applied.

Message Length (Bytes)

Forwarded State

Message Length (Bytes)

Message Length (Bytes)

Beacon

300

300

400

500

Beacon

300

Forwarded State

200

100

100

200

Time (ms)

300

400

500

Time (ms)

(1.2a) Messages sent by a node in a mix-zone (1.2b) Messages sent by a node in a mix-zone exit
entrance road (only the communication reduction road (both forwarding mechanism and communistrategies are applied).
cation reduction strategies are applied).

Figure 1. Example scenarios for a node with six neighbors (100 ms period)
.
be encrypted using the Ci key. When the RSU receives
such messages, the status information is decrypted and forwarded to the neighborhood of i encrypted by the corresponding private key of is neighbors.
Note that since an internal eavesdropper only has access
to the status information of its neighbors, such an attacker
is not able anymore to track all nodes in a mix-zone using such type of information. However, if only one node
changes its pseudonym at any given time period, this node
can be tracked by comparing the pseudonyms used by each
node in such a period and in the period that succeeds. Fortunately, this kind of vulnerability has a straightforward solution: requiring that nodes change their pseudonyms simultaneously. This can be implemented by making the RSU send
periodic messages to the network nodes requesting them to
immediately change their pseudonyms.

4.2. Overhead compensation

The forwarding scheme used by our approach implies
some source of communication overhead. In this section
we address this issue with two communication reduction
strategies. The first one is based on the scheme described
in [12] to reduce the number of status beacons transmitted
by nodes. In this scheme, nodes use a kinematic model to
estimate the status of its neighbors. A node only transmit
its status when it detects that its neighbors are reaching a
threshold error in their estimate of such a node. To adapt
this scheme to our approach, the RSU must estimate the position of nodes using the same kinematic model when they
are not transmitting. Then, the RSU is able to compute the
neighborhood set of any node in a mix-zone, namely vehicles that are within d apart from a node. When the RSU
receives a status beacon from a node i, it decrypts the status
information using the Ci key to obtain the state of i. Afterwards, the RSU encrypts and forwards it to each node in the
neighborhood set of i by sending a message encrypted with
the private key of the receiving node.

It is worth mentioning that the overhead due to symmetric cryptography is tolerable. Based on the encryption algorithm [4] recommended by [7] and the experiments conducted by [3], our approach would take, e.g., approximately
6 microseconds for both decoding a 251 byte message and
coding a 266 byte message (considering six 43 byte payloads plus a 8 byte time stamp as recommended by [7]).
Also, the accuracy of the status information received by a
neighbor due to a message travel time such as 50 ms do not
compromise safety, since the accuracy will be off by 2.4 cm
at most [12], assuming the maximum acceleration of a vehicle to be limited by 1 g.
We also employ a second strategy to reduce the number
of messages sent by the RSU due to the forwarding mechanism. When this mechanism is only used at exit roads (see
Figure 2), the overhead due to the forwarding of status information at entrance roads is avoided and nodes are still
protected from an internal attacker, since such an attacker is
unable to figure out the exit road chosen by a node. Then,
in entrance roads nodes encrypt their entire broadcast messages using the S key.
Figure 1 shows the evaluation of the forwarding mechanism and the communication reduction strategies in a mixzone where a given node has six neighbors. Figure 1.1
presents a scenario where each status beacon sent produces
six extra encrypted messages every 100 ms. In this scenario, the communication reduction strategies are not applied. On the other hand, Figures 1.2a and 1.2b show how
the overhead can be reduced. As stated in Figure 1.2a, the
number of status beacons is reduced when a node enters a
mix-zone. Figure 1.2b presents the outcome of using the
forwarding mechanism, which happens in a exit road of a
mix-zone due to the second strategy. We performed a few
experiments to evaluate such scenarios, which are presented
in section 5.

4.3. Discussion
First, we must consider how an internal attacker may
track a node within a mix-zone. Since such an attacker only
can access the status information of its neighbors, he could
stop at the crossroad intersection in a mix-zone to discover
the exit roads chosen by each node using their forwarded
status information. To address this attack the RSU can avoid
forwarding status information to a node that remains within
the mix-zone for a given amount of time, which may vary
due to traffic conditions. If a node has stopped, e.g., due
to an engine problem, safety is not compromised since the
neighbors of such a node still avoid collisions by using its
status information. The only option to the attacker is to employ a kinematic model to establish the relation between
nodes entering and leaving a mix-zone. The following section describes an example of such an attack.

5. Experimental evaluation
In this section, we evaluate the location privacy and resulting overhead of the proposed approach. By using the
C++ language we extended the VeinS framework [13] to
implement mix-zones. VeinS is an inter-vehicular communication simulation framework based on a bidirectionallycoupled simulation model. It integrates the OMNeT++ /
INET [15] network simulator and the SUMO [8] road traffic
microsimulation tool. These simulators run in parallel and
status update events of a vehicle in SUMO are forwarded to
their node representation in OMNeT++/INET.

event e with the one used in an exit event o. An enter event

e of a vehicle i that entered by port m is defined in a tuple
(vi , ti , m), where vi is the velocity at time ti when i reaches
the crossroad intersection. An exiting event o is defined in
a tuple (vi , ti , n), where vi is the velocity obtained in the
first status beacon when a vehicle i exits a mix-zone at time
ti by port n. Assuming a constant acceleration, the attacker
can use the Newtonian equation of motion presented in 1 to

compute the variation of space Xn performed in each combination of enter and exit events. Then, the attacker com
pares the estimated distance Xn with the known distance
Xn and decides for the relation where the estimated error is
minimal.

Xn = (ti ti )(vi + vi )/2

(1)

Suppose two vehicles A and B leaving the mix-zone

through port 3 and an attacker that registered events eA
(10,0,4), eB (14,1,1), oA (22.5,6,3), oB (24,6,3). Also, consider that port 3 has two exit lanes (let X3 equals 100 m) and
that A and B exited by different lanes. By applying equation 1 to vehicle A we have the combinations X3 eA oA =
97.5 m, X3 eA oB = 102.1 m. Therefore, X3 eA oB is chosen
because it is closer to X3 . For vehicle B, we have X3 eB oA
= 87.7 m and X3 eB oB = 95 m. Therefore, X3 eB oB is chosen. In this case, the attacker was unable to track vehicle
A, but was successful to correlate the entering and exiting
events for vehicle B. It is worth emphasizing that since an
internal attacker has access to vi in the intersection this analytical attack does not need to consider the time spent in a
semaphore.

5.1. Simulation setup

Figure 2. Simulation environment using the VeinS

framework. The mix-zone model considered has
four ports. Each port has roads entering a crossroad and roads leaving it.
To measure location privacy, we assume an attacker that install radio receivers close to the road to eavesdrop broadcast
messages sent by nodes. The main goal of such an attacker
is to correlate the pseudonym used by a node in an enter

In our mix-zone topology, a semaphore manages a crossroad intersection with four ports, where each road has two
lanes. The semaphore shows 30 seconds of green light for
two ports in the same direction, followed by 30 seconds of
red light (i.e. a 60 second period). The medium access control is IEEE 802.11 with a nominal data rate of 6 Mb/s and
transmission range of 250 meters, as in similar experimental settings [14]. Also, we assume a free-space path loss to
the signal attenuation. The maximum speed and the vehicle size are 30m/s and 5m, respectively. We perform two
kinds of experiments. The first one (Section 5.2) uses a simulation scenario with 2.000 vehicles crossing a single mixzone. The second experiment (Section 5.3) uses a realistic
environment based on data collected in the city of Cologne,
Germany.

5.2. First experiment: single mix-zone

It is worth emphasizing that since an internal attacker is
able to track any car with 100% chance of success in the

Figure 3. Variation of the tracking success rate for

different values of car arrival rate and mix-zone
radius.

original mix-zone scheme, a direct comparison is not possible. We first evaluate how effective our approach is against
such kind of attack based on ten simulation runs. To do
so, we measured the tracking success rate of the attacker,
which is the ratio between the number of successful attacks
and the total number of attacks. We assumed that car arrival events follows a Poisson distribution with arrival rate
within [0.1, 0.7] cars/s. Saturated traffic conditions in our
simulation environment occur when reaches 0.7 cars/s.
Figure 3 shows the effectiveness of attacks when the analytical attack described is used and when the attacker randomly guesses the correlation of pseudonyms. In both scenarios, the more cars enter a mix-zone, the lower the tracking success rate. This is expected since if the attacker registers more events it is less likely that he is able to choose
the correct pseudonyms. The effectiveness of the attacker
decreases when the radius of the mix-zone range increases.
Larger mix-zones are likely to contain more vehicles at a
given time, which contributes to make an attack less effective. It is worth mentioning that the privacy level obtained
for the internal attacker is similar to previous works that
considered only an external attacker [14, 5].
It is worth emphasizing the effectiveness of the proposed approach. The results presented in Figure 3 suggest
that even if we provide the attacker with data concerning
the dynamics of vehicles, his tracking capability does not
seem much improved compared to tracking vehicles at random. Also, considering that since vehicles actually pass
through several mix-zones during their journey, the cumulative probability for them to be tracked tends to be considerably low. For example, if a vehicle passed through four
similar mix-zones, with 0.3 mean arrival rate and radius set
to 200m, the successful tracking probability is around 1%.

Figure 4. Number of messages per second versus

the threshold distance d. Results show message
traffic when communication reduction is not applied and when both strategies are considered. A
mix-zone with 200 m radius and a 100 ms period
was considered.

Our approach requires a number of extra messages to be

sent due to the status forwarding scheme. In order to evaluate this overhead, we observed the number of 43 byte messages sent by the RSU and the number of 251 byte beacons sent by vehicles during the simulation. In the normal behavior, on average 576 messages are sent per second by vehicles. As Figure 4 shows, when the forwarding
mechanism is applied in this context the overhead is high.
However, when the communication reduction strategies are
applied the number of status beacons are reduced at least
by five times and on average a maximum of 90 messages
sent per second by the RSU due to the forwarding mechanism was observed. Since when applied both communication reduction strategies the sum of beacons and forwarded
status messages is less than the number of beacons in the
normal behavior, our proposed approach is validated to the
threshold distances considered. Also, Figure 4 shows that
the message overhead increases almost linearly with the distance d considered. This is expected since cars have larger
neighborhood for higher values of d. The number of status
beacons does not vary with this parameter.

5.3. Second experiment: mix-zone vs. mixcontext

The purpose of this experiment is to evaluate how mixzone and mix-context [6], two distinct approaches, compare
to each other regarding the effectiveness of an attacker that
can register events and launch attacks at any place. Recall
from Section 2 that according to the mix-context approach,

the change of pseudonyms takes place if there are a set of

k vehicles closed to each other and sharing similar status
information. This means that vehicles may change their
pseudonyms anywhere along their journey as opposed to the
mix-zone model, which predefines specific regions (mixzones) for such operations. To implement the mix-context
approach, we used the Synchronous Pseudonym Change Algorithm [10]. A mix-context was considered to occur when
k = 3 vehicles are within 10 meters apart and their speeds
do not differ in more than 0.5m/s.
In this experiment, we used data available from TAPAS
project [16], which offer a realistic scenario for the vehicular traffic in the city of Cologne, Germany. The data used
corresponds to the period between 7:00 am and 7:20 am.
Ten mix-zones were uniformly distributed on crossroads in
this city. The same analytical model was used to implement attacks for both approaches. In the context-mix approach, an entering event is set when k nodes change their
pseudonyms and the exiting event is set in the period that
succeed.

Figure 5. Cars not tracked for both approaches.

The results presented in Figure 5 suggest that the proposed approach improves protection when compared to
mix-context. Furthermore, the total number of cars not
tracked is about 2.4 times greater for the mix-zone approach. It is a significant difference when considering that a
few number of mix-zones was used and a short time interval
was considered.

6. Conclusion
In this paper we described an approach that improves location privacy in the cryptographic mix-zone model used in
vehicular networks by addressing its vulnerability against
internal attackers. Also, communication reduction strategies were provided to compensate communication overheads that result from the proposed solution.
We performed extensive simulations to measure the successful tracking rate achieved by an internal attacker. Our

results showed that location privacy is fairly improved after

users visit a few number of mix-zones. The communication overhead was measured and showed to be tolerable for
VANETs. Furthermore, comparative results allowed to conclude that our approach is significantly more effective than
the mix-context solution.

References
[1] A. R. Beresford and F. Stajano. Location Privacy in Pervasive Comput. IEEE Pervasive Computing, 2, 2003.
[2] C. Chen, X. Wang, W. Han, and B. Zang. A Robust Detection of the Sybil Attack in Urban VANETs. ICDCS Workshops, 0:270276, 2009.
[3] W. Dai.
Crypto++ 5.6.0 Benchmarks. Available:
www.cryptopp.com/benchmarks-amd64.html.
[4] N. Dworkin. NIST Special Publication SP 800-38C. Recommendation for Block Cipher Modes of Operation: the CCM
Mode for Authentication and Confidentiality.
[5] J. Freudiger, M. Raya, M. Feleghhazi, P. Papadimitratos, and
J.-P. Hubaux. Mix-Zones for Location Privacy in Vehicular
Networks. WiN-ITS, 2007.
[6] M. Gerlach and F. Guttler. Privacy in VANETs Using
Changing Pseudonyms - Ideal and Real. In Proc. of the 65th
Vehicular Technology Conference (VTC), pages 25212525,
Dublin, Ireland, 2007.
[7] IEEEP1609.2. Institute of Electrical and Electronics Engineers. IEEE Trial-Use Standard for Wireless Access in Vehicular Environments - Security Services for Applications
and Management Messages, 2006.
[8] D. Krajzewicz and C. Rossel.
Simulation of Urban
MObility (SUMO). German Aerospace Centre. Available:
sumo.sourceforge.net/index.shtml, 2011.
[9] C. Laurendeau and M. Barbeau. Threats to Security in
DSRC/WAVE. In T. Kunz and S. Ravi, editors, Ad-Hoc, Mobile, and Wireless Networks, volume 4104 of Lecture Notes
in Computer Science, pages 266279. 2006.
[10] J. Liao and J. Li. Effectively Changing Pseudonyms for Privacy Protection in VANETs. Int. Symp. on Parallel Architectures, Algorithms and Networks, pages 648652, 2009.
[11] M. Raya and J.-P. Hubaux. The Security of Vehicular Ad
Hoc Networks. In 3rd ACM SASN, 2005.
[12] S. Rezaei, R. Sengupta, H. Krishnan, X. Guan, and R. Bhatia. Tracking the Position of Neighboring Vehicles Using
Wireless Communications. Transportation Research Part C:
Emerging Technologies, 18(3):335 350, 2010.
[13] C. Sommer, R. German, and F. Dressler. Bidirectionally
Coupled Network and Road Traffic Simulation for Improved
IVC Analysis. IEEE Trans. Mobile Comput., 2010.
[14] J.-H. Song, V. W. S. Wong, and V. C. M. Leung. Wireless
Location Privacy Protection in Vehicular Ad-hoc Networks.
In Proceedings of ICC, pages 26992704, 2009.
[15] A. Vargas. Objective Modular Network Testbed in C++
(OMNET++), version 4.0. Available: www.omnetpp.org.
[16] C. Varschen and P. Wagner. Mikroskopische Modellierung
der Personenverkehrsnachfrage auf Basis von Zeitverwendungstagebchern. AMUS, 2006.