
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TIFS.2018.2885277, IEEE Transactions on Information Forensics and Security
SUBMITTED TO IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY

Privacy-Preserving Cloud-based Road Condition Monitoring with Source Authentication in VANETs

Yujue Wang, Yong Ding, Qianhong Wu, Yongzhuang Wei, Bo Qin, and Huiyong Wang

Abstract—The connected vehicular ad-hoc network (VANET) and cloud computing technology allow entities in a VANET to enjoy the advantageous storage and computing services offered by some cloud service provider. However, the advantages do not come free, since their combination brings many new security and privacy requirements for VANET applications. In this article, we investigate the cloud-based road condition monitoring (RCoM) scenario, where the authority needs to monitor real-time road conditions with the help of a cloud server so that it can respond soundly and timely to emergency cases. When some bad road condition is detected, e.g., a geologic hazard or an accident, vehicles on site are able to report such information to a cloud server engaged by the authority. We focus on addressing three key issues in RCoM. First, the vehicles have to be authorized by some roadside unit before generating a road condition report in its domain and uploading it to the cloud server. Second, to guarantee privacy against the cloud server, the road condition information should be reported in ciphertext format, which requires that the cloud server be able to distinguish the reported data from different vehicles, in ciphertext format and for the same place, without compromising their confidentiality. Third, the cloud server and the authority should be able to validate the report source, i.e., to check whether the road conditions are reported by legitimate vehicles. To address these issues, we present an efficient RCoM scheme, analyze its efficiency theoretically, and demonstrate its practicality through experiments.

Index Terms—Data privacy, vehicular ad hoc networks, VANET, cloud computing, authentication, auditability.

1 Introduction

VEHICULAR ad-hoc network has been envisioned as a promising technology to improve the travel efficiency and safety of transportation systems [1]. In a VANET, each vehicle with an embedded on-board unit is able to collect and communicate the current road/traffic condition information at some location with others, with the help of distributed roadside units (RUs). For example, vehicles may broadcast warning signals to the nearby vehicles (especially to those behind) when detecting some accident, congestion, jam, etc. [2]. In this way, every nearby recipient vehicle would be able to get better awareness of the driving environment and change its driving plan if needed. Indeed, the VANET technology has attracted great attention from both industry and academia [3], [4].

Many efforts have been focused on addressing the security issues in VANETs, for example, to guarantee the authentication, non-repudiation, integrity and privacy of messages [5]. Especially, message authentication in VANETs has been well studied. Chen, Ng and Wang [6] designed a threshold anonymous announcement system, where a recipient vehicle accepts the reported road/traffic information when at least $\tau$ different (anonymous) vehicles report the same information. The recipient can also validate whether the received information is sent from legitimate sources. Thus, their solution achieves reliable road/traffic information exchange. By employing the technique of direct anonymous attestation supporting user-controlled linkability of signatures, their proposal also provides distinguishability of origin by allowing the linking of signatures if a signer signs a message multiple times.

However, in real-world application scenarios, the trusted authority (TA) in a VANET may need to monitor road conditions in real time so that it can respond quickly in emergency cases. Indeed, vehicles or RUs can be enabled to directly report the collected road conditions to TA. When $\tau$ or more road condition reports for the same location are received, where $\tau$ denotes the threshold in the monitoring system, TA takes it as an emergency case and then makes a response. However, this approach requires TA to be equipped with powerful computing and storage resources (e.g., hardware and software resources), which would bring unaffordable costs to TA. Recently, Liu et al. [7] investigated a similar traffic monitoring problem in a vehicle-to-infrastructure framework. In their scheme, the distributed RUs forward reports from individual vehicles to the traffic monitoring

• Y. Wang, Y. Ding and Y. Wei are with the Guangxi Key Laboratory of Cryptography and Information Security, School of Computer Science and Information Security, Guilin University of Electronic Technology, Guilin, 541004, China. Y. Wang is also with the State Key Laboratory of Cryptology, P. O. Box 5159, Beijing, 100878, China. E-mail: yjwang@guet.edu.cn, stone dingy@126.com, walker wyz@guet.edu.cn
• Q. Wu is with the School of Electronic and Information Engineering, Beihang University, Beijing 100191, China, and with Science and Technology on Information Assurance Laboratory, Beijing, China. E-mail: qianhong.wu@buaa.edu.cn
• B. Qin is with Key Laboratory of Data Engineering and Knowledge Engineering, Ministry of Education, School of Information, Renmin University of China, Beijing, China. E-mail: bo.qin@ruc.edu.cn
• H. Wang is with the School of Mathematics and Computing Science, Guilin University of Electronic Technology, Guilin, 541004, China. E-mail: why6082015@gmail.com
Manuscript received XXXX, 2018

1556-6013 (c) 2018 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

center. Therefore, the vehicles are unable to directly report the detected traffic information, and the traffic monitoring center must be powerful enough to process all reported traffic information in real time as well as to maintain the report data.

Notice that connected vehicular cloud computing (CVCC) has recently been brought out [8], [9], which combines VANET with cloud computing technology. With CVCC, all entities in a VANET are able to enjoy the advantages of cloud computing, that is, the computing and storage services offered by some cloud service provider. In this paper, we investigate the above-mentioned road condition monitoring scenario in the CVCC framework. When a vehicle gets into the domain of some RU, it should interact with that RU to obtain a token. If some road condition is collected within the domain of the RU, the vehicle generates a report using the issued token, and uploads the report to the cloud server for processing.

We observe that there remain three critical issues to be addressed. First, the cloud server may not be trustworthy [10] and may be curious about the contents of the stored road condition reports. Thus, to protect confidentiality, all reports should be stored at the cloud server in ciphertext format such that only the root authority is able to decrypt them. Second, the uploaded reports are in fact big data with high-volume and high-velocity characteristics, thus they cannot be directly forwarded to the trusted root authority for processing due to its limited storage and computing capabilities. It is preferable to allow the cloud server to undertake most of the computation, for example, to identify which road domain has been reported more than $\tau$ times for the same condition information. This functionality requires that the cloud server be able to compare the ciphertext reports without decrypting their values. Note that existing homomorphic encryption [11] is not applicable here in the big data scenario due to its inefficiency. Third, some malicious vehicles may impersonate others to upload forged road conditions. Thus, the source of a road condition report should be verifiable by the cloud server and the authority.

1.1 Our contributions

To address the above issues for secure road condition monitoring in the CVCC framework, this paper proposes a privacy-preserving cloud-based road condition monitoring system with source authentication (RCoM). We design a concrete RCoM scheme in bilinear groups, which provides the following functionalities.

• Authorized reporting. A vehicle can collect the real-time road condition information and encrypt it with the root authority's public key, its own secret key and the token issued by the administrative RU before uploading to the cloud server, where the vehicle is currently running in the domain of that RU. Without a valid token from some RU, the vehicle is unable to generate a road condition report without being caught. The report in ciphertext format can be partially validated by the cloud server without decrypting its value, in this way filtering out and discarding invalid reports.

• Privacy-preserving monitoring. The cloud server is engaged to perform much of the monitoring work. Specifically, all reports are grouped into equivalence classes by the cloud server, where the reports in the same equivalence class are for the same road domain and the same road condition information. When the cloud server receives a new report from some vehicle, it compares this report with the existing equivalence classes. In fact, only one report in each equivalence class needs to be compared. If some comparison returns true, then the fresh report is inserted into the corresponding equivalence class. When some equivalence class contains at least $\tau$ reports, the cloud server informs the root authority to process it immediately. The root authority only needs to decrypt one ciphertext report to obtain the road condition information, and takes action if needed.

• Source authentication. The entities in the RCoM system, such as sub-authorities, vehicles and roadside units, are recognized by their identities. Thus, our RCoM construction does not rely on complicated cryptographic certificates. When a vehicle or an RU receives a secret key from some sub-authority, it is able to validate the key using the identity of the administrative sub-authority. Moreover, the cloud server can check whether a report is generated by the claimed vehicle, and the root authority can verify whether the report is generated with a token issued by the claimed RU.

The security of our RCoM scheme is analyzed under the Computational Diffie-Hellman assumption, which implies that malicious vehicles cannot forge a valid road condition report under selective identity and chosen message attacks, and that a report enjoys one-way confidentiality under adaptive chosen ciphertext attack against the cloud server if the order of the message space is larger than any polynomial function. We also conduct extensive experiments on our RCoM scheme. Both theoretical analyses and experimental results demonstrate the practicality of our RCoM proposal in applications.

1.2 Related techniques

In this section, we briefly review some related cryptographic techniques in secure VANET applications and secure cloud storage. We also review related cryptographic techniques such as encryption with equality test on ciphertexts and delegated/authorized data processing.

Secure VANET applications. In [12], Wu et al. presented a contributory broadcast encryption scheme, which allows vehicles in a VANET to negotiate a common public encryption key, while each vehicle holds its own decryption key. In this way, only these vehicles are able to exchange traffic information securely with their decryption keys. Guo et al. [13] designed a secure mechanism to collect traffic information through the Internet of Vehicles. Particularly, there is a trusted certification authority to issue certificates for all vehicles. Of the two types of traffic information, business data and confidential data, the former can be transferred in plaintext format, whereas the latter has to be encrypted.
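The cloud-side procedure from Section 1.1 (privacy-preserving monitoring) as runnable code: one comparison per existing equivalence class, insertion on a match, discarding of reports that fail the source check, and a single alert to RA once a class reaches the threshold $\tau$. This is an added illustration, not the paper's code; the scheme's ciphertext equality test and CLpro source check are abstracted behind two predicates, and the `hashlib`-based stand-ins, `DEMO_KEY` and the report stream are constructed for the demo.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Report:
    """One (U, W) pair as the cloud server sees it.

    The cloud never learns RU_l or I. Here `u` is a constructed comparison
    tag standing in for the scheme's comparable ciphertext U, and `w` holds
    a constructed vehicle-bound check value standing in for the tuple W.
    """
    vehicle: str          # claimed reporter V_j
    u: bytes
    w: Tuple[bytes, ...]


@dataclass
class EquivalenceClass:
    representative: Report                     # the one report RA decrypts
    members: List[Report] = field(default_factory=list)
    vehicles: Set[str] = field(default_factory=set)
    alerted: bool = False


class CloudServer:
    """Groups reports as described in Section 1.1: one comparison per existing
    class, insert on match, alert RA once a class reaches the threshold tau."""

    def __init__(self, tau: int,
                 clpro_valid: Callable[[Report], bool],
                 same_class: Callable[[Report, Report], bool]) -> None:
        self.tau = tau
        self.clpro_valid = clpro_valid      # abstracted CLpro source check
        self.same_class = same_class        # abstracted ciphertext equality test
        self.classes: List[EquivalenceClass] = []
        self.alerts: List[Report] = []      # representatives forwarded to RA
        self.comparisons = 0

    def process(self, rep: Report) -> Optional[EquivalenceClass]:
        # Invalid pairs are discarded here and never presented to RA.
        if not self.clpro_valid(rep):
            return None
        target = None
        # Only the representative of each class is compared, not every member.
        for cls in self.classes:
            self.comparisons += 1
            if self.same_class(cls.representative, rep):
                target = cls
                break
        if target is None:
            target = EquivalenceClass(representative=rep)
            self.classes.append(target)
        target.members.append(rep)
        target.vehicles.add(rep.vehicle)
        # Count distinct vehicles (Section 4.1: "tau or more vehicles"), so a
        # single vehicle resending the same report cannot trigger the alert.
        if len(target.vehicles) >= self.tau and not target.alerted:
            target.alerted = True
            self.alerts.append(target.representative)
        return target


# --- constructed stand-ins for the scheme's cryptography (not RCoM itself) ---
DEMO_KEY = b"constructed-demo-key"   # placeholder for the vehicle-side secret


def make_report(vehicle: str, ru_id: str, info: str, *, forged: bool = False) -> Report:
    """Demo (U, W). A real RCoM ciphertext is randomized; this deterministic
    tag only reproduces the equality relation the cloud is allowed to see."""
    u = hashlib.sha256(b"tag|" + ru_id.encode() + b"|" + info.encode()).digest()
    key = b"wrong-key" if forged else DEMO_KEY   # forged: no valid vehicle key
    check = hashlib.sha256(key + vehicle.encode() + u).digest()
    return Report(vehicle=vehicle, u=u, w=(check,))


def demo_valid(rep: Report) -> bool:
    """Stand-in for CLpro's source check: does W bind U to the claimed vehicle?"""
    expect = hashlib.sha256(DEMO_KEY + rep.vehicle.encode() + rep.u).digest()
    return rep.w[0] == expect


def demo_same_class(a: Report, b: Report) -> bool:
    """Stand-in for the ciphertext equality test: same (RU, I) without decrypting."""
    return a.u == b.u


def run_demo(tau: int = 3) -> CloudServer:
    """Constructed report stream: three distinct vehicles at RU7 reach tau=3."""
    cloud = CloudServer(tau, demo_valid, demo_same_class)
    events = [
        ("V1", "RU7", "mudslide", False),
        ("V1", "RU7", "mudslide", False),   # repeat from the same vehicle
        ("V2", "RU7", "mudslide", False),
        ("V9", "RU8", "accident", False),   # opens a second class
        ("V3", "RU7", "mudslide", True),    # forged W: discarded by the cloud
        ("V3", "RU7", "mudslide", False),   # third distinct vehicle: alert RA
    ]
    for vehicle, ru_id, info, forged in events:
        cloud.process(make_report(vehicle, ru_id, info, forged=forged))
    return cloud


if __name__ == "__main__":
    c = run_demo()
    print(f"classes={len(c.classes)} alerts={len(c.alerts)} comparisons={c.comparisons}")
```

The comparison counter makes the cost visible: each incoming report costs at most one comparison per class, not per stored report, and RA is handed exactly one representative ciphertext per alerting class.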


Sucasas et al. [14] addressed the issue of guaranteeing vehicle location privacy when authenticating the received messages in intelligent transportation systems. They proposed an autonomous privacy-preserving authentication scheme such that the vehicles are able to renew their pseudonyms without interacting with the trusted authority. Malhi and Batra [15] considered the same authentication problem, where pseudonyms are used to achieve anonymous communication. Also, they designed a new privacy-preserving signature scheme for inter-vehicle communication, where the verification procedure is further improved to support aggregate verification and enhanced with Bloom filters to prevent message drop in heavy traffic hours. Liu et al. [16] investigated the issue of user privacy protection in data aggregation without a trusted third party, and designed an efficient scheme in bilinear groups.

Secure cloud storage. Security issues such as data auditability, confidentiality and provenance for cloud storage have been well studied in recent years [10], [17], [18]. Provable Data Possession [19], Proofs of Retrievability [20], and Proofs of Storage [21], [22] are introduced to guarantee the integrity of outsourced data in clouds. All these primitives allow an auditor to audit the outsourced data without retrieving the entire copy from the cloud server. Note that, compared to Provable Data Possession and Proofs of Storage, Proofs of Retrievability [23] also employ erasure codes to support data recoverability to some extent when outsourced data has been partially lost or corrupted.

Delegated/Authorized data processing. Wang, He and Tang [24] studied proxy-oriented data outsourcing in clouds, where the data owner can authorize a proxy to process her data and upload it to the cloud server. Wang et al. [25] considered a similar problem scenario, where the authorized proxy can directly process data with his private key, whereas he has to generate a proxy key before processing data in [24]. Yang et al. [26] and He et al. [27] investigated data authentication and integrity protection in the automatic dependent surveillance-broadcast system (ADS-B). In their proposed three-level framework, the top-level authority (e.g., the International Civil Aviation Organization) issues secret keys for the second-level authorities (i.e., the airlines), and every airline is responsible for the registration of its affiliated aircraft. Different from [26], [27], Baek et al. [28] proposed a confidentiality framework for ADS-B by designing an efficient staged identity-based encryption scheme.

Equality test on ciphertexts. Public key encryption with equality test on ciphertexts allows users (e.g., the cloud server) to check whether two ciphertexts encrypt the same plaintext [29], where those ciphertexts may be produced under different public keys. Considerable efforts have been made to achieve controlled equality test on ciphertexts [30], [31], [32], [33], [34], [35], such that only an authorized/delegated tester is able to compare ciphertexts. Particularly, if the tester in [30], [31], [32] gets the authorization from two data owners, then it would be able to compare their ciphertexts. Recently, the functionality of equality test on ciphertexts has been used in achieving deduplication on encrypted data in clouds [36], [37], [38].

1.3 Paper organization

The remainder of this paper is organized as follows. We introduce the RCoM system architecture and security requirements in Section 2. The RCoM framework and the security model are formalized in Section 3. Section 4 introduces our RCoM scheme and Section 5 proves its security. In Section 6, we analyze our RCoM scheme both theoretically and empirically. Finally, Section 7 concludes the paper.

2 Architecture and Security Requirements of RCoM System

In this section, we formalize the architecture of RCoM and summarize its security requirements.

2.1 RCoM architecture

The RCoM system consists of five types of entities (see Figure 1), that is, a root authority (RA), many sub-authorities (SAs), many roadside units (RUs), a cloud server, and many vehicles. As in a VANET, RA, SAs and RUs are the trusted participants. In real-world applications, RA can be the Department of Transportation. The goal of RA is to monitor the real-time road conditions with the help of a cloud server, so that it can respond timely to emergency cases. The cloud server is maintained by some cloud service provider (CSP), which has significant computing and storage resources, and provides on-the-move access to outsourced data (i.e., road condition information) to end users. In RCoM, the cloud server is a curious entity, which is engaged by RA to maintain and process all road information collected by vehicles.

Fig. 1. System architecture of RCoM. (Figure not reproduced; its labels: RA, SA, RU, Cloud server, Delegation, Registration, Token distribution, Road condition report, Monitoring.)

Initially, to join the system, all vehicles must be authorized by RA, in this way getting private keys extracted from their respective identities. Note that the number of vehicles may be significantly large. Thus, RA needs to delegate SAs to authorize vehicles and roadside units. In practice, each SA has a disjoint management region and is only responsible for authorizing vehicles in its region. Also, each vehicle can only be authorized by one SA. Every vehicle can collect and report real-time road conditions if a dangerous road condition is detected. Similarly, every RU also gets a private key from some SA, which is extracted from its identity. In applications, SAs can be separated into two categories to respectively deal with the registration of vehicles and of RUs. In RCoM, all roads are divided into disjoint sections. For


ease of presentation, each road section is represented by the identity of its administrative RU in this paper. When some vehicle gets into a new section, the administrative RU issues a token which enables the vehicle to report the detected road condition information in this section.

Vehicles on the road can collect road condition information and report it to RA. All poor and dangerous road conditions (e.g., accidents, mudslides, etc.) have to be reported. Note that all these reports are uploaded to the cloud server rather than being directly sent to RA, due to its limited computing and storage capabilities. Also, they should be outsourced in ciphertext format such that only RA is able to recover the road condition information. The cloud server is allowed to compare the reported ciphertexts and inform RA to make a sound response when the number of reports of the same road condition for the same road section is larger than some predefined threshold.

Note that the RCoM system may confront some traditional attacks such as denial of service attacks. However, since all registered vehicles directly upload road condition information to the cloud server, RA would not become a bottleneck of the RCoM system. The cloud server engaged by RA is maintained by some CSP. In real-world applications, a rational CSP would implement certain measures to protect the cloud server from traditional attacks. Thus, the remainder of this paper does not focus on the techniques to resist such traditional attacks.

2.2 Functionalities and design goals

As is common practice in designing VANET-related protocols, it is assumed that every vehicle contains a tamper-resistant black box, which can keep data and perform basic cryptographic operations securely. We identify the functionalities and design goals of the RCoM system as follows.

Privacy of road conditions: The cloud server may be curious about the contents of the maintained data, but does not collude with vehicles or RUs. Thus, all reports of road conditions should be sent to the cloud server in ciphertext format to guarantee privacy, where only RA can decrypt the ciphertexts. The road condition information should specify the location (i.e., road section or roadside unit) where the condition is collected. Hence, all information regarding the road section and roadside unit must also be kept secret from the cloud server.

Source authentication and token verifiability: In the RCoM system, malicious vehicles may impersonate some other vehicle in reporting road conditions, and may forge a token from some RU. Their goal is to fool RA into accepting a false report without being caught. To resist this attack, the sources of reports should be verifiable by the cloud server without interacting with RA. If they do not satisfy the verification conditions, then they are discarded by the cloud server, which means they are not further processed or presented to RA.

Road condition classification: In practice, many vehicles may report the same road condition for the same place within a reasonable period, which requires the cloud server to be able to distinguish them from the others. In other words, the cloud server must be able to check whether the ciphertexts encrypt the same road condition information and group them into equivalence classes accordingly.

3 Definitions

3.1 Framework of RCoM system

Formally, an RCoM system consists of eight polynomial-time computable algorithms/protocols, that is, Setup, SAdlg, VHreg, RUreg, TKdis, RCrep, CLpro, and RApro.

• $\mathsf{Setup}(1^\kappa) \to (par, msk)$: On input $1^\kappa$ where $\kappa$ is a security parameter, the RCoM system setup algorithm, which is run by the root authority RA, generates the public parameter $par$ for the system and a master secret key $msk$ for itself.

• $\mathsf{SAdlg}(par, msk, SA_i) \to ssk_i$: On input the public parameter $par$, the master secret key $msk$ and the identity of some sub-authority $SA_i$, the delegation algorithm, which is run by RA, generates a secret key $ssk_i$ for $SA_i$. Sub-authority $SA_i$ should be able to validate $ssk_i$ before accepting it as its secret key.

• $\mathsf{VHreg}(par, SA_i, ssk_i, V_j) \to vsk_j$: On input the public parameter $par$, the identity $SA_i$ and secret key $ssk_i$ of some sub-authority, and the identity of some vehicle $V_j$, the vehicle registration algorithm, which is run by $SA_i$, generates a secret key $vsk_j$ for $V_j$. Vehicle $V_j$ should be able to validate $vsk_j$ before accepting it as its secret key.

• $\mathsf{RUreg}(par, SA_\ell, ssk_\ell, RU_l) \to rsk_l$: On input the public parameter $par$, the identity $SA_\ell$ and secret key $ssk_\ell$ of some sub-authority, and the identity of some roadside unit $RU_l$, the roadside unit registration algorithm, which is run by $SA_\ell$, generates a secret key $rsk_l$ for $RU_l$. Roadside unit $RU_l$ should be able to validate $rsk_l$ before accepting it as its secret key.

• $\mathsf{TKdis}(par, (SA_i, V_j, vsk_j), (SA_\ell, RU_l, rsk_l)) \to T_l / \bot$: On input the public parameter $par$, the token distribution protocol, which is jointly run by vehicle $V_j$ and roadside unit $RU_l$ with $(SA_i, vsk_j)$ and $(SA_\ell, rsk_l)$, respectively, outputs an authentication tuple $T_l$ including a token $\theta_l$ if both sides are honest, or $\bot$ otherwise. Here, $SA_i$ and $SA_\ell$ denote the administrative sub-authorities of $V_j$ and $RU_l$, respectively.

• $\mathsf{RCrep}(par, vsk_j, T_l, RU_l, I) \to (U, W)$: On input the public parameter $par$, the secret key $vsk_j$ of vehicle $V_j$, an authentication tuple $T_l$, a roadside unit identity $RU_l$ and some road condition information $I$, the road condition report algorithm, which is run by vehicle $V_j$, outputs a ciphertext $U$ and a tuple $W$.

• $\mathsf{CLpro}(par, U, W) \to \{0, 1\}$: On input the public parameter $par$ and a pair $(U, W)$, the cloud processing algorithm, which is run by the cloud server, outputs "1" if the pair $(U, W)$ can be inserted into some group; otherwise it outputs "0".

• $\mathsf{RApro}(par, msk, U, W) \to (RU_l, I)$: On input the public parameter $par$, the master secret key $msk$ and a pair $(U, W)$, the RA processing algorithm, which is run by the root authority, outputs a decrypted pair $(RU_l, I)$.

A secure RCoM scheme must be sound in the sense that, if all involved entities are honest, then no algorithm/protocol outputs a symbol that denotes an error. Formally, for a security parameter $\kappa \in \mathbb{N}$ and


any $(par, msk) \leftarrow \mathsf{Setup}(1^\kappa)$, the following conditions are satisfied:

• For any secret key $ssk_i \leftarrow \mathsf{SAdlg}(par, msk, SA_i)$ issued by RA, it can be validated as true and accepted by the sub-authority $SA_i$;

• For any secret key $vsk_j \leftarrow \mathsf{VHreg}(par, SA_i, ssk_i, V_j)$ issued by $SA_i$, it can be validated as true and accepted by the vehicle $V_j$;

• For any secret key $rsk_l \leftarrow \mathsf{RUreg}(par, SA_\ell, ssk_\ell, RU_l)$ issued by $SA_\ell$, it can be validated as true and accepted by the roadside unit $RU_l$;

• For any vehicle $V_j$ and any road section administered by some roadside unit $RU_l$, the token distribution protocol $\mathsf{TKdis}(par, (SA_i, V_j, vsk_j), (SA_\ell, RU_l, rsk_l))$ outputs a valid authentication tuple $T_l$;

• For any road condition information $I$ collected at $RU_l$ and any vehicle $V_j$ with authentication tuple $T_l$, both $\mathsf{CLpro}(par, U, W) = 1$ and $(RU_l, I) \leftarrow \mathsf{RApro}(par, msk, U, W)$ hold, where $(U, W) \leftarrow \mathsf{RCrep}(par, vsk_j, T_l, RU_l, I)$.

3.2 Formal security definitions

We present formal security definitions to capture the unforgeability of ciphertexts against selective identity and chosen message attack (UF-SI-CMA) launched by some malicious vehicle, and the one-way confidentiality under adaptive chosen ciphertext attack (OW-CCA2) against a curious cloud server. Note that the cloud server should be able to compare the ciphertexts (i.e., encrypted road condition reports) from vehicles, so as to group them into equivalence classes, which means the ciphertexts in RCoM are distinguishable. Thus, the RCoM system cannot offer indistinguishability for road condition reports under chosen plaintext/ciphertext attacks. In [29], Yang et al. have discussed that ciphertext comparability and indistinguishability are irreconcilable, and indistinguishability-based security notions are not applicable to encryption schemes with ciphertext comparability.

We first consider the case where malicious vehicles may collude to forge a road condition report $(U^*, W^*)$. Let $\mathcal{A}$ be a probabilistic polynomial-time (PPT) adversary, who plays the following game with a challenger $\mathcal{C}$ and tries to forge a valid pair $(U^*, W^*)$.

Setup: The adversary $\mathcal{A}$ picks a target sub-authority $SA^*$ and vehicle $V^*$, and sends them to $\mathcal{C}$. With a security parameter $\kappa$, the challenger $\mathcal{C}$ generates $(par, msk)$ and publishes the public parameter $par$.

Queries: The adversary $\mathcal{A}$ can adaptively submit the following queries to $\mathcal{C}$.

• Delegation: The adversary $\mathcal{A}$ can ask for the secret key of any sub-authority $SA_i$. The challenger $\mathcal{C}$ generates $ssk_i$ and gives it to $\mathcal{A}$.

• Vehicle registration: In each query, the adversary $\mathcal{A}$ submits a pair $(SA_i, V_j)$ to $\mathcal{C}$. If $SA_i$ has not been queried for a secret key, then the challenger $\mathcal{C}$ first generates $ssk_i$. Then, the challenger $\mathcal{C}$ runs the vehicle registration algorithm and returns a secret key $vsk_j$ of $V_j$ with regard to $SA_i$.

• Roadside unit registration: In each query, the adversary $\mathcal{A}$ submits a pair $(SA_\ell, RU_l)$ to $\mathcal{C}$. If $SA_\ell$ has not been queried for a secret key, then the challenger $\mathcal{C}$ first generates $ssk_\ell$. Then, the challenger $\mathcal{C}$ runs the roadside unit registration algorithm and returns a secret key $rsk_l$ of $RU_l$ with regard to $SA_\ell$.

• Road condition report: In each query, the adversary $\mathcal{A}$ submits a tuple $(V_j, T_l, RU_l, I)$ to $\mathcal{C}$. Suppose both $V_j$ and $RU_l$ have been queried for secret keys before. If $T_l$ is a valid authentication tuple jointly generated by $V_j$ and $RU_l$, then the challenger $\mathcal{C}$ returns a pair $(U, W)$.

• RA processing: In each query, the adversary $\mathcal{A}$ submits a pair $(U, W)$ to $\mathcal{C}$. The challenger $\mathcal{C}$ returns the output of the RA processing algorithm.

End-Game: Eventually, the adversary $\mathcal{A}$ outputs a tuple $(U^*, W^*)$ with regard to sub-authority $SA^*$, vehicle $V^*$ and $(RU^*, T^*, I^*)$. We say that the adversary $\mathcal{A}$ succeeds if all the following conditions hold:

• The adversary $\mathcal{A}$ has not made a delegation query on sub-authority $SA^*$ to get a secret key;

• The adversary $\mathcal{A}$ has not made a registration query on vehicle $V^*$;

• $\mathsf{RApro}(par, msk, U^*, W^*) = (RU^*, I^*)$, but $(U^*, W^*)$ was not generated in a road condition report query with $(V^*, T^*, RU^*, I^*)$.

Definition 1 An RCoM scheme is UF-SI-CMA secure if any PPT adversary $\mathcal{A}$ who plays the above game with $\mathcal{C}$ has only negligible probability of winning the game, that is,
$$\Pr[\mathcal{A}_{win}] \le \epsilon(\kappa)$$
where the probability is taken over all coin tosses made by $\mathcal{C}$ and $\mathcal{A}$.

Remark 1 Note that Definition 1 also implies that malicious vehicles cannot forge secret keys of SAs and vehicles. Otherwise, the adversary would be able to generate a valid ciphertext for some road condition information using the forged secret keys. Moreover, since the secret keys of RUs are generated by SAs in the same way as those of vehicles, the unforgeability of these keys is also implied by Definition 1.

We proceed to define the OW-CCA2 security of an RCoM scheme against a curious cloud server.

Setup: On input a security parameter $\kappa$, the challenger $\mathcal{C}$ generates $(par, msk)$ and gives the public parameter $par$ to the adversary $\mathcal{A}$.

Phase 1: The adversary $\mathcal{A}$ can adaptively submit queries to $\mathcal{C}$ as in Definition 1.

• Delegation: Same as in Definition 1.
• Vehicle registration: Same as in Definition 1.
• Roadside unit registration: Same as in Definition 1.
• Road condition report: Same as in Definition 1.
• RA processing: Same as in Definition 1.

Challenge: At the end of Phase 1, the challenger randomly picks a vehicle $V^*$, a roadside unit $RU^*$ and a road condition $I^*$, and computes $(U^*, W^*) \leftarrow \mathsf{RCrep}(par, vsk^*, T^*, RU^*, I^*)$, where $V^*$ and $RU^*$ are respectively administered by $SA^*$ and $SA'^*$, and $T^* \leftarrow \mathsf{TKdis}(par, (SA^*, V^*, vsk^*), (SA'^*, RU^*, rsk^*))$. The challenger $\mathcal{C}$ gives $(U^*, W^*)$ to $\mathcal{A}$.

1556-6013 (c) 2018 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Phase 2: The adversary A can issue queries to C as in Phase 1, except that (U*, W*) cannot be submitted for RA processing.

Guess: At the end of Phase 2, the adversary outputs a guess (RÛ, Î) and succeeds in the game if (RÛ, Î) = (RU*, I*).

Definition 2 An RCoM scheme is OW-CCA2 secure for reported road conditions if any PPT adversary A has only negligible advantage in κ in winning the above game, that is,

$$\mathrm{Adv}^{\mathrm{ow\text{-}cca2}} = \Pr\left[(\hat{RU}, \hat{I}) = (RU^*, I^*)\right] \le \epsilon(\kappa)$$

where the probability is taken over all coin tosses made by C and A.

4 OUR PROPOSAL

In this section, we propose a concrete RCoM scheme in bilinear groups. Table 1 summarizes the frequently used notations, which will be explained as they are used.

TABLE 1
Notation.

Symbol | Meaning
G, G_T | Cyclic groups with bilinear mapping ê : G × G → G_T
g, h | Two generators of G
p | A large prime, the order of G and G_T
x, z | The master secret key
y, w | The public key of RA
H_i | Cryptographic hash functions for 1 ≤ i ≤ 7
τ | A threshold to trigger an emergency case
ssk_i | The secret key of SA_i
vsk_j | The secret key of vehicle V_j
rsk_l | The secret key of RU_l
r, v, s | Random values in Z_p^*
T_j, T_l | The tuples generated by V_j and RU_l in TKdis
θ_j, θ_l | The pairs contained in T_j, T_l, respectively
t_j, t_l | Time stamps
T_d | Valid period of θ_l
I | Collected road condition information
(U, W) | Encrypted road condition information
𝒢 | Equivalence class of road condition information

Suppose G = ⟨g⟩ and G_T are cyclic groups of prime order p. The mapping ê : G × G → G_T is bilinear if the following properties are satisfied:

• Bilinearity: ∀µ, ν ∈ G and ∀a, b ∈ Z_p^*, ê(µ^a, ν^b) = ê(µ, ν)^{ab};
• Non-degeneracy: ê(g, g) ≠ 1;
• Efficiency: The mapping ê is efficiently computable.

Our RCoM scheme relies on the following complexity assumption.

Computational Diffie-Hellman assumption (CDH). Let G = ⟨g⟩ be a cyclic group of prime order p. Given a tuple (g, g^a, g^b) for some random values a, b ∈_R Z_p^*, any PPT algorithm E has only negligible probability of computing g^{ab} ∈ G.

4.1 System setup

The root authority RA generates a bilinear mapping ê : G × G → G_T, where G and G_T are cyclic groups of prime order p, and g, h are two distinct generators of G. RA then selects random values x, z ∈_R Z_p^*, sets the master secret key msk = (x, z), and computes y = g^x and w = g^z. RA also picks seven cryptographic hash functions H_i : {0,1}^* → Z_p^* for 1 ≤ i ≤ 5, H_6 : G → {0,1}^{λ_ru + λ_I + 2 log p} and H_7 : {0,1}^* → G, where λ_ru and λ_I denote the lengths of the identities of RUs and of the road condition information I, respectively.

RA also generates an alert threshold τ (e.g., τ = 10) such that when τ or more vehicles report the same road condition at the same place, it is treated as an emergency case that needs a fast response from RA. Finally, RA sets the public system parameters par = (ê, G, G_T, g, h, p, y, w, H_1, H_2, ···, H_7, τ).

4.2 Delegation to sub-authority

Sub-authorities are delegated by RA to authorize vehicles, which improves the authorization efficiency. In the delegation phase, each SA_i obtains a secret key from RA: RA picks a random value r_i ∈_R Z_p^*, calculates the secret key

$$ssk_i = (ssk_{i,1}, ssk_{i,2}) = \left(g^{r_i},\; h^{r_i + x H_1(SA_i \| ssk_{i,1})}\right)$$

and sends ssk_i to SA_i securely. Sub-authority SA_i can verify ssk_i as follows:

$$\hat{e}(ssk_{i,2}, g) \overset{?}{=} \hat{e}\left(h,\; ssk_{i,1} \cdot y^{H_1(SA_i \| ssk_{i,1})}\right) \quad (1)$$

4.3 Vehicle registration

In the registration phase, every vehicle V_j gets its authorization (i.e., a secret key) from its administrative sub-authority SA_i. SA_i picks a random value r_{i,j} ∈_R Z_p^* and calculates the secret key vsk_j = (vsk_{j,1}, vsk_{j,2}, vsk_{j,3}) where

$$vsk_{j,1} = ssk_{i,1}, \qquad vsk_{j,2} = g^{r_{i,j}}$$

and

$$vsk_{j,3} = ssk_{i,2} \cdot h^{r_{i,j} H_2(SA_i \| V_j \| vsk_{j,1} \| vsk_{j,2})}$$

and gives vsk_j to V_j securely. Vehicle V_j is able to verify vsk_j as follows:

$$\hat{e}(vsk_{j,3}, g) \overset{?}{=} \hat{e}\left(h,\; vsk_{j,1} \cdot y^{H_1(SA_i \| vsk_{j,1})} \cdot vsk_{j,2}^{H_2(SA_i \| V_j \| vsk_{j,1} \| vsk_{j,2})}\right) \quad (2)$$

4.4 Roadside unit registration

As in the vehicle registration phase, every roadside unit RU_l obtains a secret key from its administrative sub-authority SA_ℓ. That is, SA_ℓ picks a random value r_{ℓ,l} ∈_R Z_p^* and calculates the secret key rsk_l = (rsk_{l,1}, rsk_{l,2}, rsk_{l,3}) where

$$rsk_{l,1} = ssk_{\ell,1}, \qquad rsk_{l,2} = g^{r_{\ell,l}}$$

and

$$rsk_{l,3} = ssk_{\ell,2} \cdot h^{r_{\ell,l} H_2(SA_\ell \| RU_l \| rsk_{l,1} \| rsk_{l,2})}$$

and gives rsk_l to RU_l securely. Roadside unit RU_l can validate rsk_l as follows:

$$\hat{e}(rsk_{l,3}, g) \overset{?}{=} \hat{e}\left(h,\; rsk_{l,1} \cdot y^{H_1(SA_\ell \| rsk_{l,1})} \cdot rsk_{l,2}^{H_2(SA_\ell \| RU_l \| rsk_{l,1} \| rsk_{l,2})}\right) \quad (3)$$
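The key hierarchy of Sections 4.1-4.4 (setup, delegation, vehicle and roadside unit registration) checked numerically, as an added example that is not part of the paper or of its PBC implementation: the bilinear group is replaced by a toy model in which an element is stored as its discrete log, so Equations (1)-(3) can be evaluated exactly. The toy group has no security at all, and the identities, the hash-to-Z_p construction and the constants are assumptions made for the example.

```python
"""Correctness harness for the RCoM key hierarchy of Sections 4.1-4.4 (added example).
Toy bilinear group: an element of G is stored as its discrete log base g, so the group
operation is addition mod Q, exponentiation is multiplication mod Q and e(g^a, g^b) = a*b
mod Q. Equations (1)-(3) become literally checkable, but nothing about security transfers
(discrete logs are trivial here); a deployment uses a pairing-friendly curve."""
import hashlib
import secrets

Q = 2**61 - 1                 # prime order of the toy group (constructed value)
G_GEN, H_GEN = 1, 0x5EED      # log_g of the two generators g and h (constructed)
LEN_EL = 8                    # bytes used to serialise a G element into a hash input

def mul(a, b): return (a + b) % Q                 # group operation in G
def power(a, k): return (a * k) % Q               # exponentiation in G
def pair(a, b): return (a * b) % Q                # bilinear map e: G x G -> G_T
def rand(): return secrets.randbelow(Q - 1) + 1   # uniform in Z_p^*

def cat(*parts):  # the paper's "||": identities are bytes, G elements are ints
    return b"|".join(p.to_bytes(LEN_EL, "big") if isinstance(p, int) else p
                     for p in parts)

def H(i, *parts):  # H_i: {0,1}^* -> Z_p^*, domain-separated per index (assumed construction)
    d = hashlib.sha256(b"H%d" % i + cat(*parts)).digest()
    return int.from_bytes(d, "big") % (Q - 1) + 1

def setup():  # 4.1: msk = (x, z), public y = g^x, w = g^z
    x, z = rand(), rand()
    return {"y": power(G_GEN, x), "w": power(G_GEN, z)}, (x, z)

def delegate(msk, SA):  # 4.2: ssk_i = (g^{r_i}, h^{r_i + x H1(SA_i || ssk_{i,1})})
    r = rand()
    ssk1 = power(G_GEN, r)
    return ssk1, power(H_GEN, (r + msk[0] * H(1, SA, ssk1)) % Q)

def verify_ssk(par, SA, ssk):  # Eq. (1): e(ssk_2, g) =? e(h, ssk_1 * y^{H1(SA || ssk_1)})
    rhs = mul(ssk[0], power(par["y"], H(1, SA, ssk[0])))
    return pair(ssk[1], G_GEN) == pair(H_GEN, rhs)

def register(SA, ssk, ident):  # 4.3 / 4.4: vsk_j for a vehicle, rsk_l for a roadside unit
    r = rand()
    k1, k2 = ssk[0], power(G_GEN, r)          # k1 = ssk_{i,1}, k2 = g^{r_{i,j}}
    k3 = mul(ssk[1], power(H_GEN, r * H(2, SA, ident, k1, k2) % Q))
    return k1, k2, k3

def verify_key(par, SA, ident, key):  # Eqs. (2) / (3)
    k1, k2, k3 = key
    rhs = mul(mul(k1, power(par["y"], H(1, SA, k1))),
              power(k2, H(2, SA, ident, k1, k2)))
    return pair(k3, G_GEN) == pair(H_GEN, rhs)

def scenario():
    """Issue keys down the hierarchy and report which checks pass. The two
    'wrong_*' entries show that a key is bound to the SA and identity it was
    issued for: the same key fails Eq. (2) under another SA or identity."""
    par, msk = setup()
    SA_i, SA_l = b"SA-1", b"SA-2"              # constructed identities
    ssk_i, ssk_l = delegate(msk, SA_i), delegate(msk, SA_l)
    vsk = register(SA_i, ssk_i, b"V-0001")
    rsk = register(SA_l, ssk_l, b"RU-0001")
    return {
        "eq1": verify_ssk(par, SA_i, ssk_i) and verify_ssk(par, SA_l, ssk_l),
        "eq2": verify_key(par, SA_i, b"V-0001", vsk),
        "eq3": verify_key(par, SA_l, b"RU-0001", rsk),
        "wrong_sa": verify_key(par, SA_l, b"V-0001", vsk),
        "wrong_id": verify_key(par, SA_i, b"V-0002", vsk),
    }

if __name__ == "__main__":
    print(scenario())
```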

4.5 Token distribution

When some vehicle V_j enters a new road section, it interacts with the administrative roadside unit RU_l. Specifically, V_j picks a random value v_j ∈_R Z_p^* and computes

$$\theta_{j,1} = g^{v_j}, \qquad \theta_{j,2} = vsk_{j,3} \cdot h^{v_j H_3(V_j \| RU_l \| t_j \| \theta_{j,1})}$$

where t_j denotes the time stamp. Vehicle V_j sends the tuple T_j = (SA_i, V_j, vsk_{j,1}, vsk_{j,2}, t_j, θ_{j,1}, θ_{j,2}) to RU_l, where SA_i denotes the administrative sub-authority of V_j. This step implies that a malicious vehicle cannot impersonate V_j to request a token from RU_l.

Roadside unit RU_l does not respond if T_j fails the following condition:

$$\hat{e}(\theta_{j,2}, g) \overset{?}{=} \hat{e}\left(h,\; vsk_{j,1} \cdot vsk_{j,2}^{H_2(SA_i \| V_j \| vsk_{j,1} \| vsk_{j,2})} \cdot y^{H_1(SA_i \| vsk_{j,1})} \cdot \theta_{j,1}^{H_3(V_j \| RU_l \| t_j \| \theta_{j,1})}\right) \quad (4)$$

RU_l selects a random value v_l ∈_R Z_p^* and computes a token θ_l = (θ_{l,1}, θ_{l,2}) as follows:

$$\theta_{l,1} = g^{v_l}, \qquad \theta_{l,2} = rsk_{l,3} \cdot h^{v_l H_4(V_j \| RU_l \| t_j \| t_l \| T_d \| \theta_{j,1} \| \theta_{l,1})}$$

where t_l and T_d denote the time stamp and the valid period of token θ_l, respectively. Roadside unit RU_l returns the authentication tuple T_l = (SA_ℓ, rsk_{l,1}, rsk_{l,2}, t_l, T_d, θ_l), where SA_ℓ is the administrative sub-authority of RU_l.

Vehicle V_j accepts the authentication tuple T_l if it satisfies the following condition:

$$\hat{e}(\theta_{l,2}, g) \overset{?}{=} \hat{e}\left(h,\; rsk_{l,1} \cdot rsk_{l,2}^{H_2(SA_\ell \| RU_l \| rsk_{l,1} \| rsk_{l,2})} \cdot y^{H_1(SA_\ell \| rsk_{l,1})} \cdot \theta_{l,1}^{H_4(V_j \| RU_l \| t_j \| t_l \| T_d \| \theta_{j,1} \| \theta_{l,1})}\right) \quad (5)$$

The procedure of token distribution is shown in Fig. 2.

Vehicle V_j                                              Roadside unit RU_l
Choose v_j ∈_R Z_p^* and t_j
Generate (θ_{j,1}, θ_{j,2})
        ── T_j = (SA_i, V_j, vsk_{j,1}, vsk_{j,2}, t_j, θ_{j,1}, θ_{j,2}) ──→
                                                         Verify T_j. If true, then do:
                                                         Choose v_l ∈_R Z_p^*, t_l and T_d
                                                         Compute θ_l = (θ_{l,1}, θ_{l,2})
        ←── T_l = (SA_ℓ, rsk_{l,1}, rsk_{l,2}, t_l, T_d, θ_l) ──
Verify T_l. If true, then accept.

Fig. 2. A procedure of token distribution between vehicle V_j and roadside unit RU_l.

4.6 Road condition report

Suppose vehicle V_j collects road condition I on some section administrated by roadside unit RU_l at time Time. Then vehicle V_j proceeds as follows to generate a report. It selects a random value s ∈_R Z_p^* and computes the ciphertext U = (u_1, u_2, u_3, u_4), where

$$u_1 = g^s$$
$$u_2 = H_6(w^s) \oplus (RU_l \| I \| rsk_{l,1} \| rsk_{l,2})$$
$$u_3 = H_7(RU_l \| I)^s$$
$$u_4 = vsk_{j,3} \cdot h^{s H_5(V_j \| \theta_l \| u_1 \| u_2 \| u_3 \| Time)}$$

Finally, vehicle V_j uploads the ciphertext U and the tuple W = (SA_i, SA_ℓ, V_j, vsk_{j,1}, vsk_{j,2}, t_l, t_j, T_d, θ_l, Time) to the cloud server, where SA_i and SA_ℓ are the administrative sub-authorities of V_j and RU_l, respectively.

4.7 Cloud processing

Upon receiving a report from some vehicle, the cloud server performs the following processing steps.

Step 1: Soundness verification. In this step, the cloud server filters out forged information from malicious vehicles. The cloud server checks whether the following equality holds:

$$\hat{e}(u_4, g) \overset{?}{=} \hat{e}\left(h,\; vsk_{j,1} \cdot vsk_{j,2}^{H_2(SA_i \| V_j \| vsk_{j,1} \| vsk_{j,2})} \cdot y^{H_1(SA_i \| vsk_{j,1})} \cdot u_1^{H_5(V_j \| \theta_l \| u_1 \| u_2 \| u_3 \| Time)}\right) \quad (6)$$

The cloud server also checks whether the report was generated within the period T_d. If all conditions are satisfied, then the received elements in U and W are sound; otherwise, they are discarded by the cloud server.

Step 2: Privacy-preserving monitoring. For all sound tuples, the cloud server groups them into equivalence classes such that the tuples in the same class report the same road condition for the same location (road section) within a reasonable time period. Initially there is no equivalence class. For a new sound tuple (U, W), the cloud server sequentially compares it with every existing equivalence class. Note that only one element in every equivalence class needs to be compared. Suppose (U', W') is an element in some equivalence class 𝒢'. The cloud server checks whether the following condition is satisfied:

$$\hat{e}(u_1, u'_3) \overset{?}{=} \hat{e}(u'_1, u_3) \quad (7)$$

If true, then the tuple (U, W) is inserted into 𝒢'; otherwise, the cloud server continues to compare it with another equivalence class. Eventually, if there exists no matching equivalence class, then a new one is constructed with the single element (U, W).

Step 3: For any equivalence class 𝒢, if |𝒢| ≥ τ, then the cloud server sends an element (i.e., some tuple (U, W)) of 𝒢 to RA, which signals that an emergency case has been detected and requires RA to respond.

4.8 RA processing

The root authority runs the following steps to decrypt the ciphertext U with the master secret key msk. RA computes

$$RU_l \| I \| rsk_{l,1} \| rsk_{l,2} \leftarrow u_2 \oplus H_6(u_1^z)$$

and checks whether Equality (5) and the following condition are satisfied:

$$\hat{e}(u_1, H_7(RU_l \| I)) \overset{?}{=} \hat{e}(u_3, g) \quad (8)$$

If both hold, then RA accepts the reported road condition I at RU_l, and takes action if needed.

5 SOUNDNESS AND SECURITY

In this section, we show that our RCoM scheme is sound and enjoys UF-SI-CMA and OW-CCA2 security.

Theorem 1 In a successful delegation, SA accepts the secret key generated by RA; in a successful registration, a vehicle or an RU accepts the secret key generated by SA; in a round of a successful token distribution protocol, the vehicle accepts the authentication tuple generated by the corresponding RU; for any two ciphertexts
encrypting the same road condition information, the cloud server classifies them into the same group; for a sound ciphertext, RA is able to recover the reported road condition information.

Proof We only need to show that Equations (1)-(8) hold.

For a secret key ssk_i of SA_i, Equation (1) holds as follows:

$$\hat{e}\left(h^{r_i + x H_1(SA_i \| ssk_{i,1})}, g\right) = \hat{e}\left(h,\; g^{r_i} (g^x)^{H_1(SA_i \| ssk_{i,1})}\right) = \hat{e}\left(h,\; ssk_{i,1} \cdot y^{H_1(SA_i \| ssk_{i,1})}\right)$$

For a secret key vsk_j of some vehicle V_j issued by SA_i, Equation (2) holds as follows:

$$\hat{e}(vsk_{j,3}, g) = \hat{e}(ssk_{i,2}, g) \cdot \hat{e}\left(h^{r_{i,j} H_2(SA_i \| V_j \| vsk_{j,1} \| vsk_{j,2})}, g\right) = \hat{e}\left(h,\; vsk_{j,1} \cdot y^{H_1(SA_i \| vsk_{j,1})} \cdot vsk_{j,2}^{H_2(SA_i \| V_j \| vsk_{j,1} \| vsk_{j,2})}\right)$$

The correctness of Equation (3) can be proved in the same way as Equation (2).

In the token distribution protocol, the correctness of the tuple T_j generated by vehicle V_j with regard to the roadside unit RU_l is straightforward, since θ_{j,2} = vsk_{j,3} · h^{v_j H_3(V_j ‖ RU_l ‖ t_j ‖ θ_{j,1})}. Similarly, the correctness of Equations (5) and (6) can also be verified.

For two ciphertexts U = (u_1, u_2, u_3, u_4) and U' = (u'_1, u'_2, u'_3, u'_4), we have

$$\hat{e}(u_1, u'_3) = \hat{e}\left(g^s, H_7(RU'_l \| I')^{s'}\right) = \hat{e}\left(g, H_7(RU'_l \| I')\right)^{s \cdot s'}$$

and

$$\hat{e}(u'_1, u_3) = \hat{e}\left(g^{s'}, H_7(RU_l \| I)^s\right) = \hat{e}\left(g, H_7(RU_l \| I)\right)^{s \cdot s'}$$

Thus, Equation (7) holds if and only if RU_l ‖ I = RU'_l ‖ I'.

For a valid ciphertext U, Equation (8) in the RA processing phase holds as follows:

$$\hat{e}(u_1, H_7(RU_l \| I)) = \hat{e}(g^s, H_7(RU_l \| I)) = \hat{e}(g, H_7(RU_l \| I)^s) = \hat{e}(u_3, g)$$

Theorem 2 Suppose the CDH assumption holds in the bilinear group G. The proposed RCoM scheme is EU-SI-CMA secure for road condition reports against adaptive impersonation attacks. That is, no vehicle can forge road condition reports of other vehicles.

Proof The proof follows the standard framework established in [27, Theorem 1]. He et al.'s scheme [27] is proven existentially unforgeable against selective identity and chosen message attacks assuming that the CDH assumption holds in the bilinear group G. Our proof of Theorem 2 in the random oracle model mostly follows [27, Theorem 1], except that in the setup phase the challenger C chooses z ∈_R Z_p^* and computes w = g^z, and in the query phase the challenger C needs to answer two more types of queries, i.e., road condition report and RA processing queries. In fact, the road condition report queries can be answered in a similar way as the vehicle/roadside unit registration queries, since only the public parameter y is involved in generating u_1, u_2, u_3; whereas the RA processing queries can be answered directly using z. Thus, our RCoM scheme is EU-SI-CMA secure if the CDH assumption holds in G.

Theorem 3 Suppose the CDH assumption holds in the bilinear group G. The proposed RCoM scheme is EU-SI-CMA secure for the secret keys of sub-authorities, vehicles and roadside units against adaptive impersonation attacks. That is, no vehicle can forge a valid secret key of another vehicle, sub-authority or roadside unit.

As noted in Remark 1, the proof directly follows from Theorem 2.

Theorem 4 Suppose the CDH assumption holds in the bilinear group G. The proposed RCoM scheme offers OW-CCA2 confidentiality for road condition reports against the cloud server.

Proof The proof follows the standard framework established in [29, Theorem 3]. Yang et al.'s scheme [29] is proven OW-CCA2 secure assuming that the CDH assumption holds in the bilinear group G. Our proof of Theorem 4 in the random oracle model mostly follows [29, Theorem 3], except that in the setup phase the challenger C chooses x ∈_R Z_p^* and computes y = g^x, and in the query phase the challenger C needs to answer four more types of queries, i.e., delegation, vehicle registration, roadside unit registration and road condition report queries. In fact, these queries can be answered directly using x and y without leaking any information about RU* ‖ I*. Thus, our RCoM scheme is OW-CCA2 secure if the CDH assumption holds in G.

6 COMPARISON AND ANALYSIS

6.1 Functionality comparison

We now compare our RCoM construction with existing schemes in Table 2. In [24], [25], the authors studied the delegated data outsourcing scenario, in which the data owner is able to authorize a proxy to process her data and upload it to the cloud server. In particular, the data owner needs to generate a warrant and sign it with some signature scheme E, and gives the authorization pair (warrant, signature) to the proxy for verification. Note that if the signature scheme E is secure, then nobody, including the designated proxy, can forge a (warrant, signature) pair. This authorization mechanism also implies that the delegation/authorization can be publicly verified in the comprehensive auditing phase on outsourced data. Compared with our RCoM scheme, the proposals in [24], [25] did not consider data privacy protection, so they cannot support equality tests on ciphertexts without decryption.

TABLE 2
Comparison with related techniques.

Functionality | Ours | [24] | [25] | [26] | [27] | [28]
Delegation | √ | √ | √ | √ | √ | √
Source authentication | √ | √ | √ | √ | √ | √
Integrity guarantee | √ | √ | √ | √ | √ | ×
Privacy protection | √ | × | × | × | × | √
Third party equality test | √ | × | × | × | × | ×

In [26], Yang et al. designed a framework to authenticate messages in the ADS-B system based on a three-level hierarchical identity-based signature scheme. They also noticed that the verification costs need to be reduced, especially when the recipient receives lots of (message, signature) pairs. This issue was well addressed in their proposed two
concrete schemes with partial and full batch verification, respectively. He et al. [27] studied the same problem and proposed a more efficient construction without using hash-to-point operations. Compared with our scheme, there is no data privacy protection in the ADS-B authentication framework and constructions in [26], [27].

Baek et al. [28] presented a confidentiality framework for ADS-B. They noted that key management and efficiency are two key issues in this framework. To address these issues, a staged identity-based encryption scheme (SIBE) is designed from identity-based encryption (IBE) and symmetric encryption. IBE does not need a complicated key management mechanism as in traditional PKI-based cryptosystems; however, many IBE schemes may require resource-intensive computations such as bilinear mapping. To reduce the computation costs, only the symmetric key is transferred as an IBE ciphertext in the first stage of SIBE, and all subsequent communication is secured by the symmetric encryption scheme. Compared with the RCoM scheme, their confidentiality framework and SIBE scheme do not consider data integrity protection, and the ciphertexts do not allow an equality test.

6.2 Theoretical analysis

We analyze the computational complexity of our RCoM scheme in terms of the computation costs of every algorithm/protocol at each entity side, which is summarized in Table 3. Our analysis focuses on the most time-consuming operations in the scheme, namely exponentiations in group G and the bilinear pairing ê. In the table, Exp and Pair denote the evaluation times of an exponentiation in G and of a bilinear pairing, respectively.

TABLE 3
Computational complexity of each algorithm/protocol in the RCoM scheme.

Algorithm/protocol | Entity | Computations
Setup | RA | 2Exp
SAdlg | RA | 2Exp
SAdlg | SA | 1Exp + 2Pair
VHreg | SA | 2Exp
VHreg | V | 2Exp + 2Pair
RUreg | SA | 2Exp
RUreg | RU | 2Exp + 2Pair
TKdis | V | 5Exp + 2Pair
TKdis | RU | 5Exp + 2Pair
RCrep | V | 4Exp
CLpro | CS | 3Exp + (2n + 2)Pair
RApro | RA | 4Exp + 4Pair

The computation costs in the table are analyzed for one evaluation, that is, one delegation in the SAdlg algorithm, one registration in each of the VHreg and RUreg algorithms, one round of token distribution in the TKdis protocol, and one road condition report generated and processed in the RCrep, CLpro and RApro algorithms, respectively. In the Setup phase, RA only needs to perform two exponentiations in G to produce the public parameters y and w. The delegation algorithm SAdlg requires RA to take two exponentiations in G to generate a secret key for some SA, while SA needs to perform one exponentiation and two bilinear pairings to validate its secret key. For the VHreg and RUreg algorithms, SA follows the same method to generate a secret key for a vehicle or a roadside unit. In detail, SA takes two exponentiations in G to generate such a secret key, whereas the vehicle (or the roadside unit) takes two more bilinear pairings to do the verification.

The protocol TKdis contains four steps between a vehicle V_j and a roadside unit RU_l. The tuple T_j is generated by V_j with two exponentiations in G, while it is validated by RU_l with three exponentiations and two bilinear pairings. If T_j passes the validation, then an authentication tuple T_l is produced and verified by RU_l and V_j, respectively, with the same computation costs as for T_j. In generating a road condition report (U, W), the vehicle V_j only needs to take four exponentiations in G to compose the elements of U. The generation of W does not involve any complicated computation. In the CLpro algorithm, every tuple (U, W) is verified and compared with the stored equivalence classes. As shown in Equation (6), the verification step takes three exponentiations and two bilinear pairings. Suppose there are n equivalence classes at the cloud server side. A new report (U, W) is compared with only one element in each equivalence class. Thus, the second step, the equality test in CLpro, takes at most 2n bilinear pairings, that is, this step has linear computation complexity. In the RApro algorithm, RA recovers RU_l ‖ I from U, which requires four exponentiations and four bilinear pairings.

6.3 Experimental analysis

We conducted the experiments of our RCoM scheme using the Pairing Based Cryptography Library (PBC, http://crypto.stanford.edu/pbc/). The details of the hardware and software environments are summarized in Table 4. The elliptic curve is of Type A (y^2 = x^3 + x) such that p is a 160-bit prime and the element size in G is 256 bits.

TABLE 4
Experiment environments.

Environment | Details
Hardware, CPU | Intel(R) Pentium(R) G645 CPU @ 2.90 GHz
Hardware, Memory | 2 GB
Software, Operating system | Microsoft Windows 7
Software, Programming language | C
Software, Library | Pairing Based Cryptography

The performance of the Setup, SAdlg, VHreg and RUreg algorithms is shown in Figure 3. The evaluation shows that the Setup algorithm can be completed in less than 20 msec, which is mainly determined by two exponentiations in G. For a delegation, RA can generate a secret key ssk_i for some sub-authority SA_i in roughly 7 msec, whereas SA_i is able to validate ssk_i in less than 8 msec. These two procedures are presented as DelGen and DelVrf in the figure. The vehicle registration has performance comparable to the roadside unit registration, that is, the secret keys vsk_j and rsk_l can be generated by sub-authorities in roughly the same time, and the verification at the respective sides of the vehicle and the roadside unit also takes similar time. This is consistent with the theoretical analysis in Section 6.2 that both the VHreg and RUreg algorithms follow the same approach to fulfill the registration. Note that in the figure, VKeyGen and VKeyVrf respectively denote the generation and verification procedures of vsk_j for vehicle V_j, and RUKeyGen
and RUKeyVrf represent the generation and verification procedures of rsk_l for roadside unit RU_l, respectively.

[Fig. 3: bar chart, Time (milliseconds) on the vertical axis (0 to 18), with bars for Setup, DelGen, DelVrf, VKeyGen, VKeyVrf, RUKeyGen and RUKeyVrf.]
Fig. 3. Performance evaluation of the Setup, SAdlg, VHreg and RUreg algorithms.

Figure 4 plots the performance of the token distribution protocol TKdis, and of the RCrep and RApro algorithms. As shown in Section 4.5, the vehicle V_j (resp. RU_l) needs to generate a tuple T_j and validate T_l (resp. to validate T_j and generate T_l). Thus, in the TKdis protocol, both the vehicle V_j and the roadside unit RU_l require roughly the same computation time, which is shown in Figure 4 as TKV and TKRU, respectively. When vehicle V_j collects a road condition I, it is able to generate a report in about 15 msec (see RepGen in the figure). The report can be verified through Equation (6) in roughly 13 msec (see RepVrf), which is run in the first step of the CLpro algorithm. For a sound report, RA is able to recover the road condition as shown in Section 4.8 in 22 msec, which is depicted as RepDec in Figure 4. In fact, the computation time of RApro is determined by the verification time of Equalities (5) and (8).

[Fig. 4: bar chart, Time (×10^-2 seconds) on the vertical axis (0 to 2.8), with bars for TKV, TKRU, RepGen, RepVrf and RepDec.]
Fig. 4. Performance evaluation of the TKdis protocol, and the RCrep and RApro algorithms.

For the comparison between a new sound road condition report and each existing equivalence class, several cases with different numbers of equivalence classes are considered, that is, step 2 of Section 4.7 is run to compare 10, 20, ···, 100 pairs of {(u_1, u_3), (u'_1, u'_3)}, where (u'_1, u'_3) denotes the pair in some equivalence class. The experimental results are shown in Figure 5, which demonstrate that the performance of step 2 of Section 4.7 is linearly determined by the number of equivalence classes at the cloud server side. It is easy to see that the average execution time of comparing with a single equivalence class is roughly 4 msec.

[Fig. 5: line plot, Time (seconds) on the vertical axis (0 to 0.52) against No. of equivalence classes (10 to 100).]
Fig. 5. Performance evaluation of the CLpro algorithm.

7 CONCLUSION AND REMARK

In this article, we considered the problem of privacy-preserving cloud-based road condition monitoring with source authentication (RCoM). There are two levels of authorities such that the root authority delegates sub-authorities to perform registration for vehicles and RUs. RA monitors real-time road conditions through a third-party intermediary, that is, vehicles report the detected road conditions to the cloud server for verification and processing; in this way, only valid information sent from legitimate vehicles is picked out for RA to respond to. To protect privacy against the cloud server, the road condition report should be uploaded in ciphertext format, which brings another challenge for the cloud server: to distinguish the same road condition for the same place among lots of reports. In response to these functionalities and the security and privacy requirements in RCoM, we presented an efficient scheme and compared it with related techniques. Through extensive theoretical and experimental analyses, we demonstrate that the proposed RCoM scheme is practical in application settings.

ACKNOWLEDGMENTS

This article is supported in part by the National Key R&D Program of China through project 2017YFB0802500, the National Natural Science Foundation of China under projects 61772150, 61772538, 61672083, 91646203, 61472429, 61402029, 61862012, 61862011, and 61602125, the National Cryptography Development Fund of China under projects MMJJ20170217 and MMJJ20170106, the Foundation of Science and Technology on Information Assurance Laboratory through project 61421120305162112006, the Guangxi Natural Science Foundation under Grant 2018JJA170035, the Guangxi Young Teachers' Basic Ability Improvement Program under Grant 2018KY0194, and the open program of Guangxi Key Laboratory of Cryptography and Information Security under projects GCIS201622 and GCIS201702. Y. Wei was supported in part by the Natural Science Foundation of China under Grant 61572148, in part by the Guangxi Natural Science Foundation under Grant 2015GXNSFGA139007.

REFERENCES

[1] L. Zhang, C. Hu, Q. Wu, J. Domingo-Ferrer, and B. Qin, "Privacy-preserving vehicular communication authentication with hierarchical aggregation and fast response," IEEE Transactions on Computers, vol. 65, no. 8, pp. 2562–2574, Aug. 2016.
[2] Q. Wu, J. Domingo-Ferrer, and U. Gonzalez-Nicolas, "Balanced trustworthiness, safety, and privacy in vehicle-to-vehicle communications," IEEE Transactions on Vehicular Technology, vol. 59, no. 2, pp. 559–573, Feb. 2010.
[3] F. Qu, Z. Wu, F. Y. Wang, and W. Cho, "A security and privacy review of VANETs," IEEE Transactions on Intelligent Transportation Systems, vol. 16, no. 6, pp. 2985–2996, Dec. 2015.
[4] "IEEE Standard for Wireless Access in Vehicular Environments – Security Services for Applications and Management Messages," IEEE Std 1609.2-2016 (Revision of IEEE Std 1609.2-2013), pp. 1–240, Mar. 2016.
[5] L. Zhang, Q. Wu, J. Domingo-Ferrer, B. Qin, and C. Hu, "Distributed aggregate privacy-preserving authentication in VANETs," IEEE Transactions on Intelligent Transportation Systems, vol. 18, no. 3, pp. 516–526, Mar. 2017.
[6] L. Chen, S. L. Ng, and G. Wang, "Threshold anonymous announcement in VANETs," IEEE Journal on Selected Areas in Communications, vol. 29, no. 3, pp. 605–615, Mar. 2011.
[7] Y. Liu, J. Ling, Q. Wu, and B. Qin, "Scalable privacy-enhanced traffic monitoring in vehicular ad hoc networks," Soft Computing, vol. 20, no. 8, pp. 3335–3346, Aug. 2016.
[8] R. Yu, Y. Zhang, S. Gjessing, W. Xia, and K. Yang, "Toward cloud-based vehicular networks with efficient resource management," IEEE Network, vol. 27, no. 5, pp. 48–55, Sep. 2013.
[9] J. A. Guerrero-Ibanez, S. Zeadally, and J. Contreras-Castillo, "Integration challenges of intelligent transportation systems with connected vehicle, cloud computing, and internet of things technologies," IEEE Wireless Communications, vol. 22, no. 6, pp. 122–128, Dec. 2015.
[10] M. Armbrust, A. Fox, R. Griffith, A. D. Joseph, R. Katz, A. Konwinski, G. Lee, D. Patterson, A. Rabkin, I. Stoica, and M. Zaharia, "A view of cloud computing," Commun. ACM, vol. 53, no. 4, pp. 50–58, Apr. 2010.
[11] C. Gentry, "Fully homomorphic encryption using ideal lattices," in Proceedings of the Forty-first Annual ACM Symposium on Theory of Computing, ser. STOC '09. New York, NY, USA: ACM, 2009, pp. 169–178.
[12] Q. Wu, B. Qin, L. Zhang, J. Domingo-Ferrer, O. Farràs, and J. A. Manjón, "Contributory broadcast encryption with efficient encryption and short ciphertexts," IEEE Transactions on Computers, vol. 65, no. 2, pp. 466–479, Feb. 2016.
[13] L. Guo, M. Dong, K. Ota, Q. Li, T. Ye, J. Wu, and J. Li, "A secure mechanism for big data collection in large scale internet of vehicle," IEEE Internet of Things Journal, vol. 4, no. 2, pp. 601–610, Apr. 2017.
[14] V. Sucasas, G. Mantas, F. B. Saghezchi, A. Radwan, and J. Rodriguez, "An autonomous privacy-preserving authentication
homomorphic signatures," Peer-to-Peer Networking and Applications, vol. 11, no. 2, pp. 235–251, Mar. 2018.
[23] H. Shacham and B. Waters, "Compact proofs of retrievability," Journal of Cryptology, vol. 26, no. 3, pp. 442–483, Jul. 2013.
[24] H. Wang, D. He, and S. Tang, "Identity-based proxy-oriented data uploading and remote data integrity checking in public cloud," IEEE Transactions on Information Forensics and Security, vol. 11, no. 6, pp. 1165–1176, Jun. 2016.
[25] Y. Wang, Q. Wu, B. Qin, W. Shi, R. H. Deng, and J. Hu, "Identity-based data outsourcing with comprehensive auditing in clouds," IEEE Transactions on Information Forensics and Security, vol. 12, no. 4, pp. 940–952, Apr. 2017.
[26] A. Yang, X. Tan, J. Baek, and D. S. Wong, "A new ADS-B authentication framework based on efficient hierarchical identity-based signature with batch verification," IEEE Transactions on Services Computing, vol. 10, no. 2, pp. 165–175, Mar. 2017.
[27] D. He, N. Kumar, K. K. R. Choo, and W. Wu, "Efficient hierarchical identity-based signature with batch verification for automatic dependent surveillance-broadcast system," IEEE Transactions on Information Forensics and Security, vol. 12, no. 2, pp. 454–464, Feb. 2017.
[28] J. Baek, E. Hableel, Y. J. Byon, D. S. Wong, K. Jang, and H. Yeo, "How to protect ADS-B: Confidentiality framework and efficient realization based on staged identity-based encryption," IEEE Transactions on Intelligent Transportation Systems, vol. 18, no. 3, pp. 690–700, Mar. 2017.
[29] G. Yang, C. H. Tan, Q. Huang, and D. S. Wong, "Probabilistic public key encryption with equality test," in Topics in Cryptology - CT-RSA 2010: The Cryptographers' Track at the RSA Conference 2010, San Francisco, CA, USA, March 1-5, 2010. Proceedings, J. Pieprzyk, Ed. Berlin, Heidelberg: Springer Berlin Heidelberg, 2010, pp. 119–131.
[30] Q. Tang, "Public key encryption supporting plaintext equality test and user-specified authorization," Security and Communication Networks, vol. 5, no. 12, pp. 1351–1362, 2012.
[31] S. Ma, Q. Huang, M. Zhang, and B. Yang, "Efficient public key encryption with equality test supporting flexible authorization," IEEE Transactions on Information Forensics and Security, vol. 10, no. 3, pp. 458–470, Mar. 2015.
[32] S. Ma, M. Zhang, Q. Huang, and B. Yang, "Public key encryption with delegated equality test in a multi-user setting," The Computer Journal, vol. 58, no. 4, pp. 986–1002, 2015.
[33] Y. Wang and H. Pang, "Probabilistic public key encryption for controlled equijoin in relational databases," The Computer Journal, vol. 60, no. 4, pp. 600–612, 2017.
[34] H. Pang and X. Ding, "Privacy-preserving ad-hoc equi-join on outsourced data," ACM Trans. Database Syst., vol. 39, no. 3, pp. 23:1–23:40, Oct. 2014.
scheme for intelligent transportation systems,” Computers & Secu- [35] Y. Wang, H. Pang, N. H. Tran, and R. H. Deng, “Cca secure
rity, vol. 60, pp. 193–205, 2016. encryption supporting authorized equality test on ciphertexts in
[15] A. Malhi and S. Batra, “Privacy-preserving authentication frame- standard model and its applications,” Information Sciences, vol. 414,
work using bloom filter for secure vehicular communications,” pp. 289–305, 2017.
International Journal of Information Security, vol. 15, no. 4, pp. 433– [36] Z. Yan, W. Ding, X. Yu, H. Zhu, and R. H. Deng, “Deduplication on
453, Aug 2016. encrypted big data in cloud,” IEEE Transactions on Big Data, vol. 2,
[16] Y. Liu, W. Guo, C.-I. Fan, L. Chang, and C. Cheng, “A practi- no. 2, pp. 138–150, June 2016.
cal privacy-preserving data aggregation (3pda) scheme for smart [37] H. Cui, R. H. Deng, Y. Li, and G. Wu, “Attribute-based storage
grid,” IEEE Transactions on Industrial Informatics, pp. 1–1, 2018. supporting secure deduplication of encrypted data in cloud,” IEEE
Transactions on Big Data, vol. PP, no. 99, pp. 1–1, 2017.
[17] D. Song, E. Shi, I. Fischer, and U. Shankar, “Cloud data protection
[38] Z. Yan, L. Zhang, W. Ding, and Q. Zheng, “Heterogeneous data
for the masses,” IEEE Computer, vol. 45, no. 1, pp. 39–45, Jan 2012.
storage management with deduplication in cloud computing,”
[18] B. Wang, H. Li, X. Liu, F. Li, and X. Li, “Efficient public verification
IEEE Transactions on Big Data, vol. PP, no. 99, pp. 1–1, 2017.
on the integrity of multi-owner data in the cloud,” Journal of
Communications and Networks, vol. 16, no. 6, pp. 592–599, Dec 2014.
[19] G. Ateniese, R. Burns, R. Curtmola, J. Herring, L. Kissner, Z. Peter-
son, and D. Song, “Provable data possession at untrusted stores,”
in Proceedings of the 14th ACM Conference on Computer and Commu-
Yujue Wang received the Ph.D. degrees from the Wuhan University, Wuhan, China, and City University of Hong Kong, Hong Kong, under the joint Ph.D. program, in 2015. He was a Research Fellow with the School of Information Systems, Singapore Management University. He is currently with the School of Computer Science and Information Security, Guilin University of Electronic Technology, China. His research interests include applied cryptography, database security and cloud computing security.


Yong Ding received his PhD in Cryptography from the School of Communication Engineering, Xidian University, China, in 2005. He is currently a Professor at School of Computer Science and Information Security, Guilin University of Electronic Technology, China. He was a research fellow of Computer Science at City University of Hong Kong from April, 2008 to September, 2009. His research interests include cryptography and information security.

Huiyong Wang received his Ph.D. degree in software theory and applications from Chinese Academy of Sciences in 2017 in China. He is currently a Lecturer at the School of Mathematics and Computing Science, Guilin University of Electronic Technology, China. His research interests include privacy-preserving computation, information security, cyber security, multi-party computation and homomorphic encryption.

Qianhong Wu received his Ph.D. in Cryptography from Xidian University in 2004. Since then, he has been with Wollongong University (Australia) as an associate research fellow, with Wuhan University (China) as an associate professor, and with Universitat Rovira i Virgili (Spain) as a research director. He is currently a professor in Beihang University in China. His research interests include cryptography, information security and privacy, VANET security and cloud computing security. He has been a holder/co-holder of 8 China/Australia/Spain funded projects. He has authored more than 20 patents and over 120 publications in leading journals and conferences. He has served in the program committee of several international conferences in information security and privacy. He is a member of IACR and IEEE.

Yongzhuang Wei received the M.S. and the Ph.D. degrees in cryptology from Xidian University, Xi'an, China, in 2004 and 2009, respectively. Since July 2011, he has been doing research with the State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences, Beijing, China. In September 2014, he joined the Guangxi Key Laboratory of Cryptography and Information Security at Guilin University of Electronic Technology, where he is currently employed as a full professor. He is now a member of Chinese Association for Cryptologic Research (CACR). His current research interests include Boolean functions, stream ciphers, block ciphers, and hash functions.

Bo Qin received her Ph.D. degree in Cryptography from Xidian University in 2008 in China. Since then, she has been with Xi'an University of Technology (China) as a lecturer and with Universitat Rovira i Virgili (Catalonia) as a postdoctoral researcher. She is currently a lecturer in the Renmin University in China. Her research interests include pairing-based cryptography, data security and privacy, and VANET security. She has been a holder/co-holder of 5 China/Spain funded projects. She has authored over 80 publications in well-recognized journals and conferences and served in the program committee of a number of international conferences in information security.

