Two Forgeable and Untraceable Batch Authentication Schemes
based on Pseudonym
Xiaoming Hu
a
College of Computer and Information Engineering, Shanghai Polytechnic University, Shanghai, China
Keywords: Information Security, Batch Authentication Scheme, Certificateless Signature Scheme, Vehicle Ad Hoc
Networks, Unforgeability.
Abstract: In the fields of intelligent transportation (InTrans) and vehicle ad hoc networks (VEAHT), data exchange
between vehicle and vehicle or between vehicle and RSU (Road Side Unit) or between RSU and RSU or so
on can cause many security problems such as sending a fake data or pretending to be a vehicle node or
others. At the same time, in InTrans and VEAHT, data exchange is very frequent and also is very large.
Batch authentication protocol or scheme based on pseudonym identity can improve the efficiency of
message signature verification. What's more, it can protect the real identity of the vehicle node by using a
pseudonym but the real identity can be traced when needed. In this paper, the security of two batch
authentication schemes proposed recently is analyzed. This paper shows that the two schemes exist some
security drawbacks and do not satisfy the security properties: unforgeability and traceability. In other words,
a malicious vehicle (acts as an attacker) can forge a signature on a message without knowing the private key
of the vehicle node and anyone cannot trace the real identity of the attacker. Finally, this paper also gives a
simple improvement on the existing security drawbacks.
1 INTRODUCTION
1
Under the environment of intelligent transportation
(Alanazi 2019, Lo 2016, Qu 2015, Zhang 2017)
(InTrans) or vehicle ad hoc networks (He 2015, Li
2015, Liu 2014, Liu 2018, Shim 2012) (VEAHT),
the vehicle can periodically broadcast its own data
information during driving and receive data from
other vehicles or the RSU (Road Side Unit) which
helps to reduce the incidence of traffic accidents and
helps the vehicle to plan better traffic routes.
However, traffic data can involve some sensitive
information such as the identity of vehicle or
position which the owner of the vehicle wish only
the trust organization such as RSU or TA (Trusted
Authority) can get these data. On the other hand, in
order to prevent illegal attacks from malicious
vehicles, it needs to authenticate the realness of the
identity of the vehicle and the truth of the message.
Authentication technology (Cui 2018, Wang 2016,
Zhong 2016) can satisfy the secure data exchange
and privacy protection of the vehicle.
a
https://orcid.org/0000-0001-8046-6457
However, the amount of data that vehicles
produce and receive every day is huge which leads
to a lot of verification load. Batch authentication
protocol or scheme (Bayat 2015, Gayathri 2018,
Horng 2017) can effectively solve the problem. In a
batch authentication scheme, the signature verifier
can verify the validity of n signature on n messages
with only one verification operation which improves
the verification efficiency largely. Therefore, many
scholars present many authentication schemes (Cui
2018, Wang 2016, Zhong 2016, Bayat 2015,
Gayathri 2018, Horng 2017). However, a general
authentication scheme cannot protect the privacy of
the vehicles. An authentication scheme with
(conditional) privacy-preserving (Horng 2015,
Huang 2011, Lin 2007, Zhang 2020) can solve the
problem.
In 2020, Wang et al. proposed an authentication
protocol based on pseudonym in InTrans (Wang
2021). At the same time, the protocol is conditional
privacy-preserving. In other words, the real identity
of the vehicle can be protected normally. But when
needed, the real identity of the vehicle can be traced
by some method. In 2021, Zeng et al. proposed a
certificateless (Ma 2020, Xie 2020, Zhao 2020, Zuo
2019, Zuo 2020) authentication scheme in VEAHT
Hu, X.
Two Forgeable and Untraceable Batch Authentication Schemes based on Pseudonym.
DOI: 10.5220/0011375200003443
In Proceedings of the 4th International Conference on Biomedical Engineering and Bioinformatics (ICBEB 2022), pages 985-991
ISBN: 978-989-758-595-1
Copyright
c
2022 by SCITEPRESS – Science and Technology Publications, Lda. All rights reserved
985
(
Zeng 2020). The scheme adopts the pseudonym of
the vehicle to protect the real identity of the vehicle.
But the real identity of the vehicle also is traced
afterwards. However, in this paper, we present that
in both authentication schemes, a malicious attacker
can forge a signature without known the private key
of the vehicle, namely do not hold the
unforgeability. At the same time, the both schemes
also do not hold the traceability, namely the real
identity of the vehicle cannot be traced afterwards.
In order to overcome these drawbacks, an improved
method for the both schemes is presented.
2 REVIEW, SECURITY
ANALYSIS AND
IMPROVEMENT OF A
CONDITIONAL PRIVACY
PRESERVING OF
AUTHENTICATION
PROTOCOL
Here, we present a simple review, security analysis
and a simple improvement on Wang et al.’s
authentication protocol (Wang 2021).
2.1 Look Back on Wang et al.’s
Authentication Protocol
Wang et al.’s authentication protocol (Wang 2021)
consists of three stages: System Initial, Identity
Authentication based on Pseudonym and Message
Authentication based on Pseudonym.
2.1.1 System Initial Stage
System parameters generation: Define six
cryptography hash functions
0
H :
**
}1,0{}1,0{ ×
→
*
}1,0{
,
2
H :
*
}1,0{
→
*
q
Z
,
1
H ,
3
H ,
4
H ,
5
H :
*
}1,0{×G
→
*
q
Z
.ECA (Enrollment Certificate
Authority) chooses
a
R
∈
*
q
Z
as its private key
ECA
SK and computes its public key
ECA
PK =
aP
. Then, the system parameters publicly is
{
P
,
G
,
q
,
ECA
PK ,
0
H ,
1
H ,
2
H ,
3
H ,
4
H ,
5
H }.
PCA (Pseudonym Certificate Authority)
generates the private-public pair (
i
PCA
SK
,
i
PCA
PK
) as the above methods.
Node registration certificate application: ECA
generates registration information as follows for
vehicles and RSUs (Road Side Unit) after ECA
authenticates the vehicles and the RSUs. For the
vehicle
a
V with its real identity information
a
RID , ECA chooses
β
R
∈
*
q
Z
and computes
a
STicket = ),(
0 a
RIDH
β
and
a
PTicket =
PSTicket
a
. EVA issues the registration
certificate
a
Ecert to
a
V . For RSU
u
R with its
position information
u
R
Loc
, ECA computes
u
R ’s private and public pair
(
u
R
SK
,
u
R
PK
).
EVA issues the registration certificate
u
Ecert to
u
R .
2.1.2 Identity Authentication based on
Pseudonym Stage
First, make non-interactive identity
authentication based on chameleon hash, the
detail process refers to the literature (Wang
2021).
Identity authentication process based on
pseudonym: when the vehicle
a
V applies to
i
PCA for a pseudonym,
a
V chooses
1
θ
R
∈
*
q
Z
as
its temporary private key
'
a
SK
and computes its
temporary public key
'
a
SK
= P
1
θ
, and its
temporary share key
ai
K =
i
PCA
PK
1
θ
.
a
V chooses
a
k
R
∈
*
q
Z
and computes its part pseudonym
1a
PID = Pk
a
and certificated value
ap
c
=
a
STicket +
11
H
θ
(
'
a
PK
,
1a
PID ,
t
) where
t
is the
time stamp.
i
PCA computes the part pseudonym
2a
PID =
1
H (
i
PCA
SK
,
1a
PID ,
a
PTicket ,
t
) for
a
V if
Pc
ap
=
a
PTicket +
1
'
HPK
a
(
'
a
PK
,
1a
PID ,
t
).
Then, the full pseudonym for
a
V is
a
PID =
(
1a
PID ,
2a
PID ). Then,
i
PCA chooses
a
λ
R
∈
*
q
Z
and computes
'
a
PID
= )(
2 a
PIDH ,
a
Λ =
P
a
λ
,
a
h =
3
H (
a
Λ ,
i
PCA
PK
,
'
a
PID
),
a
d =
i
PCA
SK
+
aa
h
λ
as its part private key.
a
V chooses
a
x
R
∈
*
q
Z
and computes
a
X = Px
a
.
Then, its private key is
a
SK = (
a
x ,
a
d ) and its
ICBEB 2022 - The International Conference on Biomedical Engineering and Bioinformatics
986
public key
a
PK = (
a
X ,
a
Λ ), and is its
pseudonym
a
PID = (
1a
PID ,
2a
PID ).
Vehicles and RSU makes two way identity
authentications before data exchange (Wang
2021).
2.1.3 Message Authentication based on
Pseudonym Stage
Signature stage: given a message
a
m
, the
vehicle
a
V
chooses
a
ω
R
∈
*
q
Z
and computes
a
Ω
=
P
a
ω
,
a
g
=
),,,,(
4
tPIDmH
aaaa
ΛΩ
,
a
l
=
),,,,(
5
tPIDmH
aaaa
ΛΩ
,
a
σ
=
aaaaa
dlxg ++
ω
.
And then (
a
σ
,
a
Ω
,
a
Λ
,
t
) is the signature on
a
m
.
Verification stage: after
u
R
gets a signature
(
a
σ
,
a
Ω
,
a
Λ
,
t
),
u
R
verifies the freshness of
the time
t
, and then computes
a
g
,
a
l
, and
verifies if
P
a
σ
=
)(
aaPCAaaaa
hPKlXg
i
Λ+++Ω
(1)
2.2 Security Analysis and
Improvement of Wang et al.’s
Authentication Protocol
Here, we make the analysis on the security of Wang
et al.’s authentication protocol. We show that their
authentication protocol does not satisfy the
unforgeability. Their protocol also does not satisfy
the traceability for the real identity of the vehicle.
2.2.1 The Forgeability Attack
The attacker can forge a signature without known
the private key of the signature vehicle. And the
attacker cannot be traced afterwards.
The attacker chooses a message
'
a
m
and
generates a pseudonym
"
a
PID
= (
"
1a
PID
,
"
2a
PID
)
for the vehicle
a
V
. Then, the attacker chooses
'
a
ω
R
∈
*
q
Z
and
'
a
x
R
∈
*
q
Z
.
The attacker computers
'
a
PID
=
)(
'
"
2 a
PIDH
,
'
a
Ω
=
P
a
'
ω
,
'
a
g
=
),,,,(
''"'
4
tPIDmH
aaaa
ΛΩ
,
'
a
l
=
),,,,(
''"'
5
tPIDmH
aaaa
ΛΩ
,
a
h
=
),,(
'
'
3 aPCAa
PIDPKH
i
Λ
,
'
a
X
=
PxghPKlg
aaaaPCAaa
i
'1''1'
)(
−−
+Λ+−
,
'
a
σ
=
''
aa
x+
ω
.
Then, (
'
a
σ
,
'
a
Ω
,
a
Λ
,
'
t
) is the forged signature
on
'
a
m
where
'
t
is the time stamp.
(
'
a
σ
,
'
a
Ω
,
a
Λ
,
'
t
) is a correct signature because
)(
''''
aaPCAaaaa
hPKlXg
i
Λ+++Ω
=
)()
)((
''1'
'1'''
aaPCAaaa
aaPCAaaaa
hPKlPxg
hPKlgg
i
i
Λ+++
Λ+−+Ω
−
−
,
=
)(
)(
'
'''
aaPCAa
aaaPCAaa
hPKl
PxhPKl
i
i
Λ++
+Λ+−Ω
,
=
Px
aa
''
+Ω
,
=
PxP
aa
''
+
ω
=
P
a
'
σ
.
2.2.2 The Untraceability
When ECA finds to exist a malicious vehicle node
or happen the dispute, ECA can trace the real
identity of the malicious vehicle node or the dispute
vehicle node by the pseudonym
"
a
PID
= (
"
1a
PID
,
"
2a
PID
) using the method of the literature (Wang
2021). However,
"
a
PID
is generated by the attacker
without any real identity of the vehicle, so ECA
cannot trace the real identity of the vehicle.
2.2.3 The Simple Improvement
From the above attack, it can find that the main
reason that the attacker can forge a valid
signature is that the attacker can modify
arbitrarily
a
X
(=
Px
a
). Therefore, the improved
method is to limit
a
X
. The process is as
follows.
Signature stage: the vehicle
a
V
chooses
a
ω
R
∈
*
q
Z
and computes
a
Ω
=
P
a
ω
,
Two Forgeable and Untraceable Batch Authentication Schemes based on Pseudonym
987
a
g
=
),,,,,(
4
tXPIDmH
aaaaa
ΛΩ
,
a
l
=
),,,,,(
5
tXPIDmH
aaaaa
ΛΩ
,
a
σ
=
aaaaa
dlxg ++
ω
,
and then (
a
σ
,
a
Ω
,
a
Λ
,
t
) is the signature on the
message
a
m
.
The remaining stages are the same to the original
methods of the literature (Wang 2021). Because
a
X
is the input of hash functions
4
H
and
5
H
, the
attacker cannot modify the
a
X
. So, the attacker
cannot forge the valid signature without the private
key of the signer.
3 REVIEW, SECURITY
ANALYSIS AND
IMPROVEMENT OF
CERTIFICATELESS
AUTHENTICATION SCHEME
3.1 The Simple Improvement
Zeng et al.’s certificateless authentication scheme
(Zeng 2020) consists of six stages: SetupSys Stage,
PartKey Extract Stage, User Key Generation Stage,
Pseudonym Generation Stage, Signature Stage and
Verification Stage.
3.1.1 SetupSys Stage
System initialization: KGC (Key Generation
Center) chooses
1
s
R
∈
*
q
Z
as its private key and
computes its public key
K
P
=
Ps
1
. TA (Trusted
Authority) chooses
s
R
∈
*
q
Z
as its main private
key and computes its public key
T
P
= sP .KGC
and TA choose randomly five hash functions
h
:
G
→
*
q
Z
,
1
h
:
*
}1,0{
→
*
q
Z
,
3
h
,
4
h
:
2**
}1,0{}1,0{ ×× G
→
*
q
Z
,
2
h
:
2*
}1,0{ G×
→
*
q
Z
. KGC and TA issue the public system
parameters {
P
, G , q ,
T
P
,
K
P
,
1
h
~
4
h
}.
RSU initialization: for a given RSU, TA
chooses
r
k
R
∈
*
q
Z
as RSU’s private key and
computes RSU’s public key
r
PK
=
Pk
r
. Then,
choose
h
R
∈
*
q
Z
and compute RSU’s signature
Sig
r
= sh(
r
ID
||
r
PK
||
T
) where
T
is the time
stamp.
Vehicle initialization: for a given vehicle
i
V
, TA
gives a real identity
i
RID
and a password
i
PWD
to
i
V
. Then,
i
V
computes
i
Q
=
)(
i
RIDh
and
i
AID
= (
i
Q
,
)(
Ti
PhRID
β
⊕
).
3.1.2 PartiKey Extract Stage
When a vehicle
i
V
requests KGC to generate the
partial key, KGC chooses
i
d
R
∈
*
q
Z
and
computes
i
D
=
Pd
i
,
i
ϕ
=
i
d
+
)||||(
21 Kii
PDQhs
mod q . KGC sends (
i
D
,
i
ϕ
) to
i
V
.
After
i
V
gets (
i
D
,
i
ϕ
),
i
V
accepts (
i
D
,
i
ϕ
) if
P
i
ϕ
=
i
D
+
)||||(
2 KiiK
PDQhP
.
3.1.3 User Key Generation Stage
The vehicle
i
V
chooses
i
x
R
∈
*
q
Z
and computes
i
X
=
Px
i
. Then, its private key is
i
SK
= (
i
ϕ
,
i
x
) and
its public key
i
PK
= (
i
D
,
i
X
).
3.1.4 Pseudonym Generation Stage
For a given vehicle
i
V
, RSU choose
i
r
R
∈
*
q
Z
and
computes its pseudonym
i
ID
= (
i
T
,
1i
ID
,
2i
ID
),
where
1i
ID
=
PrR
it
,
2i
ID
=
)(
Ti
PhRID
β
⊕
)(
Tii
PrTh⊕
and
i
T
is the valid period.
3.1.5 Signature Stage
Given a message
i
M
= (
i
m
,
i
T
), the vehicle
i
V
chooses
i
w
R
∈
*
q
Z
and computes the signature (
i
σ
,
i
W
), where
i
W
=
Pw
i
,
i
h
3
=
)||||||(
3 iiii
TXDIDh
,
i
h
4
=
)||||||||(
4 iiiii
TXWMIDh
,
i
σ
=
iiiii
wxhh
ϕ
++ )(
34
mod
q .
ICBEB 2022 - The International Conference on Biomedical Engineering and Bioinformatics
988
3.1.6 Verification Stage
After RSU gets a signature (
i
σ
,
i
W
), RSU
checks if the signature is fresh. If the signature
is fresh, RSU verifies if
P
i
σ
=
iKiiiii
hPDWXhh
134
)( +++
.
(2)
When RSU gets
n
signatures on
n
message,
RSU makes the batch verification as the
literature (Zeng 2020).
3.2 Security Analysis and
Improvement of Zeng et al.’s
Certificateless Authenti-cation
Scheme
Here, we make the analysis on the security of
Zeng et al.’s certificateless authentication
scheme. We show that Zeng et al.’s
certificateless authentication scheme exists the
same security drawback as the above scheme
(Wang 2021), namely Zeng et al.’s
certificateless authentication scheme does not
satisfy the unforgeability. At the same, their
scheme also does not satisfy the traceability for
the real identity of the vehicle.
3.2.1 The Forgeability Attack
Here, the attacker acts as a malicious KGC. The
attacker can forge a signature with known the secret
key of KGC but it cannot replace the public key of
the vehicle
i
V
. Finally, the attacker cannot be traced
afterwards.
The attacker chooses
'
i
ID
= (
'
i
T
,
'
1i
ID
,
'
2i
ID
),
'
i
Q
,
and
'
i
m
. Then, the attacker chooses
'
i
w
R
∈
*
q
Z
and
'
i
d
R
∈
*
q
Z
.
The attacker computers
'
i
D
=
Pd
i
'
,
'
3i
h
=
)||||||(
'''
3 iiii
TXDIDh
,
'
1i
h
=
)||||(
''
2 Kii
PDQh
,
'
i
W
=
iii
XhPw
'
3
'
−
,
'
4i
h
=
)||||||||(
''''
4 iiiii
TXWmIDh
,
'
i
σ
=
'
11
'''
4 iiii
hsdwh ++
,
Then, (
'
i
σ
,
'
i
W
) is the forged signature on
'
i
m
.
(
'
i
σ
,
'
i
W
) is a correct signature because
P
i
'
σ
=
Phsdwh
iiii
)(
'
11
'''
4
++
,
=
PhsPdPwh
iiii
'
11
'''
4
++
,
=
PhsPdXhXhPwh
iiiiiiii
'
11
''
3
'
3
''
4
)( +++−
,
=
PhsPdXhWh
iiiiii
'
11
''
3
''
4
)( +++
,
=
Kiiiiii
PhDXhWh
'
1
''
3
''
4
)( +++
.
3.2.2 The Untraceability
When TA finds to exist a malicious vehicle node,
according to the scheme (Zeng 2020), TA can trace
the real identity of the malicious vehicle node
i
V
by
the pseudonym
'
i
ID
= (
'
i
T
,
'
1i
ID
,
'
2i
ID
), namely
i
RID
=
)()(
'
1
'
2 iTi
sIDhPhID ⊕⊕
β
. However,
'
i
ID
is chosen
by the attacker without any real identity of the
vehicle
i
V
, so TA cannot trace the real identity
i
RID
of the vehicle
i
V
by computing
)(
'
2 Ti
PhID
β
⊕
)(
'
1i
sIDh⊕
.
3.2.3 The Simple Improvement
From the above attack, it can find that the main
reason that the attacker acts as a malicious KGC can
forge a valid signature is that the attacker can
modify arbitrarily
i
W
(=
Pw
i
). Therefore, the
improved method is to limit
i
W
. The process is as
follows.
Given a message
i
M
= (
i
m
,
i
T
), the vehicle
i
V
chooses
i
w
R
∈
*
q
Z
and computes the signature
(
i
σ
,
i
W
), where
i
W
=
Pw
i
,
i
h
3
=
)||||||||(
3 iiiii
TWXDIDh
,
i
h
4
=
)||||||||(
4 iiiii
TXWMIDh
,
i
σ
=
iiiii
wxhh
ϕ
++ )(
34
mod
q
,
and then (
i
σ
,
i
W
) is the signature on the message
i
m
.
The remaining stages are the same to the original
methods of the literature (Zeng 2020). Because
i
W
is
the input of the hash function
3
h
, the attacker cannot
Two Forgeable and Untraceable Batch Authentication Schemes based on Pseudonym
989
modify the
i
W
. So, the attacker cannot forge the
valid signature even who knows the private key of
KGC.
4 CONCLUSIONS
In this paper, two batch authentication schemes
based on pseudonym is reviewed. Then, this paper
gives an analysis on the security of the two batch
authentication schemes. The analysis shows that
both of the batch authentication schemes do not
satisfy the unforgeability, a malicious vehicle node
or a malicious KGC (Key Generation Center) can
forge a signature on any choose message which
leads to be untraceable of the real identity of the
vehicle. In other words, the two batch authentication
schemes also hold the traceability. This paper also
presents an improvement method on the security
problems of the two batch authentication schemes.
However, this paper does not give the detailed
formal security analysis for both batch improved
authentication schemes which will be as the future
research work.
ACKNOWLEDGEMENTS
This work was supported by the Key Disciplines of
Computer Science and Technology of Shanghai
Polytechnic University, the Innovation Program of
Shanghai Municipal Education Commission
(No.14ZZ167), the Cultivation of Innovative talents-
Construction of Curriculum System-Electronic
Information (No. A30DB212103-0350), the
Collaborative Innovation Platform of Electronic
Information Master of Shanghai Polytechnic
University, the First Class Undergraduate Specialty
“Network Engineering” Construction in Shanghai
(No.A30DB212103-0305), the Network Engineering
Teaching Funds (No. A01GY21G013-0202).
REFERENCES
Alanazi, F., Shareeda, A., Ozguner, F. (2019). An
Efficient Cppa Scheme for Intelligent Transportation
Networks. Pervasive and Mobile Computing, 59(8): 1-
16.
Bayat, M., Barmshoory, M., Rahimi, M., et al. (2015). A
secure authentication scheme for VANETs with batch
verification. Wireless Networks, 21(5): 1733–1743.
Cui, J., Tao, X., Zhang, J., et al. (2018). HCPA-GKA: A
hash function-based conditional privacy-preserving
authentication and group-key agreement scheme for
VANETs. Vehicular Communications, 14: 15–25.
Gayathri, N.B., Thumbur, G., Reddy, P., et al. (2018).
Efficient pairing-free certificateless authentication
scheme with batch verification for vehicular ad-hoc
networks. IEEE Access, 6: 31808–31819.
He, D., Zeadally, S., Xu, B., et al. (2015). An efficient
identity-based conditional privacy-preserving
authentication scheme for vehicular ad hoc networks.
IEEE Transactions on Information Forensics and
Security, 10(12): 2681–2691.
Horng, S., Tzeng, S., Li, T., et al. (2017). Enhancing
security and privacy for identity-based batch
verification scheme in VANETs. Vehicular
Technology, IEEE Transactions, 66(4): 3235-3248.
Horng, S.J., Tzeng, S.F., Huang, P.H., et al. (2015). An
efficient certificateless aggregate signature with
conditional privacy-preserving for vehicular sensor
networks, Inf. Sci., 317:48-66.
Huang, D., Misra, S., Verma, M. (2011). PACP: An
Efficient Pseudonymous Authentication-based
Conditional Privacy Protocol for VANETs. IEEE
Transactions on Intelligent Transportation Systems,
12(3): 736-746.
Li, J., Lu, F., Guizani, M. (2015). ACPN: A novel
authentication framework with conditional
privacypreservation and non-repudiation for VANETs.
IEEE Transactions on Parallel and Distributed
Systems, 26(4): 938–948.
Lin, X., Sun,X., Ho,P., et al. (2007). GSIS: A Secure and
Privacy Preserving Protocol for Vehicular
Communications. IEEE Trans, 56(6): 3442-3456.
Liu, J., Yuen, T., Au,M., et al.(2014). Improvements on an
authentication scheme for vehicular sensor networks.
Expert Systems with Applications, 41(5): 2559-2564.
Liu, Z., Xiong, L., Peng, T., et al.(2018). A realistic
distributed conditional privacy- preserving
authentication scheme for vehicular ad hoc networks.
IEEE Access, 6: 26307–26317.
Lo, N.W., Tsai, J.L. (2016). An efficient conditional
privacypreserving authentication scheme for vehicular
sensor networks without pairings. IEEE Transactions
on Intelligent Transportation Systems, 17(5): 1319–
1328.
Ma,L., Yang,Q., Lai,J.(2020). A certificateless-based
aggregated signature scheme with designated verifier
property, Henan Science and Technology, 717(17):
10-12.
Qu, F., Wu,Z., Wang,F., et al.(2015). A security and
privacy review of VANETs. IEEE Transactions on
Intelligent Transportation Systems, 16(6):2985-2996.
Shim, K.A.(2012). CPAS: An efficient conditional privacy
preserving authentication scheme for vehicular sensor
networks. IEEE Transactions on Vehicular
Technology, 61(4): 1874–1883.
Wang, F., Xu, Y., Zhang, H., et al. (2016). 2FLIP: A two-
factor lightweight privacy-preserving authentication
ICBEB 2022 - The International Conference on Biomedical Engineering and Bioinformatics
990
scheme for VANET. IEEE Transactions on Vehicular
Technology, 65(2): 896–911.
Wang, J., Zhao, M., Chen, Z., et al. (2021). An
authentication scheme for conditional privacy
preserving based on pseudonym in intelligent
transportation. Netinfo Security, 4:49-61.
Xie, Y., Li, X., Zhang, S., et al. (2020). An improved
provable secure certificateless aggregation signature
scheme for vehicular ad hoc NETworks. Journal of
Electronics & Information Technology, 42(5): 1125–
1131.
Zeng, P., Guo,R., Ma,Y., et al. (2020). Provable security
certificateless authentication scheme for vehicular ad
hoc network. Journal of Electronics & Information
Technology, 42(12):2873-2881.
Zhang, L., Wang, J., Mu, Y. (2020). Secure and privacy-
preserving attribute-based sharing framework in
vehicles ad hoc networks. IEEE Access, 8:116781-
116795.
Zhang, L., Wu, Q., Dominggo, F., et al. (2017).
Distributed aggregate privacy-preserving
authentication in VANETs. IEEE Transactions on
Intelligent Transportation Systems, 18(3): 516-526.
Zhao, N., Zhang, G., Gu, X. (2020). Certificateless
aggregate signature scheme for privacy protection in
VANET, Computer Engineering, 46(1): 114-128.
Zhong, H., Wen, J., Cui, J., et al. (2016). Efficient
conditional privacy-preserving and authentication
scheme for secure service provision in VANET.
Tsinghua Science and Technology, 21(6): 620–629.
Zuo, L., Chen, Z., Xia, P., et al.(2019). Improved efficient
certificateless short signature scheme, Journal:
Computer Science, 46(4):172-176.
Zuo, L., Zhang, M., Hu, K., et al.(2020). Certificateless
short signature scheme with double KGC, Application
Research of Computers, 137(5): 1482-1487.
Two Forgeable and Untraceable Batch Authentication Schemes based on Pseudonym
991
