ID-based Safety Message Authentication for Security ...

ID-based Safety Message Authentication for Security and Trust in Vehicular Networks Subir Biswas

Jelena Miˇsi´c

Vojislav Miˇsi´c

Department of Computer Science University of Manitoba Winnipeg, Canada R3T 2N2 Email: [email protected]

Department of Computer Science Ryerson University Toronto ON, Canada M5B 2K3 Email: [email protected]

Department of Computer Science Ryerson University Toronto ON, Canada M5B 2K3 Email: [email protected]

Abstract—We present a safety message authentication scheme for vehicular ad hoc networks using an ID-based signature and verification mechanism. An ID-based technique offers a certificate-less public key verification, while a proxy signature provides with flexibilities in message authentication and trust management. In this scheme, we present a combination of IDbased proxy signature framework over the standard ECDSA for VANET’s safety application messages. We claim that this scheme is resilient against all major security threats and also efficient in terms of computation complexity.

I. I NTRODUCTION Vehicular Ad hoc Networks (VANETs) promise us a way of safe driving with the help of a variety of potential applications mainly for road safety, traffic management, vehicle maintenance and driver assistance. Ideally, a VANET offers two fundamental types of communications- vehicle-to-infrastructure (V2I), and vehicleto-vehicle (V2V) communications. In a typical implementation of VANET, each vehicle is equipped with a wireless communication device called an on-board unit (OBU), whereas a road-side unit (RSU) is installed at a road-side location. The system is coordinated by a trusted third party central authority (CA) which could be the department of transportation (DOT) of a country or territory. Vehicles can independently communicate with an RSU, at the same time, they can also communicate with themselves within the communication range of each other. An RSU is typically used for broadcasting emergency road-safety messages, changed road-condition notifications, locality information, and for commercial applications. On the other hand, an OBU can communicate with an RSU or other OBUs in the communication range mainly for sharing vehicular information like speed, acceleration, location, changed road-condition etc. Due to the ad hoc nature of the network and high speed mobility of vehicles, VANET entities like RSUs and OBUs can not be pre-authenticated while operating on road. This poses a high degree of vulnerability to the functionality of the network in terms of security, privacy and trust. Adversaries either from the provider or among the consumers may take advantage of unauthenticated communications in VANETs for several anti-social or criminal activities. For instance, an unauthorized entity could send out a malicious software update for the users of a VANET. Installation

of such malware in the system might result in a massive failure of vehicles in terms of irregular behavior, security malfunctioning, and/or user privacy. An adversary may mislead the traffic system by broadcasting false traffic-safety or changed road-condition messages on a certain road. Also, a malicious entity may repeat an expired traffic-safety notification to handicap the road-traffic system in the coverage area of a VANET. An expired message could be a commercial application message (e.g. an electronic flyer of a nearby shopping mall), illegitimate replay of which might jeopardize the value added services from providers of VANETs. Thus, a VANET safety (or other application) message must be authenticated by the vehicles on road. The IEEE standards 1609.2 [1] for Wireless Access in Vehicular Environment (WAVE) define the VANET security services, which adopted ECDSA-based [2] message authentication for VANET communications. The ECDSA is a variant of the conventional Digital Signature Algorithm (DSA) which is based on the Elliptic Curve Cryptosystem (ECC). ECC provides the same level of security strength as the other discrete logarithm based systems, while the size of required parameters for ECC is much smaller than that of the discrete logarithm based systems. Therefore, ECDSA is fast, efficient and an effective mechanism for a service oriented, ad hoc, and dynamic network like VANET. However, with the existing solution from the current standards, a sender of safety messages enjoys full freedom of creation, distribution, and re-distribution of a safety- or other application message. Since an RSU is installed at the roadside location without having much physical protection or surveillance, and also a sender vehicle on road is most likely to be an unknown entity to a receiving vehicle, trusting the received content might be harmful. This is because, an adversary could take over an RSU and transmit malicious safety messages to deceive the vehicles on road through the compromised RSU. In reality, it is obvious that a road-safety message, an emergency traffic notification, or a software update is issued by the trusted third party higher authority (e.g. the department of transportation) rather than an ordinary road-side unit (RSU) or a vehicle (OBU). For a V2I communication, regardless of the actual origin

(an RSU, or the department of transportation), an RSU is to deliver VANET’s emergency/road-safety messages due to the limitation with an RSU’s processing ability and communication range as indicated by the IEEE Dedicated Short Range Communications (DSRC) standards [3]. Also, depending on application’s coverage area, a delivered message might need to be forwarded by vehicles at a multi-hop distance. Hence, multiple entities are to be involved in a VANET application message generation and distribution process. In this paper, an ID-based authentication scheme is presented which uses proxy signature on ECDSA in order to address the security and trust issues for road-safety and other emergency application messages— while accommodating the requirements by the existing VANET standards IEEE 802.11p DSRC [3] and WAVE protocol stack 1609.x [1], [4], [5]. We organize the rest of the paper as follows: Section II contains the motivation for an ID-based proxy signature in VANET communications. Section III provides with the useful information and definitions for our scheme. Section IV illustrates our scheme in details. Security analysis and performance comparisons are given in Section V and Section VI respectively, while Section VII contains the concluding remarks of the paper. II. M OTIVATION FOR ID- BASED A PPROACH AND P ROXY S IGNATURE IN VANET S An ID-based signature allows a verifier to use a publicly well-known piece of information about the signer for the verification of the digital signature. Depending on the context, this public information could be an actual identity of the signer, signer’s host network address, signer’s email address, or even a combination of any number of such identifications. ID-based cryptosystem was first proposed by Adi Shamir in 1984 using the difficulty of integer factoring [6]. Later, few other researchers attempted to resolve the open issues with ID-based encryption. Cocks proposed a quadratic residuosity based solution [7], while Hess [8] and Boneh et al. [9] introduced similar schemes based on bilinear Diffie-Hellman problem. An ID-based system is very efficient for a VANET system in a sense that a verifier entity (e.g. an OBU) does not require to store, fetch, and verify the public key certificates of the emergency/road-safety application message signer from a third-party trusted authority. As a result, a VANET can save on storage, communication bandwidth, and time complexities which makes an ID-based system a delicate replacement for PKI-based signature schemes for vehicular networks’ applications. Delegation of rights to sign messages on behalf of the message originator is a much required feature for many of the road-safety/emergency applications in VANETs. In a system where it is impractical for the original signer (e.g. department of transportation) to sign a message destined to an end user or a verifier (e.g. an OBU), the right of signing can be transferred or delegated to an intermediate entity (e.g. an RSU, or an OBU) called a proxy signer.

The proxy signer RSU signs the message on behalf of the original signer, and when the end user (usually an OBU) verifies the message he/she can distinguish the signed message as signed by the proxy signer RSU rather than the original signer. Originally introduced by Mambo et al. [10] in 1996, proxy signature mechanism has been improved further by a number of researchers with new security features and added functionalities [11], [12], [13], [14], [15], [16], [17], [18]. In general, a proxy signature offers a system with resilience to message forgery, repudiation, impersonation, exculpability etc. In our previous work ( [19], [20], [21]), we used proxy signature scheme for preventing user privacy and replay attack in vehicular ad hoc networks. We considered an RSU as a valid member of RSU group where each member RSU would include its certificate within the periodic beacon or WAVE Service Announcement (WSA) [4] to authenticate itself. We also assumed in our previous work that an RSU is trusted by the central authority, while an OBU doesn’t trust the corresponding RSU without verifying the received message. In this paper, we present a practical VANET security scheme where RSUs are independent of each other for signing and delivering a message- either on the RSU itself, or on behalf of the central authority (CA). Regardless of the origin of a message, a verifier can verify the message by using only the location information of the receiver node, and without requiring further any public key certificates. We also provide flexibility in message authentication by forwarding signature materials for a road-safety application message to other VANET entities, when the application scope of a message is larger than the communication range of the message delivering entity. III. P RELIMINARIES In this section, we briefly describe the fundamentals of the proxy signature approach as well as the elliptic curve digital signature algorithm (ECDSA) scheme. A. Proxy Signature Definition 1. Proxy Signature: Proxy signature refers to a variation of digital signature that designates an entity (called a proxy signer) to sign a message on behalf of the original signer. Definition 2. Partial Delegation: The original signer derives a secondary secret key from a primary secret such that it is computationally infeasible to retrieve the primary secret from the knowledge of the secondary secret key. The primary secret is kept with the original signer, while the derived secret key is delivered to the proxy signer in a secure way. 1) Review of Proxy Signature Mechanism: An original signer, a proxy signer, as well as a verifier are involved in proxy preprocessing, proxy signature, and verification of a proxy signature scheme. The following steps are generally followed:

i. Proxy derivation: An original signer generates a proxy key from the original secret key as required by partial delegation based proxy signature. ii. Proxy delivery and verification: Original signer delivers the proxy tuple to the proxy signer. A proxy signer can verify the proxy tuple using a verification equation. iii. Signing: A proxy signer uses any ordinary digital signature scheme to sign a message on behalf of the original signer. It uses the proxy key (derived by the original signer) as the secret key for signing the message. iv. Verification of the proxy signature: Upon reception of the proxy signature, an end user derives a new public key from the original signer’s public key. This new public key is used for verification of proxy signature using the verification method of the corresponding signature scheme. B. On ECDSA We use an elliptic curve over a finite field for our scheme. Below, we discuss some of the preliminary issues with the elliptic curve and ECDSA. Definition 3. A finite field F p is a finite set of p elements along with addition and multiplication operations on F. The number of elements is denoted as the order of the finite field. There exists a finite field of order q if and only if q is a prime power, and on the other hand, if q is a prime power, then there exists only one finite field of order q denoted by Fq . Definition 4. An Elliptic Curve E over a finite field F p is defined in the form of the following equation: y2 = x3 + ax + b,

ii. Signature Generation: The signer computes (x1 , y1 ) = kG; where k is a random number and 1 ≤ k ≤ q. The signer then computes r = x1 mod q and s = k−1 (SHA1(m) + dr)mod q; where if r = 0 or s = 0, the signer aborts the current operation and restarts the procedure. (r, s) represents the signature for message m. iii. Verification: A verifier first checks if r and s are in the interval [1, q−1]. It then does the following computations: w = s−1 mod q u1 = SHA1(m)w mod q u2 = rw mod q X = u1 G + u2 Q If x , O and v = r, the verifier accepts the signature, otherwise rejects. IV. O UR S CHEME As required by an identity-based approach, signatures on VANET application messages in our approach are to be made verifiable using a publicly known identity information associated with the signer. This essentially waives the necessity of a public key certificate from a trusted third party for the signature verification. We therefore use in our approach, the current location information of a signer as the signer’s identity in order to sign and verify the proxy signature, while in the process, ECDSA is used as the basic signature mechanism. A. Notations Table I denotes the notations used throughout the illustration of our scheme. TABLE I N OTATIONS

(1)

where a prime p > 3; a, b ∈ Fp , and 4a3 + 27b2 . 0(mod p). The set of elements of the Elliptic Curve E(F p ) consists of the points (x, y) where x ∈ F p and y ∈ F p . A point at infinity O together with the set of points E(F p ) identifies an elliptic curve. Note that the addition, multiplication, and inversion operations on an elliptic curve points are different from ordinary binary operations. Please refer to [2] for the detailed description of the mentioned operations. 1) ECDSA Domain Parameters: The domain parameters of Elliptic Curve Digital Signature Algorithm (ECDSA) require an Elliptic Curve E over a finite field of size q, and a base point G ∈ (Fq ). Value q is chosen as a prime power pt where p is a prime number, and t is a positive integer. In our scheme, t = 1, thus p = q. Also, as indicated in eqn.(1), two field elements a and b are chosen, where, a, b ∈ (Fq ). All these parameters could be shared by the entities or by some specific user depending upon the ECDSA configuration. 2) ECDSA Summary: A signer of message m follows the steps: i. Key Pair Generation: Select a random number d ∈R Z∗q to compute Q = dG; where G is a base point of the elliptic curve E(F p ).

Component CA q x G ko ki H(.) m tm am IDi IDo t ||

Description trusted central authority a prime number of size 160 bits system’s master secret; 1 < x < q a base point on the elliptic curve E(F p ) a random secret with 1 < ko < q for the original signer a random secret with 1 < ki < q for proxy signer i a one way hash function (e.g. SHA1) a message to be signed by the proxy signer expiry information of message m position tolerance for a message m location information of the proxy signer RSU i location information of the original signer of m current time, rounded up in few seconds, minutes etc. concatenation operation

B. Geographical Scope A VANET application provider (either a CA, or an RSU) can decide on the size of the geographical area within which an application message is valid. If the application message is delivered outside the scope determined by the message source, it’d be discarded immediately by the receiver. A technique is given below for determining the geographical tolerance of an application message along with a verification procedure using which an OBU can determine if a received message is legitimate in the current location, or not.

The following steps illustrate ID-based proxy signature with ECDSA for VANET applications. 1) Key Setup: i. CA generates a system secret x; where 1 < x < q and computes Q = xG.

(2)

This Q is a public parameter, and is preloaded to all possible verifiers in the network. ii. CA then randomly picks ko ; where 1 < ko < q for the original signer to compute Ro = ko G mod q.

Fig. 1. Geo-scope of a message m as shown by the solid circle, and the communication range of an RSU as indicated by dashed circle

iii. For each RSUi under a particular CA decides a random number ki , and determines Ri using the following equation. Ri = ki G mod q.

1) Determination of am : Whenever a message m is generated by CA, a geographical scope of the message in form of a position tolerance value (am ) is associated within. In Fig. 1 the solid line circle represents the geographical scope of m, whereas, the dashed circle indicates the communication range of an RSU. CA— the actual source of m, determines a region for which m is valid as an application message. Let γ be the radius of the region of geographical scope for message m. We assume that the value of γ is always a power of 2. That is, for a positive integer n, γ = 2n . Hence, the tolerance value for message m is computed as am = log2 γ. This am will be used by a receiving OBU to determine the validity of m in its current location. 2) Validation of Geographical Scope: Upon receiving a message m, an OBU compares its own location (obtained from GPS data) with the origin of m taking into account the tolerance value am specified in the message. Let the current GPS data includes l-bits long xgps and ygps for latitude and longitude information respectively of an OBU. The validation of geographical scope is done at an OBU in the following manner: i. Take l − am most significant bits from both xgps and ygps and replace the remaining bits with 0s. The outcome 0 would be xgps and y0gps . 0 0 ii. Return (xgps , ygps ) as the new location information. 0 , y0 ) matches with the source iii. Verify if location (xgps gps location (ID information in this case) of the received message. C. An ID-based Proxy Signature in VANET With ECDSA In our proposed VANET model, an emergency/road-safety application message is generated by a trusted central authority (e.g. department of transportation), while the issued message is signed and delivered to end users (OBUs) by corresponding road-side units (RSUs) on behalf of the originator of the message.

(3)

(4)

iv. The actual location info of the original signer CA (IDo ) and the proxy signer RSUi (IDi ) are public, and all the verifier OBUs in the vicinity of the RSU are aware of their own locations from GPS. CA generates message m along with its expiry information tm , and the geographic tolerance am . It then computes, hi,m = H(IDi ||IDo ||m||tm ||am ).

(5)

v. The proxy key of RSUi for a message m is computed at the CA as Si,m = (ki + hi,m x)ko−1 mod q.

(6)

vi. (Si,m ||m||tm ||am ) is delivered to the RSUi in a secure way. The proxy signer verifies the proxy key Si,m by checking if Ri = (Si,m Ro −hi,m Q)mod q holds. If it does not, the proxy signer requests for a fresh proxy key from the original signer CA. 2) Payload Preprocessing: RSUi computes a session parameter k p based on the payload content and the expiry information of the message. k p = H(IDi ||t) (x p , y p ) = k p Ro

(7)

3) Proxy Signature: i. Once the payload is processed, proxy signer RSUi generates the proxy signature using the following equation. S p,i,m = k−1 p (H(m) + Si,m x p ) mod q.

(8)

ii. The proxy signature (S p,i,m ||Ro ||Ri ) along with the tuple (m||tm ||am ) is delivered to the end user (an OBU).

4) Verification: i. Upon receiving the signature along with a message, a receiver OBU j computes h j,m = H(ID j ||IDo ||m||tm ||am ); where ID j denotes the location information of OBU j . ii. The following verification equation is checked. (x p , y p ) = (H(m)Ro + x p (Ri + h j,m Q))S−1 p,i,m mod q. (9) The above equation holds if the signature is valid. Value x p is independently computed at the verifier end using verifier OBU j ’s location information ID j and current system time t over eqn. (7). We assume that the rounded up location information of RSUi is same as the rounded up location information of OBU j within the RSU’s communication range. That is, IDi = ID j . 5) Correctness: We examine the proxy-key generation—, and proxy signature verification equations (eqn. (6) and (8)) in order to prove the correctness of our scheme. Theorem 1. If the proxy key verification equation holds, the proxy key is valid. Proof: The proxy key (eqn. (6)) is given as: Si,m = (ki + hi,m x)ko−1 mod q. Multiplying both sides by ko G gives, Si,m ko G mod q = (ki G + hi,m xG) mod q; using eqn. (2), (3) and (4), yields: Si,m Ro = (Ri + hi,m Q) mod q or, Ri = (Si,m Ro − hi,m Q) mod q. This is proxy key verification equation used by proxy signer RSUi . Hence, if the verification equation holds, the proxy key is valid. Theorem 2. If a proxy signature (S p,i,m ||Ro ||Ri ) on a given message content (m||tm ||am ) is generated by a valid proxy signer RSUi , it would be accepted by a verifier OBU j . Proof: We investigate the proxy signature equation (eqn. 8). S p,i,m = k−1 p (H(m) + Si,m x p ) mod q; −1 or, S p,i,m = (k−1 p H(m) + Si,m x p k p ) mod q; using eqn.(6) yields: −1 −1 S p,i,m = (k−1 p H(m) + (ki + hi,m x)ko x p k p ) mod q; −1 −1 −1 or, S p,i,m = (k p H(m) + ki ko k p x p + hi,m xko−1 k−1 p x p ) mod q; dividing both sides by S p,i,m , we get: −1 −1 1 = (k−1 + ki ko−1 k−1 + p H(m)S p,i,m p x p S p,i,m −1 −1 −1 hi,m xko k p x p S p,i,m ) mod q; multiplying by G on both sides, we get: −1 −1 G = (k−1 + ki ko−1 k−1 + p H(m)S p,i,m G p x p S p,i,m G −1 −1 −1 hi,m xko k p x p S p,i,m G) mod q −1 −1 −1 −1 or, G = (k−1 p H(m)S p,i,m G + (ki G)ko k p x p S p,i,m + −1 −1 −1 hi,m (xG)ko k p x p S p,i,m ) mod q; replacing (xG) and (ki G) using eqn. (2) and (4) yields: −1 −1 G = (k−1 + Ri ko−1 k−1 + p H(m)S p,i,m G p x p S p,i,m −1 −1 −1 hi,m Qko k p x p S p,i,m ) mod q −1 or, k p ko G mod q = (ko H(m)S−1 p,i,m G + Ri x p S p,i,m + −1 hi,m Qx p S p,i,m ) mod q; using again, eqn. (3), we get: k p Ro mod q = (Ro H(m)S−1 + Ri x p S−1 + p,i,m p,i,m

Fig. 2. Framework of ID-based Safety Message Signature and Forwarding in VANET

hi,m Qx p S−1 p,i,m ) mod q −1 −1 or, (x p , y p ) = (Ro H(m)S−1 p,i,m +Ri x p S p,i,m +hi,m Qx p S p,i,m )mod q or, (x p , y p ) = (Ro H(m) + x p (Ri + hi,m Q))S−1 p,i,m mod q. A verifying OBU receives a message within the communication range of the corresponding RSU. Since, OBU j is in the communication range of RSUi , we can say ID j = IDi which implies hi,m = h j,m from eqn. (5). Therefore, the above equation yields as: (x p , y p ) = (Ro H(m) + x p (Ri + h j,m Q))S−1 p,i,m mod q. We derived the verification equation from the proxy signature equation (eqn. (8)). Hence, if a proxy signature is generated by a legitimate proxy signer, the signature passes the verification process. D. Forwarding of VANET’s Safety Messages If the geographical scope of a VANET’s safety application doesn’t have a complete network coverage through RSUs, an outbound vehicle’s OBU can be used for forwarding authenticated messages to the vehicles- operating on road, and beyond the RSU’s communication range. An OBU— outside the communication range of an RSU, may receive the broadcast through an intermediate “message-forwarder” OBU. The receiver vehicles checks the signature contents for the verification of the message. One easy way to accomplish that is— forwarding exactly the same signature materials as received from RSU. The receiving OBU verifies the signature as if it has received the message from the corresponding RSU. However, since the message is already authenticated by the forwarding OBU, repeating the full verification process in each receiving OBU would be inefficient. Also, in case of any dispute, there is no way to distinguish the message source— if it was received directly from an RSU, or from an intermediate OBU. We present here an efficient and bandwidth friendly way of signature forwarding (along with the message contents) for ID-

based message authentication mechanisms- VANET ECDSA proxy signature. If the proxy signature from RSUi is verified and accepted by an OBU, the OBU can forward the contents (S−1 p,i,m ||u||Ro ||m) to vehicles that are in the communication range of the forwarding OBU, but outside the range of RSUi . Note that, S−1 p,i,m , and u = (Ri + h j,m Q) are already derived at the forwarding OBU during the initial proxy signature verification process; while, value Ro was pre-computed at CA during the key setup phase. Assuming that a receiver of forwarded content is identified as ID0j (=current location of OBU j0 ) whose clock is synchronized with the VANET system time, and the vehicle is within the geo-scope of m; the forwarded signature is verified as follows. i. Compute k0 = H(ID0j ||t). ii. Compute (x0 , y0 ) = k0 Ro (mod q). iii. Verify (x0 , y0 ) = (H(m)Ro + x0 u)S−1 p,i,m (mod q). If the last equation holds, the forwarded message is accepted, otherwise discarded. V. S ECURITY A NALYSIS The security of our scheme depends mainly on the size of the prime q, and the hardness of solving the elliptic curve discrete logarithm problem. In our approach, an original signer of a safety message is a trusted entity. We assume that the central authority (CA) is secured against any kind of physical compromise, whereas a proxy signer RSU could be malicious, or compromised by an adversary. Therefore, an RSU would not be trusted by a vehicle without the verification of the generated proxy signature for a particular message. The followings are possible attack/misbehaviour scenarios with our scheme: • A malicious RSU may attempt to sign a false or a modified message. • An RSU may launch a replay attack by signing an old message. • Given that there are multiple RSUs under the same central authority, a malicious entity may attempt to impersonate an RSU to falsify that by sending a forged signature on a harmful message. This misconduct is known as exculpability. • A malicious RSU may sign a harmful message and later deny its involvement in producing such signature. This potential misbehavior is referred to as repudiation. In the light of the above potential misconduct, we derive the following lemmas to prove the strength of our scheme. Lemma 1. RSUi can not generate a valid proxy key Si,m . Proof: In order to generate a valid proxy key Si,m , a proxy signer RSUi would require the system secret x, hash value hi,m over the corresponding identities (IDi and IDo ), and two other random numbers ki , ko as indicated in eqn.(6). The secret x is irreversible from the knowledge of the public key Q, since that involves point multiplications of an elliptic curve E(F p ).

The corresponding identity values indicate the location information of the entities, which are fixed and must not be changed by the proxy signers as they will be used by the verifier OBUs during the verification of the proxy signature. Different hash values on them would result in an unsuccessful verification. The other two random numbers ki and ko are selected by the CA. Assuming that both of them are 160 bit random numbers, the joined probability of a successful guessing of ki and ko is 1/(2160 − 1)2 . Lemma 2. RSUi can not launch a false message attack and a replay attack. Proof: While signing a message m on behalf of CA, a proxy signer RSUi uses the proxy key Si,m which has been exclusively produced by CA. As given in eqn. (6), CA uses secrets ki , ko , x, the hash value hi,m . This hash value hi,m incorporates the generated message m, expiry info tm etc. Therefore, any change or modification on message content m, or expiry information tm would result in a different proxy key Si,m value for which the signature in eqn. (8) would be different. This makes sure that a false message or a replay attack with this approach will not be successful. In addition to that, since location information of CA and the RSUi are also associated with the corresponding proxy key by eqn. (5) and eqn. (6), a malicious RSU can not use a different set of location information to reproduce the signature in a different location of VANET. Lemma 3. An ID-based ECDSA proxy signature in VANET is non-repudiable and non-exculpable. Proof: An adversary may use the identity of a different RSU to launch an impersonation attack. Assume, RSUv uses another proxy signer RSUi ’s location info IDi instead of IDv , and calculates hi,m0 = H(IDi ||IDo ||m0 ||tm0 ||a0m ) to use in eqn.(6) for IDi ’s proxy key Si,m . Since location information of CA and the RSUi are associated with the corresponding proxy key by eqn. (5) and eqn. (6), a malicious RSU can not use a different set of location information to reproduce the signature in a different location of VANET. Assuming that the total number of proxy signer is much less than q, one can not (other than CA) reproduce Si,m with an acceptable probability. Hence, a valid proxy signature S p,i,m for a given message can only be created by RSUi , and therefore, it is non-repudiable. Apart from that, a verifier OBU would use IDv as the identity of the proxy signer during the verification. Thus, using Si,m0 instead of Sv,m0 for the proxy signature operation would not get the signature passed the verification process. The original signer CA keeps record of all individual proxy keys (Si,m ) along with corresponding ki values. If there is any dispute, CA can reproduce the signature using the credentials of the disputed RSU(s). Therefore, a proxy signer RSUi can not sign a message that would appear as signed by a different

TABLE II C OMPARISON AMONG RELATED ECDSA- BASED SCHEMES IN TERMS OF NUMBER OF DIFFERENT TYPES OF OPERATIONS USED , AND FEATURES . Item

ECDSA [2]

ECDSA-based proxy signature [16]

Proposed scheme

3

ID-based ECDSA signature [23] 4

Point multiplications Modular inverse operations Hash operations ID-based approach Proxy signature

4

4

2

2

2

2

2

2

2

4

7

3

7

3

7

7

3

3

security threats, which is appropriate for authentication and trust management in vehicular network environment. The security and performance analysis indicates the strength of the approach. R EFERENCES

entity, which preserves non-exculpability in our scheme. Lemma 4. ID-based ECDSA proxy signature in VANET is resilient to a proxy-key compromise attack. Proof: Suppose, an adversary successfully compromises an RSUi , and finds the proxy key Si,m . The adversary then attempts to launch an impersonation attack by signing a potentially harmful message using the compromised proxy key Si,m . As indicated in eqn.(8), for launching a modified message m0 , an adversary would require to generate the corresponding proxy key Si,m0 . However, as shown in lemma 1, an adversary cannot produce a proxy key with an acceptable probability. Thus, signing a modified message using the compromised proxy key is not possible in our scheme. VI. C OMPARISON ECDSA-based signatures are more efficient than pairingbased approaches since a point multiplication operation in ECDSA are 20 times faster than a pairing operation [22]. Table. II compares the proposed scheme with three other ECDSA-based techniques [16], [2], and [23] in terms of required operations for both signature generation and verification stages. The most expensive operation type here is the point multiplication, since it involves multiple ordinary multiplications as well as modular inverse operations. On the other hand, a one-way hash function imposes very negligible computation complexity for processing. Our scheme is reasonably efficient in computation complexity as it requires just one extra point multiplication and only two additional hash operations compared to the standard ECDSA signature mechanism, while providing both- proxy, and ID-based signing capability. VII. C ONCLUSION In this paper, we present a VANET framework for ID-based proxy signature technique with ECDSA, where we combined the identity-based features along with the ECDSA proxy signature. The approach is secure and resilient against potential

[1] “IEEE trial-use standard for wireless access in vehicular environments (wave)- security services for applications and management messages,” IEEE, New York, NY, IEEE Std 1609.2, Jul. 2006. [2] D. Johnson and A. Menezes, “The elliptic curve digital signature algorithm (ecdsa),” Certicom Research, Canada; and Dept. of Combinatorics and Optimization, University of Waterloo, Canada, Tech. Rep., 1999. [3] “Draft amendment for wireless access in vehicular environments (WAVE),” IEEE, New York, NY, IEEE Draft 802.11p, Jul. 2007. [4] “IEEE trial-use standard for wireless access in vehicular environments (wave)- networking services,” IEEE, New York, NY, IEEE Std 1609.3, Apr. 2007. [5] “IEEE trial-use standard for wireless access in vehicular environments (wave)- multi-channel operation,” IEEE, New York, NY, IEEE Std 1609.4, Nov. 2006. [6] A. Shamir, “Identity-based cryptosystems and signature schemes,” in Proceedings of CRYPTO 84 on Advances in cryptology. New York, NY, USA: Springer-Verlag New York, Inc., 1985, pp. 47–53. [Online]. Available: http://portal.acm.org/citation.cfm?id=19478.19483 [7] C. Cocks, “An identity based encryption scheme based on quadratic residues,” in In IMA Int. Conf. Springer-Verlag, 2001, pp. 360–363. [8] F. Hess, “Efficient identity based signature schemes based on pairings,” in SAC 2002, LNCS 2595. Springer-Verlag, 2002, pp. 310–324. [9] D. Boneh and M. Franklin, “Identity-based encryption from the weil pairing,” SIAM J. Comput., vol. 32, pp. 586–615, March 2003. [Online]. Available: http://portal.acm.org/citation.cfm?id=639069.639089 [10] M. Mambo, K. Usuda, and E. Okamoto, “Proxy signatures for delegating signing operation,” in CCS ’96: Proceedings of the 3rd ACM conference on Computer and communications security. New York, NY, USA: ACM, 1996, pp. 48–57. [11] S. Kim, S. Park, and D. Won, “Proxy signatures, revisited,” in ICICS ’97: Proceedings of the First International Conference on Information and Communication Security. London, UK: Springer-Verlag, 1997, pp. 223–232. [12] Z. Dong, L. Shengli, and C. Kefei, “Cryptanalysis of LKK proxy signature,” in Progress on Cryptography. Springer-Verlag, 2004, pp. 161–164. [13] L. Wei-min, Y. Zong-kai, and C. Wen-qing, “A new id-based proxy blind signature scheme,” Wuhan University Journal of Natural Sciences, vol. 10, no. 3, pp. 555–558, 2005. [14] M. Cai, L. Kang, and J. Jia, “A multiple grade blind proxy signature scheme,” Intelligent Information Hiding and Multimedia Signal Processing, International Conference on, vol. 2, pp. 130–133, 2007. [15] J.-H. Park, Y.-S. Kim, and J. H. Chang, “A proxy blind signature scheme with proxy revocation,” Computational Intelligence and Security Workshops, International Conference on, vol. 0, pp. 761–764, 2007. [16] M.-H. Chang, I.-T. Chen, and M.-T. Chen, “Design of proxy signature in ecdsa,” in ISDA ’08: Proceedings of the 2008 Eighth International Conference on Intelligent Systems Design and Applications. Washington, DC, USA: IEEE Computer Society, 2008, pp. 17–22. [17] X. Sun and M. Xia, “An improved proxy signature scheme based on elliptic curve cryptography,” Computer and Communications Security, International Conference on, vol. 0, pp. 88–91, 2009. [18] Q. Xue, F. Li, Y. Zhou, J. Zhang, Z. Cao, and H. Qian, “An ecdlpbased threshold proxy signature scheme using self-certified public key system,” in MobiSec, 2009, pp. 58–70. [19] S. Biswas and J. Misic, “Proxy signature-based rsu message broadcasting in vanets,” in Proceedings of the 25th Biennial Symposium on Communications (QBSC), 2010. Kingston, ON, Canada: IEEE, 2010, pp. 5 – 9. [20] ——, “Establishing trust on vanet safety messages,” in Proceedings of the Second International Conference on Ad Hoc Networks, 2010. Victoria, BC, Canada: Springer, 2010. [21] ——, “Deploying proxy signature in vanets,” in Proceedings of the IEEE GLOBECOM 2010: Global Communications Conference, 2010 (to appear), 2010.

[22] L. Chen, Z. Cheng, and N. P. Smart, “Identity-based key agreement protocols from pairings,” Int. J. Inf. Secur., vol. 6, pp. 213–241, June 2007. [Online]. Available: http://portal.acm.org/citation.cfm?id=1272509.1272511 [23] H. Jin, H. Debiao, and C. Jianhua, “An identity based digital signature from ecdsa,” Education Technology and Computer Science, International Workshop on, vol. 1, pp. 627–630, 2010.