3.1. System Model

• TA: As a Authority which is trusted and cannot be compromised, TA possesses strong computing and storage resources and is responsible for the initialization operations of the entire system, as well as the registration of V and RSU within the system. Besides, TA also can track malicious vehicles.
• RSU: RSU serves as the roadside infrastructure and is also a trusted entity. It provides services to the communicating vehicles and acts as an intermediary between TA and V. RSU is responsible for managing the pseudonyms of vehicles.
• V: Vehicles are the communication entities in the system and are equipped with TPD and OBU. The OBU is responsible for generating key pair, while the TPD can store the key pair and other sensitive datas.

3.2. Security Requirements

• Anonymity: The true identity of a vehicle must be transmitted in an anonymous manner, preventing a malicious adversary from analyzing the original sender’s identity.
• Traceability: If deception occurs, the true identity of the malicious vehicle can be traced.
• Message authentication and integrity: The recipient can verify the legitimacy of the sender’s identity and the validity of the message.
• Revocability: If a vehicle engages in malicious behavior, both RSU and TA can collaborate to revoke the credentials or privileges of that vehicle.
• Unlinkability: Vehicles periodically change their pseudonyms to prevent malicious third parties or vehicles from determining whether the messages originate from the same vehicle.
• Resist other attacks: The Scheme could resist typical attacks such as replay attacks, Sybil attacks, man-in-the-middle attacks, key escrow, etc.

3.3. Elliptic Curve Cryptography

4.1. System Initialization Stage

• Initially, the TA chooses an elliptic curve E, defined as $y^2=x^3+ax+b\left(\mathrm{mod}p\right)$ over a finite field of prime order p,where p is a large prime number, and $a,b\in {\mathbb{F}}_p$.Subsequently, the TA chooses an additive group $\mathbb{G}$ that has an order of q. And P serves as the generator for $\mathbb{G}$.
• Then the TA selects randomly a number $s\in {\mathbb{Z}}_q^{*}$ ,which serves as the master key of the system, and then computes $P_{pub}=sP$,which serves as the public key of the system.
• Afterward, Four general one-way hash functions are selected by TA, which include $H:{\left\{0,1\right\}}^{*}\to {\mathbb{Z}}_q^{*}$, $H_0:\mathbb{G}\to {\mathbb{Z}}_q^{*}$, $H_1:\mathbb{G}\times {\left\{0,1\right\}}^{*}\to {\mathbb{Z}}_q^{*}$, $H_2:{\left\{0,1\right\}}^{*}\times \mathbb{G}\times {\left\{0,1\right\}}^{*}$ $\to {\mathbb{Z}}_q^{*}$.
• Lastly, TA disseminates the public parameters $Param{s}_{pub}=\left\{a,b,P,\mathbb{G},H,H_0,H_1,H_2\right\}$ to all vehicles and RSUs, then, TA keeps s for itself.

4.2. Registration Stage

• The registration of Vehicle
  During the vehicle registration stage, all vehicles register offline. The registration process is as follows:

  (a)

  V generates its own private key $V_{SK}\in {\mathbb{Z}}_q^{*}$, then computes the public key $V_{PK}=V_{SK}P$.

  (b)

  V provides its real identity $VID$ and public key $V_{PK}$ to TA.

  (c)

  TA first checks the registration list to determine if V has already registered. If V is already registered, TA rejects the registration. If V is not registered, then TA chooses a number $\alpha \in {\mathbb{Z}}_q^{*}$ randomly, and TA generates $V_{token}$ for V and adds it to the list, setting the status of V as $legal$.

  (d)

  Each row in the form is formatted as follows:$V_{ID},V_{PK},V_{token},legal$.

  (e)

  The process of TA generating $V_{token}$ for V is as follows:

  $$\begin{array}{cc}\hfill & P_1=\alpha P,R_v=P_1\left(x\right)\hfill \\ \hfill & F_1=H_0\left(V_{PK}\right)\hfill \\ \hfill & S_V={\alpha }^{-1}(F_1+s{R}_v)(modq)\hfill \end{array}$$

  (1)

  (f)

  Finally, TA gets $V_{token}=(R_v,S_V)$ and sends it to the V.

• The registration of RSU
  In this stage, the RSU obtains two seeds $S_1,S_2$ for generating pseudonyms, along with the corresponding token. The entire process is as follows:

  (a)

  RSU generates its own private key $R_{SK}\in {\mathbb{Z}}_q^{*}$, then computes $R_{PK}=R_{SK}P$ which serves as its public key.

  (b)

  RSU provides its real identity $R_{ID}$ and public key $R_{PK}$ to TA.

  (c)

  TA randomly picks a number $\beta \in {\mathbb{Z}}_q^{*}$,then TA generates $R_{token}$ for RSU, the process is as follows:

  $$\begin{array}{cc}\hfill & P_2=\beta P,A=P_2\left(x\right)\hfill \\ \hfill & F_2=H_1(R_{PK}\parallel H_0(S_1\parallel S_2\left)\right)\hfill \\ \hfill & S_R={\beta }^{-1}(F_2+sA)(modq)\hfill \end{array}$$

  (2)

  (d)

  Lastly, TA generates $R_{token}=(A,S_R)$ for the RSU and selects two random seed values $S_1\in {\mathbb{Z}}_q^{*},S_2\in {\mathbb{Z}}_q^{*}$, which are used for pseudonym derivation. TA then sends these values to the RSU.

  (e)

  TA sends $\left\{R_{token},S_1,S_2\right\}$ to the RSU via a protected channel.

4.3. Pseudonym Generation Stage

• V sends a service request =$\left\{V_{PK},V_{token},T\right\}$ to the RSU where $V_{token}=(R_v,S_v)$.
• After receiving the request, The RSU will proceed with the verification.
  • Firstly, The RSU checks the valid of T.If it is valid, the process continues; Otherwise, the RSU rejects the request.
  • Secondly, The RSU checks if $V_{PK}$ is in the revocation list (RL). If it is not in the RL, the process continues, otherwise the RSU rejects the request.
  • Finally, the RSU verifies the $V_{token}$.It computes the value of ${S_v}^{-1}{F}_{1}P+{S_v}^{-1}{R}_v{P}_{pub}$, gets the x-coordinate value of the value and checks if it equals $R_v$.
• If the verification not success, then the RSU refuses to provide services to the vehicle, otherwise, the RSU uses $\left\{S_1,S_2\right\}$ to generate pseudonyms, taking $V_i$ as an example.

  $$\begin{array}{cc}\hfill & S_{i,1}=S_1⨁V_{P{K}_i}\hfill \\ \hfill & S_{i,j}=H^j\left(S_{i,1}\right)\hfill \\ \hfill & S_{i,2}=S_2⨁V_{PKi}\hfill \\ \hfill & S_{i,w-j+1}=H^{w-j+1}\left(S_{i,2}\right)\hfill \\ \hfill & PI{D}_{i,j}=H(S_{i,j}⨁S_{i,w-j+1}⨁T_j⨁{\zeta }_{i,j})\hfill \end{array}$$

  (3)

  where w represents the number of time periods in a day, ${\zeta }_{i,j}\in {\mathbb{Z}}_q^{*}$ is a number selected by RSU randomly in the j-th time interval,$j\in \left[1,w\right]$.
• After generating the pseudonym, the RSU updates the information in the revocation list. For example, it adds a new row of information $\left\{V_{VPKi},PID,available\right\}$, where $available$ means the pseudonym of the $V_i$ is avaiable. The RSU then selects a random number $\theta \in {\mathbb{Z}}_q^{*}$,and generates a signature ${\epsilon }_R$ for $(PID,R_{PK},T_2)$. It responds to $V_i$ with $response=\left\{PID,R_{token},R_{PK},H\left(S_1{S}_2\right),T_2,{\epsilon }_R\right\}$, where ${\epsilon }_R=(C,X),R_{token}=(A,S_R)$.
• The process of generating ${\epsilon }_R$ is as follows:

  $$\begin{array}{cc}\hfill & P_3=\theta P,C=P_3\left(x\right)\hfill \\ \hfill & F_3=H_2(PID\parallel R_{PK}\parallel T_2)\hfill \\ \hfill & X={\theta }^{-1}(H_2+R_{SK}C)modq\hfill \end{array}$$

  (4)
• Upon receiving the $response$, $V_i$ performs necessary operations to verify the RSU’s identity and the information’s legitimacy. The specific steps are as follows:
  • Firstly, $V_i$ checks whether $T_2$ is fresh. If that is the case, the process continues, or else the $V_i$ rejects the request.
  • Then $V_i$ verifies the legitimacy of the RSU. It computes the value of $S_R^{-1}{F}_{2}P+S_R^{-1}A{P}_{pub}$ and gets the x-coordinate value of that value and checks if it is equal to A.
  • Lastly,$V_i$ verifies the information by computing the value of $X^{-1}{F}_{3}P+X^{-1}C{R}_{PK}$, gets the x-coordinate value of that value, and checks if it is equal to C.
  • If all the above equations hold true, then $V_i$ accepts the information and uses the pseudonym for subsequent communication.

4.4. Message Signature Stage

4.5. Message Verification Stage

• Firtly,$V_j$ validates the validity of $T_2$. If it is valid, the process continues, otherwise, $V_j$ rejects.
• Then $V_j$ accesses the revocation list and checks the legitimacy of $PID$. If it is marked as $available$, the process continue, but if it is marked as $revoked$, $V_j$ rejects.
• Next $V_j$ computes $H_2(m\parallel PID\parallel V_{PK}\parallel T_3)$ and the value of $U^{-1}{F}_{4}P+U^{-1}Y{V}_{PK}$,and checks if the x-coordinate value of the value is equal to Y.
• If the equation holds true, it indicates the reliability of the message.Otherwise $V_j$ finds that m is fake message, it will report to the RSU, which will report it to the TA by sending $V_{PK}$. Then the TA will update the status of $V_{token}$ corresponding to $VI{D}_i$ as $illegal$. At the same time, the RSU will update the status of $PID$ corresponding to $V_{PKi}$ in the revocation list as $revoked$.The RSU will no longer distribute pseudonyms to $V_i$ and remove it from the system.

6.1. Computational Cost

6.2. Communication Cost