Abstract
Vehicular ad hoc networks play an important role in current intelligent transportation networks, which have attracted much attention from academia and industry. Vehicular networks can be implemented by Long-Term Evolution Advanced (LTE-A) networks, which have been formally defined in a series of standards by third-generation partnership projects (3GPP). Abundant challenges exist in the authentication processes in LTE-A-based vehicular networks. This paper aimed to improve the security functionality of these vehicular networks by proposing a secure and efficient group authentication and privacy-preserving scheme for vehicular networks based on fuzzy system: the group authentication and privacy-preserving level (GAPL). Compared with existing schemes, the proposed scheme can greatly reduce the number of control message transmissions from mass vehicular equipment (VEs) to the network and substantially avoid overhead in LTE-A-based vehicular networks. Privacy-preserving levels are established to protect VE privacy in authentication. Furthermore, the scheme contains security functions, including privacy preservation, non-frameability and non-repudiation verification.
Introduction
Vehicular ad hoc networks (VANETs) have recently been emerging as mobile ad hoc networks [1]. This type of network can effectively contribute to improving road safety and driving environments. However, due to the large scale of vehicular networks and the nature of open wireless channels, the mobile trajectory is easily tracked, making vehicular networks vulnerable to various threats. For example, an attacker may broadcast messages in a wireless channel, analyze data, predict trajectories, and track vehicles. If the vehicular network exposes the private information of vehicles, it will not be widely accepted by the public [2]. Therefore, providing the necessary security functions to vehicular networks and preserving privacy are necessary for vehicular users.
To accommodate increasing mobile data transmission demands and new multimedia applications, Long-Term Evolution (LTE) and LTE-Advanced (LTE-A) technologies have been specified by the third-generation partnership projects (3GPP) as emerging mobile communication technologies for next-generation broadband mobile wireless networks. It is widely suggested that LTE/LTE-A technologies can be applied to vehicular networks to significantly improve the quality of service for applications relative to that provided by current vehicular networks. In a vehicular network, various modes of communication can exist, including vehicle-to-vehicle (V2 V) [3], vehicle-to-pedestrian (V2P) and vehicle-to-infrastructure (V2I) communications [4]. In particular, V2 V communications constitute a type of machine-type communication (MTC) as specified in the LTE-A standard [5]. 3GPP has formally defined MTC in the standard of Release 10. An on-board unit equipped with a vehicle as vehicular equipment (VE) works as an MTC device (MTCD) with some special features, such as limited computation capacity and low power consumption. Many security threats exist in LTE/LTE-A-based vehicular networks. For example, VE must be authenticated through an authentication process using the evolved packet system authentication and key agreement (EPS-AKA) protocol specified by the 3GPP standard [6]. When a large amount of VEs need to be authenticated simultaneously, the amount of signaling required will cause serious overload, leading to the congestion in LTE/LTE-A vehicular networks. Therefore, LTE/LTE-A networks need a new authentication protocol to avoid congestion resulting from massive VE access.
Various solutions for group authentication and key management solutions for other wireless networks are available. For example, a management group with a binary tree structure and a group key scheme was proposed in [7]. However, group authentication protocols have shown no improvement in terms of their safety and signaling overhead. A polymerization proxy signature based on elliptic curves was proposed in [8]. Since this method can significantly reduce the bandwidth required by the signature and its verification and computational overheads, it has been increasingly used for mobile devices with limited resources to achieve lower energy consumption. The efficient authentication protocol (EAP) for secure group (EAPSG) is a simple and reliable group authentication framework based on Elliptic Curve Diffie-Hellman (ECDH) that was proposed in [9]. EAPSG can reduce the communication overhead and computational complexity in group authentication procedures. Compared with the conventional EAP-AKA protocol, ESPSG can enhance the security and provide better performance. The group-based lightweight authentication scheme for resource-constrained machine-to-machine communications scheme in uses group authentication to reduce severe authentication signaling congestion [10]. This scheme is a novel lightweight group authentication scheme for resource-constrained devices in the 3GPP network architecture and can achieve efficient and secure group authentication in both 3GPP and non-3GPP access scenarios.
Some research has also addressed the authentication and key agreement (AKA) protocol in LTE/LTE-A networks. The secure and efficient group AKA (SE-AKA) scheme in employs the asymmetric key cryptosystem and ECDH to provide robust security protection [11], including privacy preservation. The authentication process used by the SE-AKA scheme adopts group temporary key (GTK) generation to simplify the whole authentication process. By adopting the concept of the SE-AKA scheme, the EAP-based group AKA (EG-AKA) scheme in facilitates access by an MTCD group to the LTE core network through a non-3GPP access network. In the above-mentioned schemes [12], no group key generation method or dynamic group member management mechanism is used. A novel lightweight group authentication protocol (LGTH) was proposed in for the authentication of MTCs in LTE networks based on aggregate message authentication codes (MACs) [13]. Using LGTH, a group leader collects the MACs from all members and validates them. Compared with the public key methods, the LGTH scheme can significantly reduce the computational cost of VEs; however, it must go through a verification process, which increases signaling overhead.
Massive VEs face challenges in requesting authentication on LTE/LTE-A-based vehicular networks; thus, a novel secure and efficient group authentication scheme is designed and proposed for group-based MTCs. This scheme is named group AKA for vehicular networks (GAPL), and its outstanding features result from taking advantage of the secret sharing in and the aggregate proxy signature in (Ahmed, E., & Gharavi, H, 2018) [14, 15]. The contributions of this work can be summarized as follows: A new secure and efficient group authentication scheme is proposed for LTE/LTE-A-based vehicular networks. Compared with existing schemes, the proposed scheme can greatly reduce the number of signal exchanges between massive VEs and the network and signaling overload over LTE/LTE-A-based vehicular networks. Robust security functions, including privacy preservation, non-frameability and non-repudiation verification, can be achieved.
The remainder of this paper is organized as follows. In Section 2, the network architecture and security goals are introduced. In Section 3, the proposed GAPL scheme is presented in detail. In Section 4, the security functionality of the proposed scheme is evaluated. In Section 5, an efficiency analysis of the proposed scheme is performed. Finally, Section 6 concludes the work.
Preliminary information
Network architecture
In LTE/LTE-A-based vehicular networks, as shown in Fig. 1, an MTC user is a control center outside the network operator domain. The user can implement the services provided by one or more MTC servers to operate a large number of VEs Based on 3GPP standards, the MTC network architecture is divided into the following three parts: (1) the Evolved Universal Terrestrial Radio Access Network (E-UTRAN) (InterDigital Technology Corporation, 2018), which consists of MTC equipment and Evolved Node B (eNB); (2) the Evolved Packet Core (EPC), which consists of the Serving Gateway (S-GW), Packet Data Network Gateway (P-GW), Mobility Management Entity (MME) and Home Subscriber Server (HSS) used to perform the function of access authentication; and (3) non-3GPP access networks. The VE works as MTC equipment through the application program interface to connect to an MTC server [16–18].

Network architecture.
The MTC server can connect to the LTE-A network in the following two ways: (1) a mobile service provider deploys MTC servers to the LTE-A network to control the MTC server, and (2) the MTC user presents the MTC server in the LTE-A network [19].
When a large number of VEs access or leave the network simultaneously, signaling congestion occurs [20]. The 3GPP access technologies support some types of MTC applications, such as measurement and monitoring. When the power source is interrupted or after a synchronization time interval, the relevant VEs may be activated at the same time. This results in a large number of access requests being sent to the MME and HSS at the same time, leading to signaling congestion, which can occur in the following two places:
(1) within the wireless access network, such as when a large number of VEs access the eNB and multiple devices use the same wireless channel, and (2) in EPC nodes, including MME, S-GW and P-GW.
An aggregate proxy signature based on an elliptic curve allows a source signer to grant his signature authority to n proxy signer by n proxy signatures on n different messages. The n independent signatures aggregate into a single signature. The receiver of the user signature can check the validity of the signature by bilinear pairings. The computation and validation of the polymerization are legal.
Each group has a member manager (MM) and a tracing manager (TM). The MM is responsible for vehicle registration. The advantage of this scheme is that the signature verification workload is reduced and the verification efficiency improved.
Various important calculation problems commonly use the elliptic curve group in designing secure encryption schemes.
Problem 1: Computational Discrete Logarithm (CDL).
Given R = xP, where P, R = G p , it is easy to calculate R given x and P, but it is difficult to determine x given P and R.
Problem 2: Computational Diffie-Hellman (CDH).
Given P, xP, yP ∈ G p , it is difficult to compute xyP ∈ G p .
Problem 3: Elliptic Curve Factorization (ECF).
Given two points P and R = x • P + y • P, for x, y∈ Z q * *, it is difficult to find x • P and y • P.
Privacy-preserving levels
To subtly explain the privacy preserving function, five levels of user privacy are defined, as shown in Table 1.
Definitions of privacy-preserving levels
Definitions of privacy-preserving levels
Anonymity ((Fu, A et al., 2017),: the identities of VEs should be hidden from normal message receivers in the authentication process [21, 23]. Unlinkability: through the analysis of traffic information, an external observer cannot obtain any positive information from the encrypted information transmission process. Additionally, contact between the vehicle and the intruder cannot be established. An adversary cannot use individual vehicle tracking to hinder or cause vehicle location privacy problems [22]. Traceability: a trusted entity can trace a VE by revealing its identity in the case of any disputed situation, such as a liability investigation [24]. Non-frameability: when tracing misbehaving users, the privilege of tracing the VE cannot be abused by the single trusted entity, and more trusted entities should cooperate to reveal the identity that that an innocent user will not be framed [25]. Non-repudiation: the trusted entity or entities (e.g., the HSS, group manager or Log Export API [LEA]) have the right to verify the original information and the information non-repudiation of the vehicle. When the information is in a state of controversy, a credible agency can independently recover the true identify of a vehicle [26–28].
The security goals of the proposed scheme should be achieved to guarantee the security requirements, which include the following: Group authentication and secure key agreement: all VEs must be authenticated successfully by the core network. After successful authentication, secure channels should be established between all VEs and the MME [31]. Privacy preservation: five levels of user privacy are required to achieve anonymity, unlinkability, traceability, non-frameability and non-repudiation [29]. Attack resistance: the GAPL scheme should be able to resist various attacks in LTE/LTE-A-based vehicular networks, including replay attacks, redirection attacks, and man-in-the-middle attacks [30].
Proposed GAPL scheme
In this section, the proposed scheme is described in detail. The GAPL scheme works based on the aggregation of the proxy signature with secret sharing, which consists of the initialization phase, the group authentication phase and a real ID trace phase for the VE. In the initialization phase, the HSS distributes the proxy signature to the MME and the VE. In the group AKA phase, the MME and the VE mutually authenticate through the proxy signature and then generate a shared secret. Furthermore, any LEAs can cooperate with each other to trace the real ID of the VE. The notations used in the scheme are defined in Table 2.
Definitions of the notations used in the scheme
Definitions of the notations used in the scheme
In the system initialization phase, the HSS first initializes the whole system via the following steps.
The HSS properly chooses a k-bit prime p and generates an elliptic curve G. It selects a q-order subgroup G1 of the additive group of points over G and then chooses an arbitrary generator P of G1. It further chooses a random number
Each vehicle has an identity ID with a VE installed in the vehicle. The VE holds a unique identifier for registration in the LTE/LTE-A network. When the VE and MME first register with the network or the key expires, HSS sends each VE private key KG j -i, where j-i indicates i VE in group G j . For an MTC group containing n VEs, the group is named G1. Each VE in G1 shares group private key KG1, and each group shares private key KG1-i. When the HSS receives the identification ID M ME of the MME, the HSS computes SMME = xH1 (IDMME) as the private key and sends the key to the VE.
The HSS computes a family of unlinkable pseudo identities (
Similarly, when each VEG1-i in group G1 first accesses the network, the HSS computes S
VE
G1-i
= xH1 (ID
VE
G1-i
) as the private key saved in VEG1-i. With its real identity ID
VE
, the scheme implements full-access authentication and negotiates a secret key with the HSS for future communications. Therefore, the VE can constantly change its pseudo identity to achieve user anonymity and unlinkability in the authentication process. To achieve user traceability, non-frameability and non-repudiation, the HSS implements the (t, n) threshold method based on secret sharing via the following steps (11). For random numbers R
i
, construct a t-1 degree polynomial f
i
(x) = a0,i + a1,ix + a2,ix2 + , … , at-1,ixt-1, where a0,i = R
i
, and a1,i, a2,i, …, at-1,i are from G1. To increase the robustness, set 2t-1≤n. If there are n LEAs, then the threshold t belongs to the interval [1, (n + 1)/2]. When t is determined, the degree of the polynomial is t-1. Considering the tradeoff between secrecy and reliability, set t = [n/2] + 1. Let rm,i = f
i
(m), where m = 1, 2, …, n; thus, HSS divides each R
i
into n pieces r
m
, i. Send n pieces r
m
, i to n LEAs via the secure IPSec channel established between the HSS and the LEAs. Erase R
i
from its memory to save the storage cost. Use the detailed real ID of the VE from pieces r
m
, i to achieve traceability, non-frameability and non-repudiation. The initial process of the proposed scheme (GAPL) is described in detail as follows.
Group AKA phase
A group of VE tries to access LTE networks at the same time. First, a group leader is selected according to the communication capability, storage capacity, battery status and other characteristics of each VE, as shown in Fig. 2. The group leader representatives of all other MME members are used for mutual authentication. After confirming the identity on both sides, each VE generates a session key to ensure safety during MME communication. This process is described in detail below.

Group AKA phase.
Compute w = (EID VE G1-i ||GID||TG1-i) and h i = H2 (w), compute VG1-i = h i S VE G1-i , then send the vector (VG1-i, EID VE G1-i , GID, TG1-i) to the leader.
The group leader received all the VE member’s signature VG1-i, then let n signature polymerization into a signature
MME received the message authentication AUTH
leader
from leader, perform the following steps. Check each TG1 - i whether the timeout, if the timeout sends an authentication failed messages to the leader, otherwise enter the next validation process. Compute h
i
= H2 (EID
VE
G1-i
||GID||TG1-i), and validation the formula.
After validation successful, MME choose current time T
M
ME. Through MAC function Compute w = (EID
MME
||GID||T
MME
), among compute
The leader sends the authentication message AUTH
MME
to all the group number VEG1 - i. Perform the following steps. The VEG1 - i compute h
MME
= H2 (EID
VE
G1-i
||T
MME
), and through the formula validation MME’s identity.
If the MME have legal identity, generate the session key The VEG1 - i send the confirmation message to MME, inform MME session key generated successfully, it can communicate.
After finishing validation for the first time, to save the signature VEMME and the encrypted identity EIDMME of the MME into the VEG1 - i. When the VEG1 - i repeat access networks, can be directly to generate the session key, without the need to once again ask MME for signature and identity.
In this phase, any t LEAs can cooperate with each other to trace the real ID of the VE from the pseudo identity IDVE-i as follows.
It should be noted that this phase does not affect the total group AKA delay since VE only notifies the HSS of the authentication result after performing group authentication.
Security evaluation
In this section, the security objectives of the GAPL scheme are analyzed. Burrows-Abadi-Needham (BAN) logic, along with the analytical results of formal automated validation of internet security protocols and applications (AVISPA) verification tools, is used to confirm that the security objectives have been met. The analysis shows that the GAPL scheme can work correctly to achieve these security objectives [32]. A comparative functionality analysis against other relevant schemes is also performed, and the results demonstrate that the GAPL scheme is secure and efficient for vehicular users.
Proof of security objectives
Presently, the most widely used method of formal security protocol analysis is the formal logic analysis method. This method plays an important role in security protocols, especially authentication protocols. Burrows et al. proposed the formal use of BAN logic based on the modal logic of belief, which is used to verify protocols. Furthermore, BAN logic has important significance for security protocol development and correctness.
The logical symbols and inference rules of BAN logic are described as follows. P, Q: subjects; that is, the principal participants in the protocol. X: message. K: secret key. {X }
K
: message X is encrypted with K. P| ≡ Q P believes Q. P ⊲ X: P has received message X. P| ∼ X: P said X. Q ⇒ X: Q has the jurisdiction to X. #(X): X is fresh. P↔K ⟷ Q: K is the common pre-shared key of P and Q.
BAN logic specifies the message-meaning rules, nonce verification rules, jurisdiction rules, etc. The messages above the horizontal line are known as the conditions, while those below it are the results deduced from the known conditions. Message-meaning rules: P share the secret key K with Q. If P receives a message that X encrypted with K, then P believes that Q has sent X. Nonce-verification rule: if P believes that message X is fresh and believes that Q has sent X, then P believes that Q believes X. Jurisdiction rules: if P believes Q has sent message X, and P believes that Q believes X, then P believes X. Belief-joint rules: if P believes X and Y, then P believes messages of a cascade of X and Y; if P believes that Q believes messages of a cascade of X and Y, then P believes that Q believes X or Y; if P believes that Q has said X and Y, then P believes that Q has said X or Y; if P believes the message of a cascade of X and Y, then P believes X or Y. Freshness-joint rule: if P believes that X is fresh, P believes the entire message of a cascade with X is fresh. Reception rules: if P receives messages of a cascade of X and Y, we consider that P receives X or Y; if P receives the connection of the formula of X and Y, we consider that P receives X or Y; P shares secret key K with Q. If P receives message X encrypted with K, we can infer that P receives X. Additional rules: secret key K is fresh. If P receives message X encrypted with K and P believes that P shares secret key K with Q, we can infer that P believes Q has sent message X and that P believes that Q believes P shares secret key K with Q.
This section will be based on the BAN logic model to correctly realize the LTE-A network mutual AKA. The proof process is as follows:
To facilitate the formal analysis, by performing BAN logic analysis, the first step is to convert every step of the authentication into the idealized form.
The initial assumption is the important guarantee for GAPL analysis to be successfully conducted. It assumption included which key is the initial shared, which equipment in some situations is to be trusted, and which equipment generates a new value. Initial assumptions for the proposed agreement are the following.
The ultimate goal of the proposed scheme is to realize the mutual authentication between the VE and Leader and establish a shared session key. The expression of the objectives is presented by BAN logic as follows.
Based on m1, can
based on Statement 7 and A6, by the message-meaning rule,
based on Statement 8, by the fresh value validation and freshness verification rules,
based on Statement 13, the fresh value validation and freshness verification rules,
based on Statement 14 and A6, by the control rule,
According to the logic presentation and derivation, Goals 1–4 can be reached, demonstrating that the GAPL scheme can realize mutual authentication and session key agreement between the VE and the Leader.
Security analysis
In this section, the security properties of the proposed GAPL scheme are analyzed. Specifically, this analysis will focus on how the proposed GAPL scheme achieves the security goals discussed above.
In the key agreement process, the VE and MME keys are independent. Moreover, no key exists in any communication channel transmission. In contrast, the freshness key is authenticated by a set of authentication vectors. Furthermore, each VE group has a different key because of the random number involved in the key generation algorithm.
Formal verification
To ensure that the proposed scheme can resist malicious attacks, considering the design of the security goals, the AVISPA tool is used for formal verification of the protocol security. The AVISPA security protocol analysis tool works based on a complete set of model checking technologies and is a standard and automatic formal analysis tool. AVISPA takes the high-level protocol specification language (HLPSL) as the description tool. Using the HLPS2IF translator, AVISPA converts the description of HLPSL into an intermediate format (IF), and then, its model detector is used to verify the security functions. AVISPA has four security analysis terminals: the On-the-Fly Model Checker (OFMC), the Constraint-Logic-Based Attack Searcher (CLAtSe), the SAT-Based Model Checker (SATMC), and Tree Automata based on Automatic Approximations for the Analysis of Security (TA4SP). These four security analysis terminals have different underlying principles and foci. If a protocol can reach the expected security goals, the results of the security analysis and corresponding data will be presented. If the scheme is verified to be unsafe, the terminal will show the unrealized expected safety goal. To formally verify the security functionality of the proposed GAPL protocol in an LTE-A-based VANET, AVISPA is used for modeling and verification.
The GAPL scheme works to achieve the authentication of a VE to the MME. AVISPA can simulate intruders who can receive and send messages; in HLPSL, the intruder is named i, and its initial knowledge is explicitly defined in the specification (intruder knowledge = {...}). Once the HLPSL specification has been debugged, it will be checked for automatic attack detection by the four checkers. If the proposed protocol is safe, the checking result will report SAFE in the SUMMARY, as marked in Fig. 3. In the GAPL process, HLPSL is used to describe the basic roles of the VE and eNB. It shows the checking results from OFMC and the same results from the other three checkers. Therefore, the simulation results indicate that no revealed attacks were found. Through a simulation of intruder attacks, GAPL is proven to provide a good security presence.

AVISPA checking results of GAPL.
Table 3 clearly shows that the proposed scheme has many excellent features and is more secure than similar authentication schemes. For a vehicle in an LTE-A-based VANET, VE is resistant to various types of security attacks, and anonymity is achieved. The GAPL scheme requires relatively few communications and has low computational costs. The privacy-preserving level of support protects the privacy of VEs in LTE-A-based vehicular networks.
Definition of privacy-preserving levels
Definition of privacy-preserving levels
In this section, the performance of the proposed scheme is compared with that of several existing schemes. Computational and communication overheads are very important performance indicators and are the primary focus of this study. To obtain quantitative results, simulations are conducted to compare GAPL with several typical authentication protocols. The applied cryptographic algorithms employed in the simulation are hashed functions, including the Secure Hash Algorithm (SHA-256), the symmetric encryption Advanced Encryption Standard (AES-128), and the Elliptic Curve Digital Signature Algorithm (ECDSA-160). The parameter settings and their values are listed in Table 4 and are in agreement with the literature. Suppose there are n VEs forming a group that accesses the network t times. The analysis of the computational overhead and communication overhead is as follows. The experimental hardware is an Intel Core E5-1607 processor with a 3.00-GHz clock frequency. The simulation tool is MATLAB 2014b.
Parameter settings
Parameter settings
The communication overhead of GAPL will be compared with those of other schemes. Assume that there are n VEs forming m groups; obviously, n > m. In a VE group, communication between each member and leader, leader and MME, and MME and HSS requires one unit of time. When the VE group applies for network access for the first time during the initialization phase, the VE requests verification and distribution of the long-held private key from the HSS to the VE and MME, which needs (2n+4) units of time. In the AKA phase, VE and MME require (2n+2) units of time to go through mutual authentication. In the subsequent process validation, because of the VE’s saved information, such as the MME signature, (n + 3) units of time are needed to complete the certification process. Table 5 and Fig. 4 show the analytical results obtained for the communication overhead. As the number of VEs involved in the authentication process, the performance advantages of GAPL increase relative to other techniques.
Comparison of communication overheads
Comparison of communication overheads

Comparison of the communication overheads when t = 20.
Although the security evaluation demonstrated that the GAPL scheme is safe against various types of attacks, other types of malicious attacks and unknown types of attacks that cannot be predicted may interrupt the execution of the protocol during the authentication and key establishment phases. Therefore, it is assumed that any type of attack may randomly occur at any step of the protocol execution during authentication. The GAPL scheme cannot proceed if an attack successfully interrupts its execution. Additionally, as the number of successful attacks increases, the consumption overhead required to completely execute the protocol will also increase. VEs are resource-constrained devices in terms of their computational power, storage capacity, and power supply. As shown in Fig. 5, when VE = 200, the consumption overheads of the authentication schemes grow linearly as the probability of successful attacks increases. After the probability of a successful attack reaches 50%, probability is reached, the consumption overhead of GAPL slightly exceeds that of the GBAAM. Each of the schemes has a larger overhead when the probability of successful attack exceeds 60%.

Comparison of the consumption overheads when VE = 200.
Regarding the computational cost, EPS-AKA uses a symmetrical secret key, and its computational cost can be regarded as zero [33]. The following operations will be considered, including a point multiplication (Tmul = 0.6 ms) of the elliptic curve encryption algorithm, a pairing operation (Tpair = 4.5 ms), and an identity encryption of the elliptic curve point operation (Tetp = 0.6 ms) of the hash function. Other operations, such as point addition and one-way hash function, are ignored. Table 6 and Fig. 6 show the analytical results for the computation cost. The proposed scheme for each VE only needs one Tmul, which is better than other schemes. In an LTE-A network, this scheme’s performance is slightly poorer than those of SE-AKA and EG-AKA because GAPL uses a multiple encryption algorithm. However, GAPL can achieve privacy-preservation with one Tmul, while the other schemes cannot.
Comparison of computational costs
Comparison of computational costs

Comparison of the computational costs when t = 20.
The number of attacks used in the simulation was VE = 200. The GAPL scheme was observed to have lower computational cost than the other schemes examined. Assuming a 50% probability of successful attacks, Fig. 7 reveals that the computational costs of DGBAKA, SE-AKA and EG-AKA are lower than those of EPS–AKA and GBAAM. Nevertheless, the linear increment observed for these methods indicates that they have low resistance when the attack types are unknown. The GAPL scheme exhibits smooth ascension under 50%, indicating that the proposed scheme has strong resistance against unknown attacks.

Comparison of the computational costs when VE = 200.
Owing to its aggregation signature, GAPL can largely reduce the signaling cost and achieve low communication overhead and computational cost. However, once an invalid access request exists in the aggregation signature generation, GAPL may not have advantages in efficiency. V2 V communication, which was researched in [33], is a special type of machine-to-machine (M2M) communication [34]. Compared to other MTCDs [35], vehicles are more vulnerable to packet loss or sending bogus messages due to their mobility characteristics. To illustrate the verification cost of GAPL in the worst case, the probability of only one invalid access request in a batch is 0.42, and that of two invalid requests is 0.18; the probability of more than two invalid requests in a batch is almost negligible (i.e., approximately lower than 0.06). Thus, the verification cost of GAPL is evaluated when there is one or two invalid access requests. The worst case and average case are described in [19].
Figure 8 shows the results obtained for the total verification cost in both the worst case and the average case for an invalid request. According to Fig. 8, when there are 100 VEs, the total verification cost in the average case is less than 2000 ms; that is, verifying VE takes approximately 1.2 ms on average, even if there is one invalid access request. Note that the communication between the VE group and the MTC server in MTC service scenarios can begin after the group-based access authentication procedures are complete.

Analytical results for the verification cost of the network for an invalid request.
In this paper, a GAPL scheme based on the aggregation of the proxy signature and MAC to obtain group AKA is proposed and analyzed. The identity of the proxy signature allows multiple VEs using polymerization information aggregation to be placed into a set of identity information. A privacy-preserving level is set to support protecting the privacy of VEs during authentication. The security analysis shows that GAPL is secure against various malicious attacks [36]. Furthermore, without a cryptographic method [37–39], GAPL can achieve outstanding performance compared with existing solutions. In the future, we will continue to carry out attack test on our proposed GAPL scheme, and apply this scheme to the vehicle network for test.
Footnotes
Acknowledgments
This work was supported, the National Natural Science Foundation of China (Grant No. 61871039, 61802019, 61906017, 61932012,), the Supporting Plan for Cultivating High Level Teachers in Colleges and Universities in Beijing (Grant No. IDHT20170511), the Premium Funding Project for Academic Human Resources Development in Beijing Union University (No. BPHR2020EZ01, BPHR2019AZ01), the Beijing Municipal Commission of Education Project (No. KM201911417001), Beijing Union University project (ZK80202001, 202011417004, 202011417005, 202011417SJ025, KYDE40201702).
