A Preference-based Privacy Protection for Value-added Services in Vehicular Ad Hoc Networks

Due to the rapid growth of smart devices, the development of vehicular ad hoc networks (VANETs) is maturing. Although many methods have been proposed to resolve the user privacy issue in VANETs, users still do not know what information is collected (e.g. geolocation) and how it is used. In this paper, we propose a secure and anonymous communication scheme based on blind signature techniques, in which users can set their own privacy preferences before joining the VANET. Our proposed scheme lets a user know whether his/her privacy preferences are suitable for the VANET environment, and provides appropriate value-added services to the user. Finally, we show that our proposed scheme meets various security requirements.

communicate with other nearby vehicles; in V2I mode, vehicles can communicate with neighboring RSUs or base stations. VANETs have been used by vehicles to broadcast safety messages. For example, if an accident happens on the road, the ambulance can broadcast a traffic message to the RSUs to control the traffic lights and notify other vehicles that there is an emergency condition.
Because VANET technology is almost fully developed, many value-added services, such as electronic road toll systems, traffic control, car location tracking and remote engine diagnosis, are provided by VANETs, which enhance the driving experience and make drivers more comfortable on the road [2,3]. However, traffic-related messages in VANETs are transmitted over the air, which brings serious problems in terms of security threats and user privacy [15,16]. Taking the security threats and privacy issues into consideration, our proposed scheme needs to achieve the following security requirements [9,10]:
Although many approaches have solved privacy issues in VANETs [4,5,11,12,13], users still do not know why such traffic-related messages are accessed and what personal data is collected. Because the core value of a VANET is its traffic-related messages, if a secure VANET environment is not provided, users may refuse to submit messages, which would be a big obstacle to the development of VANET value-added services. In this paper, our proposed scheme, which is based on blind signatures, aims to provide better user privacy protection in VANETs; more specifically, a user can set his/her own privacy preferences and be notified whether those preferences are suitable for value-added services in the VANET environment.
The rest of this paper is organized as follows. In Section 2, we describe some basic preliminaries of our scheme. Our proposed scheme is presented in Section 3. The security analysis of our scheme is given in Section 4. Finally, Section 5 concludes this paper.

Preliminaries
As a preliminary, we first introduce the components of a VANET. To protect user privacy, our scheme is based on Privacy Coach and blind signatures. A brief review of these concepts follows.

VANET Environment
Vehicular ad hoc networks (VANETs) are a special case of wireless networks that lets vehicles on the road communicate for driving safety [14]. To make users more comfortable, more and more value-added services are being provided on the road [17]. Our scheme has four main components, described below; the environment of our scheme is shown in Fig. 1:
1) Trust authority (TA): TA is the unit in charge of deploying RSUs and registering legal vehicles. When there is a traffic incident or other violation, the TA assists in processing it.
2) On-board unit (OBU): The OBU is a device in the vehicle with applications installed on it. After registering with TA, the OBU receives messages from the RSU or from other vehicles' OBUs.
3) Road Side Unit (RSU): The RSU is in charge of data exchange between the OBU and the external Internet. The RSU has storage and computational capability. Because of the high mobility of vehicles and the frequent data exchange from one RSU to another, RSUs have to handle the rapid handoff requirement.
4) Service Provider (SP): In our proposed scheme, SP provides all value-added services, such as navigation and parking services. Moreover, SP is in charge of comparing the value-added services' privacy policy, which is in a fixed XML format, with the user's privacy preferences. After completing the comparison, SP returns the result to the vehicular user.

Privacy Coach
Privacy Coach was proposed by Broenink et al.; its system model is shown in Fig. 2 [6]. Privacy Coach is a mobile application. When users first start using this mobile application, they fill in a questionnaire. Once it is finished, the privacy preferences, which are the result of the questionnaire, are set up, and the user's privacy profile is stored on the mobile phone. When the user is offered a new RFID tag, he/she just holds the mobile phone to the RFID tag to scan it, and the coach asks the provider for the privacy policy associated with the tag, which is retrieved from a database. After comparing, the coach tells the user whether the corresponding privacy policy fits the user's privacy profile. Privacy Coach helps users decide whether or not to use the RFID tag, and users can learn more about what personal data will be collected. The software is open, and more details can be found in [7]. We use the concept of Privacy Coach to determine whether the vehicular user's privacy preferences are suitable for value-added services in the VANET.

Blind Signature
The concept of the blind signature was first proposed by David Chaum in 1982 [8]. It has been used by Li et al. [5] to ensure that a vehicle user and a service provider cannot be linked. An example of a blind signature using the RSA algorithm, with two main participants, namely the sender and the signer, is as follows: 1) The sender first prepares a message m and a random blind factor r, and computes = × , where ( , ) is a public key of the signer, and send to signer. or not. The goal of the blind signature is that verifiers can only verify the correctness of the message's digital signature, but cannot trace from whom the message came.
The blind signature technique has the property of untraceability, which prevents the signer from tracing the source of a message; this property is very useful in our scheme for achieving the user privacy requirement.
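The sender/signer exchange outlined above can be followed end to end in the added example below, which is not code from the paper. It uses the textbook Chaum RSA blind signature; the toy key, the SHA-256 digest step and all function names are assumptions made for illustration.

```python
import hashlib
import math
import secrets

# Constructed toy signer key built from two Mersenne primes: demo only, never for real use.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # signer's secret exponent


def digest(message: bytes) -> int:
    """Hash the message to an integer below N (assumption: the hash is what gets signed)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def blind(message: bytes):
    """Sender: pick a random r coprime to N and hide the digest as m * r^E mod N."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return (digest(message) * pow(r, E, N)) % N, r


def sign_blinded(blinded: int) -> int:
    """Signer: an ordinary RSA private-key operation on a value it cannot read."""
    return pow(blinded, D, N)


def unblind(blind_sig: int, r: int) -> int:
    """Sender: strip the blinding factor, leaving a signature on the digest itself."""
    return (blind_sig * pow(r, -1, N)) % N


def verify(message: bytes, sig: int) -> bool:
    """Verifier: needs only the signer's public key (N, E)."""
    return pow(sig, E, N) == digest(message)


def demo():
    prefs = b"<preferences>constructed sample</preferences>"
    blinded, r = blind(prefs)
    sig = unblind(sign_blinded(blinded), r)
    # The value the signer saw (blinded) differs from the digest later presented with sig.
    return verify(prefs, sig), blinded != digest(prefs), verify(b"tampered", sig)
```

Because r is fresh for every request, two blindings of the same message look unrelated to the signer, which is the untraceability property the scheme relies on.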

Proposed Scheme
In our system, SP may provide various value-added services to vehicular users. To let vehicular users know what information is collected and which value-added services are suitable for them, before joining the VANET the vehicular users need to set their privacy preferences by filling in a questionnaire, which is installed in the OBU and set up by SP. For example, a question may be "this service will collect your location information" or "this service will share your location information with other vehicles", and the vehicular user can choose accept or not accept. After the questionnaire is finished, the answers are recorded, and the privacy preferences of the vehicular user are set up in a fixed XML format and stored on the vehicular user's OBU. An example of a questionnaire is shown in Fig. 3.

System Model
The system model of our proposed scheme has two phases: the request signature phase and the comparing phase. In the request signature phase, each vehicular user must request a blind signature of his/her privacy preferences from TA. In the comparing phase, the vehicular user sends a blind signature and his/her privacy preferences to a neighboring RSU. The RSU can verify whether the blind signature is legal or not. Once the blind signature is authorized, the RSU sends the vehicular user's privacy preferences to SP. When the vehicular user's privacy preferences are received, SP compares the user's privacy preferences with the value-added services' privacy policy, which is provided by SP. SP checks each variable of the policies, then provides appropriate value-added services to the vehicular user and allows the RSU to collect driving-related data from the vehicular user. Fig. 2 shows our system model.

Table 1. Notations used throughout the proposed scheme
A real identity of vehicular user i.
A pseudo identity of vehicular user i.
The asymmetric encryption function with Key
The asymmetric decryption function with Key
A timestamp, which vehicular user i attached.
TimePer: TimePer is a time period, which represents the period of the user's privacy preferences. For example, if the user wants to use these privacy preferences from 12:00 PM to 5:00 PM, the TimePer is 1200PM0500PM.
It includes , TimePer , privacy preferences
The signature of message m.
The identity of RSU
The location of RSU
The certificate of RSU
The public key of TA
The secret key of TA
( ) TA's signature on message by using

The notation used in the rest of this paper is shown in Table 1.

Initial Phase
In the initial phase, TA assigns itself a pair of public key and secret key, and . TA publishes its public key TPK. TA also deploys each RSU $R_i$ located at $RL_i$ and assigns each RSU an identity . TA then generates 's certificate as = ( , ), and each will store , and .

Request Signature Phase
In the request signature phase, there are two main participants, namely the vehicular user and TA; a vehicular user wants to obtain the blind signature of his/her privacy preferences. After receiving the user's real identity and privacy preferences from the vehicular user, TA generates a pseudo identity and a blind signature of the privacy preferences for the vehicular user. The procedure and the following steps are shown in Fig. 5.  ; otherwise, drop it and the procedure will be cancelled.

Comparing Phase
In the comparing phase, there are three main participants, namely the vehicular user, the RSU, and SP. The vehicular user requests to know which value-added services are suitable for his/her privacy preferences. The RSU is in charge of verifying the correctness of $S_{m_i}$, and SP is responsible for comparing the user's privacy preferences with the value-added services' privacy policy. The procedure and the following steps are shown in Fig. 4.
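SP's comparison step and the TimePer check can be made concrete with the added example below, which is not code from the paper. The paper says that preferences and policies use a fixed XML format but does not show it, so the element names, attribute names and sample documents here are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed samples. The page states that both documents use a fixed XML
# format but does not show it, so every element/attribute name is an assumption.
PREFERENCES = """<preferences timeper="1200PM0500PM">
  <item name="collect_location" answer="accept"/>
  <item name="share_location_with_vehicles" answer="not accept"/>
</preferences>"""

POLICIES = """<services>
  <service name="navigation"><collects name="collect_location"/></service>
  <service name="parking">
    <collects name="collect_location"/>
    <collects name="share_location_with_vehicles"/>
  </service>
  <service name="engine_diagnosis"><collects name="collect_engine_data"/></service>
</services>"""


def to_minutes(clock):
    """Convert a 6-character clock value such as 0500PM to minutes after midnight."""
    hour, minute, half = int(clock[:2]), int(clock[2:4]), clock[4:]
    if half not in ("AM", "PM") or not 1 <= hour <= 12 or minute > 59:
        raise ValueError(f"bad clock value: {clock!r}")
    return (hour % 12 + (12 if half == "PM" else 0)) * 60 + minute


def within_timeper(timeper, now):
    """True if `now` lies inside TimePer; a period may wrap past midnight."""
    if len(timeper) != 12:
        raise ValueError(f"bad TimePer: {timeper!r}")
    start, end, t = to_minutes(timeper[:6]), to_minutes(timeper[6:]), to_minutes(now)
    return start <= t <= end if start <= end else (t >= start or t <= end)


def suitable_services(prefs_xml, policies_xml, now):
    """Return the services whose every policy item the user answered 'accept'."""
    prefs = ET.fromstring(prefs_xml)
    if not within_timeper(prefs.get("timeper", ""), now):
        return []                      # preferences not valid at this time
    accepted = {i.get("name") for i in prefs.iter("item")
                if i.get("answer") == "accept"}
    services = []
    for svc in ET.fromstring(policies_xml).iter("service"):
        needed = {c.get("name") for c in svc.iter("collects")}
        # Deny by default: unanswered items and empty policies are not accepted.
        if needed and needed <= accepted:
            services.append(svc.get("name"))
    return services
```

With the sample data, only navigation is offered at 01:30 PM: parking needs location sharing, which the user declined, and engine diagnosis needs an item the questionnaire never covered.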

Security Analysis
In this section, we demonstrate that the proposed scheme meets the security requirements mentioned in Section 1.

Mutual Authentication
In comparing phase, the vehicular user needs to send and blind signature to nearby RSU, after receiving that

Conditional Anonymity
In this section, we illustrate that the real identity of a vehicular user cannot be exposed easily. In the request signature phase, the vehicular user encrypts his/her real identity by using TA's public key and sends it to TA. Because only TA can decrypt it by using its secret key, the vehicular user's real identity cannot be known by others. After receiving it from the vehicular user, TA generates a corresponding pseudo identity , and then sends back to the vehicular user. After that, the vehicular user communicates with others by using the pseudo identity. As a result, no one except TA can expose the real identity of the vehicular user, and our proposed scheme achieves conditional anonymity.

Unlinkability
In this section, we show why TA or the RSU cannot easily link up a vehicular user's real identity. In the request signature phase, the vehicular user sends message and requests a blind signature from TA; TA signs and sends to the vehicular user. The vehicular user can obtain . Even so, TA cannot know the source of , because is not equal to that TA has signed. As a result, TA is unable to trace the source of , and our proposed scheme satisfies unlinkability.

Traceability and Revocability
If the RSU or SP finds that is a malicious user, it will report to TA. TA can use to search its database and find the corresponding , and then trace this vehicular user and revoke his/her right to use our proposed scheme. Therefore, our proposed scheme meets traceability and revocability, which is very helpful for resisting malicious users.

Conclusions
We proposed a novel protocol for value-added services in the VANET environment, which is based on blind signature technology and is very useful for resolving the information asymmetry between the vehicle user and the data collector. Unlike other methods, our proposed scheme lets a user set up his/her privacy preferences, which are compared with the value-added services' privacy policy, and provides appropriate value-added services to the user. Hence, the user can know how traffic-related messages about him/her are used and what personal data is collected. In addition, in our proposed scheme, vehicular users use pseudo identities to communicate with other units, which protects the vehicular user's privacy. Moreover, with blind signature technology, no one, including TA, can link the source of a message to the user's identity. With the rapid growth of smart devices, more and more value-added services are being provided. As a result, protecting user privacy is more and more important. Our proposed scheme is suitable for value-added services in the VANET environment and is very helpful for the development of Intelligent Transportation Systems and smart cities.