Journal of Computer and Communications, 2014, 2, 14-21
Published Online July 2014 in SciRes. http://www.scirp.org/journal/jcc
http://dx.doi.org/10.4236/jcc.2014.29003
How to cite this paper: Caballero-Gil, P., Martín-Fernández, F. and Caballero-Gil, C. (2014) Tree-Based Revocation for Certificateless Authentication in Vehicular Ad-Hoc Networks. Journal of Computer and Communications, 2, 14-21.
http://dx.doi.org/10.4236/jcc.2014.29003
Tree-Based Revocation for Certificateless Authentication in Vehicular Ad-Hoc Networks
Pino Caballero-Gil, Francisco Martín-Fernández, Cándido Caballero-Gil
Department of Computer Science, University of La Laguna, Tenerife, Spain
Email: pcaballe@ull.es, francisco.martin.07@edu.ull.es, ccabgil@ull.es
Received April 2014
Abstract
This work proposes authentication based on identity as a way to increase the efficiency and security of communications in vehicular ad-hoc networks. When using identity-based cryptography to achieve certificateless authentication, membership revocation is not a trivial problem. Thus, in order to improve the performance of revocation in such networks, the use of a dynamic authenticated data structure based on perfect k-ary hash trees combined with a duplex version of the new standard SHA-3 is here presented. Efficient algorithms in the used revocation trees allow reaching a refresh rate of at most simple updates per inserted node. Consequently, the proposal is especially useful for situations with frequent revocations, which are foreseeable when vehicular ad-hoc networks are widely deployed.
Keywords
K-Ary Tree, Identity-Based Cryptography, Revocation, Hash Function, Vehicular Ad-Hoc Network
1. Introduction
Authentication is a crucial requirement for any communication network. On the one hand, an efficient way to authenticate legitimate and honest nodes is necessary. On the other hand, being able to exclude compromised nodes is fundamental to guarantee the trustworthiness of the network.
When communication security is based on public-key cryptography, a central problem is to guarantee that a particular public key is authentic and valid. The traditional approach to this problem is through public-key certificates emitted by a Public-Key Infrastructure (PKI), in which a Certificate Authority (CA) certifies ownership and validity of public-key certificates. This solution presents many difficulties because the issues associated with certificate management are quite complicated and expensive. A different approach is the so-called Identity-Based Cryptography (IBC), where each user's public key is his/her public IDentity (ID) so that the need for public-key certificates is eliminated.
In order to use any public-key cryptosystem in practice, an efficient revocation mechanism is necessary because private keys may become compromised. Traditionally, this problem has been solved through a centralized approach based on the existence of a Trusted Third Party (TTP), which is usually a CA distributing the so-called Certificate Revocation Lists (CRLs) that can be seen as blacklists of revoked certificates. Alternatively, some authors have proposed an approach based on hash trees as Authenticated Data Structures (ADSs) for a more efficient management of certificate revocation.
Vehicular Ad-hoc NETworks (VANETs) are self-organizing networks built up from moving vehicles that communicate with each other mainly to prevent adverse circumstances on the roads, but also to achieve more efficient traffic management. In particular, these networks are considered an emerging research area of mobile communications because they offer a wide variety of possible applications, ranging from the aforementioned road safety and transport efficiency, to commercial services, passenger comfort, and infotainment delivery. Furthermore, VANETs can be seen as an extension of mobile ad-hoc networks where there are not only mobile nodes, named On-Board Units (OBUs), but also static nodes, named Road-Side Units (RSUs). The so-called Intelligent Transportation System (ITS) includes two types of communications: between OBUs and between OBUs and RSUs [1]. Both the European standard for ITS, named ITS-G5, and its American counterpart, named Wireless Access in Vehicular Environment (WAVE), are based on the IEEE 802.11p amendment to the IEEE 802.11 standard.
Security in VANETs faces many challenges due to the open broadcasting of wireless communications and the high-speed mobility of vehicles. In these networks, any malicious misbehaving user that can inject false information, or modify/replay any previously disseminated message, could be fatal to the others. Therefore, within the family of standards for vehicular communications IEEE 1609 based on the IEEE 802.11p, the standard 1609.2 deals in particular with the issues related to security services for applications and management messages. This standard describes the use of PKIs, CAs and CRLs, and implies that in order to revoke a vehicle, a CRL has to be issued by the CA to the RSUs, who are in charge of sending this information to the OBUs. In particular, the IEEE 1609.2 standard proposes both broadcast authentication and non-repudiation through the use of the elliptic curve digital signature algorithm.
Each vehicle is assumed to have a pair of keys: a private signing key and a public verification key certified by the CA; and any VANET message must contain: a timestamp with the creation time, the sender's signature, and the sender's public-key certificate.
According to the so-called Dedicated Short-Range Communications (DSRC) channels specifically designed
for automotive use, vehicles periodically exchange with nearby vehicles beacons containing sender's information
such as location and speed because many VANET applications, such as the cooperative collision warning, rely
on the information embedded in these beacons.
In order to protect privacy in VANETs, each OBU can obtain multiple certified key pairs and use different public keys each time. These public keys are linked to pseudonyms that allow preventing location tracking by eavesdroppers. Therefore, once VANETs are implemented in practice on a large scale, their size will grow rapidly due to the increasing number of OBUs and to the use of such multiple pseudonyms. Thus, it is foreseeable that if CRLs are used, they will grow up to become very large and unmanageable. Moreover, this context can bring a phenomenon known as implosion request, consisting of many nodes who synchronously try to download the CRL during its updating, producing serious congestion and overload of the network, which could lead to a longer latency in the process of validating a certificate.
The proposal described in this paper defines the use of IBC to achieve certificateless and cooperative authentication in VANETs. It also introduces a perfect k-ary hash tree as an ADS for the management of pseudonym revocation. By using this ADS, the process of query on the validity of public pseudonyms will be more efficient because OBUs will send queries to RSUs, who will answer them on behalf of the TTP. In this way, the TTP will no longer be a bottleneck and, at the same time, OBUs will not have to download any entire revocation list. Instead of that, they will have to manage hash trees where the leaf nodes contain revoked pseudonyms. In particular, the used k-ary trees are based on the application of a duplex construction of the Secure Hash Algorithm SHA-3 that was recently chosen as standard, because the combination of both structures allows improving efficiency of updating and querying revoked pseudonyms.
This paper is organized as follows. Section 2 presents a review of related work. Concepts and notation used in the proposed authentication scheme based on the combination of IBC, perfect k-ary hash trees and a duplex version of SHA-3 are introduced in Section 3. Section 4 summarizes the main ideas of the proposal. Finally, Section 5 discusses some conclusions and open problems.
2. Related Works
Under appropriate conditions and in certain circumstances, the use of public-key cryptography can be considered essential for information security [2].
For instance, the work [3] proposes the use of a PKI to protect messages and mutually authenticate entities in VANETs. [4] also defines a PKI-based security protocol where each vehicle pre-loads anonymous public/private keys and the TTP stores all the anonymous certificates of all the vehicles. Such a scheme produces inefficiency in the certificate management process.
Also based on a PKI, a well-known solution for strong authentication in VANETs is based on the signature of each message [5]. However, the use of a traditional approach to PKIs may fail to satisfy the real-time requirement in vehicular communications because, according to the DSRC protocol, each OBU will periodically transmit beacons. Thus, even in a normal traffic scenario, it is a very rigorous requirement to deploy an authentication scheme that allows at the same time efficient revocation of invalid public keys and efficient use of valid public keys. This is exactly the main goal of this work.
A revocation method called On-line Certificate Status Protocol (OCSP) involves a multitude of validation agents that respond to client queries with signed replies indicating the current status of a target certificate. This explicit revocation method has an unpleasant side-effect because it divulges too much information. Since validation agents constitute a global service, they must involve enough replication to handle the load of all validation queries, which means that the signature key must be replicated across many servers, which is either insecure or expensive. A solution called Certificate Revocation Tree (CRT) was proposed in [6] as an improvement for OCSP involving a single highly secure entity that periodically posts a signed CRL-like data structure to many insecure validation agents so that users query these agents. In CRTs the leaf nodes are statements concerning revoked certificates, and the CA signs the root. By using CRTs, the responder can prove the status of any certificate by showing the path from the root to the leaf node without signing the response, because the signatures of any leaf node are identical, and given by the signature contained in the root. Thus, no trust in the responder is necessary. The proposal here described is based on this idea, but does not use any certificate.
The basic ADS proposed in [6] is a Merkle hash tree [7] where the leaf nodes represent revoked certificates sorted by serial number. A client sends a query to the nearest agent, which produces a short proof that the target certificate is (or not) on the CRT. [8] introduces several methods to traverse Merkle trees allowing time-space trade-offs. Other ADSs based on multi-dimensional tree structures are studied in [9] to support efficient search queries, allowing the retrieval of authenticated certificates from an untrusted repository used for dissemination by various credential issuers. Besides, many tree-balancing algorithms have been proposed in the bibliography for hash trees [10]. For instance, AVL trees are balanced by applying rotation, B-trees are balanced by manipulating the degrees of the nodes, and 2-3 trees contain only nodes with at least 2 and at most 3 children. However, in the particular application of public-key revocation, balancing trees does not necessarily minimize the overall communication.
Another interesting problem with CRTs appears each time a certificate is revoked as the whole tree must be
recomputed and restructured. Skip-lists proposed in [11] can be seen as a natural and efficient structure for the
purpose of reducing communication by balancing the CRT. However, they are not good solutions for other
problems such as insertion of new leaf nodes.
Hash trees are usually based on widely used hash functions. This work uses a new version of SHA-3, which is
a cryptographic hash function recently selected as the winner of the NIST hash function competition [12].
SHA-3 uses the Keccak function [13] and a sponge construction [14] in which message blocks are XORed into
the initial bits of the state. However, the version of SHA-3 here used is based on a duplex construction [15],
which allows a more efficient insertion of revoked nodes as leaf nodes of the revocation tree.
In order to solve the problem caused by the management of valid public-key certificates, [16] proposes the idea of an identity-based cryptosystem in which arbitrary strings can act as public keys so that there is no need for public-key certificates. The first practical identity-based encryption scheme was described in [17] using a bilinear map. Weil and Tate pairings on elliptic curves are the most efficient ways of constructing such bilinear maps [18]. The proposal here described was implemented using the Tate pairing for identity-based authentication.
3. Preliminaries
3.1. ID-Based Cryptography
The idea of IBC and, in particular, of Identity-Based Signature (IBS) is that the public identity ID of the signer can be used as verification key of a received signature, which avoids the need for any public-key certificate. In our scheme, such an identity is a public pseudonym $P_j$ sent by the signer node together with the signed message. In the used ID-based system, each node has to receive all the signing private keys $Pr_{P_j}$ linked to all its pseudonyms $P_j$ from a TTP, because it cannot generate them by itself. In particular, a TTP, called in IBC the Private Key Generator (PKG), is in charge of computing and delivering to each node, via a confidential channel, the signing private keys linked to each of its pseudonyms. On the other hand, the PKG publishes a master public key MPu and retains the corresponding master private key MPr. Thus, given the master public key MPu, any party will be able to compute the public key $Pu_{P_j}$ corresponding to any pseudonym $P_j$ by combining it with MPu. In order to use the corresponding private key, the node authorized to use a pseudonym must have received it from the PKG, which uses the master private key MPr to generate all the private keys corresponding to all the pseudonyms.
Thus, the main algorithms in the proposed IBS are as follows:
Setup: The PKG randomly picks its master private key MPr, and therefore computes and publishes its master public key MPu.
Extraction: For each pseudonym $P_j$, the PKG uses its master private key MPr to compute the corresponding private key $Pr_{P_j}$, and all pairs $(P_j, Pr_{P_j})$ are sent securely from the PKG to the corresponding owner.
Signature: A signer node uses its private key $Pr_{P_j}$ to compute the signature of a message $M$, and sends openly both the computed signature $Pr_{P_j}(M)$ and its pseudonym $P_j$.
Verification: A node that receives a signed message and corresponding pseudonym $(Pr_{P_j}(M), P_j)$ uses MPu and $P_j$ to compute $Pu_{P_j}$ and verify the signature $Pr_{P_j}(M)$.
Note that no new ID-based cryptosystem is described in this paper because it is out of its scope. The ID-based
system that has been implemented in the proof-of-concept prototype is the Boneh-Franklin scheme [17], which
uses a bilinear pairing over elliptic curves and bases its security on the Bilinear Diffie-Hellman problem.
The used ID-based system is built from a bilinear map $e: G_1 \times G_1 \to G_2$ between two groups $G_1$ and $G_2$ so that, according to the bilinearity of $e$, $e(aP, bQ) = e(P, Q)^{ab}$ for all $P, Q \in G_1$ and $a, b \in \mathbb{Z}$. Specifically, an ID-based system can be built from a bilinear map $e$ if and only if a variant of the Computational Diffie-Hellman problem in $G_1$ is hard. The considered Bilinear Diffie-Hellman problem in $G_1$ is defined as follows: Given $P$, $aP$, $bP$, $cP$, compute $e(P, P)^{abc}$, where $P \in G_1$ and $a, b, c \in \mathbb{Z}$. In particular, the used bilinear pairing $e$ is described for an elliptic curve $E$ defined over some field $K$, so it maps a pair of points of $E$ to an element of the multiplicative group of a finite extension of $K$.
The first satisfactory version of the Boneh-Franklin scheme was based on the Weil pairing [17]. However, the
scheme implemented in this work uses the Tate pairing because this is considered the most convenient bilinear
function for the Boneh-Franklin scheme in terms of computational cost. In particular, the implementation of the
proposal includes the use of Miller's algorithm to compute the Tate pairing [19].
In IBC, just a few works exist on revocation mechanisms. Here we propose a scheme to manage revoked
pseudonyms, built on the idea of revocation hash trees.
3.2. Tree Notation
The tree-based model described in this paper is based on the following notation:
$h()$: Hash function used to define the revocation tree.
$h(A_0 \mid A_1 \mid \ldots)$: Digest obtained with the hash function $h$ applied on the concatenation of the inputs $A_i$, $i = 0, 1, \ldots$
$D$ ( 1): Depth of the hash tree.
$d_x$ ($< D$): Depth of an internal node $x$ in the tree.
$t$: Total number of revoked pseudonyms.
$RP_j$ ($j = 1, 2, \ldots, t$): $j$-th Revoked Pseudonym.
$N_{ij}$ ($i = D - d_{N_{ij}}$ and $j = 0, 1, \ldots$): Internal Node of the hash tree.
$N_{0j}$ ($j = 0, 1, \ldots$): Leaf Node of the hash tree.
$k$: Maximum number of children for each internal node in the hash tree.
$f()$: Keccak function used in SHA-3.
$n$: Bit size of the digest of $h$.
$s$: Bit size of the input to $f$.
$r$: Bit size of the input blocks for $h$ after padding.
$l$: Bit size of the output blocks that build the digest of $h$, which is here assumed to be lower than $r$.
3.3. K-Ary Hash Tree
In order to improve efficiency of communication and computation in the management of revocations in
VANETs, some authors have proposed the use of particular ADSs such as Merkle trees [7] and skip lists [20]
[21]. However, to the best of our knowledge no previous work has described in detail the use of perfect k-ary
trees as hash trees for revoked pseudonym management.
In general, a hash tree is a tree structure whose nodes contain digests that can be used to verify larger pieces of data. The leaf nodes in a hash tree are hashes of data blocks while nodes further up in the tree are the hashes of their respective children so that the root of the tree is the digest representing the whole structure. Most implemented hash trees require the use of a cryptographic hash function $h$ in order to prevent collisions.
On the one hand, each leaf node $N_{0j}$ of a hash tree is given by a hash value. On the other hand, for each internal node $N_{ij}$, $i$ is defined by the distance from the node to a leaf node, or the depth of the node. Hence, a leaf node has $i = 0$ and the root has $i = D$. The subindices $j$ of all nodes $N_{ij}$ of each level are numbered from left to right, so that, for instance, $N_{i0}$ is the leftmost node of level $i$.
Like most hash trees, the Merkle tree is a binary tree, so each internal node $N_{ij}$ is the hash value of the concatenation of its two children: $N_{ij} = h(N_{i-1,0} \mid N_{i-1,1})$.
On the contrary, this work proposes the use of a more general structure known as k-ary tree, which is a rooted tree in which each node has no more than $k$ children, and each internal node is obtained by hashing the concatenation of all the digests contained in its children. Specifically, we propose the use of a perfect k-ary tree in which all leaf nodes $N_{0j}$ are at the same depth $D$ (see Figure 1). In this way, one of the major drawbacks of ordered tree structures, which is the necessary restructuring when there are changes in the tree, only occurs in our proposal when the perfect k-ary tree requires the introduction of a new level of depth, because otherwise the nodes are simply inserted from left to right in order to complete each level of depth.
The authenticity of the used hash tree structure is guaranteed thanks to the TTP signature of the root $N_{D0}$. When an RSU answers an OBU's query on a pseudonym, it proceeds in the following way. If it finds the digest of the pseudonym among the leaf nodes of the tree, which means that it is a revoked pseudonym, the RSU sends to the OBU the route between the root and the corresponding leaf node, along with all the siblings of the nodes on this path. After checking all the digests corresponding to the received path, and the TTP signature of the root, the OBU gets convinced of the validity of the received evidence on the revoked pseudonym.
3.4. Duplex Version of SHA-3
Regarding the cryptographic hash function $h$ used in the hash tree, the proposal is based on the use of a new version of the Secure Hash Algorithm SHA-3. In SHA-3, the padding of the input is a minimum 10*1 pattern that consists of a 1 bit, zero or more 0 bits (maximum $r-1$) and a final 1 bit, and the basic cryptographic hash function $f$ called Keccak contains 24 rounds of a basic transformation that involves 5 steps. There the input is represented by a 5 × 5 matrix of 64-bit lanes. However, the proof-of-concept of our proposal has been implemented using 32-bit lanes in order to increase flexibility.
Figure 1. Hash tree based on a perfect 5-ary tree.
Another variation of SHA-3 is the combination of a duplex version of the sponge structure of SHA-3 [15] and a hash k-ary tree. On the one hand, like the sponge construction of SHA-3, our proposal based on a duplex construction also uses Keccak as fixed-length transformation $f$, the same padding rule based on the 10*1 pattern, and data bit rate $r$, which is here assumed to be 352. On the other hand, unlike a sponge function, the duplex construction output corresponding to an input string might be obtained through the concatenation of the outputs resulting from successive input blocks (see Figure 2).
In this way, the use of the duplex construction in our proposed hash tree allows the insertion of a new revoked
node as new leaf node of the tree by running a new iteration of the duplex construction only on the new revoked
node. In particular, the RSU can take advantage of all the digests corresponding to the sibling nodes of the new
node, which were computed in previous iterations, by simply discarding the same minimum number of the last
bits of each of those digests so that the total size of the resulting digest of all the children remains the same, n,
which is here assumed to be the lowest possible size of SHA-3 digest, 224. Thus, while the maximum number of
children of an internal node has not been reached, the RSU stores not only all the digests of the tree but also the
state resulting from the application of Keccak hash function f in the last iteration corresponding to such internal
node, in order to use it as input in a next iteration.
4. Certificateless Authentication
In the scheme proposed in this work, a node does not need any certificate to prove the binding to its public key. Instead of that, an ID-based authentication scheme and revocation trees are used. We consider the following basic authentication architecture, which includes three main parties:
TTP: This entity acts as key distribution centre because it is responsible for generating and assigning related parameters for VANET nodes, and for revoking pseudonyms of misbehaving OBUs and public keys of misbehaving RSUs.
RSU: This entity serves as a gateway to provide OBUs within its transmission range with any requested information about revoked pseudonyms.
OBU: Each vehicle is equipped with an OBU, which periodically broadcasts signed beacons that are received by neighbour OBUs and RSUs.
The proposed model is based on the use of a pseudonym $P_j$ set by each OBU, so that for each one the TTP provides the OBU with a corresponding private key $Pr_{P_j}$. If any of those pseudonyms is revoked by the TTP, it inserts all the pseudonyms corresponding to the same OBU in the revocation tree. The TTP is also responsible for periodically updating the tree by deleting the expired pseudonyms, and for restructuring the tree when necessary. After each update, the TTP sends the corresponding modifications of the updated tree to all RSUs.
Figure 2. Proposed duplex construction.
The RSU has to search vehicle pseudonyms in the revocation tree each time an OBU requests it. The RSU must provide the requesting OBU either with a verifiable revocation proof of any revoked pseudonym or with a signed message indicating that the requested pseudonym has not been revoked and is labelled as “OK”. In the first case, by using the answer data, the OBU can verify the TTP signature of the received signed root, recompute the root of the revocation tree, and check it by comparing it with the received signed root.
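The revocation proof described in Section 3.3 and checked by the OBU in the paragraph above, as an added example (not code from the paper or its prototype): a perfect k-ary hash tree filled left to right, the RSU's path-plus-siblings answer, and the OBU's root recomputation. It assumes standard SHA3-224 from `hashlib` instead of the paper's duplex variant, adds a leaf/node prefix byte, and takes `trusted_root` to be a root whose TTP signature has already been verified; all class and function names are hypothetical.

```python
import hashlib
import hmac

def leaf_hash(pseudonym: bytes) -> bytes:
    # N_0j = h(RP_j). The 0x00/0x01 prefixes are an added domain separator
    # (an assumption, not in the paper) so a leaf is never read as a node.
    return hashlib.sha3_224(b"\x00" + pseudonym).digest()

def node_hash(children: list) -> bytes:
    # N_ij = h(child_0 | child_1 | ...) over the children present so far.
    return hashlib.sha3_224(b"\x01" + b"".join(children)).digest()

class RevocationTree:
    """Perfect k-ary hash tree, filled left to right (TTP/RSU side)."""

    def __init__(self, k: int):
        self.k = k
        self.levels = [[]]  # levels[0] = leaf digests, levels[-1] = [root]

    def insert(self, pseudonym: bytes) -> int:
        """Append a revoked pseudonym; return the number of digests refreshed."""
        self.levels[0].append(leaf_hash(pseudonym))
        idx, i = len(self.levels[0]) - 1, 0
        while i == 0 or len(self.levels[i]) > 1:
            if i + 1 == len(self.levels):   # tree was full: add a level of depth
                self.levels.append([])
            parent = idx // self.k
            kids = self.levels[i][parent * self.k:(parent + 1) * self.k]
            if parent == len(self.levels[i + 1]):
                self.levels[i + 1].append(node_hash(kids))
            else:
                self.levels[i + 1][parent] = node_hash(kids)
            idx, i = parent, i + 1
        return i  # one refreshed digest per level on the path to the root

    def depth(self) -> int:
        return len(self.levels) - 1

    def root(self) -> bytes:
        return self.levels[-1][0]  # valid once at least one leaf exists

    def prove(self, pseudonym: bytes):
        """RSU answer: for each level, (position, digests of the whole sibling
        group). Returns None if the pseudonym is not in the tree."""
        target = leaf_hash(pseudonym)
        if target not in self.levels[0]:
            return None
        idx, path = self.levels[0].index(target), []
        for i in range(self.depth()):
            parent = idx // self.k
            group = self.levels[i][parent * self.k:(parent + 1) * self.k]
            path.append((idx % self.k, group))
            idx = parent
        return path

def verify_revocation(pseudonym: bytes, path, trusted_root: bytes, k: int) -> bool:
    """OBU side: recompute the root from the leaf and the sibling groups."""
    current = leaf_hash(pseudonym)
    for pos, group in path:
        if not (0 <= pos < len(group) <= k) or group[pos] != current:
            return False
        current = node_hash(group)
    return hmac.compare_digest(current, trusted_root)

if __name__ == "__main__":
    tree = RevocationTree(k=5)
    for n in range(7):                       # constructed sample pseudonyms
        tree.insert(b"PSEUDONYM-%02d" % n)
    proof = tree.prove(b"PSEUDONYM-06")
    print("depth:", tree.depth())
    print("revoked proof ok:",
          verify_revocation(b"PSEUDONYM-06", proof, tree.root(), 5))
    print("not revoked:", tree.prove(b"PSEUDONYM-99") is None)
```

A proof checked against an outdated root fails as soon as the tree changes, so the OBU must hold the current signed root before accepting the evidence.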
The proposed scheme is computationally efficient since it obviates the need to sign each RSU reply, as it removes most of the trust from it. The only case when the RSU's trust is questioned is when it provides an “OK” answer because that could be a fraud.
In this regard, when an OBU receives an “OK” message signed by a cheating RSU, it trusts it momentarily. However, when it contacts another RSU, it asks it again about the same pseudonym. If this RSU provides the OBU with a proof of revocation whose timestamp contradicts the “OK” answer signed by the questioned RSU, the OBU sends to the latter RSU an impeachment on the questioned RSU, so that the honest RSU can send it to the TTP who will revoke its public key by deleting it directly from the revoked RSU. Otherwise, if the second RSU also sends a signed “OK” message, the OBU goes on asking about the same pseudonym until it reaches either a contradiction or a prefixed trust threshold.
Thus, each OBU stores locally in two separate and complementary structures, the pseudonyms of those OBUs
that it has previously checked as unreliable, and of those OBUs that have been reliable till then. Therefore, in the
future, if it reconnects with any of these vehicles, it can use such information to decide how to proceed. If there
is no RSU nearby, it uses these data to decide whether to establish the communication or not. Otherwise, even if
there is an RSU nearby, there is no need to re-ask it about a checked revoked pseudonym.
5. Conclusion
One of the most important security issues in VANETs is authentication, involving an efficient management of both valid and invalid public keys. On the one hand, we have proposed identity-based cryptography to achieve certificateless authentication, which increases efficiency and security in vehicular communications. On the other hand, in order to deal with the problem of revocation management as VANETs grow, this paper has introduced the use of a dynamic authenticated data structure based on k-ary hash trees combined with a duplex version of the new standard SHA-3. Such a structure allows taking advantage of the digests of previous revoked pseudonyms for calculating the hash value corresponding to every new revoked pseudonym. Therefore, its insertion in the hash tree can be performed by a single iteration of the hash function. There are still some open questions such as the analysis of optimal values for the parameters and a comparison with previous proposals.
Acknowledgements
Research supported under TIN2011-25452, IPT-2012-0585-370000 and BES-2012-051817.
References
[1] ETSI (2012) Intelligent Transport Systems. http://www.etsi.org/index.php/technologies-clusters/technologies/intelligent-transport
[2] Blake-Wilson, S. (2000) Information Security, Mathematics, and Public-Key Cryptography. Designs, Codes and Cryptography, 19, 77-99. http://dx.doi.org/10.1023/A:1008345904539
[3] Hubaux, J.P., Capkun, S. and Luo, J. (2004) The Security and Privacy of Smart Vehicles. IEEE Security and Privacy, 2, 49-55. http://dx.doi.org/10.1109/MSP.2004.26
[4] Raya, M. and Hubaux, J.P. (2007) Securing Vehicular Ad Hoc Networks. Computer Security, 15, 39-68.
[5] IEEE-1609 (2006) Family of Standards for Wireless Access in Vehicular Environments (WAVE). US Department of Transportation.
[6] Kocher, P. (1998) On Certificate Revocation and Validation. FC’98. LNCS 1465, 172-177.
[7] Merkle, R. (1980) Protocols for Public Key Cryptosystems. IEEE Security and Privacy, 1109, 122-134.
[8] Jakobsson, M., Leighton, T., Micali, S. and Szydlo, M. (2003) Fractal Merkle Tree Representation and Traversal. CT-RSA. LNCS 2612, 314-326.
[9] Goodrich, M., Shin, M., Tamassia, R. and Winsborough, W. (2003) Authenticated Dictionaries for Fresh Attribute Credentials. Trust Management, LNCS 2692, 332-347.
[10] Cormen, T., Leiserson, C. and Rivest, R. (1990) Introduction to Algorithms. MIT Press.
[11] Goodrich, M., Tamassia, R., Triandopoulos, N. and Cohen, R. (2003) Authenticated Data Structures for Graph and Geometric Searching. CT-RSA. LNCS 2612, 295-313.
[12] Chang, S., Perlner, R., Burr, W., Turan, M., Kelsey, J., Paul, S. and Bassham, L. (2012) Third-Round Report of the Sha-3 Cryptographic Hash Algorithm Competition. NIST. nvlpubs.nist.gov/nistpubs/ir/2012/NIST.IR.7896.pdf
[13] Bertoni, G., Daemen, J., Peeters, M. and Assche, G.V. (2010) Keccak Sponge Function Family Main Document Version 2.1, Updated Submission to NIST (Round 2).
[14] Bertoni, G., Daemen, J., Peeters, M. and Assche, G.V. (2008) On the Indifferentiability of the Sponge Construction. Eurocrypt, LNCS 4965, 181-197.
[15] Bertoni, G., Daemen, J., Peeters, M. and Assche, G.V. (2012) Duplexing the Sponge: Single-Pass Authenticated Encryption and Other Applications. Selected Areas in Cryptography, LNCS 7118, 320-337.
[16] Shamir, A. (1985) Identity-Based Cryptosystems and Signature Schemes. Crypto, LNCS 196, 47-53.
[17] Boneh, D. and Franklin, M. (2001) Identity-Based Encryption from the Weil Pairing. Crypto, LNCS 2139, 213-229.
[18] Joux, A. (2002) The Weil and Tate Pairings as Building Blocks for Public Key Cryptosystems. Algorithmic Number Theory Symposium, LNCS 2369, 20-32.
[19] Miller, V. (1986) Short Programs for Functions on Curves. Unpublished Manuscript, 97, 101-102.
[20] Ganan, C., Munoz, J., Esparza, O., Mata-Diaz, J. and Alins, J. (2012) Toward Revocation Data Handling Efficiency in VANETs. Communication Technologies for Vehicles, LNCS 7266, 80-90.
[21] Jakobsson, M. and Wetzel, S. (2004) Efficient Attribute Authentication with Applications to Ad Hoc Networks. ACM Workshop on Vehicular Ad Hoc Networks, 38-46.