Journal of Computer and Communications, 2014, 2, 1421 Published Online July 2014 in SciRes. http://www.scirp.org/journal/jcc http://dx.doi.org/10.4236/jcc.2014.29003 How to cite this paper: CaballeroGil, P., MartínFernández, F. and CaballeroGil, C. (2014) TreeBased Revocation for Certi ficateless Authentication in Vehicular AdHoc Networks. Journal of Computer and Communications, 2, 1421. http://dx.doi.org/10.4236/jcc.2014.29003 TreeBased Revocation for Certificateless Authentication in Vehicular AdHoc Networks Pino CaballeroGil, Francisco MartínFernández, Cándido CaballeroGil Department of Computer Science, University of La Laguna, Tenerife, Spain Email: pcaballe@ull.es, francisco.martin.07@edu.u ll.es, ccabgil@ull.es Received April 2014 Abstract This work proposes authentication based on identity as a way to increase the efficiency and secu rity of communications in vehicular adhoc networks. When using identitybased cryptography to achieve certificateless authentication, membership revocation is not a trivial problem. Thus, in order to improve the performance of revocation in such networks, the use of a dynamic authenti cated data structure based on perfect kary hash trees combined with a duplex version of the new standard SHA3 is here presented. Efficient algorithms in the used revocation trees allow reaching a refresh rate of at most simple updates per inserted node. Consequently, the proposal is espe cially useful for situations with frequent revocations, which are foreseeable when vehicular ad hoc networks are widely deployed. Keywords KAry Tree, IdentityBased Cryptography, Revocation, Hash Function, Vehicular AdHoc Network 1. Introduction Authentication is a crucial requirement for any communication network. On the one hand, an efficient way to authenticate legitimate and honest nodes is necessary. On the other hand, being able to exclude compromised nodes is fundamental to guarantee trustworthiness of network. When communication security is based on publickey cryptography, a central problem is to guarantee that a particular public key is authentic and valid. The traditional approach to this problem is through publickey cer tificates emitted by a PublicKey Infrastructure (PKI), in which a Certificate Authority (CA) certifies ownership and validity of publickey certificates. This solution presents many difficulties because the issues associated with certificate management are quite complicated and expensive. A different approach is the socalled Identity Based Cryptography (IBC), where each user’s public key is his/her public IDentity (ID) so that the need for pu blickey certificates is eliminated. In order to use any publickey cryptosystem in practice, an efficient revocation mechanism is necessary be cause private keys may become compromised. Traditionally, this problem has been solved through a centralized approach based on the existence of a Trusted Third Party (TTP), which is usually a CA distributing the socalled Certificate Revocation Lists (CRLs) that can be seen as blacklists of revoked certificates. Alternatively, some
P. CaballeroGil et al. authors have proposed an approach based on hash trees as Authenticated Data Structures (ADSs) for a more ef ficient management of certificate revocation. Vehicular Adhoc NETworks (VANETs) are selforganizing networks built up from moving vehicles that communicate with each other mainly to prevent adverse circumstances on the roads, but also to achieve more efficient traffic management. In particular, these networks are considered an emerging research area of mobile communications because they offer a wide variety of possible applications, ranging from the aforementioned road safety and transport efficiency, to commercial services, passenger comfort, and infotainment delivery. Fur thermore, VANETs can be seen as an extension of mobile adhoc networks where there are not only mobile nodes, named OnBoard Units (OBUs), but also static nodes, named RoadSide Units (RSUs). The socalled In telligent Transportation System (ITS) includes two types of communications: between OBUs and between OBUs and RSUs [1]. Both the European standard for ITS, named ITSG5, and its American counterpart, named Wireless Access in Vehicular Environment (WAVE), are based on the IEEE 802.11p amendment to the IEEE 802.11 standard. Security in VANETs faces many challenges due to the open broadcasting of wireless communications and the highspeed mobility of vehicles. In these networks, any malicious misbehaving user that can inject false infor mation, or modify/replay any previously disseminated message, could be fatal to the others. Therefore, within the family of standards for vehicular communications IEEE 1609 based on the IEEE 802.11p, the standard 1609.2 deals in particular with the issues related to security services for applications and management messages. This standard describes the use of PKIs, CAs and CRLs, and implies that in order to revoke a vehicle, a CRL has to be issued by the CA to the RSUs, who are in charge of sending this information to the OBUs. In particular, the IEEE 1609.2 standard proposes both broadcast authentication and nonrepudiation through the use of the el liptic curve digital signature algorithm. Each vehicle is assumed to have a pair of keys: a private signing key and a public verification key certified by the CA; and any VANET message must contain: a timestamp with the creation time, the sender's signature, and the sender’s publickey certificate. According to the socalled Dedicated ShortRange Communications (DSRC) channels specifically designed for automotive use, vehicles periodically exchange with nearby vehicles beacons containing sender's information such as location and speed because many VANET applications, such as the cooperative collision warning, rely on the information embedded in these beacons. In order to protect privacy in VANETs, each OBU can obtain multiple certified key pairs and use different public keys each time. These public keys are linked to pseudonyms that allow preventing location tracking by eavesdroppers. Therefore, once VANETs are implemented in practice on a large scale, their size will grow rap idly due to the increasing number of OBUs and to the use of such multiple pseudonyms. Thus, it is foreseeable that if CRLs are used, they will grow up to become very large and unmanageable. Moreover, this context can bring a phenomenon known as implosion request, consisting of many nodes who synchronously try to download the CRL during its updating, producing serious congestion and overload of the network, which could lead to a longer latency in the process of validating a certificate. The proposal described in this paper defines the use of IBC to achieve certificateless and cooperative authen tication in VANETs. It also introduces a perfect kary hash tree as an ADS for the management of pseudonym revocation. By using this ADS, the process of query on the validity of public pseudonyms will be more efficient because OBUs will send queries to RSUs, who will answer them on behalf of the TTP. In this way, at the same time this TTP will no longer be a bottleneck and OBUs will not have to download any entire revocation list. In stead of that, they will have to manage hash trees where the leaf nodes contain revoked pseudonyms. In particu lar, the used kary trees are based on the application of a duplex construction of the Secure Hash Algorithm SHA3 that was recently chosen as standard, because the combination of both structures allows improving effi ciency of updating and querying revoked pseudonyms. This paper is organized as follows. Section 2 presents a review of related work. Concepts and notation used in the proposed authentication scheme based on the combination of IBC, perfect kary hash trees and a duplex ver sion of SHA3 are introduced in Section 3. Section 4 summarizes the main ideas of the proposal. Finally, Sec tion 5 discusses some conclusions and open problems. 2. Related Works Under appropriate conditions and in certain circumstances, the use of publickey cryptography can be consid
P. CaballeroGil et al. ered essential for information security [2]. For instance, the work [3] proposes the use of a PKI to protect messages and mutually authenticate entities in VANETs. [4] also defines a PKIbased security protocol where each vehicle preloads anonymous public/pri vate keys and the TTP stores all the anonymous certificates of all the vehicles. Such a scheme produces ineffi ciency in the certificate management process. Also based on a PKI, a wellknown solution for strong authentication in VANETs is based on the signature of each message [5]. However, the use of a traditional approach to PKIs may fail to satisfy the realtime require ment in vehicular communications because according to the DSRC protocol, each OBU will periodically trans mit beacons so even in a normal traffic scenario, it is a very rigorous requirement to deploy an authentication scheme that allows at the same time efficient revocation of invalid public keys, and efficient use of valid public keys. This is exactly the main goal of this work. A revocation method called Online Certificate Status Protocol (OCSP) involves a multitude of validation agents that respond to client queries with signed replies indicating the current status of a target certificate. This explicit revocation method has an unpleasant sideeffect because it divulges too much information. Since valida tion agents constitute a global service, they must involve enough replication to handle the load of all validation queries, what means that the signature key must be replicated across many servers, which is either insecure or expensive. A solution called Certificate Revocation Tree (CRT) was proposed in [6] as an improvement for OCSP involving a single highly secure entity that periodically posts a signed CRLlike data structure to many insecure validation agents so that users query these agents. In CRTs the leaf nodes are statements concerning revoked certificates, and the CA signs the root. By using CRTs, the responder can prove the status of any cer tificate by showing the path from the root to the leaf node without signing the response, because the signatures of any leaf node are identical, and given by the signature contained in the root. Thus, no trust in the responder is necessary. The proposal here described is based on this idea, but does not use any certificate. The basic ADS proposed in [6] is a Merkle hash tree [7] where the leaf nodes represent revoked certificates sorted by serial number. A client sends a query to the nearest agent, which produces a short proof that the target certificate is (or not) on the CRT. [8] introduces several methods to traverse Merkle trees allowing timespace tradeoffs. Other ADSs based on multidimensional tree structures are studied in [9] to support efficient search queries, allowing the retrieval of authenticated certificates from an untrusted repository used for dissemination by various credential issuers. Besides, many treebalancing algorithms have been proposed in the bibliography for hash trees [10]. For instance, AVL trees are balanced by applying rotation, Btrees are balanced by manipu lating the degrees of the nodes, and 2  3 trees contain only nodes with at least 2 and at most 3 children. How ever, in the particular application of publickey revocation, balancing trees does not necessary minimize the overall communication. Another interesting problem with CRTs appears each time a certificate is revoked as the whole tree must be recomputed and restructured. Skiplists proposed in [11] can be seen as a natural and efficient structure for the purpose of reducing communication by balancing the CRT. However, they are not good solutions for other problems such as insertion of new leaf nodes. Hash trees are usually based on widely used hash functions. This work uses a new version of SHA3, which is a cryptographic hash function recently selected as the winner of the NIST hash function competition [12]. SHA3 uses the Keccak function [13] and a sponge construction [14] in which message blocks are XORed into the initial bits of the state. However, the version of SHA3 here used is based on a duplex construction [15], which allows a more efficient insertion of revoked nodes as leaf nodes of the revocation tree. In order to solve the problem caused by the management of valid publickey certificates, [16] proposes the idea of an identitybased cryptosystem in which arbitrary strings can act as public keys so that there is no need for publickey certificates. The first practical identitybased encryption scheme was described in [17] using a bi linear map. Weil and Tate pairings on elliptic curves are the most efficient ways of constructing such bilinear maps [18]. The proposal here described was implemented using the Tate pairing for identitybased authentica tion. 3. Preliminaries 3.1. IDBased Cryptography The idea of IBC and, in particular, of IdentityBased Signature (IBS) is that the public identity ID of the signer
P. CaballeroGil et al. can be used as verification key of a received signature, what avoids the need of any publickey certificate. In our scheme, such an identity is a public pseudonym Pj sent by the signer node together with the signed message. In the used IDbased system, each node has to receive all the signing private keys PrPj linked to all its pseudonyms Pj from a TTP, because it cannot generate them by itself. In particular, a TTP, called in IBC the Private Key Generator (PKG), is in charge of computing and delivering to each node via a confidential channel, the signing private keys linked to each of its pseudonyms. On the other hand, the PKG publishes a master public key MPu and retains the corresponding master private key MPr. Thus, given the master public key MPu, any party will be able to compute the public key PuPj corresponding to any pseudonym Pj by combining it with MPu. In order to use the corresponding private key, the node authorized to use a pseudonym must have received it from the PKG, which uses the master private key MPr to generate all the private keys corresponding to all the pseudonyms. Thus, the main algorithms in the proposed IBS are as follows: • Setup: The PKG randomly picks its master private key MPr, and therefore computes and publishes its master public key MPu. • Extraction: For each pseudonym Pj, the PKG uses its master private key MPu to compute the corresponding private key PrPj and all pairs (Pj, PrPj) are sent securely from the PKG to the corresponding owner. • Signature: A signer node uses its private key PrPj to compute the signature of a message M, and sends openly both the computed signature PrPj(M) and its pseudonym Pj. • Verification: A node that receives a signed message and corresponding pseudonym (PrPj(M), Pj) uses MPu and Pj to compute PuPj and verify the signature PrPj(M). Note that no new IDbased cryptosystem is described in this paper because it is out of its scope. The IDbased system that has been implemented in the proofofconcept prototype is the BonehFranklin scheme [17], which uses a bilinear pairing over elliptic curves and bases its security on the Bilinear DiffieHellman problem. The used IDbased system is built from a bilinear map e: G1 × G1 → G2 between two groups G1 and G2 so that according to the bilinearity of e: e(aP, bQ) = e(P, Q)ab for all P, Q ϵ G1 and a, b ϵ Z. Specifically, an ID based system can be built from a bilinear map e if and only if a variant of the Computational DiffieHellman problem in G1 is hard. The considered Bilinear DiffieHellman problem in G1 is defined as follows: Given P, aP, bP, cP, compute e(P, P)abc, where P ϵ G1 and a, b, c ϵ Z. In particular, the used bilinear pairing e is described for an elliptic curve E defined over some field K, so it maps a pair of points of E to an element of the multiplicative group of a finite extension of K. The first satisfactory version of the BonehFranklin scheme was based on the Weil pairing [17]. However, the scheme implemented in this work uses the Tate pairing because this is considered the most convenient bilinear function for the BonehFranklin scheme in terms of computational cost. In particular, the implementation of the proposal includes the use of Miller's algorithm to compute the Tate pairing [19]. In IBC, just a few works exist on revocation mechanisms. Here we propose a scheme to manage revoked pseudonyms, built on the idea of revocation hash trees. 3.2. Tree Notation The treebased model described in this paper is based on the following notation: • h(…): Hash function used to define the revocation tree. • h(A0  A1 ...): Digest obtained with the hash function h applied on the concatenation of the inputs Ai, i = 0, 1... • D (≥ 1): Depth of the hash tree. • dx (< D): depth of an internal node x in the tree. • t: total number of revoked pseudonyms. • RPj (j = 1, 2, ..., t): jth Revoked Pseudonym. • Nij (i = DdNij and j = 0, 1...): Internal Node of the hash tree. • N0j (j = 0, 1...): Leaf Node of the hash tree. • k: Maximum number of children for each internal node in the hash tree. • f(…): Keccak function used in SHA3. • n: Bit size of the digest of h. • s: Bit size of the input to f. • r: Bit size of the input blocks for h after padding.
P. CaballeroGil et al. • l: Bit size of the output blocks that build the digest of h, which is here assumed to be lower than r. 3.3. KAry Hash Tree In order to improve efficiency of communication and computation in the management of revocations in VANETs, some authors have proposed the use of particular ADSs such as Merkle trees [7] and skip lists [20] [21]. However, to the best of our knowledge no previous work has described in detail the use of perfect kary trees as hash trees for revoked pseudonym management. In general, a hash tree is a tree structure whose nodes contain digests that can be used to verify larger pieces of data. The leaf nodes in a hash tree are hashes of data blocks while nodes further up in the tree are the hashes of their respective children so that the root of the tree is the digest representing the whole structure. Most im plemented hash trees require the use of a cryptographic hash function h in order to prevent collisions. On the one hand, each leaf node N0j of a hash tree is given by a hash value. On the other hand, for each inter nal node Nij, i is defined by the distance from the node to a leaf node, or the depth of the node. Hence, a leaf node has i = 0 and the root has i = D. The subindices j of all nodes Nij of each level are numbered from left to right, so that, for instance, Ni0 is the leftmost node of level i. Like most hash trees, the Merkle tree is a binary tree, so each internal node Nij is the hash value of the con catenation of its two children: Nij = h(Ni1,0  Ni1,1). On the contrary, this work proposes the use of a more general structure known as kary tree, which is a rooted tree in which each node has no more than k children, and each internal node is obtained by hashing the concate nation of all the digests contained in its children. Specifically, we propose the use of a perfect kary tree in which all leaf nodes N0j are at the same depth D (see Figure 1). In this way, one of the major drawbacks of or dered tree structures, which is the necessary restructuring when there are changes in the tree, only occurs in our proposal when the perfect kary tree requires the introduction of a new level of depth, because otherwise the nodes are simply inserted from left to right in order to complete each level of depth. The authenticity of the used hash tree structure is guaranteed thanks to the TTP signature of the root ND0. When a RSU answers to an OBU about a query on a pseudonym, it proceeds in the following way. If it finds the digest of the pseudonym among the leaf nodes of the tree, which means that it is a revoked pseudonym, the RSU sends to the OBU the route between the root and the corresponding leaf node, along with all the siblings of the nodes on this path. After checking all the digests corresponding to the received path, and the TTP signature of the root, the OBU gets convinced of the validity of the received evidence on the revoked pseudonym. 3.4. Duplex Version of SHA3 Regarding the cryptographic hash function h used in the hash tree, the proposal is based on the use of a new ver sion of the Secure Hash Algorithm SHA3. In SHA3, the padding of the input is a minimum 10*1 pattern that consists of a 1 bit, zero or more 0 bits (maximum r1) and a final 1 bit, and the basic cryptographic hash func tion f called Keccak contains 24 rounds of a basic transformation that involves 5 steps. There the input is repre Figure 1. Hash tree based on a perfect 5ary tree.
P. CaballeroGil et al. sented by a 5 × 5 matrix of 64bit lanes. However, the proofofconcept of our proposal has been implemented using 32bit lanes in order to increase flexibility. Another variation of SHA3 is the combination of a duplex version of the sponge structure of SHA3 [15] and a hash kary tree. On the one hand, like the sponge construction of SHA3, our proposal based on a duplex con struction also uses Keccak as fixedlength transformation f, the same padding rule based on the 10*1 pattern, and data bit rate r, which is here assumed to be 352. On the other hand, unlike a sponge function, the duplex construction output corresponding to an input string might be obtained through the concatenation of the outputs resulting from successive input blocks (see Figure 2). In this way, the use of the duplex construction in our proposed hash tree allows the insertion of a new revoked node as new leaf node of the tree by running a new iteration of the duplex construction only on the new revoked node. In particular, the RSU can take advantage of all the digests corresponding to the sibling nodes of the new node, which were computed in previous iterations, by simply discarding the same minimum number of the last bits of each of those digests so that the total size of the resulting digest of all the children remains the same, n, which is here assumed to be the lowest possible size of SHA3 digest, 224. Thus, while the maximum number of children of an internal node has not been reached, the RSU stores not only all the digests of the tree but also the state resulting from the application of Keccak hash function f in the last iteration corresponding to such internal node, in order to use it as input in a next iteration. 4. Certificateless Authentication In the scheme proposed in this work, a node does not need any certificate to prove the binding to its public key. Instead of that, an IDbased authentication scheme and revocation trees are used. We consider the following ba sic authentication architecture, which includes three main parties: • TTP: This entity acts as key distribution centre because it is responsible for generating and assigning related parameters for VANET nodes, and for revoking pseudonyms of misbehaving OBUs and public keys of mis behaving RSUs. • RSU: This entity serves as a gateway to provide OBUs within its transmission range with any requested in formation about revoked pseudonyms. • OBU: Each vehicle is equipped with an OBU, which periodically broadcasts signed beacons that are re ceived by neighbour OBUs and RSUs. The proposed model is based on the use of a pseudonym Pj set by each OBU, so that for each one the TTP provides the OBU with a corresponding private key PrPj. If any of those pseudonyms is revoked by the TTP, it inserts all the pseudonyms corresponding to the same OBU in the revocation tree. The TTP is also responsible for periodically updating the tree by deleting the expired pseudonyms, and for restructuring the tree when nec essary. After each update, the TTP sends the corresponding modifications of the updated tree to all RSUs. Figure 2. Proposed duplex construction.
P. CaballeroGil et al. The RSU has to search vehicle pseudonyms in the revocation tree each time an OBU requests it. The RSU must provide the requesting OBU either with a verifiable revocation proof of any revoked pseudonym or with a signed message indicating that the requested pseudonym has not been revoked and is labelled as “OK”. In the first case, by using the answer data, the OBU can verify the TTP signature of the received signed root, recom pute the root of the revocation tree, and check it by comparing it with the received signed root. The proposed scheme is computationally efficient since it obviates the need to sign each RSU reply, as it re moves most of the trust from it. The only case when the RSU’s trust is questioned is when it provides an “OK” answer because that could be a fraud. In this regard, when an OBU receives an “OK” message signed by a cheating RSU, it trusts it momentarily. However, when it contacts another RSU, it asks it again about the same pseudonym. If this RSU provides the OBU with a proof of revocation whose timestamp contradicts the “OK” answer signed by the questioned RSU, the OBU sends to the latter RSU an impeachment on the questioned RSU, so that the honest RSU can send it to the TTP who will revoke its public key by deleting it directly from the revoked RSU. Otherwise, if the second RSU also sends a signed “OK” message, the OBU goes on asking about the same pseudonym until it reaches ei ther a contradiction or a prefixed trust threshold. Thus, each OBU stores locally in two separate and complementary structures, the pseudonyms of those OBUs that it has previously checked as unreliable, and of those OBUs that have been reliable till then. Therefore, in the future, if it reconnects with any of these vehicles, it can use such information to decide how to proceed. If there is no RSU nearby, it uses these data to decide whether to establish the communication or not. Otherwise, even if there is an RSU nearby, there is no need to reask it about a checked revoked pseudonym. 5. Conclusion One of the most important security issues in VANETs is authentication, involving an efficient management of both valid and invalid public keys. On the one hand, we have proposed identitybased cryptography to achieve certificateless authentication, what increases efficiency and security in vehicular communications. On the other hand, in order to deal with the problem of revocation management as VANETs grow, this paper has introduced the use of a dynamic authenticated data structure based on kary hash trees combined with a duplex version of the new standard SHA3. Such a structure allows taking advantage of the digests of previous revoked pseudo nyms for calculating the hash value corresponding to every new revoked pseudonym. Therefore, its insertion in the hash tree can be performed by a single iteration of the hash function. There are still some open questions such as the analysis of optimal values for the parameters and a comparison with previous proposals. Acknowledgements Research supported under TIN201125452, IPT20120585370000 and BES20120518 17. References [1] ETSI (2012) Intelligent Transport Systems. http://http://www.etsi.org/index.php/technologiesclusters/technologies/intelligenttransport [2] BlakeWilson, S. (2000) Information Security, Mathematics, and PublicKey Cryptography. Designs, Codes and Cryp tography, 19, 7799. http://dx.doi.org/10.1023/A:1008345904539 [3] Hubaux, J.P., Capkun, S. and Luo, J. (2004) The Security and Privacy of Smart Vehicles. IEEE Security and Privacy, 2, 4955. http://dx.doi.org/10.1109/MSP.2004.26 [4] Raya, M. and Hubaux, J.P. (2007) Securing Vehicular Ad Hoc Networks. Computer Security, 15, 3968. [5] IEEE1609 (2006) Family of Standards for Wireless Access in Vehicular Environments (WAVE). US Department of Transportation. [6] Kocher, P. (1998) On Certificate Revocation and Validation. FC’98. LNCS 1465, 172177. [7] Merkle, R. (1980) Protocols for Public Key Cryptosystems. IEEE Security and Privacy, 1109, 122134. [8] Jakobsson, M., Leighton, T., Micali, S. and Szydlo, M. (2003) Fractal Merkle Tree Representation and Traversal. CT RSA. LNCS 2612, 314326. [9] Goodrich, M., Shin, M., Tamassia, R. and Winsborough, W. (2003) Authenticated Dictionaries for Fresh Attribute Cre dentials. Trust Management, LNCS 2692, 332347.
P. CaballeroGil et al. [10] Cormen, T., Leiserson, C. and Rivest, R. (1990) Introduction to Algorithms. MIT Press. [11] Goodrich, M., Tamassia, R., Triandopoulos, N. and Cohen, R. (2003) Authenticated Data Structures for Graph and Ge ometric Searching. CTRSA. LNCS 2612, 295313. [12] Chang, S., Perlner, R., Burr, W., Turan, M., Kelsey, J., Paul, S. and Bassham, L. (2012) ThirdRound Report of the Sha3 Cryptographic Hash Algorithm Competition. NIST. nvlpubs.nist.gov/nistpubs/ir/2012/NIST.IR.7896.pdf [13] Bertoni, G., Daemen, J., Peeters, M. and Assche, G.V. (2010) Keccak Sponge Function Family Main Document Ver sion 2.1, Updated Submission to NIST (Round 2). [14] Bertoni, G., Daemen, J., Peeters, M. and Assche, G.V. (2008) On the Indifferentiability of the Sponge Construction. Eurocrypt, LNCS 4965, 181197. [15] Bertoni, G., Daemen, J., Peeters, M. and Assche, G.V. (2012) Duplexing the Sponge: SinglePass Authenticated En cryption and Other Applications. Selected Areas in Cryptography, LNCS 7118, 320337. [16] Shamir, A. (1985) IdentityBased Cryptosystems and Signature Schemes. Crypt o, LNCS 196, 4753. [17] Boneh, D. and Franklin, M. (2001) IdentityBased Encryption from the Weil Pairing. Crypto, LNCS 2139, 213229. [18] Joux, A. (2002) The Weil and Tate Pairings as Building Blocks for Public Key Cryptosystems. Algorithmic Number Theory Symposium, LNCS 2369, 2032. [19] Miller, V. (1986) Short Programs for Functions on Curves. Unpublished Manuscript, 97, 101102. [20] Ganan, C., Munoz, J., Esparza, O., MataDiaz, J. and Alins, J. (2012) Toward Revocation Data Handling Efficiency in VANETs. Communication Technologies for Vehicles, LNCS 7266, 8090. [21] Jakobsson, M. and Wetzel, S. (2004) Efficient Attribute Authentication with Applications to Ad Hoc Networks. ACM Workshop on Vehicular Ad Hoc Networks, 3846.
