System model and scenario
We assume an inter-vehicular communication system with the following entities.
1. Participating vehicles V_i equipped with a V2X on-board unit that periodically emit CAM messages while they travel. All messages are signed using pseudonym certificates, which are changed according to the pseudonym change strategy and its parameters. Vehicles start broadcasting messages when they begin their trip and stop when they reach their destination. Each vehicle performs only one trip.
2. An adversary that tries to track participants as they travel through the scenario. In particular, his goal is to link their trips’ origin and destination.
Figure 3.1 shows the attacker with limited coverage who tries to track vehicles despite their pseudonym changes. We do not consider event-based DENM messages. They can be forwarded over multiple hops, which might make them available to an attacker outside of the sender’s transmission range. However, they are sent only infrequently and are therefore much less privacy-sensitive than CAM messages.
Figure 3.1: Vehicles leaving a trace of messages signed with different pseudonyms (indicated by different colors). The area outside of the attacker’s observation range is called the mix-zone. Note that it is defined implicitly by the attacker’s coverage and unknown to the participants of the V2X system. The attacker tries to track vehicles by matching his observations as they enter and exit the mix-zone, possibly changing their pseudonym in between.