Alternative realization using Lian et al.’s credential scheme
The periodic K-times anonymous authentication scheme due to Lian et al. [125] is more efficient than Camenisch et al.’s periodic n-show credentials [38] but does not provide perfect forward privacy, which is one of our requirements.
The basic functionality of the two schemes is similar. The key difference is their approach to revocation: When showing the credential, a token serial number TSN in created by a deterministic one-way function with the current time period, a counter 1. ..n, and a user-specific secret (ei, e2) as input. Overspending results in a duplicate TSN from which V can compute U’s secret (e1, e2). This enables V to compute and recognize all future and past TSNs for U. Efficient revocation can be implemented by adding all future TSNs up to the credential’s expiration date to an indexed database.
According to their evaluation, the Show protocol is three to four times more efficient than the one from the periodic n-show credential scheme. Additionally, users do not need to update their credentials accumulator when a user was revoked from the system. If one is willing to drop the requirement of perfect forward secrecy, an even more efficient variant of PUCA could be implemented using this scheme. There would still be a significant privacy gain in comparison to the basic scheme but only for users whose credentials are not revoked. When a user’s credential is invalidated, however, e.g., because he wishes to leave the V2X system, his previous transactions with the PCA would be revealed.
Integration into existing systems
As our scheme only modifies the pseudonym issuance phase it is compatible with existing ETSI [69] and IEEE [108] standards and can be deployed alongside the basic scheme. PUCA users can securely communicate with participants that use a different protocol to obtain their pseudonyms and vice versa. For interoperability, the trust hierarchy must be set up such that all PCA certificates are signed by a globally trusted root CA. The compatibility enables both a gradual deployment of PUCA as well as the coexistence of different schemes in the long-term.
