

6.1.1 Algorithm Design

The basic idea of the adaptive PSC distribution scheme proposed in the following is to adapt the frequency of cyclic PSC emission to the currently experienced vehicular environment. In general, the new algorithm is built on top of the standardized mechanisms from [125]. These are parametrized as recommended in Section 4.2.1. Hence, implicit and repeated explicit PSC requests are used in combination with cyclic PSC emission. However, the distribution algorithm from [125] is changed in regard to the following major points.

1. Position-based weighting of a request’s significance is applied. In prior work all requests are weighted equally.

2. The PSC inclusion frequency is varied based on the accumulated weights of received requests.

To determine the significance of a request, its sender is assigned to one of four relevance areas. This assignment is based on the sender's distance relative to the receiver. The concept is illustrated in Figure 6.1.

Figure 6.1: Significance areas around a vehicle. (Diagram labels: node at 0 on the distance axis x; boundaries a1, a2, a3; areas A1, A2, A3, A4.)

Discretization of a node’s environment is inspired by the evaluation concept used in [133, 135]. However, [133, 135] use this concept only for offline evaluation with global knowledge about the whole network, i.e., in connection with an available ground truth. In contrast, these areas are used for online calculation of a metric representing a node’s environment in the following. Moreover, sizes of the different relevance areas are varied based on the current communication conditions, while work in [133, 135] uses areas of a-priori fixed size.

The boundaries $a_i$ ($i \in [1; 4]$) of the individual areas $A_i$, as shown in Figure 6.1, are given by Equations 6.1 to 6.4.

$$a_1 = \frac{1}{N} \sum_{j=1}^{N} d_j \tag{6.1}$$

$$a_3 = \max d_j; \quad j \in [1; N] \tag{6.2}$$

$$a_2 = \frac{a_1 + a_3}{2} \tag{6.3}$$

$$a_4 = \infty \tag{6.4}$$

$N$ gives the number of currently known nodes in the node’s surrounding. The distance between the own node and (another) node $j$ is denoted by $d_j$. A node is removed from the list of known nodes if no message from it has been received within a fixed time span (timeout). A timeout limit of two seconds is used in the following. It is selected to correspond to the doubled maximum transmission interval of CAMs. Thus, the algorithm tolerates missing at least one CAM from another node without removing it from the list of known nodes. The fourth area $A_4$ is used to filter requests from nodes which are so far away that no reliable communication with them is possible, i.e., only sporadic message exchange happens. [133, 135] use fixed values of $a_1 = 100$ m, $a_2 = 200$ m and $a_3 = 300$ m.

After a request from relevance area $A_i$ was received, the current authentication ratio $r_i$ inside $A_i$ is determined by

$$r_i = \frac{n_{i,auth}}{n_{i,known}}; \quad n_{i,auth} \le n_{i,known}; \quad r_i \in [0; 1]. \tag{6.5}$$

Here, $n_{i,auth}$ gives the number of nodes within $A_i$ whose PSC is known and verified, i.e., these nodes are authenticated. $n_{i,known}$ gives the number of all known nodes within $A_i$, i.e., those nodes from which at least one message has been received within the forgetting timeout interval described above.

The different authentication ratios $r_i$ are combined into a unified weighted authentication ratio $r_w$ by

$$r_w = \sum_{i=1}^{3} w_i \cdot r_i; \quad \sum_{i=1}^{3} w_i = 1; \quad w_i \ge 0. \tag{6.6}$$

Thus, $r_4$, i.e., the authentication ratio within $A_4$, is ignored for determining the PSC emission frequency. This is done as communication with nodes inside $A_4$ is regarded as unstable and of minor importance, especially in comparison to communication within areas being closer to the monitoring node ($A_1$ to $A_3$).

In general, communication with nodes in the close environment of a node is considered more important for safety critical applications, like collision avoidance, than communication with nodes being further away. Hence, we recommend using the criterion $w_1 > w_2 > w_3$ in the selection process of the weights $w_i$. Thereby, the influence of unauthenticated nodes in $A_1$ is higher than that of the ones in $A_2$, which in turn have more impact than nodes in $A_3$. The selection process used for the parameters $w_i$ is described after the introduction of the remaining algorithm.

The current time interval $t_{cert}$ between two successive PSC emissions is determined via

$$t_{cert} = \begin{cases} \max\left[\left(\frac{r_w}{1-r_w}\right)^{z} \cdot t_{cert,min};\ t_{cert,min}\right] & r_w < 1 \\ \infty & r_w = 1 \end{cases} \tag{6.7}$$

The PSC inclusion frequency $f_{cert}$ is given by $f_{cert} = t_{cert}^{-1}$. Furthermore, $z \ge 0$ holds. Equation 6.7 is chosen in a way that $t_{cert}$ varies alongside $r_w$, and the scaling factor $\left(\frac{r_w}{1-r_w}\right)^{z}$ of the minimal PSC inclusion period $t_{cert,min}$ may have arbitrary values in the range between 0 and ∞. This overcomes the fixed, standardized setting of $t_{cert}$ from [125, 176]. Replacing the scaling factor with a fixed number yields a system like the one specified in current ETSI ITS and WAVE standards. The relation between $t_{cert}$ and $r_w$ is illustrated in Figure 6.2.

In case of $r_w = 1$, cyclic inclusion of certificates is turned off, i.e., $f_{cert} = 0$. This is done as $r_w = 1$ relates to a system status in which the node does not know about any unauthenticated node within its surrounding $A_1$ to $A_3$. Hence, further dissemination of the PSC in a cyclic manner is considered to be pure overhead. Another station in need of the PSC can still obtain it via an explicit PSC request, which triggers sending of the PSC even in case cyclic dissemination is turned off.

The minimum value of $t_{cert}$ ($t_{cert,min}$) is given by the minimum time interval between sending of two CAMs. The lower limit for $t_{cert,min}$ ($\min(t_{cert,min})$) is given by the 10 Hz maximum CAM emission frequency, i.e., a period of $\min(t_{cert,min}) = 0.1$ s. This determines the maximum PSC emission frequency, as the security entity cannot trigger the sending of messages on its own, but relies on piggybacking its data to messages generated at higher protocol layers, like CAMs. The parameter $z$ is used to adjust the reactivity of the algorithm to changes in the monitored weighted authentication ratio in its surrounding.

The influence of the parameter $z$ on the inclusion period of PSCs is shown in Figure 6.2 for the case of a CAM emission frequency of 10 Hz ($t_{cert,min} = 0.1$ s).

Figure 6.2: Influence of parameter z on the PSC inclusion interval. (Plot of the certificate inclusion interval [ms] over the authentication ratio $r_w$ for z = 0.5, z = 1, z = 2, z = 3, z = 4 and the reference.)

One can see from Equation 6.7 and Figure 6.2 that for $r_w = 1$ cyclic PSC emission is turned off. This corresponds to a traffic scenario in which the surrounding of a node does not change over time, e.g., inside a large scale traffic jam. In such traffic scenarios there is no need for PSC emission, as all nodes already know about the PSCs of nodes within their communication range. An approach using $z = 0$ is looked at in Section 6.2.

Decreasing values of $z$ lead to increased changes of $t_{cert}$ alongside changes in $r_w$, as illustrated in Figure 6.2. Hence, reaction of the PSC emission algorithm to detected changes in a node’s surrounding is faster for lower values of $z$. However, this may lead to an overreaction, as it takes time until feedback (from a CAM with included PSC) arrives from the node(s) causing $r_w \neq 1$. During that time interval unnecessary PSC emissions may occur, due to a too strong reduction in $t_{cert}$ for very low values of $z$, i.e., $z \ll 1$. This shows the need to consider the trade-off between channel load and cryptographic packet loss, i.e., received packets discarded because the PSCs needed for their verification are not available.

The reference value shown in Figure 6.2 is the fixed cyclic PSC inclusion interval of 1 s from [125]. The adaptive scheme uses a significantly longer inclusion interval for high values of $r_w$, which can be expected to lower channel utilization within a well known neighborhood.

Simulation based testing of different parameter combinations for $w_i$ and $z$ within the proposed adaptive PSC distribution strategy was used to select the values of $w_1 = 0.6$, $w_2 = 0.3$, $w_3 = 0.1$ and $z = 0.5$. These were found to provide the best performance in regard to channel utilization and cryptographic packet loss. Thus, these parameters are used in the following.
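The following sketch carries Equations 6.1 to 6.7 through for one neighbour table, using the parameter values selected above. It is an added example, not the implementation used for the evaluation; the function names, the tuple layout of the neighbour table, the inclusive upper area boundaries and the treatment of an empty area as fully authenticated are assumptions.

```python
import math

W = (0.6, 0.3, 0.1)   # w1..w3 as selected on the page
Z = 0.5               # reactivity exponent z as selected on the page
T_CERT_MIN = 0.1      # s, CAM period at 10 Hz
TIMEOUT = 2.0         # s, forgetting timeout for known nodes


def boundaries(dists):
    """Eq. 6.1-6.3: a1 = mean distance, a3 = max distance, a2 = midpoint."""
    a1, a3 = sum(dists) / len(dists), max(dists)
    return a1, (a1 + a3) / 2, a3


def weighted_auth_ratio(neighbours, now):
    """neighbours: iterable of (distance_m, last_heard_s, psc_verified)."""
    live = [(d, ok) for d, seen, ok in neighbours if now - seen <= TIMEOUT]
    if not live:
        return 1.0  # assumption: nobody known, so nobody unauthenticated
    bounds = boundaries([d for d, _ in live])
    known, auth = [0, 0, 0], [0, 0, 0]
    for d, ok in live:
        # Assumption: upper boundaries are inclusive. Since a3 = max(d_j),
        # every live node then falls into A1..A3.
        i = next(k for k, a in enumerate(bounds) if d <= a)
        known[i] += 1
        auth[i] += ok
    # Eq. 6.5; assumption: an empty area counts as fully authenticated.
    r = [auth[i] / known[i] if known[i] else 1.0 for i in range(3)]
    # Eq. 6.6 written as 1 - sum(w_i * (1 - r_i)); equal because sum(w_i) = 1,
    # and exactly 1.0 when all r_i are 1 (0.6 + 0.3 + 0.1 is not, in floats).
    return 1.0 - sum(w * (1.0 - ri) for w, ri in zip(W, r))


def t_cert(r_w, z=Z, t_min=T_CERT_MIN):
    """Eq. 6.7: interval between cyclic PSC emissions in seconds."""
    if r_w >= 1.0:
        return math.inf  # cyclic emission off; explicit requests still served
    return max((r_w / (1.0 - r_w)) ** z * t_min, t_min)


# Constructed sample neighbour table at now = 10.0 s (not measured data).
SAMPLE = [(20, 9.9, True), (40, 9.8, True), (60, 9.5, False),
          (120, 9.9, True), (260, 9.7, False),
          (80, 7.5, False)]  # last entry has timed out and is ignored

if __name__ == "__main__":
    rw = weighted_auth_ratio(SAMPLE, now=10.0)
    print(f"r_w = {rw:.3f}, t_cert = {t_cert(rw) * 1000:.0f} ms")
```

Summing the weights directly gives 0.9999999999999999 for a fully authenticated neighbourhood, which would leave cyclic emission running at a very long but finite interval instead of switching it off.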

One should note that currently the security envelope of CAMs does not hold a location stamp. However, this information is present in a required data field of a CAM [119, 125]. Thus, the implementation used for evaluation of this approach looks into the secured data to obtain this information. This is not required for BSMs, as their security envelope includes a location stamp [176].