Literature Database Entry


David Foerster, "Verifiable Privacy Protection for Vehicular Communication Systems," PhD Thesis (Dissertation), Department of Computer Science, University of Ulm, December 2016. (Advisor: Frank Kargl; Referees: Falko Dressler and Franz Hauck)


This dissertation examines privacy protection on various layers of vehicular communi- cation focusing on inter-vehicular communication. Also known as Vehicle-to-X (V2X) communication, the technology will supplement modern vehicles' sensors with informa- tion exchanged with other cars or traffic infrastructure via ad-hoc radio communication. V2X communication is expected to deliver significant improvements for traffic safety and efficiency, as well as comfort functions. Privacy protection is crucial for several reasons: Vehicles are personal items, therefore, the traces they leave via radio communication can be considered personal identifiable information if no protection is implemented. V2X-based safety functions may be required by legislation in the future, leaving drivers no choice whether or not to use them. Therefore, established concepts for data protection, such as the requirement for the user's consent for collection and processing of his data, cannot be applied. For the technology to deliver the expected improvements for traffic safety and efficiency, a significant market penetration is required. However, privacy concerns about "Connected Cars" have been raised in the media repeatedly and need to be addressed to ensure rapid adoption once V2X-equipped vehicles are available. Upcoming standards consider privacy protection and there is a significant body of previous research, but several points remain unaddressed: 1. A scheme of changing “pseudonym certificates” has been proposed for privacy-friendly message authentication, but it is unclear when and how often vehicles need to change their pseudonym for adequate protection. 2. For revocation of misbehaving participants, it has been suggested that the certificate authorities retain a mapping database of pseudonym holders. This database constitutes a high-value target and a single point of failure that puts drivers' privacy at risk. 3. Modern cars' connectivity facilities enable new applications such as "crowdsourcing" of sensor data. Privacy protection for drivers is required but must be balanced with quality of the collected data. Recent large-scale security breaches illustrate the difficulty in keeping systems secure that attract motivated and skilled attackers. Furthermore, the revelations by Edward Snowden about extensive governmental surveillance have raised many concerns. Therefore, in the attacker model used throughout this work we assume a powerful adversary that is able to compromise back-end systems. We propose solutions that do not rely on organizational controls (such as separation of duties) but use cryptographic mechanism to verifiably protect users' privacy even when back-end systems are untrusted or compromised. We address the research gaps outlined above with the following contributions: 1. We examine the effectiveness of pseudonym changes to protect drivers from tracking attacks. Our goal is to provide guidance on change strategies and change intervals for real-world deployments. We conduct simulations in two different large-scale traffic scenarios and use the realistic model of an adversary with limited coverage. We propose specific change intervals for an urban scenario, which are shorter than the ones foreseen by upcoming standards. In a highway scenario, however, none of the strategies under evaluation achieves satisfactory protection against our tracking algorithm. 2. The privacy protection offered by changing pseudonym certificates depends on their anonymity, which is threatened by the "mapping database" required by currently proposed revocation mechanisms. We propose a privacy-friendly pseudonym system that provides full anonymity for drivers. It is complemented by a revocation mechanism that is based on a trusted component in each vehicle and does not require resolution of pseudonym holders. 3. For privacy-friendly crowdsourcing, we propose a mechanism that balances drivers’ privacy with the data quality requirements from a traffic authority. Data is only made available if it satisfies a certain privacy level quantified as k-anonymity. The protection is enforced using a decentralized secret sharing scheme and does not require a central, trusted party. For a comprehensive assessment of privacy in vehicular networks it is crucial to consider all relevant layers. Privacy protection on a higher layer is only possible if the lower layers do not leak information. In this dissertation, we present several novel protocols that protect drivers’ privacy by cryptography and data minimization. We demonstrate that strong privacy protection can be achieved even when central parties are untrusted or compromised. Privacy protection in inter-vehicular communication systems is challenging due to their unique character (mobile nodes that emit messages with a high frequency) in conjunction with safety requirements. Our results indicate that these challenges are not fully solved yet and that there may be limitations on the level of privacy that can be achieved under certain traffic conditions.

Quick access

BibTeX BibTeX


David Foerster

BibTeX reference

    author = {Foerster, David},
    referee = {Dressler, Falko and Hauck, Franz},
    advisor = {Kargl, Frank},
    title = {{Verifiable Privacy Protection for Vehicular Communication Systems}},
    institution = {Department of Computer Science},
    year = {2016},
    month = {December},
    location = {Ulm, Germany},
    school = {University of Ulm},
    type = {PhD Thesis (Dissertation)},

Copyright notice

Links to final or draft versions of papers are presented here to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright. In most cases, these works may not be reposted or distributed for commercial purposes without the explicit permission of the copyright holder.

The following applies to all papers listed above that have IEEE copyrights: Personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works must be obtained from the IEEE.

The following applies to all papers listed above that are in submission to IEEE conference/workshop proceedings or journals: This work has been submitted to the IEEE for possible publication. Copyright may be transferred without notice, after which this version may no longer be accessible.

The following applies to all papers listed above that have ACM copyrights: ACM COPYRIGHT NOTICE. Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, to republish, to post on servers, or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from Publications Dept., ACM, Inc., fax +1 (212) 869-0481, or

The following applies to all SpringerLink papers listed above that have Springer Science+Business Media copyrights: The original publication is available at

This page was automatically generated using BibDB and bib2web.