1

Software Defined Networking with PseudonymSystems for Secure Vehicular Clouds

Xumin Huang, Rong Yu, Member, IEEE, Jiawen Kang, Ning Wang, Member, IEEE,Sabita Maharjan, Member, IEEE, and Yan Zhang (corresponding author), Senior Member, IEEE

AbstractThe vehicular cloud is a promising new paradig-m where vehicular networking and mobile cloud computingare elaborately integrated to enhance the quality of vehicularinformation services. Pseudonym is a resource for vehiclesto protect their location privacy, which should be efficientlyutilized to secure vehicular clouds. However, only a few ex-isting architectures of pseudonym systems take flexibility andefficiency into consideration, thus leading to potential threatsto location privacy. In this paper, we exploit software-definednetworking technology to significantly extend the flexibilityand programmability for pseudonym management in vehicularclouds. We propose a software-defined pseudonym system wherethe distributed pseudonym pools are promptly scheduled andelastically managed in a hierarchical manner. In order to decreasethe system overhead due to the cost of inter-pool communications,we leverage the two-sided matching theory to formulate andsolve the pseudonym resource scheduling. We conducted extensivesimulations based on the real map of San Francisco. Numericalresults indicate that the proposed software-defined pseudonymsystem significantly improves the pseudonym resource utilization,and meanwhile, effectively enhances the vehicles location privacyby raising their entropy.

I. INTRODUCTIONWith the rapid development of wireless communica-

tion technologies [1], [2], vehicles can utilize vehicle-to-infrastructure and vehicle-to-vehicle communications with thehelp of on-board devices to form vehicular networks. However,many emerging mobile applications require larger and securestorage [3] and complex computation, and brings new resourcechallenges to vehicular networks, e.g., vehicle platoon [4],real-time video streaming application [5][8] and vehicularaugmented reality, social media sharing [9], [10]. To meet thegrowing demands of radio and computing resources, vehicularnetworks take the advantages of cloud computing and areevolving towards vehicular clouds. From a system-level view,idle resources in vehicles, network infrastructures (e.g., road-side unit (RSU)) and cloud infrastructures (e.g, data center)can be recruited to form a vehicular cloud system. A typicalvehicular cloud system [11] consists of three different levels asfollowing. 1) At the bottom level, cooperative vehicles createa vehicular cloud. 2) At the middle layer, a set of adjacentRSUs form a local cloud. 3) At the top layer, central cloud

Xumin Huang, Rong Yu, and Jiawen Kang are with School of Automation,Guangdong University of Technology, China. Email: {xumin.huang, yurong,jiawen.kang.cn}@ieee.org.

Ning Wang is with the Center for Communications Systems Research,University of Surrey, U.K. Email: n.wang@surrey.ac.uk.

Sabita Mahajan and Yan Zhang are with Simula Research Laboratory andUniversity of Oslo, Norway. Email: sabita@simula.no, yanzhang@ieee.org.

manages resources in the system. While ubiquitous wirelesscommunication of pervasive cloud computing greatly facilitatethe formation and functioning of vehicular cloud, privacy andsecurity challenges remain to be addressed for this new domain[12], [13].

To secure vehicular clouds, we focus on pseudonym, whichis an essential resource for vehicles to protect location privacy[14]. Most of the privacy protection schemes are implementedon the basis of pseudonyms, e.g., group signature, silent pe-riod, and mix-zone [14]. Vehicles should periodically changetheir pseudonyms to avoid being continuously tracked. More-over, a third-party cloud service provider may pose potentialthreats to the vehicles because of data leakage [15]. Thisfurther highlights the importance of pseudonyms for vehiclesto protect privacy in vehicular clouds. Vehicles need to possesssufficient pseudonyms to be able to frequently change foranonymity.

Moreover, with the increasing number of vehicles,pseudonym management in vehicular clouds has become achallenging problem. The drawbacks of a previous centralizedapproach to manage pseudonyms mainly include two aspects:a heavy computing workload for the central cloud and abig backhaul delay for the vehicles. These vulnerabilitiesconfine the pseudonym system capacity, and also result inlow utilization of pseudonyms. Consequently, the pseudonymsmay not be sufficient to maintain the location privacy of thevehicles. To this end, a new pseudonym system with highflexibility and efficient pseudonym utilization is necessary. Weexploit Software Defined Networking (SDN) to significantlyenhance the flexibility and programmability for pseudonymmanagement in vehicular clouds. Software defined networkingis a novel technology to control the network in a logicallycentralized, programmable and systematic approach by decou-pling the physical data plane and the abstract control plane[16]. The potential of centralized knowledge, programmabilityand flexibility in an SDN can satisfy the requirements of vehic-ular clouds and simplify pseudonym management, especiallywhen the number of vehicles is high.

In this paper, we propose a Software-Defined PseudonymSystem (SDPS), where distributed pseudonym pools are de-ployed, quickly scheduled and elastically managed in a hi-erarchical manner. Besides, to decrease the system overheaddue to inter-pool communication, we leverage the two-sidedmatching theory to formulate and solve the pseudonym re-source scheduling. The main contributions of this paper aresummarized as follows.

We propose a software-defined pseudonym system with

a hierarchical architecture, which leverages the SDNtechnology to provide flexibility and programmability forpseudonym management.

We develop the two-sided matching theory to solvepseudonym resource scheduling problem, which matchesthe optimal pseudonym transmitters and receivers todecrease the system overhead due to inter-pool commu-nication.

Numerical results show that the proposed software-defined pseudonym system significantly improves thepseudonym resource utilization, and effectively strength-ens the vehicles location privacy.

The rest of this paper is organized as follows. Section IIpresents the related work. We describe a new observationabout delay on pseudonym distribution approaches in SectionIII. A hierarchical architecture of software-defined pseudonymsystem is proposed in Section IV. Section V discusses thepseudonym-allocation problem, and we introduce the two-sided matching theory to solve this problem in Section VI.Performance evaluation of our proposed scheme is providedin Section VII. Finally, Section VIII concludes this paper.

II. RELATED WORK

Recently, a few studies have investigated the combinationof cloud computing and vehicular networks. The authorsin [11] presented a hierarchical architecture to organize thecloud resources in a vehicular network, consisting of threelayers: vehicular cloud, RSU cloud, and central cloud. In[17], the authors pointed out that the way of network serviceprovisioning changes when integrating the mobile cloud modelinto vehicular networks. The Vehicular Ad hoc Networks(VANET) Cloud, a new cloud computing model for VANET asintroduced in [18], consists of three layers: client layer, cloudlayer and communication layer. [19] proposed a new two-tier BUS-VANET that enables less delivery delay and higherdelivery rate than those of the traditional VANET.

Along with the system architectures and design principles,some researchers have shown great interest in the resourceallocation problem in vehicular clouds. Due to uncertainty ofthe vehicles behavior, the variation of available computationresources in vehicular clouds cannot be neglected. To addressthis problem, the authors in [20] proposed an optimal com-putation resource allocation scheme. The dynamic vehicularclouds make a decision about whether or not to locally processa service request. Then the computing resource allocationproblem in a vehicular cloud is formulated as a semi-Markovdecision process to maximize the total long-term reward of thevehicles. The authors in [11] focused on resource allocationand formulated the competition among virtual machines as anon-cooperative game. Similarly, RSU cloud resource manage-ment models in [21] employed SDN technology to decreasevirtual machine migration, and minimize the number of servicehosts and the infrastructure routing delay.

SDN is emerged as a promising approach for providing acentralized control method for global resource management incloud computing environment. The authors in [22] combinedthe SDN framework with cloud computing for cloud resource

optimal control. A resource sharing strategy is designed withglobal optimum in the control plane and executed by eachcloud service provider in the data plane. [23] exploited theSDN technology to allow the flexible allocation of bandwidthcoordinated with virtual machine provisioning to minimizeusers costs. An optimal bandwidth provisioning and routingdecision on virtualized routers are made by a SDN controllerand then implemented on the physical network. Similar workon bandwidth allocation based on SDN was studied in [24] forguaranteeing quality of service. SDN bridges the gaps throughunified network abstraction and programmability, which alsocan be utilized for overcoming todays limitations in vehic-ular networks [25]. Through utilizing the SDN frameworkto manage the cloud resources in vehicular clouds, a newparadigm of 5G-enabled vehicular networks was proposedin [26]. With SDN technology reconfiguring resources, anefficient RSU cloud resource management scheme aiming tominimize reconfiguration overhead was proposed in [21]. Inthis paper, we also consider that SDN can be to coordinateamong vehicles and allocate efficiently all kinds of resourcesin vehicular clouds.

Pseudonyms are crucial for vehicles to protect their locationprivacy when forming a vehicular cloud for inter-vehicularcommunication [14]. Vehicles need sufficient pseudonymsto frequently change for location privacy preservation. Theschemes for pseudonym distribution can be broadly catego-rized into two groups. I) A centralized pseudonym pool dis-tributes pseudonyms to vehicles. In [27], each vehicle obtains48830 pseudonyms at a time, and uses these pseudonyms overa long time (e.g., one year). II) Distributed pseudonym poolsdistribute pseudonyms to vehicles by distributed pseudonympools. In [28], the vehicles periodically obtain a certain num-ber of resource (keys or pseudonyms) from local managers.

For efficient generation and management of pseudonyms,we adopt a distributed approach that distributed local cloudwith a pseudonym pool generates and manages pseudonyms.This approach can reduce pseudonym distribution delay andbalance the computing workload in vehicular clouds. To im-prove pseudonym utilization efficiency and to provide flexibil-ity on pseudonym management, we exploit SDN and proposea new pseudonym system for vehicular clouds. The vehiclesare mobile in both time and space, consequently causingdifferent pseudonym demands in time and from differentpseudonym pools. To address this issue, we design an efficientpseudonym scheduling and distribution scheme using the two-sided matching theory.

III. A NEW OBSERVATION ON PSEUDONYM DISTRIBUTION

In this section, we first introduce two pseudonym manage-ment approaches in detail. Furthermore, we make an observa-tion about pseudonym distribution and find out the advantagesof distributed pseudonym management approach.

A. Two Pseudonym Management approaches

In the centralized pseudonym management approach, acentralized pseudonym pool stores all pseudonyms and cer-tificates, and distributes them to the vehicles for privacy

2

protection. Vehicles request and obtain pseudonyms throughRSUs. All the vehicles send pseudonym requests with digitalsignatures to nearby RSUs after encryption. The RSUs decryptand verify the pseudonym requests, and transmit these requeststo the central manager after encrypting and adding signaturesof the RSUs. The central manager decrypts and verifies thesignatures generated by the RSUs and the vehicles. The centralmanager encrypts the pseudonyms and transmits them to theRSUs. After decryption and verification, the RSUs send thepseudonyms to the vehicles.

For distributed pseudonym-management, there is a localauthority and a pseudonym pool in the local cloud. Vehiclesrequest pseudonyms from the local clouds. The process ofpseudonym distribution in the distributed approach is simpler.The local authorities generate and manage their pseudonymsin their own pseudonym pools. A vehicle sends an encryptedrequest with signature to its nearby RSU, which delivers therequests to a local authority. The local authority decryptsand verifies the request, and then distributes the encryptedpseudonyms to the vehicle. The vehicle verifies and receivesthe pseudonyms from the RSU. We observe that there areless handshake protocols and data transmission delay in thedistributed approach. Besides, for central pseudonym man-agement approach, all the pseudonyms include correspondingpublic and private keys and certificates. This brings a heavycomputing workload to the central cloud from pseudonymsgeneration to revocation. A distributed pseudonym manage-ment approach can be helpful to balance this computingworkload.

B. An experiment about Pseudonym Distribution

In this subsection, we compare the distribution delay ofpseudonyms in different pseudonym management approaches.We select a map of the West University Place and BraeswoodPlace, Houston [29] as observation areas. Twelve RSUs aredeployed in this map according to the scheme proposed in[30]. There are four local clouds in the experiment, eachconsisting of four adjacent RSUs. Some of the vehicles aremobile within the region of interest. We consider that therequest for pseudonyms from the vehicles in different localclouds follows a Poisson process. The average key size is 1024bits in RSA algorithm [31]. The time taken to execute basicoperations in our experiment is referred from [32].

Fig. 1 shows that the distribution delay increases with theincrease in average arrival rate of the vehicles that requestpseudonyms. The pseudonyms distribution delay in the central-ized approach is higher compared to the distributed approach.Moreover, it is clear that the computing overhead of basicoperations of pseudonyms management (e.g., signing, encrypt-ing and decrypting) in the centralized pseudonym managementapproach is higher than that in the distributed approach sincethere are more handshake protocols in the former. The centralauthority manages pseudonyms of all the vehicles, while thelocal authorities only manage a part of the vehicles. Therefore,the distributed approach is more efficient than the centralizedapproach because of smaller distribution delay and lowercomputation overhead.

400 600 800 1000 1200 1400 16000

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

Average arrival rate of vehicles

Pse

udon

ym d

istr

ibut

ion

dela

y (s

)

Central pseudonym management systemDistributed pseudonym management system

Fig. 1: The distribution delay comparison of distributed andcentralized management.

IV. SOFTWARE-DEFINED PSEUDONYM SYSTEMS

In this section, we propose a software-defined pseudonymsystem, where distributed pseudonym pools are deployed,scheduled and elastically managed in a hierarchical manner.

A. SDN for Pseudonym Management

SDN has emerged as a novel approach to control the net-work in a centralized, programmable and systematic manner.The core concept of an SDN is the separation between the con-trol plane and the data plane. By decoupling these two planes,network intelligence and state can be logically centralized andthe data forwarding is abstracted from applications [33]. Theflexibility of SDN can be an important advantage for cloudresource allocation to meet dynamic demands, and to improveresource utilization in vehicular clouds [21].

We exploit the SDN concept to increase the flexibilityand programmability for pseudonym management in vehicularclouds. To deploy SDN, a communication protocol betweenthe control plane and the data plane is required. We use theOpenFlow protocol, which is the defacto standard protocolfor SDN. It consists of OpenFlow controller and OpenFlowswitches. We design the pseudonym resource scheduling strat-egy in the control plane. Utilizing this strategy, the OpenFlowcontroller defines pseudonym forwarding rules for every Open-Flow switch in the pseudonym (data) plane. Some benefits ofleveraging SDN in the context of pseudonym management areas follows.

Globalization: The centralized controller obtains globalknowledge about pseudonym resource, i.e., demand andconsumption rates of all local clouds. With these informa-tion, an optimal resource scheduling strategy is designedto allocate the pseudonyms on demand efficiently.

Flexibility: The SDN technology brings flexibility andprogrammability into the vehicular clouds for pseudonymmanagement. Pseudonyms can be flexibly managed ac-cording to the heterogeneous characteristics of vehicularnetworks, such as mobility, topology and capability.

3

Central CloudData centerRegistration

authority

OpenFlow controller

OpenFlow switch

Pseudonym pool

Local data center

Pseudonym resource

Instruction communication

Data transfer

Co

ntro

l pla

ne

Da

ta p

lan

e

Local Cloud

Vehicular Cloud

RSU RSU RSU

Fig. 2: A hierarchical architecture of SDPS in vehicularclouds.

Simplicity: By decoupling the pseudonym resource con-trols (control plane) and pseudonym forwarding functions(data plane), the SDN simplifies pseudonym manage-ment. This goal can be achieved even if the number ofvehicles is high.

B. A Hierarchical Architecture for SDPSFig. 2 shows a hierarchical architecture for SDPS in ve-

hicular clouds, which is divided into data plane and controlplane. The vehicular clouds in this paper have three-layerclouds: central cloud, local cloud and vehicular cloud. Thereare a registration authority, a data center and an OpenFlowcontroller in the central cloud. The registration authoritymanages the digital certificates of all entities, e.g., vehicles,RSUs, OpenFlow switches, and pseudonym pools. The regis-tration authority is in charge of monitoring the behaviors ofall entities to ensure system security [27]. The data centerscollect and store the status information of all local clouds.These information include traffic flow, and the deploymentinformation of pseudonyms, which are used to design the op-timal pseudonym resource scheduling strategy. Some adjacentRSUs and a remote data center form a local cloud, includinga pseudonym pool with an OpenFlow switch. A group ofcooperative vehicles create a vehicular cloud to share vehicularresources.

Pseudonyms are utilized in frequent vehicle-to-vehicle andvehicle-to-infrastructure communication for location privacypreservation. For example, when nearby vehicles in mo-tion constitute a dynamic vehicular cloud, inter-vehicle com-munication is normally required. For location privacy p-reservation, the vehicles without sufficient pseudonyms send

Control

plane

Data

planeForward among pseudonym pools

Forward to

vehicles

OpenFlow switch

Check OpenFlow

switches

Define a pseudonym

flow table

Pseudonym-flow

table

Status information of

OpenFlow switches

Develop an optimal

resource scheduling

strategy

OpenFlow

controller

Fig. 3: Control plane and data plane in SDPS.

pseudonym requests to nearby RSUs. The local cloud sched-ules pseudonyms generated by its pseudonym pool to supportthe demands from vehicles. Generally, the pseudonym de-mands from vehicles in different local clouds may change overtime. This means that there exists redundant or on-demandpseudonym resource among the local clouds.

In the SDPS, pseudonyms are generated by local pseudonympools and transferred to other pseudonym pools in differentlocal clouds when necessary. The pseudonyms are managed bythe local clouds that distribute them. When some pseudonymsare distributed to a vehicle, these pseudonyms will be attachedwith signatures of the local clouds to indicate the manager.For example, a vehicle obtains some pseudonyms from thelocal cloud LC1. LC1 signs the pseudonyms and the vehiclemay enter another local cloud, e.g., LC2 . LC2 verifies thesignatures of the pseudonyms to authenticate the vehicle. Ifthe vehicle wants to request new pseudonyms from LC2,LC2 need to inform LC1 to perform revocation of the formerpseudonyms distributed to the vehicle. Then LC2 distributesnew pseudonyms to the vehicle.

The OpenFlow controller collects and analyzes the globalstatus information in vehicular clouds. To improve pseudonymutilization, the global controller makes an optimal pseudonymresource scheduling strategy, and then OpenFlow switchesforward pseudonym resource. A pseudonym-flow table isdesigned by the controller and sent to every OpenFlow switch.OpenFlow switches receive the pseudonym-flow table, andforward the pseudonyms to vehicles or other pseudonympools according to the flow rules. The system consists of thefollowing SDN components.

OpenFlow controller: In the control plane, the Open-Flow controller is the logical central intelligence of thevehicular clouds, which controls the network behavior

4

of the entire system. The controller designs the optimalpseudonym resource scheduling strategy and generatesa detailed pseudonym-flow table for every OpenFlowswitch.

OpenFlow switch: In the data plane, the pseudonympools equipped with OpenFlow switches are controlledby the OpenFlow controller to perform actions. Theyare stationary elements of data plane, which are respon-sible for forwarding pseudonym-flow, e.g., forwardingpseudonyms to local vehicles or other pseudonym pools.

More details about functions of data plane and control planeare shown in Fig. 3 and are described next.

Data plane: The pseudonym pools in local clouds gener-ate pseudonyms at a constant rate. There is an OpenFlowswitch in every pseudonym pool, and every OpenFlowswitch communicates with the OpenFlow controller. Ac-cording to flow rules in a pseudonym-flow table designedby the OpenFlow controller, a pseudonym pool maydistribute the pseudonyms to relative RSUs to makevehicles anonymous for privacy preservation in its cover-age. On the other hand, it can also transmit redundantpseudonyms to others, or receive a certain number ofpseudonyms from others. Therefore, the data plane isresponsible for performing pseudonym-flow forwardingtasks in this system. Besides, status information aboutOpenFlow switches are also uploaded to the controllerfor checking.

Control plane: The OpenFlow controller in the cen-tral cloud obtains global information about all thepseudonym pools and pseudonym requests from vehicles.The OpenFlow controller makes the optimal pseudonymresource allocation strategy among pseudonym pool-s. A pseudonym-flow table is also designed by thecontroller, and then it decides how the pseudonymsare forwarded in the vehicular clouds. The formatof an item in a pseudonym-flow table is shown as:PID From To Time . Here, PID denotes

the identification of pseudonym. From and Toindicate where the pseudonym is generated from andtransmitted to, respectively. To can be an address of anRSU or other pseudonym pools. Time is the timestampof pseudonym generation. The goal of the pseudonym-flow table is to maximize the utilization of pseudonymresource by transmitting redundant pseudonyms to thepseudonym pools that fall short of pseudonyms. Dueto the cost of inter-pools communication, the redundantpseudonyms should be well scheduled and transferredfrom pseudonym transmitters to receivers among thepseudonym pools. To efficiently match transmitters andreceivers, we use two-sided matching theory to obtain theoptimal result after multi-rounds matching.

V. PROBLEM FORMULATION

In our model, the pseudonym pools with OpenFlow switchesform a network as an undirected graph G = G(V,E). Thenetwork of the pseudonym pools includes m nodes (i.e.,pseudonym pools) and n node pairs (i.e., edges and links).

The pseudonym pools in local clouds are denoted by V ={P1, P2, ..., Pm}. The set of edges E represents the undirectedpseudonym transmission links. The pseudonym data packetscan be transmitted between two connected pseudonym poolsvia wired link with smaller cost. During the transmission ofpseudonym data packets, the data packet loss per distanceunit is l [34]. Then the weights of edges are calculated bythe total pseudonym transmission loss (denoted as c) betweentwo connected pseudonym pools. Here, c = l d, where dis the distance between two connected pseudonym pools. Allthe pseudonym pools are connected with each other. UsingDijkstras algorithm, the link with minimum communicationcost between any two pseudonym pools can be determined.Defining a symmetric matrix M=Dijkstra(G) as the inter-pool minimum communication cost matrix, the element of thematrix, mi,j(i = j), represents the minimum communicationcost between pseudonym pool Pi and pseudonym pool Pj . Tomake this paper clear, we use m(Pi, Pj) to replace mi,j .

At the beginning of an observation period t (i.e., a timewindow), a pseudonym pool Pi possesses a certain amountof residual pseudonym resource Rti . Each pseudonym poolgenerates pseudonyms at a constant rate, i. The averageconsuming rate of pseudonym resource of Pi in the followingtime (denoted as ti) can be estimated from the historicalrecords by statistical methods. During time interval T , ifRti > (

ti i)T , Pi has a certain amount of redundant

pseudonym resource. Otherwise Pi lacks pseudonym resource.Let rti represent the difference between the amount of requiredresources and the amount of actual resources as follows,

r(Pi) =Rti + iT tiT . (1)

Pi shares idle pseudonyms with other pseudonym pools or re-ceives pseudonyms from others. We represent the pseudonympool offering pseudonyms to others as OP, and the pseudonympool receiving pseudonyms from the OPs as RP.

In an SDPS, a pseudonym resource scheduling problemincludes three considerations.

1) OPs are rational to determine that how many idlepseudonyms can be offered to RPs after considering boththe current and future demands.

2) To decrease the system overhead, OPs prefer to offertheir idle pseudonyms to some proper RPs with smallerinter-pool communications cost.

According to this principle, an optimal pseudonym resourceallocation strategy among the pseudonym pools can be de-signed.

VI. SOLUTION FOR PSEUDONYM RESOURCE SCHEDULING

A. The Optimal Strategies for OPs

For OPs, they offer a certain amount of idle pseudonyms toothers according to a predefined utility function. The utilityfunction of an OP, OPi, consists of two components: thesatisfaction function and the cost function. The satisfactionfunction Sti is defined as

Sti = wi log(1 + tix

ti). (2)

5

Here, xti (xti 0) represents the amount of pseudonym

resource that OPi would like to offer to others in time periodt. wi is the willingness of OPi, which is determined by itsgeographical advantage in G. wi can be expressed by

wi =k

j =im(Pi, Pj)

, (3)

where k is a predefined constant. The form of wi is similarto the closeness centrality in [35]. Clearly, less pseudonymtransmission loss between OPi and other pseudonym poolsstimulates OPi to share its idle pseudonyms. The redundantlevel in the current time period of OPi is denoted by

ti = aRti + iT

tiT, (4)

where a is the redundant level gain and is predefined by thepreference of pseudonym pools. OPi is willing to offer morepseudonyms to others for higher utility, when it possesses moreidle pseudonyms. But OPi should take its demand level ofthe next time period (denoted as ti ) into consideration whenoffering idle pseudonyms to others. ti is defined as

ti = bt+1iti

, (5)

where b is the redundant level gain, that can be predefined.The cost of OPi offering resources to others is proportionalto ti . Thus, the utility function of OPi can be expressed as

uti = wi log(1 + tix

ti) tixti. (6)

Next, to obtain the optimal solution, we analyze the charac-teristic of the utility function. Differentiating uti with respectto xti, we get

utixti

=wi

ti

(1+tixti) ln 2

ti ,2utixti

2 = wit2i

(1+ixti)2 ln 2

< 0.

The utility function is concave, so we can obtain its maximalvalue by leveraging u

ti

xti= 0. Thus, the optimal amount of idle

pseudonyms offering to others (denoted as xti ) is expressedas

xti =wi

ti ln 2 1

ti. (7)

For the sake of fairness, xti is constrained by r(OPi) asfollows,

xti = min(r(OPi),wi

ti ln 2 1

ti). (8)

B. Two-sided Matching among the Pseudonym Pools

After calculating the optimal number of idle pseudonymsprovided by the OPs, a global controller in the central clouddecides how to allocate these pseudonyms to the RPs. The OPstransfer their idle pseudonyms to appropriate RPs for less costof the inter-pool communications. It is a matching problembetween the RPs and the OPs to decide that how to match anoptimal RP for every OP, which aims at decreasing the systemoverhead resulted from inter-pool communications.

We use a simple and efficient two-sided matching theorybased on Gale-Shapley algorithm to solve the problem ofoptimal pseudonym resource allocation [36]. RPs, as theinviters, will propose to the invitees OPs according to theirown preference lists (denoted as PL(Pi)). The PL is gener-ated and stored according to communication cost of differentpseudonym pools. In the preference list of RP i, OP j isarranged in the ij th order. Conversely, in the preference listof OP j , RP i is arranged in the

ji th order. The preference

lists are described as follows:

OPj = PL(RPi, ij),

RPi = PL(OPj , ji ).

(9)

We take a pseudonym pool network consisting of two OPsand three RPs as an example. The preference lists of OPs andRPs are given as follows.

OP1 : {RP2, RP1, RP3};OP2 : {RP2, RP1, RP3};RP1 : {OP2, OP1};RP2 : {OP2, OP1};RP3 : {OP1, OP2}.

For simplicity, we consider that every RP demands the equalamount of pseudonyms and the redundant pseudonym resourceof every OP only can satisfy one RP. In the first round ofmatching procedure, every RP proposes to its favorite OPaccording to its preference list. In the first round of result,every OP chooses the favorite one from the existing invitersaccording to the preference list. More details are shown asfollows.

1st round procedure 1st round resultRP1 OP2 RP1 RP2 OP2 RP2 OP2RP3 OP1 RP3 OP1

OP1 chooses to match with RP3 temporally because thatRP3 is the only inviter for OP1 in the first round. OP2 chooseto match with RP2 because that RP2 is prior to RP1 in thepreference list of OP2. Then RP1 has to choose the next OPin its preference list in the next round. Similarly, the secondround procedure and result are listed as

2nd round procedure 2nd round procedureRP1 OP1 RP1 OP1RP2 OP2 RP2 OP2RP3 OP1 RP3

After being rejected by OP2, RP1 proposes to OP1 in thesecond round. Due to the priority of RP1, OP1 prefers to breakthe previous matching result with RP3, and then receives theinvitation from RP1. As a result, RP3 has to stay alone in thisround. Although RP3 tries to propose OP2 subsequently, theresult in the second round is stable because that both OP1 andOP2 do not want to change their current inviters. Thus, twostable matches between RP1, RP2, RP3 and OP1, OP2 areformed and satisfy the requirement of the two-sided matching.According to the above example, we know that, to decreasethe communication cost between the pseudonym pools, the

6

matching problem between RPs and OPs can be solved by atwo-sided matching problem.

We use a binary variable, (RPi, OPj), to denote the finalmatching result. When the binary value is 1, it means that thepseudonym pools are matched. There may exist many roundsduring the process of two-sided matching. Every matchinground includes the following three stages.

1) Stage 1: The inviters propose to the invitees. RPs requestpseudonym resource and send queries to the first OP in theirpreference lists. Every OP that act as the invitee selects the bestpartner according to its own preference list. When multipleRPs propose to the same OP, the OP selects the best RP fromthe proposers. If an RP is rejected by any OP, the RP willpropose to the next OP in the RPs preference list until it isaccepted or is rejected by all the OPs in its preference list.

Theorem 1: (RPi, OPj) = 1 will exist if and only ifijs=1

(RPi, PL(RPi, s)) +jis=1

(PL(OPj , s), OPj) = 0.

Proof: RPi proposes to OPj , which means that RPihas already been rejected by those OPs that whose or-ders are prior to ij . The rejections are expressed byijs=1

(RPi, PL(RPi, s)) = 0. OPj accepts RPi, only

if OPj has no better proposer but RPi, which impliesjis=1

(PL(OPj , s), OPj) = 0. This means that for RPi, it

has been rejected those OPs that are better than OPj inits preference list. So OPj is the best choice of RPi atthat time. Conversely, for OPj , the acceptation of RPi isdone because that there is no better inviter than RPi. Then,(RPi, OPj) = 1 will exist if and only if both RPi and OPjhave been matched with their own best partner. In summary,the final outcome of matching is the optimal two-sided result,because both inviters and invitees have been matched withtheir own best partner. The matching result is stable sinceboth the inviters and the invitees have no better choice [36].

2) Stage 2: OPs decide the amount of transmittedpseudonym resource. If (RPi, OPj) = 1, the amount ofpseudonym resource transmission between RPi and OPj(denoted as t(RPi, OPj)) depends on m(RPi, OPj), x(OPj)and r(RPi). For decreasing transmission cost, the amount oftransmitted pseudonym resource is given by,

t(RPi, OPj) =

r(RPi) +m(RPi, OPj), r(RPi)+

m(RPi, OPj) < x(OPi);x(OPi), m(RPi, OPj) < x(OPi)

r(RPi) +m(RPi, OPj);0, x(OPi) m(RPi, OPj).

(10)The actual amount of pseudonym resource received by RPi isequal to min(t(RPi, OPj)m(RPi, OPj), 0).

3) Stage 3: Updating the members of inviters and in-vitees. If (RPi, OPj) = 1 and RPi obtains enoughpseudonym resource, which satisfies min(t(RPi, OPj) m(RPi, OPj), 0) = r(RPi), RPi will split from the set ofRPs. Otherwise, RPi will update its resource status informa-

tion as follows,

r(RPi) = r(RPi)min(t(RPi, OPj)m(RPi, OPj), 0),(11)

and then joins into the next matching round. Thus, a new setof RPs occurs. OPj will update the status information afteroffering pseudonym resource to RPi, as

r(OPj) = r(OPj) t(RPi, OPj). (12)

If OPj cannot offer enough amount of pseudonyms forany RP in the next round, which satisfies x(OPj) min(m(RP,OPj)), it will split from the set of OPs. Oth-erwise, it still stay in OPs. When the set of RPs or OPs isempty, the matching process ends.

C. Pseudonym-flow Table

The optimal pseudonyms allocation strategy can be per-formed in terms of designing a detailed pseudonym-flowtable for every OpenFlow switch. For a local cloud, it firstsatisfies the local pseudonym demands and then transfersredundant pseudonyms to others. The local clouds transferpseudonyms to local vehicles or other local clouds in a batch.For instance, several pseudonyms are generated in OPi andpackaged together in time slot t. We denote this pseudonympackage as pti. According to the optimal pseudonym resourceallocation strategy, OPi should transfer ti,j (the number ofpseudonym packages) to RPj (j = 1, 2, 3...N). If there existsa local pseudonym request at this time, pti will be delivered tothe local requester otherwise it will be transferred to RPs or bestored in local pseudonym pool when

ti,j = 0. Following

this principle, a detailed pseudonym-flow table of OPi can bedesigned according to Algorithm 1.

VII. NUMERICAL RESULTS

In this section, we evaluate the performance of the proposedpseudonym resource scheme in an actual urban area of SanFrancisco. The latitude is from 37.73619 to 37.81505, andthe longitude is from -122.51431 to -122.36731. As shown inFig. 4, the observed area is approximately 11.03 7.6km2,which is divided into 8 grids (local clouds) according to thespatial distribution of vehicle hotspots in Fig. 5 [37]. Thecoverage of each local cloud is about 11 km2. In an urbanarea, the vehicles often take familiar routes in a specifiedtime period, such as similar trajectories from home to work inthe day time [38]. We also deploy 8 pseudonym pools in theobserved area shown in Fig. 4, whose locations are restrictedby the geographical conditions and the traffic load of eachlocal cloud. The pseudonym pools 1, 2, 3 and 4 are deployedin the commercial areas. And the pseudonym pools 5, 6, 7 and8 belong to the residential areas. This deployment strategy oflocal clouds follows the spatio-temporal distributions of thevehicles.

In this paper, we use the OpenFlow protocol to deploy theSDN [16]. Every pseudonym pool connects with an OpenFlowswitch, which is responsible for forwarding the pseudonymflow. A global OpenFlow controller is deployed at a remotecloud, which acts as the central cloud. There exists a data

7

Algorithm 1 Pseudonym distribution algorithm// An element denoted as A[j] in an array A[N ] indicateshow many pseudonym packets this OP, OPi, has transferredto RPj+1.

1: Initialize an array A[N ] = 0 and j = 0.2: while t T do3: Generate a pseudonym package, pti.4: if there is a local pseudonym request then5: Deliver pti to the local requester.6: else7: Initialize Flag 0.

8: whileN1k=0

A[k]