Certificateless-Based Anonymous Authentication and Aggregate Signature Scheme for Vehicular Ad Hoc Networks

Development of the Internet of Vehicles (IoV) has attracted extensive attention in recent years. The IoV requires an efficient communication mode when the application scenarios are complicated. To reduce verification time and shorten signatures, certificateless aggregate signature (CL-AS) is used to improve performance in resource-constrained environments such as vehicular ad hoc networks (VANETs), which makes it effective where bandwidth and storage are limited. However, in real application scenarios, messages must be kept untampered, unleaked, and authentic. In addition, most of the proposed schemes are vulnerable to collusion between signers or malicious entities, which is known as the coalition attack. In this paper, we present an improved certificateless-based authentication and aggregate signature scheme, which properly resists the coalition attack. Moreover, the proposed scheme not only uses pseudonyms in communications to prevent vehicles from revealing their identity but also achieves considerable efficiency compared with state-of-the-art certificateless signature (CLS) and CL-AS schemes. Furthermore, we show that the proposed scheme is provably secure against existential forgery under adaptive chosen message attack and against the coalition attack. Also, we show that our scheme outperforms existing schemes in both computation and communication costs.


Introduction
With the rapid development of communication technology, vehicles equipped with powerful smart devices can communicate with each other, and this novel application has attracted extensive interest in society. It is commonly referred to as vehicular ad hoc networks (VANETs), which can help maintain a safe distance between vehicles and reduce the probability of collisions, help drivers navigate in real time, and improve the efficiency of traffic operation by communicating with other vehicles and network systems [1].
Although VANETs have many merits, they still have a long way to go before wide application. One obstacle is privacy violation. Without proper privacy protection, malicious adversaries can collect vehicle information, such as routes or status, to perform attacks. Fortunately, using pseudonyms in communications avoids this problem: a vehicle communicates with other vehicles or with a roadside unit (RSU) under a pseudonym, and no one except the trusted authority (TA) can obtain its true identity. Even if the messages between vehicles and RSUs are collected by an attacker, they reveal no identity information. VANETs also face other problems, such as further privacy issues and vulnerability to attacks.
Recently, several novel schemes and algorithms have been proposed to solve these problems. Lin et al. [2] proposed a blockchain-based protocol to reduce the verification and storage cost for vehicles. Kumar et al. [3] proposed an efficient scheme using path signatures to resist the Sybil attack. Jiang et al. [4] proposed an anonymous authentication scheme (AAAS) for VANETs, which adopts a group signature mechanism to provide a more efficient anonymous authentication service for vehicles. Zheng et al. [5] presented a certificateless group signature anonymous authentication scheme for VANETs, which shortens the signature and improves signing efficiency. Among the various schemes, we find that Kamil et al.'s scheme [6] is notably efficient. However, we find that it cannot resist the coalition attack, which is launched by two colluding vehicles. For example, two vehicles can maliciously exchange their locations when generating their signatures, which are then verified successfully, so that they hide their real locations, which may lead to serious consequences. The detailed description and analysis are given in Subsection 4.3. We make the RSU both the aggregator and the verifier and add a random list to properly solve the problem. Our main contributions in this paper are as follows:
(i) We prove that Kamil et al.'s schemes are not secure enough to defend against attacks from malicious vehicles and propose a solution to the problem.
(ii) We propose an improved certificateless-based authentication and aggregate signature scheme for VANETs and prove its correctness and its resistance to coalition attacks.
(iii) We use efficiency analysis and simulation to show the superiority of our scheme in efficiency and practicality.
The rest of this paper is organized as follows. In Section 2, we discuss related work on CLS and CL-AS schemes in VANETs. In Section 3, we describe related concepts and models. In Section 4, we analyze Kamil et al.'s scheme and prove that it cannot resist the coalition attack. We present our proposed scheme in detail in Section 5. Experiments and result analysis are described in Section 6. We conclude the paper in Section 7.

Related Works
To address the security and privacy requirements of VANETs, a number of researchers [7][8][9] proposed Public Key Infrastructure-based (PKI-based) authentication schemes. These schemes either require vehicles to perform more computation to verify the signatures of other vehicles or assume that a trusted certificate authority issues and maintains the certificates of all vehicles. However, this assumption may be unrealistic because a single node cannot afford such a large amount of computation.
Later, a new kind of signature scheme, the identity-based signature (IBS) scheme, was widely discussed. For example, Liu et al. [10] proposed an IBS scheme that takes the user's identity as the public key, while the private key is generated by a private key generator (PKG), which reduces the burden on a single node. However, IBS has the inherent key escrow problem, since the PKG derives every user's private key from the identity.
Al-Riyami and Paterson [11] first introduced certificateless public key cryptography. In recent years, much research on CLS and CL-AS schemes with bilinear pairing has been carried out [12][13][14]. In these schemes, the key generation center (KGC) uses its master key and the user's identity information to compute a partial private key and sends it to the user; the user then combines the partial private key with his/her secret value to generate the real private key, which protects the user's privacy and keeps the system secure. These schemes rely on bilinear pairing, which is relatively expensive to compute.
Elliptic curve cryptography (ECC) is adopted in CLS and CL-AS schemes because of its high efficiency. Xie et al. [15] gave a rigorous security proof showing that their scheme resists various malicious attacks and ensures privacy protection. In the field of health care, Du et al. [16] proposed a CL-AS scheme with high efficiency and low latency, which is well suited to healthcare applications. In 2018, Cui et al. [17] presented a novel CLS and CL-AS scheme based on ECC, which significantly reduces computation time during signing and verification. Kamil et al. [6] stated that the scheme proposed by Cui et al. is not secure against signature forgery and proposed an improved signature scheme for VANETs. They claimed that their scheme addresses all the security and privacy needs of VANETs. However, we will demonstrate and prove that their scheme cannot resist coalition attacks and that our improved scheme resists the attack and achieves better performance.

Preliminaries
3.1. Elliptic Curve Cryptography.
Widely used in cryptography, elliptic curve cryptography (ECC) offers extremely high efficiency together with strong security. In public key cryptography, it needs far fewer bits than RSA to protect messages of the same length. Because of its fewer parameters, shorter key length, and lower time cost, ECC is well suited to VANET application scenarios. We give the following three definitions.
Definition 1 (Elliptic curve). Our scheme uses elliptic curve cryptography at the 160-bit level. Assume that F_q is a finite field modulo q, where q is a large prime. An elliptic curve over F_q is defined by E : y^2 = x^3 + ax + b, where x, y, a, b ∈ F_q and Δ = 4a^3 + 27b^2 ≠ 0 (mod p).
Definition 2 (Addition on elliptic curves). Assume that P = (x_1, y_1) ∈ E is a point of the elliptic curve E, and −P = (x_1, −y_1) (mod p) is the negative of P. Let Q = (x_2, y_2) ∈ E with Q ≠ −P. The line l through P and Q intersects the curve at a third point R' = (x_3, y_3); the reflection of R' about the x-axis is R = (x_3, −y_3), and we define R = P + Q. Scalar multiplication on the elliptic curve is defined as repeated point addition.
Definition 3 (Elliptic curve discrete logarithm problem). Let P_1 be a point on the elliptic curve E over the finite field F_q, and select a random k ∈ Z_q^*. Then P_2 = k · P_1 is easy to compute by Definition 2. By the elliptic curve discrete logarithm problem (ECDLP), however, it is hard to recover k from P_1 and P_2.

Forking Lemma
Definition 4 (Forking lemma [18]). Suppose that A is a probabilistic polynomial time Turing machine whose input includes public data. Let Q and R denote the number of queries A can make to the random oracle and to the signer, respectively. Suppose that within time T, A can produce a legitimate signature (m, σ_1, h, σ_2) with probability ε ≥ 10(R + 1)(R + Q)/2^k. If, without knowing the private key, A can forge the signature (σ_1, h, σ_2) with an indistinguishable probability distribution, then there exists a machine that controls A, replaces the interaction with the signer by simulation, and extracts the secret information. Eventually, it produces two legitimate signatures (m, σ_1, h, σ_2) and (m, σ_1, h', σ_2') with h ≠ h'.

3.3. Certificateless (Aggregate) Signature Scheme.
Generally, a certificateless signature (CLS) scheme and a certificateless aggregate signature (CL-AS) scheme consist of the following seven algorithms.
(1) Setup: the KGC and TA execute this probabilistic algorithm. Given a security parameter λ, it generates an elliptic curve E, the public keys PK_TA and PK_KGC, and the master secret keys α and β, respectively, and then publishes the system parameters that keep the system in order.
(2) PartialPrivateKeyGeneration: in this algorithm, the entity V_i first transmits a tuple containing its real identity and partial pseudo identity to TA. TA then computes the whole pseudo identity and sends it to KGC. Finally, KGC transmits the partial private key to the entity V_i over a secure channel.
(3) VehicleKeyGeneration: the entity V_i selects a random ρ_i ∈ Z_q^* as its secret key and computes its public key PK_{V_i}.
(4) IndividualSign: this algorithm is used by each entity V_i; after generating a message m_i, the entity V_i computes a set of variables and then sends the signature σ to the verifier.
(5) IndividualVerify: this algorithm is executed by a verifier such as an RSU. On receiving a signature σ, a pseudo identity PID_i, and the current time T_cur, the RSU first checks the time validity. The algorithm then outputs true if the signature is valid and false otherwise.
(6) AggregateSign: in our system the aggregate signature generator is generally the RSU. It takes an aggregating set V of n entities V_1, V_2, ..., V_n, the pseudo identity PID_i of each vehicle V_i as the list PID, the corresponding public key PK_{V_i} of each V_i, and the message-signature tuples ((m_1, σ_1), (m_2, σ_2), ..., (m_n, σ_n)) from the respective V_i. The aggregate signature generator produces the aggregate signature σ and then transmits a tuple containing the signature, the list PID, and the time list T to the verifier.
(7) AggregateVerify: in general, this algorithm is executed by another RSU. It takes an aggregating set V of n entities {V_1, V_2, ..., V_n} and the pseudo identity PID_i of each entity V_i. The verifier first checks the time validity for each entity and then outputs true if the signature is valid and false otherwise.

Security Model.
In this section, we present the security model of CLS and CL-AS schemes. We consider two types of adversaries: Type 1 (A_1) and Type 2 (A_2).
Specifically, adversary A_1 can replace a user's public key or private key but cannot access or replace the master secret key of KGC. Adversary A_2 can access the master secret key of KGC and is therefore called an internal attacker; however, it cannot replace or access the public key of a user. Generally, we use two games, played between an adversary A ∈ {A_1, A_2} and a challenger C, to model the security of CLS and CL-AS schemes. A can access five oracles to obtain what it needs. The details are as follows:
(1) GenerateUser: given a user's pseudo identity PID_i and a request for its public key PK_{V_i}, C returns the public key PK_{V_i} of PID_i.
(2) RevealPartialPrivateKey: given a user's pseudo identity PID_i, C outputs the corresponding partial private key PPK_i.
(3) RevealSecretKey: given a user's pseudo identity PID_i, C returns the user's secret key ρ_i.
(4) ReplaceKey: given a user's pseudo identity PID_i and a public key PK*_{V_i}, C replaces the public key PK_{V_i} with PK*_{V_i}.
(5) Sign: given a message m_i ∈ {0, 1}*, C runs the signing algorithm to generate a signature σ_i of user PID_i on message m_i and returns it to A.
We construct the following two games, Game I and Game II, for our CLS scheme.
(Game I) A Type 1 adversary A_1 and a challenger C play the game as follows:
Step 1. C runs the Setup algorithm to generate a master secret key β, a list of system parameters, and the system public key PK_KGC. It then sends the system parameters to A_1 and keeps β secret.
Step 3. A_1 outputs the public key PK*_{V_i} and a signature σ*_i of a user with identity PID*_i.
A_1 wins the game if the following conditions are met:
(i) It neither uses PID*_i in a RevealPartialSecretKey query nor obtains the partial private key.
(ii) σ* is a valid signature of the user with identity PID*_i and the corresponding public key PK*_{V_i}.
(iii) It never uses (PID*_i, m*_i) to query the Sign oracle.
(Game II) A Type 2 adversary A_2 and a challenger C play the game as follows:
Step 1. C runs the Setup algorithm to generate a master secret key β, a list of system parameters, and the system public key PK_TA. It then sends the system parameters, β, and PK_TA to A_2.
Step 3. A_2 outputs the public key PK*_{V_i} and a signature σ*_i of a user with identity PID*_i.
A_2 wins the game if the following conditions are satisfied:
(i) It never uses PID*_i in a RevealSecretKey or ReplaceKey query to obtain the partial private key.
(ii) σ* is a valid signature of the user with identity PID*_i and the corresponding public key PK*_{V_i}.
(iii) It never uses (PID*_i, m*_i) to query the Sign oracle.
Definition 5. The CLS scheme is provably secure if no polynomial time adversary A_1 or A_2 can win Game I or Game II, respectively, with a non-negligible advantage.
We construct the following two games, Game III and Game IV, for our CL-AS scheme.
(Game III) A Type 1 adversary A_1 and a challenger C play the game as follows:
Step 1. C runs the Setup algorithm to generate the master secret key β, the system parameters, and the system public key PK_TA. It then sends the system parameters to A_1 and keeps β secret.
Step 3. A_1 outputs an aggregate signature σ* of n users with identities PID* = {PID*_1, PID*_2, ..., PID*_n} and the corresponding public keys.
A_1 wins the game if the following conditions are satisfied:
(i) At least one of the identities has not been submitted to the RevealPartialSecretKey query to obtain the partial secret key.
(ii) σ* is a valid aggregate signature of the users with identities PID* = {PID*_1, PID*_2, ..., PID*_n} and the corresponding public keys.
(iii) It never uses (PID*_i, m*_i) to query the Sign oracle.
(Game IV) A Type 2 adversary A_2 and a challenger C play the game as follows:
Step 1. C runs the Setup algorithm to generate the master secret key β, the system parameters, and the system public key PK_TA. It then sends the system parameters, β, and PK_TA to A_2.
Step 3. A_2 outputs an aggregate signature σ* of n users with identities ID* = {ID*_1, ID*_2, ..., ID*_n} and the corresponding public keys PK*.
A_2 wins the game if the following conditions are satisfied:
(i) It has not used all of the identities to access the RevealPartialSecretKey query to obtain the partial private key.
(ii) σ* is a valid aggregate signature of the users with identities ID* and the corresponding public keys PK*.
(iii) It never uses (ID*_i, m*_i) to query the Sign oracle.
Definition 6. The CL-AS scheme is provably secure if no polynomial time adversary A_1 or A_2 can win Game III or Game IV, respectively, with a non-negligible advantage.

Overview of Kamil et al.'s CLS and CL-AS Scheme
In the scheme proposed by Kamil et al. [6], there mainly exist four entities including TA, regional transport management authority (RTMA), which is a trusted party responsible for partial secret key generation, RSU, and vehicle. The scheme is reviewed as follows:

Overview of Kamil et al.'s CLS Scheme
(1) Setup: the TA selects a security parameter k, two secure primes p and q, an elliptic curve E defined by the equation with a, b ∈ F_q, a generator P of order q of the additive group G consisting of all the points on E, and five hash functions h_0, h_1, h_2, h_3, and h_4. Then it picks x ∈ Z_q^* as its master secret key and computes its public key P_pub. Also, TA defines a time-
(2) UserRegistration: the RTMA executes the following algorithm to register a vehicle with identity ID_k. First, the vehicle sends its identity ID_k to the RTMA. Then RTMA randomly selects ℏ_{1,k} ∈ Z_q^* and computes the hash chain set ℏ_{y,k} = {ℏ_{2,k}, ℏ_{3,k}, ..., ℏ_{n,k}}, 1 ≤ y ≤ n, where ℏ_{y,k} = h_0(ℏ_{y−1,k}).
(3) PartialSecretKeyGeneration: after receiving param and a vehicle identity ID_k, RTMA runs as follows:
Step 1. The RTMA generates its public key PK_RTMA = s · P, where the secret key s ∈ Z_q^* is randomly selected.
Step 3. Compute A_k = tβ_k · P and x_k = tβ_k + ξ_k α_k s.
(4) PseudonymGeneration: after receiving the tuple (ℏ_{y,k}, (A_k, x_k)) from the RTMA, the vehicle executes the following algorithm:
(5) UserKeyGeneration: the vehicle with ID_k uses the following algorithm to generate its private key:
Step 2. Check whether PSK_k is valid by testing whether the equation holds.
Step 3. Output SK_k = a_k(SK_k^1 + SK_k^2) and PK_k = SK_k · P as its private and public keys, respectively.
(6) Sign: after receiving param, PSK_k, SK_k, and PK_k, a vehicle with pseudo identity PID_{y,k} can sign a message m_k as follows:
(7) Verify: after receiving the tuple (PID_{y,k}, m_k, PK_k, ω_k, σ_k, T_k), the verifier checks the signature with the following steps:
Step 1. Check whether the time delay equation holds. If it holds, T_k is valid and the verifier proceeds; otherwise, it rejects the signature.
Step 3. Check whether the following equation holds.
In Kamil et al.'s CL-AS scheme, the AggregateVerify algorithm runs as follows:
(2) AggregateVerify: generally another RSU or AS acts as the verifier. On receiving a certificateless aggregate signature σ_T = (R, V) signed by n vehicles, it runs as follows:
Step 1. Check whether the timestamp T_k is valid; if not, abort; otherwise, run the following steps.
Step 3. Check whether the following equation holds. If it holds, all the signatures are accepted; otherwise, the aggregate signature is rejected.

Cryptanalysis of Kamil et al.'s CL-AS Scheme.
The security problem in the scheme proposed by Kamil et al. [6] mainly lies in the coalition attack, an attack carried out by a number of colluding vehicles. As described in Figure 1, in the coalition attack two or more vehicles secretly exchange a part of their messages, such as their locations, so that the RSU (verifier) receives the exchanged signatures and the vehicles hide their real locations and routes. The exchanged information of the colluding vehicles is thus accepted as genuine, which harms the system and may even cause a serious accident.
We describe the coalition attack on Kamil et al.'s CL-AS scheme to illustrate its security flaws.
Assume that two users {U_1, U_2} have pseudonyms {PID_{y,1}, PID_{y,2}} and messages {m_1, m_2}, respectively. We show that the two users can cooperate to generate a valid aggregate signature even though their individual signatures are invalid. They implement the coalition attack by executing the following steps.
Step 3. Then, compute the following.
Step 4. Finally, they output the signatures.
Obviously, each signature σ_i = (R_i, V_i) is not a valid individual signature. However, when the RSU or AS aggregates the signatures as σ = (R = R_1 + R_2, V = V_1 + V_2), the result is a valid aggregate signature that satisfies the following equation.
Therefore, the above analysis shows that two malicious users can collude to forge an aggregate signature. The coalition attack is essentially caused by the commutative law of addition: the aggregate check only constrains the sums, so any change that cancels out across the colluding signatures goes unnoticed. Similarly, n users can forge an aggregate signature with the same steps. Hence, Kamil et al.'s CL-AS scheme cannot resist coalition attacks.

System Model.
In this section, we describe our system model in detail. The system model is shown in Figure 2. There are four participants in total: trusted authority (TA), key generation center (KGC), road-side unit (RSU), and vehicle, divided into two layers: the upper layer includes TA and KGC, and the lower layer consists of RSUs and vehicles. Each participant is described as follows:
(1) TA: it is a fully trusted third party responsible for system initialization, user registration, system parameter generation, and system security. If necessary, it can track malicious behavior and catch malicious nodes. It also has sufficient computing power and storage capacity.

Wireless Communications and Mobile Computing
(2) KGC: it is a partially trusted party that generates partial private keys. It helps a vehicle generate its partial private key, which contributes to its privacy and security. Like the TA, it has sufficient memory, processing, and computing capabilities.
(3) RSU: it is a smart device installed at the roadside that can transmit information to TA, KGC, vehicles, or other RSUs over a secure wired connection. RSUs commonly have limited computing power and storage capacity.
(4) Vehicle: it is the main and most basic member of VANETs, generally equipped with a smart device that performs basic functions such as transmitting the vehicle's messages and performing simple calculations. Vehicles commonly have limited computing power and storage capacity.
Note that TA and KGC are functionally two completely different entities that can be deployed on a single server during deployment.

Design Requirements.
For safe communication in VANETs, security and privacy are crucial. According to the latest research in this field, a scheme proposed for VANETs must satisfy the following security requirements:
(1) Message Integrity and Authentication: an eligible vehicle should be able to check whether a message was sent and signed by a legitimate vehicle and has not been forged or modified by a malicious entity.
(2) Identity Privacy Preservation: a vehicle should remain anonymous in all circumstances, which means that other malicious entities cannot infer its identity by taking and analyzing multiple pieces of messages about it.
(3) Traceability: the TA must have the ability to trace and obtain the vehicle's real identity, even if the vehicle's identity is anonymous.
(4) Unlinkability: a potentially malicious vehicle must not be able to link two messages sent by the same vehicle, so that it cannot infer the vehicle's route from them.

Figure 2: Certificateless aggregate signature system model.

The notations used are listed in Table 1, and the algorithms are shown in Figure 3 and described as follows:
(1) Setup: given an appropriate security parameter λ, TA uses λ to generate and output param by executing the following steps:
Step 1. Select two secure primes p and q, then choose a, b ∈ F_p, which define an elliptic curve E by the equation y^2 = x^3 + ax + b mod p, where Δ = 4a^3 + 27b^2 ≠ 0 (mod p), and a generator P of the additive group G consisting of all the points on E.
Step 2. Choose α ∈ Z_q^* at random as the master secret key and compute the master public key PK_TA = α · P. KGC selects β ∈ Z_q^* at random and computes its public key PK_KGC = β · P.
Step 3. Select three secure hash functions at random.
Step 4. Store the master secret key α in a repository and keep it safe. Then publish all the system parameters.
(2) PartialPrivateKeyGeneration: this algorithm generates the vehicle's partial private key through the following steps:
Step 1. The vehicle V_i with real identity RID_i randomly selects x_i ∈ Z_q^* as its private key and computes its partial pseudo identity PID_i^1 = x_i · P. Then V_i transmits (RID_i, PID_i^1) to TA.
Step 2. After receiving the tuple, TA computes the other part of the pseudo identity PID_i^2 = RID_i ⊕ h_1(α PID_i^1 ∥ T_cur ∥ PK_TA ∥ ∇), where ∇ is the system state information [19]; then TA sends the vehicle's pseudo identity PID_i = (PID_i^1, PID_i^2, T_cur) to KGC in a secure way.
Step 3. KGC selects y_i at random, computes Q_i = y_i · P and n_i = h_2(PID_i ∥ Q_i ∥ ∇), and derives the vehicle's partial private key PPK_i = y_i + h_2(PID_i ∥ Q_i ∥ ∇) × β (mod p). Finally, KGC transmits the tuple (Q_i, PPK_i) to vehicle V_i.
(3) VehicleKeyGeneration: after receiving the partial private key PPK_i, the vehicle V_i checks whether the equation PPK_i · P = Q_i + n_i · PK_KGC holds. If it holds, the partial private key PPK_i is valid. The vehicle then randomly selects its private key ρ_i ∈ Z_q^* and computes its public key PK_{V_i} = ρ_i · P.
(4) Sign: to achieve authentication and message integrity, every message received by any entity must be signed and verified. A vehicle V_i uses its pseudo identity PID_i and picks the latest timestamp TS; the fresh timestamp protects a signed message against replay attacks. Given the signing key (PPK_i, PK_{V_i}) and a traffic-related message m_i, the vehicle V_i performs the following steps, which are repeated every 100 − 300 ms in accordance with the DSRC protocol [20]:
Step 1. Choose a random number l_i ∈ Z_q^* and compute L_i = l_i · P.
Step 2. Compute r_i = h_3(m_i ∥ PID_i ∥ ∇ ∥ PK_{V_i} ∥ L_i ∥ TS), where the timestamp TS confirms the time, and S_i = r_i l_i + ρ_i + PPK_i mod p.
Step 3. The signature on message m_i is σ = (L_i, S_i); the vehicle then transmits the signature σ together with (Q_i, PID_i, m_i, PK_{V_i}, TS) to the verifier.
(5) Verify: the verifier executes the following steps:
Step 1. Check whether TS is valid; if not, the algorithm aborts; otherwise, execute the next step.
Step 3. Check whether the following equation holds; if it holds, the RSU or other entity accepts the signature and the message; otherwise, it rejects the message.

Figure 3: The algorithm procedure.

Our Proposed CL-AS Scheme.
The Setup, PartialPrivateKeyGeneration, VehicleKeyGeneration, Sign, and Verify algorithms of the CL-AS scheme are similar to those of the proposed CLS scheme. In addition, the Aggregate and AggregateVerify algorithms are described as follows. Note that Aggregate and AggregateVerify are usually executed by the same RSU in order to transmit less data during communication.
(1) Aggregate: when an aggregator such as an RSU receives n vehicles' messages M = {m_1, m_2, ..., m_n}, signatures σ = {σ_1, σ_2, ..., σ_n}, timestamps TS = {TS_1, TS_2, ..., TS_n}, Q = {Q_1, Q_2, ..., Q_n}, public keys PK_V = {PK_{V_1}, PK_{V_2}, ..., PK_{V_n}}, L = {L_1, L_2, ..., L_n}, and pseudo identities PID = {PID_1, PID_2, ..., PID_n}, it aggregates the signatures as follows:
Step 1. Choose a random list RL = {a_1, a_2, ..., a_n}, where a_i ∈ Z_q^*, 1 ≤ i ≤ n. The random list RL was first introduced in [21, 22] and is used here to resist coalition attacks.
Step 2. Compute S = ∑_{i=1}^{n} a_i S_i and Z = ∑_{i=1}^{n} a_i (Q_i + PK_{V_i}).
(2) AggregateVerify: after aggregating the n vehicles' messages, the same RSU verifies the aggregate signature as follows:
Step 1. Check whether the timestamp list TS is valid; if not, the algorithm aborts; otherwise, it executes the next step.
Step 2. For every vehicle, calculate the following.
Step 3. Check whether the following equation holds; if it holds, the RSU or other entity accepts the signature and the messages and can transmit them to other entities; otherwise, it rejects the messages.
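The coalition attack of Subsection 4.3 and the random-list countermeasure of Step 1 above, as an added stand-alone illustration that is not the authors' code: it models the individual check and the aggregate check of the proposed CLS/CL-AS scheme, then shows that two individually invalid signatures pass a plain-sum aggregate check (all a_i = 1) but fail once the RSU applies a random list RL drawn after the signatures arrive. Assumptions: secp256k1 stands in for the paper's 160-bit curve, SHA-256 reduced modulo the group order stands in for h_2 and h_3, scalars are reduced modulo the group order rather than mod p, and the function names and the constructed values (NABLA, the pseudo identities, messages and timestamp) are illustrative only.

```python
import hashlib
import secrets

# secp256k1 parameters stand in for the paper's 160-bit curve (assumption).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
NABLA = "state-v1"  # system state information ∇ (constructed value)

def ec_add(p1, p2):
    """Point addition on y^2 = x^3 + 7 over F_P; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P  # a = 0 on secp256k1
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    # scalar multiplication by double-and-add (repeated addition, Definition 2)
    acc, k = None, k % N
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def H(*parts):
    # stand-in for h_2 / h_3: SHA-256 of the joined parts, reduced mod N
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def rand_scalar():
    return secrets.randbelow(N - 1) + 1

BETA = rand_scalar()      # KGC master secret key β
PK_KGC = ec_mul(BETA, G)  # PK_KGC = β·P

def register_vehicle(pid):
    """PartialPrivateKeyGeneration and VehicleKeyGeneration for one vehicle."""
    y, rho = rand_scalar(), rand_scalar()
    Q = ec_mul(y, G)
    n_i = H(pid, Q, NABLA)                      # n_i = h_2(PID_i ∥ Q_i ∥ ∇)
    ppk = (y + n_i * BETA) % N                  # PPK_i = y_i + n_i·β
    assert ec_mul(ppk, G) == ec_add(Q, ec_mul(n_i, PK_KGC))  # PPK_i·P = Q_i + n_i·PK_KGC
    return {"pid": pid, "Q": Q, "ppk": ppk, "rho": rho, "pk": ec_mul(rho, G)}

def sign(v, m, ts):
    """Sign: L_i = l_i·P, r_i = h_3(m ∥ PID ∥ ∇ ∥ PK ∥ L ∥ TS), S_i = r_i·l_i + ρ_i + PPK_i."""
    l = rand_scalar()
    L = ec_mul(l, G)
    r = H(m, v["pid"], NABLA, v["pk"], L, ts)
    S = (r * l + v["rho"] + v["ppk"]) % N
    return {"pid": v["pid"], "Q": v["Q"], "pk": v["pk"], "m": m, "ts": ts, "L": L, "S": S}

def rhs(sig):
    """Public side of the individual check: r_i·L_i + PK_i + Q_i + n_i·PK_KGC."""
    r = H(sig["m"], sig["pid"], NABLA, sig["pk"], sig["L"], sig["ts"])
    n_i = H(sig["pid"], sig["Q"], NABLA)
    pt = ec_mul(r, sig["L"])
    for term in (sig["pk"], sig["Q"], ec_mul(n_i, PK_KGC)):
        pt = ec_add(pt, term)
    return pt

def verify(sig):
    # individual Verify: S_i·P == r_i·L_i + PK_i + Q_i + n_i·PK_KGC
    return ec_mul(sig["S"], G) == rhs(sig)

def aggregate_verify(sigs, rl=None):
    """Aggregate check (∑ a_i·S_i)·P == ∑ a_i·rhs_i. rl=None is the plain sum
    (all a_i = 1) exploited by the coalition attack; otherwise rl is the RSU's RL."""
    if rl is None:
        rl = [1] * len(sigs)
    S = sum(a * s["S"] for a, s in zip(rl, sigs)) % N
    Z = None
    for a, s in zip(rl, sigs):
        Z = ec_add(Z, ec_mul(a, rhs(s)))
    return ec_mul(S, G) == Z

def coalition_pair(sig1, sig2):
    """Coalition attack model: two colluders shift d between their S values, so each
    signature is invalid on its own while S_1' + S_2' = S_1 + S_2 (commutativity)."""
    d = rand_scalar()
    return dict(sig1, S=(sig1["S"] + d) % N), dict(sig2, S=(sig2["S"] - d) % N)

def demo():
    # honest and colluding vehicles run through both aggregate checks
    v1, v2 = register_vehicle("PID-1"), register_vehicle("PID-2")
    s1, s2 = sign(v1, "location=3", 1000), sign(v2, "location=2", 1000)
    f1, f2 = coalition_pair(s1, s2)
    rl = [rand_scalar(), rand_scalar()]  # RL is drawn only after the signatures arrive
    return {"honest_individual": verify(s1) and verify(s2),
            "honest_aggregate_rl": aggregate_verify([s1, s2], rl),
            "forged_individual": verify(f1) or verify(f2),
            "forged_plain_sum": aggregate_verify([f1, f2]),    # accepted: the flaw
            "forged_with_rl": aggregate_verify([f1, f2], rl)}  # rejected
```

The colluders cannot cancel their shift under RL because ∑ a_i S_i' differs from ∑ a_i S_i by d(a_1 − a_2), which is zero only when a_1 = a_2 modulo the group order.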

Correctness of Individual Message Verification.
The individual verification in the proposed scheme is correct. The correctness proof is as follows:

5.6. Correctness of Aggregate Message Verification.
The aggregate verification in the proposed scheme is correct. The correctness proof is as follows:

5.7. Security Proof of the Proposed CLS Scheme.
According to Definition 3, it is extremely hard to solve the ECDLP. On this basis, we prove that our CLS scheme is unforgeable.
On the basis of Definition 4, assume that a probabilistic polynomial-time forger A_1 can forge a signature with advantage ε. Let q_{h_i} denote the number of queries to the random oracle h_i for i = 2, 3, q_GU the number of Generate-User queries, q_PPK the number of Partial-Private-Key queries, q_SK the number of Secret-Key queries, and q_S the number of Sign queries. Then a challenger C_1 can solve the ECDLP within time T ≤ 120686QT/ε, provided that ε ≥ 10(q_S + 1)(q_{h_2} + q_{h_3} + q_PPK + q_GU + q_SK + q_S)/q.
(1) Setup: C_1 chooses α and computes PK_TA = α · P, which serve as its private key and master public key. C_1 then generates the system parameters param = (P, p, q, E, G, h_1, h_2, h_3, PK_TA, PK_KGC) and transmits them to A_1.
(i) h_2 Hash Query: on receiving a query with parameters (PID_i, Q_i) from A_1, C_1 checks whether the hash list L_{h_2} contains the corresponding tuple. If not, C_1 selects a random number τ_{h_2} ∈ Z_q^* and stores it in the list L_{h_2}. It then returns τ_{h_2} = h_2(PID_i ∥ Q_i ∥ ∇) to A_1.
(ii) h_3 Hash Query: on receiving a query with parameters (m_i, PID_i, PK_{V_i}, L_i, TS) from A_1, C_1 checks whether the hash list L_{h_3} contains the corresponding tuple (m_i, PID_i, PK_{V_i}, L_i, TS, τ_{h_3}). If not, C_1 chooses a random number τ_{h_3} ∈ Z_q^* and stores the tuple (m_i, PID_i, PK_{V_i}, L_i, TS, τ_{h_3}) in the list L_{h_3}. It then returns τ_{h_3} to A_1.

(2) Partial-Private-Key Query: on receiving a query on identity PID_i from A_1, C_1 computes Q_i = y_i · P, where y_i is randomly selected, and checks whether the hash list L_{h_2} contains the corresponding tuple (PID_i, Q_i, τ_{h_2}). If so, C_1 computes PPK_i = y_i + h_2(PID_i ∥ Q_i ∥ ∇) × α mod p and transmits the partial private key PPK_i of vehicle V_i to A_1. If not, it halts.
(3) User-Generation Query: suppose that the query is on the pseudo identity $PID_i$.
(i) If the list $L$ contains the tuple $(PID_i, PK_{V_i}, \rho_i)$, $C_1$ checks whether $PK_{V_i}$ exists in it. If not, a random number $\rho_i \in \mathbb{Z}_q^*$ is selected and $C_1$ calculates $PK_{V_i} = \rho_i \cdot P$. Eventually, the challenger $C_1$ transmits $PK_{V_i}$ to $A_1$ and updates the list.
(ii) If the tuple $(PID_i, PK_{V_i}, \rho_i)$ does not exist in the list $L$, a random number $\rho_i \in \mathbb{Z}_q^*$ is chosen, $PK_{V_i} = \rho_i \cdot P$ is calculated, and $\rho_i$ is regarded as the private key. Eventually, $C_1$ transmits $PK_{V_i}$ to $A_1$ and puts the tuple $(PID_i, PK_{V_i}, \rho_i)$ into the list $L$.
(4) Private-Key Query:
(i) If the list $L$ contains the tuple $(PID_i, PK_{V_i}, \rho_i)$, $C_1$ checks whether $\rho_i$ exists in it. If not, it makes a User-Generation query to output the public key $PK_{V_i} = \rho_i \cdot P$. Eventually, the challenger $C_1$ transmits $\rho_i$ to $A_1$ and updates the list.
(ii) If the tuple $(PID_i, PK_{V_i}, \rho_i)$ does not exist in the list $L$, $C_1$ makes a User-Generation query. Eventually, $C_1$ transmits $\rho_i$ to $A_1$ and puts the tuple $(PID_i, PK_{V_i}, \rho_i)$ into the list $L$.
(5) Sign Query: after receiving a legitimate query on the message $m_i$ of pseudo identity $PID_i$, $C_1$ checks the tuple $(PID_i, Q_i, \tau_{h_2})$ in the hash list $L_{h_2}$. Hence, it can easily get the value $\tau_{h_2}$ from the tuple and select two random numbers $l_i$ and $r_i$. Then $C_1$ chooses another two random numbers $s_i$ and $n_i$. Furthermore, $C_1$ calculates $Z_i = s_i \cdot P - n_i \cdot PK_{KGC}$ and $S_i = s_i$. Eventually, it transmits $(L_i, S_i)$ to $A_1$ and puts the tuple

Theorem 7. In the random oracle model, our proposed scheme is unforgeable under adaptive chosen message attack.
Proof. Assume that an ECDLP instance $(P, Q = x \cdot P)$ is given, where $P$ and $Q$ are two points on the elliptic curve $E$, and that an adversary $A_1$ is able to forge a message $(PID_i, PK_{V_i}, m_i, TS, \sigma_i)$. We then run a game between a challenger $C_1$ and the adversary $A_1$, in which $C_1$ executes and manipulates $A_1$ to solve the ECDLP with nonnegligible probability.
We apply the forking lemma of Definition 4 to our proposed scheme. By replaying $A_1$ with the same random elements, $C_1$ succeeds in obtaining, within polynomial time, two legitimate signatures $\sigma_i = (Z_i, S_i)$ and $\sigma'_i = (L'_i, S'_i)$, where $S_i = r_i \cdot L_i + Q_i + PK_{V_i} \pmod p$ and $S'_i = t'_i \cdot L_i + Q_i + PK_{V_i} \pmod p$, by computing.
In conclusion, if $\varepsilon \ge 10(q_S + 1)(q_{h_2} + q_{h_3} + q_{PPK} + q_{GU} + q_{SK} + q_S)/q$, then $C_1$ is able to break the ECDLP within a time period shorter than $120686QT/\varepsilon$. This contradicts the hardness of the ECDLP. Therefore, our proposed CLS scheme can resist forgery attacks.

Security Proof of the Proposed CL-AS Scheme

According to Definition 3, it is extremely hard to solve the ECDLP. Therefore, we can prove that our scheme is able to enforce nonforgery. Furthermore, we will prove that our CL-AS scheme can also resist coalition attacks.
Proof. Suppose that our CL-AS scheme can be broken by a forger $A_2$. We can construct a challenger $C_2$ using the forgery algorithm $A_2$. Challenger $C_2$ executes the following steps by interacting with $A_2$.
(1) Setup: a random number $\alpha$ is selected as the master secret key, and the public key is calculated as $PK_{TA} = \alpha \cdot P$. Then the oracle simulation is ready to run. Throughout the game, $C_2$ maintains a list $L = \{PID_i, PPK_i, PK_{V_i}, \rho_i\}$ and responds to $A_2$'s oracle queries as follows.
(i) $h_2$ Query: after receiving a pseudo identity $PID_i$, $C_2$ tosses a coin $c_i \in \{0, 1\}$, where 0 has probability $\varepsilon$ and 1 has probability $1 - \varepsilon$; then $C_2$ selects Otherwise, it defines $Q_i = \omega_{1i} \cdot P$. $C_2$ puts the tuple
Then $A_2$ transmits $n$ vehicles with identities from the list $L^*_{PID} = \{PID^*_1, PID^*_2, \cdots, PID^*_n\}$, public keys from the list $L^*_{PK_V} = \{PK^*_{V_1}, PK^*_{V_2}, \cdots, PK^*_{V_n}\}$, $n$ messages $L^*_M = \{m^*_1, m^*_2, \cdots, m^*_n\}$, a random list $RL^* = \{a^*_1, a^*_2, \cdots, a^*_n\}$, and a certificateless aggregate signature $\sigma^* = (L^*, S^*)$. At the beginning, $C_2$ selects the $n$ tuples $(PID^*_i, w^*_{1i}, c^*_i, Q^*_i)$ for $i = 1, 2, \cdots, n$ in the list $L_{h_2}$ and proceeds only if $c_k = 1$ and $c_j = 0$ for $j = 1, 2, \cdots, n$, $j \ne k$. Note that the Sign oracle must not have received the tuple $(PID^*_k, PK^*_{V_k}, m^*_k)$; otherwise, $C_2$ halts and fails. This success case signifies that $Q_k = w_{1k} \cdot PK_{TA}$ and $Q_j = w_{1j} \cdot P$ for $j = 1, 2, \cdots, n$, $j \ne k$. In addition, the aggregate signature $\sigma^* = (L^*, S^*)$ is supposed to satisfy the aggregate verification equation $S \cdot P = \sum_{i=1}^{n} (a_i r_i \cdot L_i) + Z + (\sum_{i=1}^{n} a_i n_i) \cdot PK_{KGC}$. Accordingly, $C_2$ checks the tuples $(m^*_i, PID^*_i, PK^*_{V_i}, Z^*_i, w^*_{2i})$ in the list $L_{h_3}$ and the tuple $(PID^*_i, PPK^*_i, PK^*_{V_i}, \rho_i)$ from $L$. Later, it calculates $S^*_i = w^*_{1i} \cdot \alpha \bmod p$, which satisfies $S^*_i \cdot P = w^*_{1i} \cdot PK_{TA} = Q^*_i$ for $i = 1, 2, \cdots, n$, $i \ne k$. Eventually, the signature $(L'^*, S'^*)$ is a legitimate certificateless signature on message $m^*_k$ because of the following equation: Eventually, $S$ can get the signature $(L'^*, S'^*)$ as a forgery of the certificateless signature scheme. This contradicts the hardness of the ECDLP. Therefore, our proposed CLS scheme can resist forgery attacks.
Theorem 9. The proposed certificateless aggregate signature (CL-AS) scheme can resist coalition attacks.
Proof. Assume that there are two malicious vehicles $V_1$ and $V_2$ with pseudonyms $PID_1$ and $PID_2$ and messages $m_1$ and $m_2$, respectively, and that all other system parameters are published by TA and KGC. According to the description in Subsection 4.3, the two vehicles $V_1$ and $V_2$ would like to execute similar algorithms to forge valid signatures. However, our proposed scheme resists such coalition attacks; the details are as follows. To begin with, the two vehicles $V_i$ ($i \in \{1, 2\}$) pick their own private keys $\rho_i$ and calculate their corresponding public keys $PK_{V_i} = \rho_i \cdot P$. According to the algorithms in Subsection 5.7, the two malicious vehicles execute the algorithms in order but secretly exchange their $r_i L_i$, which is part of the signature. Eventually, the two vehicles transmit their messages $m_i$, signatures $\sigma_i$, timestamps $TS_i$, and pseudo identities $PID_i$ to the aggregator.
When the aggregator receives the above information, it aggregates the signatures as follows: first, choose a random list $RL = \{a_1, a_2\}$ with $a_i \in \mathbb{Z}_q^*$, $1 \le i \le n$; then calculate $S = \sum_{i=1}^{2} a_i S_i$ and $Z = \sum_{i=1}^{2} a_i (Q_i + PK_{V_i})$. Finally, the aggregator outputs the signature $\sigma = (L, S)$ and transmits $(M, \sigma, Z, RL, PID, Q, T)$ to the verifier.
In the last step, the verifier checks whether the equation $S \cdot P = \sum_{i=1}^{2} (a_i r_i \cdot L_i) + Z + (\sum_{i=1}^{n} a_i n_i) \cdot PK_{KGC}$ holds. It cannot hold, as the following expansion shows:
$$S \cdot P = (a_1 r_2 l_2 + a_1 \rho_1 + a_1 PPK_1 + a_2 r_1 l_1 + a_2 \rho_2 + a_2 PPK_2) \cdot P = a_1 r_2 \cdot L_2 + a_1 \cdot PK_{V_1} + a_1 \cdot Q_1 + a_1 n_1 \cdot PK_{KGC} + a_2 r_1 \cdot L_1 + a_2 \cdot PK_{V_2} + a_2 \cdot Q_2 + a_2 n_2 \cdot PK_{KGC} = a_1 r_2 \cdot L_2 + a_2$$
One can see that the random list plays an important role in resisting coalition attacks. The two-vehicle case extends to $n$ vehicles with exactly the same method and algorithm, which proves that our proposed certificateless aggregate signature (CL-AS) scheme can resist coalition attacks.

6. Performance and Security Analysis
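The argument of Theorem 9 (and the random-list point in the security analysis below) can be checked concretely. The following Python script is an added example, not code from the paper: it implements the signing, individual verification and weighted aggregate verification equations above over a constructed toy group (the order-509 subgroup of $\mathbb{Z}_{1019}^*$, standing in for the ECC group, with modular exponentiation in place of scalar multiplication), assumes a single master key shared by TA and KGC, and stages two colluders who swap the $r_i l_i$ terms of their signatures; the function names are mine, and it returns whether each swapped signature verifies individually, whether the unweighted aggregate (all $a_i = 1$) verifies, and whether the aggregate with a random list $RL$ verifies.

```python
import hashlib, secrets
# Constructed toy group: the order-q subgroup of Z_p^* with p = 2q+1 = 1019 (safe prime)
# stands in for the paper's ECC group; scalar multiplication becomes modular exponentiation.
P_MOD, Q_ORD, G, TS = 1019, 509, 4, 1   # toy sizes and a fixed timestamp: no security

def H(*parts):                     # stand-in for h2/h3: hash a tuple into Z_q^*
    data = "|".join(map(str, parts)).encode()
    return 1 + int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q_ORD - 1)

def rnd():                         # random element of Z_q^*
    return 1 + secrets.randbelow(Q_ORD - 1)

ALPHA = rnd(); PK_KGC = pow(G, ALPHA, P_MOD)   # master key (assumed: one key for TA/KGC)
def keygen(pid):
    y, rho = rnd(), rnd()
    Q, PK_V = pow(G, y, P_MOD), pow(G, rho, P_MOD)
    n = H(pid, Q)                  # n_i = h2(PID_i || Q_i || ...)
    return dict(pid=pid, Q=Q, PK_V=PK_V, rho=rho, PPK=(y + n * ALPHA) % Q_ORD)

def sign(v, m):                    # returns (L_i, S_i, r_i*l_i); the last is what colluders swap
    l = rnd(); L = pow(G, l, P_MOD)
    r = H(m, v["pid"], v["PK_V"], L, TS)
    return L, (r * l + v["rho"] + v["PPK"]) % Q_ORD, r * l % Q_ORD

def verify(v, m, L, S):            # S_i·P == r_i·L_i + PK_V_i + Q_i + n_i·PK_KGC
    r, n = H(m, v["pid"], v["PK_V"], L, TS), H(v["pid"], v["Q"])
    rhs = pow(L, r, P_MOD) * v["PK_V"] * v["Q"] * pow(PK_KGC, n, P_MOD) % P_MOD
    return pow(G, S, P_MOD) == rhs

def agg_verify(vs, ms, sigs, a):   # S·P == Σ a_i r_i·L_i + Z + (Σ a_i n_i)·PK_KGC
    S = sum(ai * s for ai, (_, s) in zip(a, sigs)) % Q_ORD
    rhs, nsum = 1, 0
    for v, m, (L, _), ai in zip(vs, ms, sigs, a):
        r, n = H(m, v["pid"], v["PK_V"], L, TS), H(v["pid"], v["Q"])
        rhs = rhs * pow(L, ai * r, P_MOD) * pow(v["Q"] * v["PK_V"], ai, P_MOD) % P_MOD
        nsum += ai * n
    return pow(G, S, P_MOD) == rhs * pow(PK_KGC, nsum, P_MOD) % P_MOD

def coalition_demo():
    # Colluders swap their r_i*l_i terms (Theorem 9); returns the four verification outcomes.
    v1, v2 = keygen("PID1"), keygen("PID2")
    (L1, S1, t1), (L2, S2, t2) = sign(v1, "m1"), sign(v2, "m2")
    while t1 == t2:                # retry: the swap only changes anything if the terms differ
        L2, S2, t2 = sign(v2, "m2")
    S1, S2 = (S1 - t1 + t2) % Q_ORD, (S2 - t2 + t1) % Q_ORD   # individually invalid now
    vs, ms, sigs = [v1, v2], ["m1", "m2"], [(L1, S1), (L2, S2)]
    a1, a2 = rnd(), rnd()
    while a1 == a2: a2 = rnd()     # RL defeats the swap whenever a_1 != a_2 (mod q)
    return (verify(v1, "m1", L1, S1), verify(v2, "m2", L2, S2),
            agg_verify(vs, ms, sigs, [1, 1]), agg_verify(vs, ms, sigs, [a1, a2]))
```

`coalition_demo()` returns `(False, False, True, False)`: the swapped signatures fail individually, pass an unweighted aggregate check because the swapped terms cancel in the sum, and fail once the weights differ, since the mismatch is $(a_1 - a_2)(r_2 l_2 - r_1 l_1) \cdot P$, which vanishes only when $a_1 \equiv a_2 \pmod q$.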

6.1. Security Analysis
(1) Traceability: in the proposed scheme, only TA knows the real identity of a given vehicle. After the pseudo identity $PID_i = (PID_{1i}, PID_{2i}, T_{cur})$ is submitted, TA can easily trace back to the vehicle's real identity $RID_i$ in accordance with the equation $i \| T_{cur} \| PK_{TA} \| \nabla)$. Therefore, according to the RID list $(RID_i, PID_{1i})$, TA can trace back to the vehicle $V_i$ and even revoke it.
(2) Message integrity and authentication: according to Definition 3, the ECDLP is hard, so no polynomial-time adversary can forge a valid message. The verifier checks the validity and integrity of the message $(Q_i, PID_i, PK_{V_i}, m_i, TS, \sigma_i)$ by verifying whether the equation $S_i \cdot P = r_i L_i + PK_{V_i} + Q_i + n_i \cdot PK_{KGC}$ holds. Therefore, our proposed scheme for VANETs provides message authentication and integrity.
(3) Resistance to replay attacks: the proposed scheme resists replay attacks because the tuple $(Q_i, PID_i, PK_{V_i}, m_i, TS, \sigma_i)$ includes the timestamp $TS$. RSUs and other vehicles check the validity of the signature, including its timestamp, so they are able to detect a replayed message. Hence, our proposed scheme for VANETs can resist replay attacks.
(4) Resistance to coalition attacks: our proposed scheme resists coalition attacks because we improve the signature generation process. Specifically, we choose a random list to change the ratio in the equation $S = \sum_{i=1}^{n} a_i S_i$. Our scheme uses this method to resist coalition attacks.

6.2. Performance Analysis

In this section, we discuss the performance of the proposed scheme and related schemes and make a detailed comparison. We adopt the following method of computation evaluation. The bilinear pairing at the 80-bit security level is constructed as $e: G_1 \times G_2 \to G_T$, where $G_1$ is an additive group generated by a point $P$ of order $q$ on a supersingular elliptic curve $E: y^2 = x^3 + x \bmod p$ with embedding degree 2, $p$ is a 512-bit prime, and $q$ is a 160-bit prime [25]. The ECC at the 80-bit security level is constructed as follows: $G$ is an additive group of order $q$ generated on a nonsingular elliptic curve $E: y^2 = x^3 + ax + b \bmod p$, where $p, q$ are 160-bit primes and $a, b \in \mathbb{Z}_q^*$. The experiment is conducted using the well-known Python cryptographic library PyCryptodome on a desktop with an Intel i5-9400 @ 2.90 GHz processor and 16 GB of memory running the Windows 10 operating system. The notations of the cryptographic operations used in this paper and their running times are given in Table 2. Table 3 summarizes the computation costs of signing a message, verifying a single message, and verifying $n$ messages.
The schemes in [13, 24] use bilinear pairing, which significantly increases their operation time. By contrast, the other four schemes [6, 12, 17, 23] do not use bilinear pairing, which substantially reduces computation time.
In our scheme, $L_i = l_i \cdot P$ requires one scalar multiplication in ECC, and the calculation of $r_i$ requires one one-way hash function evaluation during the individual signing process. In individual verification, we use three scalar multiplications for $S_i \cdot P$, $r_i \cdot L_i$, and $n_i \cdot PK_{KGC}$, three additions, and two one-way hash function evaluations for the calculation of $r_i$ and $n_i$. In the aggregate verification process, we use $n + 2$ scalar multiplications for $\sum_{i=1}^{n} a_i r_i \cdot L_i$, $S \cdot P$, and $\sum_{i=1}^{n} a_i n_i \cdot PK_{KGC}$, two additions, and $2n$ one-way hash function evaluations for the $n_i$ and $r_i$. By comparison, our scheme has low time complexity and high efficiency. In addition, our scheme resists coalition attacks, a security feature that none of the other schemes provides.
We use the data in Table 3 to generate three figures, which intuitively compare the related schemes with ours. From Figures 4(a)-4(c), we conclude that our scheme has considerably lower delay in the signing and verification procedures, which reveals its much higher efficiency.

Conclusion
Since real application scenarios of VANETs require high efficiency, an efficient certificateless-based anonymous authentication and aggregate signature scheme is proposed. The proposed CLS and its improved scheme CL-AS are appropriate for VANETs according to our analysis and testing. In addition, there is still work to do in the future, such as the low efficiency caused by illegitimate signatures in the aggregate verification process.

Data Availability
The proposed algorithm and its comparison rely on theoretical analysis. No additional test data sets are required in this paper.

Conflicts of Interest
The authors declare that they have no conflicts of interest.