CLASRM: A Lightweight and Secure Certificateless Aggregate Signature Scheme with Revocation Mechanism for 5G-Enabled Vehicular Networks

The rapid deployment of 5G technology has further strengthened the large-scale interconnection between sensing devices and systems and promoted the rapid development of smart cities and intelligent transportation systems. 5G-enabled vehicular networks take advantage of cellular vehicle-to-everything (C-V2X) technology to achieve the connection between moving vehicles, between vehicles and infrastructure, and between vehicles and the cloud, which can reduce the possibility of tra ﬃ c jams and accidents, improve transportation e ﬃ ciency, and realize automatic driving. Besides, 5G-enabled vehicular networks also provide infotainment services and industry application services. High-strength data transmission, however, will bring a serious burden of resource overhead, and there are hidden dangers of security and privacy in the communication process of vehicular networks. Some current vehicular network authentication schemes adopt public key infrastructure-based (PKI-based) and identity-based authentication methods to achieve conditional privacy preservation. Still, these schemes are too expensive and cannot address the problems of costly certi ﬁ cate management or risky key escrow. Some schemes use computationally complex bilinear pairing operations that result in low e ﬃ ciency and do not consider the revocation of malicious nodes so that they cannot e ﬀ ectively prevent further malicious attacks. This paper proposes a lightweight certi ﬁ cateless aggregate signature (CLAS) scheme with a revocation mechanism suitable for 5G-enabled vehicular networks in response to the above problems. Our proposed scheme uses aggregation signature technology to aggregate multiple signatures into a single short signature, thus reducing communication overhead and storage overhead of road side units (RSUs). Furthermore, our proposed scheme utilizes the elliptic curve cryptography (ECC) to reduce veri ﬁ cation time and computational overhead. Moreover, in order to prevent malicious users from sending invalid signatures to attack, our proposed scheme uses binary search to identify invalid signatures and introduces a cuckoo ﬁ lter to revoke malicious users to prevent reattack. Finally, formal proof and experimental analysis show that our proposed scheme has greater advantages with respect to security and e ﬃ ciency compared with the previous schemes. impersonation


Introduction
The large-scale commercial deployment of 5G technology has brought richer application scenarios, promoted the rapid development of smart cities and intelligent transportation systems, and provided more convenience for our lives and work. As an emerging communication technology, 5G enables higher data transmission rate and lower latency and supports direct communication between device-to-device (D2D). Simultaneously, as a crucial part of the smart city sensing system, the rapid development of intelligent sensing technology also makes innovative applications based on the Internet of Vehicles (IoVs) emerged in an endless stream. The traditional vehicular ad hoc networks (VANETs) primarily make use of the dedicated short range communication (DSRC) standard for vehicle-to-vehicle (V2V) communication and vehicle-to-infrastructure (V2I) communication. However, some studies have shown that the DSRC standard has a high probability of collision [1][2][3], especially at higher vehicle density. Moreover, the DSRC standard also has defects in scalability, mobility, and latency, so that it cannot be well suited for delay-sensitive vehicle-to-everything (V2X) applications. Intelligent transportation systems and autonomous driving technologies put forward more stringent requirements on system performance such as communication rate, delay, and reliability of the IoVs. Therefore, C-V2X based on 5G communication technology that can provide low-latency and high-reliability V2X communication capabilities is proposed [4]. Multiple vehicles with intelligent sensing devices make use of C-V2X communication technology to jointly build 5G-enabled vehicular networks to provide a variety of V2X services and applications. For example, vehicles equipped with on-board units (OBUs) can communicate with adjacent vehicles and can also communicate with the RSUs to share information related to road safety and industrial applications. Then, vehicles and RSUs use the emergency and beacon information to make decisions in a timely manner to achieve intelligent driving assistance and reduce the possibility of traffic jams and accidents. In addition, vehicles can also collect sensing information in real time and send it to the cloud to provide services such as environmental monitoring and accident reporting, which realize vehicle-to-network (V2N) communication. Therefore, in order to provide high-quality applications and services, it is necessary to ensure the security and reliable connection of the IoVs.
In 5G-enabled vehicular networks, due to the openness and vulnerability of wireless channels, attackers can intercept, forge, and modify information through malicious means and even inject false information to cause vehicles to change lane or accelerate, which will cause unpredictable consequences [5]. Therefore, in 5G-enabled vehicular networks, the primary problem is how to ensure security of message transmission and exchange. It is not only necessary to authenticate identity of each message sender but also to check the integrity of the message, etc. Secondly, attackers can also obtain sensitive information such as the vehicles' trajectory through analysing the information sent by vehicles and then carry out some criminal acts, thereby reducing the enthusiasm of vehicles to join the IoVs [6]. Therefore, privacy leakage of vehicles is also a problem that must be solved. A pseudonym can be used to replace the vehicle's real identity for communication to ensure privacy and unlinkability. Moreover, a trusted third party that stores the vehicle's real identity is also needed to trace the anonymous vehicle and revoke its identity. Some conditional privacy-preserving authentication schemes have been surveyed [7][8][9][10]. Among them, two authentication schemes based on PKI have been proposed [7,8] to meet security and privacy requirements. However, due to the large number of certificates that needs to be stored and the limited storage capacity of vehicles or RSUs, it is challenging to meet the requirements of PKI-based authentication mechanisms. Besides, in order to alleviate the problem of public key certificate management in PKI-based authentication schemes, many identity-based authentication schemes for VANETs have been proposed [9,10] to realize conditional privacy preservation. However, once the private key generated by the private key generation centre is leaked, the problem of risky key escrow will appear. Fortunately, the certificateless signature (CLS) scheme can solve the above two problems well while retaining the advantages of the identity-based authentication mechanism [11][12][13].
There are also many resource-constrained devices in 5Genabled vehicular networks. Large-scale communication between vehicles will place a severe burden on these devices. Therefore, the communication, computing, storage, and other overhead in IoVs are also worthy of our attention. Using aggregate signature or batch verification can reduce overhead so as to improve authentication efficiency and overcome the delay-sensitive problem [14]. Some schemes using bilinear pairing operations have been proposed [15][16][17], but these schemes incur huge computational overhead and low efficiency of message signing and verification. Therefore, these schemes cannot meet the applications requirements of low latency in 5G-enabled vehicular networks. Recently, Cui et al. [18] proposed a message authentication framework based on reputation score for delay-sensitive 5G-enabled vehicular networks, in which vehicles with poor reputation value cannot communicate with other vehicles. Moreover, Cui et al. [18] proposed an authentication scheme based on ECC, which supports batch authentication to reduce computational overhead. Taha and Shen [19] proposed a vehicular clustering algorithm based on speed, location, and signal strength and proposed a group authentication scheme for 5G scenarios to reduce the computational overhead of handover authentication. The above two schemes are both efficient and feasible, but they do not solve the problems of how to reduce communication overhead and how to revoke malicious users.
Therefore, in 5G-enabled vehicular networks, in order to achieve efficient communication between large-scale vehicles and to meet the requirements of security and privacy preservation, this paper proposes a CLAS scheme with revocation mechanism for 5G-enabled vehicular networks. The main contributions of this paper are summarized as below.
(1) In order to reduce the computational overhead, we propose a CLAS scheme based on ECC without using computationally complex bilinear pairing operations and map to point hash functions. When many vehicles send a large number of messages with signatures to the RSUs, there is huge communication overhead and storage overhead. To solve this problem, we utilize the aggregate signature technology to aggregate multiple signatures into a single short signature and verify it once (2) In order to prevent malicious vehicles from influencing the aggregation verification and interfering with the normal communication of vehicles by inserting invalid signatures into the aggregation signatures, we make use of binary search to identify invalid signatures and take advantage of a cuckoo filter to construct a revocation mechanism to prevent malicious vehicles from attacking again. In order to prevent information injection attacks that often appear in 2 Wireless Communications and Mobile Computing 5G-enabled vehicular networks, the method with a random vector is used to ensure security in the signature aggregation phase (3) Formal proof and security analysis can prove that the proposed CLAS scheme can meet the security and privacy preservation requirements in efficient communication. In addition, experimental results indicate that the proposed CLAS scheme has a particular improvement in computing and communication efficiency compared with the previous schemes The organization of this paper is summarized as follows. We review related work in Section 2. We introduce background knowledge in Section 3. Section 4 describes the proposed CLAS scheme in detail. In Section 5, we give the formal proof and security requirements analysis of the proposed CLAS scheme. In Section 6, we compare our proposed scheme with other schemes in detail in terms of performance. Section 7 concludes this paper.

Related Work
This section will introduce the authentication schemes in traditional VANETs and the security protection methods applied to 5G-enabled vehicular networks, respectively.
At present, a variety of traditional PKI-based authentication schemes have been proposed [7,8]. However, as the number of users increases, a large number of public key certificates will lead to a gradual increase in storage and communication overhead. In 1984, Shamir [20] proposed the identity-based public key cryptography (ID-PKC), which solved the problems existing in the use of certificates in traditional PKI-based schemes and reduced the overhead of certificate management. Although many identity-based authentication schemes have been proposed [20], it still cannot solve the key escrow problem. In these schemes, it is assumed that all users must completely trust the key generation centre (KGC), but this assumption is too ideal to be adopted practically in many applications.
Al-Riyami and Paterson [21] proposed an authentication scheme based on the certificateless public key cryptography (CL-PKC) in 2003, in which the user's private key is a combination of the partial private key generated by the KGC and the secret value generated by the user. After that, many CLS schemes and security models based on CL-PKC have been proposed [22][23][24]. Huang et al. [24] proved that the CLS scheme proposed in [21] could not resist the public key replacement attack and further proposed an improved CLS scheme. Subsequently, Yum and Lee [22] introduced a general CLS framework. However, the above solutions still have problems in terms of efficiency and are not suitable for the low-latency requirements of 5G-enabled vehicular networks.
Boneh et al. [14] first proposed the concept of aggregate signature in 2003. The aggregation signature technology can aggregate n signatures of n messages from n users into a single short signature to reduce the signature length and the authentication burden of RSUs. The validity of the aggregate signature is guaranteed by verifying the validity of each sig-nature involved in the aggregate signature. Batch verification technology is also considered to be an effective method to improve verification efficiency. With this technique, multiple signatures from different signers of different messages can be verified at once. Subsequently, many CLAS schemes applied to VANETs have been proposed. In 2018, Cui et al. [25] proposed a CLAS scheme based on ECC, which has the advantages of certificateless public key cryptography and aggregate signature. This scheme can achieve trade-off between privacy preservation and traceability, and the security of the proposed scheme is proved by the random oracle model (ROM). Gayathri et al. [11] and Bayat et al. [12] proposed some effective CLS schemes for VANETs with batch verification. Unfortunately, Li and Zhang [13] found that the scheme proposed by Bayat et al. was insecure in their security model and proposed an improved scheme. In 2019, Kamil and Ogundoyin [26] proved that the CLS and CLAS schemes proposed by Cui et al. [25] were not secure against Adv II adversary in the ROM and proposed an improved CLAS scheme for VANETs. Subsequently, Zhao et al. [27] proved that the scheme proposed by Kamil and Ogundoyin [26] could not resist Adv I and Adv II adversaries and proposed an improved CLAS scheme based on ECC. However, Thumbur et al. [28] pointed out that the construction of the CLS scheme [27] was incorrect in 2020. Zhong et al. [29] also proposed a privacy-preserving authentication scheme that realized full aggregation in VANETs, in which the length of the aggregate signature was kept constant, reducing communication and storage overhead. However, Kamil and Ogundoyin [30] proved that the scheme [29] was not secure in the standard security model by designing two specific attacks in 2020. Then, they modified the signature, verification, and aggregation verification algorithms [29] to make it more secure and effective. In 2020, Ren et al. [15] and Ali et al. [16], respectively, designed a CLS scheme with batch verification for V2I secure communication in VANETs using blockchain technology. Ali et al. [16] also proposed an efficient CLAS scheme based on bilinear pairing, which took advantage of the immutability and openness of blockchain and could verify whether the identities of all vehicles in VANETs was legitimate. Recently, Mei et al. [17] proposed an effective CLAS scheme with conditional privacy preservation, which used full aggregation technology to reduce bandwidth resources and computational overhead. However, since these schemes [15-17, 29, 30] are all implemented based on bilinear pairing, the process of signing and verifying has a lot of overhead.
With the arrival of the 5G era, the research on security and privacy preservation methods in 5G-enabled vehicular networks is gradually started [2,3,18,19,31,32]. Eiza et al. [3] proposed a novel system model for 5G-enabled vehicular networks, which provided a reliable and secure real-time video reporting service, and also proposed a realtime video reporting service protocol that met security and privacy preservation requirements. Similarly, Zhang et al. [2] also proposed an authentication scheme based on edge computing, which used edge computing vehicles to realize communication and verification between vehicles without the participation of RSUs. Recently, Cui et al. [31] proposed 3 Wireless Communications and Mobile Computing a reliable and efficient content sharing scheme for 5Genabled vehicular networks. Wang et al. [32] proposed a hybrid D2D message authentication scheme for 5Genabled vehicular networks.

Preliminaries
This section first introduces the theoretical basis of our proposed scheme. ECC and cuckoo filter are important components of the proposed CLAS scheme, in which ECC can ensure the efficient performance and security of the system, while the cuckoo filter has an efficient search feature to find malicious user quickly. After that, the system model and the authentication process are described. Then, the basic framework and execution process of the general CLAS scheme are given. Besides, the threat model elaborates the assumption conditions, attack model, and adversary model. Finally, the design goals are summarized.
3.1. ECC. ECC is widely used in the design of cryptographic protocols and security schemes because of its higher computational efficiency and communication efficiency.
Suppose that a finite field F p is defined over a large prime p and an elliptic curve E defined over the field F p is the set of solutions ðx, yÞ to the equation E : where a, b ∈ F p , ðx, yÞ ∈ F p * F p , and ð4a 3 + 27b 2 Þ mod p ≠ 0. Therefore, the elliptic curve E is the set of such solutions together with a point at infinity O, where O is identity element, and the points of E form a finite Abelian group. Here, p and E are fixed and publicly known. Furthermore, suppose that P ∈ E is a fixed and publicly know point, and G p is an additive group whose order is a large prime q and whose generator is P. Therefore, G p is a finite cyclic subgroup on the elliptic curve E. A brief description of the two difficult problems of ECC is as follows.
(1) Elliptic curve discrete logarithm problem (ECDLP): for any given two random points P, Q ∈ G p , where x ∈ ½0::q − 1 is unknown and Q = xP is known, it is hard to compute x in polynomial time with nonnegligible probability (2) Computational Diffie-Hellman problem (CDHP): for any given two random points aP, bP ∈ G p , where a, b ∈ ½0::q − 1 are unknown, it is hard to computer Q = abP, Q ∈ G p in polynomial time with nonnegligible probability The security of ECC is based on the difficulties of the ECDLP and CDHP.

Cuckoo Filter.
A cuckoo filter is a compact variant of a cuckoo hash table and a probabilistic data structure for approximate set membership tests. It only stores fingerprints for each item inserted, supports dynamic addition and deletion of items, and provides higher lookup performance compared to standard Bloom filters without incurring higher overhead in space and performance. Therefore, cuckoo filter is suitable for applications that store many items and aim for low false-positive rates [33].
The cuckoo filter uses two hash functions h 1 ðxÞ and h 2 ðxÞ to insert a new item x into a hash table. If one of x ' s two locations is empty, then the algorithm just puts x in there. But if both are full, the algorithm randomly selects one of them, kicks out the existing item, and puts x in there. At the same time, the kicked item is put to its own alternate location. The insertion operation of the cuckoo filter is shown in Figure 1 3.3. System Model. As shown in Figure 2, the system model of 5G-enabled vehicular networks mainly consists of four entities: trusted authority (TA), application server (AS), RSUs (i.e., 5G-RSUs or 5G-BSs), and vehicles, and they communicate with each other via C-V2X. The system model can be divided into two layers, in which the upper network is composed of TA and AS and the lower network is composed of RSUs and vehicles equipped with OBUs.
TA: TA includes a KGC and a trace authority (TRA). TA uses secure wired channels to communicate with other facilities and is mainly responsible for initializing system parameters for each registered vehicle and RSU in 5G-enabled vehicular networks. TA can also conditionally trace and revoke malicious vehicles to meet the requirements of security and privacy preservation. KGC is responsible for generating a partial private key for each vehicle, while TRA is responsible for generating a pseudonym for each vehicle and can trace the vehicle's real identity through the pseudo identity of the vehicle. TA's executive agency is generally the government's traffic management centre (TMC) AS: AS is an application server with strong computing and storage capabilities. AS uses secure wired channels to communicate with other facilities and is mainly responsible for providing large-scale computing and storage services for 5G-enabled vehicular networks to collect and analyse traffic-related data RSUs: RSUs are located on both sides of the road and generally include 5G base stations and road side units. RSUs use V2I communication mode to receive and transmit vehicles' information. RSUs can also communicate with TA and AS using secure wired channels. Therefore, RSUs have the ability to store and forward data and cooperate with vehicles for data analysis. Moreover, RSUs also check the integrity and authenticity of the messages to fulfil security requirements Vehicles: vehicles are the main carrier for collecting driving data and sensing information in vehicular networks. Vehicles can use V2V communication mode to exchange information with adjacent vehicles and can also use V2N communication mode to communicate with TA and AS When vehicles join vehicular networks, TA initializes system parameters so that each vehicle can be assigned a pseudo identity and a corresponding public and private key pair. The vehicle must sign each message before sending it. After receiving the message signature pair, the RSU needs to verify the signature to ensure the authenticity of the 4 Wireless Communications and Mobile Computing signature and the integrity of the message. When the RSU receives a large number of traffic-related messages, the messages are aggregated, and the messages and signatures are sent to AS for verification and analysis. Finally, AS feeds back the results of authentication and analysis to the TA for further processing.

System
Framework. Generally, the CLAS scheme consist of the following algorithms [11,25]. According to the over-view of our proposed scheme, the process of each algorithm is roughly described as follows: (1) System initialization: according to the security parameter λ input by the system, TA generates an elliptic curve E, master secret keys x and s, system public keys K pub and T pub , and system parameters params, respectively. TA broadcasts system parameters params and keeps the master secret keys x and s

Wireless Communications and Mobile Computing
(2) Pseudo identity generation: vehicle V i sends its real identity RID i and its partial pseudo identity PID i,1 to TRA. TRA verifies the authenticity of the vehicle's real identity RID i and generates pseudonym PID i and then sends it to KGC and vehicle V i (3) Partial private key generation: KGC takes system parameters params, master secret key x, and a vehicle's pseudo identity PID i as input, returns vehicle's partial private key ppk i , and sends it to the vehicle V i over a secure channel (4) Vehicle key generation: vehicle V i takes its pseudo identity PID i , partial private key ppk i , state information ∇, and system parameters params as input and outputs a private key vsk i , a public key vpk i , a full public key PK i , and a full private key sk i (5) Individual signature generation: this algorithm is performed by each vehicle V i that takes state information ∇, its pseudo identity PID i and a message M i as input and responds with a signature σ i as output (6) Individual signature verification: this is an algorithm performed by a verifier, such as an RSU, that uses system parameters params, pseudo identity PID i , message M i , and signature σ i to verify the validity of the signature σ i (7) Signature aggregation: this is an algorithm performed by an aggregate signature generator, such as an RSU, that aggregates n signatures σ i of n messages M i from n users V i into a single short aggregate signature σ and send it to AS (8) Aggregate signature verification: this algorithm is performed by AS for verifying the validity of the aggregate signature σ. It takes system parameters p arams, n pseudo identities fPID 1 , PID 2 , ‥‥PID n g, n messages fM 1 , M 2 , ‥‥M n g, and the aggregate signature σ as input and outputs true if the aggregate signature σ is valid and false otherwise Based on the above algorithm process, the execution flow of our proposed scheme is shown in Figure 3.

Threat
Model. The proposed CLAS scheme has the following assumptions: (1) TA and AS are fully trusted, independent, and reliable entities with sufficient storage and computation capabilities (2) Each RSU is an honest-but-curious entity with slightly less storage and computation capabilities than TA and AS and provides good network coverage and ultrafast information transmission speed (3) Each vehicle is an untrusted entity, equipped with an OBU with limited storage and computation capabilities and equipped with a tamper proof device (TPD) to protect absolute data security In order to prove that our proposed CLAS scheme is not existentially forgeable against adaptive chosen-message attack in ROM, we define two types of adversaries which are similar to these schemes [10,12,13,34]. Type 1. A 1 adversary is an external adversary who has the ability to launch a public key replacement attack but cannot obtain the master secret key or the partial private key Type 2. A 2 adversary represents a malicious-but-passive internal attacker who can access the master secret key and the partial private key but cannot replace any user's public key We consider two games played by a challenger C and an adversary A ∈ fA 1 , A 2 g to define the security of our proposed scheme.
The adversary A can query the following oracles. Create Vehicle ðIDÞ. When receiving a query from A, C takes a vehicle's identity ID as input, calculates vpk i , and sends it to A Partial Private Key ðIDÞ. When receiving the partial private key query for a vehicle whose identity is ID from A, C sends ppk i to A Public Key ðIDÞ. When A requests C for the public key of a vehicle whose identity is ID, C calculates PK i and sends it to A Secret Key ðIDÞ. Given a vehicle whose identity is ID, the oracle sends vsk i to A Replace Public KeyðID, PK i * Þ. When receiving this query from A, C replaces the public key PK i with PK i * Sign ðID, M i Þ. When receiving a message M i from a vehicle whose identity is ID, C calculates a certificateless signature σ i and sends it to A 3.6. Security and Privacy Requirements. Considering that 5G-enabled vehicular networks must meet the requirements of security, efficiency, and privacy protection, the proposed CLAS scheme needs to satisfy the security and privacy requirements described as follows: Message integrity and authentication: in 5G-enabled vehicular networks, when an RSU receives a signature and message sent by a vehicle, it must verify the authenticity and integrity of the message to ensure the legitimacy of the vehicle and to ensure that the message has not been tampered with, impersonated, or forged by a malicious attacker Privacy preserving: during the authentication process for 5G-enabled vehicular networks, vehicles are not allowed to communicate using their real identities and must use pseudonyms Traceability and revocability: when vehicles communicate with pseudonyms, they are likely to be attacked by malicious vehicles. Therefore, TRA must have the ability to obtain the real identity of the malicious vehicle in order to trace its malicious act, as well as put in place certain mechanisms for management, such as revoking the malicious vehicle Unlinkability: an attacker must not be able to infer a vehicle from multiple messages sent by the same vehicle by cross-linking Resistance to various attacks: 5G-enabled vehicular networks are vulnerable, so the proposed CLAS scheme must have the ability to resist various general attacks, such as 6 Wireless Communications and Mobile Computing impersonation attacks, replay attacks, modification attacks, and information injection attacks

The Proposed CLAS Scheme
In this section, we propose an efficient and secure CLAS scheme, which is implemented without bilinear pairing and map to point hash operations. Moreover, when the aggregate signature is verified to be invalid, the proposed CLAS scheme uses binary search to identify invalid signatures and introduces a cuckoo filter to revoke malicious vehicles to prevent the attack again. In addition, the proposed CLAS scheme also uses a random vector to resist information injection attacks. This scheme includes eleven phases: system initialization, pseudo identity generation, vehicle registration, partial private key generation, vehicle key generation, individual signature generation, individual signature verification, signature aggregation, aggregate signature verification, invalid signature identification, and malicious vehicle revocation. The main symbols and description used in this scheme are shown in Table 1.
The detailed implement process of each phase of the proposed CLAS scheme is described as follows.
(i) System initialization: in this phase, KGC and TRA initialize system parameters for RSUs and vehicles (1) According to the security parameter λ, KGC selects two large prime numbers p, q, respectively, and generates an elliptic curve E :   order q from P. TRA also selects a point P on the elliptic curve E as its random generator and generates a group G with order q from P (3) KGC selects a random number x ∈ Z * q from the finite field as its master private key, which is used to extract the partial private key ppk i . Then, it calculates the corresponding public key K pub = x · P, where x is only known by KGC (4) TRA selects a random number s ∈ Z * q as its master private key for traceability and calculates the system public key T pub = s · P, where s is only known by TRA (5) KGC and TRA choose four secure hash functions: (6) KGC and TRA keep the master secrets key x and s and issue the system parameters: Any vehicle that has successfully registered with the TA can access the system parameters via a secure channel and store them in its TPD. Similarly, any RSU can also access the system parameters after successful registration.
(ii) Pseudo identity generation: in this phase, TRA works with vehicles to generate pseudo identities for vehicles to conditionally preserve their privacy, which allows them to send messages anonymously (1) The vehicle V i with its real identity RID i picks a random number ξ i ∈ Z * q to calculate the its partial pseudo identity PID i,1 = ξ i · P, and The vehicle V i then sends fPID i,1 , A i g securely to TRA.
(2) When TRA receives the tuple fPID i,1 , A i g from the vehicle V i , it first checks whether is valid or not. If the identity of the vehicle V i fails, the TRA will discard the tuple; otherwise, it will calculate and generate the vehicle's pseudo identity PID i = fPID i,1 , P ID i,2 , VP i g, where VP i is the valid period of the vehicle's pseudo identity. Finally, TRA sends PID i to KGC and the vehicle V i through a secure channel (iii) Vehicle registration: after receiving the pseudo identity PID i , the vehicle V i stores it in its TPD and then communicates with other entities using the pseudo identity PID i in 5G-enabled vehicular networks.
To preserve vehicle's privacy and trace malicious vehicle, TRA stores both the real identity RID i and the pseudo identity PID i of the vehicle V i . Once a vehicle or RSU reports a malicious vehicle, TRA can obtain the real identity of the vehicle from the vehicle's pseudo identity according to the master private key, and TRA inserts the malicious vehicle's pseudo identity PID i into the negative cuckoo filter (RPID-cuckoo) to revoke it (iv) Partial private key generation: in this phase, KGC generates a partial private key based on the received pseudo identity of the vehicle. The preload method is also used to store the pseudo identities of the vehicle and the partial private keys of the vehicle and to reload when them needs to be updated (1) After receiving the pseudo identity PID i of the vehicle V i , KGC checks the validity of the VP i in PID i and queries the RPID-cuckoo filter to ensure that the pseudo identity of the vehicle has not been revoked by the TRA (2) If the pseudo identity has not expired and the vehicle has not been revoked, KGC chooses a random number u i ∈ Z * q to calculate U i = u i · P, h 2i = h 2 ðPID i kK pub k paramsÞ and creates a partial private key ppk i = u i + xh 2i ðmod qÞ for the vehicle V i (v) Vehicle key generation: in this phase, the vehicle generates a partial public/private key pair and creates its full public/private key pair (1) After receiving the tuple ðU i , ppk i Þ from KGC, the vehicle V i calculates h 2i = h 2 ðPID i kK pub kparamsÞ and checks the validity of the partial private key pp k i by calculating whether the equation holds or not. If it holds, the vehicle V i stores the partial private key ppk i in its TPD; otherwise, the vehicle V i discards the partial private key ppk i (2) The vehicle V i chooses two random numbers a i , b i ∈ Z * q and calculates h 3i = h 3 ðPID i k∇kparamsÞ, θ i = a i h 3i , B i = b i · P, and C i = θ i · P, respectively (1) The vehicle V i randomly selects a pseudo identity PID i from its TPD and picks a latest timestamp t i to prevent replay attacks and ensure the timeliness of sensing information collection (2) The vehicle V i picks a random number r i ∈ Z * q , com- holds or not. If it holds, the verifier accepts the signaturemessage tuple msg (viii) Signature aggregation: in this phase, each RSU acts as an aggregate signature generator. When receiving multiple signature-message tuples fM 1 kPID 1 kvpk 1 kσ 1 kt 1 g, fM 2 kPID 2 kvpk 2 kσ 2 kt 2 g, …, fM n kPID n kvpk n kσ n kt n g from n vehicles fV 1 , V 2 , ‥‥ V n g, the aggregate signature generator aggregates multiple certificateless signatures into a single short signature, which can both reduce the communication overhead and make full use of the computational resources of the RSU. In this phase, the adversary can launch an injection attack by tampering with several valid signatures [29]. In order to prevent information injection attacks in the aggregation signature phase, we use the random vector to resist this attack (1) The aggregate signature generator randomly generates a vector v = fv 1 , v 2 , v 3 ⋯ , v n g that is used to resist information injection attacks, where each v i is a random exponent in the range ½1, 2 t and t is a very small integer (2) The aggregate signature generator calculates If it holds, then AS accepts the certificateless aggregate signature; otherwise, AS performs the following phases All of the above phases are shown in Figure 4.
(x) Invalid signature identification: in this phase, when an attacker inserts an invalid signature into the aggregate signature in order to interfere with the verification resulting in invalid aggregate signature verification, AS identifies invalid signatures from the aggregate signature, requests TRA to revoke the malicious vehicles and broadcast them, and accepts the remaining valid signatures in order to reduce the computational overhead caused by repeated verification and prevent malicious vehicles from attacking. In the process of invalid signature identification, binary search is used jointly by AS and RSU (1) The RSU sorts the previously received multiple signatures, finds the middle position, divides the multiple signatures into two sets and then performs 9 Wireless Communications and Mobile Computing aggregate signature on them, respectively, and sends the two aggregate signatures to AS for verification (2) If AS verifies that either of the two aggregate signatures is invalid, the above procedures 1 and 2 are repeated for the invalid aggregate signatures until an invalid signature is found (3) AS sends multiple pseudo identities corresponding to invalid signatures fPID i , t i g to TRA to trace the real identity RID i of malicious vehicles and revoke them while sending also multiple pseudo identities corresponding to valid signatures fPID i , t i g to TRA and receiving these valid signatures The overall invalid signature identification steps are shown in Algorithm 1 (xi) Malicious vehicle revocation: in this phase, after AS identifies invalid and valid signatures from the aggregate signature and sends them to TRA, TRA traces the real identity RID i of the malicious vehicle through the pseudo identity PID i corresponding to the invalid signature and then maps out all preloaded pseudo identities of the vehicle V i . Finally, TRA makes use of the cuckoo filter to revoke the malicious vehicles. Moreover, when the fingerprint of each vehicle is known, in order to improve the efficiency of signature verification, a cuckoo filter is used to assist in verifying the signature. At the same time, in order to reduce false positives, two cuckoo filters are used to store relative fingerprint information: the positive filter (PID-cuckoo) is used to store fingerprints with valid signatures, and the negative filter (RPID-cuckoo) is used to store fingerprints with invalid signatures   Table 2 Both case 1 and case 2 explicitly state whether the pseudo identity PID i is revoked or not. There is a certain probability that the result of the query is case 3. Case 3 indicates that AS has not yet verified the pseudo identity PID i , or the verification result has not been updated to the cuckoo filter in time. Therefore, the signature verification of the vehi-cle needs to wait for the next round of cuckoo filter update. However, if the number of queries exceeds the preset number of rounds of the system and the query still fails, the message receiver will check whether the message M i is valid or not according to equation (7). Case 4 occurs because the cuckoo filter has a certain false-positive rate. Therefore, the message receiver needs to send a reconfirmation message to TRA via RSU. The process of the message receiver querying the cuckoo filter to verify the pseudo identity PID i is shown in Algorithm 3

Security Proof and Analysis
In this section, we explain the correctness of the verification process in our proposed scheme and prove the unforgeability of the signature in the proposed CLAS scheme. Finally, we analyse how the proposed CLAS scheme meets the requirements of security and privacy protection.
(2) Aggregate signature verification: 5.2. Security Proof. In this section, we provide formal security proof for the proposed CLAS scheme for 5G-enabled vehicular networks. As mentioned earlier, in order to prove that our proposed scheme is existentially unforgeable against an adaptive chosen message attack under the ROM, we define two types of adversaries which are similar to [10,12,13,34] and consider two games.

Theorem 1.
In the ROM, if there is a polynomial time Type 1 adversary A 1 who can forge a valid signature of our scheme in an attack model of game 1 after making at most q h times queries to the random oracles h i Query, q c times Create Vehicle ðIDÞ queries, and q s times Sign ðID, M i Þ queries, that is, win the game with an nonnegligible probability Pr ½Succ ðA 1 Þ, then there must be a polynomial time challenger C that can solve the ECDLP with a nonnegligible advantage ε.
Proof. In the ROM, it is assumed that there is a probabilistic polynomial time adversary A 1 who has enough ability to forge the signature-message tuple msg = fM i kPID i kvpk i kσ i kt i g of the user ID τ . Given a random instance ðP, Q = s · PÞ of the ECDLP to compute s, a polynomial time challenger C calls A 1 as its subroutine and solves the ECDLP with a nonnegligible advantage in polynomial time. A 1 performs the following queries: Setup ðIDÞ. C inputs the security parameter λ in the system initialization phase and then sets K pub = Q and sends the system parameter params = fP, p, q, E, G, h 2 , h 3 , h 4 , K pub , T pub g to A 1 . In this process, C constructs and maintains five hash lists L h 2i , L h 3i , L h 4i , L u , and L pk , all of which are initialized to empty Create Vehicle ðIDÞ. C maintains a list L u = fðID, U i , vp k i , ppk i , vsk i , h 2i Þg. When A 1 makes a query on ID, and if ID is in L u , then C sends ðID, Partial Private Key ðIDÞ. When C receives a partial private key query from A 1 for ID, if ID ≠ ID τ , C checks whether ID is already in L u or not. If ID is in L u , C sends ppk i to A 1 . Otherwise, C runs Create Vehicle ðIDÞ to obtain ppk i and sends it to A 1 . In addition, if ID = ID τ , C stops the game Public Key ðIDÞ. When C receives a public key query from A 1 for ID, C checks whether ID exists in L u or not. If it exists, C sends PK i = fðU i , vpk i Þg to A 1 . Otherwise, C executes Create Vehicle ðIDÞ to obtain the tuple ðU i , vpk i Þ and sends it to A 1 Replace Public Key ðID, PK i * Þ. C maintains a list L pk = ðID, u i , U i , vsk i , vpk i Þ. When A 1 makes a public key replacement query with ðID, PK i * Þ, where U i * = u i * · P, vp k i * = vsk i * · P and PK i * = ðU i * , vpk i * Þ, C sets U i = U i * , vp k i = vpk i * , vsk i = vsk i * , and ppk i = ⊥, and inserts ðID, u i * , Sign ðID, M i Þ. When A 1 makes a signature query with ðID, M i Þ, C performs the following steps: (1) If ID is in L pk , C picks three random numbers x, y, (2) If ID is not in L pk , because C knows the private key of the vehicle with ID, C acts like the procedure of the scheme Forgery. In the end, A 1 outputs a forged but valid certificateless signature σ i = ðR i , S i Þ on ðID, M i Þ, which passes the signature verification phase. If ID ≠ ID τ , C fails and stops According to the forking lemma [35], A 1 can obtain another forged valid signature σ i * = ðR i * , S i * Þ by simulating the game again with the same random tape but different choice of h 4i in polynomial time. We can get s according to the following equation; that is, C successfully solves the ECDLP. Then, we have From these two linear equations, we can derive the value s by Probabilistic Analysis. We analyse the advantages of C successfully obtaining s from ðP, Q = s · PÞ to solve the ECDLP In the process of executing Create Vehicle ðIDÞ query, the random oracle assignment h 2 ðIDkK pub kparamsÞ causes inconsistency, which happens with probability at most q h /q. Therefore, the probability of successful simulation of q c times is at least ð1 − q h /qÞ q c ≥ 1 − q h q c /q. And, the probability of successful simulation of q h times is at least ð1 − q h /qÞ q h ≥ 1 − q h 2 /q. In addition, ID = ID τ has a probability of 1/q c . Therefore, the overall probability of successful simulation is Pr ½Succ ðA 1 Þ ≥ ð1 − q h q c /qÞð1 − q h 2 /qÞð1/q c Þε. It should be noted here that the time complexity t + Oðq c + q s ÞS of C is determined by the exponentiations executed in the Create Vehicle ðIDÞ and Sign ðID, M i Þ queries, where S is the time of a scalar multiplication operation.
C can successfully obtain s from ðP, Q = s · PÞ with an advantage ð1 − q h q c /qÞð1 − q h 2 /qÞð1/q c Þε, where the time complexity of algorithm is t + Oðq c + q s ÞS, which contradicts the ECDLP assumption. Therefore, the proposed scheme can resist the forgery attack of type 1 adversary A 1 under the ROM.

Theorem 2.
In the ROM, if there is a polynomial time Type 2 adversary A 2 who can forge a valid signature of our scheme in an attack model of Game 2 after making at most q h times queries to the random oracles h i Query, q c times Create Vehicle ðIDÞ queries, and q s times Sign ðID, M i Þ queries, that is, win the game with an non-negligible probability Pr ½Succ ðA 2 Þ, then there must be a polynomial time challenger C that can solve the ECDLP with a nonnegligible advantage ε.
Proof. In the ROM, it is assumed that there is a probabilistic polynomial time adversary A 2 who has enough ability to forge the signature-message tuple msg = fM i kPID i kvpk i kσ i kt i g of the user ID τ . Given a random instance ðP, Q = t · PÞ of the ECDLP to compute t, a polynomial time challenger 13 Wireless Communications and Mobile Computing C calls A 2 as its subroutine and solves the ECDLP with a nonnegligible advantage in polynomial time.
A 2 performs the following queries: Setup ðIDÞ. C inputs the security parameter λ in the system initialization phase, picks a random number w ∈ Z * q and sets K pub = w · P, and then sends the system parameter par ams = fP, p, q, E, G, h 2 , h 3 , h 4 , K pub , T pub g to A 2 . In this process, C constructs and maintains five hash lists L h 2i , L h 3i , L h 4i , L u , and L pk , all of which are initialized to null Create Vehicle ðIDÞ. C maintains a list L u = fðID, U i , vpk i , ppk i , vsk i , h 2i Þg. When A 2 makes a query on ID, and if ID is in L u , then C sends ðID, Otherwise, if ID = ID τ , C selects two random numbers x, y ∈ Z * q and then calculates U i = xP, vpk i = Q, ppk i = x + w · h 2i , vsk i = ⊥, and h 2i = h 2 ðIDkK pub kparamsÞ ⟵−yx −1 ðmod qÞ. If ID ≠ ID τ , C selects three random numbers x, y, z ∈ Z * q and then calculates Query. C maintains a list L h 2 = fðID, K pub , params, h 2i Þg. When C receives a query ðID, K pub , paramsÞ from A 2 , if ID is already in L h 2 , it sends h 2i to A 2 . Otherwise, C executes Create Vehicle ðIDÞ to calculate h 2i = h 2 ðIDkK pub k paramsÞ and then sends it to A 2 h 3i Query. C maintains a list L h 3i = fðID, params,∇,h 3i Þg. When C receives a query ðID, params,∇Þ from A 2 , if L h 3i contains ðID, params,∇,h 3i Þ, then C sends h 3i to A 2 . Otherwise, C chooses a random number h 3i ∈ Z * q , calculates h 3i = h 3 ðIDk∇kparamsÞ, sends h 3i to A 2 , and inserts ðID, params,∇,h 3i Þ into L h 3i h 4i Query. C maintains a list L h 4i = ðID, M i , vpk i , R i ,∇, t i , h 4i Þ. When A 2 makes a query on ID, and if ID is in L h 4i , then C sends h 4i to A 2 . Otherwise, C selects a random number h 4i ∈ Z * q , calculates h 4i = h 4 ðM i kIDkvpk i kR i k ∇kt i Þ, sends h 4i to A 2 , and inserts ðID, Partial Private Key ðIDÞ. When C receives a partial private key query from A 2 for ID, C checks whether ID is already in L u or not. If ID is in L u , C sends ppk i to A 2 . Otherwise, C runs Create Vehicle ðIDÞ to obtain ppk i and sends it to A 2 .
Public Key ðIDÞ. When C receives a public key query from A 2 for ID, C checks whether ID exists in L u or not. If it exists, C sends PK i = fðU i , vpk i Þg to A 2 . Otherwise, C executes Create Vehicle ðIDÞ to obtain the tuple ðU i , vpk i Þ and sends it to A 2 Secret Key ðIDÞ. When C receives a private key query from A 2 for ID, if ID ≠ ID τ , C checks whether L u contains ID or not. If ID is in L u , C sends vsk i to A 2 . Otherwise, C executes Create Vehicle ðIDÞ to obtain vsk i and sends it to A 2 . In addition, if ID = ID τ , C stops the game.
Sign ðID, M i Þ. When A 2 makes a signature query with ðID, M i Þ, C performs the following steps: (1) If ID is in L pk , C picks three random numbers x, y, z ∈ Z * q such that S i = x, h 4i = h 4 ðM i kIDkvpk i kR i k∇k t i Þ ⟵ x mod q and R i = x · P + yK pub − xvpk i , then inserts ðID, M i , vpk i , R i ,∇,t i , h 4i Þ to L h 4i , and finally sends the signature σ i = ðR i , S i Þ to A 2 (2) If ID is not in L pk , because C knows the private key of the vehicle with ID, C acts like the procedure of the scheme Forgery. In the end, A 2 outputs a forged but valid certificateless aggregate signature σ = ðR, SÞ on the tuple ðID, M i Þ which passes the signature verification phase. If ID ≠ ID τ , C fails and stops According to the forking lemma [35], A 2 can obtain another valid signature σ * = ðR * , S * Þ by simulating the game again with the same random tape but different choice of h 4i in polynomial time. We can get t according to the following equation; that is, C successfully solves the ECDLP. Then, we have From these two equations, we can derive the value t by Probabilistic Analysis. We analyse the advantages of C successfully obtaining t from ðP, Q = t · PÞ to solve the ECDLP 14 Wireless Communications and Mobile Computing In the process of executing Create Vehicle ðIDÞ query, the random oracle assignment h 4i = h 4 ðM i kIDkvpk i kR i k∇k t i Þ causes inconsistency, which happens with probability at most q h /q. Therefore, the probability of successful simulation of q c times is at least ð1 − q h /qÞ q c ≥ 1 − q h q c /q. And, the probability of successful simulation q h times is at least ð1 − q h /qÞ q h ≥ 1 − q h 2 /q. In addition, ID = ID τ has a probability of 1/q c . Therefore, the overall probability of successful simulation is Pr ½SuccðA 2 Þ ≥ ð1 − q h q c /qÞð1 − q h 2 /qÞð1/q c Þε. It should be noted here that the time complexity t + Oðq c + q s ÞS of C is determined by the exponentiations executed in the Create Vehicle ðIDÞ and Sign ðID, M i Þ queries, where S is the time of a scalar multiplication operation.
C can successfully obtain t from ðP, Q = t · PÞ with an advantage ð1 − q h q c /qÞð1 − q h 2 /qÞð1/q c Þε, where the time complexity of algorithm is t + Oðq c + q s ÞS, which contradicts ECDLP assumption. Therefore, the proposed scheme can resist the forgery attack of type 2 adversary A 2 under the ROM.

5.
3. Security Analysis. Section 3.6 has given the security and privacy requirements that 5G-enabled vehicular networks. In this section, we analyse the proposed CLAS scheme to meet the above security requirements according to Theorems 1 and 2.
(i) Message integrity and authentication: according to Theorems 1 and 2, it is known that any polynomial adversary has no ability to forge a valid message. When a message msg is received from a vehicle, RSUs check the validity and integrity of the message by verifying the equation S i · P = R i + h 4i ðvpk i + h 2i K pub Þ to prevent the message from being tampered with and forged by malicious vehicles. As a result, no malicious adversary can construct h 2i = h 2 ðPID i kK pub kparamsÞ and h 4i = h 4 ðM i kPID i kvpk i kR i k∇k t i Þ to forge a signature σ i = ðR i , S i Þ. Therefore, our proposed scheme meets the security requirements for message integrity and authentication (ii) Privacy preserving: in 5G-enabled vehicular networks, each vehicle adopts pseudonym technology to hide its real identity RID i to communicate, and the pseudo identity of any vehicle involves the TRA's master private key s and a random number.
If an attacker wants to know the real identity of a vehicle, it can only do so through a pseudo identity. However, when given T pub , PID i,1 = ξ i · P, it is hard to calculate ξ i · P · T pub . Besides, TRA keeps the master private key s. Therefore, our proposed scheme can meet the requirements of privacy preserving (iii) Traceability and revocability: in our scheme, TRA can trace the identity of malicious vehicle by getting its real identity RID i . And only TRA can extract the real identity RID i from PID i by its master private key through the equation kT pub Þ · ξ i · T pub . When a malicious action takes place, TRA can effectively trace and revoke the malicious vehicle and insert relevant information of the malicious vehicle into RPID-Cuckoo filter for revocation. Therefore, our proposed scheme can meet the requirements of traceability and revocability (i) Unlinkability: in our scheme, a different pseudo identity is used for each message sent by the vehicle, and the corresponding private key is used to sign the message, in which the number ξ i in the pseudo identity is random. Moreover, there is no relationship between the new pseudo identity and the old pseudo identity for each vehicle. Therefore, the attacker cannot link two messages to the same vehicle, so our scheme meets the requirement of unlinkability (ii) Resistance to replay attacks: in our scheme, the timestamp t i is used to resist replay attacks. After receiving the message and signature, the receiver checks the freshness of the timestamp and whether the validity of the pseudo identity has expired. If the valid time is exceeded, the message is discarded. Therefore, our scheme is resistant to replay attacks (iii) Resistance to modification attack: if the attacker modifies the message and sends it to others, the verifier can easily determine the message has been modified by verifying equation S i · P = R i + h 4i ðvpk i + h 2i K pub Þ. Therefore, our scheme is resistant to modification attacks (iv) Resistance to impersonation attack: according to Theorems 1 and 2, it is proved that our scheme is existentially unforgeable against an adaptive chosen message attack under the ROM. The adversary has not the ability to launch an impersonation attack by forging a valid signature. It is easy to determine if there is an impersonation attack by verifying the equation S i · P = R i + h 4i ðvpk i + h 2i K pub Þ. Therefore, our scheme is resistant to impersonation attacks (v) Resistance to information injection attack: in our scheme, the value of equation S · P = R + C + ∑ n i=1 v i h 4i h 2i K pub can be changed by using a random vector

Scheme
Sign Verify Ali et al. [16] 74.13% 77.56% Ren et al. [15] 87.06% 84.22% Zhong et al. [29] 96.07% 94.65% Xu et al. [37] 95.36% 94.65% Gayathri et al. [36] 50% 39.39% Gayathri et al. [11] 50% 39.39% Ming and Cheng [38] 66.67% 24.80% The size of elements in group G 1 128 bytes The size of elements in group G 40 bytes q j j The size of the elements in Z * q 20 bytes 17 Wireless Communications and Mobile Computing 6.1. Computational Overhead Analysis. We adopt the same evaluation method as He et al. [10] to analyse the computational overhead of the proposed scheme. The basic configuration is 3.40GHz clock frequency, 4GB of running memory, an Intel i7-4770 processor, and MIRACL library running on the Windows 7 operating system. The MIRACL library is a well-known cryptographic library. The bilinear pairing on the security level of 80 bits is constructed as ⅇ : G 1 × G 2 ⟶ G 2 , where G 1 is an additive group of orderq defined on a super-singular elliptic curve E : y 2 = x 3 modp with embedding degree of 2. Here, we considerp as a 512-bit prime number andq as a 160-bit solinas prime number. The ECC on the security level of 80 bits is created on the nonsingular elliptic curve E : y 2 = x 3 + ax + b mod p as follows: G is an additive group of order q, where p, q are 160bit primes and a, b ∈ z * p . The execution time of the basic cryptographic operations in the scheme is shown in Table 3.
We compare the computational overhead of our scheme with these schemes [11,15,16,29,[36][37][38] in three phases: individual signature generation phase, individual signature verification phase, and aggregate signature verification phase. These schemes [15,16,29,37] are based on bilinear pair construction, and these schemes [11,36,38] and our scheme are constructed using ECC. Since the general oneway hash operation T h only incurs very little overhead in the signing and verification process, we no longer count the running time of this operation. The specific analysis of the computation overhead is shown in Table 4.
The computation overhead of the individual signature generation phase and individual signature verification phase are shown in Figure 5. It is seen that a signature needs to consist of bilinear pairing based four scalar multiplications and two scalar point additions. It also needs a map to point hash function operation in Zhong et al.'s scheme [29]. Therefore, the computational cost of the signature generation phase of the scheme is T mtp + 2T pa bp + 4T sm bp = 11:2562 ms. In the signature verification phase, operations performed include three bilinear pairing operations, two scalar multiplication operations based on bilinear pairing, one scalar point addition operation based bilinear pairing, and two map to point hash operations. Thus, the computation cost is 2T mtp + 2T sm bp + T pa bp + 3T bp = 24:8701 ms. The aggregate signature verification phase of Zhong et al.'s [29] scheme requires three bilinear pairing operations, 2n scalar multiplication operations based on bilinear pairing, ð2n − 1Þ scalar point addition operations based on bilinear pairing and n map to point hash operations, where n is the number of sensing information transmitted by the sender within a period of time. In this phase, the computation cost is nT mtp + 2nT sm bp + ð2n − 1ÞT pa bp + 3T bp = 7:8382n + 12:6259 ms.
In the proposed scheme, the signature generation phase requires one scalar multiplication operation based ECC and one scalar point addition operation based ECC, whose computational cost is T sm ecc = 0:442 ms in this phase. In the signature verification phase, operations performed include three scalar multiplication operations based ECC and two scalar point addition operations based ECC. The computational cost in this phase is 3T sm ecc + 2T pa ecc = 1:3296 ms. In the aggregate signature verification phase, operations performed include two scalar multiplication operations based ECC and two scalar point addition operations based ECC. In the aggregate signature verification phase of this scheme, the computation cost is 2T sm ecc + 2 T pa ecc = 0:8876 ms.
6.2. Communication Overhead Analysis. Driven by 5G, the IoVs need to support the interconnection between smart devices and systems. It will provide access to users everywhere at any time and bring high-intensity data transmission pressure to vehicular networks. Therefore, it is crucial to reduce communication overhead. For fairness, we use the variables in Table 6 to simulate the equivalent security levels of the schemes. On the 80-bit security level, let the sizes of the elements in G and G 1 be 40 bytes and 128 bytes, where G and G 1 are an additive group on a nonsingular elliptic curve and an additive group on a super singular curve, respectively. The signature sizes of the schemes [15,29,36,37] are compared with that of the proposed scheme as shown in Table 7. The aggregate signature generated by the proposed scheme consists of one Z * q element and one G element based on elliptic curve; therefore, it only takes 100 bytes to send the aggregate signature. It should be noted that the size of the aggregate signature bears no relation with the number of messages in the scheme of Ren et al. [15], Zhong et al. [29], Gayathri et al. [36], and our scheme. Although these schemes have lower communication cost, the length of Ali et al.'s scheme [16] and Zhong et al.'s scheme [29] are 128 bytes and 256 bytes, respectively, which far exceeds communication cost required by our scheme to send an aggregate signature. Due to the proposed scheme has lower transmission cost than other schemes, it can meet the low delay requirements for 5G-enabled vehicular networks.

Conclusion
This paper proposes a lightweight CLAS scheme with revocation mechanism for 5G-enabled vehicular networks. The proposed scheme uses binary search to identify invalid signatures and introduces a cuckoo filter to revoke malicious users to prevent reattack. The security analysis shows that the proposed scheme is secure under ROM and meets all security and privacy requirements. Moreover, our CLAS scheme uses ECC to construct the specific algorithm, which does not need the computationally complex bilinear pairing operations and map to the point hash functions, thus improving the computational efficiency. Through experimental comparison with other related schemes, our CLAS scheme has significant advantages in computational overhead and communication overhead.

Data Availability
The proposed scheme and its analysis need only theoretical and experimental support. There is no additional data set to be provided in this paper.