An efficient certificateless aggregate signature scheme for vehicular ad-hoc networks

State-of-the-art telecommunication technologies have been widely adapted for sensing and collecting traffic-related information. Vehicular Ad-Hoc Networks (VANETs) have emerged as a novel technology for revolutionizing the human driving experience. The most effective and widely recognized way to achieve mutual authentication among entities in VANETs is a digital signature scheme. Certificateless cryptography is a new and attractive paradigm that eliminates the use of certificates in public key cryptography and solves the key escrow problem of identity-based cryptography. In this paper, a new certificateless aggregate signature scheme with a constant number of pairing computations is proposed for VANETs. Assuming the hardness of the computational Diffie-Hellman problem, the scheme is proved existentially unforgeable against adaptive chosen-message attacks in the random oracle model.


Introduction
Vehicular Ad-Hoc Networks have attracted comprehensive consideration in the last few years for their promise in enhancing driving safety and revolutionizing transportation systems. Fundamentally, a VANET security design should assure the security primitives of authentication, privacy, non-repudiation, integrity, availability and, in some peculiar application scenarios, confidentiality, to defend the network against intruders. Authentication ensures that a message is trustable by correctly identifying its sender. Privacy is an important factor for the public acceptance and successful deployment of VANETs. It is attained by employing a pseudonymous approach in the communication among entities. A vehicle should not be able to relate messages to their sender, which ensures private communication; at the same time, there should be a mechanism, termed non-repudiation, that lets law enforcement authorities track a vehicle in case it transmits wrong information in the network. Integrity requires that the information from the sender to the receiver must not be altered or dropped. Availability ensures that the wireless channel remains available so that approaching vehicles can still receive warning messages in safety applications such as post-crash warning. Confidentiality requires that the information flowing from sender to receiver cannot be eavesdropped.

A well recognized resolution is to sign each message with a digital signature. Al-Riyami and Paterson (2003) invented the concept of Certificateless Public Key Cryptography (CL-PKC), which uses a third party called the Key Generation Center (KGC) to generate a partial private key for an entity; this is then combined with a secret key chosen by the entity to generate the full private key. The user then uses the public parameters of the KGC and the secret key to compute the public key. The concept of partial private keys is introduced in CL-PKC because if the full private key were generated by the KGC, as in Identity Based Cryptography, Baek et al. (2007), then the KGC would have full access to the private keys of users and might abuse the capabilities of the network. The notion of partial private key was given in CL-PKC to ensure high security of the network. CL-PKC is considered well suited for VANETs in view of the limited bandwidth and the dynamic nature of such networks. The Certificateless Signature Scheme presented by Al-Riyami and Paterson (2003) cannot be used in VANETs as it incurs a high computational cost in signature generation and verification, whereas the high mobility of vehicles puts an urgent need to reduce the computational time as much as possible to support reliable message delivery in highly dynamic vehicular ad-hoc networks. So, this paper majorly focuses on designing a CLS scheme with less computational cost without compromising the security of the network. In this paper, an Aggregate Certificateless Signature Scheme is proposed, as aggregate signatures have the advantage of verifying all the signatures received from other vehicles in an aggregate manner, which reduces the signature verification time drastically; verifying message signatures independently consumes a lot of time and leads to important messages being dropped without being verified. Thus, aggregate signatures enhance the network efficiency by verifying more message signatures in a stipulated time, leading to a reduction in message drop.

Related Work
Many security frameworks have been proposed so far to achieve the desired properties of vehicular ad hoc networks. Huang et al. (2005) proposed a security model for a common certificateless signature scheme. An ID-based ring signature scheme was adopted by Gamage et al. (2006), who modified a ring signature scheme with enhanced privacy to achieve signer ambiguity, fulfilling the privacy requirement in VANET applications. However, the ring signature scheme is not viable in the context of VANET applications: its unconditional privacy makes the non-repudiation requirement unattainable. Schemes based on group signatures are proposed in Lin et al. (2007); Lu et al. (2008); Studer et al. (2009), where the signer's privacy is conditional on the group manager, as the group manager possesses the group master key. All these schemes have the problem of identity escrow, as a group manager can arbitrarily disclose the identity of any group member. Moreover, due to the limitations of group formation, these group signature schemes are not feasible in highly mobile networks such as VANETs. An ID-based security framework for VANETs was put forward by Kamat et al. (2006, 2008), providing authentication, non-repudiation and privacy, but it is restricted by its strong dependence on the infrastructure for short-lived pseudonym generation after each message, which renders the signalling overhead overwhelming. A user privacy preserving scheme was proposed by Sun et al. (2007) by adopting a pseudonym approach, where traceability was provided simultaneously.
The first certificateless encryption scheme was given by Shamir (1985), who gave a formal proof for his scheme. Boneh et al. (2003) first introduced the concept of aggregate signatures. Many aggregate signature schemes have been proposed since Boneh et al.'s scheme, e.g. Bagherzandi and Jarecki (2010); Boldyreva et al. (2007); Lysyanskaya et al. (2004). The concept of aggregate signatures can be used much more efficiently with ID-based and certificateless signatures, as certificateless cryptography does not impose the overhead of certificates. The security model of CL signature schemes was given by Huang et al. (2005), but the abilities of adversaries in CL-PKC are not fully captured by this model, as a certificateless scheme which is secure in this model may be insecure in actual practice. A more generic way to construct CL signature schemes was put forward by Yum and Lee (2004); it was proved insecure by Hu et al. (2006), who presented a new one. In addition, the security model of CLS schemes was developed by Hu et al. (2006). A new CLS scheme was propounded by Liu et al. (2007) which was proven secure in the standard model. Huang et al. (2007) presented two new constructions of security models for certificateless signature schemes. Choi et al. (2007) presented two new efficient constructions of certificateless signature schemes, but Boneh et al. (2003) proved their security in a weak adversary model. Du and Wen (2009) gave a new, very efficient short CLS scheme with a few mistakes in their security proof. A very efficient CLAS scheme was presented by Zhang and Zhang (2009), which is secure in the random oracle model. A certificateless signcryption scheme was proposed by Miao et al. (2013), but signcryption has a high computational overhead in highly dynamic networks such as VANETs. A certificateless threshold signature scheme was given by Xiong et al. (2013), where the signing power is distributed among multiple signers, which is not a viable solution in VANETs. A certificateless two-party authenticated key agreement protocol was proposed by He et al. (2012), but two-party communication is not viable in large scale vehicular ad-hoc networks. So far, very little attention has been devoted to the design of certificateless signature schemes for specific application scenarios such as VANETs.

Our Contribution
In this paper, a formal security model for CLS schemes is presented and a new Certificateless Aggregate Signature Scheme for vehicular ad-hoc networks is adduced which provides the security requirements of integrity, authenticity, privacy and non-repudiation. Authenticity and integrity are provided by the digital signatures themselves. Privacy is achieved by the issuance of short term identifiers called pseudonyms by the road side infrastructure, which prevents the tracking of vehicles but at the same time provides non-repudiation, as the authorities can link the pseudonyms to the actual identity of the entity. Aggregate signatures have the advantage of verifying all the signatures together, leading to a reduction in computation time. Assuming the hardness of the computational Diffie-Hellman problem over groups with bilinear maps, the proposed CLAS scheme is proven secure in the random oracle model, Bellare and Rogaway (1993).
The rest of the paper is organized as follows. Section 3 gives the preliminaries, including bilinear maps, the modelling of the CLAS scheme and the security model of CLS schemes. The setup and the new certificateless signature scheme for VANETs are given in Section 4 and the security proof is shown in Section 5. The proposed certificateless aggregate signature scheme and its security proof are presented in Section 6. The efficiency of the proposed scheme is discussed in Section 7 and, finally, Section 8 concludes the paper.

Preliminaries
In this section, an overview of bilinear maps is presented along with the CLAS modelling and the adversarial model for CLS schemes.

Bilinear Maps
Let $G_1$ be a cyclic additive group of prime order $q$ with generator point $P$, and let $G_2$ be a cyclic multiplicative group of the same order $q$. A map $e : G_1 \times G_1 \to G_2$ is called a bilinear pairing if the following properties are satisfied:
1. Bilinearity: for any $P, X, Y \in G_1$, $e(P, X + Y) = e(P, X)\,e(P, Y)$, and for any $a, b \in Z_q^*$, $e(aP, bP) = e(P, P)^{ab} = e(abP, P) = e(P, abP)$.
2. Non-degeneracy: $e(P, P) \neq 1_{G_2}$.
3. Computability: for all $P, R \in G_1$, there exists an efficient algorithm to compute $e(P, R)$.
The security of the proposed certificateless signature scheme depends on the hardness of the Computational Diffie-Hellman (CDH) problem in the group.
Computational Diffie-Hellman (CDH) problem: Let $G_1$ be a cyclic group of order $q$ with generator $P$. Given two points $aP$ and $bP$ for unknown $a, b \in Z_q^*$, computing $abP$ is computationally infeasible.

Modelling Certificateless Aggregate Signature Scheme
• Setup: It takes the security parameter as input, then generates and publishes a list of system parameters as params.
• PartialKeyGen: This algorithm is performed by the KGC once for each vehicle as it enters the region of a new RTA (Regional Transportation Authority). It takes as input params, the master key and the identity $ID_i$ to generate the partial private key $pp_i$.
• UserKeyGen: The algorithm is run by the user; it takes the user identity $ID_i$ as input and selects a random $x_i \in Z_q^*$, to output the secret key $x_i$ and the public key $P_i$.
• Sign: The algorithm is run by the user with inputs params, identity $ID_i$, secret key $x_i$, partial private key $pp_i$, public key $P_i$ and message $m_k$, and outputs the signature $\sigma_{ik}$ on message $m_k$ generated by the user with identity $ID_i$.

Adversarial Model of Certificateless Signature Schemes
This section reviews the adversarial model of Certificateless Signature Schemes given by Hu et al. (2007). Two types of adversaries are considered in certificateless cryptography, namely the Type I and the Type II adversary.
Let $A_1$ denote a Type I attacker and $A_2$ a Type II attacker. Two games are considered: "Game I", where the challenger $C$ interacts with adversary $A_1$, and "Game II", where $C$ interacts with adversary $A_2$. The master key of the KGC cannot be accessed by adversary $A_1$, but $A_1$ can replace the public key of any entity with a value of its own choice, whereas the master key of the KGC can be accessed by adversary $A_2$ but $A_2$ cannot perform public key replacement. The Certificateless Signature Scheme is existentially unforgeable against adaptive chosen message attack if both adversaries $A_1$ and $A_2$ have negligible success probability. The following six oracles can be accessed by the adversaries.
• RevealPartialKey: The adversary requests the partial private key of any vehicle with identity $ID_i$. The challenger $C$ searches the list $L$ and returns the partial private key $pp_i$ corresponding to $ID_i$. If it is not found, $\perp$ is returned.
• RevealSecretKey: The adversary requests the secret key of a vehicle with identity $ID_i$. The challenger responds with the corresponding secret key $x_i$ if the entry exists in the list $L$. Otherwise, it outputs $\perp$.
• RevealPublicKey: The adversary can request the public key of the vehicle with identity $ID_i$. The challenger responds with the public key $P_i$. If the entry corresponding to $ID_i$ does not exist, $\perp$ is returned.
• RevealPseudonym: The adversary requests the pseudonym of the vehicle with identity $ID_i$. The challenger searches the list $L$ and responds with $PS_j$ if the entry exists; otherwise it returns $\perp$.
• ReplacePublicKey: On input an identity $ID_i$, the adversary may replace the public key $P_i$ of the vehicle with a public key of its own choice, say $P_i'$. If the list $L$ does not contain the entry corresponding to $ID_i$, then nothing is done.
• Sign: On input a message $M_i \in \{0,1\}^*$, the adversary can request the signature corresponding to the identity $ID_i$. A valid signature $\sigma_i$ is returned if the entry corresponding to $ID_i$ exists in the list $L$. If the public key corresponding to $ID_i$ has been replaced with $P_i'$, then the challenger $C$ returns a valid signature under the new public key $P_i'$ and secret key $x_i'$. If the list $L$ does not contain the entry corresponding to $ID_i$, then the symbol $\perp$ is returned.
Game I (for adversary $A_1$): In this game, adversary $A_1$ interacts with the challenger $C$.
Phase I-1: The Setup algorithm is run by the challenger $C$, which takes the security parameter as input and generates the master key and the system parameter list params. The parameter list params is sent by $C$ to the adversary $A_1$, while $C$ keeps the master key secret.
Phase I-2: A polynomially bounded number of oracle queries are performed by the adversary $A_1$. During this stage of the simulation, $A_1$ can make RevealPartialKey, RevealSecretKey, RevealPublicKey, RevealPseudonym, ReplacePublicKey and Sign queries to the oracles.
Phase I-3: Finally, $A_1$ outputs a message and signature pair $\langle m_i^*, \sigma_i^* \rangle$ corresponding to the identity $ID_i^*$ with public key $P_i^*$. Now, $A_1$ wins Game I if:

New Efficient Certificateless Signature Scheme for VANETs
Here, an efficient certificateless signature scheme based on bilinear pairings is presented. The proposed scheme comprises the following seven algorithms.

Setup
There is one Key Generation Center (KGC) located in the region under one Regional Transportation Authority (RTA). On input the security parameter (a natural number), the KGC first chooses a cyclic additive group $G_1$ of prime order $q$ and a cyclic multiplicative group $G_2$ of the same prime order $q$, and defines the bilinear pairing $e : G_1 \times G_1 \to G_2$. It chooses a generator point $P \in G_1$ of the group $G_1$. A master key $s \in_R Z_q^*$ is selected uniformly at random and the public key of the KGC is computed as $P_{pub} = s \cdot P$. The hash functions $H_2 : \{0,1\}^* \to Z_q^*$ and $H_3 : \{0,1\}^* \to Z_q^*$ are chosen. The message space is defined as $M = \{0,1\}^*$. Each RSU in the region under the RTA sets $y_i \in Z_q^*$ as the secret key of $RSU_i$ and $P_{rsu_i} = y_i \cdot P$ as the public key of $RSU_i$. The public keys of all the RSUs $P_{rsu_1}, P_{rsu_2}, P_{rsu_3}, \ldots, P_{rsu_n}$ under the region of the RTA are sent to the KGC and published in the params list. The system parameter list is defined as $params = \{G_1, G_2, e, P, P_{pub}, H_2, H_3, P_{rsu_1}, P_{rsu_2}, P_{rsu_3}, \ldots, P_{rsu_n}\}$.

Registration
This algorithm is run by the RTA to register the vehicle with identity $ID_i$. The RTA maps the relationship between $ID_i$ and $Q_{ID_i}$: the actual identity $ID_i$ of the vehicle is concealed, and only $Q_{ID_i}$ is used as the identity by the vehicle for all its communications. Whenever the law enforcement authorities want to trace the vehicle for liability issues, the RTA can reveal the actual identity of the vehicle. When the vehicle enters the region of another RTA, it registers its $ID_i$ again to get a new pseudo identity.
• Choose the hash function $H_1 : \{0,1\}^* \to G_1$.
• The vehicle's identity space is $ID_i \in \{0,1\}^*$. The vehicle with identity $ID_i$ registers itself with the RTA (Regional Transportation Authority), which computes $Q_{ID_i} = H_1(ID_i)$.
• The RTA sends $Q_{ID_i}$ to the vehicle.

PartialKeyGen
In the region under a single RTA there is a single KGC, and the partial private key is generated once for each vehicle under the region of one RTA. All the RSUs in the region are directly under the control of the RTA of that region. It is assumed that the KGC and the RTA do not collude, as they are different authorities and the RTA has no authority over the KGC. It follows that the KGC and the RSUs do not collude with each other either.
• The KGC runs this algorithm, taking as input the parameter list params, the master key $s$ and the pseudo identity $Q_{ID_i}$.
• The KGC then generates the partial private key of the vehicle as $pp_i = s \cdot Q_{ID_i}$ using the identity $Q_{ID_i}$.
It can be seen that the partial private key $pp_i$ of the vehicle is a signature on $Q_{ID_i}$ under the public/private key pair $(P_{pub}, s)$, and the vehicle checks its correctness by verifying whether $e(pp_i, P) = e(Q_{ID_i}, P_{pub})$, which holds since $e(pp_i, P) = e(s \cdot Q_{ID_i}, P) = e(Q_{ID_i}, s \cdot P) = e(Q_{ID_i}, P_{pub})$.

UserKeyGen
This algorithm is used to generate the secret and public keys of the vehicles for vehicular communications in VANETs.
• The vehicle updates its secret and public key each time it enters the region of a new RTA, as it gets a new pseudo identity $Q_{ID_i}$.
• The vehicle and the RSU take params as input to generate the secret and public keys. The vehicle with identity $Q_{ID_i}$ selects $x_i \in_R Z_q^*$ at random, sets $x_i$ as its secret key and sets its public key as $P_i = x_i \cdot P$.

PseudonymGen
This algorithm is run by the $RSU_i$ under whose coverage the vehicle requesting the pseudonym lies. Pseudonyms are allocated to vehicles each time a new RSU is encountered. Frequent updating of pseudonyms under each RSU may lead to consumption of network bandwidth and a signalling overhead problem. Therefore, the Road Side Units (RSUs) may combine to form autonomous networks, which helps solve the signalling overhead and bandwidth consumption that frequent updating of pseudonyms under each RSU would cause.
• It is assumed that an autonomous network comprises 4 RSUs in scarcely populated areas and 2 RSUs in densely populated areas. A pseudonym is generated once under one autonomous network. This solution provides privacy and liability at the same time.
• The inputs taken by this algorithm are params and the vehicle identity $Q_{ID_i}$; it generates the pseudonym of the vehicle in two parts $PS1_j$ and $PS2_j$ such that $PS_j = PS1_j + PS2_j$.
• The autonomous network $RSU_i$ selects $a_j \in_R Z_q^*$ at random and sets $PS1_j = a_j \cdot Q_{ID_i}$.
• Then it calculates the hash value of $PS1_j$ as $T_j = H_3(PS1_j) \in Z_q^*$.
• The second part of the pseudonym is calculated as $PS2_j = a_j \cdot T_j$.
• Finally the pseudonym is calculated as $PS_j = PS1_j + PS2_j$.

Sign
To sign a message $m_k \in M$ using the partial private key and private key pair $(pp_i, x_i)$ with vehicle identity $Q_{ID_i}$ and public key $P_i$, the following steps are performed:
• Choose a random $r_i \in_R Z_q^*$ and compute $U_i = r_i \cdot P \in G_1$.
• Compute $h_{ijk} = H_2(m_k, PS1_j, P_i, U_i) \in Z_q^*$.
• Compute $V_{ijk} = pp_i \cdot PS2_j + h_{ijk} \cdot r_i \cdot P_{pub} + h_{ijk} \cdot x_i \cdot P_{rsu_i}$.
• Output the signature on $m_k$ as $\sigma_{ijk} = (U_i, V_{ijk})$.
The first scalar multiplication $(pp_i \cdot PS2_j)$ in $V_{ijk}$ can be pre-computed whenever the pseudonym is generated for $Q_{ID_i}$ in the current autonomous network, which saves one scalar multiplication during signature generation.

Verify
To verify the signature $\sigma_{ijk} = (U_i, V_{ijk})$ signed by the vehicle with pseudonym $PS_j$, given params, the pseudonym part $PS1_j$, the public key $P_i$, the message $m_k$ and the signature $\sigma_{ijk} = (U_i, V_{ijk})$, the verifying vehicle:
• Computes $T_j = H_3(PS1_j)$ and $h_{ijk} = H_2(m_k, PS1_j, P_i, U_i)$.
• Accepts the signature if the following equation holds: $e(V_{ijk}, P) = e(PS1_j \cdot T_j + h_{ijk} \cdot U_i,\, P_{pub})\; e(h_{ijk} \cdot P_i,\, P_{rsu_i})$.
• If the equation holds, the output is true; otherwise, the output is $\perp$.
The correctness of the scheme follows from the bilinearity of $e$. In the current setup, the KGC can choose a secret key $x_i \in Z_q^*$ and compute a new public key $P_i = x_i \cdot P$ for the user with identity $Q_{ID_i}$. Therefore the KGC is able to know both the partial private key and the private key of the vehicle, which implies that both the KGC and the vehicle may deny signature generation. But in this scheme the pseudonyms are generated by the RSUs: an RSU verifies the user identity and then generates the pseudonym corresponding to that identity, and signatures are generated with the pseudonyms issued for those identities. So the KGC does not have access to the pseudonyms and cannot forge signatures. Moreover, if a public key is replaced by the KGC, this can easily be detected by law enforcement authorities, as the KGC is the only entity having that capability.
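As an added worked example (not code from the paper), the following Python models the Setup, Registration, PartialKeyGen, UserKeyGen, PseudonymGen, Sign and Verify algorithms above and checks the verification equation, including that an altered message or a swapped public key is rejected. The pairing is a deliberately insecure stand-in ($G_1 = Z_q$ with $P = 1$ and $e(aP, bP) = g^{ab} \bmod p$) chosen only so the algebra runs offline without a pairing library; the parameter values, hash instantiations and identity string are constructed here.

```python
import hashlib
import secrets

# Toy parameters constructed for this example: p = 10007 = 2*5003 + 1 is a safe prime,
# so g = 4 (a quadratic residue) generates the subgroup of prime order q = 5003. G1 is
# modelled as Z_q with generator P = 1 (the point a.P is the integer a), and
# e(a.P, b.P) = g^(ab) mod p is bilinear; discrete logs are trivial, so no security.
Q = 5003        # prime order q of G1 and G2
P_MOD = 10007   # G2 is the order-q subgroup of Z_p^*
G2_GEN = 4      # generator of G2
P_GEN = 1       # generator point P of G1

def rand_zq_star():
    """Uniform element of Z_q^*."""
    return 1 + secrets.randbelow(Q - 1)

def smul(k, point):
    """Scalar multiplication k.point in G1."""
    return (k * point) % Q

def padd(a, b):
    """Point addition in G1."""
    return (a + b) % Q

def pairing(a, b):
    """Toy pairing e : G1 x G1 -> G2 with e(a.P, b.P) = g^(ab)."""
    return pow(G2_GEN, (a * b) % Q, P_MOD)

def _hash_zq_star(*parts):
    """Hash arbitrary inputs to Z_q^*; the first part is a domain-separation tag."""
    digest = hashlib.sha256("|".join(str(x) for x in parts).encode()).digest()
    return 1 + int.from_bytes(digest, "big") % (Q - 1)

def H1(identity):
    """H1 : {0,1}* -> G1; Registration maps ID_i to the pseudo identity Q_ID_i."""
    return _hash_zq_star("H1", identity)

def H2(m, ps1, pub, u):
    """H2 : {0,1}* -> Z_q^*, evaluated on (m_k, PS1_j, P_i, U_i)."""
    return _hash_zq_star("H2", m, ps1, pub, u)

def H3(ps1):
    """H3 : {0,1}* -> Z_q^*; T_j = H3(PS1_j)."""
    return _hash_zq_star("H3", ps1)

def setup():
    """Setup: KGC master key s, P_pub = s.P; one RSU with secret y, P_rsu = y.P."""
    s, y = rand_zq_star(), rand_zq_star()
    return {"s": s, "P_pub": smul(s, P_GEN), "y": y, "P_rsu": smul(y, P_GEN)}

def partial_key_gen(s, q_id):
    """PartialKeyGen: pp_i = s.Q_ID_i."""
    return smul(s, q_id)

def partial_key_is_valid(pp, q_id, p_pub):
    """Vehicle-side check e(pp_i, P) = e(Q_ID_i, P_pub)."""
    return pairing(pp, P_GEN) == pairing(q_id, p_pub)

def user_key_gen():
    """UserKeyGen: secret x_i and public key P_i = x_i.P."""
    x = rand_zq_star()
    return x, smul(x, P_GEN)

def pseudonym_gen(q_id):
    """PseudonymGen (RSU): PS1_j = a_j.Q_ID_i, T_j = H3(PS1_j), PS2_j = a_j.T_j."""
    a = rand_zq_star()
    ps1 = smul(a, q_id)
    ps2 = (a * H3(ps1)) % Q  # scalar part of the pseudonym
    return ps1, ps2

def sign(m, pp, x, pub, ps1, ps2, p_pub, p_rsu):
    """Sign: U_i = r_i.P, V_ijk = pp_i.PS2_j + h.r_i.P_pub + h.x_i.P_rsu."""
    precomputed = smul(ps2, pp)  # pp_i.PS2_j, reusable while the pseudonym is valid
    r = rand_zq_star()
    u = smul(r, P_GEN)
    h = H2(m, ps1, pub, u)
    return u, padd(precomputed, padd(smul(h * r, p_pub), smul(h * x, p_rsu)))

def verify(m, sig, pub, ps1, p_pub, p_rsu):
    """Verify: accept iff e(V, P) = e(PS1_j.T_j + h.U_i, P_pub) * e(h.P_i, P_rsu)."""
    u, v = sig
    t, h = H3(ps1), H2(m, ps1, pub, u)
    rhs = pairing(padd(smul(t, ps1), smul(h, u)), p_pub) * pairing(smul(h, pub), p_rsu)
    return pairing(v, P_GEN) == rhs % P_MOD

def demo():
    """One vehicle through Setup..Verify; returns (genuine, tampered_msg, wrong_key)."""
    params = setup()
    q_id = H1("plate-ABC-1234")  # constructed sample identity ID_i
    pp = partial_key_gen(params["s"], q_id)
    assert partial_key_is_valid(pp, q_id, params["P_pub"])
    x, pub = user_key_gen()
    ps1, ps2 = pseudonym_gen(q_id)
    p_pub, p_rsu = params["P_pub"], params["P_rsu"]
    sig = sign("brake-warning", pp, x, pub, ps1, ps2, p_pub, p_rsu)
    genuine = verify("brake-warning", sig, pub, ps1, p_pub, p_rsu)
    tampered = verify("all-clear", sig, pub, ps1, p_pub, p_rsu)  # message altered
    wrong_key = verify("brake-warning", sig, user_key_gen()[1], ps1, p_pub, p_rsu)
    return genuine, tampered, wrong_key
```

Calling `demo()` returns `(True, False, False)`; the aggregate verification of Section 6 is not modelled here.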

Security Proof
Assuming the hardness of the Computational Diffie-Hellman problem, the security of the Certificateless Signature Scheme is shown here.
Theorem 1. In the random oracle model, if an adversary $A_1$ exists having advantage $\varepsilon$ to forge a signature in a Game I modelled attack within time $t$, making $q_i$ queries to $H_i$ for $i = 1, 2, 3$, $q_k$ queries to RevealPartialKey, $q_s$ queries to RevealSecretKey, $q_p$ queries to RevealPublicKey, $q_{ps}$ queries to RevealPseudonym and $q_{sig}$ queries to Sign, then the CDH problem can be solved in time $t + \varphi(q_1 + q_2 + q_3 + q_k + q_s + q_p + q_{ps} + q_{sig})\,t_m$, where $t_m$ is the computation time for a scalar multiplication in $G_1$, with probability $\varepsilon' \geq \frac{1}{(q_k + 1)\cdot e}\,\varepsilon$.
Proof: Let $C$ be an attacker receiving a random instance $(P, aP, bP)$ of the CDH problem in the cyclic group $G_1$. The point $P$ is a generator of $G_1$ of prime order $q$. Now $X = a \cdot P$ and $Y = b \cdot P$, where $a$ and $b$ are randomly chosen in $Z_q^*$. A Type I adversary $A_1$ interacts with $C$ as modelled in Game I. $C$ uses $A_1$ to solve the CDH problem, i.e. to compute $abP$ in $G_1$, by constructing an algorithm $S_1$. $C$ sends $params = (G_1, G_2, e, P, P_{pub}, H_2, H_3, P_{rsu})$ to $A_1$. $S_1$ chooses a random $c \in_R Z_q^*$, sets $P_{pub} = X$ and $P_{rsu} = c \cdot P$, and then starts answering oracle queries. The hash functions $H_1$, $H_2$ and $H_3$ are considered random oracles, and $A_1$ performs the following queries. It is assumed that an $H_1(\cdot)$ oracle query has previously been made on any identity for which a key extraction or signature query is made. A list $L = (ID_i, pp_i, x_i, P_i, PS_j)$ is maintained by $S_1$ while $A_1$ makes queries throughout Game I, and $C$ maintains the algorithm $S_1$. $S_1$ responds to all of $A_1$'s queries.
$H_1$ queries: When an identity $ID_i$ is submitted to oracle $H_1$, the same answer is given if the request has been asked before. Otherwise, $S_1$ flips a coin $c_i \in \{0,1\}$ yielding 0 with probability $\zeta$ and 1 with probability $(1 - \zeta)$. It then randomly picks $\alpha_i \in_R Z_q^*$ and records $(ID_i, \alpha_i, c_i, Q_i)$ in the list $L_{H_1}$.
$H_2$ queries: $S_1$ maintains a list $L_{H_2} = (m_k, PS1_j, P_i, U_i, h_{ijk})$, which is initially empty. When $A_1$ issues a query $H_2(m_k, PS1_j, P_i, U_i)$, the same answer from the list $L_{H_2}$ is given if the request has been made before. Otherwise $S_1$ selects a random element $h_{ijk} \in_R Z_q^*$, adds the tuple $(m_k, PS1_j, P_i, U_i, h_{ijk})$ to the list $L_{H_2}$ and returns $h_{ijk}$ to $A_1$ as the value of $H_2(m_k, PS1_j, P_i, U_i)$.
$H_3$ queries: $S_1$ maintains a list $L_{H_3} = (PS1_j, t_{1j})$, which is initially empty. When $A_1$ issues a query $H_3(PS1_j)$, the same answer is returned if the query has been made before. Otherwise, $S_1$ selects a random $t_{1j} \in_R Z_q^*$, adds $(PS1_j, t_{1j})$ to the list $L_{H_3}$ and returns $t_{1j}$ to $A_1$.

RevealPseudonym queries:
The request is issued on an identity $ID_i$.
• The corresponding tuple $(ID_i, pp_i, x_i, P_i, PS_j)$ is recovered from the list $L$. $S_1$ checks whether $PS_j$ is $\perp$. If $PS_j \neq \perp$, $S_1$ returns $PS_j$ to $A_1$. Otherwise, $S_1$ randomly chooses $k_j \in_R Z_q^*$ and computes $PS1_j = k_j \cdot Q_i \in G_1$, with $Q_i$ taken from the entry for $ID_i$ in the list $L_{H_1} = (ID_i, \alpha_i, c_i, Q_i)$ if $c_i = 1$, and $PS2_j = k_j \cdot t_{1j}$, where $t_{1j}$ is taken from the list $L_{H_3} = (PS1_j, t_{1j})$. $S_1$ returns $PS_j = (PS1_j + PS2_j)$ to the adversary $A_1$ and adds $(ID_i, pp_i, x_i, P_i, PS_j)$ to the list $L$.
• If the list $L$ does not contain $(ID_i, pp_i, x_i, P_i, PS_j)$, then $S_1$ sets $PS_j = \perp$, randomly chooses $k_j \in_R Z_q^*$ and computes $PS1_j = k_j \cdot Q_i$ and $PS2_j = k_j \cdot t_{1j}$ from the corresponding lists $L_{H_1} = (ID_i, \alpha_i, c_i, Q_i)$ and $L_{H_3} = (PS1_j, t_{1j})$ respectively. $S_1$ answers $PS_j = (PS1_j + PS2_j)$ to the adversary $A_1$ and adds $(ID_i, pp_i, x_i, P_i, PS_j)$ to the list $L$.

RevealPartialKey queries:
The request is issued on an identity $ID_i$.
• The corresponding tuple is recovered from the list $L$; $S_1$ returns the partial private key $pp_i$ to $A_1$ and adds the tuple $(ID_i, pp_i, x_i, P_i, PS_j)$ to the list $L$.
If the tuple containing $h_{ijk}$ already appears in the list $L_{H_2}$, then $S_1$ selects another $r_i, h_{ijk} \in_R Z_q^*$ and tries again. Finally $S_1$ responds to $A_1$ with $\sigma_{ijk} = (U_i, V_{ijk})$. All the responses to Sign queries are valid, i.e. the output $(U_i, V_{ijk})$ of a Sign query is a valid signature on message $m_k$. Now, when $c_i = 0$, $V_{ijk} = h_{ijk} \cdot r_i \cdot X + h_{ijk} \cdot x_i \cdot P_{rsu}$, and

$$
\begin{aligned}
e(V, P) &= e(h_{ijk} \cdot r_i \cdot X + h_{ijk} \cdot x_i \cdot P_{rsu},\, P) \\
&= e(h_{ijk} \cdot r_i \cdot a \cdot P,\, P)\; e(h_{ijk} \cdot x_i \cdot c \cdot P,\, P) \\
&= e(h_{ijk} \cdot r_i \cdot P,\, aP)\; e(h_{ijk} \cdot x_i \cdot P,\, c \cdot P) \\
&= e(h_{ijk} \cdot U_i + PS1_j \cdot t_{1j},\, X)\; e(h_{ijk} \cdot P_i,\, P_{rsu}).
\end{aligned}
$$

By the forking lemma, Shamir (1985), replaying $A_1$ with some random tape, $S_1$ obtains two valid signatures within polynomial time. Multiplying both sides of equation (1) by $(h^*_{ijk})^{-1}$ and both sides of equation (2) by the inverse of its hash value, and subtracting (4) from (3), $S_1$ recovers the corresponding $b \cdot P$ and $PS2_j = k_j \cdot t_{1j}$. Now $P_{pub} = a \cdot P$, where $a$ is the secret key of the KGC. Then $pp_i = a \cdot Q_i = a(\alpha_i \cdot b \cdot P) = \alpha_i \cdot abP$. Substituting into equation (5), algorithm $S_1$ outputs $abP$ as the solution to the Computational Diffie-Hellman problem.
The proof is completed by showing that $S_1$ solves the given instance of the CDH problem with probability $\varepsilon' \geq \frac{1}{(q_k + 1)\cdot e}\,\varepsilon$. $S_1$ needs three events in order to succeed:
$E_1$: The result of any of $A_1$'s RevealPartialKey queries does not abort $S_1$.
$E_2$: A valid and non-trivial signature is generated by $A_1$.
$E_3$: $A_1$ outputs a valid and non-trivial forgery and $S_1$ does not abort.
The probability that $S_1$ succeeds after all these events happen is
• Claim 1: The probability that the result of any of $A_1$'s RevealPartialKey queries does not abort $S_1$ is at least
As at most $q_k$ RevealPartialKey queries are made, the probability of $S_1$ not aborting after the queries of $A_1$ is at least
• Claim 2: The probability of $S_1$ not aborting on $A_1$'s signature queries and key extraction queries is $\varepsilon$.
• Claim 3: The probability that $A_1$ outputs a valid and non-trivial forgery and $S_1$ does not abort is $\zeta$.
Suppose $A_1$ generated a valid and non-trivial forgery after the events $E_1$ and $E_2$ occurred. Thus, with sufficiently large $q_k$, the term $\left(1 - \frac{1}{q_k + 1}\right)^{q_k}$ tends to $\frac{1}{e}$. Thus the probability is

Theorem 2. In the random oracle model, if an adversary $A_2$ exists having advantage $\varepsilon$ to forge a signature in a Game II modelled attack within time $t$, making $q_2$ queries to $H_2$, $q_3$ queries to $H_3$, $q_p$ queries to RevealPublicKey, $q_s$ queries to RevealSecretKey, $q_{ps}$ queries to RevealPseudonym and $q_{sig}$ queries to Sign, then the CDH problem in $G_1$ can be solved in time $t + \varphi(q_2 + q_3 + q_s + q_p + q_{ps} + q_{sig})\,t_m$, where $t_m$ is the computation time for a scalar multiplication in $G_1$, with probability $\varepsilon' \geq \frac{1}{(q_p + 1)\cdot e}\,\varepsilon$.
• If the list does not contain $(ID_i, x_i, P_i, PS_j, c_i)$, then if $c_i = 1$, it halts.
• If $c_i = 0$, $S_2$ makes a RevealPublicKey query, adds the tuple $(ID_i, x_i, P_i, PS_j, c_i)$ to the list $L$ and returns $x_i$ to $A_2$.
Sign Oracle: On receiving a Sign query on $ID_i$, $S_2$ first recovers the list $L = (ID_i, x_i, P_i, PS_j, c_i)$, then $L_{H_2} = (m_k, PS1_j, P_i, U_i, h_{ijk})$ and $L_{H_3} = (PS1_j, t_{1j})$, and generates the signature as follows:
• If $c_i = 1$, then if the list contains $(ID_i, x_i, P_i, PS_j, c_i)$, $S_2$ checks that $x_i = \gamma_i$ and
• If $c_i = 0$, then the list contains $(ID_i, x_i, P_i, PS_j, c_i)$, and $S_2$ checks that $x_i = \gamma_i$ and $P_i = \gamma_i \cdot P \in G_1$.
Now, for generating the signature, if $c_i = 1$, then $S_2$ checks that the adversary $A_2$ has not made a Sign query on $(ID_i, x_i, P_i, PS_j, c_i)$. In addition, the forged signature must satisfy $e(V, P) = e(PS1_j \cdot t$
By setting the values as
Thus, $S_2$ outputs $abP$ as the solution of the Computational Diffie-Hellman problem. Similar to Theorem 1, it can be shown that the given instance of the CDH problem is solved by $S_2$ with probability $\varepsilon' \geq \frac{1}{(q_p + 1)\cdot e}\,\varepsilon$.

$H_1$ queries: On submitting an identity $ID_i$ to oracle $H_1$, the same answer is returned if the request has been asked before. Otherwise, a coin $c_i \in \{0,1\}$ is flipped by $S$, yielding 0 with probability $\zeta$ and 1 with probability $(1 - \zeta)$, and $\alpha_i$ is picked randomly from $Z_q^*$. If $c_i = 0$, $H_1(ID_i)$ is defined as
Thus, the output $(U^*, V^*)$ given by algorithm $S$ acts as a forgery of the basic certificateless signature scheme.
To complete the proof, it is to be shown that $S$'s advantage in forging the basic certificateless signature is at least
There are three events needed for $S$ to succeed:
$E_1$: The result of any of $A$'s RevealPartialKey queries does not abort $S$.
$E_2$: A valid and non-trivial signature is generated by $A$.
$E_3$: $A$ outputs a valid and non-trivial forgery and $S$ does not abort.
The probability that $S$ succeeds after all these events happen is
• Claim 1: The probability that $S$ does not abort as a result of the RevealPartialKey queries is at least
For each key extraction query, the probability that $S$ does not abort is $(1 - \zeta)$.
As at most $q_k$ RevealPartialKey queries are made, the probability that $S$ does not abort as a result of
• Claim 2: The probability of $S$ not aborting on $A$'s signature queries and key extraction queries is $\varepsilon$.
• Claim 3: The probability that $A$ outputs a valid and non-trivial forgery and $S$ does not abort is $\zeta$.
Proof: Suppose events $E_1$ and $E_2$ have occurred and $A$ has generated some valid and non-trivial forgery. Hence
With sufficiently large $q_k$, the term $\left(1 - \frac{1}{q_k + n}\right)^{q_k + n - 1}$ tends to $\frac{1}{e}$. Thus the probability is

Efficiency
In practice, the size of an element of the group G_1 can be halved using standard point-compression techniques. The certificateless aggregate signature scheme proposed here is a short CLAS scheme in the style of the BLS signature scheme of Boneh et al. (2001). The group and the bilinear map are chosen over an elliptic curve with a group size of 160 bits, so a signature produced by this scheme is approximately 160 bits long, half the size of the signatures of the other CLAS schemes compared here. (A 160-bit group corresponds to roughly 80 bits of security, which is below current recommendations; the comparison is about relative size.) The proposed scheme is therefore considerably more efficient in terms of bandwidth, which is a key requirement in bandwidth-limited networks such as VANETs. Tab. 1 compares the computational cost of the proposed scheme with that of the existing schemes of Zhang and Zhang (2009), Zhang et al. (2010) and Gong et al. (2007). The cost of operations that the signer can pre-compute, such as pp_i.PS2_i, is omitted.
Tab. 1 compares the proposed scheme with the other schemes by type, signing cost, verification cost and aggregate verification cost. The main goal is to reduce the cost of signature verification, since that is the operation performed most often. Two operations are counted: scalar multiplication (S) in G_1 and the pairing operation (P). The pairing is by far the most expensive operation, so the number of pairings is what must be minimised. The scheme of Zhang and Zhang (2009) needs (n+3) pairings to verify an aggregate of n signatures, so its pairing count grows linearly with n. The scheme of Zhang et al. (2010) needs 5 pairings and 2n scalar multiplications: a constant 5 pairings, with the scalar multiplications growing linearly. The first scheme of Gong et al. (2007) needs (2n+1) pairings and the second (n+2) pairings plus n scalar multiplications; both are expensive because their pairing count grows with the number of signatures. The AggregateVerify procedure of the proposed scheme needs only 3 pairings and 3n scalar multiplications, the lowest pairing count of all the schemes compared. Against Zhang et al. (2010) it saves 2 pairings at the price of n extra scalar multiplications, so it is cheaper whenever n scalar multiplications cost less than 2 pairings, i.e. for small and moderate n; for very large aggregates the scalar multiplications dominate and the two schemes should be compared on the target platform. The signing cost is comparable to the other schemes. In vehicular ad-hoc networks a vehicle has ample computational power, signs only its own message, and must verify many messages received from other vehicles; the signing cost can therefore be traded off, but the verification cost cannot. Under these counts the proposed scheme is computationally more efficient than the existing schemes.
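The operation counts above can be turned into a simple cost model to see for which aggregate sizes n the proposed scheme actually comes out ahead. The following is an added example, not code from the paper; the (pairings, scalar multiplications) counts per scheme are those stated in the text, while the pairing-to-scalar-multiplication cost ratio is an assumption (20x is only a rough figure for pairings on 160-bit curves; measure on your own platform and pass the measured ratio). It applies the aggregate-verify counts for every n, including n = 1.

```python
"""Operation-count model for the aggregate-verify costs listed in Tab. 1.

Added example, not code from the paper.  Counts are the ones the Efficiency
section states; the pairing weight is an ASSUMED cost ratio (see lead-in).
"""
from typing import Callable, Dict, Optional, Tuple

# Aggregate-verify cost for n signatures as (pairings, scalar mults in G1),
# exactly as stated in the text for each scheme.
AGGREGATE_VERIFY: Dict[str, Callable[[int], Tuple[int, int]]] = {
    "Zhang and Zhang (2009)": lambda n: (n + 3, 0),
    "Zhang et al. (2010)": lambda n: (5, 2 * n),
    "Gong et al. (2007) scheme 1": lambda n: (2 * n + 1, 0),
    "Gong et al. (2007) scheme 2": lambda n: (n + 2, n),
    "proposed": lambda n: (3, 3 * n),
}


def op_counts(scheme: str, n: int) -> Tuple[int, int]:
    """(pairings, scalar multiplications) to aggregate-verify n signatures."""
    if n < 1:
        raise ValueError("need at least one signature")
    return AGGREGATE_VERIFY[scheme](n)


def weighted_cost(scheme: str, n: int, pairing_weight: float = 20.0) -> float:
    """Cost in units of one scalar multiplication, with one pairing costing
    `pairing_weight` scalar multiplications (assumed ratio, not from the paper)."""
    pairings, scalars = op_counts(scheme, n)
    return pairings * pairing_weight + scalars


def cheapest(n: int, pairing_weight: float = 20.0) -> str:
    """Name of the scheme with the lowest modelled aggregate-verify cost.
    On an exact tie the scheme listed first in AGGREGATE_VERIFY wins."""
    return min(AGGREGATE_VERIFY, key=lambda s: weighted_cost(s, n, pairing_weight))


def proposed_strictly_cheapest(n: int, pairing_weight: float = 20.0) -> bool:
    """True when the proposed scheme beats every other scheme for this n."""
    mine = weighted_cost("proposed", n, pairing_weight)
    return all(weighted_cost(s, n, pairing_weight) > mine
               for s in AGGREGATE_VERIFY if s != "proposed")


def proposed_cheapest_range(pairing_weight: float = 20.0,
                            n_max: int = 10_000) -> Optional[Tuple[int, int]]:
    """Smallest and largest n (up to n_max) for which the proposed scheme is
    strictly cheapest, or None if it never is.

    From the counts: 3P + 3nS < 5P + 2nS  <=>  nS < 2P, so with P = w*S the
    proposed scheme stops winning against Zhang et al. (2010) once n reaches
    2*w.  At n = 1 the two Gong schemes, which need no scalar multiplications
    beyond their pairings, are marginally cheaper.  The search below does not
    rely on that algebra, so it stays correct if the table entries change.
    """
    wins = [n for n in range(1, n_max + 1)
            if proposed_strictly_cheapest(n, pairing_weight)]
    return (min(wins), max(wins)) if wins else None


if __name__ == "__main__":
    for w in (10.0, 20.0, 50.0):
        print(f"pairing = {w:>4}x scalar mult: proposed scheme strictly cheapest "
              f"for n in {proposed_cheapest_range(w)}")
    for n in (1, 10, 100):
        print(n, cheapest(n), {s: weighted_cost(s, n) for s in AGGREGATE_VERIFY})
```

Running it with the default ratio reports that the proposed scheme is strictly cheapest for 2 ≤ n ≤ 39 and that Zhang et al. (2010) overtakes it at n = 40 (the tie point 2·w); the window scales with the measured pairing-to-scalar-multiplication ratio, which is the number to check on the actual on-board or RSU hardware.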

Conclusion
A new efficient certificateless aggregate signature scheme is proposed for vehicular communications. The scheme is proven existentially unforgeable against adaptive chosen-message attacks in the random oracle model under the assumption that the CDH problem is intractable. The proposed CLAS scheme is designed specifically for securing vehicular communications in vehicular ad-hoc networks: it reduces the signature verification time substantially, so more messages can be verified within the stipulated time, increasing the efficiency of the network. The scheme has a much lower computational cost for verifying signatures than the previously proposed schemes, and its short signatures make it well suited to networks with limited bandwidth such as vehicular ad-hoc networks.
by algorithm S in both cases to keep track of all the queries. Ultimately, adversary A has to output a set of n users with identities from $L^*_{ID} = \{ID^*_1, \ldots, ID^*_n\}$, public keys from $L^*_P = \{P^*_1, \ldots, P^*_n\}$, pseudonyms from $L^*_{PS} = \{PS^*_1, \ldots, PS^*_n\}$, n messages from the set $L^*_m = \{m^*_1, \ldots, m^*_n\}$ and an aggregate signature $\sigma^* = (U^*_1, \ldots, U^*_n, V^*)$. S then finds the corresponding n tuples $(ID_i, \alpha_i, c_i, Q_i)$, $i = 1, \ldots, n$, in $L_{H_1}$ and proceeds only when $c_k = 0$ and $c_j = 1$ for all $j \in \{1, \ldots, n\}$, $j \neq k$, and the signature $(m^*_k, PS1^*_k, P^*_k, U^*_k, h^*_k)$ has never been requested before. Otherwise, S fails and halts. When $Q_k = \alpha_k \cdot P_{pub}$ and $Q_j = \alpha_j \cdot P$ for $j \neq k$, S succeeds. The generated aggregate signature $\sigma^* = (U^*_1, \ldots, U^*_n, V^*)$ satisfies the aggregate verification equation: e(V*, P) = e(∑_{i=1}^{n}

• Aggregate: The aggregate signature generator runs this algorithm, aggregating the signatures $\{\sigma_1, \ldots, \sigma_n\}$ of n users $\{U_1, \ldots, U_n\}$ with public keys $\{P_1, \ldots, P_n\}$ on messages $\{M_1, \ldots, M_n\}$, and outputs the aggregate signature σ.
• AggregateVerify: This algorithm takes as input an aggregate signature σ signed by n users $\{U_1, \ldots, U_n\}$ with public keys $\{P_1, \ldots, P_n\}$ on messages $\{M_1, \ldots, M_n\}$. It outputs true if the aggregate signature is valid and false otherwise.

a valid signature on message $m^*_i$ with identity $ID^*_i$ and public key $P^*_i$.
• The partial private key $pp^*_i$ of identity $ID^*_i$ has not been requested in a RevealPartialKey query. Moreover, oracle Sign has never been queried with $ID^*_i$ and $m^*_i$.

Game II (for adversary A_2): In this game, adversary A_2 interacts with the challenger C. The challenger C runs the Setup algorithm, which takes the security parameter as input and generates the master key and the system parameter list params. The challenger C sends both params and the master key to the adversary A_2. The adversary A_2 then performs a polynomially bounded number of oracle queries: during this stage of the simulation A_2 can make RevealSecretKey, RevealPublicKey, RevealPseudonym and Sign queries. The RevealPartialKey oracle is no longer needed by A_2, since A_2 has access to the master key. Finally, A_2 outputs a message and signature pair $\langle m^*_i, \sigma^*_i \rangle$ corresponding to the identity $ID^*_i$ with public key $P^*_i$. A_2 wins Game II if:
• $\sigma^*_i$ is a valid signature on message $m^*_i$ with identity $ID^*_i$ and public key $P^*_i$.
• The secret key $x^*_i$ of identity $ID^*_i$ has not been requested in a RevealSecretKey query. Moreover, oracle Sign has never been queried with $ID^*_i$ and $m^*_i$.

Definition 1: A certificateless signature scheme is existentially unforgeable under adaptively chosen message attack if the success probability $succ_A$ of any probabilistic polynomial time (PPT) adversary A in either of the above two games is negligible.

Correctness of a single signature follows from the bilinearity of e:

$$
\begin{aligned}
e(V_{ijk}, P)
&= e\big(pp_i \cdot PS2_j + h_{ijk} \cdot r_i \cdot P_{pub} + h_{ijk} \cdot x_i \cdot P_{rsu_i},\ P\big) \\
&= e(pp_i \cdot PS2_j,\ P)\; e(h_{ijk} \cdot r_i \cdot P_{pub},\ P)\; e(h_{ijk} \cdot x_i \cdot P_{rsu_i},\ P) \\
&= e(s \cdot Q_{ID_i} \cdot a_j \cdot T_j,\ P)\; e(h_{ijk} \cdot r_i \cdot s \cdot P,\ P)\; e(h_{ijk} \cdot x_i \cdot y_i \cdot P,\ P) \\
&= e(a_j \cdot Q_{ID_i} \cdot T_j,\ s \cdot P)\; e(h_{ijk} \cdot r_i \cdot P,\ s \cdot P)\; e(h_{ijk} \cdot x_i \cdot P,\ y_i \cdot P) \\
&= e(PS1_j \cdot T_j,\ P_{pub})\; e(h_{ijk} \cdot U_i,\ P_{pub})\; e(h_{ijk} \cdot P_i,\ P_{rsu_i}) \\
&= e(PS1_j \cdot T_j + h_{ijk} \cdot U_i,\ P_{pub})\; e(h_{ijk} \cdot P_i,\ P_{rsu_i})
\end{aligned}
$$

1j + h_ijk·U_i, P_pub) e(h_ijk·P_i, P_rsu) = e(k_j·Q_i·t_1j + h_ijk·U_i, P_pub) e(h_ijk·P_i, P_rsu)
The above equation holds for a valid signature; otherwise, S_2 aborts. If the equation holds, i.e. if S_2 does not abort, then the signature on $(ID^*_i, x^*_i, PS^*_i)$ from the list L.
It sets $V^*_i = \alpha_i \cdot P_{pub}$, then e(V*_i
S updates P_i to P_i by invoking a ReplacePublicKey query. Then, S defines the hash value H_2(m*
After this, S computes P*
*, V*) is a valid signature for identity $ID^*_k$ on message m*
* + PS1*_k·t*_1k, P_pub) e(w*_k·P*_k, P_rsu) = e(w*_k

Tab. 1: Comparison of the proposed scheme with the other four schemes