Efficient Certificate-Less Aggregate Signature Scheme with Conditional Privacy-Preservation for Vehicular Ad Hoc Networks Enhanced Smart Grid System

Vehicular ad hoc networks (VANETs), a spontaneous wireless communication technology for vehicles, have a wide range of applications such as road safety, navigation and other electric car technologies; however, their practicability is greatly hampered by cyber-attacks. Because messages are broadcast in an open environment during communication, VANETs are inherently vulnerable to security and privacy attacks. Addressing these cyber-security issues with optimal computation overhead remains a current security research challenge. This paper therefore designs a secure and efficient certificate-less aggregate scheme (ECLAS) for VANETs applicable in a smart grid scenario. The proposed scheme is based on elliptic curve cryptography and provides conditional privacy-preservation by using time-validated pseudo-identification for communicating vehicles, besides solving the KGC (Key Generation Center) escrow problem. As shown by the performance evaluation, the proposed scheme is more efficient than relevant related research work because it precludes expensive computation operations like bilinear pairings. Similarly, its communication cost is within the ideal range relative to most related works while meeting the security requirements of a VANETs system applicable in a smart grid environment.


Introduction
Major advances in wireless sensor networks (WSN), the Internet of Things (IoT) and the advent of the big data paradigm have given rise to various network-based advancements in cross-cutting technologies, such as VANETs, which support wireless communication among vehicles and road sign units (RSUs) for numerous applications like traffic safety, location-based services, electric vehicles (EVs) and electricity exchange services, among others [1][2][3][4][5][6]. The smart grid is one such technology whose functionality is motivated by the development of WSN and IoT. EV technology will raise power consumption to a level that a traditional electricity grid cannot sustain [7]. An obvious solution to EVs' electricity demands is a VANETs-enhanced smart grid with a coordinated charging system that uses communication technologies to respond efficiently to cost and electricity utilization [8,9]. Thus, it is recommended that algorithms for security, authentication, information processing and data aggregation be of high precision and efficiency, to allow low communication latency for real-time pricing and optimal electricity dispatch decisions in a VANETs-enhanced smart grid system [10,11]. The concept of VANETs is an advancement of mobile ad hoc networks (MANETs) in which there is real-time communication between EVs and RSUs for electricity charging/discharging [7,12,13]. Typically, the topology of VANETs includes trusted
• Non-repudiation: Any electric vehicle transaction has economic value, and this can motivate fraudulent acts by the entities selling or buying electricity. Non-repudiation therefore ensures that any electricity transaction can be accounted for to the involved parties and that a party cannot deny any modification.
• Message integrity and authentication: Similarly, a network transaction, once completed, cannot be modified by any malicious entity, and any attempt to tamper with the transaction should be detectable by any legal entity of the system.
• Privacy: Neither the actual identity of a consumer nor the information of a transaction in the network should be known by any malicious party eavesdropping on the communications of a particular targeted entity.
• Unlinkability: By observing the transactions in the VANETs network, it should still not be possible to analyse an entity's activities and associate them with a particular RSU or vehicle. That is, messages travelling on the network for any participant should look random to an attacker, and nothing associated with the participant should be determinable.
• Traceability: However, undesirable conduct of an entity in the network should be traceable and accounted for against the individual. On the other hand, the vehicle should be hidden or inaccessible from other unauthorized entities.
• Resistance to Attacks: Because communication takes place over a public channel, a V2G security scheme must withstand various general attacks in VANETs, such as impersonation, replay, modification, man-in-the-middle and stolen verifier table attacks.
Therefore, we propose a novel anonymous certificate-less aggregate signature scheme for VANETs with conditional privacy-preservation in a smart grid system that addresses common weaknesses of most existing certificate-less aggregate signature schemes. The main contributions of the paper can be summarized as follows:
• The proposed scheme achieves user anonymity with conditional privacy, such that each domain stores a Certificate Revocation List (CRL) in all road sign units located in that particular domain.
• The proposed scheme achieves optimal efficiency for a certificate-less aggregate signature while precluding complex cryptographic operations like bilinear pairings and map-to-point hash operations.
• The proposed scheme withstands the escrow powers of the KGC by using a partial private key and a user-generated full private key for signing.
The rest of the paper is organized as follows. Section 2 reviews the most relevant related works on CLAS schemes for VANETs. Section 3 provides the mathematical building blocks for the proposed scheme. Section 4 gives the detailed steps of the proposed work. Section 5 presents an in-depth analysis of the scheme in terms of security, privacy and performance assessment. Finally, in Section 6 we give concluding remarks about the proposed scheme.

Related Works and Limitations
In VANETs, the source authentication and message integrity of traffic-related information form a very important security requirement of the system. Satisfying these security requirements ensures the trust and proper functionality of all the versatile technologies that come with a VANETs system, by securing moving vehicles, RSUs, application servers, and roadside sensors. To this end, much research has been done to provide the needed security for such an emerging smart city technology [24].
The key management problem posed by the certificate-based PKI cryptosystem paved the way for the pioneering work on a certificate-less public key signature (CL-PKS) scheme by Al-Riyami and Paterson [31]. This idea attracted much research interest in improving security and performance. In [32], Yum and Lee presented a general procedure to construct a CL-PKS scheme from any ID-based signature scheme. The first CL-PKS scheme was bilinear pairing based and was proposed by Li et al. in [33]. In [34], Au et al. presented a new security model for CL-PKS schemes which considers an inside attack scenario. The first bilinear-pairing-free CL-PKS scheme was proposed by He et al. in [35], and it was found to be vulnerable to other attacks in [36]. In [37] a scheme ideal for IoT deployment was proposed; however, it was found in [38] to bear some flaws concerning inside attacks performed by the KGC. To provide the needed security property of anonymous authentication, the idea of pseudonym-based authentication was employed in [39,40]. Despite providing privacy preservation, this approach overburdens the TA, which has to store the pseudonyms for each vehicle; this is its shortfall. The authors of [41], having foreseen the problem of an overburdened TA, designed a scheme using anonymous certificates, but this was done at the expense of interactions between the infrastructures. In [42], privacy protection for VANETs communications was achieved based on the technique of ID-based ring signatures, but the scheme failed to provide conditional privacy, since there was no tracking mechanism in the algorithm [43]. Many more researchers demonstrated the need to formulate robust schemes in terms of security and privacy protection. To this end, Bayal et al. [44] proposed an anonymous authentication scheme; however, it is deemed computationally intensive in [45]. In [46], Cui et al. proposed a scheme that utilizes a cuckoo filter and binary search to facilitate batch verification for V2V and V2I vehicular communication. He et al. [17] designed an ECC-based certificate-less signature scheme for VANETs with a batch verification feature. However, Mahmood et al. [31] state that their scheme is still vulnerable to side-channel attacks, since some sensitive information like the TA's master private key is stored in tamper-proof devices (TPD). A scheme in [47] uses pseudonyms instead of real identities in trying to secure VANETs communications. The scheme in [47] achieves efficiency and provides batch verification but falls short of providing all security requirements, such as unlinkability.

Preliminaries
We now formalize the background knowledge of the building blocks for the proposed scheme. The notations used in the designed algorithm are given and described in Table 1. ECC is a public key cryptosystem based on elliptic curve theory, and it has the advantage of being a structure for faster and more efficient cryptosystems with robust security. ECC cryptosystems have low computational requirements; hence they are viable for securing resource-constrained network systems that require seamless and real-time operations, like IoT and SG systems [48].

Meanings of Symbols in the Scheme
Symbol: Meaning
$p, q$: Two large primes
$E$: The chosen elliptic curve
$F_p$: The prime field of an elliptic curve $E$ of order $p$
$P$: The generator of $E(F_p)$ with large prime order $q$
$G$: A cyclic group generated by a point $P$ on a non-singular
$vsk_i, vpk_i$: Secret key and public key for $V_i$
$sk_i$: Full private key for $V_i$
$T_i$: Validity period for the pseudo-identity $ID_i$ for $V_i$
$RID_i$: A real identity for the vehicle $V_i$
$(P_{pub}, \alpha)$: KGC's public key and master key respectively
$(T_{pub}, \beta)$: TRA's public key and master key respectively
$M_i$: Traffic-related message generated by $V_i$
$t_i$:

Elliptic curve: Given a prime number $q$, the equation $y^2 = x^3 + ax + b \bmod p$ defines an elliptic curve over a prime field $E(F_p)$, where $p > 3$, $a, b \in F_q$ and $\Delta = 4a^3 + 27b^2 \neq 0 \bmod p$. The points on $E(F_p)$ together with the point at infinity $O$ form an additive cyclic group $G$. Let $P$ be the generator point of order $n$; the scalar multiplication operation is defined as $nP = P + P + \cdots + P$ ($n$ times addition), where $n \in Z_q^*$ is a positive integer. There are a number of intractable problems in an elliptic curve group $G$ of order $n$ that are suitable for cryptographic purposes, as no known algorithm solves them within probabilistic polynomial time.
Elliptic Curve Discrete Logarithm (ECDL) Problem: Given an element $Q \in G$, the ECDL problem is to extract an element $x \in Z_q^*$ such that $Q = xP$.
Elliptic Curve Computational Diffie-Hellman (ECCDH) Problem: Given two elements $xP, yP \in G$, with unknown elements $x, y \in Z_q^*$, the ECCDH problem is to compute $Q = xyP$.

System Model
In terms of the communication process, the VANETs architecture is categorized into two layers, namely the physical layer and the application layer. The physical layer comprises the vehicles and the RSUs situated at designated points of the road. Vehicles on the roads are equipped with OBUs as communication-enabling devices to connect with other vehicles, RSUs or other advanced smart city facilities [49]. The OBU is equipped with a TPD to secure stored sensitive information like the secret key, and with the global positioning system (GPS). As such, the vehicle is able to securely carry out advanced VANETs communications in smart cities, including V2X, V2V and V2I, which are enabled by a dedicated short range communication (DSRC) protocol specifically identified as IEEE 802.11p. The application layer, on the other hand, comprises the key generation center (KGC) and the tracing authority (TRA) application server, which are the major components undertaking the TA roles in a conditional privacy-preserving VANETs-based system. The design and interplay of these main entities in the system is illustrated in Figure 1, where close-range networks are facilitated by wireless communication technology such as IEEE 802.11p, and mid-way network communication is aided by long-range, high-bandwidth communication technology such as WiMax. The backbone network, in turn, runs over wired communication, which is mostly assumed to be secure as it is controlled by the public utility company. It is the wireless communication that must be secured by a security algorithm that ensures authentication and integrity on all communications among the concerned entities. The TRA is the authority responsible for RSUs and for issuing pseudo-identities to vehicles, and it can revoke real identities whenever necessary. In a like manner, the KGC is responsible for generating public and partial private keys for both RSUs and vehicles.
In VANETs schemes, it is usually assumed that the KGC and TRA are trusted parties and hence assumed honest but curious [50]. Both the KGC and the TRA have sufficient computation power, whereas the OBUs and RSUs have limited computation and storage capabilities, with the RSUs being the more powerful of the two [23,29,51]. However, OBUs and RSUs are not trusted entities, and therefore any communication originating from them must be authenticated. This motivates the design of security protocols for VANETs with computation requirements suitable for OBUs and RSUs.

Security Model for CLAS Scheme
As first proposed in [31], in CLAS we assume two types of adversaries, termed Type 1 Adversary, $A_1$, and Type 2 Adversary, $A_2$. Here, $A_1$ acts as a dishonest user and $A_2$ acts as a malicious KGC.
Type 1 Adversary: The $A_1$ adversary does not control the master key but is allowed to replace public keys at will, with any value of its choice.
Type 2 Adversary: The $A_2$ adversary has access to and controls the master key but cannot replace the public keys of users.
The classical security model proposed by Zhang et al. [52] presents an adversarial model for certificate-less key agreement schemes. The model is defined as a game between a challenger, $C$, and an adversary defined by a probabilistic polynomial-time Turing machine, $A \in \{A_1, A_2\}$. $A$ has full control of the communication channel of all parties; parties only respond to queries from $A$ and cannot communicate directly with each other. As the controller of the communication channel, $A$ can actively relay, modify, delay, interleave and delete all the messages flowing in the system.

The Proposed Certificate-Less Aggregate Signature Scheme
In this section, we explain the scheme design for the VANETs-integrated smart grid system, titled Efficient Certificate-less Aggregate Signature Scheme with Conditional Privacy-Preservation for Vehicular Ad Hoc Networks Enhanced Smart Grid System. For easy referencing, the scheme is termed ECLAS. The proposed scheme consists of eight algorithms: Set-up, Pseudo-Identity Generation, Partial-Private Key Extraction, Vehicle-Key Generation, Sign, Individual Verify, Aggregate and Aggregate Verify, which are explained in detail as follows.

1. Set-up
In this phase, the TA, comprising two mutually exclusive principal parts, the TRA and the KGC, initializes the system by generating the system parameters.
• The TA takes as input the security parameter $1^k$; the algorithm outputs two large prime numbers $p, q$ and a non-singular elliptic curve defined by
• The KGC sets a point $P$ from $E$ and with this point generates a group $G$ of order $q$. Then the KGC randomly selects a number $\alpha \in Z_q^*$ and sets it as its master secret, with its corresponding public key computed as $P_{pub} = \alpha P$.
• Similarly, the TRA selects a point $P$ on $E$ and with it generates a group $G$ of order $q$. Further, the TRA chooses a random number $\beta \in Z_q^*$ and computes its public key $T_{pub} = \beta P$, while setting $\beta$ as its master secret key, which is used for traceability and is known to the TRA only.
• All these principal entities (TA, KGC and TRA) choose three hash functions,
Then the system public parameters $params = \{P, p, q, E, G, H_1, H_2, H_3, P_{pub}, T_{pub}\}$ are published. These params are then preloaded in the tamper-proof communicating devices and RSUs of the system.

2. Pseudo-Identity-Generation\Partial-Private-Key-Extraction
In this phase, the TRA's responsibility is to generate pseudo-identities for the vehicles, while the KGC's responsibility is to create the partial private keys corresponding to the pseudo-identities. Thus, all vehicles under a TA are finally registered and preloaded with their pseudo-identities and partial private keys. By using pseudo-identities that are closely linked to the real identities, the proposed scheme achieves conditional privacy-preservation: when it is necessary to revoke the real identity of an entity, the TRA is able to do so. The process of pseudo-identity generation and linkage with the partial private key is executed by the TRA and KGC sequentially as follows:
• A vehicle, $V_i$, with its unique real identity denoted as $RID_i$, selects a random number $k_i \in Z_q^*$ and calculates $PID_1 = k_i P$. Then the vehicle $V_i$ sends $(RID_i, PID_1)$ to the TRA through a secure channel.
• The TRA first checks the $RID_i$; if it is acceptable, then it calculates,
it is sent to the vehicle and KGC through a secure channel. During revocation the TRA obtains the real identity by computing
• Upon receipt of the pseudo-identity $ID_i$, the KGC chooses a random number $d_i \in Z_q^*$, computes $Q_{ID_i} = d_i P$, and then computes the partial private key, $psk_i$, for the vehicle $V_i$ as
The KGC then sends the pseudo-identity and partial private key $(Q_{ID_i}, psk_i)$ to the vehicle $V_i$ through a secure channel.
The vehicle is able to check the authenticity of the pseudo-identity and the partial private key received from the KGC by verifying whether $psk_i$ .
Conditional privacy-preservation is enhanced in the design by combining the secret contributions of the vehicle $V_i$ itself and of the TRA. It is designed in such a way that the TRA is able to revoke the real identity of the vehicle when needed. Finally, the pseudo-identity and the partial private key are stored in the tamper-proof device in the vehicle.

3. Vehicle-Key-Generation
The vehicle $V_i$ randomly selects a secret value $x_i \in Z_q^*$ as its secret key, denoted $vsk_i$, and then calculates its corresponding public key $vpk_i = x_i P$. Then $V_i$ sets the full private key as $sk_i = x_i + psk_i$.

4. Sign
The message signature upholds the authentication and integrity of the message for the receiver, who performs the verification. The vehicle $V_i$ selects one of its stored pseudo-identities, $ID_i$, and picks the latest timestamp, $t_i$. With the signing keys $(psk_i, sk_i)$ and the traffic-related message $M_i$, the vehicle $V_i$ carries out the following steps to produce a signature.
• Selects a random number $r_i \in Z_q^*$ and computes $R_i = r_i P$, and then $V_i$ computes,
Here $\sigma_i$ is the computed certificate-less signature on the traffic-related data $M_i$ for the latest timestamp $t_i$ and identification $ID_i$.
• Then the final message that $V_i$ sends to nearby RSUs and vehicles for verification .
These steps are carried out every time $V_i$ sends a message to an RSU.

5. Individual Verify
On receipt of the certificate-less signature $\sigma_i = (R_i, S_i)$ on the traffic-related data $M_i$, timestamped at $t_i$ and signed by the vehicle, along with its public key $vpk_i$, if the received $T_i$ in $ID_i$ and $t_i$ are both valid, then the RSU performs the following procedures.
• Computes and
• Verifies whether holds or not.
The RSU accepts the certificate-less signature if the verification holds. The correctness check works since $P_{pub} = \alpha P$. Thus the computation proceeds as follows:
However, to save computation cost, it is recommended to do data aggregation and batch verification on the signatures from the network environment of a particular RSU.

6. Aggregate
Each RSU is an out-posted aggregate signature generator that collects individual certificate-less signatures into a single verifiable one. The components come from an aggregating set $V$ of $n$ vehicles, $\{V_1, V_2, \cdots, V_n\}$, whose corresponding pseudo-identities are $\{ID_1, ID_2, \cdots, ID_n\}$, with public keys $\{vpk_1, vpk_2, \cdots, vpk_n\}$ and message-signature pairs ($M_1$,
The RSU, or an application server for the traffic control center for instance, computes the sum $S = \sum_{i=1}^{n} S_i$ and outputs an aggregate certificate-less signature as $\sigma = (R_1, S_1), (R_2, S_2), \cdots, (R_n, S_n)$, for $i = 1, 2, \cdots, n$.

7. Aggregate Verify
On receipt of the certificate-less aggregate signature $\sigma$ from $n$ vehicles $\{V_1, V_2, \cdots, V_n\}$ whose pseudo-identities are $\{ID_1, ID_2, \cdots, ID_n\}$, with corresponding public keys $\{vpk_1, vpk_2, \cdots, vpk_n\}$ and the traffic-related messages $\{M_1 \| t_1, M_2 \| t_2, \cdots, M_n \| t_n\}$, the RSU or the application server carries out the following procedures if both $T_i$ in $ID_i$ and $t_i$ are checked to be valid.
and for $i = 1, 2, \cdots, n$
• RSU verifies if the computation holds,
If the verification holds, then the RSU accepts the aggregate certificate-less signature. The computation is valid by the correctness check, since $P_{pub} = \alpha P$,
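The ECLAS steps above, as an added Python example that is not the authors' code: TRA pseudo-identity issue and tracing, KGC partial-key extraction, signing, and individual and aggregate verification. Assumptions: secp256k1, SHA-256 for $H_1$, $H_2$, $H_3$, integer timestamps with $T_i$ as an expiry time, hypothetical function names, and the signing equation $S_i = h_3 r_i + sk_i \bmod q$ with a summed aggregate check, both chosen to satisfy the relation $sP = h_3 R + Q_{ID} + vpk_i + h_2 P_{pub}$ used in the proof of Theorem 2; the arithmetic is not constant-time.

```python
import hashlib, secrets

# secp256k1 (assumption: the page fixes no curve). Toy arithmetic, not constant-time.
FP = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):  # affine point addition; None is the point at infinity O
    if A is None: return B
    if B is None: return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % FP == 0:
        return None
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, FP) % FP
    else:
        lam = (y2 - y1) * pow((x2 - x1) % FP, -1, FP) % FP
    x3 = (lam * lam - x1 - x2) % FP
    return (x3, (lam * (x1 - x3) - y1) % FP)

def mul(k, A):  # double-and-add scalar multiplication k*A
    R, k = None, k % N
    while k:
        if k & 1:
            R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def enc(*parts):  # length-prefixed encoding, so "||" is unambiguous
    out = b""
    for p in parts:
        if isinstance(p, tuple):
            p = p[0].to_bytes(32, "big") + p[1].to_bytes(32, "big")
        elif isinstance(p, int):
            p = p.to_bytes(32, "big")
        out += len(p).to_bytes(2, "big") + p
    return out

def H(tag, *parts):  # H2 / H3 modelled as SHA-256 reduced mod q (assumption)
    return int.from_bytes(hashlib.sha256(tag + enc(*parts)).digest(), "big") % N

def rand():  # uniform element of Z_q^*
    return secrets.randbelow(N - 1) + 1

def tra_mask(beta, T_pub, PID1, T, data):
    """XOR data with H1(beta*PID1 || T_i || T_pub): RID -> PID2, and PID2 -> RID."""
    mask = hashlib.sha256(b"H1" + enc(mul(beta, PID1), T, T_pub)).digest()
    return bytes(a ^ b for a, b in zip(data.ljust(32, b"\0"), mask))

def tra_trace(beta, T_pub, ID):  # TRA only: needs the master key beta
    return tra_mask(beta, T_pub, ID[0], ID[2], ID[1]).rstrip(b"\0")

def kgc_extract(alpha, ID):
    """KGC: Q_ID = d*P and psk = d + H2(ID || Q_ID)*alpha mod q."""
    d = rand()
    Q = mul(d, G)
    return Q, (d + H(b"H2", *ID, Q) * alpha) % N

def partial_key_ok(ID, Q, psk, P_pub):  # psk*P == Q_ID + h2*P_pub
    return mul(psk, G) == add(Q, mul(H(b"H2", *ID, Q), P_pub))

def sign(sk, ID, vpk, M, t):
    """Assumed signing equation: R = r*P, S = h3*r + sk mod q."""
    r = rand()
    R = mul(r, G)
    return R, (H(b"H3", M, *ID, vpk, R, t) * r + sk) % N

def aggregate_verify(items, P_pub, now, max_age=5):
    """items: (ID, Q_ID, vpk, M, t, (R, S)); checks
    (sum S_i)*P == sum(h3_i*R_i + Q_ID_i + vpk_i) + (sum h2_i)*P_pub."""
    S, rhs, h2_sum = 0, None, 0
    for ID, Q, vpk, M, t, (R, Si) in items:
        if now > ID[2] or not 0 <= now - t <= max_age:
            return False  # expired pseudo-identity (T_i) or stale timestamp (t_i)
        S = (S + Si) % N
        h2_sum = (h2_sum + H(b"H2", *ID, Q)) % N
        rhs = add(rhs, add(mul(H(b"H3", M, *ID, vpk, R, t), R), add(Q, vpk)))
    return mul(S, G) == add(rhs, mul(h2_sum, P_pub))

def verify(ID, Q, vpk, M, t, sig, P_pub, now):  # individual verify is the n = 1 case
    return aggregate_verify([(ID, Q, vpk, M, t, sig)], P_pub, now)

def demo(now=1000):
    """Constructed run: one TRA, one KGC, three vehicles with made-up RIDs."""
    alpha, beta = rand(), rand()
    P_pub, T_pub = mul(alpha, G), mul(beta, G)
    items = []
    for i in range(3):
        PID1, T = mul(rand(), G), now + 3600
        ID = (PID1, tra_mask(beta, T_pub, PID1, T, b"RID-%d" % i), T)
        Q, psk = kgc_extract(alpha, ID)
        x = rand()  # vehicle secret vsk; full key sk = x + psk
        vpk, M = mul(x, G), b"charge request %d" % i
        items.append((ID, Q, vpk, M, now, sign((x + psk) % N, ID, vpk, M, now)))
    return alpha, beta, P_pub, T_pub, items
```

`demo()` returns constructed keys and three signed messages; a changed message, a stale `now`, or a signature made with `psk` alone makes verification return `False`.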

Analyses
In what follows, we give a formal security proof and a security and privacy-preservation analysis, and then present the performance evaluation of the proposed ECLAS scheme with conditional privacy-preservation for a VANETs-enhanced smart grid.

Security Proof
In this section, we provide a security proof for the proposed ECLAS scheme for VANETs. We assume the security model for CLAS schemes in which there are two types of adversaries, Type 1 Adversary and Type 2 Adversary, as described in the security model for the CLAS scheme.

Theorem 1.
Under the assumption that the ECDL problem in $G$ is intractable, the proposed scheme ( , $t, q_c, q_s, q_h$) is secure against adversary 1 in the random oracle model, where $q_c, q_s, q_h$ are the Create, Sign and Hash queries, respectively, which the adversary is allowed to make.
Proof. Suppose there is a probabilistic polynomial-time adversary $A_1$; we construct an algorithm $F$ that solves the ECDL problem by utilizing $A_1$. Assume that $F$ is given an ECDL problem instance $(P, Q)$ to compute $x \in Z_q^*$ so that $Q = xP$. $F$ chooses a challenging identity $ID^*$ for the identity $ID$ to answer any random queries from $A_1$ as follows:
• Set-up (ID) Query: The challenger $F$ selects its random numbers $\alpha^*$ and $\beta^*$ as its master keys, with corresponding public keys $P^*_{pub} = \alpha^* P$ and $T^*_{pub} = \beta^* P$, then sends the system parameters $\{P, p, q, E, G, H_2, H_3, P^*_{pub}, T^*_{pub}\}$ to $A_1$.
• Create (ID) Query: $F$ stores the hash list $L_C$ of the tuple $(ID, Q_{ID_i}, vpk_i, psk_i, sk_i, h_2)$. Whenever the adversary $A_1$ makes a query for $ID$, and if the $ID$ is contained in $L_C$, then $F$ returns $(ID, Q_{ID_i}, vpk_i, psk_i, sk_i, h_2)$ to $A_1$. Then $F$ executes the oracle as follows. If $ID = ID^*$, $F$ randomly chooses the values $a, b, c \in Z_q^*$ and sets $Q_{ID} = a P^*_{pub} + b P$, $vpk_i = c P$, $psk_i = b$, $sk_i = c$, $h_2 = H_2(ID \| Q_{ID}) \leftarrow a \bmod q$; then $F$ adds $(ID, Q_{ID}, h_2)$ to the list $L_{H_2}$ and returns $(ID, Q_{ID_i}, vpk_i, psk_i, sk_i, h_2)$ to $A_1$.
as the equation $psk_i P = Q_{ID} + h_2 P^*_{pub}$, thereby implying that the partial private key is valid.
• $H_2$ Query: Whenever an $H_2$ query with $(ID, Q_{ID})$ is made, and $ID$ is already in the hash list $L_{H_2}$, then $F$ replies with the corresponding $h_2$. Otherwise, $F$ runs Create(ID) to obtain $h_2$ and then sends $h_2$ to $A_1$.
• Partial-Private-Key-Extract (ID) Query: If $ID^* = ID$, then $F$ aborts the game. Otherwise, $F$ looks in the hash list $L_C$; if $ID$ is found in the list, then $F$ returns $psk_i$ to $A_1$. If $ID$ is not in the list $L_C$, $F$ executes a Create(ID) query to obtain $psk_i$ and sends it to $A_1$.
• Sign (ID, m) Query: $A_1$ makes a sign query on $(ID, m)$. Once $ID$ is on the list $L_R$, $F$ chooses random numbers $a, b, c \in Z_q^*$, sets $s = a$, $R = P$, $h_3 = H_3(m \| ID \| vpk_i \| R \| t) \leftarrow (a - b - c) \bmod q$, and then inserts $(m, ID, R, vpk_i, t, h_3)$ into the list $L_{H_3}$. The resultant signature is $(R, s)$; if $ID$ is not in the list $L_R$, then $F$ acts according to the scheme's procedure.
As a result, $A_1$ produces a forged signature $\sigma = (R, s^{\{1\}})$ on the message $(ID, m)$ which passes the verification process. If $ID = ID^*$, $F$ aborts the process. $F$ keeps on challenging $A_1$ until it responds to the $H_3$ query. $A_1$ will be prompted to generate another valid signature $\sigma = (R, s^{\{2\}})$ by using the same $R$. Thus we have:
where $i = 1, 2$. By solving the two linear equations we obtain the value of $r$ by
similarly, with continuous querying, $H_2$ will allow computation of $x$.

Probabilistic Analysis:
The simulation of Create(ID) queries fails when the random oracle assignment $H_2(ID \| Q_{ID})$ causes an inconsistency, which happens with probability at most $\frac{q_h}{q}$. The probability of successful simulation $q_c$ times is at least $(1 - \frac{q_h}{q})^{q_c} \geq 1 - \frac{q_h q_c}{q}$. Similarly, the simulation is successful $q_h$ times with probability at least $(1 - \frac{q_h}{q})^{q_h} \geq 1 - \frac{q_h^2}{q}$, and $ID = ID^*$ with probability $\frac{1}{q_c}$. Thus, overall the probability of successful simulation is

Theorem 2.
Under the assumption that the ECDL problem in $G$ is intractable, the proposed scheme ( , $t, q_c, q_s, q_h$) is secure against adversary 2 in the random oracle model, where $q_c, q_s, q_h$ are the Create, Sign and Hash queries, respectively, which the adversary is allowed to make.
Proof. Suppose there is a probabilistic polynomial-time adversary $A_2$; we construct an algorithm $F$ that solves the ECDL problem by utilizing $A_2$. Assume that $F$ is given an ECCDH problem instance $(P, Q)$ to compute $x, y \in Z_q^*$ so that $Q = xyP$. $F$ chooses a challenging identity $ID^*$ for the identity $ID$ to answer any random queries from $A_2$ as follows:
• Set-up (ID) Query: The challenger $F$ selects its random numbers $\alpha^*$ and $\beta^*$ as its master keys, with corresponding public keys $P^*_{pub} = \alpha^* P$ and $T^*_{pub} = \beta^* P$, then sends the system parameters $\{P, p, q, E, G, H_2, H_3, P^*_{pub}, T^*_{pub}\}$ to $A_2$.
• Create (ID) Query: $F$ stores the hash list $L_C$ of the tuple $(ID, Q_{ID_i}, vpk_i, psk_i, sk_i, h_2)$. Whenever the adversary $A_2$ makes a query for $ID$, and if the $ID$ is contained in $L_C$, then $F$ returns $(ID, Q_{ID_i}, vpk_i, psk_i, sk_i, h_2)$ to $A_2$. If $ID = ID^*$, $F$ randomly selects $a, b \in Z_q^*$ and computes $Q_{ID} = aP$, $vpk_i = Q$, $h_2 = H_2(ID \| Q_{ID}) \leftarrow b$, $psk_i = a + x h_2$, $sk_i = \perp$. If $ID \neq ID^*$, $F$ randomly selects $a, b, c \in Z_q^*$ and computes $Q_{ID} = aP$, $vpk_i = bP$, $h_2 = H_2(ID \| Q_{ID}) \leftarrow c$, $psk_i = a + x h_2$, $sk_i = b$. Then $F$ responds to the query with $(ID, Q_{ID_i}, vpk_i, psk_i, sk_i, h_2)$ and appends $(ID, Q_{ID}, h_2)$ to the hash list $L_{H_2}$.
• $H_2$ Query: Whenever the adversary $A_2$ makes an $H_2$ query with $(ID, Q_{ID})$, and $ID$ is already in the hash list $L_{H_2}$, then $F$ replies with the corresponding $h_2$. Otherwise, $F$ runs Create(ID) to obtain $h_2$ and then sends $h_2$ to $A_2$.
• Partial-Private-Key-Extract (ID) Query: Upon receipt of the query on $ID$, $F$ checks the hash list $L_C$; if $ID$ is found in the hash list, $F$ returns $psk_i$ to $A_2$. If $ID$ is not in the hash list $L_C$, $F$ executes a Create(ID) query to obtain $psk_i$ and sends it to $A_2$.
, and returns the signature $(R, s)$. If the verification $sP = h_3 R + Q_{ID} + vpk_i + h_2 P^*_{pub}$ holds, then the signature is valid.
As a result, $A_2$ produces a forged signature $\sigma = (R, s^{\{2\}})$ on the message $(ID, m)$ which passes the verification process. If $ID = ID^*$, $F$ aborts the process. $F$ keeps on challenging $A_2$ until it responds to the $H_3$ query. $A_2$ will be prompted to generate another valid signature $\sigma = (R, s^{\{2\}})$ by using the same $R$. Thus we have:
where $i = 1, 2$. By solving the two linear equations involving $r$ and $y$ as variables, we can derive the value of $y$ as an output of the ECDL problem.

Security and Privacy-Preservation Analyses
This part discusses the security and privacy-preservation features satisfied by the proposed scheme, specifically anonymity (identity privacy), message authentication, data integrity, traceability, unlinkability and resistance to attacks.
• Anonymity: In the proposed scheme the vehicle's identification $ID_i$ is not the real identification $RID_i$, but rather a pseudo-identity offered by the TRA for the purpose of achieving conditional privacy of the vehicle in VANETs. The only way for an adversary or any malicious party to obtain the real identity is by computing . Without knowledge of the TRA's master private key $\beta$, no other party can learn the vehicle's real identity $RID_i$, since $\beta$ is required to calculate $H_1(\beta PID_1 \| T_i \| T_{pub})$. This is infeasible for an adversary, since the extraction of $\beta$ from $T_{pub} = \beta P$ involves the intractable ECDL problem. Therefore, user identity privacy-preservation is satisfied.
• Message Integrity and Authentication: By virtue of signing a message before broadcasting, the legitimate user's authenticity is verified. Based on the ECDLP assumption the authenticity and integrity of the message ($ID_i$, , no malicious party can forge $\sigma_i = (R_i, S_i)$, whose formulation needs knowledge of the full private key $sk_i = x_i + psk_i$; this achieves message integrity and authentication.
• Traceability: Although the vehicle is identified by a pseudonym, in necessary circumstances the real identity of a particular vehicle can be mapped back from the pseudonym. For instance, the pseudo-identity of a vehicle is $ID_i = (PID_1 \| PID_2 \| T_i)$ and the TRA can revoke the real identity by calculating $PID_2 = RID_i \oplus H_1(\beta PID_1 \| T_i \| T_{pub})$. As such, once a vehicle is flagged as questionable, the TRA is able to trace its true identity and carry out whatever procedures are necessary to curb any kind of malpractice. Once this is done, the TRA records the real identity $RID_i$ on the revocation list of the system, and as a result the vehicle cannot use its corresponding pseudo-identity $ID_i$.
to others has the component $PID_1 = k_i P$, where $k_i \in Z_q^*$ is randomly generated for any particular message transmitted. Since $PID_1$ is also a component of pseudo-identity generation, the randomness in $PID_1$ results in the randomness of the publicized pseudo-identity $ID_i$; hence, any two individual captures of the pseudo-identity $ID_i$ for $V_i$ still seem random and unrelated to the real identity $RID_i$ in the eyes of eavesdroppers. Because the identification is anonymous and distinct, captured signatures cannot be linked to a previously captured identity nor to a particular true signer. Thus, any communication is seen as random and new in the prying eyes of an adversary and has no relationship to previous communications from which an eavesdropper could learn any useful information.

• Resistance to Attacks: At this point we demonstrate how the proposed ECLAS scheme resists the main common attacks, such as replay attack, modification attack, impersonation attack, and stolen verifier attack.
- Replay Attack Resilience: In the message $(ID_i, Q_{ID_i}, vpk_i, M_i, t_i, \sigma_i)$ the timestamp $t_i$ helps in checking replay attacks. The recipients, RSUs or vehicles, have to check the freshness of the message, and once the timestamp is invalid the message is discarded. As such the proposed scheme, ECLAS, resists replay attacks.
- Modification Attack Resilience: In the scheme a valid message $\cdot P_{pub}$ which simultaneously authenticates the sender, $V_i$, and the TA side of TRA and KGC. Therefore, the proposed ECLAS scheme stands against modification attack.
- Impersonation Attack Resilience: It is not feasible for an attacker to launch a successful impersonation on the message $(ID_i, Q_{ID_i}, vpk_i, M_i, t_i, \sigma_i)$ that can pass verification as if it was generated by a legal user $V_i$. It is impossible for an attacker to obtain the KGC's master key $\alpha$ and the user's private key $x_i$ from the publicly accessible parameters, as this would involve solving the intractable problems of ECDLP and ECCDHP from $vpk_i = x_i P$ and $P_{pub} = \alpha P$.
- Stolen Verifier This is due to the fact that the vehicle adds a secret value $x_i$ to the partial private key $psk_i$ when computing its full private key $sk_i = x_i + d_i + H_2(ID_i \| Q_{ID_i})\alpha$, which is used for signing messages. To this effect, although the TRA knows the master key $\beta$ and the KGC knows the master key $\alpha$ for the system, they cannot forge messages to masquerade as $V_i$ illegally. Thus, the proposed ECLAS scheme withstands key escrow attacks.

Now we present a comparison of ECLAS with recent related works in terms of the security features satisfied. Table 2 provides the results of the comparison, with the features coded as SF-1, SF-2, SF-3, SF-4, SF-5, SF-6 to denote integrity and authentication, anonymity, traceability and revocability, unlinkability, key escrow problem and resistance to common attacks, respectively. In Table 2 the symbol denotes satisfaction whereas , denotes non-satisfaction of the security feature. As shown by the comparison table, the schemes in [47,53,54] fall short of fulfilling some of the features.

Performance Evaluation
In this section, we present the performance analysis of the proposed ECLAS scheme against related research on the features that give merit to the proposed scheme. The performance comparison is discussed in terms of computation cost analysis and communication cost analysis. We assess the computation cost of the proposed work against other related works by adopting the method presented in [17]. In [17] a bilinear pairing at the 80-bit security level is created as : $G_1 \times G_2 \to G_T$. Here we consider $G_1$ as an additive group of order $q$ defined on a super-singular elliptic curve $E: y^2 = x^3 + x \bmod p$ of embedding degree 2. The recommended security parameter length for $q$ and Solinas prime number $p$ are taken as 512 bits and 160 bits, respectively.
For convenience, we define the notations for the execution time of the different cryptographic computations in the schemes under discussion as portrayed in Table 3. We borrow the execution times directly from [17], which were evaluated using the MIRACL cryptographic library, to assess the efficiency of the schemes. Very light operations, like the addition operation in $Z_q^*$ and the multiplication operation in $Z_q^*$, will not be considered. The notations for the various computation operations are as follows.

• $T_{bp}$: Denotes execution time for bilinear pairing operation defined as $e(P, Q)$, where $P, Q \in G_1$.
• $T_{bp.m}$: Denotes execution time for scalar multiplication operation $x \cdot P$ that is related to the pairing operation defined as $e(P, Q)$, where $P, Q \in G_1$ and $x \in Z_q^*$.
• $T_{bp.sm}$: Denotes execution time for small scalar multiplication operation $v_i \cdot P$ that is related to the pairing operation $e(P, Q)$, where $P, Q \in G_1$ and $v_i \in [1, 2^t]$ is a small random integer, for a small predefined integer $t$.
• $T_{bp.a}$: Denotes execution time for point addition in bilinear pairing operation $e(P, Q)$, such that $R = P + Q$, where $R, P, Q \in G_1$.
• $T_H$: Denotes execution time for map-to-point hash function operation related to pairing operation $e(P, Q)$, where $P, Q \in G_1$.
• $T_{e.m}$: Denotes execution time for scalar multiplication operation $x \cdot P$ over the ECC group, where $P \in G$ and $x \in Z_q^*$.
• $T_{e.sm}$: Denotes execution time for small scalar multiplication operation $v_i \cdot P$ for the small exponent test, where $P \in G$ and $v_i \in [1, 2^t]$ is a small random integer, for a small predefined integer $t$.
• $T_{e.a}$: Denotes execution time for point addition operation over an elliptic curve group.
• $T_h$: Denotes execution time for one hash function operation.

Computation Cost Analysis
In this section, we give a formal security proof on the proposed certificate-less signature scheme. Using the execution times for the dominant time-consuming cryptographic operations summarized in Table 3, we carry out a computation analysis of the related CLAS schemes [2,13,23,27,55] in terms of the three phases of message signing, individual verification and aggregate verification overhead at the RSU. Table 4 makes clear that our proposed scheme, ECLAS, has better computation performance than the related works. In [27], to generate a signature a vehicle carries out three scalar multiplications, $3T_{e.m}$, over an elliptic curve. This means the computation cost for signing is $3T_{e.m} \approx 1.326$ ms. For verifying a signature, three bilinear pairings, one scalar multiplication over an elliptic curve and one map-to-point hash function operation are required. Thus, individual verification needs $2T_{bp} + T_{e.m} + T_H \approx 17.481$ ms. In the aggregate verification phase, three bilinear pairings, $n$ scalar multiplications over an elliptic curve and $n$ map-to-point hash function operations are required, $2T_{bp} + nT_{e.m} + nT_H \approx 12.633 + 4.4198n$ ms.

In the proposed ECLAS scheme, for signature generation a vehicle requires two scalar multiplications with respect to the elliptic curve and one hash function operation, $2T_{e.m} + T_h$, amounting to a computation load of $2T_{e.m} + T_h \approx 0.8841$ ms. Individual signature verification in ECLAS similarly requires two scalar multiplications with respect to the elliptic curve and one hash function operation, $2T_{e.m} + T_h$, amounting to a computation load of $2T_{e.m} + T_h \approx 0.8841$ ms. For aggregate signature verification, ECLAS requires $2n$ scalar multiplications with respect to the elliptic curve and $n$ hash function operations, $2nT_{e.m} + nT_h$, yielding a computation cost of $2nT_{e.m} + nT_h \approx 0.8841n$ ms. In a similar manner, the computation cost for the other relevant comparable schemes [2,13,23,55] can be calculated. Based on the summary of the computation cost comparison in Table 4 and the visual representation given in Figure 2, we draw conclusions on the performance of ECLAS. It is clear that the proposed ECLAS scheme has better overall computation efficiency than the rest of the schemes except [13]; although [13] has a slightly lower signing computation overhead, it was found to have security flaws in [23], whereas the proposed scheme satisfies the security requirements and withstands the KGC escrow property. [23] the overall computation loads are; 24.3675 ms, 19.664 ms, 2.1887 ms respectively. Subsequently, ECLAS has an overall computation load of 1.7682 ms, which is better than the rest as shown in Figure 2.
The relationship between the number of aggregated signatures and the verification delay at the RSU for the schemes [2,13,23,27,55] is portrayed in Figure 3.
As a requirement in VANETs, vehicles have to broadcast their messages every 100-300 ms; thus an RSU or AS can receive about 180 messages every 300 ms. Therefore, in one second an RSU is expected to verify about 600-2000 messages [23]. Figure 3 illustrates the time it takes to do batch verification for 2000 signatures. The comparative analysis shows that the proposed scheme has less verification delay for aggregation of $n$ signatures, and that the verification delay grows linearly, in direct proportion to the number of signatures.

Communication Cost Analysis
In this part, we present the communication overhead of the proposed scheme against the related schemes [2,13,23,27,55], borrowing experiment results from [17] to account for the transmission cost of sending packets from vehicle to RSUs in V2I or V2V communication in VANETs. The sizes of elements in $G_1$ and $G$ are 128 bytes and 40 bytes, respectively. In addition, the elements in $Z_q^*$, the hash function value and timestamps are of sizes 20 bytes, 20 bytes and 4 bytes, respectively. We consider the message traffic load for signatures only.
In [27], the vehicle broadcasts the message $(ID_i, vpk_i, M_i, t_i, \sigma_i = (R_i, S_i))$ to RSUs, where $ID_i, vpk_i, R_i, S_i \in G$ and $t_i$ is a timestamp. Therefore, the communication overhead is 3 × 40 + 4 = 124 bytes. In [13] the vehicle sends the message $(ID_i, vpk_i, Q_{ID_i}, \sigma_i = (R_i, S_i), t_i)$ to RSUs or AS, where $ID_i, vpk_i, Q_{ID_i}, R_i \in G$, $S_i \in Z_q^*$ and $t_i$ is the timestamp. Thus, the communication load on the network is 4 × 40 + 20 + 4 = 184 bytes. In [55], the vehicle sends $(ID_i, m_i, upk_i, signature(U_i, V_i))$ to the RSU, which requires a bandwidth size of 4 × 40 + 20 + 4 = 184 bytes. Whereas, in [54] the message sent from a vehicle to the RSU is $(PS_j, PS1_j, P_i, PP_i, \sigma_i = (U_i, V_{ijk}))$, where $PS_j, PS1_j, P_i, PP_i, U_i, V_{ijk} \in G$. Therefore, the communication overhead is 6 × 128 = 768 bytes. In the proposed ECLAS scheme a vehicle sends the traffic-related signed message $(ID_i, Q_{ID_i}, vpk_i, M_i, t_i, \sigma_i)$ to the verifier, where $ID_i \in G$. Therefore, the total communication overhead is 4 × 40 + 20 + 4 = 184 bytes. The proposed scheme has less communication overhead than [27,54] and is on a par with the schemes in [46,51,55] as outlined in Table 5.

| Schemes | Sending of One Signature Message | Sending of n Signature Message |
|---|---|---|
| Horng et al. [27] | 644 bytes | 644n bytes |
| Cui et al. [13] | 184 bytes | 184n bytes |
| Xiong et al. [55] | 184 bytes | 184n bytes |
| Malhi [54] | 768 bytes | 768n bytes |
| Kamil et al. [23] | 184 bytes | 184n bytes |
| ECLAS | 184 bytes | 184n bytes |

However, these comparable works are found to be insecure in different aspects; for example, the scheme in [13], which so far has decent efficiency, was found to be insecure in [23,27].

Conclusions
In this paper, we presented an efficient certificate-less signature scheme with conditional privacy preservation for a VANETs enhanced smart grid system that is based on elliptic curve cryptography and provides user anonymity. The proposed work also removes the inherent key escrow problem associated with identity based cryptography by having the vehicle itself derive its full private key. The security proof under the random oracle model shows that the proposed scheme is secure by virtue of satisfying all the security requirements for VANETs. In this scheme the certificate-less property is achieved without the key escrow problem, since the signature is derived using the vehicle's full private key, which is not known by the KGC. Furthermore, the scheme does not require the computation-intensive bilinear pairing and map-to-point hash function operations but is based only on less intensive operations over an elliptic curve group, hence achieving efficient computation cost. The communication overhead is also within bounds of comparable schemes whilst achieving higher security merits. Thus, it is a comparatively efficient certificate-less aggregate signature scheme ideal for VANETs communications.