A New Conditional Privacy-Preserving Certificateless Aggregate Signature Scheme in the Standard Model for VANETs

Abstract

Vehicular Ad Hoc Networks (VANETs) take moving vehicles and transport facilities as nodes to form mobile networks through wireless communication technology. Their application increases traffic safety and promotes the development of intelligent transport. However, VANETs have security concerns in data transmission. Fortunately, aggregate signature schemes can enhance security and efficiency in VANETs. Nevertheless, some aggregate signature schemes for VANETs still have security weaknesses. In this paper, we conduct a security analysis of a conditional privacy-preserving certificateless aggregate signature (CLAS) scheme for VANETs proposed recently. The analysis reveals that the scheme is vulnerable to the KGC attack and the public key replacement attack. We propose an improved scheme that fixes these security vulnerabilities. Subsequently, formal and informal security assessments are conducted for the improved scheme, demonstrating that it fulfills the security requirements. Furthermore, a performance assessment demonstrates the practical viability of the refined scheme.


Introduction
With the rapid development of network communication technology and the automobile industry, the intelligent transport system (ITS) is experiencing remarkable growth. Meanwhile, vehicular ad hoc networks (VANETs), an important part of ITS, are also evolving. VANETs are inter-vehicle communication networks with an open mobile ad hoc structure. Their main components are vehicles equipped with communication and computing equipment that realize vehicle-to-vehicle (V2V) [1] and vehicle-to-infrastructure (V2I) [2] communication. All vehicles in the network are equipped with On Board Units (OBUs), which provide wireless communication and positioning functions [3]. Vehicles can establish communication with other vehicles and Roadside Units (RSUs) through the OBU [4], which improves the user's driving experience and safety [5,6]. For example, vehicles can exchange traffic status information in real time through VANETs, so that drivers can better understand the surrounding traffic conditions and act in advance against abnormal conditions.
Many challenges remain for vehicular ad hoc networks. Attackers can launch various attacks by intercepting, changing, and forging location information. For example, malicious vehicles can manipulate traffic information within the network and disseminate false data to create the illusion of road congestion, thus influencing the route choices made by other vehicles. Therefore, it is first necessary to ensure the integrity and reliability of received messages, so that a malicious attacker cannot pretend to be a legitimate user when communicating in VANETs. Secondly, private information about vehicles, such as travel routes and personal identities, should also be protected. This can be addressed with anonymous identities. Hubaux et al. [7] proposed the generation of pseudonyms by appropriate authorities. Thus, an anonymous pseudo-identity assigned to the vehicle by the Trace Authority (TRA) can effectively protect the privacy of the vehicle. When a message is disputed, the Traffic Management Centre (TMC) can obtain the real identity of the malicious vehicle and track it, achieving conditional privacy protection of the user identity. At the same time, considering the high-speed node movement and frequent topology changes in vehicular self-organizing networks, it is also important to improve the efficiency of each stage of the authentication scheme. Aggregate signatures can meet the above requirements. An aggregate signature [8] combines the signatures of n different users into a single aggregate signature, and the verifier can check the validity of all n signatures with only one verification, thus effectively reducing the computational cost. The aggregate signature scheme can address the capacity constraints of RSUs and OBUs while achieving message authentication and striking a balance between security and efficiency.
To address user privacy and security concerns in the VANET environment, researchers have proposed many certificateless aggregate signature (CLAS) schemes [9–22]. Recently, Wang et al. [23] proposed a CLAS scheme with conditional privacy protection for VANETs. We show that it is vulnerable to a KGC attack and a public key replacement attack by giving two attacks on Wang et al.'s scheme. In this paper, we propose an improved CLAS scheme to defend against these attacks.
Our primary contributions are outlined as follows:

• We analyze a conditional privacy-preserving certificateless aggregate signature scheme in the standard model for VANETs and demonstrate that it is not secure.

• We propose an improved conditional privacy-preserving certificateless aggregate signature scheme and provide a proof of its security.

• The computational and communication overheads of the scheme are measured in simulation experiments; the overheads of the improved scheme are comparable to those of the previous CLAS scheme, while the improved scheme is more secure.

Related Work
In 2003, the concept of the aggregate signature was introduced by Boneh et al. [8]. With aggregate signatures, several signatures on a set of messages are consolidated into a single signature, and verifying it is equivalent to verifying all the individual signatures at once. This not only avoids transmitting and storing a large number of signatures but also reduces verification overhead. However, identity-based signature schemes suffer from the inherent problem of key escrow. To overcome this obstacle and reduce the burden of certificate management, Al-Riyami and Paterson [24] first designed a certificateless encryption scheme in 2003.
In 2007, Castro et al. [25] proposed the first CLAS scheme by combining a certificateless encryption scheme with aggregate signatures. However, as the number of signers grows, the system overhead increases linearly. In the same year, Gong et al. [9] introduced two CLAS schemes based on bilinear pairings. However, bilinear pairings are computationally expensive, making them unsuitable for resource-constrained environments. Subsequently, Xiong et al. [10] developed a CLAS scheme with a constant number of pairing operations to reduce the computational burden, and established its security under the random oracle model. However, several authors [11,12,26] demonstrated that the scheme of Xiong et al. [10] cannot resist a type II adversary attack, an anti-collision attack or an internal attack.
Malhi and Batra [14] introduced a certificateless aggregate signature scheme for VANETs in 2015, characterized by constant pairing computations. Afterward, Kumar and Sharma [15] showed that it is vulnerable to a type II attacker and proposed a safer CLAS scheme. In 2019, Zhong et al. [27] constructed a new CLAS authentication protocol with full aggregation for VANETs. Kamil and Ogundoyin [28] showed that the scheme cannot defend against type II attacks, so they designed a safer, enhanced CLAS scheme to deal with these attacks. In 2020, to enhance data sharing efficiency within VANET systems, Cui et al. [29] introduced a privacy-preserving data download scheme for VANETs based on edge computing, with a security proof under the random oracle model. In the same year, Xu et al. [22] proposed a new CLAS scheme to solve the problem of routing security authentication. In the following year, Kamil et al. [30] introduced a group key agreement to make communication in the IoV more efficient; its group key distribution mechanism supports efficient group communication while accommodating dynamic updates. In 2022, Cao et al. [31] proposed lattice-based group signatures that are resistant to quantum attacks. In the same year, Zhang et al. [32] proposed a certificateless signature based on a homomorphic hash function, applied in an auditing scheme to achieve conditional privacy protection. In 2023, Gong et al. [33] proposed a pairing-free PCAS scheme without bilinear pairing operations to make the scheme more secure and efficient. In the same year, Xu et al. [34] proposed the PAASH+ scheme, which resists public key substitution attacks to achieve privacy protection in medical scenarios. Li et al. [35] also designed a CPPA scheme by introducing linkable group signatures; the scheme protects privacy and provides authentication, which improves the trustworthiness and traceability of messages. More recently, Wang et al. [23] proposed a CLAS scheme for VANETs with conditional privacy preservation. However, Shim et al. [36] attacked the scheme and proved that it is not safe against KGC attacks and suffers from logical errors. In this paper, we show that this scheme not only suffers from the above security problems but also fails to resist the public key replacement attack. We also propose a new improved scheme to resist these attacks.

Review of Wang et al.'s CLAS Scheme
In this section, we provide a concise overview of the CLAS scheme proposed by Wang et al. [23].

System Infrastructure
The CLAS scheme consists of eight phases and involves five entities: the Key Generation Center (KGC), Trace Authority (TRA), On Board Units (OBUs), Roadside Units (RSUs), and Traffic Management Center (TMC). As shown in Figure 1, the five entities are described as follows.
Key Generation Center (KGC): The KGC collaborates with the TRA to generate the public parameters of the VANET. In addition, the KGC generates partial private keys for vehicles.
Trace Authority (TRA): The TRA performs the key tasks of the setup algorithm and vehicle registration within VANETs. As part of this process, the TRA allocates a pseudo-identity to each vehicle upon its entry into the network. Only the TRA knows the true identity of a vehicle. In the event of malicious traffic behavior by a specific vehicle, the TRA can reveal the authentic identity of that vehicle.
On Board Units (OBUs): Each vehicle on the road has an On Board Unit (OBU) that allows V2V communication with other vehicles and V2I communication with Roadside Units (RSUs). Vehicles use their pseudonyms to transmit traffic-related data and signatures to adjacent RSUs.
Roadside Units (RSUs): RSUs use the DSRC protocol for V2I communication within their coverage areas along roadways. Specifically, RSUs validate the individual traffic-related messages sent by OBUs. After the RSU has established the legitimacy of the traffic-related messages from OBUs, it generates an aggregate signature and transmits it to the TMC.
Traffic Management Center (TMC): The TMC decides whether to accept or reject the aggregate signature and extracts information on the current traffic conditions. Therefore, the TMC plays a crucial role in regulating and managing traffic flow.

Threat Model
In VANETs, two distinct categories of attackers are considered: external attackers $\mathcal{A}_1$ and internal attackers $\mathcal{A}_2$. Attacker $\mathcal{A}_1$ can request a user's public key or substitute it, but does not know the system master key. Attacker $\mathcal{A}_2$ can obtain the system master key but cannot alter the public key or query the public key. The former operates outside the VANET ecosystem, while the latter comprises entities within the VANET. Because wireless networks are public, all adversaries can intercept vehicle-RSU communication, enabling them to eavesdrop on, intercept, modify, or delete transmitted information. Notably, we assume the TMC, KGC, and TRA to be fully trusted entities. Vehicles and RSUs are honest-but-curious agents and semi-trusted entities, respectively: they strictly adhere to the predetermined protocols while being curious about extracting privacy-related attributes (such as identity, velocity, and location) from accessible data. No adversary can obtain a vehicle's private key. Lastly, all VANET components are time-synchronized.

Wang et al.'s CLAS Scheme
The eight stages are described as follows. Table 1 lists the notation used in the CLAS scheme of Wang et al. [23].

Table 1. Notation used in Wang et al.'s CLAS scheme (partial).

Notation: Description
$ID_i$: The real identity of the vehicle $Vh_i$
$PID_i$: A set of pseudonyms of $Vh_i$
$PID_{i,j}$: The $j$-th pseudonym of $Vh_i$
$\sigma$: An aggregate signature

• Setup: TRA and KGC select a bilinear map $e: G_1 \times G_1 \to G_2$ with prime order $q > 2^{\nu}$, where $\nu$ is a security parameter. KGC randomly chooses $P, Q \in G_1$ and $s \in Z_q^*$ and calculates $P_{pub} = sP$. TRA randomly chooses $k$ and calculates $K = kP$. The secret keys $s$ and $k$ are kept secret. Then, TRA and KGC choose three hash functions $H_1$, $H_2$ and $H_3$. Finally, the published public parameters of the system are $params = \{G_1, G_2, q, e, P, Q, P_{pub}, H_1, H_2, H_3\}$.

• Pseudonym Generation: First, the TRA designates a pseudonym $PID_{i,j}$ for the new vehicle $Vh_i$. Vehicle $Vh_i$ randomly chooses $t_{i,j} \in Z_q^*$ and calculates $T_{i,j} = t_{i,j}P$. Then, vehicle $Vh_i$ secretly sends $(ID_i, T_{i,j})$ to the TRA. The TRA verifies the validity of $ID_i$ and calculates $PID_{i,1,j} = ID_i \oplus H_1(kP + T_{i,j})$ and $PID_{i,j} = (PID_{i,1,j}, T_{i,j})$. Afterwards, the TRA transmits $PID_{i,j}$ to vehicle $Vh_i$. Given the pseudonym $PID_{i,j} = (PID_{i,1,j}, T_{i,j})$, the TRA can calculate $ID_i = PID_{i,1,j} \oplus H_1(kP + T_{i,j})$ and thus determine the true identity of the vehicle when $Vh_i$ is involved in a malicious collision.

• Partial Private Key Generation: First, the KGC randomly chooses $r_i \in Z_q^*$ and calculates $R_i = r_i P$. It also calculates $k_i = H_2(PID_{i,j}, R_i)$ and $d_i = r_i + k_i s \bmod q$; $d_i$ is the partial private key of vehicle $Vh_i$. Subsequently, the KGC securely transmits $d_i$ to vehicle $Vh_i$ via a trusted channel.

• Public/Private Key Generation: After receiving the message from the KGC, the vehicle $Vh_i$ chooses a secret value $x_i \in Z_q^*$. The vehicle calculates $X_i = x_i P$, and its public key is $PK_i = (X_i, R_i)$. The private key is $(d_i, x_i)$.

• Signature Generation: First, the OBU selects the current timestamp $TS_i$. The OBU randomly selects $u_i \in Z_q^*$ and calculates $U_i = u_i P$ together with $V_i$ and $W_i$. The signature $\sigma_i = (U_i, V_i, W_i)$ is communicated to the RSU. Whenever a vehicle $Vh_i$ transmits a signature, the TRA generates a new pseudonym $PID_{i,j}$ and assigns it to $Vh_i$.

• Single Signature Verification: Upon receipt of the signature $\sigma_i$ on $m_i || TS_i$, the RSU first checks the timeliness of the timestamp $TS_i$. If $TS_i$ is valid, the RSU proceeds to validate the signature's authenticity as follows. The RSU checks whether Equation (1) holds. If (1) holds, the single signature $\sigma_i$ on $m_i || TS_i$ is accepted by the RSU; otherwise, it is rejected.

• Aggregate: Upon receipt of $n$ distinct signatures $\sigma_i$ on different messages $m_i || TS_i$ from distinct vehicles $Vh_i$, the RSU calculates $U = \sum_{i=1}^{n} U_i$, $V = \sum_{i=1}^{n} V_i$, and $W = \sum_{i=1}^{n} W_i$. Subsequently, the RSU transmits the aggregate signature $\sigma = (U, V, W)$ to the TMC.

• Aggregate Verification: After receiving the aggregate signature $\sigma$ and the corresponding tuples $(m_i, TS_i, PID_{i,j}, PK_i)$, the TMC first checks the freshness of each timestamp $TS_i$ $(i = 1, 2, \ldots, n)$. After that, the TMC computes the required hash values and verifies whether Equation (2) holds.
If (2) holds, the aggregate signature $\sigma$ on $m_i || TS_i$ $(i = 1, 2, \ldots, n)$ is accepted by the TMC; otherwise, it is rejected.

Cryptanalysis of Wang et al.'s CLAS Scheme
We demonstrate several kinds of attack on Wang et al.'s CLAS scheme [23].

Incorrectness of the Signature Generation
In the Signature Generation algorithm, the vehicle $Vh_i$ calculates $h_i$ and $W_i$ to generate the single signature. However, $h_i$ must be calculated before $Vh_i$ calculates $W_i$, which contradicts the use of $W_i$ in the computation of $h_i$. Therefore, the Signature Generation algorithm is logically incorrect.
To resolve the issue in the Signature Generation algorithm, let the vehicle $Vh_i$ calculate the following instead.

KGC Forge Attack
In the KGC forge attack, note that $Q$ and $P$ are chosen by the KGC in the Setup algorithm. Thus, the KGC knows the discrete logarithm of $Q$ with respect to $P$; call it $l$. We show that the KGC can generate a forged signature on any message that passes verification by the RSU.

• The KGC randomly selects $u_i \in Z_q^*$ and calculates $U_i = u_i P$ together with $V_i$ and $W_i$. It is easy to show that $\sigma_i = (U_i, V_i, W_i)$ is accepted by the RSU in the Single Signature Verification algorithm. The verification proceeds as follows.
$e(W_i, P) = e(l(R_i \ldots$
Therefore, the forged signature $\sigma_i$ passes the Single Signature Verification algorithm.

Replace Public Key Attack
We show that Wang et al.'s scheme is vulnerable to the public key replacement attack. Specifically, an adversary can generate legitimate signatures on arbitrary messages on behalf of any vehicle using only a single authenticated message. The details are as follows.

• The adversary chooses a secret value $x_i' \in Z_q^*$ and calculates $X_i' = x_i' P$ to replace the public key component $X_i$, so the public key of vehicle $Vh_i$ becomes $PK_i' = (X_i', R_i)$. The adversary picks a message $m_i$, randomly selects $u_i \in Z_q^*$, and constructs $U_i = u_i P - (R_i + k_i P_{pub})$. Then, the adversary calculates the remaining signature components. Note that the verification checks $e(W_i, P) = e(R_i + k_i P_{pub} + h_i X_i + U_i, Q)$. The forgery proceeds as follows.
Therefore, the adversary replaces the public key and forges a signature $\sigma_i$ on message $m_i$ that passes the Single Signature Verification algorithm.

Improvement for Wang et al.'s CLAS Scheme
The improved CLAS scheme includes eight stages. Table 2 lists the additional notation used in the improved scheme; the remaining notation is listed in Table 1.

Table 2. Additional notation used in the improved CLAS scheme.

Notation: Description
$y_{pub}$: The public key of the system
$H_1, \ldots, H_5$: One-way hash functions
$Z$: Hash value of the system public key
$\sigma$: An aggregate signature

• Setup: TRA and KGC generate a prime order $q > 2^{\nu}$ from the security parameter $\nu$. Subsequently, the additive cyclic group $G_1$ and the multiplicative cyclic group $G_2$ of prime order $q$ are generated, together with a bilinear map $e: G_1 \times G_1 \to G_2$. Then, the KGC randomly chooses $P \in G_1$ and $s \in Z_q^*$ and calculates $y_{pub} = sP$ and $Z = H_3(y_{pub})$. The TRA randomly chooses $k$ and calculates $K = kP$. Finally, the published public parameters of the system are $params = \{G_1, G_2, q, e, P, Z, y_{pub}, H_1, H_2, H_3, H_4, H_5\}$, where the master secret key $s$ and the identity tracking key $k$ are kept secret.

• Pseudonym Generation: A vehicle must register with the TRA before it can transmit information in VANETs, so that the user's information is protected. A virtual identity for the vehicle provides anonymity during communication. The TRA designates a pseudonym $PID_{i,j}$, the $j$-th pseudonymous identifier assigned to the vehicle $Vh_i$. Vehicle $Vh_i$ randomly chooses $t_{i,j} \in Z_q^*$ and calculates $T_{i,j} = t_{i,j}P$. Then, vehicle $Vh_i$ secretly sends $(ID_i, T_{i,j})$ to the TRA. The TRA verifies the validity of $ID_i$ and calculates $PID_{i,1,j} = ID_i \oplus H_1(kP + T_{i,j})$ and $PID_{i,j} = (PID_{i,1,j}, T_{i,j})$. Afterwards, the TRA transmits $PID_{i,j}$ to vehicle $Vh_i$. If vehicle $Vh_i$ is involved in a malicious collision, the TRA can trace its actual identity $ID_i$: from the pseudonym $PID_{i,j} = (PID_{i,1,j}, T_{i,j})$ it calculates $ID_i = PID_{i,1,j} \oplus H_1(kP + T_{i,j})$.

• Partial Private Key Generation: Using $params$ and the master key $s$, the KGC generates the partial private key $d_i$ for vehicle $Vh_i$ as follows. The KGC randomly selects $r_i \in Z_q^*$ and calculates $R_i = r_i P$, $k_i = H_2(PID_{i,j}, R_i)$ and $d_i = r_i + k_i s \bmod q$. $d_i$ is the partial private key of vehicle $Vh_i$. The KGC then securely transmits $d_i$ to vehicle $Vh_i$ via a trusted channel.

• Public/Private Key Generation: After receiving the message from the KGC, the vehicle $Vh_i$ chooses a secret value $x_i \in Z_q^*$. The vehicle calculates $X_i = x_i P$, and its public key is $PK_i = (X_i, R_i)$. The private key is $(d_i, x_i)$.

• Signature Generation: A signature on a traffic-related message $m_i \in Z_q^*$ is generated as follows.
(1) The OBU selects the current timestamp $TS_i$.
(2) The OBU randomly chooses $u_i \in Z_q^*$ and calculates $U_i = u_i P$.
The remaining component $W_i$ is then computed, and the signature $\sigma_i = (U_i, W_i)$ is sent to the RSU. Whenever a vehicle $Vh_i$ transmits a signature, the TRA generates a new pseudonym $PID_{i,j}$ and assigns it to $Vh_i$. This ensures that each pseudonym is used only once, and the vehicle $Vh_i$ replaces the former pseudonym with the new one.

• Single Signature Verification: Upon receipt of the signature $\sigma_i$ on $m_i || TS_i$, the RSU first checks the timeliness of the timestamp $TS_i$. If $TS_i$ is valid, the RSU proceeds to validate the signature's authenticity as follows. The RSU calculates $k_i = H_2(PID_{i,j}, R_i)$, $\phi_i = H_4(y_{pub}, PK_i, U_i)$ and $h_i = H_5(m_i || TS_i, PID_{i,j}, U_i, PK_i)$ and verifies whether Equation (3) holds.
If (3) holds, the single signature $\sigma_i$ on $m_i || TS_i$ is accepted by the RSU; otherwise, it is rejected.

• Aggregate: Upon receipt of $n$ distinct signatures $\sigma_i$ on different messages $m_i || TS_i$ from distinct vehicles $Vh_i$, the RSU calculates $U = \sum_{i=1}^{n} U_i$ and $W = \sum_{i=1}^{n} W_i$. Afterward, the RSU transmits the aggregate signature $\sigma = (U, W)$ to the TMC.

• Aggregate Verification: After receiving the aggregate signature $\sigma$ and the corresponding tuples $(m_i, TS_i, PID_{i,j}, PK_i)$, the TMC first checks the freshness of each timestamp $TS_i$ $(i = 1, 2, \ldots, n)$. Next, the TMC computes the required hash values and verifies whether Equation (4) holds.
If (4) holds, the aggregate signature $\sigma$ on $m_i || TS_i$ $(i = 1, 2, \ldots, n)$ is accepted by the TMC; otherwise, it is rejected.
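As an added worked example (not code from the paper), the following Python implements the two algorithms above that need no pairing, Pseudonym Generation with TRA tracing and Partial Private Key Generation, which are identical in Wang et al.'s scheme and in the improved scheme. The example assumes secp256k1 as the group $G_1$ with generator $P$ and order $q$ (the paper fixes no concrete curve; secp256k1 is not pairing-friendly, which is acceptable here only because these two algorithms use scalar multiplication alone), assumes SHA-256-based constructions for $H_1$ and $H_2$, and adds a vehicle-side sanity check $d_i P = R_i + k_i\, y_{pub}$ that the paper does not state. The vehicle identity and all keys are constructed sample values.

```python
import hashlib
import secrets

# Assumed group G1: secp256k1, a prime-order curve group (the paper fixes no concrete curve).
P_MOD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
Q_ORD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # q
GEN = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
       0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)  # P

def ec_add(a, b):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                      # a == -b
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):
    """Scalar multiplication k*pt by double-and-add."""
    acc = None
    k %= Q_ORD
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def point_bytes(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def h1(pt, length):
    """H1: group element -> byte mask of the identity's length (assumed SHA-256 construction)."""
    return hashlib.sha256(b"H1" + point_bytes(pt)).digest()[:length]

def h2(pid, r_point):
    """H2: (PID_ij, R_i) -> scalar in Z_q* (assumed SHA-256 construction)."""
    pid1, t_point = pid
    digest = hashlib.sha256(b"H2" + pid1 + point_bytes(t_point) + point_bytes(r_point)).digest()
    return int.from_bytes(digest, "big") % (Q_ORD - 1) + 1

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def rand_scalar():
    return secrets.randbelow(Q_ORD - 1) + 1

# ---- Pseudonym Generation ----------------------------------------------
def vehicle_pseudonym_request():
    """Vehicle: pick t_ij in Z_q*, send T_ij = t_ij * P (with ID_i) to the TRA."""
    t = rand_scalar()
    return t, ec_mul(t, GEN)

def tra_issue_pseudonym(k, real_id, t_point):
    """TRA: PID_{i,1,j} = ID_i XOR H1(kP + T_ij); PID_ij = (PID_{i,1,j}, T_ij)."""
    mask = h1(ec_add(ec_mul(k, GEN), t_point), len(real_id))
    return (xor_bytes(real_id, mask), t_point)

def tra_trace(k, pid):
    """TRA tracing: ID_i = PID_{i,1,j} XOR H1(kP + T_ij), using the tracking key k."""
    pid1, t_point = pid
    return xor_bytes(pid1, h1(ec_add(ec_mul(k, GEN), t_point), len(pid1)))

# ---- Partial Private Key Generation ------------------------------------
def kgc_partial_key(s, pid):
    """KGC: R_i = r_i P, k_i = H2(PID_ij, R_i), d_i = r_i + k_i s mod q."""
    r = rand_scalar()
    r_point = ec_mul(r, GEN)
    d = (r + h2(pid, r_point) * s) % Q_ORD
    return d, r_point

def vehicle_check_partial_key(d, r_point, pid, y_pub):
    """Vehicle-side check added by this example (not stated in the paper): d_i P == R_i + k_i y_pub."""
    return ec_mul(d, GEN) == ec_add(r_point, ec_mul(h2(pid, r_point), y_pub))

def demo():
    """End-to-end run with constructed keys and a constructed vehicle identity."""
    k, s = rand_scalar(), rand_scalar()        # TRA tracking key, KGC master key
    y_pub = ec_mul(s, GEN)
    real_id = b"VEHICLE-0042-XYZ"             # constructed sample ID_i
    _, t_point = vehicle_pseudonym_request()
    pid = tra_issue_pseudonym(k, real_id, t_point)
    d, r_point = kgc_partial_key(s, pid)
    return tra_trace(k, pid) == real_id and vehicle_check_partial_key(d, r_point, pid, y_pub)
```

Running `demo()` returns `True`: the TRA recovers $ID_i$ from the pseudonym with its tracking key $k$, and the vehicle's check on $d_i$ passes, while a different $t_{i,j}$ yields a different $PID_{i,1,j}$ for the same identity, which is what the single-use pseudonym policy relies on.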

Remark 1. When a few corrupted signatures are contained in an aggregate signature, they must be identified by verifying the signatures individually. To retrieve the corrupted signatures more efficiently, the bisection method can be used: the batch is split in half, each half is verified as a batch, and only the halves that fail are split further, which quickly isolates the invalid signatures. Meanwhile, a penalty mechanism can be applied to vehicles that frequently generate invalid signatures, delaying their verification or verifying them individually. This improves the effectiveness and efficiency of batch verification of aggregate signatures.
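The bisection search from Remark 1, as an added example that is not part of the paper. Because the paper's pairing-based Aggregate Verification equation is not reproduced above, the batch verifier below is an assumed stand-in: Schnorr-style signatures in the prime-order subgroup of a 64-bit safe-prime group that the code searches for at import time, checked with a single randomly weighted batch equation. The search logic does not depend on that choice: a batch that fails is halved and each half re-checked, so one bad signature among $n$ costs roughly $2\log_2 n$ batch checks instead of $n$ individual verifications. All signers, messages and the tampered indices are constructed sample data.

```python
import hashlib
import secrets

BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n):
    """Miller-Rabin with fixed bases (deterministic for n < 3.3e24)."""
    if n < 2:
        return False
    for b in BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime_group(bits=64):
    """Deterministic search for p = 2q + 1 with q a `bits`-bit prime (constructed toy group).
    g = 4 is a square mod p, so it generates the order-q subgroup."""
    q = (1 << (bits - 1)) | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4

GROUP = safe_prime_group()

def challenge(r_val, y, msg, q):
    """Schnorr challenge h = H(R, y, m) reduced into Z_q (assumed hash construction)."""
    data = r_val.to_bytes(16, "big") + y.to_bytes(16, "big") + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q

def keygen(group):
    p, q, g = group
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)

def sign(group, x, y, msg):
    p, q, g = group
    u = secrets.randbelow(q - 1) + 1
    r_val = pow(g, u, p)
    return r_val, (u + challenge(r_val, y, msg, q) * x) % q

def batch_verify(group, items):
    """One batch equation with random weights w_i (so two bad signatures cannot cancel):
    g^(sum w_i s_i) == prod (R_i * y_i^h_i)^w_i  (mod p).  items: (index, y, msg, (R, s))."""
    p, q, g = group
    lhs_exp, rhs = 0, 1
    for _, y, msg, (r_val, s) in items:
        w = secrets.randbelow(q - 1) + 1
        lhs_exp = (lhs_exp + w * s) % q
        rhs = rhs * pow(r_val * pow(y, challenge(r_val, y, msg, q), p) % p, w, p) % p
    return pow(g, lhs_exp, p) == rhs

def locate_invalid(group, items, counter):
    """Bisection from Remark 1: verify the batch; on failure halve it and recurse.
    counter[0] counts batch verifications. Returns the indices of the invalid signatures."""
    counter[0] += 1
    if batch_verify(group, items):
        return []
    if len(items) == 1:
        return [items[0][0]]
    mid = len(items) // 2
    return (locate_invalid(group, items[:mid], counter)
            + locate_invalid(group, items[mid:], counter))

def demo(n=16, bad=(3, 11)):
    """Constructed batch of n signed traffic reports; messages at `bad` are tampered after signing."""
    items = []
    for i in range(n):
        x, y = keygen(GROUP)
        msg = f"traffic report {i}".encode()
        items.append((i, y, msg, sign(GROUP, x, y, msg)))
    for i in bad:
        idx, y, msg, sig = items[i]
        items[i] = (idx, y, msg + b" (tampered)", sig)
    counter = [0]
    return locate_invalid(GROUP, items, counter), counter[0]
```

`demo()` returns `([3, 11], 15)`: the two tampered reports in a batch of sixteen are isolated with 15 batch checks, and `demo(8, (5,))` returns `([5], 7)`. The per-signature random weights matter for the stand-in verifier: without them, two wrong signatures whose errors cancel would pass the combined equation and the bisection would never descend into that half.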
Remark 2. The Pseudonym Generation, Partial Private Key Generation and Public/Private Key Generation algorithms can be run in advance.

Security Analysis
First, the correctness of the Single Signature Verification and Aggregate Verification algorithms is shown in this section. Then, we conduct formal and informal security analyses of the improved CLAS scheme. Finally, we show that it fulfills the security requirements of VANETs.

Correctness
The correctness of the Single Signature Verification algorithm is shown below.
The correctness of the Aggregate Signature Verification algorithm is shown below.

Formal Security Analysis
The formal security proof of the improved scheme in the standard model is provided in this section. We consider two kinds of attackers, $\mathcal{A}_1$ and $\mathcal{A}_2$: an external attacker $\mathcal{A}_1$ can substitute the vehicle's public key but cannot obtain the KGC's system master key; an internal attacker $\mathcal{A}_2$ can obtain the KGC's system master key but cannot substitute the vehicle's public key.
Theorem 1. In the standard model, the proposed CLAS scheme is unforgeable under adaptive chosen-identity attacks (EUF-CMA) against adversary $\mathcal{A}_1$ when the CDHP assumption holds.
Lemma 1. In the CLAS scheme, the challenger $C$ can solve the Computational Diffie-Hellman Problem (CDHP) if the adversary $\mathcal{A}_1$ succeeds in producing a valid forged signature in Game I in the standard model.
Proof. Suppose a random CDHP instance $(P, aP, bP)$ is given. Let $PID_\tau$ be the challenge identity. If $\mathcal{A}_1$ produces a valid signature in the improved CLAS scheme, then after interacting with $\mathcal{A}_1$ the challenger $C$ obtains the value $abP$.
Setup: Challenger $C$ executes the Setup algorithm with security parameter $\nu$ to generate the system public parameters, sets $Z = bP$, and publishes $params = \{G_1, G_2, q, e, P, Z, y_{pub}, H_1, H_2, H_3, H_4, H_5\}$. Then, $C$ sends these system parameters to $\mathcal{A}_1$ and keeps the master secret key $s$ secret.
Queries: $\mathcal{A}_1$ issues the following queries and interacts with challenger $C$. Challenger $C$ maintains the lists $L_U$ and $L_P$, which are initially empty. $\mathcal{A}_1$ performs user public key queries before any other query.

• User public key queries: Challenger $C$ maintains the list $L_U$ of tuples $(PID_{i,j}, r_i, x_i)$. Given a request with pseudonym $PID_{i,j}$, $C$ searches $L_U$ for $(PID_{i,j}, r_i, x_i)$. If found, $C$ returns $(r_i P, x_i P)$. Otherwise, $C$ distinguishes the following cases.
(1) If $PID_{i,j} = PID_\tau$, $C$ randomly selects $x_i$ and sets $R_i = aP$. Subsequently, $(PID_{i,j}, \bot, x_i)$ is appended to $L_U$, where $\bot$ denotes a null value. $C$ then transmits $PK_i = (R_i, x_i P)$ to $\mathcal{A}_1$.
(2) If $PID_{i,j} \neq PID_\tau$, $C$ randomly selects $x_i, r_i$ and sets $X_i = x_i P$, $R_i = r_i P$. Subsequently, $(PID_{i,j}, r_i, x_i)$ is appended to $L_U$. $C$ then transmits $PK_i = (R_i, X_i)$ to $\mathcal{A}_1$.
• User public key replacement queries: Challenger $C$ maintains the list $L_R$ of tuples $(PID_{i,j}, PK_i, PK_i')$. When $\mathcal{A}_1$ requests to replace the public key in the tuple $(PID_{i,j}, PK_i)$ with $PK_i'$, $C$ substitutes $PK_i$ with $PK_i'$ and adds $(PID_{i,j}, PK_i, PK_i')$ to $L_R$.

• Partial private key extraction queries: When $\mathcal{A}_1$ submits a request with pseudonym $PID_{i,j}$, challenger $C$ searches $L_P$ for $(PID_{i,j}, d_i)$. If found, $C$ returns $d_i$ to $\mathcal{A}_1$. Otherwise, $C$ proceeds as follows.
(2) If $PID_{i,j} \neq PID_\tau$, $C$ looks up $r_i$ in $L_U$ and calculates $d_i = r_i + k_i s \bmod q$. Then, $C$ transmits $d_i$ to $\mathcal{A}_1$.
• Secret value queries: When $\mathcal{A}_1$ makes a request with pseudonym $PID_{i,j}$, challenger $C$ looks up $x_i$ in $L_U$ and returns $x_i$ to $\mathcal{A}_1$.

• Signature queries: After receiving a query for the tuple $(PID_{i,j}, m_i || TS_i)$ from $\mathcal{A}_1$, $C$ performs user public key queries, partial private key extraction queries and secret value queries to obtain $R_i$, $d_i$ and $x_i$. After that, $C$ computes the signature on $(PID_{i,j}, m_i || TS_i)$; such a signature is valid.
Forgery Phase: $\mathcal{A}_1$ forges a signature $\sigma_i = (U_i, W_i)$ on message $m_i || TS_i$ and outputs it. After $C$ obtains the forged signature $\sigma_i$, if $PID_{i,j} \neq PID_\tau$, the game aborts. Otherwise, $PID_{i,j} = PID_\tau$, so $PK_i = (aP, x_i P)$ and $Z = bP$. $C$ looks up $x_i$ in $L_U$ and calculates the solution of the CDHP instance. Likewise, $\mathcal{A}_1$ may output a forged aggregate signature $\sigma = (U, W)$ on the messages $m_i || TS_i$ $(i = 1, 2, \ldots, n)$ with $\tau \in \{1, 2, \ldots, n\}$, where $U = \sum_{i=1}^{n} U_i$ and $W = \sum_{i=1}^{n} W_i$; $\sigma_\tau$ is the forged signature of user $PID_\tau$ on $m_\tau || TS_\tau$, for whom no partial private key extraction query has been made. Then $PK_\tau = (aP, x_\tau P)$ and $Z = bP$. Subsequently, $C$ performs the following process to solve the CDHP.

• Compute: look up $r_i$ in the list $L_U$ and calculate $k_i = H_2(PID_{i,j}, r_i P)$ and the remaining values.
Theorem 2. In the standard model, the proposed CLAS scheme is unforgeable under adaptive chosen-message attacks (EUF-CMA) against attacker $\mathcal{A}_2$ when the CDHP assumption holds.
Lemma 2. In the CLAS scheme, the challenger $C$ can solve the Computational Diffie-Hellman Problem (CDHP) if the adversary $\mathcal{A}_2$ succeeds in producing a valid forged signature in Game II in the standard model.
Proof. Suppose a random CDHP instance $(P, aP, bP)$ is given. If $\mathcal{A}_2$ produces a signature that passes verification in the improved CLAS scheme, then after interacting with $\mathcal{A}_2$ the challenger $C$ obtains the value $abP$.
Setup: Challenger $C$ executes the Setup algorithm with security parameter $\nu$ to generate the system public parameters, sets $Z = bP$, and publishes $params = \{G_1, G_2, q, e, P, Z, y_{pub}, H_1, H_2, H_3, H_4, H_5\}$. Then, $C$ sends these system parameters and the master secret key $s$ to $\mathcal{A}_2$.
Queries: $\mathcal{A}_2$ issues the following queries and interacts with challenger $C$. First, challenger $C$ initializes the empty list $L_U$. Then, $\mathcal{A}_2$ performs user public key queries before any other query.

• User public key queries: Challenger $C$ keeps the list $L_U$ of tuples $(PID_{i,j}, r_i, x_i)$. Given a request with pseudonym $PID_{i,j}$, $C$ searches $L_U$ for $(PID_{i,j}, r_i, x_i)$. If found, $C$ returns $(r_i P, x_i P)$. Otherwise, $C$ distinguishes the following two cases.
(1) If $PID_{i,j} = PID_\tau$, $C$ randomly selects $r_i$ and sets $X_i = aP$. Subsequently, $(PID_{i,j}, r_i, \bot)$ is appended to $L_U$. $C$ then transmits $PK_i = (r_i P, X_i)$ to $\mathcal{A}_2$.
(2) If $PID_{i,j} \neq PID_\tau$, $C$ randomly selects $x_i, r_i$ and sets $X_i = x_i P$, $R_i = r_i P$. Subsequently, $(PID_{i,j}, r_i, x_i)$ is appended to $L_U$. $C$ then transmits $PK_i = (R_i, X_i)$ to $\mathcal{A}_2$.
• Secret value queries: $\mathcal{A}_2$ submits a query for pseudonym $PID_{i,j}$. If $PID_{i,j} = PID_\tau$, challenger $C$ fails and aborts. Otherwise, $C$ looks up $x_i$ in $L_U$ and returns $x_i$.
• Signature queries: After $\mathcal{A}_2$ queries a tuple $(PID_{i,j}, m_i || TS_i)$, $C$ performs user public key queries, partial private key extraction queries and secret value queries to obtain $R_i$, $d_i$ and $x_i$, and computes the signature on $(PID_{i,j}, m_i || TS_i)$; such a signature is valid.
Forgery Phase: $\mathcal{A}_2$ forges a signature $\sigma_i = (U_i, W_i)$ on message $m_i || TS_i$ and outputs it. After $C$ obtains the forged signature $\sigma_i$, if $PID_{i,j} \neq PID_\tau$, the game aborts. Otherwise, $PID_{i,j} = PID_\tau$, so $PK_i = (r_i P, aP)$ and $Z = bP$. $C$ looks up $r_i$ in $L_U$ and calculates the solution of the CDHP instance. Likewise, $\mathcal{A}_2$ may output a forged aggregate signature $\sigma = (U, W)$ on the messages $m_i || TS_i$ $(i = 1, 2, \ldots, n)$ with $\tau \in \{1, 2, \ldots, n\}$, where $U = \sum_{i=1}^{n} U_i$ and $W = \sum_{i=1}^{n} W_i$. No secret value query has been made for $PID_\tau$, and $\sigma_\tau$ is the forged signature of user $PID_\tau$ on $m_\tau || TS_\tau$. Then $PK_\tau = (r_\tau P, aP)$ and $Z = bP$. Subsequently, $C$ performs the following process to solve the CDHP.

• Search for $r_i$ in the list $L_U$ and calculate the remaining values to solve the CDHP.

Informal Security Analysis
We informally analyze whether the improved CLAS scheme satisfies the security demands of the VANET environment.

1. Authentication: Authentication follows from the proof of Theorem 1: no probabilistic polynomial-time (PPT) adversary can forge a valid signature. The verifier confirms the authenticity of the message and the validity of the signature by running the Single Signature Verification or Aggregate Verification algorithm.

2. Nonrepudiation: In our CLAS scheme, TRA can recover the vehicle's real identity ID_i from its pseudonym PID_{i,j}, so the vehicle cannot deny a signature σ_i it generated itself. The proposed scheme therefore supports nonrepudiation.

3. Anonymity: In VANETs, a vehicle communicates with other entities only under a pseudonym PID_{i,j}. When a vehicle joins the VANET, TRA runs the Pseudonym Generation algorithm and assigns it the pseudonym PID_{i,j} = {PID_{i,1,j}, T_{i,j}} with PID_{i,1,j} = ID_i ⊕ H_1(kP + T_{i,j}). The real identity ID_i of the vehicle is thus concealed inside PID_{i,j}.

4. Unlinkability: The real identity ID_i is hidden in the pseudonym PID_{i,j} = {PID_{i,1,j}, T_{i,j}}, where T_{i,j} = t_{i,j}P and PID_{i,1,j} = ID_i ⊕ H_1(kP + T_{i,j}). Because a fresh random t_{i,j} is drawn for each message, the vehicle presents a different pseudonym every time, and an attacker cannot link two signatures to the same vehicle, since each pseudonym is used only once.

5. Traceability: When communicating with other vehicles and the RSU, the vehicle uses the pseudonym PID_{i,j} = {PID_{i,1,j}, T_{i,j}}. TRA recovers the real identity by computing ID_i = PID_{i,1,j} ⊕ H_1(kP + T_{i,j}). The tracking key k is securely held only by TRA, so when a vehicle is involved in a malicious incident, only TRA can reveal its real identity.

6. Anti-replay attacks: In the improved CLAS scheme, each signature σ_i produced by the Signature Generation algorithm covers a current timestamp TS_i. The verifier checks the freshness of TS_i, so a replayed message m_i carrying a stale timestamp is rejected.

7. Anti-impersonation attack: If an attacker attempts to forge a vehicle's pseudonym and send a fake message, the signature generated by the adversary is rejected by the Single Signature Verification or Aggregate Verification algorithm. Our proposed CLAS scheme thus resists impersonation attacks.
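The pseudonym mechanism behind items 3 to 6 (generation, one-time use, tracing by TRA, and the timestamp freshness check a verifier applies) is shown below as an added example; it is not the paper's code. It makes several assumptions: the pairing group is replaced by a toy multiplicative group mod a prime (xP becomes g^x, point addition becomes multiplication), H_1 is SHA-1 (chosen only because the page's hash output is 20 bytes), ID_i is a 20-byte field, and the mask inside PID_{i,1,j} is computed in the Diffie-Hellman form k·T_{i,j} = t_{i,j}·(kP) so that the tracking key k is what gates recovery of ID_i; the page writes the mask input as kP + T_{i,j}, so treat the mask form, the freshness window and the replay cache as the example's choices rather than the paper's specification.

```python
"""Pseudonym generation, tracing and timestamp freshness for the VANET
scheme discussed above. Added example, not the paper's code; the group,
hash and mask form are assumptions stated in the lead-in."""
import hashlib
import secrets

# Toy group (assumption): multiplicative group mod a 127-bit prime, generator 3.
# "xP" is modelled as pow(G, x, P_MOD); "point addition" as multiplication.
P_MOD = 2**127 - 1
G = 3
ID_LEN = 20            # page: H1 output is 20 bytes; ID_i is padded to that length
FRESHNESS_WINDOW = 5   # seconds of clock skew tolerated by the verifier (assumption)


def scalar_mul(x, point=G):
    """Stand-in for the elliptic-curve product x*point."""
    return pow(point, x, P_MOD)


def h1(point):
    """H1: group element -> 20-byte digest (SHA-1 chosen for its 20-byte size)."""
    return hashlib.sha1(point.to_bytes(16, "big")).digest()


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def mask(T, k):
    """Mask hidden in PID_{i,1,j}. Assumption: Diffie-Hellman form k*T = t*(kP),
    computable by TRA (holds k) or by whoever chose t, not from kP alone."""
    return h1(scalar_mul(k, T))


def pseudonym_generation(identity, k, t=None):
    """TRA side: PID_{i,j} = {PID_{i,1,j}, T_{i,j}} with T = tP and
    PID_{i,1,j} = ID_i xor H1(mask). A fresh t_{i,j} is drawn per pseudonym."""
    if t is None:
        t = secrets.randbelow(P_MOD - 2) + 1
    T = scalar_mul(t)
    pid1 = xor_bytes(identity.ljust(ID_LEN, b"\0"), mask(T, k))
    return (pid1, T)


def trace(pseudonym, k):
    """TRA side: ID_i = PID_{i,1,j} xor H1(mask). Only the holder of k succeeds."""
    pid1, T = pseudonym
    return xor_bytes(pid1, mask(T, k)).rstrip(b"\0")


def accept_timestamp(pseudonym, ts, now, seen, window=FRESHNESS_WINDOW):
    """Verifier side: reject a signed TS_i that is stale or already seen for this
    pseudonym. `seen` is the verifier's replay cache of (PID_1, T, TS) tuples."""
    if abs(now - ts) > window:
        return False
    key = (pseudonym[0], pseudonym[1], ts)
    if key in seen:
        return False
    seen.add(key)
    return True


if __name__ == "__main__":
    k = secrets.randbelow(P_MOD - 2) + 1   # TRA tracking key
    vid = b"VEH-0001"                       # constructed sample identity
    p1 = pseudonym_generation(vid, k)
    p2 = pseudonym_generation(vid, k)
    print("distinct pseudonyms:", p1 != p2)
    print("traced:", trace(p1, k), trace(p2, k))
    cache = set()
    print("first use:", accept_timestamp(p1, 1000, 1002, cache))
    print("replay:", accept_timestamp(p1, 1000, 1002, cache))
```

Two pseudonyms of the same vehicle share nothing an observer can compare, which is the unlinkability argument of item 4; tracing requires k, which is the traceability argument of item 5; and the replay cache is what turns the timestamp of item 6 into an actual rejection rather than a hint, since a freshness window alone still admits a replay inside the window.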

Performance Evaluation
In this section, we compare the improved CLAS scheme with several CLAS schemes [21–23,28,37] in terms of computational overhead and communication overhead.

Computation Overhead
Simulation experiments comparing computational overhead were run on a desktop with an Intel(R) Core(TM) i5-11300H processor at 3.11 GHz and 16 GB of RAM; the pairing-based operations were implemented in Java using the java.security package and the JPBC library (it.unisa.dia.gas.jpbc). Table 3 lists the cryptographic operations, their symbols and their measured execution times. We count the computational cost of three parts of the scheme, as follows.
(1) The vehicle generates the signature.
In the improved scheme, a vehicle performs two elliptic curve scalar multiplications and two hash evaluations to generate a signature. To verify a single signature, the RSU performs two bilinear pairings, three scalar multiplications, two elliptic curve point additions and three hash evaluations. To verify an aggregate of n signatures, the TMC performs two bilinear pairings, 3n scalar multiplications, 3n point additions and 3n hash evaluations; the number of pairings does not grow with n. The costs of the other schemes are counted in the same way, and Table 4 compares them. Figure 2 plots the cost of generating and verifying a single signature: our scheme has the lowest signing cost among the compared schemes [21–23,28,37], and its single-signature verification cost is lower than those of [21,22,28,37] and slightly higher than that of Wang et al. [23]. Figure 3 shows how the aggregate verification cost grows with the number of signatures.

Communication Overhead
We assess the communication overhead of the enhanced scheme and of several CLAS schemes. Since the scheme relies on bilinear pairings, the relevant parameters are the curve type of the pairing group, the group order and the element lengths. Specifically, p is 64 bytes and an element of G_1 is 128 bytes; the hash output and the timestamp are 20 bytes and 4 bytes, respectively. We assume that the RSU transmits one aggregate signature after receiving n signatures, and take n = 100 for the comparison. Table 5 summarizes the communication overhead. As Figure 4 shows, the overhead of our scheme is lower than that of the other schemes [21–23,37] and equal to that of Kamil et al. [28]; however, the signature generation and verification costs of Kamil et al. [28] are higher.

Practicality Assessment
To assess the processing capability of the RSU, we use the RSU service capacity Rsc, computed with the formula of [23], in which T_ver is the time for one single-signature verification (34.0827 ms in our measurements), N is the number of vehicles within 800 m of the RSU, v is the average vehicle speed (ranging from 5 to 20 m/s), p is the probability that a signature is valid, and d is the communication range of the RSU, assumed to be 1000 m. Figure 5 shows that Rsc decreases as vehicle density and speed increase, so the RSU's service capacity is better at lower vehicle densities.

Conclusions
In this paper, we perform a security assessment of Wang et al.'s conditional privacy-preserving CLAS scheme for VANETs and show that it is vulnerable to the KGC attack and the public key replacement attack. We then present an enhanced CLAS scheme that fixes these issues. The security proof shows that the improved scheme resists type I and type II adversaries in the standard model, and it meets the security requirements specific to VANETs. Finally, we evaluate the improved scheme's computational and communication costs.

Figure 2. Computation overhead of signing and verifying one signature.

Figure 3. The relationship between aggregation verification and the number of signatures.

Figure 5. Rsc in the improved scheme.

Table 1. Notations in Wang et al.'s CLAS scheme.

Table 2. Notations in the improved CLAS scheme.

Table 3. Execution time of cryptographic operations.