Efficient Certificateless Aggregate Signature Scheme for Performing Secure Routing in VANETs

Hubei Co-Innovation Center of Basic Education Information Technology Services, College of Computer, Hubei University of Education, Wuhan, China; Guangdong Provincial Key Laboratory of Data Security and Privacy Protection, Guangzhou, China; Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University, Wuhan, China; Department of Computer Science and Engineering, Thapar University, Patiala, India; School of Communication and Information Engineering, Asia University, Taichung City, Taiwan; King Abdul Aziz University, Jeddah, Saudi Arabia; Department of Information Systems and Cyber Security, Department of Electrical and Computer Engineering, The University of Texas at San Antonio, San Antonio, TX, USA


Introduction
Vehicular ad hoc networks (VANETs) have drawn wide attention in recent years because they help enhance driving safety and optimize transportation systems [1,2]. Figure 1 shows a typical VANET architecture in a vehicle-road cooperative system. The VANET relies on sensor detection and wireless communication technology to obtain vehicle and road information, and it is usually composed of trusted authorities (TAs), road side units (RSUs) along the roads, and on-board units (OBUs) installed in the vehicles.
Through vehicle-to-vehicle and vehicle-to-road information exchange and sharing, the traffic control center can understand the traffic environment, realize intelligent cooperation between vehicles and the infrastructure, and ultimately optimize system resources and improve road traffic.
Just as everything has two sides, VANETs bring convenience to people's lives while also facing serious security challenges. On the one hand, by exchanging information between vehicles, VANETs can enhance vehicle safety and thus passenger safety. On the other hand, the dynamic topology and the lack of centralized management make it difficult to identify nodes that behave maliciously. VANETs may suffer from attacks such as message tampering, false message injection, and denial of service (DoS) [3]. This means that malicious nodes may broadcast false information to other nodes in an attempt to disrupt route discovery or data transmission; because vehicles are constantly changing position, secure routing is therefore essential.
To defend against such attacks, the security design of a VANET should provide authenticity, privacy, and integrity. Authenticity ensures the reliability of a message by correctly identifying the sender, which is the basis of secure routing authentication. Privacy refers to communication under pseudonyms, so that the real identities of the communicating entities are not exposed. Integrity is the mechanism that ensures information cannot be tampered with or dropped as it travels from sender to receiver. These attributes are important factors in public acceptance and successful deployment of VANETs.
Digital signatures [4,5] provide routing authentication, integrity checking, and non-repudiation. Anyone should be able to verify a signature with the signer's public key, which supports efficient and secure communication between nodes in the VANET. However, RSUs and traffic control centers (generally verified by TAs) must check a large number of route-related signatures in high-density communication scenarios [2], which imposes a high computational burden, especially on nodes in resource-constrained networks. In these situations, both the verification cost and the bandwidth consumed by signatures must be kept low, and aggregate signatures are a widely accepted way to achieve this.
Because aggregate signatures reduce the authentication overhead of a node and the certificateless cryptosystem removes the certificate management and key escrow problems of traditional cryptosystems, many researchers have combined certificateless cryptography with aggregate signatures to propose various certificateless aggregate signature (CLAS) schemes. A CLAS scheme not only prevents routing information from being forged, tampered with, or impersonated but also ensures the integrity of the routing information and provides authentication and non-repudiation for its sender. In this paper, we put forward a CLAS scheme for the practical application environment of VANETs.

Our Research Contributions.
In this paper, we put forward a novel CLAS scheme that better supports reliable delivery of routing information in highly dynamic VANETs. The main contributions of this paper are summarized as follows: (i) Firstly, we define a typical VANET architecture for an emergency linkage scheduling environment, which is closer to the actual application scenario. (ii) Secondly, we present a CLAS scheme for VANETs that provides secure routing while meeting the stated security requirements. (iii) Finally, we prove the security and evaluate the performance of the newly proposed CLAS scheme.

Organization of the Paper.
The remainder of this paper is organized as follows: Section 2 describes the related work. Section 3 gives the problem statement, and Section 4 presents the details of the proposed CLAS scheme. Sections 5 and 6 present the security proof and the performance analysis. Finally, Section 7 concludes the paper.

Related Works
To authenticate the sender of a message and thereby establish a trust relationship between nodes, many digital signature schemes have been put forward. In a traditional PKI-based public key cryptosystem [6–8], each user has a key pair consisting of a public key, which is published, and a private key, which is kept secret. To bind a user's public key to his/her identity, a certificate authority (CA) must issue and maintain a certificate for the user, which brings certificate management issues such as distribution, storage, and revocation.
In an identity-based public key cryptosystem (ID-PKC) [9–12], the user's public key is derived directly from his/her identity information, and the private key is produced by a private key generator (PKG) from that identity. Because no certificate is required, ID-PKC eliminates the certificate management problem of the PKI. However, since the PKG can derive any user's private key, ID-PKC suffers from the key escrow problem: the PKG must be fully trusted by all users, which is too strong an assumption in some applications.
To solve the problems of the two cryptosystems above, Al-Riyami and Paterson [13] first put forward the certificateless public key cryptosystem (CL-PKC). In CL-PKC, the user's public key is produced by the user himself/herself, and the user's full private key is generated jointly by the key generation center (KGC) and the user: the KGC generates a partial private key from the user's identity, and the user generates a secret value. Therefore, CL-PKC avoids both the complex certificate management of PKI-based cryptography and the inherent key escrow of identity-based cryptography [14]. These advantages have aroused the enthusiasm of researchers, and many certificateless signature (CLS) schemes have been proposed [2,15,16]. Huang et al. [15] demonstrated that the CLS scheme in [13] cannot resist the public key replacement attack and proposed an improved CLS scheme. Yum and Lee [2] introduced a generic CLS construction; however, Hu et al. [16] showed that their scheme is insecure and proposed an improved CLS scheme. Au et al. [17] proposed a stronger security model that allows a malicious KGC to produce key pairs in any way. Nevertheless, the certificateless signature schemes proposed in [18,19] have been found to be insecure against malicious KGC attacks.
Boneh et al. [20] proposed the concept of aggregate signatures at Eurocrypt 2003. An aggregator compresses n different signatures on n messages from n different signers into a single aggregate signature. The verifier can authenticate all the senders simply by verifying the short aggregate signature, which saves bandwidth and computational cost for mobile devices in VANETs. Because aggregate signatures greatly shorten the total signature length, they are especially suitable for resource-constrained VANETs.
Gong et al. [21] combined the certificateless public-key cryptosystem with aggregate signatures and proposed the first CLAS scheme, but without a formal security proof. After this groundbreaking work [21], many CLAS schemes [22–27] were proposed for various practical application scenarios. Zhang and Zhang [22] redefined the concept and security model of CLAS and proposed a new CLAS scheme, but their scheme has been shown not to resist malicious KGC attacks.
Xiong et al. [23] proposed a CLAS scheme, but He et al. [24] found it to be forgeable and put forward a new CLAS scheme. The authors of [26,27] showed that the CLAS scheme in [25] is insecure against malicious KGC attacks. Horng et al. [28] proposed a CLAS scheme, but we found that the scheme cannot resist either type of adversary in the certificateless security model and that its signatures are forgeable. More recently, Li et al. [29] demonstrated a security defect in the CLAS scheme of [24] and put forward an improved CLAS scheme.

Problem Statement
In this section, we first describe the bilinear map and the related hard problem, then introduce the system model of our proposed CLAS scheme, and finally give the system components of the CLAS scheme.

Bilinear Map.
Suppose that $G_1$ and $G_2$ are two cyclic groups of the same prime order $q$ and that $P$ is a generator of $G_1$. A map $e: G_1 \times G_1 \to G_2$ is a bilinear map if, for all $P, Q, S \in G_1$ and $a, b \in \mathbb{Z}_q^*$, it satisfies the following properties: (1) Bilinearity: $e(P, Q + S) = e(P, Q)\,e(P, S)$ and $e(aP, bQ) = e(abP, Q) = e(P, abQ) = e(P, Q)^{ab}$.

Computational Diffie-Hellman (CDH) Problem.
Given a generator $P$ of an additive cyclic group $G_1$ of prime order $q$ and a random instance $(aP, bP)$, where $a, b \in \mathbb{Z}_q^*$ are unknown, compute $abP$.

Computational Diffie-Hellman (CDH) Assumption.
There is no probabilistic polynomial-time adversary $\mathcal{A}$ that solves the CDH problem in $G_1$ with non-negligible probability $\varepsilon$.

System Model.
In this paper, we take the application of VANETs in an emergency linkage scheduling (ELS) environment as an example; the corresponding VANET architecture is shown in Figure 2. There are six types of entities in this architecture: on-board unit (OBU), road side unit (RSU), key generation center (KGC), emergency command center (ECC), signature aggregator (SA), and trusted authority (TA). The entities are defined as follows.

On-Board Unit.
An on-board unit is a device installed in a vehicle. Let $ID_i$ denote the identity and $(SK_i, PK_i)$ the key pair of an OBU. Each OBU uses its private key to sign the relevant routing information and then sends the signature to the signature aggregator.

Road Side Unit.
A road side unit is a device installed at the side of the road. It can sign related messages, realize the exchange and sharing of vehicle-road information, and provide local real-time traffic information to the emergency command center.

Key Generation Center.
The key generation center is responsible for generating the system parameters $params$ and the partial private key $D_i$ of each OBU or RSU from its identity, and for sending $D_i$ to that OBU or RSU over a secret channel.

Emergency Command Center.
The emergency command center is a device with strong computing power and plenty of storage space. It obtains information on the accident scene and surrounding road conditions from OBUs or RSUs through the vehicular network emergency linkage system and issues corresponding emergency measures to improve rescue efficiency.

Signature Aggregator.
The signature aggregator is a device with a certain amount of computing power. It collects the individual route-related signatures from OBUs or RSUs, generates an aggregate signature, and sends it to the corresponding TA.

Trusted Authority.
Trusted authority is a device with a certain computing power. It is responsible for verifying the route-related aggregate signature and then outputting a verification result.

System Components.
Our CLAS scheme for performing secure routing in VANETs is a collection of the following seven polynomial-time algorithms:
(i) Setup$(k) \to (params, s, P_{pub})$ is a probabilistic algorithm executed by the KGC, where $k$ is the security parameter, $params$ is the system parameter list, $s$ is the system master key, and $P_{pub}$ is the system master public key.
(ii) Partial-Key-Gen$(params, ID_i) \to D_i$ is a probabilistic algorithm executed by the KGC, where $params$ is the system parameter list, $ID_i \in \{0,1\}^*$ is a user's identity, and $D_i$ is the partial private key corresponding to $ID_i$.
(iii) User-Key-Gen$(params, D_i) \to (SK_i, PK_i)$ is a randomized algorithm executed by the user with identity $ID_i$, where $params$ is the system parameter list, $D_i$ is the partial private key corresponding to $ID_i$, and $(SK_i, PK_i)$ is the key pair of the user with identity $ID_i$.
(iv) Sign$(params, (SK_i, PK_i), ID_i, m_i) \to \sigma_i$ is a randomized algorithm executed by the signer, where $params$ is the system parameter list, $(SK_i, PK_i)$ is the key pair of the signer, $ID_i$ is the signer's identity, $m_i$ is the message, and $\sigma_i$ is the signature on $m_i$.
(v) Verify$(params, ID_i, PK_i, m_i, \sigma_i) \to \{0, 1\}$ is a deterministic algorithm executed by the verifier, where $params$ is the system parameter list, $ID_i$ is the signer's identity, $PK_i$ is the signer's public key, $m_i$ is the message, and $\sigma_i$ is the signature on $m_i$; the output 1 or 0 indicates whether $\sigma_i$ is valid.
(vi) Aggregate$(params, \{(ID_i, PK_i, m_i, \sigma_i)\}_{1 \le i \le n}) \to \sigma$ is a deterministic algorithm executed by the signature aggregator, where $params$ is the system parameter list, $ID_i$ is the $i$-th signer's identity, $PK_i$ is its public key, $m_i$ is its message, $\sigma_i$ is its signature on $m_i$, and $\sigma$ is the resulting aggregate signature.
(vii) Aggregate-Verify$(params, \{(ID_i, PK_i, m_i)\}_{1 \le i \le n}, \sigma) \to \{0, 1\}$ is a deterministic algorithm executed by the aggregate verifier, where $params$ is the system parameter list and $\sigma$ is the aggregate signature on the messages $m_i$ under the identities $ID_i$ and public keys $PK_i$; the output 1 or 0 indicates whether $\sigma$ is valid.

Our Proposed CLAS Scheme
To improve the security of routing information in VANETs, we propose a new CLAS scheme. Compared with previous work, our scheme pursues two goals: (1) unforgeability of the signatures and (2) better performance. The scheme consists of seven phases: Setup, Partial-Key-Gen, User-Key-Gen, Sign, Verify, Aggregate, and Aggregate-Verify. The details are described below.

Setup.
The KGC generates the system parameters from the security parameter $k$ as follows: (1) The KGC generates two cyclic groups $G_1$ and $G_2$ of prime order $q$, a generator $P$ of $G_1$, and a bilinear pairing $e: G_1 \times G_1 \to G_2$. (2) The KGC randomly selects $s \in \mathbb{Z}_q^*$ as the master key and computes $P_{pub} = sP$ as the master public key. (3) The KGC chooses the hash functions $H_1$, $H_2$, $h_1$, $h_2$, publishes $params = \{G_1, G_2, P, e, q, P_{pub}, H_1, H_2, h_1, h_2\}$, and keeps $s$ secret.

Partial-Key-Gen.
The KGC produces a user's partial private key as follows: (1) Given the user's identity $ID_i$, the KGC computes $Q_i = H_1(ID_i)$ and the partial private key $D_i = s \cdot Q_i$. (2) The KGC sends $D_i$ to the user over a secret channel.

User-Key-Gen.
A user with identity $ID_i$ generates his/her full private key and public key as follows: (1) The user randomly selects $x_i \in \mathbb{Z}_q^*$ as the secret value. (2) The user sets $SK_i = (D_i, x_i)$ as the full private key. (3) The user computes $PK_i = x_i P$ as the public key.
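To make the algebra of Setup, Partial-Key-Gen, and User-Key-Gen concrete, the following Python program is an added example (not code from the paper) that runs these three phases over a toy symmetric bilinear map: $G_1$ is modelled as the additive group $\mathbb{Z}_q$ with $q = 101$, so a "point" $aP$ is just the integer $a \bmod q$, and $e(aP, bP) = g^{ab}$ in the order-$q$ subgroup of $\mathbb{Z}_{607}^*$. The map is genuinely bilinear, so the identities of Section 3.1 hold, but discrete logarithms and CDH are trivial in groups this small; the example illustrates the equations, not a secure instantiation. The hash $H_1$ (SHA-256 reduced into $\mathbb{Z}_q^*$), the identity strings, and the partial-key check $e(D_i, P) = e(Q_i, P_{pub})$, which a user can run before accepting $D_i$ from the KGC, are the example's own assumptions and are not specified on the page.

```python
"""Toy model of the CLAS key-generation phases (Setup, Partial-Key-Gen,
User-Key-Gen) with a symmetric bilinear map.

Added example, not the paper's code. The groups are deliberately tiny and
insecure: G1 is the additive group Z_q (a "point" aP is the integer a*P mod q)
and e(A, B) = g^(A*B) in the order-q subgroup of Z_p^*. The map is bilinear,
so it reproduces the algebra of the scheme, but discrete logs and CDH are
trivial here; use it to follow the equations, not as a cryptosystem.
"""
import hashlib
import secrets

# Constructed toy parameters (assumption): q | p - 1, so 2^((p-1)/q) has order q.
Q = 101
P_MOD = 607                                  # prime; 607 - 1 = 6 * 101
G2_GEN = pow(2, (P_MOD - 1) // Q, P_MOD)     # generator of the order-q subgroup of Z_607^*
P = 1                                        # generator of G1 = Z_q


def scalar_mul(k, point):
    """k*Point in G1 (written kP in the paper)."""
    return (k * point) % Q


def point_add(a, b):
    """Point addition in G1."""
    return (a + b) % Q


def pairing(a, b):
    """Symmetric bilinear map e: G1 x G1 -> G2 with e(aP, bP) = g^(ab)."""
    return pow(G2_GEN, (a * b) % Q, P_MOD)


def h1(identity):
    """Map-to-point hash H1: {0,1}* -> G1 (toy choice: SHA-256 reduced into Z_q^*)."""
    digest = int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big")
    return 1 + digest % (Q - 1)


def setup():
    """Setup: the KGC picks the master key s in Z_q^* and publishes P_pub = sP."""
    s = secrets.randbelow(Q - 1) + 1
    return s, scalar_mul(s, P)


def partial_key_gen(s, identity):
    """Partial-Key-Gen: Q_i = H1(ID_i), D_i = s * Q_i (sent to the user secretly)."""
    q_i = h1(identity)
    return scalar_mul(s, q_i)


def user_key_gen(d_i):
    """User-Key-Gen: secret value x_i, full private key (D_i, x_i), public key PK_i = x_i P."""
    x_i = secrets.randbelow(Q - 1) + 1
    return (d_i, x_i), scalar_mul(x_i, P)


def partial_key_is_valid(identity, d_i, p_pub):
    """Check the KGC's partial key before using it: e(D_i, P) == e(H1(ID_i), P_pub).

    This check is the example's own addition; it follows from bilinearity because
    D_i = s*Q_i and P_pub = sP, so both sides equal e(Q_i, P)^s.
    """
    return pairing(d_i, P) == pairing(h1(identity), p_pub)


def bilinearity_holds(a, b, c):
    """Section 3.1 identities: e(aP, bP + cP) == e(aP, bP)e(aP, cP) and e(aP, bP) == e(P, abP)."""
    ap = scalar_mul(a, P)
    lhs = pairing(ap, point_add(scalar_mul(b, P), scalar_mul(c, P)))
    rhs = (pairing(ap, scalar_mul(b, P)) * pairing(ap, scalar_mul(c, P))) % P_MOD
    symmetric = pairing(ap, scalar_mul(b, P)) == pairing(P, scalar_mul(a * b, P))
    return lhs == rhs and symmetric


if __name__ == "__main__":
    s, p_pub = setup()
    d = partial_key_gen(s, "OBU-0042")           # constructed identity string
    (d_i, x_i), pk = user_key_gen(d)
    print("bilinearity:", bilinearity_holds(7, 13, 29))
    print("partial key accepted:", partial_key_is_valid("OBU-0042", d_i, p_pub))
    # A tampered partial key (or one issued for another identity) fails the check.
    print("tampered key rejected:", not partial_key_is_valid("OBU-0042", (d_i + 1) % Q, p_pub))
```

The partial-key check is what a user would run on receiving $D_i$ from the KGC: it costs two pairings but catches a corrupted or misdelivered partial key before the user derives $SK_i$ and publishes $PK_i$.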

Sign.
A signer with identity $ID_i$ produces a signature $\sigma_i$ on the message $m_i$ as follows: (1) The signer takes as input the system parameters $params$, the key pair $(SK_i, PK_i)$, and the message $m_i$. (2) The signer randomly selects $w_i \in \mathbb{Z}_q^*$ and computes $W_i = w_i P$.

Verify.
The verifier checks the signature $\sigma_i = (W_i, V_i)$ on the message $m_i$ under identity $ID_i$ as follows: (2) The verifier checks the following equation: (3) If equation (1) holds, the verifier outputs 1 and accepts $\sigma_i$; otherwise, it outputs 0 and rejects $\sigma_i$.

Aggregate.
The aggregator generates the aggregate signature $\sigma$ from the user-message-public key-signature pairs $(ID_i, m_i, PK_i, \sigma_i)$, $1 \le i \le n$, as follows:

Aggregate-Verify.
The aggregate verifier checks the following equation: (4) If equation (2) holds, the verifier outputs 1 and accepts the aggregate signature $\sigma$; otherwise, it outputs 0 and rejects $\sigma$.
Our proposed CLAS scheme is correct if and only if the single signature and aggregate signature generated using our scheme can satisfy equations (1) and (2), respectively, where the correctness of the scheme is elaborated as follows:

Security Analysis
In this section, we analyze the security of our proposed CLAS scheme. We first give the security model of a CLAS scheme and then prove that our proposal can satisfy signature unforgeability under the security model. At last, we demonstrate a comparative summary of the security between our CLAS scheme and three recently published CLAS schemes.

Security Model.
There are two types of adversaries in the CLAS security model: $\mathcal{A}_I$ and $\mathcal{A}_{II}$. $\mathcal{A}_I$ models an outside attacker who does not know the system master key but may replace any user's public key. $\mathcal{A}_{II}$ models a malicious KGC, i.e., an insider who knows the system master key but cannot replace any user's public key.

Definition 1.
The security model of a CLAS scheme is defined by two games (Game1 and Game2) played between an adversary $\mathcal{A} \in \{\mathcal{A}_I, \mathcal{A}_{II}\}$ and a challenger $\mathcal{C}$; the details are given below.
$\mathcal{A}$ may access the following six oracles in the security model.

Setup.
$\mathcal{C}$ runs the Setup algorithm to generate the system master key $s$ and $params$. What $\mathcal{C}$ hands to the adversary depends on the adversary type, as specified in Game1 and Game2 below.

Reveal-Partial-Key.
When the challenger $\mathcal{C}$ receives a partial private key query from $\mathcal{A}$ for a user with identity $ID_i$, $\mathcal{C}$ first checks whether $ID_i = ID_{tu}$. If so, it aborts; otherwise, it checks whether there is a record for $ID_i$ in the list $L_D$. If there is, $D_i$ is sent to $\mathcal{A}$; otherwise, $\mathcal{C}$ generates $D_i$, sends it to $\mathcal{A}$, and stores it in $L_D$.

Reveal-Secret-Key.
When the challenger $\mathcal{C}$ receives a secret value query from $\mathcal{A}$ for a user with identity $ID_i$, $\mathcal{C}$ first checks whether $ID_i = ID_{tu}$. If so, it aborts; otherwise, it checks whether there is a record for $ID_i$ in the list $L_x$. If there is, $x_i$ is sent to $\mathcal{A}$; otherwise, $\mathcal{C}$ generates $x_i$, sends it to $\mathcal{A}$, and stores it in $L_x$.

Reveal-Public-Key.
When the challenger $\mathcal{C}$ receives a public key query from $\mathcal{A}$ for a user with identity $ID_i$, $\mathcal{C}$ checks whether there is a record for $ID_i$ in the list $L_{PK}$. If there is, $PK_i$ is sent to $\mathcal{A}$; otherwise, $\mathcal{C}$ generates $PK_i$, sends it to $\mathcal{A}$, and stores it in $L_{PK}$.

Replace-Public-Key.
When the challenger $\mathcal{C}$ receives a query to replace the public key of identity $ID_i$ with a public key $PK_i^*$ of $\mathcal{A}$'s choice, $\mathcal{C}$ checks whether there is a record for $ID_i$ in the list $L_{PK}$. If there is, it updates the entry $(ID_i, x_i, PK_i, D_i)$ to $(ID_i, x_i, PK_i^*, D_i)$ in $L_{PK}$; otherwise, it aborts.

Sign.
When the challenger $\mathcal{C}$ receives a signature query on the message $m_i$ with signer identity $ID_i$, $\mathcal{C}$ first checks whether the user $ID_i$ has been created. If not, it aborts. If the user has been created and its public key $PK_i$ has not been replaced, a valid signature $\sigma_i$ is returned; if the user has been created and its public key has been replaced with $PK_i^*$, a signature $\sigma_i^*$ under $PK_i^*$ is returned.
We next define the two games that capture the two types of attackers against a CLAS scheme.

Game1. The challenger $\mathcal{C}$ interacts with the adversary $\mathcal{A}_I$ as follows:
(1) Setup. $\mathcal{C}$ takes a security parameter $k$ and generates the system master key $s$ and the system parameter list $params$ by running the Setup algorithm. Then, $\mathcal{C}$ sends $params$ to $\mathcal{A}_I$ and keeps $s$ secret.
(2) Queries. $\mathcal{A}_I$ may access any hash oracle and the Reveal-Partial-Key, Reveal-Secret-Key, Reveal-Public-Key, Replace-Public-Key, and Sign oracles at any time.
(3) Forgery. $\mathcal{A}_I$ outputs an aggregate signature $\sigma^*$ with respect to $n$ user-message-public key-signature pairs $(ID_i^*, m_i^*, PK_i^*, \sigma_i^*)$, $1 \le i \le n$. We say that $\mathcal{A}_I$ wins Game1 if and only if all of the following hold: (a) $\sigma^*$ is a valid aggregate signature with respect to the pairs $(ID_i^*, m_i^*, PK_i^*, \sigma_i^*)$, $1 \le i \le n$; (b) the targeted identity $ID_i^*$ has never been submitted to the Reveal-Partial-Key oracle; (c) $(ID_i^*, m_i^*)$ has never been submitted to the Sign oracle.

Game2. The challenger $\mathcal{C}$ interacts with the adversary $\mathcal{A}_{II}$ as follows:
(1) Setup. $\mathcal{C}$ takes a security parameter $k$ and generates the system master key $s$ and the system parameter list $params$ by running the Setup algorithm. Then, $\mathcal{C}$ gives both $params$ and $s$ to $\mathcal{A}_{II}$.
(2) Queries. $\mathcal{A}_{II}$ may access any hash oracle and the Reveal-Partial-Key, Reveal-Secret-Key, Reveal-Public-Key, and Sign oracles at any time.
(3) Forgery. $\mathcal{A}_{II}$ outputs an aggregate signature $\sigma^*$ with respect to the pairs $(ID_i^*, m_i^*, PK_i^*, \sigma_i^*)$, $1 \le i \le n$. We say that $\mathcal{A}_{II}$ wins Game2 if and only if all of the following hold: (a) $\sigma^*$ is a valid aggregate signature with respect to the user-message-public key-signature pairs $(ID_i^*, m_i^*, PK_i^*, \sigma_i^*)$, $1 \le i \le n$; (b) the targeted identity $ID_i^*$ has never been submitted to the Reveal-Secret-Key oracle; (c) $(ID_i^*, m_i^*)$ has never been submitted to the Sign oracle.

Security Proof.
In this section, we prove that our proposed CLAS scheme is secure in the security model of Section 5.1. The proof has two parts: (1) the CLAS scheme is unforgeable against the Type I adversary $\mathcal{A}_I$, and (2) the CLAS scheme is unforgeable against the Type II adversary $\mathcal{A}_{II}$.

Theorem 1. Our proposed CLAS scheme is existentially unforgeable against the adversary $\mathcal{A}_I$ if the CDH problem is hard in $G_1$.
Proof. We prove unforgeability against $\mathcal{A}_I$ via Game1, played between the adversary $\mathcal{A}_I$ and a simulator $\mathcal{C}$.
$\mathcal{C}$ is given a random CDH instance $(P, Q_1 = aP, Q_2 = bP)$, where $P$ is a generator of $G_1$, and its goal is to compute $abP$.
The simulation proceeds as follows:
(i) Setup: $\mathcal{C}$ randomly selects $ID_{tu}$ as the identity of the target user, sets $P_{pub} = Q_1 = aP$, and generates and sends the system parameters $params = \{G_1, G_2, P, e, q, P_{pub}, H_1, H_2, h_1, h_2\}$ to $\mathcal{A}_I$. $\mathcal{A}_I$ then issues the following queries.
(ii) $H_1$ query: $\mathcal{C}$ maintains a list $L_{H_1}$, all of whose entries are initialized to null. When $\mathcal{C}$ receives a query on the identity $ID_i$ from $\mathcal{A}_I$, it first checks whether the tuple
(iii) $H_2$ query: $\mathcal{C}$ maintains a list $L_{H_2}$ with entries of the form $(P_{pub}, \vartheta, Z)$, all initialized to null. When $\mathcal{C}$ receives a query on $P_{pub}$ from $\mathcal{A}_I$, it checks whether a tuple $(P_{pub}, \vartheta, Z)$ exists in $L_{H_2}$; if so, it returns $Z$ to $\mathcal{A}_I$; otherwise, $\mathcal{C}$ randomly selects $\vartheta \in \mathbb{Z}_q^*$, computes $Z = \vartheta P$, returns $Z$ to $\mathcal{A}_I$, and stores $(P_{pub}, \vartheta, Z)$ in $L_{H_2}$.
(iv) $h_1$ query: $\mathcal{C}$ maintains a list $L_{h_1}$ with entries of the form $(ID_i, PK_i, W_i, \alpha_i)$, all initialized to null. When $\mathcal{C}$ receives a query on the tuple $(ID_i, PK_i, W_i)$ from $\mathcal{A}_I$, it checks whether a tuple $(ID_i, PK_i, W_i, \alpha_i)$ exists in $L_{h_1}$; if so, it returns $\alpha_i$ to $\mathcal{A}_I$; otherwise, $\mathcal{C}$ randomly selects $\alpha_i$, returns it to $\mathcal{A}_I$, and stores $(ID_i, PK_i, W_i, \alpha_i)$ in $L_{h_1}$.
(viii) Reveal-Public-Key queries: $\mathcal{C}$ maintains a list $L_{PK}$ with entries of the form $(ID_i, PK_i)$, all initialized to null. When $\mathcal{C}$ receives a query on the identity $ID_i$ from $\mathcal{A}_I$, it first checks whether a tuple $(ID_i, PK_i)$ exists in $L_{PK}$; if so, it returns $PK_i$ to $\mathcal{A}_I$; otherwise, $\mathcal{C}$ looks up $x_i$ in $L_x$, computes $PK_i = x_i P$, returns $PK_i$ to $\mathcal{A}_I$, and stores $(ID_i, PK_i)$ in $L_{PK}$.
(ix) Replace-Public-Key queries: when $\mathcal{C}$ receives a query $(ID_i, PK_i^*)$ from $\mathcal{A}_I$, it replaces the real public key $PK_i$ of $ID_i$ in $L_{PK}$ with the $PK_i^*$ chosen by $\mathcal{A}_I$.
(x) Sign queries: when $\mathcal{C}$ receives a query $(m_i, ID_i, PK_i)$ from $\mathcal{A}_I$, it looks up $L_{H_1}$, $L_{H_2}$, $L_{h_1}$, and $L_{h_2}$ to obtain $\zeta_i$, $Q_i$, $Z$, $\alpha_i$, and $\beta_i$, respectively. It then chooses a random $w_i \in \mathbb{Z}_q^*$, computes the signature, and returns it to $\mathcal{A}_I$ as the signature on the message $m_i$ under the identity $ID_i$ and the public key $PK_i$.
(xi) Forgery: finally, $\mathcal{A}_I$ outputs a forged aggregate signature $\sigma^* = (W^*, V^*)$ on the message-identity-public key pairs $(m_i^*, ID_i^*, PK_i^*)$, $1 \le i \le n$. If $\zeta_i = 0$ for all $i$, $\mathcal{C}$ aborts; otherwise, without loss of generality, let $ID_{tu} = ID_1$, that is, $\zeta_1 = 1$ and $\zeta_i = 0$ for $2 \le i \le n$. The forged signature then satisfies the following equation, in which $W_1^*, \ldots, W_n^*$ denote the components of the individual forged signatures. The derivation is as follows.

(5)
This contradicts the CDH assumption, so both the individual signatures and the aggregate signatures generated by our scheme are unforgeable against $\mathcal{A}_I$.

Theorem 2. Our proposed CLAS scheme is existentially unforgeable against the adversary $\mathcal{A}_{II}$ if the CDH problem is hard in $G_1$.
Proof. We prove unforgeability against $\mathcal{A}_{II}$ via Game2, played between the adversary $\mathcal{A}_{II}$ and a simulator $\mathcal{C}$.
$\mathcal{C}$ is given a random CDH instance $(P, Q_1 = aP, Q_2 = bP)$, where $P$ is a generator of $G_1$, and its goal is to compute $abP$. The simulation proceeds as follows: (i) Setup: $\mathcal{C}$ randomly selects $ID_{tu}$ as the identity of the target user, sets $P_{pub} = \lambda P$, and generates and sends $params = \{G_1, G_2, P, e, q, P_{pub}, H_1, H_2, h_1, h_2\}$ together with the system master key $\lambda$ to $\mathcal{A}_{II}$. $\mathcal{A}_{II}$ then issues the following queries; the $h_1$, $h_2$, and Reveal-Secret-Key queries are answered exactly as in Theorem 1. Since $\mathcal{A}_{II}$ holds the system master key, Reveal-Partial-Key queries are unnecessary, and Replace-Public-Key queries are not allowed.
(ii) $H_1$ query: $\mathcal{C}$ maintains a list $L_{H_1}$ with entries of the form $(ID_i, \eta_i, Q_i)$, all initialized to null. When $\mathcal{C}$ receives a query on the identity $ID_i$ from $\mathcal{A}_{II}$, it first checks whether a tuple $(ID_i, \eta_i, Q_i)$ exists in $L_{H_1}$; if so, it returns $Q_i$ to $\mathcal{A}_{II}$; otherwise, $\mathcal{C}$ randomly selects $\eta_i \in \mathbb{Z}_q^*$, sets $Q_i = \eta_i P$, returns $Q_i$ to $\mathcal{A}_{II}$, and stores $(ID_i, \eta_i, Q_i)$ in $L_{H_1}$.
(iii) $H_2$ query: $\mathcal{C}$ maintains a list $L_{H_2}$ with entries of the form $(P_{pub}, \vartheta, Z)$, all initialized to null. When $\mathcal{C}$ receives a query on $P_{pub}$ from $\mathcal{A}_{II}$, it checks whether a tuple $(P_{pub}, \vartheta, Z)$ exists in $L_{H_2}$; if so, it returns $Z$ to $\mathcal{A}_{II}$; otherwise, $\mathcal{C}$ randomly selects $\vartheta \in \mathbb{Z}_q^*$, computes $Z = \vartheta Q_1 = \vartheta aP$, returns $Z$ to $\mathcal{A}_{II}$, and stores $(P_{pub}, \vartheta, Z)$ in $L_{H_2}$.
(iv) Reveal-Public-Key queries: $\mathcal{C}$ maintains a list $L_{PK}$ with entries of the form $(ID_i, \zeta_i, PK_i)$, all initialized to null. When $\mathcal{C}$ receives a query on the identity $ID_i$ from $\mathcal{A}_{II}$, it first checks whether a tuple $(ID_i, \zeta_i, PK_i)$ exists in $L_{PK}$; if so, it returns $PK_i$ to $\mathcal{A}_{II}$; otherwise, $\mathcal{C}$ flips a coin $\zeta_i \in \{0, 1\}$. If $\zeta_i = 0$, $\mathcal{C}$ looks up $x_i$ in $L_x$ and computes $PK_i = x_i P$; if $\zeta_i = 1$, $\mathcal{C}$ randomly chooses $x_i \in \mathbb{Z}_q^*$ and computes $PK_i = x_i Q_2 = x_i bP$. It returns $PK_i$ to $\mathcal{A}_{II}$ and stores $(ID_i, \zeta_i, PK_i)$ in $L_{PK}$.
(v) Sign queries: when $\mathcal{C}$ receives a query $(m_i, ID_i, PK_i)$ from $\mathcal{A}_{II}$, it looks up $L_{H_1}$, $L_{H_2}$, $L_{h_1}$, and $L_{h_2}$ to obtain $Q_i$, $\zeta_i$, $Z$, $\alpha_i$, and $\beta_i$, respectively. It then chooses a random $w_i \in \mathbb{Z}_q^*$, computes the signature, and returns it to $\mathcal{A}_{II}$ as the signature on the message $m_i$ under the identity $ID_i$ and the public key $PK_i$.
(vi) Forgery: finally, $\mathcal{A}_{II}$ outputs a forged aggregate signature $\sigma^* = (W^*, V^*)$ on the message-identity-public key pairs $(m_i^*, ID_i^*, PK_i^*)$, $1 \le i \le n$. If $\zeta_i = 0$ for all $i$, $\mathcal{C}$ aborts; otherwise, without loss of generality, let $ID_{tu} = ID_1$, that is, $\zeta_1 = 1$ and $\zeta_i = 0$ for $2 \le i \le n$. The forged signature then satisfies the following equation, where

Security and Communication Networks
The derivation is as follows. This contradicts the CDH assumption, so both the individual signatures and the aggregate signatures generated by our scheme are unforgeable against $\mathcal{A}_{II}$.

Security Comparisons and Performance Analysis
In this section, we first compare the security of the new CLAS scheme and the other three CLAS schemes and then further analyze the performance advantages of the new CLAS scheme by evaluating the computation overhead.

Security Comparisons.
In this section, we compare the security of our proposed CLAS scheme with that of three other CLAS schemes [21,25,29]. Let $\mathcal{A}_I$ and $\mathcal{A}_{II}$ denote the Type I and Type II adversaries, respectively. Following [30], each adversary type is further divided into three levels: $B_{i1}$ denotes a general adversary, $B_{i2}$ a strong adversary, and $B_{i3}$ a super adversary, where $i \in \{1, 2\}$ is the adversary type. In Table 1, √ means the scheme satisfies the corresponding security requirement and × means it does not; W and S denote weaker and stronger security under the corresponding attack type; SP denotes the overall security performance. The security comparison of the schemes is shown in Table 1.
From Table 1, we find that the first two schemes (Gong et al.'s scheme [21] and Liu et al.'s scheme [25]) do not meet all security attributes. In particular, neither of Gong et al.'s two CLAS schemes [21] reaches security level $B_{i3}$ against either $\mathcal{A}_I$ or $\mathcal{A}_{II}$. In contrast, Li et al.'s CLAS scheme [29] and our proposed CLAS scheme meet all the security requirements.

Performance Analysis.
In this section, we present a performance analysis of the newly proposed CLAS scheme by comparing its computation overhead with that of Li et al.'s scheme. To achieve a credible security level, we select q and p as 160-bit and 512-bit primes, respectively. An Ate pairing e: G_1 × G_1 → G_2 is used in our experiments, where G_1 and G_2 are two cyclic groups of the same order q, defined on the supersingular elliptic curve E(F_p): y^2 = x^3 + 1.
We implemented Li et al.'s scheme and our new scheme with the MIRACL library [31] on a Lenovo computer running Windows 7, with an Intel i5-3470 3.20 GHz CPU and 4 GB of memory. For simplicity, we first define the notation for each operation and its execution time, as shown in Table 2.
Because the Setup, Partial-Key-Gen, and Private-Key-Gen phases are executed by the PKG or the user, and all of them are one-time operations, we focus on the analysis and comparison of computational costs in the Sign, Verify, Aggregate, and Aggregate-Verify phases. Since additions and multiplications in Z_q^* incur negligible computational overhead, we ignore them.
In the Sign phase, the user in Li et al.'s scheme needs to perform two general hash operations in Z_q^*, one map-to-point hash operation in G_1, three point addition operations in G_1, and five point multiplication operations in G_1. Therefore, the time for generating a signature in the Sign phase is 2T_{m-s} + T_{m-p} + 3T_{ecc-pa} + 5T_{ecc-pm} milliseconds, whereas the user in our proposal needs to perform two general hash operations in Z_q^*, one map-to-point hash operation in G_1, two point addition operations in G_1, and three point multiplication operations in G_1. Therefore, the time for generating a signature in the Sign phase is 2T_{m-s} + T_{m-p} + 2T_{ecc-pa} + 3T_{ecc-pm} milliseconds.
In the Verify phase, the verifier in Li et al.'s scheme needs to execute two general hash operations in Z_q^*, two map-to-point hash operations in G_1, two point addition operations in G_1, two point multiplication operations in G_1, and three bilinear pairing operations. Therefore, the time for verifying a signature in the Verify phase is 2T_{m-s} + 2T_{m-p} + 2T_{ecc-pa} + 2T_{ecc-pm} + 3T_{bp} milliseconds, whereas the verifier in our proposal needs to perform two general hash operations in Z_q^*, two map-to-point hash operations in G_1, one point addition operation in G_1, two point multiplication operations in G_1, and three bilinear pairing operations. Therefore, the time for verifying a signature in the Verify phase is 2T_{m-s} + 2T_{m-p} + T_{ecc-pa} + 2T_{ecc-pm} + 3T_{bp} milliseconds.
In the Aggregate phase, the aggregator in Li et al.'s scheme needs to execute n − 1 point addition operations in G_1, and the aggregator in our proposal likewise needs to execute n − 1 point addition operations in G_1. Hence the running time of the Aggregate phase is (n − 1)T_{ecc-pa} milliseconds in both schemes.
In the Aggregate-Verify phase, the aggregate verifier in Li et al.'s scheme needs to execute 2n general hash operations in Z_q^*, n + 1 map-to-point hash operations in G_1, 4n − 2 point addition operations in G_1, 2n point multiplication operations in G_1, and three bilinear pairing operations. Therefore, the running time of the Aggregate-Verify phase is 2nT_{m-s} + (n + 1)T_{m-p} + (4n − 2)T_{ecc-pa} + 2nT_{ecc-pm} + 3T_{bp} milliseconds, whereas the aggregate verifier in our proposal needs to perform 2n general hash operations in Z_q^*, n + 1 map-to-point hash operations in G_1, 3n − 2 point addition operations in G_1, 2n point multiplication operations in G_1, and three bilinear pairing operations. Therefore, the running time of the Aggregate-Verify phase is 2nT_{m-s} + (n + 1)T_{m-p} + (3n − 2)T_{ecc-pa} + 2nT_{ecc-pm} + 3T_{bp} milliseconds.
Suppose that n = 100, that is, there are 100 signatures that need to be generated, verified, aggregated, and aggregate-verified. From the results in Figure 3, we can see that Li et al.'s scheme has the same computation overhead as our new CLAS scheme in the Aggregate phase, whereas in the Sign, Verify, and Aggregate-Verify phases the computation cost of our scheme is lower than that of Li et al.'s scheme. In particular, in the Sign phase the computation cost of our scheme is reduced by 26 percentage points compared with that of Li et al.'s scheme. In summary, our presented CLAS scheme reduces the computation cost while meeting the security requirements.
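The operation counts above can be checked mechanically. The following cost model is an added example written for this page, not code from the paper or from the MIRACL implementation: it encodes the per-phase operation counts stated in the text for both schemes as functions of the number of signatures n, subtracts them symbolically (so the saving is expressed in operation symbols rather than milliseconds), and optionally evaluates them against a timing table. The symbol strings and the EXAMPLE_TIMINGS values are constructed placeholders, since Table 2 is not reproduced here; plugging in the measured Table 2 values is what would reproduce Figure 3.

```python
from collections import Counter
from typing import Dict, Mapping

# Operation symbols matching the paper's notation (assumed string names).
M_S = "T_m-s"      # general hash into Z_q^*
M_P = "T_m-p"      # map-to-point hash into G_1
PA = "T_ecc-pa"    # point addition in G_1
PM = "T_ecc-pm"    # point (scalar) multiplication in G_1
BP = "T_bp"        # bilinear pairing

Cost = Dict[str, int]  # operation symbol -> count


def li_costs(n: int) -> Dict[str, Cost]:
    """Per-phase operation counts of Li et al.'s scheme, as stated in the text."""
    return {
        "Sign": {M_S: 2, M_P: 1, PA: 3, PM: 5},
        "Verify": {M_S: 2, M_P: 2, PA: 2, PM: 2, BP: 3},
        "Aggregate": {PA: n - 1},
        "Aggregate-Verify": {M_S: 2 * n, M_P: n + 1, PA: 4 * n - 2, PM: 2 * n, BP: 3},
    }


def our_costs(n: int) -> Dict[str, Cost]:
    """Per-phase operation counts of the proposed scheme, as stated in the text."""
    return {
        "Sign": {M_S: 2, M_P: 1, PA: 2, PM: 3},
        "Verify": {M_S: 2, M_P: 2, PA: 1, PM: 2, BP: 3},
        "Aggregate": {PA: n - 1},
        "Aggregate-Verify": {M_S: 2 * n, M_P: n + 1, PA: 3 * n - 2, PM: 2 * n, BP: 3},
    }


def symbolic_saving(n: int) -> Dict[str, Cost]:
    """Li et al. minus ours, per phase, as operation counts (zero terms dropped)."""
    saving = {}
    for phase, li in li_costs(n).items():
        diff = Counter(li)
        diff.subtract(our_costs(n)[phase])   # keys only in ours become negative
        saving[phase] = {op: c for op, c in diff.items() if c != 0}
    return saving


def evaluate_ms(cost: Cost, timings: Mapping[str, float]) -> float:
    """Total running time in ms given a symbol -> ms table (e.g. the paper's Table 2)."""
    return sum(count * timings[op] for op, count in cost.items())


def relative_saving(phase: str, n: int, timings: Mapping[str, float]) -> float:
    """Fraction of Li et al.'s running time saved by the proposed scheme in one phase."""
    li = evaluate_ms(li_costs(n)[phase], timings)
    ours = evaluate_ms(our_costs(n)[phase], timings)
    return (li - ours) / li


# Constructed placeholder timings in ms; NOT the paper's measured Table 2 values.
EXAMPLE_TIMINGS = {M_S: 0.001, M_P: 3.0, PA: 0.02, PM: 2.0, BP: 10.0}

if __name__ == "__main__":
    n = 100
    for phase, diff in symbolic_saving(n).items():
        print(f"{phase:17s} saving: {diff or 'none'}")
    for phase in li_costs(n):
        print(f"{phase:17s} {100 * relative_saving(phase, n, EXAMPLE_TIMINGS):5.1f}% "
              f"(with placeholder timings)")
```

The symbolic output makes the structure of the saving explicit: one point addition plus two scalar multiplications per signature in Sign, one point addition in Verify, nothing in Aggregate, and n point additions in Aggregate-Verify. Because the three pairings dominate Verify and Aggregate-Verify while being identical in both schemes, the relative saving there is small regardless of the timing table, which is why the Sign phase shows the largest percentage improvement.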

Conclusion
Digital signatures can provide secure routing authentication, privacy protection, integrity, and nonrepudiation. To solve the above problems, several CLAS schemes have been introduced recently. Unfortunately, most existing CLAS schemes have been found to have security flaws or unsatisfactory performance in computation and communication costs. To avoid these issues and better address the problem of secure routing authentication in resource-constrained VANETs, we put forward a new CLAS scheme. The security analysis demonstrates that the new CLAS scheme is provably secure and satisfies the security attributes required in VANETs. The performance evaluation shows that the new CLAS scheme achieves a novel security level while reducing the computation cost. Our CLAS scheme is robust against all types of attacks, which makes it more suitable for performing secure routing in resource-constrained VANETs.

Data Availability
The data used to support the findings of this study are available from the corresponding author upon request.