Aggregatable Certificateless Designated Verifier Signature

In recent years, Internet of Things (IoT) devices have been deployed increasingly in many industries and generate a large amount of data that needs to be processed in a timely and efficient manner. Aggregate signatures provide a secure and efficient way to handle large numbers of digital signatures on the same message. Recently, privacy has become a concern in data sharing on the cloud. To provide integrity, authenticity, authority, and privacy for data sharing in cloud storage, the notion of an aggregatable certificateless designated verifier signature scheme (ACLDVS) was proposed. ACLDVS is also a perfect tool to enable efficient privacy-preserving authentication systems for IoT and/or vehicular ad hoc networks (VANET). Our concrete scheme is proved secure under the Computational Diffie-Hellman assumption. Compared to other related schemes, our scheme is efficient, and the signature size is considerably short.


I. INTRODUCTION
A wireless sensor network (WSN) is made up of a large number of sensor nodes, which are densely deployed very close to each other. It has the advantages of low cost, high efficiency and low latency. The protocols and algorithms used in a wireless sensor network must possess self-organizing capabilities. A sensor node has an onboard processor, which can be used to perform simple computations locally and transmit only the necessary and partially processed data back to the requesting node. This cooperative effort of sensor nodes is one of the unique and attractive features of wireless sensor networks.
The above-described feature enables a wide range of applications for wireless sensor networks, for example, healthcare, military, and security. In a healthcare application, a doctor can securely monitor wearable health devices. With consent from the patient, the wearable health devices allow the doctor to have a better understanding of the patient's current condition. However, the patient's medical reports generated by these devices could leak the privacy of the patient and, hence, should be appropriately handled and protected. The data and its signature transmitted between the sensor devices and the monitor have to be encrypted to provide confidentiality and authenticity. This can be done simply by implementing the SSL/TLS protocol. Nevertheless, that ensures only confidentiality and authenticity; it does not preserve the privacy of the patient. The privacy of a patient can be achieved by implementing a designated verifier signature instead of a general signature. Moreover, to save communication and computation cost, an aggregate signature scheme can be applied to limit the amount of data that needs to be transmitted through the network. The data and its signatures can be gathered at the sensor gateway; the sensor gateway then aggregates them into a single signature and passes it to the monitor server. The details of this implementation are described in [10].
The associate editor coordinating the review of this manuscript and approving it for publication was Kashif Saleem.
With the rapid growth of applications of various Internet of Things (IoT) devices and the development of wireless communication technology, especially for WSN, the topic of vehicular ad hoc networks (VANET) has attracted significant interest and attention. In VANET, vehicles equipped with wireless devices can communicate with each other. The main objective of VANET is to set up and maintain a communication network among vehicles without using any centralized network architecture based on base stations [26]. One example of a VANET application is a critical medical emergency in a place with no access to any communication infrastructure, where it is vital to pass on information that could save human lives. The lack of infrastructure support in VANET puts additional responsibility on each vehicle that is part of the network: every node must maintain and forward the communication on this network to other nodes. In the United States, intelligent transportation systems (ITS) implement Dedicated Short Range Communications (DSRC), which operates around the 5.9 GHz frequency band. DSRC consists of RoadSide Units (RSUs) and On-Board Units (OBUs) that have transceivers and transponders. A vehicle with an OBU can communicate directly with another vehicle with an OBU, which is called Vehicle-to-Vehicle (V2V) communication.
Meanwhile, a vehicle with an OBU that communicates with a Road Side Unit (RSU) is known as Vehicle-to-Infrastructure (V2I) communication. Each vehicle in VANET can operate in both modes of communication simultaneously. More details of VANET can be found in [25].
However, the rapid movement of the nodes affects the stability of the network route, and the large number of nodes in the network causes communication delays; this is a significant problem in VANET that cannot be ignored [9]. The concept of certificateless public key cryptography has been recommended to secure the communication in VANET and to avoid both the complexity associated with managing public key certificates and the drawback of key escrow in identity-based cryptography [25], [26], [29], [30]. For public key management in cryptography, a Certificate Authority (CA) is commonly utilized to certify the public key. However, it is a security weak point in VANET, since it creates a single point of failure in an environment where limited bandwidth and the dynamic nature of the network are crucial. A compromised CA puts the security of the whole VANET at risk, and the collapse of communication in the network is unavoidable. Hence, efficient key agreement and distribution in VANET is strategically assigned to certificateless cryptography. In some specific applications, the signatures on the same message generated by different nodes need to be compressed to reduce the cost of transmission and verification computation in bandwidth- and storage-constrained environments. This issue can be solved with an aggregate signature, which reduces both the cost of verification and the length of the signature, and which was designed to be effective in bandwidth- and storage-constrained environments.

A. RELATED WORK
Since the seminal introduction of the digital signature notion [11] and its formalization [12], the notion of digital signatures has been extended to capture different scenarios and situations in real life. With a public-private key pair, a signer holding the private key can produce a signature on a message, and anyone can verify this signature with the public key.
A designated verifier signature (DVS) provides both authenticity and deniability at the same time. It was proposed by Jakobsson, Sako and Impagliazzo in [19]. The authenticity property ensures that the signer indeed signed this digital signature. The deniability property ensures that only the designated verifier can verify the validity of this digital signature signed by the signer; moreover, this conviction cannot be transferred to any other third party. It has been widely studied and extended to many areas [13], [16], [18], [21], [22], [24], [32]-[35], [37].
Laguillaumie and Vergnaud were the first to propose a multi-designated verifiers signature scheme (MDVS) in [21]. Later, Thorncharoensri et al. [35] introduced the policy-controlled signature (PCS), a variant of MDVS in the attribute-based setting. They also proposed extension schemes in [37]. The signature size of MDVS schemes is linear in the number of designated verifiers, while the signature size of PCS schemes is linear in the number of attributes in the policy but does not limit the number of designated verifiers. There are many variants of DVS, such as the universal designated verifier signature (UDVS) scheme [32], [36], where a delegator can sign on behalf of the signer; the one-time UDVS scheme, where the signature can be recovered if the delegator produces more than one universal designated verifier signature; ID-based DVS [33]; and proxy DVS [16].
Certificateless public key cryptography was first proposed by Al-Riyami and Paterson in [2]. Unlike traditional public key cryptography, which needs a certificate to ensure the authenticity of public keys, certificateless public key cryptography does not require the use of any certificate. The formal security definitions of certificateless signature (CLS) schemes have been intensively discussed by Au et al. in [3], Huang et al. in [15] and Huang et al. in [17]. Karati et al. [20] put forward a lightweight certificateless signature that can run on devices with restricted computation. However, it was proven to be insecure by Zhang et al. [39]. Later, Yang et al. [38] illustrated a public key replacement attack on Zhang et al.'s improved CLS scheme [39].
The use of certificateless aggregate signatures in VANET applications was demonstrated by Cui et al. [9]. They also proposed an efficient certificateless aggregate signature scheme for VANETs that does not require bilinear pairing. Certificateless public key cryptography in the standard model was proposed by Canard and Trinh in [7].
Some applications, such as multicast, allow data sent from the leaf nodes to be gathered at a branch node before being passed to the root node. This leads to a many-to-one communication pattern. To ensure authenticity, integrity and non-repudiation, the cost of verification computation and bandwidth is linear in the number of leaf nodes. This led to the proposal of the aggregate signature scheme in 2003 by Boneh et al. [6]. An aggregate signature refers to the aggregation, by an aggregation algorithm, of n signatures on n messages signed by n signers into a single signature. The verifier only needs to verify this aggregate signature, which confirms whether or not the signatures are from the specified n users. Aggregate signatures not only reduce the cost of verification but can also reduce the length of the signature that is transmitted, and can be valuable in environments constrained in bandwidth and storage. Since the proposal of the aggregate signature scheme, it has been widely studied and expanded in many areas. Recently, due to the popularity of IoT topics, compact and lightweight certificateless aggregate signature schemes were proposed in [10], [14], [23]. Deng et al. proposed a certificateless short aggregate signature in [10]. It is efficient in the signing and verifying process, requiring only two pairing operations in verification, and the size of the signature is only one point on the elliptic curve plus some state information. However, the state information must be shared among signers (devices) before each signer can sign a message. This causes another issue in securely generating the shared state information. Hashimoto and Ogata introduced a compact and unrestricted certificateless aggregate signature whose signature size is constant. Their concrete scheme is similar to Deng et al.'s concrete scheme; however, the former scheme is much more flexible.
It does not need to share state information every time the signer generates a signature. Li et al. recently proposed the most efficient certificateless aggregate signature scheme in [23]. The concrete scheme does not require bilinear pairing, and it also allows the scalar multiplications over E/F q to be computed offline and stored for later use. Therefore, it is suitable for IoT devices with limited computation power.
Huang et al. first introduced the notion of certificateless designated verifier signature schemes in [18]. Recently, many certificateless designated verifier signature schemes have been proposed [13], [22], [28], [31]. Rastegari et al. [28] provided an intensive security review of certificateless designated verifier signature schemes and drew a conclusion on the suitable security model for such schemes. They also proposed a concrete scheme in the standard model. Shen et al. introduced the certificateless aggregate signature with designated verifier (CLASDV) in [31]. In this scheme, the aggregator acts as a delegator in the universal designated verifier signature scheme: given a signature from the original signer, he/she can generate a designated verifier signature on behalf of the original signer. In contrast, the aggregator in our scheme can only aggregate the signatures to reduce the communication cost and cannot generate a designated verifier signature on behalf of the signers.
Constructing the aggregatable certificateless designated verifier signature scheme (ACLDVS) is not a simple task of combining or modifying the above-mentioned works. There is no generic construction that can convert an existing DVS scheme to ACLDVS. Combining certificateless signature, aggregate signature and designated verifier signature together is not a trivial process. For example, Shen et al.'s CLASDV scheme [31] can only achieve privacy through the aggregator; the privacy of the signer is not preserved from the beginning.
Since our scheme is unique and applicable to many applications, our comparison with other schemes aims at performance, and at positioning our scheme in the balance between communication cost, performance and privacy preservation. Hence, the well-known related signature schemes [9], [18], [20] were chosen for the comparison in Section V.

B. OUR CONTRIBUTIONS
In this paper, we concentrate on providing a designated verifier signature that can be aggregated by any party; however, only the designated verifier can check the validity of this aggregate designated verifier signature.
Our reliable and efficient certificateless aggregate designated verifier scheme solves the aforementioned problems in integrity, authentication, and privacy. Compared with other certificateless aggregate signature and certificateless designated verifier schemes, our scheme has better performance, as follows.
1) Our concrete scheme does not employ expensive bilinear pairings or map-to-point hash functions; hence, our scheme can easily be implemented on most IoT devices. Since our scheme has the unique property of being a combination of aggregate signature, designated verifier signature and certificateless signature schemes, we compared our scheme to well-known efficient schemes in those areas. The results of the comparison are in Table 2 and Figures 1 to 5.
2) Our concrete scheme satisfies the unforgeability requirements of [28], as demonstrated by our security proofs in Section IV-A.
3) Our concrete scheme provides signer privacy preservation in the sense of deniability; hence, none other than the designated verifier can verify the validity of the signature. This property is due to the transcript simulation, which shows that the designated verifier can also generate the signature.
Paper Organization: The paper is organized as follows. In the next section, the notation and definitions used throughout this paper are described. The definition of an aggregatable certificateless designated verifier signature (ACLDVS) and its security notions are given in Section III. In the following section, the construction of the efficient ACLDVS scheme is described with its security proof. Finally, the comparison of our scheme with other schemes and the conclusion of the paper are presented in the last two sections.

II. PRELIMINARIES
A. NOTATION
The following notations will be used in the rest of this paper.

B. BILINEAR PAIRING
Let G 1 and G 2 be cyclic multiplicative groups with generators g 1 and g 2 respectively. Let p be a prime and the order of both generators. Let G T be another cyclic multiplicative group with the same order p. Let ê be an efficient algorithm. We denote by ê : G 1 × G 2 → G T a bilinear mapping with the following properties: 1) Bilinearity: ê(g 1 , g 2 ) ∈ G T . Note that there exists a function ϕ(.) which maps G 1 to G 2 or vice versa in one unit of time.

Definition 1 (Computational Diffie-Hellman (CDH) Problem):
Given a 3-tuple (g, g χ , g ψ ) ∈ G 1 as input, output g χ·ψ . An algorithm A has advantage in solving the CDH problem if where the probability is over the random choice of χ, ψ ∈ Z * q and the random bits consumed by A.
Assumption 1 (Computational Diffie-Hellman Assumption [5], [11]): We say that the (t, )-CDH assumption holds if no PPT algorithm with time complexity t(.) has an advantage of at least in solving the CDH problem.

III. AGGREGATABLE CERTIFICATELESS DESIGNATED VERIFIER SIGNATURE SCHEMES (ACLDVS)
In this section, we propose our aggregatable certificateless designated verifier signature scheme (ACLDVS). There are three main players: a trusted authority KGC, who issues keys associated with its public key to the rest; a verifier V; and a signer S, who generates a signature that can be verified only by the specified verifier V. Let ID = {ID 1 , . . . , ID n } be a set of n identities and U = ID ∪ {pk i : ID i ∈ ID} be the set of identities and public keys of the n users.
System Parameter Generation (Setup): Given a security parameter as input, a probabilistic algorithm Setup outputs the system parameter param and the private key (sk K ) of the trusted authority. That is,
Extract Partial Private Key (PPK): Given param, a user identity ID U ∈ {0, 1} * and sk K as input, a probabilistic algorithm PPK outputs the partial private key (psk U ) and the public parameter (ppk U ) of the user. That is,
Note that U represents a user who may be a signer or a verifier.
Setup User Secret Value (SetSV): Given param and a user identity ID U as input, a probabilistic algorithm SetSV outputs the secret value (sv U ) of the user. That is,
Setup User Private Key (SetSK): Given param, the user identity IDP, psk U and sv U as input, a probabilistic algorithm SetSK outputs the private key (sk U ) of the user. That is,
Setup User Public Key (SetPK): Given param and the user identity ID U as input, a probabilistic algorithm SetPK outputs the public key (pk U ) of a signer. That is,
Signature Signing (Sign): Given param, sk S , pk S , pk V and a message M as input, a probabilistic algorithm Sign outputs a signer's signature δ. That is,
Aggregate (Aggregate): Given param, U, δ 1 , . . . , δ n and M as input, a probabilistic algorithm Aggregate outputs an aggregate signature σ. That is,
Verification (Verify): Given param, sk V , U, M and σ as input, a deterministic algorithm Verify outputs a verification decision d ∈ {accept, reject}. That is,
Transcript Simulation (Sim): Given param, sk V , U and M as input, a probabilistic algorithm Sim outputs a simulated signature σ. That is,

A. SECURITY MODEL OF AGGREGATABLE CERTIFICATELESS DESIGNATED VERIFIER SIGNATURE SCHEMES
In ACLDVS, there are two types of attack, described by different capabilities. Type I: In this type of attack, an adversary A I does not have access to the master key. However, it has the ability to replace any public key and/or obtain most of the signers' secret keys (but at least one signer's secret key and one verifier's secret key must remain secret to A I ). Given the above ability, with the public parameters and the queries in Table 1, A I can choose messages with adaptive strategies and submit them to the signing oracle. Finally, if A I can output a valid message-signature pair that has never been queried before, then A I is successful in the attack.
Type II: In this type of attack, an adversary A II has access to the master key. However, it does not have the ability to replace any public key of its own choice. Given the above ability, with the public parameters and the queries in Table 1, A II can choose messages with adaptive strategies and submit them to the signing oracle. Finally, if A II can output a valid message-signature pair that has never been queried before, then A II is successful in the attack.

IV. OUR SCHEME
The ACLDVS scheme is described as follows.
Setup: On input a security parameter , KGC randomly chooses a prime p ≈ poly(1 ). Let G 1 , G 2 and G T denote three groups of prime order p. Let ê be the bilinear mapping function, which maps G 1 and G 2 to G T . The above mapping function is defined as ê : To generate the public parameters, first select a random integer a ∈ Z * p . Choose a random generator g ∈ G 1 and a bilinear mapping function ê. Construct a function ϕ : G 1 → G 2 and compute o = ϕ(g) ∈ G 2 . Select hash functions H : {0, 1} * → G 1 and h : {0, 1} * → Z * p . Compute W = g a . Set sk K = a and param = (p, ê, g, o, W , H , h). Then, Setup returns (param, sk K ).
PPK: With param, sk K and ID U ∈ {0, 1} * as input, PPK randomly generates psk U as follows: select a random integer µ U ∈ Z * p . Let ppk U = (T U = g µ U ) and compute l U = h(ID U ||T U ). Let psk U = d U = µ U + l U · a. Then, PPK returns (ppk U , psk U ).
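The Setup and PPK steps above, together with the public-key check whose equation is elided on this page, as an added example that is not the paper's own code. It assumes a toy group (the order-p subgroup of Z_q^* for a safe prime q, so no pairing is involved), SHA-256 for h, and reconstructs the proof-of-possession values (B, γ, c) of SetPK from the relation B = g^j (T·W^l)^{-k}, c = j that the Type-I simulator uses in Section IV-A; the check g^d = T·W^l itself follows directly from d_U = µ_U + l_U·a and W = g^a.

```python
"""Toy reconstruction of Setup, PPK and the public-key check of ACLDVS.
Added example, not the paper's code.  Assumptions that are mine:
  * G_1 is modelled as the order-p subgroup of Z_q^* with q = 2p + 1 a safe
    prime; no pairing is needed here, so o, e-hat, G_2, G_T are omitted and
    Y, Z live in the same group as X.
  * h : {0,1}^* -> Z_p^* is SHA-256 reduced into [1, p - 1].
  * The proof of possession (B, gamma, c) in SetPK is reconstructed from the
    relation B = g^j (T W^l)^{-k}, c = j used by the Type-I simulator: an
    honest user sets B = g^r, gamma = h(ID||B||T||X||Y||Z), c = r + gamma*d.
"""
import hashlib
import secrets


def is_probable_prime(n, rounds=32):
    """Trial division plus Miller-Rabin; enough for a toy group."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_safe_prime(bits):
    """Return (q, p) with q = 2p + 1, both prime, p of the given bit length."""
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(p) and is_probable_prime(2 * p + 1):
            return 2 * p + 1, p


def h(param, *parts):
    """h : {0,1}^* -> Z_p^* over fixed-width encodings of bytes/int inputs."""
    width = (param["q"].bit_length() + 7) // 8
    data = b"".join(x if isinstance(x, bytes) else x.to_bytes(width, "big") for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (param["p"] - 1) + 1


def rand_exp(param):
    """Uniform element of Z_p^*."""
    return secrets.randbelow(param["p"] - 1) + 1


def setup(bits=64):
    """Setup: master key a, W = g^a.  Returns (param, sk_K)."""
    q, p = gen_safe_prime(bits)
    g = pow(secrets.randbelow(q - 3) + 2, 2, q)  # a square != 1 generates the order-p subgroup
    a = secrets.randbelow(p - 1) + 1
    return {"q": q, "p": p, "g": g, "W": pow(g, a, q)}, a


def ppk(param, sk_K, ident):
    """PPK: T_U = g^mu, l_U = h(ID_U || T_U), d_U = mu + l_U * a.  Returns (ppk_U, psk_U)."""
    mu = rand_exp(param)
    T = pow(param["g"], mu, param["q"])
    return T, (mu + h(param, ident, T) * sk_K) % param["p"]


def set_pk(param, ident, sv, T, d):
    """SetPK: X = g^x, Y = g^y, Z = g^z plus the reconstructed proof (gamma, c) of d."""
    q, g = param["q"], param["g"]
    X, Y, Z = (pow(g, e, q) for e in sv)
    r = rand_exp(param)
    gamma = h(param, ident, pow(g, r, q), T, X, Y, Z)  # B = g^r is what gets hashed
    return {"X": X, "Y": Y, "Z": Z, "T": T, "gamma": gamma, "c": (r + gamma * d) % param["p"]}


def verify_pk(param, ident, pk):
    """Key check: B = g^c (T W^l)^{-gamma} must hash back to gamma.
    Passing proves knowledge of d with g^d = T W^l, i.e. the partial key came
    from the KGC for this ID; a replaced T without its matching d (the Type-I
    adversary's capability) fails here."""
    q, p, g, W = param["q"], param["p"], param["g"], param["W"]
    base = pk["T"] * pow(W, h(param, ident, pk["T"]), q) % q  # T * W^l = g^d
    B = pow(g, pk["c"], q) * pow(base, (-pk["gamma"]) % p, q) % q
    return h(param, ident, B, pk["T"], pk["X"], pk["Y"], pk["Z"]) == pk["gamma"]


def demo():
    """Honest keys pass; a key with a replaced T (no matching d) fails."""
    param, sk_K = setup()
    ident = b"sensor-node-17"  # constructed identity
    T, d = ppk(param, sk_K, ident)
    q, g, W = param["q"], param["g"], param["W"]
    partial_ok = pow(g, d, q) == T * pow(W, h(param, ident, T), q) % q  # g^d == T W^l
    sv = tuple(rand_exp(param) for _ in range(3))
    honest_ok = verify_pk(param, ident, set_pk(param, ident, sv, T, d))
    fake_T = pow(g, rand_exp(param), q)  # attacker-chosen T with no KGC-issued d
    replaced_ok = verify_pk(param, ident, set_pk(param, ident, sv, fake_T, d))
    return partial_ok, honest_ok, replaced_ok
```

Running `demo()` returns `(True, True, False)`: the honest partial key and public key pass, and the key with a substituted T is rejected because its c was computed with a d that no longer satisfies g^d = T·W^l.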

3) Verify each pk i by computing
A. SECURITY ANALYSIS
Theorem 1: The ACLDVS scheme is a designated verifier signature scheme.
Proof: The verification of ACLDVS requires x U , y U , z U and d U , which are the secret key of the designated verifier. From the Sim algorithm, the designated verifier can also generate a valid signature using his/her secret key (x U , y U , z U , d U ). Hence, the signature produced by the designated verifier is indistinguishable from the signature produced by the signer. To be precise, a third party cannot confirm the validity of this signature.

Theorem 2: The ACLDVS scheme is existentially unforgeable under Type-I adversary A I attack model, if the CDH assumption holds in the random oracle model.
Proof: Assume that there exists a forger algorithm A I running the existential unforgeability game defined in Section III-A. Then we will show that, by using A I , an adversary F solves the CDH problem.
Initialization: on input g, g χ and g ψ as an instance of the CDH problem, F runs Setup and sets g = g, W = g χ and obtains (param = (p,ê, g, o, W , h), sk K = χ).
Queries: The following queries are constructed by A I before running the simulation.
Hash − Q: On a request for a hash value of a string (h( )), Hash − Q checks whether it is in the queried list or not. If it exists in the list, then it returns the corresponding value; otherwise, Hash − Q randomly chooses ι ←$ Z p and returns h( ) = ι. Hash − Q keeps ( , ι) in its list, and the list can be accessed only by F. Let ǫ H be the number of hash queries.
PPK − Q: With ID i ∈ {0, 1} * as input, PPK − Q randomly generates psk i as follows: select random However, if the input identity is ID * V , it will abort the simulation. Let ǫ pp be the list of queried ID i in the PPK − Q queries. PPK − Q returns (ppk U , psk U ).
SV − Q: With ID i ∈ {0, 1} * as input, SV − Q selects random integers x i , y i , z i ∈ Z * p and sets sv i = (x i , y i , z i ). Then, SV − Q returns sv i for ID i . However, if the input identity is ID * V , it will abort the simulation. Let ǫ sk be the number of queries with ID i in the list L sk .
SK − Q: Since the PPK − Q and SV − Q queries can be used to obtain the same result as this type of query, for this attack model we simply omit its construction.
PK − Q: With ID i ∈ {0, 1} * as input, PK − Q runs SetPK to output pk i = (X i = g x i , Y i = o y i , Z i = o z i , T i ) for a user U . However, if the input identity is ID * S , it randomly picks x S * , y S * , µ S * , k S * , j S * ∈ Z * p , sets γ S * = k S * = h(ID * S ||B S * ||T S * ||X S * ||Y S * ||Z S * ) in Hash − Q and calculates B S * = g j S * (T S * · W l S * ) −k S * , c S * = j S * . It outputs pk S * = (X S * = g x S * , Y S * = g y S * , T S * = g µ S * , γ S * , c S * ) for ID * S . If the input identity is ID * V , it randomly selects Let ǫ pk be the number of queries with ID i in the list L pk .
RPK − Q: With ID i ∈ {0, 1} * and pk̂ i as input, RPK − Q uses ID i to get the corresponding pk i from SetPK and replaces it with pk̂ i . In order for pk̂ i to pass the public key verification, if the sv i corresponding to pk̂ i had been queried, then the record (ID i , pk i , pk̂ i ) will be removed from the list. Intuitively, L rpk keeps only the records for which F cannot simulate the signature due to the lack of knowledge of the corresponding sv. Moreover, if the input identity is ID * V , it will abort the simulation. Let ǫ rpk be the number of queries in the list L rpk .
Sign − Q: With M ∈ {0, 1} * , ID V and U as input, Sign − Q runs Sign or Sim for all signature queries except a signature query with ID * S as signer and ID * V as verifier. Sign − Q outputs the signature with ID * S as signer and ID * V as verifier as follows: 1) Select a random integer ṙ S * ∈ Z * p . 2) Verify pk i by computing Sign − Q outputs δ S * for the query of a signature on M , ID * S and ID * V . Let ǫ s be the number of queries in the list L s .
Verify − Q: With M ∈ {0, 1} * , δ, ID V and U as input, Verify − Q runs Verify for all ID i . If ID V is ID V * and ID S * ∈ U, it checks whether the equations below hold or not.

1) Run Hash
If it does not hold, then Verify outputs reject. Otherwise, it outputs accept.
Phase I: The simulation begins by giving A I access to the above queries. Note that A I always queries any string (or message) to the Hash − Q oracle before it outputs a potential forgery.
Phase II: At the end of the simulation, after executing an adaptive strategy with the above queries, A I outputs a forgery σ * on a message M * with ID 1 , . . . , ID n ∈ U * such that ∃ID i ∉ (L sk ∧ L pp ) and ID V * ∉ (L sk ∧ L pp ). A I wins the game if the signature σ * on the message M * with U, ID V * , pk V * is valid and it was not an output of the Sign − Q queries.
Solve CDH Problem: To solve the CDH problem, the forking technique of [4], [27] is applied. F first obtains a signature σ * on message M * where h(m||R S * ||Y V * z S * ||pk V * ||pk S * ) =ṙ S . Simultaneously, F resets A I to the initial state and repeats the above simulation with a different hash value h(m||R S * ||Y V * z S * ||pk V * ||pk S * ) =r S . Eventually, A I outputs another signature σ . Finally, F computes
Probability: The success probability of solving the CDH problem using A I is based on the Forking Lemma in [4], [27]. Some notation is defined first.
A : The success probability ADV A I (.) that A I outputs a forgery.
F : The success probability ADV EUF−CMA (.) that A I wins the above simulation.
C : The success probability ADV CDH (.) that F solves the CDH problem.
E 1 : The simulation does not abort in PPK − Q queries.
E 2 : The simulation does not abort in SV − Q queries.
E 3 : The simulation does not abort in RPK − Q queries.
E 4 : The simulation does not abort after A I outputs the forgery.
Note that ǫ H ǫ s ≥ ǫ rpk ≈ ǫ pp ≈ ǫ sv ≈ ǫ pk from the nature of the aforementioned simulation. The success probability of solving the CDH problem is described as follows: From (1) and (2), Note that F 2 l is negligible, hence it is omitted. To summarize, A I wins the above game and outputs a signature σ * on a message M * with probability e 3 · ǫ pk · √ ǫ H C . This success probability shows that our aggregatable certificateless designated verifier signature scheme is existentially unforgeable under an adaptive chosen message attack in the Type-I adversary model if the success probability of solving the CDH problem is negligible.
For the Type-II adversary, assume that there exists a forger algorithm A II running the existential unforgeability game defined in Section III-A. Then we show that, using A II , an adversary F solves the CDH problem.
Initialization: on input g, g χ and g ψ as an instance of the CDH problem, F runs Setup, sets g = g and obtains (param = (p, ê, g, o, W , h), sk K = a).
Queries: The following queries are constructed by A II before running the simulation.
Then, SV − Q returns sv i for ID i . However, if the input identity is ID * S or ID * V , it will abort the simulation. Let ǫ sk be the number of queries with ID i in the list L sk .
SK − Q: With ID i ∈ {0, 1} * as input, SK − Q selects random integers x i , y i ∈ Z * p , runs PPK − Q to obtain (ppk i , psk i ) and SV − Q to obtain (x i , y i , z i ). Next, it sets sk i = (x i , y i , z i , d i ). Then, SK − Q returns sk i for ID i . However, if the input identity is ID * S or ID * V , it aborts the simulation. Let ǫ sk be the number of queries with ID i in the list L sk .
PK − Q: With ID i ∈ {0, 1} * as input, PK − Q runs SetPK and outputs pk i = ( for a user V * . Let ǫ pk be the number of queries with ID i in the list L pk .
Sign − Q: With M ∈ {0, 1} * , ID V and U as input, Sign − Q runs Sign or Sim for all signature queries except a signature query with ID * S as signer and ID * V as verifier. It computes the signature with ID * S as signer and ID * V as verifier as follows: 1) Select random integers r S * ,r S * ∈ Z * p . 2) Run Hash − Q to obtain 3) Verify pk i by computing and checking whether g c i ?
If it does not hold, then Verify outputs reject. Otherwise, it outputs accept.
Phase I: The simulation begins by giving sk K and access to the above queries to A II . Note that A II always queries any string (or message) to the Hash − Q oracle before it outputs a potential forgery.
Phase II: At the end of the simulation, after executing an adaptive strategy with the above queries, A II outputs a forgery σ * on a message M * with ID 1 , . . . , ID n ∈ U * : A II wins the game if the signature σ * on the message M * with U, ID V * , pk V * is valid and it was not an output of the Sign − Q queries.
Solve CDH Problem: To solve the CDH problem, the forking technique of [4], [27] is applied. F first obtains a signature σ * on message M * where h(m||R * S ||R S * ||X y S * V * ||pk V * ||pk S * ) = r S . Simultaneously, F resets A II to the initial state and repeats the above simulation with a different hash value h(m||R * S ||R S * ||X y S * V * ||pk V * ||pk S * ) =r S . Eventually, A II outputs another signature σ . Finally, F computes
Probability: The success probability of solving the CDH problem using A II is based on the Forking Lemma in [4], [27]. Some notation is defined first.
A : The success probability ADV A II (.) that A II outputs a forgery.
F : The success probability ADV EUF−CMA (.) that A II wins the above simulation.
C : The success probability ADV CDH (.) that F solves the CDH problem.
E 1 : The simulation does not abort in SK − Q queries.
E 2 : The simulation does not abort after A II outputs the forgery.
Note that ǫ H ǫ pk > ǫ sk from the nature of the aforementioned simulation. The success probability of solving the CDH problem is described as follows: From (1) and (2), Note that F 2 l is negligible, hence it is omitted. To summarize, A II wins the above game and outputs a signature σ * on a message M * with probability e · ǫ pk 2 · √ ǫ H C . This success probability shows that our aggregatable certificateless designated verifier signature scheme is existentially unforgeable under an adaptive chosen message attack in the Type-II adversary model if the success probability of solving the CDH problem is negligible.
VOLUME 8, 2020

V. ASYMPTOTIC ANALYSIS AND EXPERIMENTAL RESULTS
Our ACLDVS scheme captures the need for authenticity and privacy preservation in limited-computation environments. The comparison between our scheme and other schemes is given in Table 2. We denote by n the number of signers participating in the signing process of the aggregate signature scheme. Let E denote an exponentiation in G 1 or G T . Let M denote a scalar multiplication in G 1 . Let P denote a computation of the bilinear pairing function ê. A computation of a hash function from {0, 1} * to G 1 is denoted by H, and a computation of a hash function from {0, 1} * to Z p is denoted by h. Since multiplication and addition in Z p are trivial, they are omitted.
The experiments used the Pairing-Based Cryptography Library (PBC) provided by [8]. The code was written in Python using the Charm-Crypto framework developed by Akinyele et al. [1] for rapid cryptography development. The first experiment was conducted on an Intel Xeon CPU model X5650 clocked at 2.67 GHz with 2 cores and 4 threads and 16 Gigabytes of ECC DDR3 memory. The operating system used in this experiment was Ubuntu 18.04. The second experiment was conducted on a Raspberry Pi 4 Cortex-A72 (ARM v8) 64-bit SoC clocked at 1.5 GHz with 4 cores and 4 Gigabytes of DDR4 memory. Raspbian was the operating system used in the second experiment.
Both experiments were executed with 224-bit MNT curves (Type D in PBC). A Type D curve with 224-bit group elements has a short size for the group elements, and it is considerably fast for the bilinear pairing computation. It achieves security comparable to 1344 bits (6 x 224 bits) of discrete logarithm (DLog) security.
Each experiment was conducted by first randomly selecting one verifier (only for the designated verifier schemes). The number of signers participating in the simulation ranged from 1 to 200, with a unique identity for each signer. In each round of the simulation, the number of signers participating in the signing was increased by one. In each round, the simulator ran the KGC for the signers to extract the partial private-public key pair before processing the key validation, signing and verification. The message used in the experiment was randomly generated in each round with a fixed size of 30 bytes. From the results in Figure 1

VI. CONCLUSION
The privacy issue over information shared in cloud storage or in VANET without an efficient and proper control mechanism has motivated us to provide schemes resolving it. The notion of an aggregatable certificateless designated verifier signature scheme captures the need for integrity, authenticity, authority, and privacy, and serves as a perfect tool to enable efficient privacy-preserving authentication systems for VANET. Moreover, our ACLDVS signature is aggregatable, which is helpful in reducing the communication cost in ad hoc network environments.