A short certificateless aggregate signature against coalition attacks

Certificateless aggregate signature (CLAS) is a crucial cryptosystem. It can not only compress multiple signatures into a short signature, but also ensure the validity of each signature participating in the aggregation by verifying the validity of an resulting aggregate signature. Therefore, a secure and efficient CLAS scheme is very useful for resource-constrained environments because it greatly reduces the overall length of the signature and the verifier’s computational overhead. Cheng et al. presented an efficient CLAS scheme and proved its security in the random oracle model. However, we find that their scheme has security flaws. In this paper, we demonstrate that Cheng et al.’s CLAS scheme is vulnerable to coalition attacks from internal signers. To overcome these attacks, we present an improved CLAS scheme and prove that it is existentially unforgeable under the computational Diffie-Hellman assumption. In addition, our CLAS scheme can not only resist coalition attacks but also generate a very short aggregate signature. The performance analysis results show that our improved CLAS scheme is lower than the related CLAS schemes in terms of communication overhead and computation cost.


Introduction
Digital signature is one of the major cryptosystems in modern cryptography, which can authenticate the user's identity, protect the integrity of the data and achieve the non-repudiation of the user's behavior. Hence, digital signature is one of the important security technologies in open network environments [1][2][3], which can ensure data security and identity authentication in new network forms and services [4][5][6]. In a digital signature scheme, the user uses his/her private key to sign the message, while the corresponding public key is used to verify the legality of the signature generated by the user. However, in a traditional public key cryptosystem, the user's public key is a random string that cannot be associated with the user's identity. To authenticate the authenticity of the user's public key, the user's identity and public key are usually bound by a public key certificate issued by a certificate authority [7][8][9]. That is, the validity of the user's public key is determined by the legitimacy of the corresponding certificate. Unfortunately, the storage and management of numerous public key certificates require PLOS  huge computational and storage overheads when deployed in the real world, which greatly increases the burden of the system. To eliminate the problem of certificate management in public key cryptosystems, the concept of identity-based cryptography was proposed by Shamir [10]. In an identity-based signature (IBS) scheme, each user selects a unique identity as his/her public key, such as email address, telephone number, etc., and the user's private key is computed by a trusted private key generator (PKG). Because the user's public key is a public identity information, it does not need a certificate to verify the validity of the user's public key. So, the identity-based signature scheme implements the binding of the public key and the entity identity in another way, and greatly simplifies key management. Boneh and Franklin [11] used bilinear pairing to design the first practical identity-based encryption scheme. Later, many efficient IBS schemes have also been presented [12][13][14]. However, the PKG can generate each user's private key, which makes the PKG impersonate the user to sign arbitrary message without being discovered. Hence, key escrow is the main security flaw in identity-based cryptography.
Al-Riyami and Paterson [15] introduced the notion of certificateless signature (CLS) to solve the inherent key escrow problem in identity-based cryptosystems. In a CLS scheme, the user's private key is composed of the secret value and the partial private key. The secret value is selected by the user himself, and the partial private key is generated by a third party called key generation center (KGC). Since the KGC does not know the secret value of the user, PKG cannot obtain the user's full private key. In this way, the security threats posed by key escrow are resolved. In addition, the user's public key is derived from the secret value but no longer requires a certificate for authentication. That is, the CLS scheme can basically solve the problems of both the traditional signature scheme and the IBS scheme. Therefore, CLS has become one of the most important research hotspots in public key cryptography. The first CLS scheme was designed by Al-Riyami and Paterson [15], but Huang et al. [16] found that their scheme [15] was insecure under public key replacement attacks. Subsequently, several efforts have been made to construct more secure CLS schemes [17][18][19][20][21].
Certificateless aggregate signature (CLAS) has the advantages of CLS and aggregate signature, which has attracted great attention from researchers. CLAS can compress n individual signatures of n different messages into a short signature. The verifier only needs to verify the final aggregate signature to determine whether n individual signatures involved in the aggregation are valid. As a result, CLAS not only reduces the signature length and the verifier's computation costs, but also enhances the security of aggregate signature. CLAS is a very useful technique for reducing communication bandwidth and storage overhead, and it is very suitable for environments with limited computing resources and high-efficiency requirements, such as vehicular ad-hoc networks [22][23][24], wireless sensor networks [25,26], the Internet of things [27], and so on [28,29].
In recent years, researchers have proposed many CLAS schemes [30][31][32]. Yum and Lee [33] presented a CLAS scheme in the random oracle model. However, Hu et al. [34] found that their CLAS scheme [33] was unable to resist public key replacement attacks. Chen et al. [35] presented another CLAS scheme, but was vulnerable to public key replacement attacks and honest-but-curious KGC attacks [36,37]. Deng et al. [38] constructed an efficient CLAS scheme and demonstrated its security, but Kumar and Sharma [39] showed that this scheme [38] could not provide unforgeability. Zhang et al. [40] also proposed an efficient CLAS scheme and proved its security in the random oracle model. However, Shim [41] pointed out that their CLAS scheme could not resist collusion attacks from internal users and KGC. Xiong et al. [42] designed a CLS scheme with lower signature verification overhead and further constructed a CLAS scheme with higher performance. However, Zhang et al. [43] pointed out that the CLS and CLAS schemes of Xiong et al. [42] could not withstand attacks from a malicious-but-passive KGC. In addition, Cheng et al. [44] and He et al. [45] noted that the CLS and CLAS schemes of Xiong et al. [42] were also insecure against honest-but-curious KGC attacks, respectively. An improved CLAS scheme was proposed by He et al. [45], but Li et al. [46] demonstrated that this modified scheme was still insecure under malicious-but-passive KGC attacks. Cheng et al. [44] also designed an improved version of Xiong et al.'s CLAS scheme, which was proved to be existentially unforgeable in the random oracle model. Unfortunately, we find that Cheng et al.'s CLAS scheme [44] is also insecure against coalition attacks from the collusion of insider signers. That is, the signers generate multiple invalid individual signatures, but the resulting aggregate signature is valid.
To the best of our knowledge, it is still open and challenging to design a secure and efficient CLAS scheme. In this paper, we focus on this issue, providing a new method for addressing it. We first present a coalition attack of insider signers to show the security flaws of Cheng et al.'s CLAS scheme [44]. Such attacks indicate that the validity of an aggregate signature does not guarantee the legitimacy of each individual signatures participating in the aggregation. However, this result has violated the security objectives of the CLAS scheme. To withstand this kind of practical and powerful attack, we further propose an improved CLAS scheme on the basis of Wang et al.'s CLS scheme [47]. In the random oracle model, we prove that the improved CLAS scheme satisfies existential unforgeability under the computational Diffie-Hellman (CDH) assumption. We also demonstrate that our CLAS scheme is secure against coalition attacks. In our CLAS scheme, an aggregate signature is only a group element, so the length of an aggregate signature is independent of the number of signers involved in the aggregation. Additionally, the analysis results indicate that the improved CLAS scheme has lower computational overhead and communication costs.
The remainder of this paper is organized as follows. Section 2 introduces some preliminaries. Section 3 reviews Cheng et al.'s CLAS scheme [44] and gives the corresponding cryptanalysis. Our improved CLAS scheme is presented in Section 4. Section 5 gives the conclusions.

Preliminaries
The following are some preliminaries related to this paper, including the security notions of CLAS, bilinear paring and complexity assumption.

Formal security model of CLAS
A CLAS scheme mainly includes three entities: KGC, n users and an aggregator, as formally defined in the following seven algorithms [32][33][34].
• Setup(λ) ! (pp, msk): Given a security parameter λ, the KGC executes this algorithm to produce the master secret key msk and public parameters pp.
• PartialKeyGen(pp, msk, ID i ) ! psk i : Upon input of pp, msk and a user U i 's identity ID i , the KGC executes this algorithm to produce a partial private key psk i for U i .
• UserKeyGen(pp, ID i ) ! (usk i , pk i ): Upon input of pp and ID i , the user U i creates its secret value usk i and public key pk i . Note that the private key of U i is sk i = (usk i , psk i ).
• Sign(pp, sk i , m i ) ! σ i : Upon input of pp, sk i and message m i , the user U i generates an individual signature σ i on m i .
• Verify(pp, ID i , pk i , m i , σ i ) ! {0, 1}: Upon input of pp, ID i , pk i and a signature σ i on a message m i , this algorithm outputs 1 if σ i is valid; else, it outputs 0.
• Aggregate ðpp; fm i ; s i g n i¼1 Þ ! s: Upon input of n message/signature pairs (m i , σ i ) from n users U i (i = 1, . . ., n), the aggregator runs this algorithm to generate an aggregate signature σ on {m 1 , . . ., m n }.
The security model of a CLAS scheme mainly considers two types of attackers [42,44,48], named Type I adversary A 1 and Type II adversary A 2 .
• A 1 represents a dishonest user (i.e., an external attacker). A 1 can know the secret value of each user and replace any user's public key, but does not know the master secret key msk.
• A 2 represents a malicious KGC. A honest-but-curious KGC knows msk and generates the user's private key, but is unable to perform public key replacement. In addition to having the ability of a honest-but-curious KGC, a malicious-but-passive KGC is also allowed to embed trapdoors in msk and public parameters pp during the system initialization phase.
The following uses two security games between an attacker A 2 fA 1 ; A 2 g and a challenger C to define the unforgeability of a CLAS scheme.
Game 1: The first game is played by C and A 1 .
• Initialization: C sends public parameters pp generated by the algorithm Setup(λ) to A 1 , and then secretly stores the master secret key msk.
• Partial-private-key-query: If A 1 asks for a partial private key of an identity ID i , then C executes the algorithm PartialKeyGen(pp, msk, ID i ) to produce psk i and returns it to A 1 .
• Public-key-query: If A 1 requests a public key of ID i , then C performs the algorithm UserKey-Gen(pp, ID i ) to produce pk i and returns it to A 1 .
• Secret-value-query: If C receives an identity ID i sent by A 1 , then C responds to A 1 with a secret value usk i output by the algorithm UserKeyGen(pp, ID i ).
• Public-key-replacement-query: If C receives ID i and pk 0 i sent by A 1 , then the public key of ID i is replaced by pk 0 i . • Sign-query: When A 1 asks for a signature of a message m i and an identity ID i , C runs the algorithm Sign(pp, sk i , m i ) to produce an individual signature σ i of m i and sends it to A 1 .
• Forgery: A 1 finally produces a forgery ðfm where at least one of n identities fID � 1 ; :::; ID � n g is the identity ID � of the target user. Assumed that the t-th signer's identity , . . ., n}. If the following three conditions are satisfied, then A 1 wins the game.
1. Partial-private-key-query has never received an inquiry about ID � t .

Sign-query has never received an inquiry about
Game 2: The second game is played by C and A 2 . We consider that the second type of attacker is a malicious-but-passive KGC, which is a strengthened security model.
• Initialization: A 2 sends the master secret key msk and public parameters pp generated by the algorithm Setup(λ) to C.
• Queries: In addition to Partial-private-key-query and Public-key-replacement-query, A 2 may initiate other queries defined in Game 1.
• Forgery: A 2 finally produces a forgery ðfm If the following three conditions are satisfied, then A 2 wins the game.
1. Secret-value-query has never received an inquiry about ID � t . 2. Sign-query has never received an inquiry about ðID If there is no polynomial-time attacker A 2 fA 1 ; A 2 g who can win in the above two games with a non-negligible probability, then a CLAS scheme is said to be existentially unforgeable under adaptive chosen-message attacks [42,44,48].

Bilinear pairing and complexity assumption
Assume that p is a prime number, G 1 and G 2 are two cyclic groups with order p, and g is a generator of G 1 . If a map e: G 1 × G 1 ! G 2 satisfies the following conditions, then e is called a bilinear pairing [43]: • Non-degeneracy:e(g, g) is not an identity element 1 G 2 in G 2 . That is, eðg; gÞ 6 ¼ 1 G 2 .
Given three elements ðg; g a ; g b Þ 2 G 3 1 , the CDH problem is to calculate g ab 2 G 1 , where the unknown values a and b are randomly chosen from Z � p . Definition 2 (CDH assumption). If the probability of any polynomial-time attacker to solve the CDH problem is negligible, then the CDH problem is called intractable [47,49].

Review of Cheng et al.'s CLAS scheme
To overcome the security flaws in Xiong et al.'s CLAS scheme [42], Cheng et al. [44] presented an improved CLAS scheme that is described as follows.
• Setup: Given a security parameter λ, the KGC selects two multiplicative cyclic groups G 1 and G 2 with prime order p, a bit string Q of length l, a generator g in G 1 and a bilinear pairing e: Then, the KGC randomly selects s 2 Z � p and computes P pub = g s . The KGC also picks three hash functions Finally, the KGC secretly stores the master secret key msk = s and publishes public parameters pp = {G 1 , G 2 , p, g, e, Q, P pub , H 0 , H 1 , H 2 }.
• PartialKeyGen: After receiving an identity ID i submitted by a user U i , the KGC computes psk i = H 1 (ID i ) s and sends ID i 's partial private key psk i to U i through a secure channel.
• UserKeyGen: The user U i with identity ID i randomly selects x i 2 Z � p and computes public key pk i ¼ g x i . Then, U i sets its secret value usk i = x i and private key • Sign: For a message m i , the signer U i selects a random value r i 2 Z � p and computes an individual signature of m i .
• Verify: Given ID i , pk i and an individual signature and then verifies the following equation: If this equation holds, output 1; otherwise, output 0.
• Aggregate: After receiving the message-signature pair (m i , V i and outputs an aggregate signature σ = (R 1 , . . ., R n , V).

Attack on Cheng et al.'s CLAS scheme
In the random oracle model, Cheng et al.'s CLAS scheme [44] was proved to satisfy the security requirement of existential unforgeability. Unfortunately, in this subsection, we demonstrate that Cheng et al.'s CLAS scheme [44] cannot resist coalition attacks from internal signers. Without loss of generality, suppose that {ID 1 , pk 1 } and {ID 2 , pk 2 } are the identity/public key pairs of the signers fU 1 ; U 2 g, respectively. As a result, we show that U 1 cooperates with U 2 to generate invalid individual signature σ i on message m i for i = 1, 2, whereas the resulting aggregate signature σ on {m 1 , m 2 } is valid.
1. U 1 randomly selects r 1 2 Z � p and computes R 2. U 2 randomly selects r 2 2 Z � p and computes R Þ as a signature on m 2 . 5. U 1 cooperates with U 2 to produce an aggregate signature s � ¼ ðR Clearly, fs � 1 ; s � 2 g are invalid individual signatures of fU 1 ; U 2 g on {m 1 , m 2 }, respectively. However, the forged aggregate signature s � ¼ ðR Therefore, dishonest signers can jointly forge a valid aggregate signature for arbitrary messages. This shows that even if some individual signatures participating in the aggregation are invalid, the resulting aggregate signature is also valid. That is, the validity of every individual signature involved in the aggregation cannot be guaranteed by the legitimacy of the corresponding aggregate signature. So, Cheng et al.'s CLAS scheme [44] is insecure under coalition attacks.

Our improved CLAS scheme
In Cheng et al.'s CLAS scheme [44], dishonest signers can use some invalid individual signatures to jointly generate a valid aggregate signature. However, the main reason for the success of such attacks is due to the fact that signers can exchange their individual signature values with each other during the generation of an aggregate signature.

Construction
In this subsection, we design an enhanced CLAS scheme for preventing the above coalition attack. The following is the description of our CLAS schem. • Sign: For a message m i , the user U i uses its secret value usk i = x i and partial private key Then, U i outputs σ i as an individual signature of m i .
• Verify: Given ID i , pk i and an individual signature σ i on message m i , a verifier computes H 1 (ID i ) and V i = H 3 (m i , ID i , pk i ), and then checks the following equation: eðs i ; gÞ ¼ eðV i ; pk i ÞeðH 1 ðID i Þ; P pub Þ: If it holds, accept σ i and output 1; else, reject σ i and output 0.

Security analysis
We prove that the improved CLAS scheme is existentially unforgeable under Type I and Type II adversaries. Also, we demonstrate that our CLAS scheme can withstand coalition attacks. Theorem 1. If the security of our CLAS scheme is broken by a polynomial-time Type I adversary A 1 , then the CDH problem can be solved.
Proof. Suppose that A 1 forges a valid aggregate signature with probability ε 1 after making at most q i random oracle queries to H i (i = 1, 3), q psk partial private key queries, q pk public key queries, q rep public key replacement queries, q usk secret value queries and q s signing queries, then we can construct an algorithm C to solve the CDH problem. After receiving a random CDH instance ðg; g a ; g b Þ 2 G 3 1 , C will utilize A 1 's forgery to calculate the CDH value g ab .
• Initialization: C sets P pub = g a and runs the algorithm Setup(λ) to produce other parameters.
Then, C sends public parameters pp to A 1 . Note that the master secret key msk = a is unknown to C. Moreover, C controls two random oracles to simulate hash functions H 1 and H 3 . To simplify the description, it is assumed that A 1 has performed related hash queries before making other inquiries. To avoid collisions and consistently respond to all kinds of queries initiated by A 1 , C maintains a list L ¼ ðID i ; psk i ; usk i ; pk i Þ and two other lists ðL 1 ; L 3 Þ that are all initially empty. C picks a random integer d 2 [1, q 1 ] and responds to all queries initiated by A 1 in the following way.
• H 1 queries: Upon receiving the i-th H 1 inquiry about an identity ID i , C first checks whether an entry for ID i exists in L 1 . If yes, C sends the corresponding value H 1 (ID i ) to A 1 . Otherwise, C randomly selects y i 2 Z � p and sets to L 1 ; otherwise, C sets the target user's identity ID � = ID d and y � = y d , and then adds (ID � , y � , H 1 (ID � )) to L 1 . Finally, C sends H 1 (ID i ) to A 1 .
• H 3 queries: A 1 issues an H 3 query for (m i , ID i , pk i ). If it is found in L 3 , then C sends the corresponding value V i to A 1 . Otherwise, C randomly selects z i 2 Z � p and sets • Partial-private-key-query: After receiving an identity ID i submitted by A 1 , C considers the following two cases.
• If ID i = ID � , C terminates the game.
• If ID i 6 ¼ ID � , C checks whether L contains an entry for ID i .
1. If it exists, C sends psk i to A 1 .
2. Else, C finds the tuple (ID i , y i , H 1 (ID i )) in L 1 and returns a partial private key psk i ¼ ðP pub Þ y i to A 1 . Then, C adds (ID i , psk i , ?, ?) to L.
• Public-key-query: On receiving an identity ID i , C checks if an entry for ID i exists in L, where pk i 6 ¼ ?. If yes, C sends pk i to A 1 . Otherwise, C randomly selects x i 2 Z � p and sets usk i = x i and pk i ¼ g x i . If ID i = ID � , C sets the target user's public key pk � = pk i and secret value usk � = usk i . Then, C adds the corresponding tuple to L and returns a public key pk i to A 1 .
• Secret-value-query: If A 1 issues a query for an identity ID i , C first initiates a public key query about ID i and then returns the corresponding secret value usk i to A 1 .
• Public-key-replacement-query: If A 1 submits an identity ID i and a public key pk 0 i , C first checks whether there is an entry for ID i in L. If yes, C replaces ID i 's public key with pk 0 i ; otherwise, C sets ID i 's public key to pk 0 i and then adds a new tuple (ID i , ?, ?, pk i ) in L.
• Sign-query: A 1 asks a signature query on its selected identity ID i and message m i . If ID i = ID � , C terminates the game. Else, C searches the lists L and L 3 to find the corresponding tuples (psk i , usk i , pk i ) and V i = H 3 (m i , ID i , pk i ), respectively. Then, C returns s i ¼ V Else, C finds (usk � = x � , pk � ) corresponding to ID � t in L. Then, C obtains the tuples (ID � , y � , H 1 (ID � )) and ðm � t ; ID � ; pk � ; z � ; V � Þ from L 1 and L 3 , respectively. Since s � t is valid, the following equation must hold: From the above equation, C calculates g ab as Hence, C solves the CDH problem.
Next, we analyze the successful probability that C can solve the CDH problem instance. If the following events occur, C will not quit during the entire simulation game.
• During the simulation of Partial-private-key-query, each identity ID i queried by A 1 is not equal to ID � . The probability is at least 1 À 1 • During the simulation of Sign-query, each identity ID i queried by A 1 is not equal to ID � . The probability is at least 1 À 1 • In the forgery phase, at least one of n identities fID � 1 ; . . . ; ID � n g is the target user's identity • V � can be found in L 3 . The probability is at least 1 À q 3 p � � . Hence, the overall success probability of C solving the CDH problem is Theorem 2. If the security of our CLAS scheme is broken by a polynomial-time Type II adversary A 2 , then the CDH problem can be solved.
Proof. Let A 2 be a malicious-but-passive KGC. Suppose that A 2 forges a valid aggregate signature with probability ε 2 after making at most q i random oracle queries to H i (i = 1, 3), q pk public key queries, q s signing queries and q usk secret value queries, then there exists a solver C that invokes A 2 to violate the CDH assumption. Given a CDH instance ðg; g a ; g b Þ 2 G 3 1 , the goal of C is to calculate g ab by interacting with A 2 .
• Initialization: A 2 picks a random value s 2 Z � p as the master secret key msk and calculates P pub = g s . Then, A 2 runs Setup(λ) to produce other parameters and sends (pp, msk) to C. After that, C picks a random integer d 2 [1, q 3 ] and maintains three initially empty lists L, L 1 and L 3 .
• H 1 queries: Upon receiving an H 1 query on an identity ID i , C returns the corresponding value H 1 (ID i ) to A 2 if L 1 contains an entry for ID i . Otherwise, C selects y i 2 Z � p at random and sets H 1 ðID i Þ ¼ g y i . Then, C sends g y i to A 2 and adds (ID i , y i , H 1 (ID i )) to L 1 .
• H 3 queries: Upon receiving the i-th H 3 query on (m i , ID i , pk i ), C sends the corresponding V i to A 2 if an entry for (m i , ID i , pk i ) exists in L 3 . Otherwise, C selects a random value z i 2 Z � p and sets ; otherwise, C sets the target user's identity ID � = ID i and pk � = pk i and then adds (m i , ID � , pk � , z i , V i ) to L 3 . Finally, C sends V i to A 2 .
• Public-key-query: A 2 asks a public key query for ID i and if it is found in L, then C returns pk i to A 2 . Otherwise, C selects a random value x i 2 Z � p and sets Otherwise, C sets the public key pk � = pk i of the target user, and adds (ID � , ?, pk � ) to L. Finally, C returns pk i to A 2 . Note that the target user's secret value usk � = a, while a is unknown to C.
• Secret-value-query: On receiving the query on ID i , C aborts if ID i = ID � ; otherwise, C first initiates a public key query about ID i and then returns the corresponding secret value usk i to A 2 .
• Sign-query: Upon receiving an identity ID i and a message m i , C proceeds as follows: • If ID i = ID � , C aborts.
• Else, C searches the lists L and L 1 to find (ID i , x i , pk i ) and (ID i , y i , H 1 (ID i )), respectively. Next, C makes an H 3 query on (m i , ; ID � ; pk � Þ is not found in L 3 , C aborts. Otherwise, C looks up the lists L 1 and L 3 to obtain the tuples (ID � , y � , H 1 (ID � )) and ðm � t ; ID � ; pk � ; z � ; g bz � Þ, respectively. Since s � t is valid, the following equation must hold: Thus, C can use the master key msk = s to calculate the CDH value Here, we also analyse the probability of C using A 2 's forgery to successfully solve the CDH instance. C completes the entire simulation if the following events occur.
• ID � has never appeared during secret value queries. The probability is at least ð1 À 1 q 3 Þ q usk .
• ID � has never appeared during signing queries. The probability is at least ð1 À 1 q 3 Þ q s .
• V � can be found in L 3 . The probability is at least ð1 À q 3 p Þ. Therefore, the overall success probability of C solving the CDH problem is Since the CDH problem is intractable, the success probability of A 1 or A 2 attacking our CLAS scheme is negligible. According to Theorem 1 and Theorem 2, the following theorem is easily obtained.
Theorem 3. If the CDH assumption holds, then our improved CLAS scheme satisfies existential unforgeability in the random oracle model. Theorem 4. Our CLAS scheme is secure under coalition attacks.
The above analysis indicates that if the internal signers exchange each other's individual signature value during aggregate signature generation, the collision resistance of H ensures that the final aggregate signature could not pass the signature verification equation. In other words, an aggregate signature is valid in our CLAS scheme if and only if each individual signature used to generate the aggregate signature is also valid. Hence, our CLAS scheme can resist coalition attacks.

Performance analysis
We compare our CLAS scheme with other similar schemes [27,30,31,35,39,[42][43][44][45][46] in terms of performance and security properties. In Table 1, we give the description of some symbols that need to be used in this subsection.

Performance comparison.
Because the computational costs of multiplication, hash function and other cryptographic operations are relatively small, we focus on the time-consuming bilinear pairing and exponentiation operations when analysing the performance. Table 2 shows a detailed performance comparison between our CLAS scheme and the related CLAS schemes, where the required symbols are given in Table 1.

Experimental evaluation.
We also conduct performance evaluation experiments on the proposed CLAS scheme and other CLAS schemes [43,44,46]. The simulated environment is set up on a laptop with the Windows 10 operating system, and the main configuration is Intel(R) Core(TM) i7-6500 CPU @ 2.59 GHz and 8 GB RAM. To execute the bilinear pairing operation quickly, we choose the curve a.param of type A in the PBC-0.47-VC library. The detailed simulation results are shown in Figs 1, 2 and 3. Fig 1 shows that each signer needs approximately 26 ms to generate an individual signature in our CLAS scheme. The scheme of Zhang et al. [43] needs approximately 49 ms. Cheng et al.'s scheme [44] requires approximately 52 ms, and Li et al.'s scheme [46] requires approximately 91 ms. Therefore, our CLAS scheme requires the least computational cost when generating an individual signature.
The communication overhead of a CLAS scheme mainly relies on the size of the aggregate signature. Table 2 shows that our CLAS scheme and Zhang et al.'s scheme [43] have the same aggregate signature length, and Cheng et al.'s scheme [44] and Li et al.'s scheme [46] also have the same aggregate signature length. Fig 2 shows that the size of an aggregate signature in our CLAS scheme is fixed at 128 bits, while the length of an aggregate signature in Cheng et al.'s scheme [44] increases linearly with the number of signers. Hence, our CLAS scheme greatly reduces the communication cost. Fig 3 shows that the computational cost of verifying an aggregated signature is linearly increasing with the total number of signatories. Notably, the verification cost of an aggregate signature is less than the total cost of n individual signature verifications participating in the aggregation. Compared with other CLAS schemes [43,44,46], Fig 3 shows that our CLAS scheme has lower computational overhead when verifying aggregate signatures.
In summary, the results of the performance evaluations performed in the above experiments are consistent with the theoretical analysis results in Table 2. From the above analysis,   we can see that our improved CLAS scheme has lower computational overhead, shorter signature length and higher security.

Conclusions
Cheng et al. [44] proposed an efficient CLAS scheme and proved its security. In this paper, we demonstrate that their CLAS scheme [44] cannot resist coalition attacks from internal signers. To prevent these attacks, we design an enhanced CLAS scheme that is secure under coalition attacks. Under the CDH assumption, our improved scheme is proved to satisfy existential unforgeability in the random oracle model. In addition, our CLAS scheme can aggregate n individual signatures into a short signature which is only an element in G 1 . More importantly, the length of an aggregate signature is fixed and has nothing to do with the total number of signers participating in the aggregation. Therefore, our CLAS scheme is very suitable for network environments with limited resources, such as the Internet of vehicles, and wireless communication networks [50][51][52].