A Lightweight Certificateless Aggregate Ring Signature Scheme for Privacy-preserving in Smart Grids


User privacy can leak in smart grids (SGs): malicious attackers may intercept or tamper with electricity data and associate the stolen data with real users to commit crimes. Besides, node equipment resources in SGs are limited. To address these problems, most existing privacy-preserving schemes apply aggregate signatures to ensure message integrity and improve communication efficiency. However, they cannot provide user anonymity to block link attacks, and most aggregate signature verification has a high computational cost. Therefore, we propose a certificateless aggregate ring signature (CLARS) scheme based on the computational Diffie-Hellman problem and the decisional Diffie-Hellman problem. Our scheme is suitable for privacy preservation in SGs. In this scheme, a certificateless cryptosystem is used to avoid the key escrow and certificate management problems, and a ring signature is used to ensure the unconditional anonymity of users. In addition, our scheme is proved to be unforgeable and unconditionally anonymous under adaptively chosen message attacks against Type I and Type II adversaries in the random oracle model. Compared with previous certificateless aggregate signature (CLAS) schemes, our CLARS scheme has lower computational cost, needing only two pairing operations.

1 Introduction
signature, simplifying the verification of any number of signatures to one verification. This greatly reduces the storage space of the signature and at the same time reduces the requirement for network bandwidth [7].
The ring signature was first defined by Rivest et al. [8] in 2001. A ring signature allows one member of a group to sign messages on behalf of the group without revealing the signer's identity. The verifier of the signature can only verify whether the signature comes from the signature set or not, but does not know who signed it. Therefore, the ring signature scheme [9][10][11][12] has correctness, unforgeability and unconditional anonymity.
In order to protect the privacy of SMs and ensure the real-time performance of SGs, we propose a new CLARS scheme for SGs, with the following contributions:
• We propose a new CLARS scheme to prevent the privacy of SMs from leaking. Analysis shows that this scheme is practical with good performance, and it is suitable for resource-constrained SG systems.
• We give formal security proofs based on the CDHP and DDHP assumptions for our proposed CLARS scheme, which satisfies existential unforgeability and unconditional anonymity under malicious KGC attacks and public key replacement attacks.
• Performance analysis shows that our scheme has lower computational cost compared with existing CLAS schemes. In the aggregate verification phase, our scheme only requires two pairing operations.
The remainder of this paper is organized as follows. Related works are reviewed in Sect. 2. The preliminary knowledge is given in Sect. 3. The scheme of this paper is given in Sect. 4. In Sect. 5, the correctness and security of the proposed scheme are theoretically proved. We conduct a performance analysis in Sect. 6. Finally, the conclusion is drawn in Sect. 7.

Related work
Privacy protection in SGs covers two aspects: user data protection and user identity protection. When an attacker obtains real-time power consumption information and associates it with the user's real identity, he can directly attack the target user. However, an attacker does not pose a threat to the user if he knows only the information on the use of electricity or the identity of the customer, or neither. Batteries can be used to hide near real-time data. Existing solutions to protect power data include data aggregation schemes based on perturbation techniques, data fragmentation and homomorphic encryption. The technologies to protect the identity of users include pseudonyms, k-anonymity and other anonymizing techniques like blind signatures, group signatures, ring signatures and obfuscation techniques.

User data protection
Privacy preserving based on household batteries. To protect the privacy of SGs, Kalogridis et al. [13] proposed a power management model using rechargeable batteries. The basic principle of rechargeable batteries for privacy-preserving is to use battery charging and discharge to hide the user's power-consumption information read by SMs. However, the drawback of such a solution is that using batteries to hide the user's usage information may conflict with the economic interests of the users, such as charging during peak consumption periods.
Privacy preserving based on data aggregation. The SGs process data while transmitting data, and the transmission and aggregation are parallel. Typical aggregation technologies can be divided into three categories: data aggregation technologies based on perturbation technology, data fragmentation, and homomorphic encryption. Perturbation-based data aggregation is mainly based on data aggregation of clusters [14], k-way privacy protection [15] and differential privacy [16,17]. However, this kind of scheme has a large computational and communication overhead. When individual data is tampered with, the data cannot be recovered, nor can the final aggregated data be obtained. Data fragmentation technology mainly includes fragmentation, hybrid aggregation [18] and data aggregation based on secret sharing [19]. Although the sharding technology can reduce computational overhead, it requires a relatively large communication overhead, which may cause collisions between nodes and data loss of nodes. Data aggregation based on homomorphic encryption [20] can aggregate ciphertext without decryption, but it does not support integrity verification. Additionally, the aggregator only knows the final result, and cannot obtain other information about the smart meter.

User identity protection
Privacy preserving based on pseudonym. In order to protect the data collected in real time in SGs, Tan et al. [21] proposed a privacy protection scheme based on pseudonyms. It uses the group key, time, and the number of SMs to generate pseudonyms and sends them to the SMs. Each SM receives the user's pseudonym instead of the real ID, so that the consumption information cannot be associated with a specific user.
Privacy preserving based on anonymity. Articles [22,23] are based on the anonymization of the SMs by a trusted third party, and only the trusted third party can have the link relationship between the actual account and the anonymous ID. In order to strip away the corresponding relationship between user sensitive data and individuals, and effectively solve the problem of privacy leakage caused by link attacks, Samarati and Sweeney first proposed the idea of k-anonymization [24]. This idea requires that each tuple in the published data set cannot be distinguished from other k − 1 tuples. With the development of deanonymization technology and data mining technology, attackers can reconstruct anonymized data with side information, and then find the true source of data. In addition, there are security risks associated with communication between smart meters and trusted third parties.
Blind signature is a signature method proposed by David Chaum [25]. The content of the message is invisible to the signer before signing. The signer of the blind signature is different from the author of the message, which can effectively protect privacy. Papers [26,27] use blind signature technology to protect privacy, but blind signatures have problems such as duplication of signatures and high computational overhead. In 1991, Chaum et al. proposed group signatures [28]. Usually group signatures consist of group administrators and several members, and any member can sign anonymously on behalf of the group. Gai et al. [29] proposed a model-permitted smart grid blockchain edge model (PBEM-SGN), which uses group signature and secret channel authorization technology to ensure the legitimacy of users. Because the group signature depends on the group administrator, there is a risk that the group administrator may trace the identity of the signing member. Ring signature is a special group signature, which was first proposed by three cryptographers Rivest, Shamir and Tauman in 2001 [8]. In the ring signature, there are only ring members and no administrators. The verification of the ring signature can only determine which ring the signature comes from and cannot be specific to a certain user in the ring. The certificateless public key cryptosystem not only avoids the complicated certificate management problems in the traditional public key cryptosystem, but also solves the inherent key escrow problem in the identity-based cryptosystem. In 2018, Karati et al. [30] proposed a certificateless signature scheme for the industrial Internet of things. In 2020, Zhang et al. [31] proposed a certificateless aggregate ring signcryption for the smart home environment. Bouakkaz et al. [32] proposed a certificateless ring signature scheme with batch verification.

Bilinear pairing and complexity assumptions
Bilinear Pairing. Let $G_1$ be an additive group of prime order $q$ and $G_2$ be a multiplicative group of the same order. $P$ is a generator of $G_1$, and $e$ is a bilinear map $e : G_1 \times G_1 \to G_2$ with the following properties:
• Bilinearity: For all $P, Q \in G_1$ and $a, b \in Z_q^*$, $e(aP, bQ) = e(P, Q)^{ab}$.
• Non-degeneracy: $e(P, P) \neq 1$.
• Computability: There is an efficient algorithm to compute $e(P, Q)$ for all $P, Q \in G_1$.

Definition 1 The computational Diffie-Hellman problem (CDHP):
Given a generator $P$ of a group $G$ and a tuple $(aP, bP)$ for unknown $a, b \in Z_q^*$, the CDHP is to compute $abP$. Suppose that the probability of adversary A

Definition 2
The decisional Diffie-Hellman problem (DDHP): Given a generator $P$ of a group $G$ and a tuple $(aP, bP, Y)$ for unknown $a, b \in Z_q^*$, $Y \in G$, the DDHP is to decide whether $Y = abP$. Suppose that the probability that adversary A decides $Y = abP$ in time $t$ is Succ DDHP. If $\varepsilon$ is negligible, DDHP is $(t, \varepsilon)$ difficult.

System model
As shown in Figure 1, the SG system model includes SM, regional gateway (BG), CC, KGC and power supplies (PS). The implementation process corresponding to Figure 1 is as follows:
1. As a trusted third party, KGC is responsible for generating partial private keys and system parameters for both the users' SMs and the BG in the system. It has higher computational and storage capabilities than the rest of the entities.
2. SMs are used to record personal user information, and can collect power consumption data of household electrical appliances in real time.
3. SMs send power consumption messages and signatures to the BG after the certificateless ring signature. The BG can verify these power consumption messages.
4. BG acts as a concentrator that verifies the signatures and aggregates data. Then, it transmits valid messages and the aggregated signature to the CC.
5. After obtaining the message, CC first verifies the aggregated signature and then performs billing, forecasting, load forecasting and demand response, etc.
6. PS distributes power to users according to the strategy specified by CC.
7. The user adjusts the electricity consumption in real time according to the electricity consumption in the previous cycle.

A framework for CLARS scheme
Setup: This algorithm is run by KGC. It takes the system security parameter $k$ as input and outputs the system parameters params and the master key msk.
Key generation: This algorithm is run by KGC and ring member $ID_i$. $ID_i$ selects a secret value $x_i$, then takes params as input and outputs the public key $PK_i$. KGC takes $PK_i$, $ID_i$ and params as input and outputs the partial private key $PSK_i$.
Certificateless-ring-signature: This algorithm is run by a ring member (the actual signer) with identity $ID_k$. It takes message $m_k$ with its private key $SK_k$ and all identities of ring members $L_{ID}$ with the corresponding public key list $L_{PK}$ as input. It outputs a certificateless aggregate ring signature $\sigma_k$.
Single-verification-CLARS: This algorithm is run by a receiver (BG). It takes a certificateless aggregate ring signature $\sigma_k$ on message $m_k$, the system parameters params and all identities of ring members $L_{ID}$ with the corresponding public key list $L_{PK}$ as input. It outputs true if the certificateless ring signature $\sigma_k$ is valid, or false otherwise.
Aggregate signature: This algorithm is run by an aggregator (BG). It takes the certificateless aggregate ring signature list $L_\sigma$ on the corresponding electricity-related message list $L_m$ as input. It outputs an aggregated signature $\sigma$.
Aggregate-verification-CLARS: This algorithm is run by a receiver (BG). It takes the system parameters params, an aggregate signature $\sigma$ on the corresponding electricity-related message list $L_m$ and all identities of ring members $L_{ID}$ with the corresponding public key list $L_{PK}$ as input. It outputs true if the certificateless aggregate ring signature $\sigma$ is valid, or false otherwise.

Security model of CLARS scheme
Definition 3 CLARS is said to be unforgeable under adaptive chosen message attacks (EUF-CLARS-CMA) if any polynomially bounded adversary has only a negligible advantage in the following games.
Game I: unforgeability of CLARS against $A_I$. Challenger $C$ and adversary $A_I$ play the following game.
Initialization. $C$ runs the Setup algorithm to generate the system master secret key msk and system parameters params, and saves the msk. Then $C$ sends params to $A_I$.
$A_I$ can adaptively perform a polynomial number of the following oracle queries.
• Hash queries: $A_I$ submits any value, and challenger $C$ returns the corresponding hash value.
• User public key queries: $A_I$ requests any public key of an identity $ID_i$, and challenger $C$ returns the corresponding public key $PK_i$ to $A_I$.
• User public key replacement queries: $A_I$ chooses a new public key $PK_i'$ with respect to an identity $ID_i$. Challenger $C$ replaces the current key $PK_i$ with the new public key $PK_i'$.
• Partial private key extraction queries: $A_I$ requests any partial private key of an identity $ID_i$, and challenger $C$ returns the corresponding partial private key $PSK_i$ to $A_I$.
• Private key extraction queries: $A_I$ requests any private key of an identity $ID_i$, and challenger $C$ returns the corresponding private key $SK_i$ to $A_I$.
• Certificateless ring signature queries: $A_I$ chooses a message $m$, a set of ring members $L_{ID}$ and the corresponding public key list $L_{PK}$ and sends them to challenger $C$. $C$ returns the corresponding signature $\sigma$ to $A_I$.
Forgery. Finally, $A_I$ outputs a certificateless ring signature $\sigma$ on a message $m$, which satisfies the following conditions:
1) $A_I$ cannot ask for the partial private keys of the users in $L_{ID}$.
2) The forged signature $\sigma$ is not obtained by certificateless ring signature queries.
3) The forged certificateless ring signature $\sigma$ is valid.
Game II: unforgeability of CLARS against $A_{II}$. Challenger $C$ and adversary $A_{II}$ play the following game.
Initialization. $C$ runs the Setup algorithm to generate the system master secret key msk and system parameters params. Then $C$ sends params and msk to $A_{II}$.
$A_{II}$ can adaptively perform a polynomial number of the following oracle queries.
• Hash queries: $A_{II}$ submits any value, and challenger $C$ returns the corresponding hash value.
• User public key queries: $A_{II}$ requests any public key of an identity $ID_i$, and challenger $C$ returns the corresponding public key $PK_i$ to $A_{II}$.
• Private key extraction queries: $A_{II}$ requests any private key of an identity $ID_i$, and challenger $C$ returns the corresponding private key $SK_i$ to $A_{II}$.
• Certificateless ring signature queries: $A_{II}$ chooses a message $m$, a set of ring members $L_{ID}$ and the corresponding public key list $L_{PK}$ and sends them to challenger $C$. $C$ returns the corresponding signature $\sigma$ to $A_{II}$.
Forgery. Finally, $A_{II}$ outputs a certificateless ring signature $\sigma$ on a message $m$, which satisfies the following conditions:
1) $A_{II}$ cannot ask for the private keys of the users in $L_{ID}$.
2) The forged signature $\sigma$ is not obtained by certificateless ring signature queries.
Definition 4 CLARS is said to be unconditionally anonymous if, for any message $m$, any public key list $L_{PK}$ of the ring members $L_{ID}$, receiver $ID_r$ and certificateless ring signature $\sigma$, even a receiver $ID_r$ with unlimited computing resources identifies the real signer with probability no better than $1/n$ (here, $n$ is the number of ring members).
Game III: unconditional anonymity of CLARS against $A_{III}$. Initialization and Query are the same as those in Game II.
The adversary $A_{III}$ wins Game III if and only if $\mu = \mu'$.

Proposed CLARS scheme
In this section, we present a new CLARS scheme based on CDHP and DDHP for SGs. Six polynomial-time algorithms, Setup, Key generation, Certificateless-ring-signature, Single-verification-CLARS, Aggregate signature and Aggregate-verification-CLARS, are included in the proposed scheme and they are constructed as below.
(1) Setup: Given a security parameter $k$, KGC generates the system parameters params and the master key msk as follows:
• Let $G_1$ be an additive group of prime order $q > 2^k$ and $G_2$ be a multiplicative group of the same order. $P$ is a generator of $G_1$. Let $e$ be a bilinear map $e : G_1 \times G_1 \to G_2$.
• KGC chooses a random value $s \in Z_q^*$ as msk and sets $P_{pub} = sP \in G_1$ as its system public key.
• KGC keeps secret its master key $s$ and publishes the system parameters
(2) Key generation: This algorithm is performed by the user and KGC to generate public and private keys.
• KGC calculates the partial private key $PSK_i = s h_{1i} Q_i \in G_1$ and sends $R_i$, $PSK_i$ and $h_{1i}$ to the $ID_i$ via a secure channel. User $U_i$'s public key is $PK_i = (X_i, Y_i)$, and private key is $SK_i = (x_i, PSK_i)$. BG's public key is $PK_r = (X_r, Y_r)$, and private key is $SK_r = (x_r, PSK_r)$.
(3) Certificateless-ring-signature: The user signs a message and sends it to BG. There are $n$ ring members $L_{ID} = \{ID_1, ID_2, \ldots, ID_n\}$ with corresponding public keys $L_{PK} = \{PK_1, PK_2, \ldots, PK_n\}$. $ID_k$ is the actual signer, its private key is $SK_k$ and its public key is $PK_k$. $ID_k$ can sign the message $m_k$ on behalf of ring members $L_{ID}$ and public keys $L_{PK}$, using its private key $SK_k$ as follows:
• The signer $ID_k$ randomly picks $u_k \in Z_q^*$, computes
(4) Single-verification-CLARS: This algorithm is executed by BG, whose identity is $ID_r$. It performs the following steps:
• BG produces the aggregate signature $\sigma = (h_{U_1}, \ldots, h_{U_n}, U_1, \ldots, U_n, V)$ to the receiver.
(6) Aggregate-verification-CLARS: Individual verification of each message causes a huge computational load. Therefore, we introduce the aggregate verification concept. BG can simultaneously verify messages from multiple users. It makes sense to minimize the pairing operations required to achieve signature verification.
• BG verifies the equation 2: If equation 2 holds, BG accepts the message $L_m$, otherwise it rejects it.

Correctness analysis
The following calculations are used to show the correctness of the proposed CLARS scheme. The verifier verifies the single signature $\sigma_k$ and the aggregate signature $\sigma$ according to the formulas, and if they are true, the verifications are passed.
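The single-signature check can be carried through with quantities that appear elsewhere in this paper; this is an added derivation, not the authors' own calculation. It uses $PSK_k = s h_{1k} Q_k$ from key generation, $X_k = x_k Q_k$, $V_k = (u_k + h_{2k}) h_{3k} x_k PSK_k$ and the check $e(V_k, P) = e(h_{3k} U_k, P_{pub})$ from the security proofs, and $U_k = h_{1k}(u_k + h_{2k}) X_k$ from the proof of Theorem 3:

$$
\begin{aligned}
V_k &= (u_k + h_{2k})\, h_{3k}\, x_k \cdot s\, h_{1k}\, Q_k
     = s\, h_{3k} \cdot h_{1k} (u_k + h_{2k})\, x_k Q_k
     = s\, h_{3k}\, U_k, \\
e(V_k, P) &= e(s\, h_{3k} U_k, P)
           = e(h_{3k} U_k, P)^{s}
           = e(h_{3k} U_k, sP)
           = e(h_{3k} U_k, P_{pub}).
\end{aligned}
$$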

Security analysis
Theorem 1 If an EUF-CLARS-CMA adversary $A_I$ has an advantage $\varepsilon$ against a CLARS scheme, asking at most $q_{H_i}$ $(i = 1, 2, 3, 4, 5)$ hash queries to random oracles, at most $q_U$ user public key queries, at most $q_R$ user public key replacement queries, at most $q_{PP}$ partial private key extraction queries, at most $q_P$ private key extraction queries, and at most $q_{RS}$ certificateless ring signature queries, then there exists an algorithm that solves the CDHP with the advantage $\varepsilon / q_{H_1}$.
Proof Assume that the challenger $C$ receives an instance of $(aP, bP)$; the goal of $C$ is to compute the value of $abP$. $C$ runs $A_I$ as a subroutine and plays the role of the challenger in Game I.
Initialization. $C$ runs the Setup algorithm to generate the system master secret key msk and system parameters params $= \{G_1, G_2, P, q, P_{pub} = aP, H_1, H_2, H_3, H_4, H_5\}$, and saves the msk. Then $C$ sends params to $A_I$. $A_I$ can adaptively perform a polynomial number of the following oracle queries.
$H_1$ queries: $C$ maintains the list $L_1$ of tuple $(ID_i, Q_i)$, which is initially empty. When $A_I$ makes a $q_{H_1}$ query on $ID_i$, if $L_1$ contains $(ID_i, Q_i)$, $C$ returns the corresponding $Q_i$ from $L_1$ to $A_I$. Otherwise, $C$ runs the following algorithm: If $ID_i = ID^*$, $C$ sets $Q_i = bP$. Then $C$ returns $Q_i$ to $A_I$ and adds $(ID_i, Q_i)$ to $L_1$.
If $ID_i \neq ID^*$, $C$ selects a random $v_{h_1} \in Z_q^*$ and sets $v_{h_1} P = H_1(ID_i)$. Then $C$ returns $v_{h_1} P$ to $A_I$ and adds $(ID_i, v_{h_1} P)$ to $L_1$.
$H_3$ queries: $C$ maintains the list $L_3$ of tuple $(m_i, PSK_i, PK_i, u_i, h_{2i})$, which is initially empty. When $A_I$ makes a $q_{H_3}$ query on $(m_i, PSK_i, PK_i, u_i)$, if $L_3$ contains $(m_i, PSK_i, PK_i, u_i, h_{2i})$, $C$ returns the corresponding $h_{2i}$ from $L_3$ to $A_I$. Otherwise, $C$ selects a random $h_{2i} \in Z_q^*$ and sets $h_{2i} = H_3(m_i \| PSK_i \| PK_i \| u_i)$. Then $C$ returns $h_{2i}$ to $A_I$ and adds $(m_i, PSK_i, PK_i, u_i, h_{2i})$ to $L_3$.
$H_4$ queries: $C$ maintains the list $L_4$ of tuple $(m_k, U_1, \ldots, U_{k-1}, U_{k+1}, \ldots, U_n, h_{U_k})$, which is initially empty. When $A_I$ makes a $q_{H_4}$ query on $(m_k, U_1, \ldots, U_{k-1}, U_{k+1}, \ldots, U_n)$, if $L_4$ contains $(m_k, U_1, \ldots, U_{k-1}, U_{k+1}, \ldots, U_n, h_{U_k})$, $C$ returns the corresponding $h_{U_k}$ from $L_4$ to $A_I$. Otherwise, $C$ selects a random $h_{U_k} \in Z_q^*$ and sets $h_{U_k}$ = n k=1 $H_4(m_k \| U_i)$, $\forall i \in \{1, 2, \ldots, n\} \setminus \{k\}$. Then $C$ returns $h_{U_k}$ to $A_I$ and adds $(m_k, U_1, \ldots, U_{k-1}, U_{k+1}, \ldots, U_n, h_{U_k})$ to $L_4$.
$H_5$ queries: $C$ maintains the list $L_5$ of tuple $(m_k, L_{ID}, L_{PK}, h_{U_k}, h_{3k})$, which is initially empty. When $A_I$ makes a $q_{H_5}$ query on $(m_k, L_{ID}, L_{PK}, h_{U_k})$, if $L_5$ contains $(m_k, L_{ID}, L_{PK}, h_{U_k}, h_{3k})$, $C$ returns the corresponding $h_{3k}$ from $L_5$ to $A_I$. Otherwise, $C$ selects a random $h_{3k} \in Z_q^*$ and sets $h_{3k} = H_5(m_k \| L_{ID} \| L_{PK} \| h_{U_k})$. Then $C$ returns $h_{3k}$ to $A_I$ and adds $(m_k, L_{ID}, L_{PK}, h_{U_k}, h_{3k})$ to $L_5$.
User public key queries: $C$ maintains the list $L_U$ of tuple $(ID_i, x_i, X_i, Y_i, PSK_i)$, which is initially empty. When $A_I$ makes a $q_U$ query on $ID_i$, if $L_U$ contains $(ID_i, x_i, X_i, Y_i, *)$, $C$ returns the corresponding $(X_i, Y_i)$ to $A_I$. Otherwise, $C$ randomly selects $x_i \in Z_q^*$ and makes a $q_{H_1}$ query to extract $Q_i$ from $L_1$. Then $C$ returns $(x_i Q_i, x_i P)$ to $A_I$ and adds (
User public key replacement queries: When $A_I$ makes a $q_R$ query on $ID_i$, $C$ replaces the current public key value (
Partial private key extraction queries: When $A_I$ makes a $q_{PP}$ query on $ID_i$, $C$ runs the following algorithm: If $ID_i = ID^*$, $C$ fails Game I. If $ID_i \neq ID^*$, $C$ checks the list $L_U$; if $L_U$ contains $PSK_i$, $C$ returns the corresponding $PSK_i$ from $L_U$ to $A_I$. Otherwise, $C$ extracts $v_{h_1}$, $h_{1i}$ from $L_1$, $L_2$ respectively and sets $PSK_i = v_{h_1} h_{1i} aP$. Then $C$ returns $PSK_i$ to $A_I$ and adds $(ID_i, *, *, *, PSK_i)$ to $L_U$.
Private key extraction queries:
Certificateless ring signature queries: The adversary $A_I$ chooses a set of ring members $L_{ID}$ with corresponding public keys $L_{PK}$, then sends the request $q_{RS}$ on the message $m_k$ to generate a certificateless ring signature. $C$ performs the following algorithm:
• Choose randomly a signer $k \in \{1, \ldots, n\}$, then the signer selects a random . In order to define the hash value of $h_{2k}$, $C$ looks for in $L_3$.
In order to define the hash value of $h_{1k}$, $C$ looks for in $L_2$.
• For all $PK_i \in L_{PK}$, $C$ picks $U_i \in G_1$, $\forall i \in \{1, 2, \ldots, n\} \setminus \{k\}$, then computes $H_4(m_k \| U_i)$. In order to define the hash value . In order to define the hash value of $h_{3k}$, $C$ looks for in $L_5$.
• Finally, $C$ sets $V_k = (u_k + h_{2k}) h_{3k} x_k PSK_k \in G_1$. To define the values of $h_{2k}$ and $h_{3k}$, go to the previous steps.
• Obviously, the results of $q_{RS}$ are valid because the following equation holds:
Forgery. Eventually, the adversary $A_I$ can forge a certificateless ring signature $\sigma_k = (U_k, V_k, h_{3k})$ on the message $m_k$ that fulfills the following conditions:
• $A_I$ cannot ask for the partial private keys of the users in $L_{ID}$.
• The forged signature $\sigma_k$ is not obtained by a certificateless ring signature query.
• The forged certificateless ring signature $\sigma_k = (U_k, V_k, h_{3k})$ is valid. That is, $e(V_k, P) = e(h_{3k} U_k, P_{pub})$.
Then output $abP$ as the solution of the CDHP.
Probability. For $C$ to solve the CDHP successfully, we assume that $A_I$ has an advantage of $\varepsilon$ in forging a certificateless signature $\sigma_k$ in time limit $t$. Let $q_{H_i}$ $(i = 1, 2, 3, 4, 5)$ be the number of $H_i$ $(i = 1, 2, 3, 4, 5)$ queries, and assume $A_I$ never repeats $q_{H_i}$ for the same input value. Similarly, let $q_U$, $q_{PP}$, $q_{RS}$ be the numbers of user public key queries, partial private key extraction queries and certificateless ring signature queries, respectively.
We denote some events as follows: $\Pi_1$: $ID^*$'s partial private key was not queried by $A_I$. $\Pi_2$: $ID^*$ belongs to the group $L_{ID}$. $\Pi_3$: $ID^*$ is the actual signer.
Therefore, if $A_I$ can forge a certificateless ring signature with advantage $\varepsilon$, $C$ can solve CDHP with probability at least $\varepsilon / q_{H_1}$. However, this contradicts the hardness assumption of CDHP. Therefore, the proposed CLARS scheme is existentially unforgeable against adversary $A_I$.

Theorem 2
If an EUF-CLARS-CMA adversary $A_{II}$ has an advantage $\varepsilon$ against a CLARS scheme, asking at most $q_{H_i}$ $(i = 1, 2, 3, 4, 5)$ hash queries to random oracles, at most $q_U$ user public key queries, at most $q_P$ private key extraction queries, and at most $q_{RS}$ certificateless ring signature queries, then there exists an algorithm that solves the DDHP with the advantage $\varepsilon / q_U$.
Proof Assume that the challenger $C$ receives an instance of $(aP, bP, Y)$; the goal of $C$ is to determine whether $Y = abP$. $C$ runs $A_{II}$ as a subroutine and plays the role of the challenger in Game II.
Initialization. $C$ runs the Setup algorithm to generate the system master secret key msk and system parameters params $= \{G_1, G_2, P, q, P_{pub} = aP, H_1, H_2, H_3, H_4, H_5\}$, and saves the msk. Then $C$ sends params and msk to $A_{II}$.
$A_{II}$ can adaptively perform a polynomial number of the following oracle queries.
$H_1$ queries: $C$ maintains the list $L_1$ of tuple $(ID_i, Q_i)$, which is initially empty. When $A_{II}$ makes a $q_{H_1}$ query on $ID_i$, if $L_1$ contains $(ID_i, Q_i)$, $C$ returns the corresponding $Q_i$ from $L_1$ to $A_{II}$. Otherwise, $C$ runs the following algorithm: If $ID_i = ID^*$, $C$ sets $Q_i = aP$. Then $C$ returns $Q_i$ to $A_{II}$ and adds $(ID_i, Q_i)$ to $L_1$.
If $ID_i \neq ID^*$, $C$ selects a random $v_{h_1} \in Z_q^*$ and sets $v_{h_1} P = H_1(ID_i)$. Then $C$ returns $v_{h_1} P$ to $A_{II}$ and adds $(ID_i, v_{h_1} P)$ to $L_1$.
$H_3$ queries: $C$ maintains the list $L_3$ of tuple $(m_i, PSK_i, PK_i, u_i, h_{2i})$, which is initially empty. When $A_{II}$ makes a $q_{H_3}$ query on $(m_i, PSK_i,$
$H_4$ queries: $C$ maintains the list $L_4$ of tuple $(m_k, U_1, \ldots, U_{k-1}, U_{k+1}, \ldots, U_n, h_{U_k})$, which is initially empty. When $A_{II}$ makes a $q_{H_4}$ query on $(m_k, U_1, \ldots,$
$H_5$ queries: $C$ maintains the list $L_5$ of tuple $(m_k, L_{ID}, L_{PK}, h_{U_k}, h_{3k})$, which is initially empty. When $A_{II}$ makes a $q_{H_5}$ query on $(m_k, L_{ID},$
User public key queries: $C$ maintains the list
If $ID_i \neq ID^*$, $C$ randomly selects $x_i \in Z_q^*$ and makes a $q_{H_1}$ query to extract $Q_i$ from $L_1$. Then $C$ returns $(x_i Q_i, x_i P)$ to $A_{II}$ and adds $(ID_i,$
Private key extraction queries: When $A_{II}$ makes a $q_P$ query on $ID_i$, $C$ runs the following algorithm: If $ID_i = ID^*$, $C$ fails Game II. If $ID_i \neq ID^*$, $C$ checks the list $L_U$. If $L_U$ contains $(ID_i, x_i, X_i, Y_i, PSK_i)$, $C$ returns the corresponding $(x_i, PSK_i)$ to $A_{II}$. Otherwise, $C$ looks for $Q_i$, $h_{1i}$ in $L_1$ and $L_2$, and computes $PSK_i = s h_{1i} Q_i$. Then $C$ returns $(x_i, PSK_i)$ to $A_{II}$ and adds $(*, *, *, *, PSK_i)$ to $L_U$.
Certificateless ring signature queries: The adversary $A_{II}$ chooses a set of ring members $L_{ID}$ with corresponding public keys $L_{PK}$, then sends the request $q_{RS}$ on the message $m_k$ to generate a certificateless ring signature. $C$ performs the following algorithm:
• Choose randomly a signer $k \in \{1, \ldots, n\}$, then the signer selects a random . In order to define the hash value of $h_{2k}$, $C$ looks for in $L_3$.
In order to define the hash value of $H_4(m_k \| U_i)$. In order to define the hash value . In order to define the hash value of $h_{3k}$, $C$ looks for in $L_5$.
• Finally, $C$ sets $V_k = (u_k + h_{2k}) h_{3k} s h_{1k} X_k \in G_1$. To define the values of $h_{1k}$ and $h_{2k}$, go to the previous steps.
• Obviously, the results of $q_{RS}$ are valid because the following equation holds:
Forgery. Eventually, the adversary $A_{II}$ can forge a certificateless ring signature $\sigma_k = (U_k, V_k, h_{3k})$ on the message $m_k$ that fulfills the following conditions:
• $A_{II}$ cannot ask for the private keys of the users in $L_{ID}$.
• The forged signature $\sigma_k$ is not obtained by a certificateless ring signature query.
• The forged certificateless ring signature
Solve DDHP. Because $Q_k = aP$ and $Y_k = x_k P = bP$, $X_k = x_k Q_k = abP$. $Y = X_k$. Therefore, $C$ can determine $Y = abP$ and solve the DDHP.
Probability. For $C$ to solve the DDHP successfully, we assume that $A_{II}$ has an advantage of $\varepsilon$ in forging a certificateless signature $\sigma_k$ in time limit $t$. Let $q_{H_i}$ $(i = 1, 2, 3, 4, 5)$ be the number of $H_i$ $(i = 1, 2, 3, 4, 5)$ queries, and assume $A_{II}$ never repeats $q_{H_i}$ for the same input value. Similarly, let $q_U$, $q_P$, $q_{RS}$ be the numbers of user public key queries, private key extraction queries and certificateless ring signature queries, respectively. We denote some events as follows: $\Pi_1$: $ID^*$'s private key was not queried by $A_{II}$. $\Pi_2$: $ID^*$ belongs to the group $L_{ID}$. $\Pi_3$: $ID^*$ is the actual signer.
Therefore, if $A_{II}$ can forge a certificateless ring signature with advantage $\varepsilon$, $C$ can solve DDHP with probability at least $\varepsilon / q_U$. However, this contradicts the hardness assumption of DDHP. Therefore, the proposed CLARS scheme is existentially unforgeable against adversary $A_{II}$.

Theorem 3
The CLARS scheme is unconditionally anonymous.
Proof Initialization and Query are the same as those in Game II.
In the CLARS scheme, because $u_k$ is randomly selected from $Z_q^*$ and $h_{1k}$, $h_{2k}$ are outputs of the random oracle, $U_k = h_{1k}(u_k + h_{2k}) X_k$ is distributed uniformly. Since the $U_i$ are randomly selected from $G_1$ for $i \neq k$ and $h_{U_k}$ is the output of the random oracle, $h_{3k}$ is distributed uniformly. Since $u_k$, $x_k$ are randomly selected from $Z_q^*$ and $h_{2k}$, $h_{3k}$ are outputs of the random oracle, then
In conclusion, no matter who is the actual signer, all the mentioned parameters are independent and uniformly distributed for any message $m_k$, receiver and ring members $L_{ID}$. Therefore, even if the adversary has unbounded computing resources and all the private keys corresponding to $L_{ID}$, no adversary can identify the actual signer with a non-negligible advantage over random guessing. Hence, $\Pr[\mu = \mu']$, the anonymity holds.

6 Performance analysis
6.1 Security attributes
First, we summarize the security attributes of several pairing-based CLAS schemes and our CLARS scheme, as shown in Table 1. Here, synchronization refers to clock synchronization: only messages checked out in the same time interval can be aggregated, and signers need to share a synchronized clock. A clock-synchronized aggregate signature is not suitable for mobile computing environments and is difficult to implement.

Computation cost
We define some notations of cryptography operations in Table 2. The execution time of the cryptographic operations on the bilinear group pair is collected from [30]: to achieve faster pairing computation, the Type-A curve is considered with a 512-bit group and an underlying embedding degree of 2, which is equal to the 1024-bit RSA security level. Type-A is a supersingular curve $y^2 = x^3 + x$ built with a Solinas prime ordered group, where $G_1 = G_2$. They give the running time of related operations, and we show them in Table 3. Table 4 shows detailed computational overhead comparisons between the proposed CLAS.
In our scheme, generating a signature needs two scalar point multiplication operations. So, the computation cost is $T_{Sign} = 2T_s = 2 \times 0.318 = 0.636$ ms.
In the single verification, our scheme needs three pairing operations and one scalar point multiplication operation. Thus, the computational cost is $T_{SignVer} = 2T_p + T_s = 2 \times 2.468 + 0.318 = 5.254$ ms.
In the aggregate verification, our scheme needs three pairing operations and $n$ scalar point multiplication operations. So, the computation cost is $T_{AggVer} = 2T_p + nT_s = 2 \times 2.468 + 0.318n = 0.318n + 4.936$ ms.
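The pairing counts behind these formulas can be checked by running the equations that survive on this page ($PSK_i = s h_{1i} Q_i$, $U_k = h_{1k}(u_k + h_{2k}) X_k$, $V_k = (u_k + h_{2k}) h_{3k} x_k PSK_k$, and the check $e(V_k, P) = e(h_{3k} U_k, P_{pub})$) in a toy pairing model; this is an added example, not the authors' code. Assumptions: the insecure exponent representation of the groups, SHA-256 stand-ins for $H_1$ to $H_5$ with assumed input layouts, a sum as the rule for $h_{U_k}$, and the aggregate rule $V = \sum_i V_i$ with check $e(V, P) = e(\sum_i h_{3i} U_i, P_{pub})$, which is not legible on the page but matches the stated $2T_p + nT_s$.

```python
import hashlib
import secrets

# Toy bilinear group, constructed for this example and NOT secure: the point aP
# of G1 is stored as a mod Q and the G2 element e(P, P)^z as z mod Q, so that
# e(aP, bP) = e(P, P)^(ab) is stored as a*b mod Q. Discrete logs are exposed.
Q = 2**127 - 1                 # prime group order q (a Mersenne prime)
P = 1                          # generator P of G1 in this representation
COUNT = {"pairings": 0}        # pairing evaluations since the last reset


def pairing(a_pt, b_pt):
    COUNT["pairings"] += 1
    return (a_pt * b_pt) % Q


def H(tag, *parts):
    """Stand-in for H_1..H_5: SHA-256 mapped into Z_q^* (input layout assumed)."""
    data = "|".join([tag] + [repr(p) for p in parts]).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1) + 1


def rand_scalar():
    return secrets.randbelow(Q - 1) + 1            # uniform in Z_q^*


def setup():
    s = rand_scalar()                              # master key msk
    return s, (s * P) % Q                          # (s, P_pub = sP)


def keygen(s, identity):
    q_i = H("H1", identity)                        # Q_i = H_1(ID_i)
    x_i = rand_scalar()                            # user's secret value
    pk = ((x_i * q_i) % Q, (x_i * P) % Q)          # PK_i = (X_i, Y_i) = (x_i Q_i, x_i P)
    h1 = H("H2", identity, pk)                     # h_1i; its hash input is assumed
    psk = (s * h1 * q_i) % Q                       # PSK_i = s h_1i Q_i
    return {"id": identity, "x": x_i, "psk": psk, "h1": h1, "pk": pk}


def sign(signer, msg, ring):
    u = rand_scalar()
    h2 = H("H3", msg, signer["psk"], signer["pk"], u)
    U = (signer["h1"] * (u + h2) * signer["pk"][0]) % Q   # U_k = h_1k (u_k + h_2k) X_k
    others = [rand_scalar() for _ in ring[1:]]            # random U_i for i != k
    h_U = sum(H("H4", msg, u_i) for u_i in others) % Q    # combining rule assumed: sum
    h3 = H("H5", msg, ring, h_U)
    V = ((u + h2) * h3 * signer["x"] * signer["psk"]) % Q
    return {"h_U": h_U, "U": U, "V": V}                   # sigma_k = (h_Uk, U_k, V_k)


def verify_single(sig, msg, ring, p_pub):
    h3 = H("H5", msg, ring, sig["h_U"])
    return pairing(sig["V"], P) == pairing((h3 * sig["U"]) % Q, p_pub)


def aggregate(sigs):
    return {"h_U": [s["h_U"] for s in sigs], "U": [s["U"] for s in sigs],
            "V": sum(s["V"] for s in sigs) % Q}           # V = sum of V_i (assumed)


def verify_aggregate(agg, msgs, ring, p_pub):
    acc = 0
    for h_U, U, msg in zip(agg["h_U"], agg["U"], msgs):   # n scalar multiplications
        acc = (acc + H("H5", msg, ring, h_U) * U) % Q
    return pairing(agg["V"], P) == pairing(acc, p_pub)    # always two pairings


def demo(n=5):
    s, p_pub = setup()
    meters = [keygen(s, f"SM-{i}") for i in range(n)]     # constructed identities
    ring = [(m["id"], m["pk"]) for m in meters]
    msgs = [f"SM-{i} reading {100 + i} Wh" for i in range(n)]   # constructed readings
    sigs = [sign(m, msg, ring) for m, msg in zip(meters, msgs)]

    COUNT["pairings"] = 0
    singles_ok = all([verify_single(sg, msg, ring, p_pub) for sg, msg in zip(sigs, msgs)])
    single_pairings = COUNT["pairings"]

    COUNT["pairings"] = 0
    agg = aggregate(sigs)
    agg_ok = verify_aggregate(agg, msgs, ring, p_pub)
    agg_pairings = COUNT["pairings"]

    altered = msgs[:-1] + ["altered reading"]             # one reading changed in transit
    altered_ok = verify_aggregate(agg, altered, ring, p_pub)
    return singles_ok, single_pairings, agg_ok, agg_pairings, altered_ok


if __name__ == "__main__":
    print(demo())
```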

Communication cost
To sign any message $m_k$, the signer executes the Certificateless-ring-signature algorithm and produces the signature $\sigma_k = (h_{U_k}, U_k, V_k)$. Therefore, the length of the signature is $2|G_1| + H$, where $H$ is the hash function's output. The length of the signature in schemes [38,34,36,39] is $2|G_1|$, which is slightly less than in our scheme. However, our scheme not only provides lower computational cost in the aggregate signature verification phase, but also has unconditional anonymity compared with other CLAS schemes.

Conclusion
In order to ensure users' privacy and prevent malicious users from tampering with electricity data, a certificateless aggregate ring signature scheme to protect the privacy of smart meters is proposed in this paper, which addresses the problems of user privacy and limited computing resources. We also give a detailed and strict formal security proof to demonstrate that this scheme is unforgeable and unconditionally anonymous against public key replacement and malicious-but-passive KGC adversaries under adaptively chosen message attacks in the random oracle model. In addition, it can randomly aggregate signatures anytime, anywhere. Performance analysis shows that our CLARS scheme has a lower computational load, so it is suitable for resource-constrained smart grids.