A Secure Certificateless Signature Scheme for Space-Based Internet of Things

Space-based Internet of Things (S-IoT) can provide global services and connection capabilities. It has broad emerging applications, including marine monitoring, forest monitoring, animal monitoring, disaster emergency response, and other fields. However, owing to the openness of satellite communications, S-IoT is vulnerable to hijacking attacks, and malicious attackers can tamper with or forge transmitted messages. More seriously, due to limited S-IoT node resources, it is difficult to directly apply existing security solutions for terrestrial networks to the S-IoT. In this study, we propose CSP, a novel, secure, and efficient scheme based on certificateless signatures and bilinear pairings for S-IoT. CSP consists of six phases: system setup, partial private key settings, private key settings, public key settings, signing, and verifying. In CSP, part of the private key comes from the ground KGC and the other part is generated by the communication entity itself. We theoretically prove that CSP is secure and able to resist tampering or forgery attacks. Moreover, it can also ensure the authenticity, integrity, unforgeability, and non-repudiation of transmitted messages. We also conducted extensive experiments and compared CSP with the existing schemes. The experimental results demonstrate that CSP can significantly reduce the total scheme time consumption. In particular, it can reduce the time in the signature verification phase by about 50–60%.


Introduction
Space-based Internet of Things (S-IoT) has broad application prospects in the fields of disaster emergency, animal monitoring, air pollution monitoring, aerospace measurement and control, aviation and navigation, and mobile communications [1][2][3][4][5][6], as shown in Figure 1. At present, the IoT generally transmits information through terrestrial networks such as the Internet and mobile communication networks, which severely limits the application scope and makes it hard to achieve true interconnection of all things. Terrestrial networks mainly cover densely populated areas such as cities and towns. More than 70% of the Earth's area and more than 3 billion people are not covered by terrestrial networks. S-IoT can cover sparsely populated areas such as oceans, polar regions, and deserts [7,8]. In addition, S-IoT can also be applied in situations where terrestrial infrastructure has been damaged, such as reconstruction in disaster areas. According to the forecast of McKinsey, an American consulting company, the output value of S-IoT will reach 560 billion to 850 billion dollars within the next 5 years. It is expected that the number of machine-to-machine (M2M) and IoT networks connected to S-IoT will reach 5.96 million by 2025 [9].
Authentication is one of the fundamental issues for security [10]. However, owing to the openness of satellite communications, identity authentication between nodes and message integrity authentication face significant challenges. First, in S-IoT, a single satellite usually needs to provide data transmission services for massive numbers of ground nodes. The particularity of the environment makes the messages transmitted by satellites vulnerable to security threats such as eavesdropping, tampering, and forgery. Therefore, the communication security between satellite nodes is indispensable. Second, since the communication bandwidth of a satellite is typically narrow and satellite storage resources are also limited, the authentication scheme must be efficient. Third, in S-IoT, scores of ground nodes are distributed in the wild and may even be carried by animals. The computing, storage, and energy resources of ground nodes are severely limited due to the constraints of weight, volume, and deployment environment. These constraints require that the operations of ground nodes be simple enough to carry out [11]. Therefore, a secure and effective authentication scheme is urgently needed to ensure the development of S-IoT.
The main contributions of this study can be summarized as follows:
(1) We proposed CSP, a novel, secure, and efficient scheme based on certificateless signatures and bilinear pairings for S-IoT. To set the complete private key, a partial private key comes from the ground KGC and the other part of the private key is generated by the communication entity itself. In this way, CSP does not need a certificate authority and solves the key escrow issues.
(2) We have proved that CSP has strong security and can effectively resist the attacks of external and internal adversaries. Moreover, CSP enables authenticity, integrity, unforgeability, and nonrepudiation of transmitted messages.
(3) We designed CSP so that it only needs one hash function. Compared with the previous schemes, our scheme reduces the bilinear pairing operations in the verification phase. Performance evaluation shows that CSP can significantly reduce the total scheme time consumption. In particular, it can reduce the time in the signature verification phase by about 50-60%.
The organization of this study is summarized as follows. In Section 2, we review the related work. The S-IoT architecture, some principles of cryptography, and the security model are described in Section 3. In Section 4, we elaborate on our proposed scheme, CSP. We present the security analysis of CSP in Section 5. In Section 6, we evaluate the performance. We finally conclude the study and discuss the future research direction in Section 7.

Related Work
The existing work on the certification of IoT can be roughly divided into three types. The first method is authentication based on the public key infrastructure (PKI) mechanism, the second method is authentication based on the identity-based cryptosystem (IBC), and the third method is authentication based on certificateless public key cryptography (CL-PKC).
In the traditional PKI, the certificate authority (CA) manages the public key and identity information of all users and issues certificates to authenticated users, which is a complex process. Moreover, the generation, storage, distribution, verification, and revocation of certificates can be resource intensive.
Shamir [12] introduced IBC to try to solve the tedious problem of certificate management. As shown in [13], in addition to human users, computers and servers, smartphones, other mobile devices, and IoT devices also have their own identities. The IBC uses the user's identity information directly as the public key. The user's private key is generated by the key generation center (KGC) using the master key and the user's identity information. There have also been some studies [14,15] on IBC in recent years. However, in an IBC system, the KGC must be highly trusted because it can encrypt and decrypt messages on behalf of any system user. This creates a key escrow problem inherent in the IBC system. Once the KGC is invaded or breached, all users' private keys and identity information will be leaked. Then, the entire system will be paralyzed. To solve these problems, Al-Riyami et al. [16] proposed CL-PKC. They designed a novel certificateless signature (CLS) scheme, in which the KGC only provides part of the user's private key, and the other part is generated by the user, which can solve the key escrow problem. In addition, different from the traditional PKI system, users in the CL-PKC system do not need to be authenticated. Therefore, CLS does not need a certificate authority. CLS schemes can be divided into two categories: those that use bilinear pairings and those that do not.
Later, CLS technology was greatly developed. In 1996, Bellare and Rogaway [17] proposed a random oracle model (ROM) to prove the security of the CLS scheme. This model can efficiently evaluate the scheme, but there are many loopholes. At the beginning of this century, Choudary Gorantla and Saxena [18] claimed to have proposed a high-efficiency CLS scheme. However, in 2006, Cao et al. [19] proved that their scheme is not secure against key substitution attacks. Zhang et al. [20] designed a new certificateless signature scheme using bilinear pairings and used the ROM to achieve strict security proofs under the assumption of the computational Diffie-Hellman Problem (DHP), but their algorithm's computational cost is significant.
In 2012, Tso et al. [21] proposed a certificateless short signature scheme. However, Du and Wen [22] point out that the scheme cannot resist the attack of the second type of strong adversary in the ROM. There are also two short CLS schemes [23,24], both of which have been proven to be secure. However, the scheme in [23] needs to perform two bilinear calculations during verification, while the scheme in [24] requires three bilinear calculations. Obviously, the computational cost is relatively high. The first CLS scheme without bilinear pairings is proposed in [25], but it is pointed out in [26] that this scheme is vulnerable to the second type of strong adversaries. After that, CLS schemes without bilinear pairings were proposed in [27,28], respectively. However, it is pointed out in [29,30] that both schemes are vulnerable to the first type of super-adversaries. In 2015, Hassouna et al. [31] claimed to propose a strongly secure CLS scheme and proved its security under the assumption of two classes of strong adversary attacks. However, scholars soon proved that the scheme in [31] is insecure in the face of the attack of the first type of strong adversary. In addition, Wang et al. [32] proposed a novel, reliable, and efficient pairing-free certificateless scheme for the Industrial Internet of Things (IIoT) that utilizes the state-of-the-art blockchain technique and smart contracts. In 2018, Jia et al. [33] proposed an efficient CLS scheme without bilinear pairings suitable for the IoT. In 2020, Du et al. [34] found that the scheme in [33] could not resist the attack of the first type of adversaries and proposed a new scheme. In the same year, a bilinear-pairing-free CLS scheme suitable for resource-constrained scenarios was proposed in [35]. However, in 2021, Xu et al. [36] found that the solution of [35] was vulnerable to signature forgery attacks and could not achieve its purpose. Table 1 shows the main mechanisms and shortcomings of the existing works.
From the above, we can see that the existing PKI and IBC mechanisms may not be suitable for S-IoT. The CLS schemes without bilinear pairings do not seem to be reassuring in terms of security. In particular, in recent years, newly proposed schemes have been found to be unsafe within a short period of time. However, existing CLS schemes containing bilinear pairings have a large overhead. If these schemes are applied to the S-IoT, they will take up a large amount of resources. Therefore, we want to design a CLS scheme that balances security and computational overhead and is suitable for the special environment of S-IoT.

S-IoT
Architecture. The typical S-IoT architecture [3] is shown in Figure 2. The S-IoT architecture consists of three parts: space segment, ground segment, and user terminal. The space segment consists of a constellation of satellites. The ground segment mainly includes the ground stations and the control stations. The user terminal refers to various terminals which are mainly used to send and receive signals. Information security is an important issue in S-IoT. There may be malicious nodes attacking the S-IoT system through eavesdropping, forgery, tampering, and other means.

Elliptic Curve.
Elliptic curve cryptography (ECC) is a method of constructing cryptographic schemes from elliptic curves over finite fields. Elliptic curve cyphers can achieve the same strength with shorter keys than RSA. In general, an elliptic curve cypher with a key length of 160 bits can achieve the same strength as RSA with a key length of 1024 bits.
Let $p$ be a large prime number of length $\lambda$ and let $GF(p)$ denote a finite field. An elliptic curve is a series of points satisfying the following equations: where $O$ represents the point at infinity.

Bilinear Pairing.
Let the bilinear mapping be $e: G_1 \times G_1 \to G_2$, where $G_1$ and $G_2$ are the additive cyclic group and the multiplicative cyclic group of prime order $p$, respectively. The generator of $G_1$ is $P$. The bilinear map satisfies the following properties: there is a valid algorithm that can compute $e(P, Q)$

Bilinear Diffie-Hellman Problem (BDHP).
Given $aP, bP, cP \in G_1$, $a, b, c \in Z_q^*$, where $P$ is the generator of $G_1$, it is hard to calculate $e(P, P)^{abc} \in G_2$.

Certificateless Signature.
A certificateless signature scheme generally includes three entities: KGC, signer, and verifier. The general steps of the CLS are as follows:
(1) Setup: this step is performed by KGC. We input a security parameter $l$ and output the system master key $s$ and public parameter $params$. KGC securely keeps the system master key $s$ and makes $params$ public.
(2) Set partial private key: this step is performed by KGC. We input the system master key $s$, the public parameter $params$, and the signer's identity $ID$. Then, we output the partial private key $D$.
(3) Set private key: this step is performed by the signer. We input the public parameters $params$, the signer's identity $ID$, the partial private key $D$, and the signer's secret value. We output the private key $sk$.
(4) Set public key: this step is performed by the signer. We input the public parameter $params$ and the signer's secret value and output the public key $pk$.
(5) Sign: this step is performed by the signer. We input public parameters $params$, message $m$, the signer's $ID$, the private key $sk$, and the public key $pk$ and output the signature $\sigma$.
(6) Verify: this step is performed by the verifier. We input public parameters $params$, message $m$, signer $ID$, the public key $pk$, and the signature $\sigma$ and, finally, output $\mathrm{Verify}(m, \sigma, params, ID, pk) \to$ true or false.
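The six algorithms listed above, as an added Python example that is not from the paper and does not implement CSP: it substitutes a pairing-free, Schnorr-style construction over a toy multiplicative group to show how the KGC's partial key and the signer's own secret value both enter signing and verification. All function names, the group parameters, and the sample identity and message are assumptions of this example.

```python
import hashlib
import secrets

# Toy group (assumption of this example): integers modulo the Mersenne prime
# 2^127 - 1, written multiplicatively, so g^x stands in for the point xP.
# Chosen only so the block runs on the standard library; not a secure size.
P_MOD = 2**127 - 1
N_EXP = P_MOD - 1          # exponents are reduced modulo p - 1
G = 3

def H(tag, *parts):
    """One hash function, domain-separated by tag, mapped into Z_{p-1}."""
    h = hashlib.sha256(tag.encode())
    for part in parts:
        data = part if isinstance(part, bytes) else str(part).encode()
        h.update(len(data).to_bytes(4, "big") + data)
    return int.from_bytes(h.digest(), "big") % N_EXP

def rand_scalar():
    return secrets.randbelow(N_EXP - 1) + 1

def setup():
    """(1) KGC: master key s (kept secret) and system public key P_pub."""
    s = rand_scalar()
    return s, pow(G, s, P_MOD)

def set_partial_private_key(s, identity):
    """(2) KGC: partial private key (R, d) bound to the identity."""
    r = rand_scalar()
    R = pow(G, r, P_MOD)
    return R, (r + s * H("id", identity, R)) % N_EXP

def partial_key_is_valid(p_pub, identity, R, d):
    """Entity-side check that the KGC's partial key matches P_pub."""
    return pow(G, d, P_MOD) == R * pow(p_pub, H("id", identity, R), P_MOD) % P_MOD

def set_keys(R, d):
    """(3)+(4) Signer: the secret value x never leaves the entity."""
    x = rand_scalar()
    return (d, x), (pow(G, x, P_MOD), R)        # sk, pk

def _challenges(identity, pk, N, message):
    ctx = (identity, pk[0], pk[1], N, message)
    return H("h1", *ctx), H("h2", *ctx)

def sign(identity, sk, pk, message):
    """(5) Signer: both private-key halves enter the response z."""
    d, x = sk
    k = rand_scalar()
    N = pow(G, k, P_MOD)
    h1, h2 = _challenges(identity, pk, N, message)
    return N, (k + h1 * d + h2 * x) % N_EXP

def verify(p_pub, identity, pk, message, sigma):
    """(6) Verifier: needs only params, ID, pk, message, and signature."""
    X, R = pk
    N, z = sigma
    if not all(0 < v < P_MOD for v in (X, R, N)):
        return False
    h1, h2 = _challenges(identity, pk, N, message)
    kgc_part = R * pow(p_pub, H("id", identity, R), P_MOD) % P_MOD
    rhs = N * pow(kgc_part, h1, P_MOD) * pow(X, h2, P_MOD) % P_MOD
    return pow(G, z, P_MOD) == rhs

def demo():
    s, p_pub = setup()
    ident, msg = "sat-001", b"telemetry frame 42"    # constructed sample values
    R, d = set_partial_private_key(s, ident)
    sk, pk = set_keys(R, d)
    sigma = sign(ident, sk, pk, msg)
    out = {
        "partial_key_valid": partial_key_is_valid(p_pub, ident, R, d),
        "genuine": verify(p_pub, ident, pk, msg, sigma),
        "tampered_message": verify(p_pub, ident, pk, b"telemetry frame 43", sigma),
    }
    # Key escrow check: the KGC holds d but not x, so a signature it produces
    # with a guessed secret value is rejected under the entity's public key.
    kgc_sig = sign(ident, (d, rand_scalar()), pk, msg)
    out["kgc_without_secret_value"] = verify(p_pub, ident, pk, msg, kgc_sig)
    # Replaced public key: a party that swaps in its own X' but lacks the
    # partial private key d is rejected as well.
    x_new = rand_scalar()
    fake_pk = (pow(G, x_new, P_MOD), R)
    fake_sig = sign(ident, (rand_scalar(), x_new), fake_pk, msg)
    out["replaced_pk_without_partial_key"] = verify(p_pub, ident, fake_pk, msg, fake_sig)
    return out

if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The last two checks correspond to the two situations the certificateless setting is meant to handle: a KGC that lacks the signer's secret value, and a replaced public key presented without the matching partial private key.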

Security Model of CLS.
As mentioned in [37,38], traditional security controls and detection systems are often tailored against external threats, but insider attacks are also an ever-increasing threat to a system, with dire consequences. For comprehensive consideration of safety, in a certificateless cryptosystem, an external adversary $A_1$ and an internal adversary $A_2$ can be assumed [12]. At first, there were normal and strong adversaries in the ROM. In [39], the adversary is expanded and classified into three levels: normal, strong, and super. Through oracle queries, a normal adversary can only obtain the valid signature of the entity with the original public key. If the entity's public key is replaced, the normal adversary cannot obtain a valid signature. For a strong adversary, if the public key has been replaced, the adversary cannot obtain a valid signature until it provides the secret value associated with the new public key. A super adversary can obtain the valid signature of the entity whose public key has been replaced without the new secret value.
Here, we consider the case of super adversary attacks. The first type of adversary $A_1$: these kinds of adversaries are also called external adversaries. The adversary can replace the public key of the target entity, but cannot obtain the master key of the KGC and the partial private key of the entity.
The second type of adversary $A_2$: these kinds of adversaries are also called internal adversaries. The adversary knows the master key of the KGC and the partial private key, but cannot replace the public key of the target entity.

Type-I Model
Setup: challenger $C$ executes the algorithm to get the master secret key $s$ and public parameters $params$. Then, $C$ keeps $s$ secret and makes the parameters public.
Queries: $A_1$ adaptively asks one of the following queries to $C$.
(1) Public key extraction query: $A_1$ obtains the public key $pk_i$ of $ID_i$
(2) Replace public key query: $A_1$ replaces $pk_i$ with $pk_i'$, which $A_1$ chooses
(3) Private key extraction query: $A_1$ obtains the private key $sk_i$ of $ID_i$
(4) Signature query: $A_1$ obtains a valid signature $\sigma$ for $(ID_i, m)$
Output: finally, $A_1$ outputs a valid forgery $\sigma^*$ for

Type-II Model
Setup: challenger $C$ executes the algorithm to get the master secret key $s$ and public parameters $params$. Then, $C$ keeps $s$ secret and makes $params$ public.
Queries: $A_2$ adaptively asks one of the following queries to $C$.
(1) Public key extraction query: $A_2$ obtains the public key $pk_i$ of $ID_i$
(2) Partial private key extraction query: $A_2$ obtains the partial private key $D_i$ of $ID_i$
(3) Signature query: $A_2$ obtains a valid signature $\sigma$ for $(ID_i, m)$
Output: finally, $A_2$ outputs a valid forgery $\sigma^*$ for where $\mathrm{Verify}(m^*, \sigma^*, params, ID_i^*, pk_i) \to$ true.

Proposed CSP Scheme
Our proposed scheme, CSP, is as follows:
Setup (KGC): the function of KGC is completed by the network control center (NCC) on the ground. KGC inputs security parameter $k$ and selects the elliptic curve additive cyclic group $G_1$ and the multiplicative cyclic group $G_2$ with order $q$. The generator of $G_1$ is $P$. We set up bilinear mapping $e$: KGC selects a random number $s \in Z_q^*$ as the system master key and calculates $P_{pub} = s \cdot P$ as the system public key. KGC selects a secure hash function KGC securely saves the master key $s$ and makes the parameter $params = (q, G_1, G_2, e, P, P_{pub}, H_1)$ public.
Set partial private key (KGC): after KGC receives $ID_i$ from the entity (the satellite or the user on the ground) $S_i$, it calculates $Q_i = H_1(ID_i)$ and then calculates the partial private key $D_i = sQ_iP$ of $S_i$.
Set public/private key (entity): KGC sends $D_i$ to $S_i$. $S_i$ randomly selects the secret value $x_i, x_i' \in Z_q^*$, and then calculates We take $(X_i, Y_i)$ as the public key $pk_i$ and take $(D_i, Z_i)$ as the private key $sk_i$.
Sign (entity): when $S_i$ needs to sign a message $m$, the specific description is as follows:
Verify (entity): when another entity $S_j$ receives the message $m$ with the signature $\sigma_i$, it uses the public key $pk_i$ of $S_i$ to verify the signature. The specific description is as follows: (3) $S_j$ verifies that $s_i = s_j$. If the equation holds, the signature is valid; otherwise, the verification fails, the message is discarded, and a reauthentication message $rm$ is returned.
Correctness analysis:
As shown in Figure 3, the steps of interaction between satellite nodes are as follows:
Step 1 (KGC): KGC generates system parameters $params = (q, G_1, G_2, e, P, P_{pub}, H_1)$ and makes them public. Then, KGC calculates partial private keys. KGC sends partial private keys to the corresponding satellites. In this scene, we take satellites $S_i$, $S_j$, and $S_k$ as an example.
Step 2 ($S_i$, $S_j$, $S_k$): $S_i$ randomly selects the secret value We take $(X_i, Y_i)$ as the public key $pk_i$. We take $(X_i', Y_i')$ as the public key $pk_i'$. We take $(D_i, Z_i)$ as the private key $sk_i$. We take $(D_i, Z_i')$ as the private key $sk_i'$.
Step 3 ($S_i$): when $S_i$ needs to sign a message $m$, $S_i$ generates $\sigma_i = (m, N_i, s_i)$ as the signature of the message $m$ to $S_j$ and generates $\sigma_i' = (m', N_i', s_i')$ as the signature of the message $m'$ to $S_k$.
Step 4 ($S_j$, $S_k$): when satellites $S_j$ and $S_k$ receive the messages $m$ and $m'$ with the signatures $\sigma_i$ and $\sigma_i'$, $S_j$ uses the public key $pk_i$ to verify the signature $\sigma_i$ and $S_k$ uses the public key $pk_i'$ to verify the signature $\sigma_i'$.
As shown in Figure 4, the steps of interaction between satellite and ground nodes are as follows:
Step 1 (KGC): KGC generates system parameters $params = (q, G_1, G_2, e, P, P_{pub}, H_1)$ and makes them public. Then KGC calculates partial private keys. KGC sends partial private keys to the corresponding satellite and ground nodes. In this scene, take the satellite $S_i$ and the ground node $S_j$ as an example.
Step 2 ($S_i$, $S_j$): $S_i$ randomly selects the secret value $x_i, x_i' \in Z_q^*$, and then calculates $X_i$, $Q_i$, $Z_i$, and $Y_i$. $S_j$ randomly selects the secret value $x_j, x_j' \in Z_q^*$, and then calculates $X_j$, $Q_j$, $Z_j$, and $Y_j$. We take $(X_j, Y_j)$ as the public key $pk_j$ and take $(D_j, Z_j)$ as the private key $sk_j$.
Step 3 ($S_i$): $S_i$ generates $\sigma_i = (m, N_i, s_i)$ as the signature.
Step 4 ($S_j$): when the ground node $S_j$ receives the message $m$ with the signature $\sigma_i$, it uses the public key $pk_i$ of $S_i$ to verify the signature $\sigma_i$.

Lemma 1.
Under the attack of the first type of super adversary $A_1$, it is assumed that $A_1$ can adaptively perform $q_H$ $H_1$ oracle queries, $q_d$ partial private key extraction queries, $q_{sk}$ private key extraction queries, $q_{pk}$ public key extraction queries, and $q_s$ signature queries; there is an algorithm $C$ that can solve the ECDHP problem with the advantage of $\varepsilon' \ge \varepsilon \frac{1}{q_H}\left(1 - \frac{1}{q_H}\right)^{q_{sk}+q_{pk}}$.
Proof. Let $A_1$ be a super adversary, and we assume that the challenge for $C$ is to know that $Z_i = x_i'P$ (which can be obtained in the private key query below), and $aP$, $a \in Z_q^*$. $C$ calculates $ax_i'P$ after interacting with $A_1$. We play the game as follows:
Game 1: challenger $C$ inputs the security parameter $l$, runs the system establishment algorithm to generate the system master key $s$ and system parameter $params$, then sends the $params$ to $A_1$, and saves $s$ in secret.
After going through all the queries, $A_1$ outputs a forged signature $(m^*, N^*, S^*)$; if the forgery meets the following requirements, the super adversary $A_1$ is considered to win.
(1) $A_1$ has never submitted $(ID^*, m^*)$ to the signature oracle
(2) $A_1$ never submitted $ID^*$ to partial private key oracles
(3) $\mathrm{Verify}(m^*, \sigma^*, params, ID^*, pk_i') \to$ true
$H_1$ oracle query: $C$ maintains a list $L_{H_1}$ consisting of triples $(ID_i, Q_i, M_i)$, and the list is initially empty. When $A_1$ asks $C$ for $H_1$ with identity $ID_i$, if $ID_i$ has been stored in $L_{H_1}$, then $C$ returns the corresponding value to $A_1$; otherwise, $C$ calculates $Q_i = nP$, $n \in Z_q^*$; let $M_i = r_i$, $r_i \in Z_q^*$; we insert the new tuple $(ID_i, Q_i, M_i)$ into the list $L_{H_1}$ and return it to $A_1$.
Setup: $C$ runs the system algorithm, selects a generator $P$, and calculates $P_{pub} = sP$, where $s$ is the system master key that $C$ does not know; in this game, $C$ randomly selects an identity $ID^*$, generates system parameters $params = (P, P_{pub}, H_1)$, and sends them to $A_1$.
Public key extraction query: $C$ maintains a list $L_{pk}$ consisting of triples $(ID_i, x_i, pk_i)$, and the list is initially empty. When $A_1$ inputs $ID_i$ to ask, if $ID_i$ has been stored in $L_{pk}$, $C$ returns the corresponding value to $A_1$; otherwise, $C$ calculates $X_i = x_iP$, $Y = x_iP$, $x \in Z_q^*$ and returns the value to $pk_i$. Then, $C$ inserts $(ID_i, x_i, pk_i)$ into the list $L_{pk}$.
Public key query: when $A_1$ enters an $(ID_i, pk_i)$ query, if the tuple $(ID_i, x_i, pk_i)$ corresponding to $ID_i$ exists in the list $L_{pk}$, $C$ sets $pk_i = pk_i'$ and sets $(ID_i, x_i, pk_i)$ and returns the list $L_{pk}$; otherwise, $C$ performs the public key generation step to generate $(ID_i, x_i, pk_i)$, then sets $pk_i = pk_i'$, and returns $(ID_i, x_i, pk_i')$ to the list $L_{pk}$.
Private key extraction query: $C$ maintains a list $L_{sk}$ consisting of four-tuples $(ID_i, x_i', sk_i, Z_i)$, and the list is initially empty. When $A_1$ asks with $ID_i$, if $ID_i$ has been stored in $L_{sk}$, $C$ returns the corresponding value to $A_1$; otherwise, $C$ calculates $Z = x_i'P$, $x_i' \in Z_q^*$, and the new tuple $(ID_i, x_i', sk_i, Z_i)$ is inserted into the list $L_{sk}$ and returned to $A_1$.
Signature query: when $C$ receives an $(ID_i, m_i)$ signature query, it performs the following steps: (1) If $ID = ID^*$, $C$ aborts the query and outputs an error; otherwise, $C$ queries (
$A_1$ aborts the query and outputs the signature $\sigma = (N^*, S^*)$ of the identity $ID_i^*$ on the message $m^*$, which satisfies the verification condition: It can be known that $V' = ax_i'P$, which solves the ECDHP problem.
The events $E_1$, $E_2$, and $E_3$ are as follows: $E_1$: $A_1$ goes through a series of queries and $C$ does not abort. $E_2$: $A_1$ successfully forges a valid signature. $E_3$: there is $ID = ID^*$ in the forged signature. We set $\Pr[E_2 \mid E_1] \ge \varepsilon$, then obviously we have: It can be calculated that $C$ can solve the ECDHP problem with a nonnegligible probability: $\varepsilon' \ge \varepsilon \frac{1}{q_H}\left(1 - \frac{1}{q_H}\right)^{q_{sk}+q_{pk}}$.
This proves that the signature is unforgeable against adaptive chosen-message attacks. Therefore, it is proved that the scheme can guarantee the authenticity and integrity of the message under the attack of the first type of super adversary $A_1$.

Lemma 2.
Under the attack of the second type of super adversary $A_2$, it is assumed that $A_2$ can adaptively perform $q_H$ $H_1$ oracle queries, $q_d$ partial private key extraction queries, $q_{sk}$ private key extraction queries, $q_{pk}$ public key extraction queries, and $q_s$ signature extraction queries; there is an algorithm $C$ that can solve the BDHP problem with the advantage of $\varepsilon' \ge \varepsilon \frac{1}{q_H}\left(1 - \frac{1}{q_H}\right)^{q_d+q_{pk}}$.
Proof. Let $A_2$ be a super adversary. We assume that the challenge for $C$ is, given the master key $s$, $D_i = sQ_iP$ (which can be obtained in the partial private key query below), $b = sQ_i$, $aP$ and $cP$, $a, c \in Z_q^*$, to calculate $S^* = e(P, P)^{abc}$ after interacting with $A_2$.
Game 2: challenger $C$ inputs the security parameter $l$, runs the system establishment algorithm to generate the system master key $s$ and system parameter $params$, then sends the $params$ to $A_2$, and saves $s$ in secret. After going through all the queries, $A_2$ outputs a forged signature $(m^*, N^*, S^*)$; if the forgery meets the following requirements, the super adversary $A_2$ is considered to win.
(1) $A_2$ has never submitted $(ID^*, m^*)$ to the signature oracle
(2) $A_2$ never submitted $ID^*$ to private key oracles
(3) $\mathrm{Verify}(m^*, \sigma^*, params, ID^*, pk_i) \to$ true
$H_1$ oracle query: $C$ maintains a list $L_{H_1}$ consisting of triples $(ID_i, Q_i, M_i)$, and the list is initially empty. When $A_2$ asks $C$ for $H_1$ with identity $ID_i$, if $ID_i$ has been stored in $L_{H_1}$, then $C$ returns the corresponding value to $A_2$; otherwise, $C$ calculates $Q_i = nP$, $n \in Z_q^*$; let $M_i = r_i$, $r_i \in Z_q^*$, and we insert the new tuple $(ID_i, Q_i, M_i)$ into the list $L_{H_1}$ and return it to $A_2$.
Setup: $C$ runs the system algorithm, selects a generator $P$, and calculates $P_{pub} = sP$, where $s$ is the system master key that $C$ does not know; in this game, $C$ randomly selects an identity $ID^*$, generates system parameters $params = (P, P_{pub}, H_1)$, and sends them to $A_2$.
Public key extraction query: $C$ maintains a list $L_{pk}$ consisting of triples $(ID_i, x_i, pk_i)$, and the list is initially empty. When $A_2$ inputs $ID_i$ to ask, if $ID_i$ has been stored in $L_{pk}$, $C$ returns the corresponding value to $A_2$; otherwise, $C$ calculates $X_i = x_iP$, $Y = x_iP$, $x \in Z_q^*$ and returns the value to $pk_i$. Then, $C$ inserts $(ID_i, x_i, pk_i)$ into the list $L_{pk}$.
Partial private key extraction query: $C$ maintains a list $L_D$ consisting of triples $(ID_i, Q_i, D_i)$, and the list is initially empty. When $A_2$ asks $C$ with identity $ID_i$, if $ID = ID^*$, $C$ aborts and outputs an error; otherwise, if $ID_i$ has been stored in $L_D$, $C$ returns the corresponding value to $A_2$; if $ID_i$ is not stored in $L_D$, then $C$ extracts the tuple $(ID_i, Q_i, M_i)$ from the list $L_H$, calculates $D_i = sQ_iP$, and returns it to $A_2$.
Signature query: when $C$ receives an $(ID_i, m_i)$ signature query, it performs the following steps: (1) If $ID = ID^*$, $C$ aborts the query and outputs an error; otherwise, $C$ queries $(ID_i, Q_i, M_i)$, We calculate $s_i = e(M_iD_i, Z_i)^a$ and sign the message using $(N_i, s_i)$. $C$ sends $(N_i, s_i)$ to $A_2$
$A_2$ aborts the query and outputs the signature $\sigma = (N^*, S^*)$ of the identity $ID_i^*$ on the message $m^*$, which satisfies the verification condition: The premise that the signature satisfies the verification conditions is the parameter $c = N_i x_i' x_i^2$, which is known to $A_2$. Thus, $A_2$ can calculate $S^* = e(P, P)^{abc}$, which solves the BDHP problem.
The events $E_1$, $E_2$, and $E_3$ are as follows: $E_1$: $A_2$ goes through a series of queries and $C$ does not abort. $E_2$: $A_2$ successfully forges a valid signature. $E_3$: there is $ID = ID^*$ in the forged signature. We set $\Pr[E_2 \mid E_1] \ge \varepsilon$; then, obviously we have It can be calculated that $C$ can solve the BDHP problem with a nonnegligible probability: $\varepsilon' \ge \varepsilon \frac{1}{q_H}\left(1 - \frac{1}{q_H}\right)^{q_d+q_{pk}}$.
This proves that the signature is unforgeable against adaptive chosen-message attacks. Therefore, it is proved that the scheme can guarantee the authenticity and integrity of the message under the attack of the second type of super adversary $A_2$.
The above is a formal analysis in the ROM, which can ensure the strong security of CSP. The informal analysis is as follows.
Authenticity: CSP can realize the authentication of the message source and the authentication of the communication entity. This is achieved by adding the identity information of the communication entity to the signature.
Integrity: CSP can guarantee that data have not been tampered with or damaged. This is achieved by applying a hash function to the message in the signature. Once the message is changed, the corresponding hash value will change, which will result in authentication failure.
Unforgeability: in CSP, nobody except the communication entity itself can forge the signature. This is determined by the private key generation method of CSP. Only the ground KGC knows the secret value that generates the partial private key and only the communication entity itself knows the complete private key.
Nonrepudiation: CSP requires that neither the sender nor the receiver can deny the transmission. This is achieved by adding the identity information of the sender to the signature. Besides, the receiver must reply with a message indicating whether the verification was successful.

Performance Evaluation
In this section, we test the performance of CSP. We compare CSP with existing representative CLS schemes. To ensure a benchmark for comparison, CSP uses widely accepted parameters. Te program runs on a virtual machine with an Intel(R) Core(TM) i7-9750H-CPU@2.60 GHz and 16 GB of RAM, using the Ubuntu18.04LT operating system. Using the Type-A type in the PBC library, its security level is comparable to that of 1024 bit RSA. Te Type-A of this library is constructed on the elliptic curve y 2 � x 3 + x in the fnite feld GF(p), where p is a large prime number of 160 bits. Assuming the message length is 128 bits. Table 2 shows the time required for various operations in the simulation environment of this study. We can see that the bilinear pairing operation takes the longest, followed by the hash operation and the point multiplication operation. Since the scalar addition and multiplication operations take negligible time compared to other operations, we ignore the overhead of these two types of operations in the comparison. Te value in the table is the average time of each operation 100 times. Table 3 shows the efciency comparison of CLS schemes for satellite-to-satellite nodes. In S-IoT, we frst consider the case of authentication between satellite nodes. Since each satellite node provides services for massive ground nodes, we believe that the authentication of satellite nodes requires high security. Terefore, we consider that when a satellite wants to authenticate with other satellites, it needs to use diferent public and private keys. It mains that the satellite node S i uses (sk i , pk i ) for authentication with the satellite node S j , while S i uses (sk i ′ , pk i ′ ) for authentication with the satellite node S k (j ≠ k). In S-IoT, the roles of users and signers who generate public and private keys can only be assumed by the satellite itself, which cannot be delegated to a third party. 
Terefore, when calculating the overhead of the signing in this case, the overhead of generating public and private keys is included. Due to the diference in algorithms between CLS schemes with bilinear pairings and those without, the CLS schemes without bilinear pairings often include the point addition operation and the modular inverse operation. However, the time of these two operations is relatively short. For a more intuitive comparison, these two operations are ignored here.
The values of security against $A_1$ and $A_2$ are determined according to which level of adversary attack (normal, strong, or super) the corresponding scheme can resist in the ROM. Among these schemes, [36] reports that the scheme in [35] was vulnerable to signature forgery attacks and was insecure against $A_1$, and the scheme in [31] has recently been shown to be insecure against $A_1$.
It can be seen from Figure 5 that, in the simulation environment of this study, excluding the unsafe schemes in the table, the scheme in [34] has the shortest signing time, 8.727 ms. CSP needs 10.638 ms for signing, which is in the middle of these schemes. However, in the verification and total time comparison, the overhead of CSP is the smallest, at 4.681 ms and 15.319 ms. Compared with the scheme in [34], CSP improves the efficiency by about 50% and 15%, respectively. Among the CLS schemes with bilinear pairings, CSP has the smallest overhead in both the signature and verification phases, improving efficiency by about 9% and 60%, respectively. Besides, CSP can be proven to have a higher level of security. The reason is that the scheme in [31] does not fully use the user's public key when verifying the signature. It only uses part of the public key, which requires an additional verification of whether the public key is authentic and valid. Verifying the authenticity and validity of the public key increases the overhead of the bilinear pairing operations.
Table 4 shows the efficiency comparison of CLS schemes for satellite-to-ground nodes. When the satellite node is authenticated with the ground node in S-IoT, it is troublesome and resource-consuming to frequently update the public and private keys. Therefore, when the satellite $S_i$ is authenticated with the ground node, it only uses $(sk_i, pk_i)$.
We can see from Figure 6 that, excluding the unsafe scheme, the scheme in [34] has the shortest time in the signing phase, 0.886 ms. CSP needs 4.791 ms, which is similar to the schemes in [31,36]. In the verification phase and total time comparison, CSP still has the best performance, improving efficiency by about 50% and 7%, respectively.
Finally, we discuss the issue of CSP complexity. For the scenario in Figure 5, to complete the authentication between satellite nodes, three authentication messages need to be transmitted. The communication cost of each authentication message is 480 bits. The signature cost is 10.638 ms, and the verification cost is 4.681 ms. For the scenario in Figure 6, three authentication messages between the satellite and the ground node need to be transmitted. The communication cost of each authentication message is 480 bits. The signature cost is 4.971 ms. The verification cost is 4.681 ms. The CSP performance is shown in Table 5.
[Figure: key setup flow, Steps 1 to 4. The KGC (this role is filled by the satellite manufacturer or operating company) selects $H_1: \{0,1\}^* \to Z_q^*$ and the master key $s$, calculates $P_{pub} = s \cdot P$, and generates the system parameters $params = (q, G_1, G_2, e, P, P_{pub}, H_1)$ and the partial secret key $D_i = sQ_iP$, $Q_i = H_1(ID_i)$. $params$ and $D_i$ pass to a ground node, which generates the secret key $x_i, x_i' \in Z_q^*$, calculates $X_i = x_iP$, $Z_i = x_iP$, $Y_i = x_iP_{pub}$, and takes $(X_i, Y_i)$ as the public key $pk_i$ and $(D_i, Z_i)$ as the private key $sk_i$.]
[Figure: bar chart of time cost (ms), including the total, on an axis from 0 to 25.]
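The key setup that the figure text above describes (KGC master key and partial key, then the node's own key pair), as an added Python example that is not the paper's code. It works on the curve $y^2 = x^3 + x$ with constructed toy parameters instead of the PBC Type-A curve and leaves out the pairing, signing and verifying. All function names, including the `check_partial_key` helper, are assumptions made for this illustration.

```python
import hashlib, secrets

# Constructed toy parameters, far too small for real use. p = 3 (mod 4), so
# y^2 = x^3 + x over GF(p) has p + 1 points; q is a prime factor of p + 1.
p, q = 12107, 1009
h, INF = (p + 1) // q, None           # cofactor; point at infinity

def add(A, B):                        # affine point addition on the curve
    if A is INF: return B
    if B is INF: return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF
    num, den = (3 * x1 * x1 + 1, 2 * y1) if A == B else (y2 - y1, x2 - x1)
    lam = num * pow(den % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, A):                        # double-and-add scalar multiplication
    R = INF
    while k:
        if k & 1: R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def find_generator():                 # lift x to the curve, clear the cofactor
    for x in range(1, p):
        rhs = (x ** 3 + x) % p
        y = pow(rhs, (p + 1) // 4, p)  # square root when rhs is a residue
        if y * y % p == rhs and mul(h, (x, y)) is not INF:
            return mul(h, (x, y))

P = find_generator()                  # generator of the order-q subgroup

def H1(identity):                     # H_1: {0,1}* -> Z_q^* (SHA-256 assumed)
    digest = hashlib.sha256(identity.encode()).digest()
    return int.from_bytes(digest, "big") % (q - 1) + 1

def kgc_setup():                      # master key s and P_pub = s.P
    s = secrets.randbelow(q - 1) + 1
    return s, mul(s, P)

def partial_key(s, identity):         # D_i = s.Q_i.P with Q_i = H_1(ID_i)
    return mul(s * H1(identity) % q, P)

def check_partial_key(D_i, identity, P_pub):   # added check: D_i == Q_i.P_pub
    return D_i == mul(H1(identity), P_pub)

def node_keypair(D_i, P_pub):         # formulas as printed in the figure text
    x = secrets.randbelow(q - 1) + 1
    X = mul(x, P)                     # X_i = x_i.P; Z_i = x_i.P as printed
    return {"x": x, "pk": (X, mul(x, P_pub)), "sk": (D_i, X)}
```

Calling `node_keypair` once per peer satellite gives the separate $(sk_i, pk_i)$ and $(sk_i', pk_i')$ pairs that the evaluation assumes for satellite-to-satellite authentication, while a single call covers the ground-node case.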

Conclusions and Future Work
Due to the special environment and restricted resources, the security solutions used by terrestrial networks for communication cannot be directly applied to the S-IoT. This study proposes a strong, secure certificateless signature scheme with bilinear pairings named CSP, which is suitable for S-IoT. Before the satellite is connected to the space-based network, the manufacturer or the company that undertakes the work of the KGC inputs the partial private key and public parameters to the satellite. The satellite uses its own identity information and secret value to calculate the public key, the private key, and the signature. CSP can ensure the authenticity, integrity, unforgeability, and nonrepudiation of transmitted messages. CSP solves the problems of complicated certificate management in the traditional PKI system and key escrow in the IBC system. In the future, the secure access of satellites facing a large number of ground nodes is an important issue. In recent years, an ultra-superfast authentication protocol for electric vehicle charging, which utilizes the characteristics of extended chaotic maps, has been proposed in [40]; it can resist man-in-the-middle attacks, replay attacks, and impersonation attacks. This work provides us with new ideas on how to perform rapid authentication when a large number of nodes want to access satellites. Besides, analysis shows that compared with similar schemes, CSP can achieve a higher security level and lower overhead. However, CSP still needs a relatively long time in the signature phase, which is the research direction of future work.

Data Availability
The data that support the findings of this study can be obtained from the corresponding author upon reasonable request.