A Strongly Unforgeable Certificateless Signature Scheme and Its Application in IoT Environments

With the widespread application of the Internet of Things (IoT), ensuring communication security for IoT devices is of considerable importance. Since IoT data are vulnerable to eavesdropping, tampering, forgery, and other attacks during an open network transmission, the integrity and authenticity of data are fundamental security requirements in the IoT. A certificateless signature (CLS) is a viable solution for providing data integrity, data authenticity, and identity identification in resource-constrained IoT devices. Therefore, designing a secure and efficient CLS scheme for IoT environments has become one of the main objectives of IoT security research. However, the existing CLS schemes rarely focus on strong unforgeability and replay attacks. Herein, we design a novel CLS scheme to protect the integrity and authenticity of IoT data. In addition to satisfying the strong unforgeability requirement, the proposed scheme also resists public key replacement attacks, malicious-but-passive key-generation-centre attacks, and replay attacks. Compared with other related CLS schemes without random oracles, our CLS scheme has a shorter private key, stronger security, and lower communication and computational costs.


Introduction
The Internet of Things (IoT) is a self-establishing network of smart devices that are equipped with electronics, sensors, software, and actuators and that are connected via the Internet to generate, collect, and exchange data [1]. Since IoT devices connect objects in different environments to the Internet for information exchange and communication to realize intelligent identification, location, tracking, monitoring, management, and other functions, IoT devices have the ability to support a wide range of services. Consequently, the IoT builds a network that covers various things throughout the world via numerous IoT devices, and it enables various human-to-human, human-to-thing, thing-to-thing, and thing-to-thing interactions. Figure 1 shows a variety of IoT applications, including intelligent transportation, military target tracking, surveillance, public safety, smart home, industrial monitoring, smart city, medical equipment, and food traceability [2]. The application of the IoT involves all economic and social aspects of daily life and fundamentally changes the way in which humans interact with the world around them. Hence, the IoT is considered to be an information technology revolution and has become a growth point for the global economy [3]. Various IoT-enabled devices with embedded sensors collect and send IoT data to data centres over public networks; thus, the issues of security and privacy in IoT environments have become increasingly important [4,5]. Only authentic data can be stored in data centres, which requires the integrity and authenticity of the data transmitted by an IoT device to be checked before being stored. The signature-based cryptosystem is technology that provides the integrity, real source, unforgeability, and non-repudiation of the data. An IoT device signs the data using its private key during data transmission, and the data centre confirms the data authenticity and integrity by verifying the validity of the received signature. Therefore, a digital signature scheme can ensure data integrity and data authenticity in the IoT. However, the IoT differs from traditional networks. Most IoT devices have limited computational and processing capabilities, short communication ranges, and restricted storage and power resources. Conventional cryptosystems cannot run on resource-constrained IoT devices. The main reason is that conventional cryptosystems are classified into two categories: PKI-based and ID-based cryptosystems. Traditional PKI-based cryptosystems require certificates to authenticate users' public keys, which results in a large amount of computational overhead and communication costs to manage and exchange certificates. The identity-based cryptosystem avoids the use of certificates, but there are security flaws in key escrow that make it unsuitable for large-scale network environments. Hence, designing an efficient, secure signature scheme is very important for IoT security.
In a signature scheme, the private key of the signer is used to sign the message, and the validity of the corresponding signature is verified by the signer's public key. The signature's validity not only ensures that the signer with the private key can apply a valid signature to the message but also ensures the authenticity and integrity of the message. The user's public key is generally a random string; thus, authenticating the authenticity of the user's public key is particularly crucial. In traditional public key infrastructure (PKI) settings, a certificate issued by a fully trusted authority associates the user's public key with the user's real identity. The authenticity of the user's public key can be verified by the legality of the corresponding certificate. However, the storage, distribution, verification, and revocation of certificates in PKI are resource-intensive and computationally expensive tasks [6]. Hence, PKI is unsuitable for resource-constrained IoT environments.
Shamir [7] proposed identity-based cryptography (IBC) to solve the complex certificate management problems in PKI. IBC allows a key generation centre (KGC) to produce the user's private key, but the corresponding user's public key comes from their public identity information, such as an e-mail address or mobile phone number. However, KGC can replace the user to decrypt any ciphertext or to forge the signature of any message without being found, which results in the key escrow problem.
The concept of certificateless signature (CLS) was introduced by Al-Riyami and Paterson [8]. In a CLS scheme, the user's private key consists of two parts: One is a partial private key generated by the KGC, and the other is a secret value calculated independently by the user. The CLS scheme solves the key escrow problem because the KGC is unable to obtain the user's final private key. In addition, the user generates the corresponding public key based on its secret value, but it is not necessary to verify the authenticity of the public key by using the certificate. In practical applications, the user's public key is sent to the recipient together with the signature or is obtained from a public directory in a proper manner.
Certificateless signatures have received considerable attention in recent years, and researchers have designed numerous CLS schemes [9][10][11][12]. Most existing CLS schemes [13][14][15] have been proven to be secure in the random oracle model [16], where a cryptographic hash function is modelled as an ideal random oracle. The random oracle paradigm helps construct efficient cryptographic schemes, but it has received substantial criticism. It has been shown that, when random oracles are instantiated with actual hash functions, the cryptographic scheme that proves to be secure using the random oracle model may be unsafe in reality [17]. To overcome this security flaw, Liu et al. [18] designed the first CLS scheme without random oracles. Later, several CLS schemes [19][20][21][22] in the standard model were proposed, but these schemes cannot resist public key replacement (PKR) attacks or malicious-but-passive KGC (MKGC) attacks. In addition, most existing CLS schemes [23][24][25] without random oracles are proven to be existentially unforgeable against adaptive chosen-message attacks. This security notion only ensures that an attacker cannot forge the signature of any new message; it does not guarantee that the attacker generates the valid signature for the signed message. However, some signature schemes are malleable [26]; thus, an attacker can generate multiple valid signatures of the same message by using the previous message-signature pair without the signer's private key. In other words, these schemes do not satisfy strong unforgeability, which is a stronger security notion than existential unforgeability. Strong unforgeability is desirable in some applications [27][28][29] (such as electronic commerce, construction of certificateless signcryption schemes, and certificateless group signature schemes). If a CLS signature scheme satisfies existential unforgeability and can prevent an attacker from forging a valid signature of a previously signed message, then we say that the CLS scheme is strongly unforgeable. Strong unforgeability is an important property of the CLS scheme, but few CLS schemes [30] satisfy strong unforgeability in the standard model. Unfortunately, none of those strongly unforgeable CLS schemes considers replay attacks [31,32]. Note that the energy of the IoT device is one of the main factors that restricts improvements in network performance. However, replay attacks, which are considered to be one of the major attacks faced by IoT devices, can consume a large amount of node energy. Therefore, a CLS scheme that is applicable to IoT environments must consider replay attacks.
In this paper, motivated by the above concerns, we present a new CLS scheme for IoT environments that is more secure and efficient than the previous CLS schemes. As a potential signature-based authentication technology, our proposed scheme manifests a solution to the problems of data authenticity and data integrity in the IoT. The main contributions of this paper are the following.

•
A novel CLS scheme without random oracles is constructed. Under the collision-resistant hash function (CRHF) and computational Diffie-Hellman (CDH) assumptions, the proposed CLS scheme is proven to be strongly unforgeable against adaptive chosen-message attacks in the standard model.

•
In our CLS scheme, the user's public key is not only bound to the user's partial private key but also embedded into the signature of the message. This makes the proposed CLS scheme have a higher security trust level and be capable of resisting PKR attacks and MKGC attacks.

•
The proposed CLS scheme resists replay attacks by verifying the freshness of the timestamp and the validity of the signature. To our best knowledge, our scheme is the first CLS scheme with a strong unforgeability in the standard model that can resist replay attacks.
• Compared to other CLS schemes in the standard model, our CLS scheme has higher security, a smaller key size, a shorter signature length, and lower computational overhead for signature generation and signature verification.

•
Due to the aforementioned functionalities, our CLS scheme is able to be implemented and deployed in IoT environments where IoT devices have limited computing power, storage space, and communication bandwidth.
The remainder of this paper is organized as follows. We present the relevant CLS works in Section 2. Then, we introduce some preliminaries and security notions of the CLS scheme in Section 3. The proposed CLS scheme and its security proof are presented in Sections 4 and 5. Section 6 gives the CLS system model for IoT environments and performance analysis. Section 7 concludes this paper.

Related Work
The first CLS scheme was proposed by Al-Riyami and Paterson [8]. Later, Huang et al. [33] noted that their CLS scheme [8] was unable to resist PKR attacks and proposed security notions for CLS schemes. Since then, researchers have constructed a large number of provably secure CLS schemes [9][10][11][12][13][14][15] in the random oracle model. Aiming to eliminate the security requirements of ideal random oracles, Liu et al. [18] constructed a CLS scheme without random oracles based on the identity-based signature scheme proposed by Paterson and Schuldt [34]. However, Xiong et al. [19] and Huang et al. [35] demonstrated that Liu et al.'s CLS scheme [18] was insecure against MKGC attacks. To enhance the security of Liu et al.'s CLS scheme [18], Xiong et al. [19] presented an improved scheme, but it was still vulnerable to MKGC attacks [36]. Furthermore, Xia et al. [37] showed that several CLS schemes [18][19][20] without random oracles were susceptible to PKR attacks.
Subsequently, Yu et al. [21] designed a CLS scheme and claimed that their scheme was secure in the standard model. However, Yuan et al. [23] and Pang et al. [27] independently demonstrated that Yu et al.'s CLS scheme [21] was insecure against PKR or MKGC attacks. As a countermeasure, Yuan et al. [23] designed an enhanced scheme, but it did not satisfy strong unforgeability. Based on the Boneh-Boyen signature [38] and Pointcheval-Sanders signature [39], Canard and Trinh [25] constructed a CLS scheme with a low computational cost. However, Canard and Trinh's CLS scheme [25] was existentially unforgeable in the standard model. Subsequently, Huang et al. [22] constructed a CLS scheme with strong unforgeability in the standard model. Unfortunately, Yang et al. [30] demonstrated that Huang et al.'s CLS scheme [22] failed to achieve a strong unforgeability and was vulnerable to MKGC attacks. Furthermore, Yang et al. [30] presented a secure CLS scheme, but their scheme still has some drawbacks, including a longer private key size and a higher computational overhead than those of the previous schemes.
Digital signatures are widely used to ensure data authenticity and integrity. Yeh et al. [4] devised a CLS scheme for IoT environments. However, Jia et al. [40] demonstrated that Yeh et al.'s scheme [4] was insecure against PKR attacks and then proposed a new CLS scheme to overcome the flaws of Yeh et al.'s scheme [4]. Based on technologies such as RSA, DSA, and Merkle tree, Li et al. [41] proposed an IoT data communication framework to provide integrity and authenticity. Frädrich et al. [42] used redactable signature [43] to design another framework for the IoT environment to allow the redaction of parts from signed data and proved its security in the random oracle model. To achieve the security requirements in IoT, Challa et al. [44] presented a new signature-based authenticated key establishment scheme for the IoT environment. Based on Nyberg's fast one-way accumulator [45], Yao et al. [46] designed a lightweight multicast authentication mechanism for small scale IoT applications. Yang et al. [47] proposed a certificateless aggregate signature scheme for vehicular ad hoc networks to reduce transmission bandwidth and verification overhead of signatures. To protect the identity privacy of IoT devices, Yang et al. [48] constructed a strong designated-verifier proxy re-signature (SDVPRS) scheme in the standard model and applied it to the IoT environment. Unfortunately, the existing data integrity and authenticity schemes in IoT have two drawbacks. (1) Some schemes [41,42,44,[46][47][48] require heavy management and communication overheads of certificates to achieve authenticity authentication of the user's public key. (2) Most of the schemes [4,[40][41][42]44,46,47] are proved to be secure in the random oracle model. To fill thess gaps, Karati et al. [3] presented a secure CLS scheme for IoT environments in the standard model, but their scheme did not consider a strong unforgeability and replay attacks. To our best knowledge, designing an efficient CLS scheme that both satisfies strong unforgeability in the standard model and is resistant to PKR attacks, MKGC attacks, and replay attacks remains an open issue. Therefore, in this paper, we advance such a construction for IoT environments to ensure data integrity and data authenticity.

Preliminaries
Here, we briefly review some preliminary knowledge, including the definition of bilinear pairings, the complexity assumptions, and the security model of the CLS schemes.

Bilinear Paring
Assume that G 1 and G 2 are cyclic groups with the same order of prime p and that g is any generator of G 1 . A bilinear pair e : G 1 × G 1 → G 2 is a map that satisfies the following conditions [23]: • Bilinearity: e(g a , g b ) = e(g, g) ab for all a, b ∈ Z p . • Nondegeneracy: e(g, g) = 1.

•
Computability: There is an algorithm that can efficiently calculate e(g a , g b ) for any a, b ∈ Z p .

Complexity Assumptions
Given two elements g, h ∈ G 1 , the discrete logarithm (DL) problem [30] is to find an integer a ∈ Z p such that h = g a .
Let A denote an attacker with probabilistic polynomial time (PPT). The advantage ε of A to solve the DL problem in G 1 is defined as Definition 1 (DL assumption). We say that the DL assumption holds in G 1 if there is no PPT attacker A to solve the DL problem with a non-negligible advantage ε.
Given three elements, g, g a , and g b ∈ G 1 for unknown, randomly chosen a, b ∈ Z p , the computational Diffie-Hellman (CDH) problem [22] is to calculate g ab ∈ G 1 .
The advantage ε that any PPT adversary A can solve the CDH problem in G 1 is defined as Definition 2 (CDH assumption). The CDH assumption holds in G 1 if there is no PPT attacker A to solve the CDH problem with a non-negligible advantage ε.
Suppose that {H k } represents a family of hash functions H k : {0, 1} * → {0, 1} n , where n is the length of the output value of H k and k is an index. Given the index k, the collision resistance of hash function (CRHF) [30] H k is to find m 0 = m 1 such that H k (m 0 ) = H k (m 1 ). The advantage ε of any PPT adversary A in breaking the collision resistance of H k is defined as Definition 3 (CRHF assumption). A hash family {H k } is collision resistant if the advantage ε of any PPT adversary A to break the collision resistance of hash function H k is negligible.

Security Model of CLS
A CLS scheme consists of six algorithms, as follows: • Setup: This algorithm takes as input a security parameter λ, and it outputs the master secret key msk and system parameters param. • SetPubKey: This algorithm takes as input param and an identity ID, and it outputs a secret value usk ID and a public key pk ID . • PSKExtract: This algorithm takes as input param, ID, and pk ID , and it returns a partial private key psk ID for identity ID. • SetSecKey: Upon receiving param, usk ID , and psk ID , this algorithm outputs a private key sk ID .

•
Sign: This algorithm takes as input param, an identity ID's private key sk ID and public key pk ID , a timestamp T, and a message m, and it returns a signature σ on m. • Verify: Upon receiving param, ID, pk ID , T, m, and σ, this algorithm outputs 1 if σ is a valid signature of ID on m with respect to T and pk ID , and it outputs 0 otherwise.
According to the security model for CLS presented in References [15,35], a CLS scheme's security should consider two types of adversaries: type I and type II adversaries. A type I adversary is a PKR attacker who knows the secret value of the targeted entity and who can replace any entity's public key with its own. A type I adversary models an outside attacker who is not capable of possessing the master secret key of the KGC. In contrast, a type II adversary models an honest-but-curious KGC attacker who holds the master secret key of the KGC and generates the partial private key of any entity. However, a type II adversary can neither perform the entity's PKR nor obtain the secret value of the targeted entity. To meet more realistic security requirements, Au et al. [49] presented an enhanced security model in which a type II adversary is viewed as an MKGC attacker. In this case, a malicious KGC can access the master secret key of the KGC and may embed extra trapdoors in the system parameters and the master secret key during the initialization phase of the system. Hence, the type II adversary that we focus on is an MKGC attacker.
Here, the security model for a strongly secure CLS scheme is formalized via the following games (denoted Games 1 and 2) between a challenger C and an adversary A ∈ {A 1 , A 2 }. Game 1: Executed between a challenger C and a type I adversary A 1 .
• Initialization: C first runs the algorithm Setup to obtain the master secret key msk and system parameters param. C then runs the algorithm SetPubKey to output the secret value usk * and corresponding public key pk * of the targeted entity. Finally, C sends param and (usk * , pk * ) to A 1 while keeping msk secret. • Queries: A 1 can adaptively access the following oracles with C.
-Public Key Query O pk (ID i ): Upon receiving an identity ID i , C runs the algorithm SetPubKey to obtain a public key pk i and sends it to A 1 .

-
Public Key Replacement (PKR) Query O rep (ID i , pk i ): Upon receiving such a query, C finds and replaces the original public key pk i of identity ID i with a new public key pk i .
-Partial Private Key Query O psk (ID i , pk i ): Upon receiving an identity ID i and a public key pk i , C runs the algorithm PSKExtract to generate a partial private key psk i and sends it to A 1 .

-
Private Key Query O sk (ID i ): When A 1 initiates a private key inquiry about an identity ID i , C executes the algorithm SetSecKey to produce a private key sk i and sends it to A 1 . Note that C returns the symbol ⊥ if ID i has already appeared in PKR queries.

-
Signing Query O sign (ID i , T, m): Upon receiving an identity ID i , a timestamp Tm and a message m, C first executes the algorithm SetSecKey to produce a private key sk i and then uses sk i , T, and the identity ID i 's matching public key pk i to execute the algorithm Sign to produce a signature σ i on m. Finally, C sends σ i to A 1 .
• Forgery: A 1 eventually outputs a forged signature σ * on a message m * corresponding to an identity ID * , a timestamp T * , and the targeted public key pk * . It is said that A 1 wins this game when the following conditions are fulfilled:

Game 2:
Executed between a challenger C and a type II adversary A 2 . To launch malicious attacks more easily, A 2 is allowed to set some trapdoors during the initialization phase of the game.
• Initialization: C invokes A 2 to produce the master secret key msk and system parameters param. Then, C runs the algorithm SetPubKey to produce the secret value usk * and the corresponding public key pk * of the targeted entity. Finally, C sends pk * to A 2 while keeping usk * secret.

•
Queries: A 2 can adaptively access the oracles O pk (ID i ), O sk (ID i ), and O sign (ID i , T, m), which are defined in Game 1, and C responds in the same way as it does in Game 1.

•
Forgery: A 2 eventually outputs a forged signature σ * on a message m * corresponding to an identity ID * , a timestamp T * , and the targeted public key pk * . It is said that A 2 wins this game when the following conditions are fulfilled: (1) Verify(param, ID * , pk * , T * , m * , σ * ) = 1.

Proposed CLS Scheme
Based on Waters' scheme [26] and its variants [28,34], we propose an undeniable and strongly unforgeable CLS scheme in the standard model. Our CLS scheme is described as follows.
• Setup: Upon giving the security parameter λ as input, the KGC produces the master secret key and system parameters by performing the following steps.
(1) Select G 1 and G 2 as two cyclic groups with prime order p, a generator g of G 1 , and a bilinear pairing e : (2) Select two random values α, β ∈ Z * p and compute g 1 = g α and g 2 = g β .
(3) Select two random elements u 0 , v 0 ∈ G 1 and two vectors u = (u i ) and v = (v j ) of lengths n u and n m , respectively, where u i , v j ∈ G 1 for i = 1, ..., n u and j = 1, ..., n m .
Then, the entity computes usk ID = g θ 1 θ 2 as its secret value and sets its public key pk ID = (pk ID,1 , pk ID,2 , pk ID,3 ). • PSKExtract: Given an identity ID and a public key pk ID of an entity, the KGC first computes a vector Then, the KGC selects s ∈ Z * p at random and computes psk ID,1 = g αβ (U ID ) s and psk ID,2 = g s .
Finally, the KGC sends the partial private key psk ID = (psk ID,1 , psk ID,2 ) to the entity via a secure channel.
If this equation holds, then the entity accepts psk ID as a valid partial private key. • SetSecKey: The entity with identity ID selects a random value r ∈ Z * p and computes a vector where pk ID is ID's public key. Then, the entity uses its secret value usk ID and partial private key psk ID = (psk ID,1 , psk ID,2 ) to compute its private key • Sign: The signer with identity ID generates a signature of a message m by performing the following steps.
• Verify: Given the signer's identity ID and public key pk ID = (pk ID,1 , pk ID,2 , pk ID,3 ), timestamp T, and a signature σ = (σ 1 , σ 2 , σ 3 ) of message m, the verifier first chooses the current time T . Then, the verifier verifies the legality of σ as follows.
where δ is a threshold value, the verifier refuses to verify the validity of σ and exits. ( Then, the verifier checks If this equation holds, the verifier accepts σ and outputs 1; otherwise, the verifier rejects σ and outputs 0. Correctness: The correctness of a signature σ = (σ 1 , σ 2 , σ 3 ) on a message m is presented as follows:

Security Proof
In our CLS scheme, the algorithm SetSecKey randomizes the entity's secret value usk ID and partial private key psk ID = (psk ID,1 , psk ID,2 ) to generate the final private key sk ID = (sk ID,1 , sk ID,2 ) = (psk ID,1 · usk ID · (U ID ) r , psk ID,2 · g r ). Hence, it is not feasible for a malicious KGC to produce a valid signature without the secret value usk ID . Additionally, the KGC cannot derive the entity's private key sk ID from the master secret key msk and the entity's partial private key psk ID .
To prevent PKR and MKGC attacks, a part pk ID,3 of the entity's public key is embedded in the signature σ. Only each entity can produce its legal public key pk ID = (pk ID,1 , pk ID,2 , pk ID,3 ) = (g θ 1 , g θ 2 , g θ 3 ); thus, the malicious KGC can neither set the entity's public key at will nor derive the secret value usk ID from the signature. Furthermore, it is impossible to obtain the value (pk ID,3 ) r m directly from the entity's public key pk ID and the public value σ 3 = g r m of the signature unless the adversary can solve the CDH problem.
The algorithm PSKExtract binds each entity's public key pk ID , identity ID, and partial private key psk ID , which can enhance the trust level of the proposed CLS scheme. If the KGC attempts to replace the entity's public key pk ID , then the entity's identity ID and the new public key must be re-bound to compute a new partial private key, which results in the entity's identity ID corresponding to two public keys and two partial private keys. Therefore, our CLS scheme can easily determine whether the KGC replaced the entity's public key.
In addition, H 3 is a collision-resistant hash function. The hash value h combines the message m, the identity ID, public key pk ID , two values σ 2 , and σ 3 in the signature, a timestamp T, and system parameters param as h = H 3 (m, T, ID, pk ID , sk ID,2 , σ 3 , param). Hence, an attacker cannot forge a new valid signature from an existing signature on a message; that is, an adversary cannot generate a valid signature on any previously signed/new message in our CLS scheme.
In the following, we introduce two theorems to demonstrate that our CLS scheme satisfies a strong unforgeability against PKR and MKGC attacks in the standard model. Reduction technology is used to prove the strong unforgeability of the proposed scheme; specifically, if an attacker breaks the security of the scheme, a solver then uses the attacker's ability to solve the underlying hard problem related to the scheme. However, this problem is intractable in reality; thus, such an attacker does not exist. Furthermore, we prove that the proposed CLS scheme can resist replay attacks. Theorem 1. In the standard model, our CLS scheme is strongly unforgeable against PKR attacks. Specifically, there is a type I adversary A 1 that breaks the security of the proposed CLS scheme with advantage ε 1 after making at most q pk public key queries, q psk partial private key queries, q rep PKR queries, q sk private key queries, and q s signing queries. Then, an algorithm C can use the forgery of A 1 to solve the CDH problem with advantage ε 1 .
Proof. C is given a random instance (g, g a , g b ) ∈ G 3 1 of the CDH problem, and C's goal is to output g ab with the help of A 1 . The algorithm C simulates the challenger in Game 1 and responds to A 1 's queries as follows. • Initialization: C first sets l u = 2(q psk + q sk + q s ) and l m = 2q s such that l u (n u + 1) < p and l m (n m + 1) < p. Then, C simulates the algorithm Setup by performing the following steps: (1) Randomly select k u (0 ≤ k u ≤ n u ) and k m (0 ≤ k m ≤ n m ).
(2) Randomly select x 0 , x 1 , ..., x n u ∈ Z l u , y 0 , y 1 , ..., y n u ∈ Z p , c 0 , c 1 , ..., c n m ∈ Z l m , and d 0 , d 1 , ..., Note that the adopted hash functions are not considered to be random oracles in the following proof. (4) Set g 1 = g a and g 2 = g b , where g a and g b are from the input of the instance of the CDH problem.
From the perspective of A 1 , the distribution of the system parameters produced by C is identical to the real construction.
In our CLS scheme, we have Q = H 1 (ID, pk ID ) = (Q 1 , ..., Q n u ) ∈ {0, 1} n u for an identity ID and a public key pk ID , and we have M = H 2 (m, T) = (M 1 , ..., M n m ) ∈ {0, 1} n m for a message m and a timestamp T. Aiming to simplify the analysis, we define the following four functions: Hence, we have the following equations: which is initially empty. C constructs the following oracles to answer a series of A 1 's queries.
-Public Key Query O pk (ID i ): When A 1 initiates such an inquiry for an identity ID i , C looks up the corresponding entry in the list L. If ID i is found in L, C returns pk i to A 1 . Otherwise, C randomly selects θ i,1 , θ i,2 , θ i,3 ∈ Z * p and computes the secret value usk i = g θ i,1 θ i,2 and the public key pk i = (pk i,1 , pk i,2 , pk i,3 ) = (g θ i,1 , g θ i,2 , g θ i,3 ). Then, C stores {(ID i , θ i,1 , θ i,2 , θ i,3 , usk i , pk i )} in L and sends pk i to A 1 .

-
Public Key Replacement Query O rep (ID i , pk i ): If there is an entry for the identity ID i in the list L, C replaces the original public key pk i of ID i with a new public key pk i . Otherwise, C directly sets pk i as the public key of ID i . -Partial Private Key Query O psk (ID i , pk i ): When A 1 requests a partial private key of an identity ID i and a public key pk i , C returns psk i to A 1 if there is an entry for ID i and pk i in the list L. Otherwise, C computes F(ID i ) and J(ID i ).
(1) If F(ID i ) = 0 mod l u , C randomly selects s i ∈ Z * p and calculates a partial private key and Q i = H 1 (ID i , pk i ) = (Q i,1 , ..., Q i,n u ) ∈ {0, 1} n u . Then, C stores the partial private key of the corresponding entry in L and sends psk i to A 1 .
(2) If F(ID i ) = 0 mod l u , C terminates the simulation.
Note that the partial private key psk i = (psk i,1 , psk i,2 ) generated by C is legal.
Hence, from A 1 's perspective, the partial private key psk i simulated by C is computationally indistinguishable from that computed by the real KGC.

-
Private Key Query O sk (ID i ): When A 1 requests the private key of an identity ID i , C checks for an entry of ID i in L. If it exists, C returns sk i to A 1 ; otherwise, C computes F(ID i ) and J(ID i ). If F(ID i ) = 0 mod l u , C terminates; otherwise, C initiates a public key query about ID i to acquire a secret value usk i and a public key pk i and then initiates a partial private key query with (ID i , pk i ) to acquire a partial private key psk i . Next, C executes the algorithm SetSecKey to create a private key sk i , stores sk i of the corresponding entry in L and sends sk i to A 1 .

-
Signing Query O sign (ID i , T, m): Upon receiving an identity ID i , a timestamp T, and a message m, C issues a query O pk (ID i ) to acquire a public key pk i = (pk i,1 , pk i,2 , pk i,3 ) and the triplet (θ i,1 , θ i,2 , θ i,3 ). Then, C proceeds as follows.
(1) If F(ID i ) = 0 mod l u , C first makes a query O sk (ID i ) to acquire a private key sk i and then runs the algorithm Sign to generate a signature σ i of m. Finally, C sends σ i to A 1 . (2) If F(ID i ) = 0 mod l u , C computes K(m). If K(m) = 0 mod l m , C terminates; otherwise, C randomly selects r i , r m ∈ Z * p and computes Q i = H 1 (ID i , pk i ), U ID i , M = H 2 (m, T), and V m . Furthermore, C computes Forr m = r m − a K(m) , we have Clearly, the signature σ i = (σ i,1 , σ i,2 , σ i,3 ) generated by C is legal because σ i satisfies the following verification equation: From A 1 's perspective, the signatures simulated by C are computationally indistinguishable from those produced by the real signer. • Forgery: A 1 eventually outputs a signature σ * = (σ * 1 , σ * 2 , σ * 3 ) on a message m * corresponding to an identity ID * , a timestamp T * , and targeted public key pk * . If F(ID * ) = 0 mod p or K(m * ) = 0 mod p, C terminates; otherwise, C computes h * = H 3 (m * , T * , ID * , pk * , σ * 2 , σ * 3 , param) and uses (θ * 1 , θ * 2 , θ * 3 ) to output g ab as a solution to the CDH instance as follows: Now, we analyze the probability that C can successfully solve the CDH problem. If the following conditions hold, C completes the above simulation without aborting.
(1) All partial private key queries on (ID i , pk i ) have F(ID i ) = 0 mod l u .
(2) All private key queries on ID i have F(ID i ) = 0 mod l u .
(3) All signing queries on (ID i , T, m) have F(ID i ) = 0 mod l u or K(m) = 0 mod l m .
Here, we define four independent events X i , X * , Y j , and Y * as follows.
• X i : F(ID i ) = 0 mod l u for the ith query, where 1 ≤ i ≤ q psk + q sk + q s .
Because the events q psk +q sk +q s i=1 X i , X * , q s j=1 Y j , and Y * are independent, the probability that C does not terminate is From l u (n u + 1) < p, l m (n m + 1) < p, 0 ≤ k u ≤ n u , 0 ≤ k m ≤ n m , x 0 , x 1 , ..., x n u ∈ Z l u and Therefore, it is easy to derive F(ID) = 0 mod l u and K(m) = 0 mod l m from F(ID) = 0 mod p and K(m) = 0 mod p, respectively. Moreover, F(ID) = 0 mod l u implies that F(ID) = 0 mod p, and K(m) = 0 mod l m implies that K(m) = 0 mod p. Since x 0 , x 1 , ..., x n u and c 0 , c 1 , ..., c n m are randomly chosen, we obtain the probabilities of the events X * and Y * as follows:

Furthermore, we have
Pr[ Since l u = 2(q psk + q sk + q s ) and l m = 2q s , we write Therefore, if A 1 breaks the strong unforgeability of the proposed CLS scheme with advantage ε 1 , then C has an advantage ε 1 ≥ ε 1 16q s (n u +1)(n m +1)(q psk +q sk +q s ) to solve the given instance of the CDH problem.

Theorem 2.
In the standard model, the proposed CLS scheme is strongly unforgeable against MKGC attacks launched by the type II adversary A 2 . Concretely, assuming that A 2 compromises the security of our CLS scheme with advantage ε 2 after making at most q pk public key queries, q sk private key queries, and q s signing queries, then an algorithm C can use A 2 's forgery to solve the CDH problem in G 1 with advantage ε 2 .
Proof. Supposing that a PPT adversary A 2 breaks the strong unforgeability of our CLS scheme in an adaptive chosen-message attack, we can construct an algorithm C that calls A 2 as a subroutine to violate the CDH assumption. Assuming that C is given a random instance (g, A = g a , B = g b ) ∈ G 3 1 , to calculate g ab , C simulates the challenger in Game 2 to answer all A 2 's queries.

•
Initialization: For the given values q sk , q s , n u , and n m , C sets l u = 2(q sk + q s ) and l m = 2q s such that l u (n u + 1) < p and l m (n m + 1) < p. C selects a random element θ * ∈ Z * p and calculates pk * 3 = g θ * . Then, C sets the targeted entity's public key pk * = (pk * 1 , pk * 2 , pk * 3 ) = (A = g a , B = g b , g θ * ) and sends parameters (G 1 , G 2 , p, g, e) and pk * to A 2 .
Subsequently, A 2 performs the following steps to produce other system parameters and the master secret key.
(1) Select two random integers k u and k m , where 0 ≤ k u ≤ n u and 0 ≤ k m ≤ n m .
Note that the secret value of the targeted entity is usk * = g ab , which is unknown to C, and the system parameters are param = {G 1 , G 2 , p, g, e, g 1 , g 2 , u 0 , v 0 , u, v, H 1 , H 2 , H 3 }.
As the initialization phase in Theorem 1, we define the following four functions: Furthermore, we have the following equations: • Queries: C maintains an initially empty list L 2 of tuples {(ID i , θ i,1 , θ i,2 , θ i,3 , pk i , sk i )} and builds the following oracles to answer the queries initiated by A 2 .
-Public Key Query O pk (ID i ): When A 2 issues such a query on an identity ID i , C looks up the corresponding entry in list L 2 and sends pk i to A 2 . Otherwise, if L 2 does not store this entry, C randomly selects θ i,1 , θ i,2 , θ i,3 ∈ Z * p and computes the public key pk i = (pk i,1 , pk i,2 , pk i,3 ) = (A θ i,1 , B θ i,2 , g θ i,3 ) = (g aθ i,1 , g bθ i,2 , g θ i,3 ). Note that the secret value is usk i = g abθ i,1 θ i,2 , but a and b are unknown to C. Then, C stores {(ID i , θ i,1 , θ i,2 , θ i,3 , pk i )} in L 2 and transmits pk i to A 2 .

-
Private Key Query O sk (ID i ): Upon receipt of a query on an identity ID i , C returns sk i to A 2 if ID i is found in L 2 ; otherwise, C makes a query O pk (ID i ) to obtain a public key pk i = (pk i,1 , pk i,2 , pk i,3 ) and the triplet (θ i,1 , θ i,2 , θ i,3 ) and then verifies whether F(ID i ) = 0 mod l u .
(1) If F(ID i ) = 0 mod l u , C exits the simulation.
(2) If F(ID i ) = 0 mod l u , C selects s i ∈ Z * p and uses the master secret key msk = g αβ to compute stores the private key of the corresponding entry in L 2 and sends sk i = (sk i,1 , sk i,2 ) to A 2 .
The correctness of sk i simulated by C is F(ID i ) . Hence, the above equations indicate that sk i = (sk i,1 , sk i,2 ) is a valid private key of identity ID i .

-
Signing Query O sign (ID i , T, m): Upon receiving a message m, an identity ID i , and a timestamp T, C issues a query O pk (ID i ) to obtain a public key pk i = (pk i,1 , pk i,2 , pk i,3 ) and a triplet (θ i,1 , θ i,2 , θ i,3 ). Then, C considers the following two cases: (1) If F(ID i ) = 0 mod l u , C makes a query O sk (ID i ) to obtain a private key sk i and then runs the algorithm Sign to generate a signature σ i on m. Finally, C sends σ i to A 2 . (2) If F(ID i ) = 0 mod l u , C computes K(m). If K(m) = 0 mod l m , C quits the simulation; otherwise, C randomly selects r i , r m ∈ Z * p and computes Letr m = r m − aθ i,1 θ i,2 K(m) ; then, we have The simulated signature σ i = (σ i,1 , σ i,2 , σ i,3 ) satisfies the following signature verification equation; thus, σ i is a valid signature on message m: • Forgery: A 2 eventually outputs a signature σ * = (σ * 1 , σ * 2 , σ * 3 ) on a message m * corresponding to an identity ID * , a timestamp T * , and the targeted public key pk * . If F(ID * ) = 0 mod p or K(m * ) = 0 mod p, C terminates; otherwise, C calculates h * = H 3 (m * , T * , ID * , pk * , σ * 2 , σ * 3 , param) and then uses θ * and g αβ to output the CDH value g ab by calculating Here, we discuss the probability of C outputting a correct solution for the CDH instance. C completes the above simulation if all of the following events occur: • F(ID i ) = 0 mod l u during private key queries. • F(ID i ) = 0 mod l u or K(m) = 0 mod l m during signing queries. • F(ID * ) = 0 mod p and K(m * ) = 0 mod p in the forgery phase.
The probability of C completing the simulation is analogous to that in Theorem 1. We define four independent events, X i , X * , Y j , and Y * , as follows: Similar to the probability analysis in Theorem 1, we give the probability of C not aborting as .
Hence, C can solve the given instance of the CDH problem with advantage ε 2 ≥ ε 2 16q s (q sk +q s )(n u +1)(n m +1) .
We obtain Theorem 3 by combining Theorems 1 and 2, as follows.
Theorem 3. In the standard model, our CLS scheme is strongly unforgeable against adaptive chosen-message attacks corresponding to type I and II adversaries under the CDH and CRHF assumptions.

Theorem 4.
Our CLS scheme is resistant to replay attacks.
Proof. In replay attacks, the adversary generally initiates two types of attacks [31,32]. One is to directly replay the intercepted message and the corresponding signature, and the other is to modify the timestamp in the signature of the intercepted message and to create a new signature for the message.
In the first type of attack, it is assumed that the adversary replays an intercepted combination of message m, timestamp T, and signature σ generated by an IoT device. Upon receiving this combination {m, T, σ}, the data centre compares the timestamp T in the combination with the current timestamp T . If the value of T − T exceeds the threshold δ, the data centre can determine that m in this combination is a replayed message and can discard m. Therefore, the first type of attack has no effect on our CLS scheme.
Since our CLS scheme satisfies strong unforgeability, the attacker cannot generate a legal signature for any message. Therefore, in the second type of attack, the attacker can only use the existing combination {m, T, σ} to initiate the attack. In the proposed scheme, the timestamp T is bound to the message m, i.e., M = H 2 (m, T). Additionally, the timestamp T is embedded in the parameter h in the form of h = H 3 (m, T, ID, pk ID , σ 2 , σ 3 , param) and is also embedded in the signature σ of the message m in the form of (pk 3 ) r m h . If the attacker wants to replace T in the signature σ with a new timestamp T * , the attacker needs to calculate h * = H 3 (m, T * , ID, pk ID , σ 2 , σ 3 , param) and (pk 3 ) r m h * . Although an attacker can calculate h * and (pk 3 ) h * , the difficulty in calculating r m from (pk 3 ) r m h is equivalent to solving the DL problem. However, if the attacker does not know r m , then they cannot calculate the correct value (pk 3 ) r m h * . In addition, T * must satisfy the conditions H 2 (m, T) = H 2 (m, T * ) and H 1 (m, T) = H 1 (m, T * ), which is equivalent to finding a collision of the hash functions H 2 and H 3 . Since the DL problem is unsolvable in reality and the functions H 2 and H 3 are CRHF, the second type of attack does not compromise the security of our CLS scheme. In summary, the proposed CLS scheme can efficiently withstand replay attacks.

System Model
In a CLS scheme for IoT environments, it is very important that data are not modified and that the source of the data is authentic during data transmission. Therefore, we mainly focus on the integrity and authenticity of IoT data in our system while simultaneously reducing the bandwidth, computational cost, and storage overhead for IoT devices. Figure 2 shows our CLS system model for IoT environments, which consists of three entities: PKG, data centre, and IoT device. • PKG: This entity is primarily responsible for producing system parameters and computing partial private keys for the data centre and each IoT device. The PKG sends system parameters to all of the entities through a public channel and transmits an individual partial private key to each entity via a secure channel. • Data centre: This entity has a strong computing power and storage space; thus, it can check the integrity and authenticity of the data by verifying the signature sent by each IoT device and can store the authentic data for other users to use. Initially, the data centre submits its identity information to the PKG to apply for the corresponding partial private key; it then saves the system parameters and partial private key sent by the PKG.

•
IoT device: This entity equipped with sensors has limited computational and memory resources and limited battery capacity. During the registration of the IoT device, the PKG generates a unique partial private key based on the physical address of each IoT device. After the IoT device is embedded with system parameters and its private key, it signs messages collected from the physical world and sends the corresponding signatures along with messages to the data centre.

Performance Analysis
In this subsection, we analyze the performance of the proposed CLS scheme. Compared with other cryptographic operations, bilinear pairing and exponentiation are the most time-consuming operations [22,28]; hence, our efficiency analysis mainly emphasizes the computational costs of these two operations. Tables 1 and 2 compare the performance of our CLS scheme and other related CLS schemes [21][22][23]27,30] without random oracles in terms of private key size, signature length, computational cost, and security. In Table 1, the KeySize and SigSize columns list the sizes of the private key and signature, respectively. The Sign and Verify columns present the computational costs of the algorithms Sign and Verify, respectively. Let P and E represent the execution times of a bilinear pairing and an exponentiation, respectively. Let n u represent the length of an identity, and let |G 1 | and |p| represent the lengths of an element in G 1 and Z p , respectively. In Table 2, the columns Type I, Type II, and Replay attacks show whether the CLS scheme can resist PKR attacks, MKGC attacks, and replay attacks, respectively. The SUF column denotes whether the CLS scheme satisfies a strong unforgeability in the standard model. It should be noted that the key length affects the storage capacity of the IoT device and the data center and that the signature length affects the communication capabilities of the IoT device and the storage capacity of the data center. In addition, the overhead of signature generation and signature verification affect the computing power of the IoT device and the data center, respectively. Yu et al. [21] |p| + 2|G 1 | 4|G 1 | 7E E + 5P Yuan et al. [23] |p| + 2|G 1 | 3|G 1 | 3E E + 6P Pang et al. [27] |p| + 2|G 1 | 3|G 1 | 7E 4E + 5P Huang et al. [22] 3|G 1 | 3|G 1 | 5E 3E + 6P Yang et al. [30] (4 + n u )|p| From Tables 1 and 2, the length of the private key in our CLS scheme is 2|G 1 |, which is the shortest among the six CLS schemes. The size of the signature in the proposed CLS scheme is 3|G 1 |, which is equivalent to that of the schemes presented in References [22,23,27] but smaller than that of other schemes [21,30]. In the signing phase, our CLS scheme requires three exponentiations, as does Yuan et al.'s scheme [23], but is superior to other schemes [21,22,27,30]. In the verification phase, the computational cost of the proposed CLS scheme is E + 5P, which is lower than that of the five other CLS schemes. Moreover, the efficiency of the verification process in our CLS scheme can be improved by a pre-calculation. Note that the verification equation for signature legitimacy is as follows: e(σ 1 , g) = e(g 2 , g 1 ) · e(pk ID,1 , pk ID,2 ) · e(U ID , σ 2 ) · e((pk ID,3 ) h V m , σ 3 ).
Here, e(g 2 , g 1 ) and e(pk ID,1 , pk ID,2 ) can be pre-computed; thus, the time cost of verification in our CLS scheme can be reduced to one exponentiation and 3 bilinear pairings. Furthermore, only our CLS scheme can resist PKR attacks, MKGC attacks, and replay attacks while satisfying a strong unforgeability.
We also evaluated the performance of the proposed CLS scheme via experiments conducted with the PBC-0.47-VC cryptographic library [50]. The simulation program was run on a laptop equipped with a basic configuration of a 2.50 GHz CPU, 8 GB RAM, and the 64-bit Windows 10 operating system. To obtain faster pairing computation, we selected the Type A curve in the PBC library, which is a super-singular curve y 2 = x 3 + x built with the 512-bit order of the base field. The results of the experiment are presented in Figures 3-6. Scheme [29] Scheme [23] Our scheme Length (bit) Figure 3. A comparison of the private key size.
The IoT device must secretly store its private key; therefore, the size of the private key is important for an IoT device with a limited storage capacity. As shown in Figure 3, the size of the private key in our CLS scheme is 256 bits, which is 92.8% of that in Yuan et al.'s CLS scheme [23]. However, the size of the private key increases linearly with the length of the entity's identity in Yang et al.'s CLS scheme [30]. For example, if the length n u of the entity's identity is 100 bits, then the private key size in our CLS scheme is approximately 11% of that in Yang et al.'s CLS scheme [30]. In other words, our CLS scheme has a higher performance in private key length. Scheme [29] Scheme [23] Our scheme Length (bit) Since IoT devices possess limited battery power and communication bandwidth, one of the goals of our CLS scheme is to reduce the communication overhead of IoT devices. The most critical factor affecting communication cost is signature size. Figure 4 shows that the signature size of our CLS scheme and that of Yuan et al. [23] is 384 bits, while the signature size of Yang et al.'s CLS scheme [30] is 532 bits. Hence, the proposed CLS scheme has a lower communication overhead. Due to the characteristics of IoT devices, such as limited computing and processing power, the computational overhead of generating signatures for IoT devices should be as small as possible. Figure 5 shows that the cost of signature generation in our CLS scheme is almost the same as that in Yuan et al.'s CLS scheme [23] but less than that in Yang et al.'s CLS scheme [30]. The data centre has a strong computation and storage capability to verify the validity of signatures sent by IoT devices. Figure 6 shows that the proposed CLS scheme greatly reduces the computational overhead of signature verification and that its performance is superior to that of the other two schemes [23,30].
A scheme in the random oracle model usually has a higher computational performance, but its security depends on the ideal random oracle. Both our scheme and Yang et al.'s [48] scheme are provable in the standard model, and their security only depends on the difficulty of the associated mathematical problems. Therefore, these two schemes have higher security than other schemes [4,[40][41][42]44,46,47]. Our scheme and Yang et al.'s scheme [48] use CLS and SDVPRS respectively to guarantee the integrity and authenticity of data in IoT. We compare the signature generation and verification overhead of two schemes, and the corresponding results are shown in Figures 7 and 8.  From Figure 7, we can see that the computational cost of signature generation in our scheme is lower than that in the scheme of Reference [48]. This is because the signature generation in the scheme of Reference [48] requires an additional bilinear pairing operation. Figure 8 shows that the time consumption of signature verification in the scheme of Reference [48] is lower than ours, but the scheme in Reference [48] does not satisfy the properties of a strong unforgeability and replay attack resistance. As a result, our scheme has a higher security.
In summary, the results of all the above experimental analyses are consistent with those of the theoretical analysis in Table 1. Therefore, we conclude that our CLS scheme is applicable to IoT environments.

Conclusions
The IoT is profoundly changing production activities, social management, and public services, but ensuring the integrity and authenticity of data is an important issue for IoT. To solve this problem, a new CLS scheme for IoT environments is presented in this paper. In addition to protecting data integrity and data authenticity, our CLS scheme also reduces the computational and communication costs for IoT devices. The proposed CLS scheme is proven to be strongly unforgeable against adaptive chosen-message attacks under the CDH and CRHF assumptions in the standard model. Additionally, our CLS scheme can withstand replay attacks. Furthermore, the performance comparisons demonstrate that our CLS scheme outperforms the previous CLS schemes without random oracles. The Internet of Vehicles is considered to be one of the most potential areas in IoT and has wide application prospects in the field of intelligent transportation. Compared with ordinary sensors, the vehicle terminal equipment has a more stable power supply and higher computing power and storage space. Hence, our CLS scheme is suitable for the Internet of Vehicles.
Author Contributions: X.Y. wrote the original draft. X.P. conducted security analysis. G.C. and T.L. designed the simulation experiments. M.W. re-edited the draft. C.W. validated the rightness and feasibility of the proposed scheme.

Conflicts of Interest:
The authors declare no conflict of interest.