#### Abstract

Space-based Internet of things (S-IoT) can provide global services and connection capabilities. It has broad emerging application, including marine monitoring, forest monitoring, animal monitoring, disaster emergency response and other fields. However, owing to the openness of satellite communications, S-IoT is vulnerable to hijacking attacks, and malicious attackers can tamper with or forge transmitted messages. More seriously, due to limited S-IoT node resources, it is difficult to directly apply existing security solutions to terrestrial networks to the S-IoT. In this study, we propose CSP, a novel, secure, and efficient scheme based on certificateless signatures and bilinear pairings for S-IoT. CSP consists of six phases: system setup, partial private key settings, private key settings, public key settings, signing and verifying. In CSP, we especially design that part of the private key comes from the ground KGC and the other part is generated by the communication entity itself. We theoretically prove CSP is secure, and it is able to resist tampering or forgery attacks. Moreover, it can also ensure the authenticity, integrity, unforgeability, and nonrepudiation of transmitted messages. We also conducted extensive experiments and compared CSP with the existing schemes. The experimental results demonstrate that CSP can significantly reduce the total scheme time consumption. Especially, it can reduce about 50–60% of the time in the signature verification phase.

#### 1. Introduction

Space-based Internet of Things(S-IoT) has broad application prospects in the fields of disaster emergency, animal monitoring, air pollution monitoring, aerospace measurement and control, aviation and navigation, and mobile communications [1–6], as shown in Figure 1. At present, the IoT generally transmits information through terrestrial networks such as the Internet and mobile communication networks, which severely limits the application scope and makes it hard to achieve true interconnection of all things. Terrestrial networks mainly cover densely populated areas such as cities and towns. More than 70% of the Earth’s area and more than 3 billion people are not covered by terrestrial networks. S-IoT can cover sparsely populated areas such as oceans, polar regions, and deserts [7, 8]. In addition, S-IoT can also be applied in situations where terrestrial infrastructure has been damaged, such as reconstruction in disaster areas. According to the forecast of McKinsey, an American consulting company, the output value of S-IoT will reach 560 billion to 850 billion dollars within the next 5 years. It is expected that the number of machine-to-machine (M2M) and IoT networks connected to S-IoT will reach 5.96 million by 2025 [9].

Authentication is one of the fundamental issues for security [10]. However, owing to the openness of satellite communications, identity authentication between nodes and message integrity authentication face significant challenges. First, in S-IoT, a single satellite usually needs to provide data transmission services for massive ground nodes. The particularity of the environment makes the messages transmitted by satellites vulnerable to security threats such as eavesdropping, tampering, and forgery. Therefore, the communication security between satellite nodes is indispensable. Second, since the communication bandwidth of a satellite is typically narrow and satellite storage resources are also limited, the authentication scheme must be efficient. Third, in S-IoT, scores of ground nodes are distributed in the wild and may even be carried by animals. The computing, storage, and energy resources of ground nodes are severely limited due to the constraints of weight, volume, and deployment environment. These constraints require that the operations of ground nodes must be simple enough to operate [11]. Therefore, a secure and effective authentication scheme is urgently needed to ensure the development of S-IoT.

The main contribution of this study can be summarized as follows:(1)We proposed CSP, a novel, secure, and efficient scheme based on certificateless signatures and bilinear pairings for S-IoT. To set the complete private key, a partial private key comes from the ground KGC and the other part of the private key is generated by the communication entity itself. In this way, CSP does not need a certificate authority and solves the key escrow issues.(2)We have proved CSP, which has strong security and can effectively resist the attacks of external and internal adversaries. Moreover, CSP enables authenticity, integrity, unforgeability, and nonrepudiation of transmitted messages.(3)We designed the CSP so that it only needs one hash function. Compared with the previous schemes, our scheme reduces the bilinear pairing operations in the verification phase. Performance evaluation shows that CSP can significantly reduce the total scheme time consumption. Especially, it can reduce about 50-60% of the time in the signature verification phase.

The organization of this study is summarized as follows. In Section 2, we review the related work. The S-IoT architecture, some principles of cryptography, and security model are described in Section 3. In Section 4, we elaborate on our proposed scheme for CSP. We present the security analysis of CSP in Section 5. In Section 6, we evaluate the performance. We finally conclude the study and discuss the future research direction in Section 7.

#### 2. Related Work

The existing work on the certification of IoT can be roughly divided into three types. The first method is the authentication based on the public key infrastructure (PKI) mechanism, the second method is the authentication based on the identity-based cryptosystem (IBC), and the third method is the authentication based on the certificateless public key cryptography (CL-PKC).

In the traditional PKI, the certificate authority (CA) complexly manages the public key and identity information of all users and issues certificates to authenticated users. However, the generation, storage, distribution, verification, and revocation of certificates can be resource intensive.

Shamir [12] introduced IBC to try to solve the tedious problem of certificate management. As shown in [13], in addition to human users, computers and servers, smartphones, other mobile devices, and IoT devices also have their own identities. The IBC uses the user’s identity information directly as the public key. The user’s private key is generated by the key generation center (KGC) using the master key and the user’s identity information. There have also been some studies [14, 15] on IBC in recent years. However, in an IBC system, the KGC must be highly trusted because it can encrypt and decrypt messages on behalf of any system user. This creates a key escrow problem inherent in the IBC system. Once KGC is invaded or breached, all users’ private keys and identity information will be leaked. Then, the entire system will be paralyzed.

To solve these problems, Al-Riyam et al. [16] proposed CL-PKC. They designed a novel certificateless signature (CLS) scheme, in which KGC only provides part of the user’s private key, and the other part is generated by the user, which can solve the key escrow problem. In addition, different from the traditional PKI system, users in the CL-PKC system do not need to be authenticated. Therefore, CLS do not need a certificate authority. CLS can be divided into two categories: one contains bilinear pairs and the other does not contain them.

Later, CLS technology has been greatly developed. In 1996, Bellare and Rogaway [17] proposed a random oracle model (ROM) to prove the security of the CLS scheme. This model can efficiently evaluate the scheme, but there are many loopholes. At the beginning of this century, Choudary Gorantla and Saxena [18] claimed to have proposed a high-efficiency CLS scheme. However, in 2006, Cao et al. [19] proved that their scheme is not secure against key substitution attacks. Zhang et al. [20] designed a new certificateless signature scheme using bilinear pairings and used the ROM to achieve strict security proofs under the assumption of computing the Diffie–Hellman Problem (DHP), but their algorithm’s computational cost is significant.

In 2012, Tso et al. [21] proposed a certificateless short signature scheme. However, Du and Wen [22] point out that the scheme cannot resist the attack of the second type of strong adversary in the ROM model. There are also two short CLS schemes [23, 24], both of which have been proven to be secure. However, the scheme in [23] needs to perform two bilinear calculations during verification, while the scheme in [24] requires three bilinear calculations. Obviously, the computational cost is relatively high. The first CLS scheme without bilinear pairings is proposed in [25], but it is pointed out in [26] that this scheme is vulnerable to the second type of strong adversaries. After that, proposed CLS schemes without bilinear pairings were proposed in [27, 28], respectively. However, it is pointed out in [29, 30] that both schemes are vulnerable to the first type of super-adversaries. In 2015, Hassouna et al. [31] claimed to propose a strongly secure CLS scheme and proved its security under the assumption of two classes of strong adversary attacks. However, scholars soon proved that the scheme in [31] is insecure in the face of the attack of the first type of strong adversary. In addition, Wang et al. [32] proposed a novel, reliable, and efficient pairing-free certificateless scheme for the Industrial Internet of Things (IIoT) that utilizes the state-of-the-art blockchain technique and smart contracts. In 2018, Jia et al. [33] proposed an efficient and nonbilinear pairwise CLS scheme suitable for the IoT. In 2020, Du et al. [34] found that the scheme in [33] could not resist the attack of the first type of adversaries and proposed a new scheme. In the same year, a bilinear pair-free CLS scheme suitable for resource-constrained scenarios was proposed in [35]. However, in 2021, Xu et al. [36] found that the solution of [35] was vulnerable to signature forgery attacks and could not achieve its purpose.

Table 1 shows the main mechanisms and shortcomings of the existing works. From the above, we can see that the existing PKI and IBC mechanisms may not be suitable for S-IoT. The CLS scheme without bilinear pairings does not seem to be reassuring in terms of security. Especially, in recent years, the scheme proposed in a short period of time will be found to be unsafe. However, existing CLS schemes containing bilinear pairings have a large overhead. If these schemes are applied to the S-IoT, they will take up a large amount of resources. Therefore, we want to design a CLS scheme that balances security and computational overhead, which is suitable for the special environment of S-IoT.

#### 3. Preliminaries

##### 3.1. S-IoT Architecture

The typical S-IoT architecture [3] is shown in Figure 2. The S-IoT architecture consists of three parts: space segment, ground segment, and user terminal. The space segment consists of a constellation of satellites. The ground segment mainly includes the ground stations and the control stations. The user terminal refers to various terminals which are mainly used to send and receive signals. Information security is an important issue in S-IoT. There may be malicious nodes attacking the S-IoT system through eavesdropping, forgery, tampering, and other means.

##### 3.2. Elliptic Curve

Elliptic curve cryptography (ECC) is a method of constructing cryptographic schemes from elliptic curves over finite fields. Elliptic curve cyphers can achieve the same strength with shorter keys than RSA; that is, elliptic curve cyphers have shorter key lengths but higher strength. In general, an elliptic curve cypher with a key length of 160 bits can achieve the same strength as RSA with a key length of 1024 bits.

Let *p* be a large prime number of length , GF(p) represents a finite field, and an elliptic curve is a series of points satisfying the following equations:where represents the point at infinity.

##### 3.3. Bilinear Pairing

Let the bilinear mapping be , where and are the additive cyclic group and the multiplicative cyclic group of order prime *p,* respectively. The generator of is . The bilinear map satisfies the following properties:(1)Bilinearity: ; there are and . Then, , (2)Nondegenerate: (3)Computability: ; there is a valid algorithm that can compute

##### 3.4. Elliptic Curve Computational Diffie–Hellman Problem (ECDHP)

Given , where is the generator of , it is hard to calculate .

##### 3.5. Bilinear Diffie–Hellman Problem (BDHP)

Given , where is the generator of , it is hard to calculate .

##### 3.6. Certificateless Signature

A certificateless signature scheme generally includes three entities: KGC, signer, and verifier. The general steps of the CLS are as follows:(1)Setup: this step is performed by KGC. We input a security parameter *l* and output the system master key *s* and public parameter *params.* KGC securely keeps the system master key *s* and makes *params* public.(2)Set partial private key: this step is performed by KGC. We input the system master key *s*, the public parameter *params* and the signer’s identity *ID.* Then, we output the partial private key *D.*(3)Set private key: this step is performed by the signer. We input the public parameters *params*, the signer’s identity *ID*, the partial private key *D*, and the signer’s secret value. We output the private key *sk.*(4)Set public key: this step is performed by the signer. We input the public parameter *params* and the signer’s secret value and output the public key *pk.*(5)Sign: this step is performed by the signer. We input public parameters *params*, message *m*, the signer’s *ID*, the private key *sk*, and the public key *pk* and output the signature .(6)Verify: this step is performed by the verifier. We input public parameters *params*, message *m*, signer *ID*, the public key *pk*, and the signature and, finally, output .

##### 3.7. Security Model of CLS

As mentioned in [37, 38], traditional security controls and detection systems are often tailored against external threats, but insider attacks are also an ever-increasing threat to a system with dire consequences. For comprehensive consideration of safety, in a certificateless cryptosystem, external adversary and internal adversary and can be assumed [12]. At first, there are normal and strong adversaries in ROM. In [39], the adversary is expanded and classified into normal, strong, and super three levels. Through oracle queries, a normal adversary can only obtain the valid signature of the entity with the original public key. If the entity’s public key is replaced, the normal adversary cannot obtain a valid signature. If the public key of a strong adversary has been replaced, the adversary cannot obtain a valid signature until providing the associated secret value of the new public key. A super adversary can obtain the valid signature of the entity whose public key has been replaced without the new secret value. Here, we consider the case of super adversary attacks.

The first type of adversary : these kinds of adversaries are also called external adversaries. The adversary can replace the public key of the target entity, but cannot obtain the master key of the KGC and partial private key of the entity.

The second type of adversary : these kinds of adversaries are also called internal adversaries. The adversary knows the master key of KGC and the partial private key, but cannot replace the public key of the target entity.

###### 3.7.1. Type-I Model

Setup: challenger*C*executes the algorithm to get the master secret key

*s*and public parameters

*params.*Then,

*C*keeps

*s*as secret and makes the

*parameters*public. Queries: adaptively asks one of the following queries to

*C*.(1)Public key extraction query: obtains the public key of (2)Replace public key query: replaces with which chooses(3)Private key extraction query: obtains the private key of (4)Signature query: obtains a valid signature for Output: finally, outputs a valid forgery for , where

###### 3.7.2. Type-II Model

Setup: challenger*C*executes the algorithm to get the master secret key

*s*and public parameters

*params.*Then,

*C*keeps

*s*as secret and makes

*params*public. Queries: adaptively asks one of the following queries to

*C*.(1)Public key extraction query: obtains the public key of (2)Partial private key extraction query: obtains the partial private key of (3)Signature query: obtains a valid signature for Output: finally, outputs a valid forgery for , where .

#### 4. Proposed CSP Scheme

Our proposed scheme, CSP, is as follows: Setup (KGC): the function of KGC is completed by the network control center (NCC) on the ground. KGC inputs security parameter and selects elliptic curve addition cyclic group and multiplication cyclic group with order . The generator of is . We set up bilinear mapping . KGC selects a random number as the system master key and calculates as the system public key. KGC selects a secure hash function . KGC securely saves the master key and makes the parameter to the public. Set partial private key (KGC): after KGC receives from the entity(the satellite or the user on the ground) , it calculates and then calculates the partial private key of . Set public/private key (entity): KGC sends to . randomly selects the secret value , and then calculates , , and . We take as the public key and take as the private key . Sign (entity): when needs to sign a message , the specific description is as follows:(1) randomly selects a large integer (2) calculates (3) calculates (4) calculates (5) sends as a signature Verify (entity): when another entity receives the message *m* with the signature , it uses the public key of to verify the signature. The specific description is as follows:(1) calculates .(2) calculates .(3) verifies that . If the equation holds to prove that the signature is valid; otherwise, the verification fails, the message is discarded, and a reauthentication message is returned. Correctness analysis:As shown in Figure 3, the steps of interaction between satellite nodes are as follows: Step 1 (KGC): KGC generates system parameters to the public. Then, KGC calculates partial private keys. KGC sends partial private keys to the corresponding satellites. In this scene, we take satellites , , and as an example. Step 2 (, , ): randomly selects the secret value , and then calculates , , , and , , , . We take as the public key . We take as the public key . We take as the private key . We take as the private key . Step 3 (): when needs to sign a message , generates as the signature of the message *m* to and generates as the signature of the message to . Step 4 (, ): when satellites and receive the message *m* and with the signature and , uses the public key to verify the signature and uses the public key to verify the signature . As shown in Figure 4, the steps of interaction between satellite and ground nodes are as follows: Step 1 (KGC): KGC generates system parameters for the public. Then KGC calculates partial private keys. KGC sends partial private keys to the corresponding satellite and ground nodes. In this scene, take the satellite and the ground node as an example. Step 2 (): randomly selects the secret value , and then calculates , , , and . randomly selects the secret value , and then calculates , , , and .We take as the public key and take as the private key . Step 3 (): generates as the signature. Step 4 (): when the ground node receives the message *m* with the signature , it uses the public key of to verify the signature .

#### 5. Security Analysis

Lemma 1. *Under the attack of the first type of super adversary , it is assumed that can adaptively perform for oracle queries, for partial private key extraction queries, for private key extraction queries, for public key extraction queries, and for signature queries; there is an algorithm C that can solve the ECDHP problem with the advantage of .*

*Proof. *Let be a super adversary, and we assume that the challenge for is to know that (which can be obtained in the private key query below), and . calculates after interacting with . We play the game as follows: Game 1: challenger *C* inputs the security parameter *l*, runs the system establishment algorithm to generate the system master key *s* and system parameter *params*, then sends the params to , and saves *s* in secret. After going through all the queries, outputs a forged signature ; if the forgery meets the following requirements, the super adversary is considered to win.(1) has never submitted to the signature oracle(2) never submitted to partial private key oracles(3) oracle query: *C* maintains a list consisting of triples , and the list is initially empty. When asks *C* for with identity , if has been stored in , then *C* returns the corresponding value to ; otherwise, *C* calculates ; let ; we insert the new tuple into the list and return to . Setup: *C* runs the system algorithm, selects a generator , and calculates , where *s* is the system master key that *C* does not know; in this game, *C* randomly selects an identity , generates system parameters , and send to . Public key extraction query: *C* maintains a list consisting of triples , and the list is initially empty. When inputs to ask, if has been stored in , *C* returns the corresponding value to ; otherwise, *C* calculates and returns the value to . Then, *C* inserts into the list . Public key query: when enters query, if the tuple corresponding to exists in the list , *C* sets and sets and returns the list ; otherwise, *C* performs the public key generation step to generate , then sets , and returns to the list . Private key extraction query: *C* maintains a list consisting of four tuples , and the list is initially empty. When asks with , if has been stored in , *C* returns the corresponding value to ; otherwise, *C* calculates , and converts the new tuple which is inserted into the list and returned to . Signature query: when *C* receives a signature query, it performs the following steps:(1)If , *C* aborts the query and outputs an error; otherwise, *C* queries , , from .(2)Calculate (3)Calculate , signs the message using . *C* sends to . aborts the query and outputs the signature of the identity on the message , which satisfies the verification condition: It can be known that , which solves the ECDHP problem. Set events , and are as follows: : goes through a series of queries and *C* does not abort. : successfully forges a valid signature. : there is in forged signature. We set , then obviously we have:It can be calculated that *C* can solve the ECDHP problem with a nonnegligible probability: . This proof is unforgeable against adaptive selective message attacking the signature. Therefore, it is proved that the scheme can guarantee the authenticity and integrity of the message under the attack of the first type of super adversary .

Lemma 2. *Under the attack of the second type of super adversary , it is assumed that can adaptively perform for oracle queries, for partial private key extraction queries, for private key extraction queries, for public key extraction queries, and for signature extraction queries; there is an algorithm C that can solve the BDHP problem with the advantage of .*

*Proof. *Let be a super adversary. We assume that the challenge for is that given the master key *s*, (which can be obtained in the partial private key query below), an calculate after interacting with . Game 2: challenger *C* inputs the security parameter *l*, runs the system establishment algorithm to generate the system master key *s* and system parameter *params*, then sends the params to , and saves *s* in secret. After going through all the queries, outputs a forged signature ; if the forgery meets the following requirements, the super adversary is considered to win.(1) has never submitted to the signature oracle(2) never submitted to private key oracles(3) oracle query: C maintains a list consisting of triples , and the list is initially empty. When asks C for with identity , if has been stored in , then C returns the corresponding value to ; otherwise, C calculates ; let , and we insert the new tuple into the list , and return to . Setup: *C* runs the system algorithm, selects a generator , and calculates , where *s* is the system master key that *C* does not know; in this game, *C* randomly selects an identity , generates system parameters , and sends to . Public key extraction query: *C* maintains a list consisting of triples , and the list is initially empty. When inputs to ask, if has been stored in , *C* returns the corresponding value to ; otherwise, *C* calculates and returns the value to . Then, *C* inserts into the list . Partial private key extraction query: *C* maintains a list , consisting of triples , and the list is initially empty. When asks *C* with identity , if , *C* aborts and outputs an error; otherwise, if has been stored in , *C* returns the corresponding value to ; if is not stored in , then *C* extracts the tuple from the list , calculates , and returns it to . Signature query: when *C* receives a signature query, it performs the following steps:(1)If , *C* aborts the query and outputs an error; otherwise, *C* queries , , from (2)We calculate (3)We calculate and sign the message using . *C* sends to aborts the query and outputs the signature of the identity on the message , which satisfies the verification condition: The premise that the signature satisfies the verification conditions is the parameter which is known to . Thus, can calculate which solves the BDHP problem. We set events , , and are as follows: : goes through a series of queries and *C* does not abort. : successfully forges a valid signature. : there is in forged signature. We set ; then, obviously we haveIt can be calculated that *C* can solve the BDHP problem with a nonnegligible probability: . This proof is unforgeable against adaptive selective messaging attacks on the signature. Therefore, it is proved that the scheme can guarantee the authenticity and integrity of the message under the attack of the second type of super adversary .

The above is a formal analysis in the ROM, which can ensure the strong security of CSP. The informal analysis is as follows.

Authenticity: CSP can realize the authentication of the message source and the authentication of the communication entity. This is determined by adding the identity information of the communication entity in the signature.

Integrity: CSP can guarantee that data have not been tampered with or damaged. This is determined by adding a hash function to the message in the signature. Once the message is changed, the corresponding hash function will change, which will result in authentication failure.

Unforgeability: CSP means that nobody except the communication entity itself can forge the signature. This is determined by the private key generation method of CSP. Only the ground KGC knows the secret value that generates the partial private key and only the communication entity itself knows the complete private key.

Nonrepudiation: CSP requires that neither the sender nor the receiver can deny the transmission. This is determined by adding the identity information of the sender in the signature. Besides, the receiver must reply with a message indicating whether the verification was successful.

#### 6. Performance Evaluation

In this section, we test the performance of CSP. We compare CSP with existing representative CLS schemes. To ensure a benchmark for comparison, CSP uses widely accepted parameters. The program runs on a virtual machine with an Intel(R) Core(TM) [email protected] GHz and 16 GB of RAM, using the Ubuntu18.04LT operating system. Using the Type-A type in the PBC library, its security level is comparable to that of 1024 bit RSA. The Type-A of this library is constructed on the elliptic curve in the finite field *GF(p)*, where *p* is a large prime number of 160 bits. Assuming the message length is 128 bits.

Table 2 shows the time required for various operations in the simulation environment of this study. We can see that the bilinear pairing operation takes the longest, followed by the hash operation and the point multiplication operation. Since the scalar addition and multiplication operations take negligible time compared to other operations, we ignore the overhead of these two types of operations in the comparison. The value in the table is the average time of each operation 100 times.

Table 3 shows the efficiency comparison of CLS schemes for satellite-to-satellite nodes. In S-IoT, we first consider the case of authentication between satellite nodes. Since each satellite node provides services for massive ground nodes, we believe that the authentication of satellite nodes requires high security. Therefore, we consider that when a satellite wants to authenticate with other satellites, it needs to use different public and private keys. It mains that the satellite node uses for authentication with the satellite node , while uses for authentication with the satellite node . In S-IoT, the roles of users and signers who generate public and private keys can only be assumed by the satellite itself, which cannot be delegated to a third party. Therefore, when calculating the overhead of the signing in this case, the overhead of generating public and private keys is included. Due to the difference in algorithms between CLS schemes with bilinear pairings and those without, the CLS schemes without bilinear pairings often include the point addition operation and the modular inverse operation. However, the time of these two operations is relatively short. For a more intuitive comparison, these two operations are ignored here.

The values of security against and are determined according to which level of adversary attack (normal, strong, and super) the corresponding scheme can resist in ROM. Among these schemes, it is mentioned in [36] that the scheme in [35] was vulnerable to signature forgery attacks and was insecure against , and the scheme in [31] has recently been shown to be insecure in the face of the attack of .

It can be seen from Figure 5 that, in the simulation environment of this study, except for the unsafe schemes in the table, the scheme in [34] has the shortest time of 8.727 ms when signing. CSP needs 10.638 ms for signing, which is in the middle level of these schemes. However, in the verification and total time comparison, the overhead of CSP is the smallest, which are 4.681 ms and 15.319 ms. Compared with the scheme in [34], CSP improves the efficiency by about 50% and 15%, respectively. In the CLS schemes with bilinear pairs, CSP has the smallest overhead in both the signature and verification phases, which improves efficiency by about 9% and 60%, respectively. Besides, CSP can prove a higher level of security. The reason is that the scheme in [31] does not fully use the user’s public key when verifying the signature. It only uses part of the public key, which leads to the additional verification if the public key is authentic and valid. The authenticity and validity of the public key will increase the overhead of the bilinear pairing operations.

Table 4 shows the efficiency comparison of CLS schemes for satellite-to-ground nodes. When the satellite node is authenticated with the ground node in S-IoT, it is troublesome and resource-consuming to frequently update the public and private keys. Therefore, when the satellite is authenticated with the ground node, it only uses .

We can see from Figure 6 that the scheme in [34] has the shortest times of 0.886 ms in the signing phase, except for the unsafe scheme. CSP needs 4.791 ms, which is similar to the schemes in [31, 36]. In the verification phase and total time comparison, CSP still has the best performance, which improves efficiency by about 50% and 7%, respectively.

Finally, we discuss the issue of CSP complexity. For the scenario in Figure 5, to complete the authentication between satellite nodes, three authentication messages need to be transmitted. The communication cost of each authentication message is 480 bits. The signature cost is 10.638 ms, and the verification cost is 4.681 ms. For the scenario in Figure 6, three authentication messages between the satellite and the ground node need to be transmitted. The communication cost of each authentication message is 480 bits. The signature cost is 4.971 ms. The verification cost is 4.681 ms. The CSP performance is shown in Table 5.

#### 7. Conclusions and Future Work

Due to the special environment and restricted resources, the security solution used by the terrestrial network for communication cannot be directly applied to the S-IoT. This study proposes a strong, secure certificateless signature scheme with bilinear pairings named CSP, which is suitable for S-IoT. Before the satellite is connected to the space-based network, the manufacturer or the company that undertakes the work of KGC inputs the partial private key and public parameters to the satellite. The satellite uses its own identity information and secret value to calculate the public key, the private key, and the signature. CSP can ensure the authenticity, integrity, unforgeability, and nonrepudiation of transmitted messages. The CSP solves the problems of complicated certificate management in the traditional PKI system key escrow in the IBC system. In the future, the secure access of satellites facing a large number of ground nodes is an important issue. In recent years, an ultra-super-fast authentication protocol for electric vehicles, charging by utilizing the characteristics of extended chaotic maps, has been proposed in [40] which can resist man-in-the-middle attacks, replay attacks, and impersonation attacks. This work provides us with new ideas on how to perform rapid authentication when considering a large number of nodes that want to access satellites. Besides, analysis shows that compared with similar schemes, CSP can achieve a higher security level and lower overhead. However, CSP still needs a relatively long time in the signature phase, which is the research direction of future work.

#### Data Availability

The data that support the findings of this study can be obtained from the corresponding author upon reasonable request.

#### Conflicts of Interest

The authors declare that they have no conflicts of interest.

#### Acknowledgments

This research was partially supported by the National Natural Science Foundation of China (Grant no. 61972412).