Time-constrained strong multi-designated verifier signature suitable for Internet of things–based collaborative fog computing systems

Fog computing is viewed as an extended technique of cloud computing. In Internet of things–based collaborative fog computing systems, a fog node aggregating lots of data from Internet of things devices has to transmit the information to distributed cloud servers that will collaboratively verify it based on some predefined auditing policy. However, compromised fog nodes controlled by an adversary might inject bogus data to cheat or confuse remote servers. It also causes the waste of communication and computation resources. To further control the lifetime of signing capability for fog nodes, an appropriate mechanism is crucial. In this article, the author proposes a time-constrained strong multi-designated verifier signature scheme to meet the above requirement. In particular, a conventional non-delegatable strong multi-designated verifier signature scheme with low computation is first given. Based on its constructions, we show how to transform it into a time-constrained variant. The unforgeability of the proposed schemes is formally proved based on the famous elliptic curve discrete logarithm assumption. The security requirement of strong signer ambiguity for our substantial constructions is also analyzed by utilizing the intractable assumption of decisional Diffie–Hellman. Moreover, some comparisons in terms of the signature size and computational costs for involved entities among related mechanisms are made.


Introduction
Traditionally, enterprises utilize a centralized database to arrange information technology (IT) resources. Yet, with the coming of the concept of cloud computing which provides all kinds of cloud services such as software, hardware, storage, computation, and analysis via the Internet, organizations could more effectively pay their attention to required cloud services and reduce unnecessary cost expense. In 2012, Huang et al. 1 introduced a unified architecture of cloud service delivery platform which can deliver many IT resources and support dozens of software as a service (SaaS). Generally speaking, cloud computing has several advantages including cost savings, high security, dynamic expansion, improved performance, high productivity, and reliability. To ensure data security of cloud users, a provider of cloud services usually sets up relevant backup mechanisms and disaster recovery processes.
Although the concept of cloud computing services has greatly revolutionized conventional ways of data usage, store, and sharing, the high latency of network transmission and centralized processing bottlenecks of cloud servers are still critical questions of Internet of things (IoT)-based cloud service applications. For example, in an Intelligent Transportation System (ITS), the vehicle driving data collected by sensors is an important source of information to ensure traffic safety and smooth driving. An ITS has to make instant decisions and responses according to these data. When all the data are processed by clouds, it not only causes the burdens on cloud systems but also leads to the inability to effectively respond to various emergencies immediately. Due to the above concerns, the notion of fog computing is introduced. We could say that a fog is a cloud closer to the ground and is a computing mode closer to users as well. In an information-centric future Internet, the techniques of fog computing-enabled cognitive network function virtualization are also crucial. In 2019, Wu et al. 2 presented a virtualization scheme for on-demand caching functions and came up with a forwarding approach for future Internet nodes and fog nodes. Besides, they also addressed a cognitive resource configuration method based on their virtualization architecture. The simulation results of their scheme exhibit better performance over the original information-centric networking (ICN).
For protecting the security of diversified IoT-based fog computing applications, we usually have to adopt suitable cryptographic protocols. In modern cryptosystems, 3,4 the technique of digital signature schemes plays a crucial role in modern era. Such a scheme provides many important properties such as non-repudiation, authenticity along with data integrity. Although generic digital signature schemes have been extensively employed in many electronic commerce applications, they are not suitable for privacy-enabled services such as copyright protection, business contract signing, and electronic voting. 5,6 To additionally provide digital signatures with the property of confidentiality, we can employ the technique of designated verifier signature (DVS) schemes which only permit a designated recipient to verify a given signature. A strong multi-designated verifier signature (SMDVS) scheme is a group-oriented extension of general DVS ones. In such a scheme, a signer can produce a multi-designated verifier signature for a group of recipients who will collaborate with each other to inspect the validity of received multi-signatures. Meanwhile, a verifying group is able to generate valid transcripts which are computationally indistinguishable from an original one and are designated for themselves.

Related works
In 1990, a digital signature variant called undeniable signature is proposed by Chaum and Van Antwerpen. 7 In this scheme, a verifier must cooperate with an original signer to verify a signature rather than solely. Namely, an original signer has the complete power to select preferred verifiers who could be granted the privilege to access given signatures. Still, a signer must participate in every signature verification procedure.
To provide digital signatures with the characteristic of confidentiality, in 1996, Jakobsson et al. 8 introduced a system of designated verifier proof. In their mechanism, a recipient can independently run the verification procedure of signature without signer's intervention. However, only an intended verifier would believe the identity of real signer due to the fact that the former is able to create a legitimate transcript of signature which is difficult to distinguish when compared with the one created by an original signer. This property is called non-transferability which also prevents a malicious verifier from purposely disseminating received signatures. Unfortunately, Wang 9 showed that there are still some security flaws in their mechanism.
Since only an indicated verifier will be persuaded of the real signer's identity in Jakobsson et al.'s system, Saeednia et al. 10 incorporated the private key of verifier with the verification procedure of signatures and accordingly presented a strong designated verifier signature (SDVS) scheme in 2003. As the knowledge of verifier's private key is necessary for running a signature verification procedure, only an intended recipient is capable of verifying a given signature. In the next year, Susilo et al. 11 employed the well-known bilinear Diffie-Hellman problem (BDHP) to address an SDVS method implemented on identity-based cryptosystems.
Considering the merits of message recovery signature schemes, in 2007, several researchers 12 addressed an SDVS variant enabling a specific verifier to retrieve signed messages from received signatures. In this way, a message is unnecessary to be transmitted along with its signature for reducing communication overheads. In 2009, Kang et al. 13 also adopted ID-based systems to construct an SDVS mechanism with shorter signature length.
In 2011, Lin et al. 14 employed the security assumption of discrete logarithm (DL) to propose a pairingfree SDVS approach which exhibits lower computational and communicational costs as compared with previous protocols. Later, Tian 15 presented an SMDVS scheme for broadcast propagation. In his system, the simulation just needs the private key of one verifier.
In 2014, Zhang et al. 16 considered the impact of rogue key attacks on multi-designated verifier signature (MDVS) and gave a new security model of unforgeability to capture such an attack. They also presented a new construction based on the DL assumption. Without using bilinear pairings, in 2016, Hu et al. 17 introduced an undeniable SDVS scheme in which a judger is responsible for telling a genuine signer by simple computation. However, they failed to present reliable formal security proofs in either random oracle or standard models.
Thinking of a more flexible verification policy, in 2019, Rastegari et al. 18 proposed a threshold MDVS scheme in which a threshold number of the set of designated verifiers is sufficient to inspect the validity of a given signature. They also proved the basic security requirement of their scheme in the standard model. Up to present, various DVS variants  have been proposed. Still, none of existing DVS systems deals with the issue of lifetime of signing capability.

Motivations and objectives
It is obvious that an SMDVS scheme could be applied to IoT-based collaborative fog computing systems in which a fog node would send authenticated data to multiple semi-honest cloud servers for collaborative verification and auditing procedures. In a distributed computing system, several semi-honest cloud servers must cooperatively verify a given multi-signature to prevent a sensitive message from easily obtained by a masqueraded or compromised cloud server. Moreover, existing SMDVS schemes fail to take the issue of lifetime of signing capability for fog nodes into consideration.
Motivated by the above reason, this article will propose a new SMDVS scheme supporting the functionality of time-constrained signing power. The property of time-constrained signing power for fog nodes is crucial in a fog computing system, since a few fog nodes might be compromised by attackers and used to send bogus data. It is thus obvious that the main advantage of time-constrained signing capability in a fog computing system is to prevent compromised fog nodes from persistently injecting bogus data to confuse backend cloud servers. In addition, such a functionality also makes our scheme suitable for specific IoT applications like natural resource monitoring which usually deploys non-recyclable IoT sensors and fog nodes in extreme environments.
A major challenge to design a time-constrained SMDVS scheme is how to realize the control of lifetime of signing power. Moreover, as fog nodes might only be equipped with slight processing capabilities and limited storage space, the adopted cryptographic mechanism must have low computational complexity.

Contributions
This article concentrates on the research of security protocols for IoT-based collaborative fog computing systems. Some concrete contributions are listed as follows: (1) A new non-delegatable SMDVS scheme and its time-constrained variant are proposed. (2) Both of the proposed schemes could achieve the existential unforgeable against adaptive chosen-message attack (EUF-CMA) security in the random oracle model provided that the hardness assumption of elliptic curve discrete logarithm (ECDL) holds. The rest of this article is arranged as follows. In section ''Preliminaries,'' we first roughly recall some mathematical characteristics and the adopted cryptographic assumptions. We present the proposed SMDVS schemes in section ''The proposed SMDVS schemes.'' Some essential security proofs and the evaluation of efficiency will be demonstrated in sections ''Proof of security and performance analysis'' and ''Efficiency analysis.'' Eventually, a conclusion to highlight the significance of this article is presented in section ''Conclusion.''

Preliminaries
In this section, we first review the mathematical backgrounds of elliptic curve systems, and then describe underlying security problems and their computational assumptions.

Bilinear pairings
Let G 1 and G 2 be two groups of prime order q. The former is additive while the latter is multiplicative. The function of bilinear pairing is defined as e: G 1 3 G 1 ! G 2 . Some characteristics of the function of bilinear pairing are described as follows: (1) Bilinearity

Non-degeneracy
If there is a generator P in the group G 1 , there is also another generator e(P, P) in the group G 2 .

Computability
Given two values P x , P y 2 G 1 2 , there is an efficient polynomial-time algorithm for computing the value of e(P x , P y ).

Computational assumptions
Elliptic curve discrete logarithm problem. Let (P, aP) be a problem instance randomly chosen from the group G 1 for some unknown integer a 2 Z q * , the elliptic curve discrete logarithm problem (ECDLP) is to derive the value a 2 Z q * .
ECDL assumption. The ECDL assumption states that the advantage for every probabilistic algorithm, say A, which runs in polynomial-time to solve any instance of ECDLP is negligible.
Decisional Diffie-Hellman problem. Let (P, aP, bP, C) be a problem instance randomly chosen from the group G 1 for some unknown integers a, b 2 Z q * , the decisional Diffie-Hellman problem (DDHP) is to determine whether the equality C = abP holds or not.
DDH assumption. The DDH assumption states that the advantage for every probabilistic algorithm, say A, which runs in polynomial-time to solve any instance of DDHP is negligible.

The proposed SMDVS schemes
We first describe the parties participated in the proposed system. Next, the composed algorithms and two substantial formations would be presented in the sections. The first construction is a basic SMDVS scheme while the second one is a time-constrained variant. We will show the differences of these two schemes and state the advantages of our time-constrained mechanism.

Joined entities
In the proposed basic SMDVS system as shown in Figure 1, there are two major parties including a fog node (signer) and a verifying group which is composed of n cloud servers (designated verifiers). The former acts as a data aggregator responsible for collecting various messages such as environmental data or human health data and will produce a multi-verifier signature that could only be inspected by the latter. In our system architecture, each cloud server is semi-honest, that is, they are curious about received information. Specifically, a clerk of the verifying group will assist in verifying an SMDVS and making a computationally indistinguishable transcript for the group. Note that a fog node plays an important role in the IoT-based collaborative fog computing architecture, as its data are gathered from various IoT devices or sensors. The produced SMDVS is transmitted via a public network. Although the communication security between IoT devices and fog nodes is also vital, this article does not discuss such an issue.
When it comes to a time-constrained SMDVS system as shown in Figure 2, there is also a trusted Key Authority Server (KAS) involved. The KAS will issue time-constrained private keys to fog nodes and maintain a revocation list to control the lifetime of signing capability for each fog node. More specifically, a revocation list contains invalid time-constrained public keys and their corresponding statuses which are either ''Revoked'' or ''Hold.'' The former means permanently revoked while the latter stands for temporarily unused. The KAS will periodically announce the updated  revocation list. To verify a time-constrained SMDVS, cloud servers must make a request to the KAS for a corresponding time-constrained public key first.
Note that in our designed systems, all cloud servers must collaboratively verify the received SMDVS. As long as there is one cloud server that is unwilling to assist, the procedure could not be proceeded. Although a threshold system would be more appealing to the practical applications, a distribution mechanism of secret shares among all cloud servers is mandatory. It also results in extra computational efforts and the security issue of secret shares.
In order to reduce the network transmission latency, a fog node will upload its data to nearby cloud servers, which means that the verifying group is composed of adjacent cloud servers close to the fog node. Figure 3 shows a conceptual model when the proposed schemes are employed in the application of Internet Protocol (IP) camera surveillance. Specifically, a fog node gathering data from several IP cameras will generate an SMDVS to all cloud servers within its communication range. The cloud servers receiving such an SMDVS would form a designated verifying group whose members must collaborate with each other to carry out the verification steps.
Another practical usage of the proposed schemes is the automated inventory system. In this system, fog nodes are deployed among factories and warehouses. When a fog node receives messages from sensors indicating material shortage, it will send an SMDVS to all adjacent cloud servers to apply for a reorder procedure of materials.

Algorithms
There are four algorithms in the proposed (time-constrained) SMDVS scheme. Definitions of each algorithm are stated as follows: Setup: by inputting a security parameter to run the algorithm, some necessary parameters of the system are initialized. SMDVS-Gen: the SMDVS-Gen algorithm is used to create a DVS d for an intended verifying group. The essential input parameters include system public parameters, the private key SK of the fog node, and all public keys PKs of the verifying group along with a message m. SMDVS-Verify: the SMDVS-Verify algorithm is used to verify a given DVS d and will return a response of either True or an error symbol. The essential input parameters include public parameters of the system, a received message, a fog node's public key PK, all private keys SKs of the verifying group, and a specific multi-verifier signature d.
Transcript Simulation (TS): the goal of TS algorithm could be used to produce a legitimate transcript of signature, say d * , for a verifying group. The essential input parameters are system public values, the public key PK of original fog node, all private keys SKs of the verifying group, and a message to be signed.

Construction of a basic scheme
Using the previously defined algorithms, we give a substantial formation for the strong SMDVS scheme as follows. Some utilized symbols are listed in Table 1.
Setup: initially, by inputting a random value k as a security parameter, the algorithm selects

Notation
Description groups G 1 and G 2 . Both groups have the same prime order q. G 1 is an additive group while G 2 is a multiplicative one. The parameter P is a generator in the group G 1 . The symbols of h 0 , h 1 and h 2 represent three secure one-way hash functions which should be collision-resistant. There is also a function e called bilinear pairing which satisfies that e: The public parameters of the system consist of {G 1 , G 2 , q, P, e, h 0 , h 1 , h 2 }. SMDVS-Gen: without loss of generality, let U s be a fog node and VG = {V 1 , V 2 , ..., V n } be a verifying group composed of n cloud servers. Each entity is equipped with a private key SK which is a random integer x i 2 Z q and a public key PK computed as Y i = x i P. Let m be an aggregated data from several IoT-based devices or sensors, and t s be the current timestamp. In order to sign the message m for the designated verifying group VG, U s chooses a random value z 2 Z q * and computes Here, d = (l, s) is regarded as a multi-designated verifier signature for the message m intended for VG.
SMDVS-Verify: to check the validity of the DVS d for the message m, each cloud server V i of the group VG first checks whether |t v 2 t s | ł Dt, where t v is the current timestamp and Dt is a predefined time period of a valid network transmission. If it holds, the clerk V c will choose r, and then returns it to V c . When all K i s are collected, V c could compute and delivers Z to all V i s 2 VG. Then, each V i continues to compute and sends it back to V c . After all Z i s are gathered, V c could compute and then checks the accuracy of the signature by inspecting whether We prove that the equality (11) is correct through the following derivations. According to equation (11), we get TS: for making a legitimate transcript d$ of the signature in relation to the received message m, a clerk V c of VG first randomly picks l$, r, f 2 Z q * . Then, he determines a timestamp t s # and sends R$ = r(l$P 2 h 0 (m || t s , Y)Y s ) to the group VG. Next, each cloud server of VG computes and then returns it to V c . When all of K i $s is received, V c will compute and delivers Z$ to all V i s 2 VG. Each cloud server of VG can therefore compute which will be sent back to V c . After obtaining all Z i $s, V c could derive It is evident that the derived transcript d$ = (l$, s$) would be a valid signature with respect to the message m || t s #.

Construction of a time-constrained variant
A time-constrained variant can further control the lifetime of signing capability for fog nodes in IoT environments. In particular, a fog node compromised by a malicious adversary would be unable to persuade cloud servers of bogus data. Based on our basic SMDVS construction, we could extend it into a time-constrained variant by introducing a KAS. A KAS is responsible for generating a time-constrained key-pair of fog nodes and also maintaining a revocation list. When a timeconstrained private key is expired or revoked, its corresponding public key will be recorded in the revocation list. Although a fog node can still use the revoked time key to sign messages, the resulted signatures would not be regarded as legitimate by cloud servers. Consequently, when using any time-constrained public key, one should first make sure that it is still in the valid time periods by checking the revocation list of KAS. The proposed scheme did not further deal with the update issue of time-constrained key-pairs. Interested readers can refer to the key-update mechanism in Du et al. 40 The advantage of introducing an independent KAS is centralized administration of timeconstrained keys. The KAS also implements the X.509 standard to generate certificates for valid time keys. Using a centralized structure could make the revocation process more efficient and simple.
Without redesigning the entire structure, the extended time-constrained SMDVS variant still enjoys the advantage of low computation complexity of our basic scheme. It also benefits those practical systems adopting our basic scheme to painlessly upgrade the time-constrained functionality. Since the Setup phase is the same as that of our basic construction, we simply present modified parts of other algorithms below. Let (x t 2 Z q , Y t = x t P) be a time-constrained key-pair associated with a fog node, say U s . Consequently, the private key SK of U s would be composed of {x s , x t } while the public key PK is {Y s , Y t }. In the SMDVS-Gen algorithm, U s will perform the same signing procedures except that equations (4) and (5) would be modified as Here, (l, s t ) is regarded as a time-constrained SMDVS for the message m intended for VG. In the above equation (18), the time-constrained private key x t is utilized to control the signing power of fog nodes. When the valid period of time-constrained private key is expired, all corresponding signatures would be viewed as illegal by cloud servers, since its corresponding public time key will be kept in the revocation list of KAS.
To accommodate the modification in the above equation, we have to replace equations (10) and (11) in the SMDVS-Verify algorithm as We prove that equation (21) is correct through the following derivations. According to equation (21), we get Likewise, in the TS algorithm, equations (16) and (17) for generating a valid signature s t $ would be replaced by Then, the derived transcript d$ = (l$, s t $) would be a valid time-constrained SMDVS in relation to the message m || t s #.

Proof of security and performance analysis
This article proves that the proposed substantial formations fulfill essential security characteristics in this section. We will provide the security model for the proposed system and then prove its security in the following sections.

Lin
Let us first consider the following potential attacks against the proposed schemes: (1) Joint attacks from revoked fog nodes: if two or more revoked fog nodes cooperatively inject bogus data to fool cloud servers, it will be detected as the revoked information of their time-constrained public keys has been revealed in the revocation list of KAS. Thus, any SMDVS created by revoked fog nodes would be treated as illegal and those transmitted messages will be directly dropped by cloud servers. (2) Replay attacks: to prevent the replay attacks, we add a timestamp into the signature. Whenever an SMDVS is received, each cloud server will first check the freshness of received timestamps. If an adversary attempts to modify the embedded timestamp of any intercepted SMDVS, he or she will face the intractability of ECDLP and one-way hash functions and fail to make it. (3) Collusion attacks: consider the collusion attacks plotted by two or more malicious cloud servers. According to the proposed SMDVS-Verify algorithm, it requires the knowledge of all private keys of the group VG to inspect the validity of an SMDVS. Therefore, even if there are n 2 1 cloud servers colluding with each other, they cannot successfully derive the correct value W = zY to verify a given SMDVS. (4) Backward security attacks: in the proposed time-constrained SMDVS scheme, a fog node will use its private key and a time key to produce a valid signature. Even if the current time private key x t is compromised by an adversary, he or she still cannot forge any valid SMDVS without knowing the private key x s . Hence, the backward secrecy is fulfilled in the proposed scheme.

Security model
The most important security requirement of a generic digital signature scheme is unforgeability. A commonly used security notion for unforgeability is EUF-CMAs. We adapt its definition for SMDVS schemes as follows: In the security proof model of random oracles, an SMDVS scheme is said to be EUF-CMA secure if no probabilistic adversary A running in polynomialtime has the non-negligible advantage to defeat a challenger B in the following interactive game: Setup: initially, B generates system parameters and sends public parameters to the adversary A.
Hash oracles: A could adaptively request B for the output of submitted hash oracles. SMDVS-Gen oracles: A could adaptively request B for the output of SDMVS-Gen oracles on arbitrarily chosen messages. SMDVS-Verify oracles: A could adaptively request B for the output of SMDVS-Verify oracles on any message m with an SMDVS d. The return value would be a bit ''0'' if d is an invalid SMDVS for m; else, a bit ''1'' is responded instead. Forgery: at last, the adversary A chooses an arbitrary message m * and then returns a forged signature d * = (l * , s * ). We say that the adversary A is the winner of this game as long as the following conditions hold: 1. The outputted d * is a valid SMDVS in relation to the message m * . 2. The SMDVS d * is not acquired from any SMDVS-Gen oracle.
As to an SMDVS scheme, the properties of signer ambiguity and non-transferability should also be taken into account. We describe these definitions as follows.

Definition 2.
In the security proof model of random oracles, an SMDVS scheme is said to fulfill the security requirement of SSA if no probabilistic SSA-distinguisher D 1 against the proposed scheme has the nonnegligible advantage to defeat a DDH-distinguisher D 2 in the following interactive game: Setup: initially, D 2 generates system parameters and sends public parameters along with a signing private key x s to the distinguisher D 1 . Hash oracles: D 1 could adaptively request D 2 for the output of submitted hash oracles. Challenge: at last, D 2 flips an internal coin to decide a random bit b. If b = 1, D 2 generate a messagesignature pair (m || t s , d = (l, s t )) using the signing private key x s . Otherwise, a random messagesignature pair is created instead. The generated message-signature pair is the challenge for D 1 who has to guess a bit b#. When b# = b, we say that D 1 wins this game.

Definition 3.
In the security proof model of random oracles, an SMDVS scheme is said to fulfill the security requirement of unconditional non-transferability if no probabilistic distinguisher D against the proposed scheme has the non-negligible advantage to win the following game played with a challenger C: Setup: initially, the challenger C generates system parameters and two signatures (d, d$) for the message m || t s . d is computed by running the SMDVS-Gen algorithm while d$ is derived by executing the TS algorithm. Then, C sends public parameters, the message m || t s and two signatures (d, d$) to the distinguisher D.
Hash oracles: D could adaptively request C for the output of submitted hash oracles. Challenge: at last, C flips an internal coin to decide a random bit b. If b = 1, C generate a signature d * = (l * , s t * ) using the SMDVS-Gen algorithm. Otherwise, C employs the TS algorithm to create d * . The generated signature d * = (l * , s t * ) is the challenge for D who has to guess a bit b#. When b# = b, we say that D wins this game.
There is an extra security requirement called nondelegatability which describes that neither a signer nor a designated verifier could delegate his or her signing power to anyone without revealing his or her own private key information. According to the literature of Tian et al., 41 a non-delegatable DVS scheme emphasizes the responsibility of a signer and hence is only desired in some special application scenarios. We will show that the proposed schemes are non-delegatable later.
Security proof Theorem 1. In the security proof model of random oracles, the designed substantial formation of our basic SMDVS is said to be EUF-CMA secure if no probabilistic adversary A running in polynomial-time t has the non-negligible advantage e to break the assumption of (t#, e#)-ECDL under the attacking scenario of adaptive chosen-message attacks, where e 0 ø 10 q sg + 1 Proof. We employ the technique of Forking lemma to prove this theorem. Assume that a probabilistic adversary A launches adaptive chosen-message attacks against the proposed scheme. If the success probability of A is non-negligible, say e, within the polynomialtime t, we could exploit its advantage to solve the ECDL assumption by building a new algorithm called B. Let a random instance of ECDLPs be (P, aP) for unknown integers a 2 Z q * , and the successful output of B has to be a. B runs two games with A and is also in charge of answering A's queries as follows: Setup: initially, B generates system parameters . , Y v n )g to the adversary A. Phase 1: the challenges and responses between A and B are described as follows: h 0 oracle: whenever A queries the response of h 0 (m || t s , Y), B searches the stored h 0 -table for a consistent value v 0 2 R Z q * from the matched record (m || t s , Y, v 0 ) and then returns it. h 1 oracle: whenever A queries the response of h 1 (m || t s , N, l), B searches the stored h 1 -table for a consistent value v 1 2 R Z q * from the matched record (m || t s , N, l, v 1 ) and then returns it. h 2 oracle: whenever A queries the response of h 2 (m || t s , W), B searches the stored h 2 -table for a consistent value V 2 from the matched record (m || t s , W, v 2 , V 2 ), where v 2 2 R Z q * and then returns V 2 . SMDVS-Gen oracle: whenever A queries an SMDVS in relation to some message m || t s , B will choose l, v 0 , v 1 , v 2 2 R Z q * and perform the following steps: Then. d = (l, s) is a simulated SMDVS on m || t s . SMDVS-Verify oracle: whenever A queries the validity of an SMDVS d = (l, s) for some message m || t s , B will look the h 1 -table for all entries containing this message m || t s and the signature parameter l. If there is such a record, B will continue to check whether the second value N is equivalent to e(b(aP), h 2 (m || t s , b(lP 2 h 0 (m || t s , bP)aP))). If it holds, B returns a bit ''1.'' Otherwise, a bit ''0'' is returned. Forgery: at last, the adversary A will choose an arbitrary message m * || t s and then return a forged signature d * = (l * , s * ) which is not an output of any SMDVS-Gen oracle. In the second game, A also has the non-negligible advantage e to output another SMDVS d ** = (l ** , s ** ) for m * || t s . Analysis of the simulation: anyone can observe that based on the simulation of h 0 oracle, the challenger B will return the value v 0 in the first game and we have l * = z + x s h 0 (m || t s , Y) = z + av 0 mod q. In the second game, B would return a different value, say v 0 #, for solving the given instance of ECDLPs. If the adversary A is provided with the same random tape to choose random bits, the forged SMDVS parameter l * of the second game should be z# + av 0 # mod q, where z# = z. Consequently, with these two equations, that is Let q f and q sg be the maximum query times of h 0 and SMDVS-Gen oracles, respectively. According to the Forking lemma, the success probability e# of B after running two simulation games could be expressed as e# ø 10(q sg + 1)(q sg + q f )/2 k and the expected running time is t# ł 120,686(q f )t/e.

Theorem 2.
In the security proof model of random oracles, the designed substantial formation of timeconstrained SMDVS is said to be EUF-CMA secure if no probabilistic adversary A running in polynomialtime t has the non-negligible advantage e to break the assumption of (t#, e#)-ECDL under the attacking scenario of adaptive chosen-message attacks, where e 0 ø 10 q sg + 1 À Á q sg + q f À Á 2 k t 0 ł 120, 686 q f À Á t e Proof. Assume that a probabilistic adversary A attempts to plot adaptive chosen-message attacks against the proposed scheme. If the success probability of A is nonnegligible, say e, within the polynomial-time t, we are able to make good use of its advantage to solve the ECDL assumption by constructing a new algorithm named B. Given an identical ECDLP instance, that is, (P, aP) for some unknown integers a 2 Z q * , B has to successfully compute a for winning this game. During each query of A, B acts as follows: Setup: initially, B generates system parameters . . , Y v n g to the adversary A. Note that the adversary A is allowed to learn the information of time-constrained private key d.
Phase 1: the challenges and responses between A and B are described as follows: h 0 oracle: every time that A submits an h 0 (m || t s , Y) oracle, and B performs the same steps as those defined in Theorem 1. h 1 oracle: every time that A submits an h 1 (m || t s , N, l) oracle, and B performs the same steps as those defined in Theorem 1. h 2 oracle: every time that A submits an h 2 (m || t s , W) oracle, and B performs the same steps as those defined in Theorem 1. SMDVS-Gen oracle: every time that A submits an SMDVS-Gen oracle for some message m || t s , and B executes the O SMDVS-Gen algorithm as shown in Figure 4. SMDVS-Verify oracle: every time that A submits an SMDVS-Verify oracle on a time-constrained SMDVS d = (l, s t ) for some message m || t s , and B executes the O SMDVS-Verify algorithm as shown in Figure 5.
Forgery: finally, the adversary A determines a chosen message m * || t s and then forges a timeconstrained SMDVS d * = (l * , s t * ) that could not be the answer of any SMDVS-Gen oracle. In the second game, A also has the non-negligible advantage e to output another time-constrained SMDVS d ** = (l ** , s t ** ) for m * || t s . Analysis of the simulation: the detailed analyses of this simulation game could be referred to those stated in Theorem 1, because the proposed timeconstrained variant and its basic scheme have quite similar structures. Therefore, based on the arguments of Theorem 1, one can realize that the success probability of B to solve the given ECDLP instance could also be expressed as e 0 ø 10 q sg + 1 À Á q sg + q f À Á 2 k and the running time of B is t# ł 120,686(q f )t/e. Theorem 3. In a key-compromise attacking scenario where an adversary leans the information of original fog node's private key, our proposed substantial formations of basic SMDVS scheme and its time-constrained variant still fulfill the security property of SSA.
Proof. We first give a heuristic argument of proofs. Assume there is a malicious adversary who has leaned the information of original fog node's private key. Given a fresh signature which has not been received by the verifying group, the adversary might try to distinguish the fog node's identity by checking whether equation (5) or equation (19) holds or not. However, in equation (5) or equation (19), there is a meta value N which could be rewritten as It should be noted that without knowing the random integer z chosen by the fog node, no one could derive the parameter N to perform equation (5) or equation (19) successfully. In a more formal approach of proofs, we display that if there is an SSA-distinguisher D 1 against the proposed time-constrained SMDVS variant, we could construct a DDH-distinguisher D 2 to solve a random DDH instance of (P, aP, bP, C). The DDHdistinguisher D 2 will output a bit ''1'' provided that C = abP; else, a bit ''0'' is returned instead. Likewise, the SSA-distinguisher D 1 who is given a signing private key x s and a message-signature pair (m || t s , d = (l, s t )) would output a bit ''1'' on condition that the signature d is produced using the signing private key x s and is legitimate with respect to the message m || t s . We exhibit the algorithm of constructed DDH-distinguisher D 2 as Figure 6.
It could be deduced that if D 1 is a (t, e)-polynomialtime SSA-distinguisher against the proposed timeconstrained SMDVS variant, D 2 would be a (t#, e#)polynomial-time DDH-distinguisher in which e = e# and t# ł t + 3T M + T B , where T M is the time for running a point multiplication and T B is the time for running a bilinear map. Hence, the proposed SMDVS schemes achieve a strong notion of the security requirement for signer ambiguity even in the key-compromise attacking scenario.   former is generated by the fog node U s while the latter is created by the verifying group VG. According to the algorithm of SMDVS-Gen in section ''Construction of a basic scheme,''U s will first choose a random value z 2 Z q * and then compute a valid SMDVS where Y = P n i = 1 Y v i and l$ 2 Z q * . It can be seen that the distribution of (d, d$) is identical, and thus, they are indistinguishable. Assume that there is a challenger C and a corresponding distinguisher D who tries to distinguish the given signatures (d, d$). The challenger C will produce an SMDVS d * = (l * , s * ) by running the Sim TS-I algorithm as shown in Figure 7.
From the description of the Sim TS-I algorithm, we know that That is, the distribution of (d, d$) is indistinguishable, and the distinguisher D would be unable to tell them apart. where Y = P n i = 1 Y v i and l$ 2 Z q * . It is obvious that the distribution of d is the same as that of d$. Let C be a challenger and D a distinguisher of (d, d$). The challenger C will generate an SMDVS d * = (l * , s t * ) by executing the Sim TS-II algorithm as demonstrated in Figure 8.
In accordance with the steps stated in the Sim TS-II algorithm, we also have Namely, the distribution of these two signatures (d, d$) is indistinguishable, and the distinguisher D would be unable to differentiate d computed by the signer U s from d$ derived by the designated verifying group VG. Theorem 6. The proposed substantial formations of basic SMDVS scheme and its time-constrained variant satisfy the security property of non-delegatability.
Proof. According to the notations utilized in section ''The proposed SMDVS schemes,'' we first assume that an adversary A is able to lean the shared secret key information, that is, x s Y between the fog node and the verifying group VG. Based on the basic assumption of ECDL, we know that it is computationally infeasible for A to derive the private key information x s from the value x s Y. Next, let us consider the following cases of attacking scenarios: Case 1: A tries to compute a valid SMDVS d which is either (l, s) or (l, s t ). Without knowing the private key x s , the first approach of A is to choose a random integer l. In this way, however, it would be difficult for him to derive a valid value W satisfying that W = zY, since A does not knowing the corresponding random number z. Case 2: the second approach of A to forge a valid SMDVS d = (l, s) or (l, s t ) is to choose an integer z first and then attempts to derive a valid N using the shared secret key x s Y. Nevertheless, A does not have the real private key x s to compute a valid value l. Consequently, the forged signature d will be detected during the signature verification process. Case 3: if A tries to verify a given SMDVS d = (l, s) or (l, s t ) with the shared secret key x s Y, the adversary also faces the difficulty in deriving the correct value W# = zY without knowing either all the private keys of the verifying group VG or the random number z chosen by the signer U s . Due to the above analyses, this article claims that the security property of non-delegatability is fulfilled in the proposed SMDVS schemes.

Efficiency analysis
To perform an efficiency analysis on the proposed substantial formations of SMDVS framework, we consider the length of signature along with the computational complexity of every joined party. Some used symbols are first defined as follows. The approximate running time of each computation is estimated according to the experimental setting of Han et al. 31  We compare the proposed formations with previous related (S)MDVS schemes including Chow, 37 Laguillaumie and Vergnaud, 38 Tian, 39 and RDBS. 18 Detailed analyses are demonstrated in Tables 2 and 3. It is evident that the length of signature among the proposed, Tian and RDBS schemes are fixed while that of the other two is variable depending on the group size. As to the security proof model, almost all compared mechanisms provide concrete security proofs in either random oracle or standard models except for Chow's scheme whose computational assumption is also unknown. Although RDBS scheme could be proved secure in the standard model, each verifier of their system has to verify the shares of all joined parties, which will inevitably result in extra computation efforts. We summarize the approximate running time of the signer and each verifier among these systems in Figures  9 and 10. Note that since RDBS scheme is a (t, n)-MDVS, we simply let t = n for easily facilitating the estimation. As illustrated in these figures, when the group size n is set to be 10, the estimated computation time of the signer in the proposed basic or timeconstrained SMDVS scheme is 103.2 ms while that of each verifier in the proposed basic or time-constrained variant is 46 ms. Nevertheless, a clerk of the verifying group has to spend additional 172.2 ms for assisting the verification procedure.
To further ensure the practical feasibility of our proposed schemes, we could use a Raspberry Pi Model B device to serve as a fog node. Some research works 42,43 also adopted these tiny embedded devices in many IoT applications like motion detection and home automation. A Raspberry Pi Model B is equipped with a Quadcore ARM Cortex-A7 CPU of 900 MHz and has 512 MB memory. According to the simulation of Ting    et al., 44 it would take approximately 34 and 46 ms to carry out a 160-bit point multiplication and bilinear pairing, respectively, on a Raspberry Pi Model B machine. That is, if such a device implements the proposed schemes, it will spend about 114 ms to generate a valid SMDVS in our basic or time-constrained schemes. We believe that the above estimated running time is within an acceptable time period in most IoT-based application scenarios.

Conclusion
For facilitating the security applications in IoT-based collaborative fog computing systems, this article came up with two new non-delegatable SMDVS schemes based on bilinear pairings. The first basic scheme is a conventional SMDVS which allows all designated cloud servers to cooperatively verify a signature generated by a fog node. We show that a time-constrained SMDVS variant could be easily extended from our basic construction. Both of the proposed schemes are formally proved EUF-CMA secure in the random oracle model as long as the hardness assumption of ECDL holds. In addition, the crucial requirement of SSA for our mechanisms is satisfied based on the DDH assumption. When compared with previous approaches, ours also have lower computational complexity, which helps with an effective implementation in IoT-based collaborative fog computing environments. The future work of this research will focus on a dynamic verification group, that is, the number of cloud servers involved in the verification group is changeable and a threshold value of verifiers is sufficient to represent the entire group. Furthermore, a concrete construction of time-constrained SMDVS scheme combined with certificateless public key systems would bring more practical benefits.

Declaration of conflicting interests
The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Funding
The author(s) disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: This work was supported, in part, by the Ministry of Science and Technology of Republic of China under the contract number MOST 109-2221-E-019-052.