A Lightweight Identity-Based Signature Scheme for Mitigation of Content Poisoning Attack in Named Data Networking With Internet of Things

Named Data Networking (NDN) is one of the future envisioned networking paradigm used to provide fast and efficient content dissemination with interest-based content retrieval, name-based routing and in-network content caching. On the one hand, this new breed of future Internet architecture is becoming a key technology for data dissemination in the IoT networks; on the other hand, NDN suffers from new challenges in terms of data security. Among them, a content poisoning attack is the most common data security challenge. The aim of this attack is to inject poisoned content with an invalid signature to the network. Therefore, to prevent NDN against possible content poisoning attack, a signature of the contents is appended to each data packet for verifications. In this paper, we propose an identity-based signature scheme for IoT-based NDN networks, with a special emphasis on content integrity and authenticity. The proposed scheme is based on the concept of the Hyperelliptic curves, which provide the same level of security as Rivest-Shamir-Adleman (RSA), Bilinear pairing and Elliptic Curve Cryptosystems (ECC) with lower-key size. The proposed scheme is subject to both formal and informal security analysis in order to show the feasibility of our scheme. Finally, the performance of the proposed scheme is analyzed via comparison with the relevant existing schemes that authenticates the superiority of our scheme in terms of security and efficiency.


I. INTRODUCTION
The Internet of Things (IoT) has been acknowledged as a potential deployment area for Named Data Networking (NDN) over the traditional host-to-host approach, due to the huge amount of data dissemination produced by the IoT devices [1]. The current host-to-host nature of the Internet is not suitable for handling these smart devices because of the issues such as high latency, less security, limited address spacing and caching, etc., and therefore may not be able to provide efficient content distribution to the end-users [2]. In order to cope up with these limitations, a new Internet paradigm, called Named Data Networking (NDN) is proposed [3].
The associate editor coordinating the review of this manuscript and approving it for publication was Aniello Castiglione .
NDN is equipped with the advanced features of in-network caching and name-based routing which provide better content accessing for end-users with efficient connectivity to IoT devices [4], [5]. Moreover, NDN deals with two types of packets i.e. interest packet and data packet. The interest packets are sent to retirive a particular piece of data while the the response to that particular interest is called data packet. The NDN node generally maintains three types of data structures, viz., Content Store (CS), Pending Interest Table (PIT) and Forwarding Information Base (FIB) [6]. The CS stores the data packets passing through the router that can be cached for future reuse. The PIT stores all the interests that a router has forwarded but not satisfied yet. The FIB is used to forward the interest packets from one router to another based on routing protocols [7]. Suppose a client A sends an interest for some contents as shown in the Figure 1. The particular interest of client A will be forwarded to the original content provider for the first time. However, the response in the form of data packets will be cached by the intermediate routers R4, R3, and R1 for future use. Later on, if client B requires the same piece of contents, the particular interest of client B will be satisfied locally from R3, instead of forwarding the interest to the original content provider.The in-network caching policy of NDN increases the response time of the overall network by providing the contents locally from its caches instead of forwarding the interest to the original provider [8]. In Addition, NDN uses digital signature for signing every data packet for providing authentication and data integrity [9].
NDN faces some security issues in terms of the IoT network; one of the most common is the content poisoning attack [10]. The aim of this attack is to congest the cache with invalid contents that are normally signed with a fake signature [11]. In a content poisoning attack, the attacker takes full control of the intermediate router and send fake contents with an invalid signature to the client. Further, as NDN uses an in-network caching, therefore, the poisonous contents can be stored and forwarded in the entire network and hence can cause a massive disaster for the clients. A general scenario of content poisoning attack is shown in the Figure 2. In step 1, a client A shows an interest for some content. In step 2, after receiving the interest, the provider will provide the respective content with digital sign. According to NDN in-network caching policy, the intermediate routers between client A and provider, will keep the copy of the content in its CS for future reuse. Here, in the given scenario, the routers 3, 2, and 1 must store the copies of content in its CS and forwards the content to the client A. In step 3, an attacker takes control of the router 2 and forge the valid signature of the content by injecting a fake signature with poisonous content. In step 4, a client B, connected with router 5, shows an interest for the same content. In step 4, the router will act as a provider and will provide the poisonous copy of the content from its CS to the Client B and the intermediate routers 4, and 5 will store the poisonous copy of contents in its CS.
To prevent content poisoning attack, different solutions have been proposed in the literature [12]- [24]. Unfortunately, none of the solutions work effectively by providing a valid solution to the signature generation and verification.In digital signature, the private key of a particular signer is used to sign the content/message, while the public key is used for the authenticity of the signer [25]. However, it is a costly operation for every router, to verify the authenticity of each content with a Public Key Infrastructure (PKI) setting [26]. Therefore, IoT-based NDN network demands a lightweight signature scheme that can be used to solve the certificates management issues with minimal computation and communication costs.
Shamir in 1984 [27], proposed the first identity-based signature (IBS) scheme for solving the certificate related issues in PKI. The proposed work uses the identity of a signer for the calculation of the public key while the private key is generated by a third party named key generation center (KGC). Using the concept of Shamir, a number of schemes [28]- [32], [34], [35] and [36]- [53] have been proposed. However, none of the proposed solutions work effectively because of high incurring computation and communication costs. Further, the proposed schemes are mainly based on bilinear pairing and elliptic curves that perform heavy computational operations which are not a suitable option for resource-constrained IoT devices. Moreover, these schemes are not validated through any sort of formal security validation tools such as Automated Validation of Internet Security Protocols and Applications (AVISPA) or Scyther etc. that can, somehow, guarantee security.

A. AUTHOR'S MOTIVATIONS AND CONTRIBUTIONS
Motivated by the above, in this paper, we propose an identity-based signature scheme for the prevention of content poisoning attack in the IoT-based NDN networks. The proposed scheme is based on the advanced version of elliptic curves, called the Hyperelliptic curve [54]. The Hyperelliptic curve provides the same level of security as Rivest-Shamir-Adleman (RSA), Bilinear pairing and Elliptic Curve Cryptosystems (ECC) with smaller key size [55]. Moreover, our scheme prevents content poisoning attack with less verification overhead and keeps the caches clean from invalid contents. Furthermore, the client can authenticate the provider's and verify the integrity of the content in order VOLUME 8, 2020 to reduce verification overhead. To achieve this, we studied different ID-based signature [36]- [53] schemes that are designed for IP-based Internet architecture. The aforementioned schemes lead us to show some contributions which are as follows: • We propose an efficient and formally secure identitybased signature scheme for preventing content poisoning attack in IoT-based NDN environment.
• We use a lightweight Hyperelliptic curve algorithm for the efficiency in terms of computational and communication costs • For formal security analysis, we validate our scheme through a well-known validation tool, i.e. Automated Validation of Internet Security Protocols and Applications (AVISPA) • We also provide provable security through random oracle model (ROML) regarding existential unforgeability against adaptive chosen content (message) attack (EUF − IBS − ACCA).
• We compare our scheme with existing content poisoning attack schemes and the theoretical discussion shows that our scheme prevents content poisoning attack with low latency and less verification overhead • We also compare our scheme with existing ID-based signature scheme, the final results show that our scheme is much more efficient and highly secured from its existing counterparts • We also provide a practical implementation of our proposed scheme in the application scenario of NDN-based smart city.

B. PAPER ORGANIZATION
In Section II, we discuss the related work about content poisoning attack in NDN and Identity-based Signature schemes. Section III describes the preliminaries for our proposed scheme. Section IV discusses the proposed mechanism and its algorithms. In section V, we discuss and compare the proposed scheme with existing schemes.
In section VI, we described the application scenario and practical deployment for the proposed scheme. Section VII provides conclusions. Section VIII contains the appendix of the simulation code and results.

II. RELATED WORK
Researchers have presented different solutions for mitigation of content poisoning attack in recent times. However, they are struggling to protect NDN from this prominent attack. Here, we divide the related work into two parts; NDN based solution for content poisoning attack and Identity-based Signature schemes.

A. CONTENT POISONING ATTACK PREVENTION SCHEMES IN NDN
In 2013, Gasti et al. [10] proposed probabilistic signature verification using the ''self-certifying interest/data packet'' (SCID) for helping the routers to authenticate every receiving chunk of the content. However, due to the extra overhead on the router, the proposed approach failed to perform well. Ghali et al. [12] added interest-Key Binding (IKB) to the interest packet in order to bind the content name and provider public key. A key locator puts the provider key to the interest. However, signature and PKI based verifications are a slow process and cannot be able to perform at line speed.
Ghali et al. [13] further proposed a ranking algorithm for reducing the overhead of routers. The aim of this algorithm is to differentiate between valid and invalid content on the basis of observed consumer behavior. It prioritizes valid content over invalid in reply to consumer interests. However, it verifies each content that creates overhead and it also rejects a valid content due to abnormal behavior of valid content and stores the invalid content.
Kim et al. [14] proposed a check before storing (CBS) mechanism for reducing the cost of the signature verification. This mechanism probabilistically checks and verifies content items and only stores the validated content items in CS. It divides content into two types, cache hit, and cache miss. In case of a cache hit, it stores the content and in the latter case, bypass it. For cache replacement, it uses a segmented Least Recently Used (LRU) policy in which content is initially placed in the unprotected section of the cache and then upon successful verification, it is moved to the protected one. It just verifies the signature of a serving content that has a first cache hit. The limitation of this scheme is the latency that occurs due to the verification process for every chunk that is requested twice. Hence, an attacker can enforce verification of each invalid content by requesting it twice. A valid content can be bypassed and fake content can be stored through this mechanism. Kim et al. [15] further looked at its own work [9], particularly the verification attack and proposed scheme to exploit the relationship between the number of serving content and the amount of cache-hit events to defend against verification attack. Nguyen et al. [16] experimentally measured content poisoning attack and concluded that it can easily and badly affect NDN.
Baugher et al. [17] presented self-verifying names for the shifting authentication mode of ICN. It ensures the authenticity of data for read-only named data. The limitation of this scheme is that invalid users can sign fake data from the providers. Bianchi et al. [18] and Detti et al. [19] presented 'Lossy Caching'. In Lossy Caching, content is authenticated and stored with a certain probability. But the probability affects the hit ratio and the recency of network caches. The problem is to find out the best possible probability value. The scheme is not compatible with different cache replacement policies. Dibenedetto and Papadopoulos et al. [20] presented on-path content poisoning detection and avoiding mechanism. In this scheme, consumers have to send some additional information to routers. The routers maintain a naming list of coming data packets with their interfaces and aggressively send traffic to look at other valid paths. We argue that these places are creating additional overhead on both users and routers.
Wu et al. [21] presented Router-Oriented Mitigation (ROM) scheme which offers security assurance even when the caches are injected. ROM temporarily removes injected routers from the transmission, introduces reputation for every router and forwards content on the basis of these reputations. However, sometimes a valid router acts like an injected one; if there is no alternative path for the transmutation. Mai et al. [22] proposed a Bayesian Network techniques approach for examining and discovering irregularity in NDN routers. They introduced a record of checked metrics as a numerical measure to mark the behavior of the router. They developed a micro detector for checking and detecting normal to abnormal behavior. The proposed network structure associates alarms from micro detectors and its design are based on the expert knowledge of NDN specification and NFD implementation. The performance and significance of the Bayesian Network techniques approach confirm that this attack is very alarming in NDN. Long Mai et al. [23] further used the Montimage Monitoring Tool (MMT) for the detection of content poisoning attacks in which the orchestrators can respond for the alleviation of its impact on the network. The authors only experimented with the effect of a content poisoning attack, but they do not provide any solution for avoiding this attack. It is a very costly process to pass each content from the micro detector.
Hu et al. [24] proposed a light-weight mitigation mechanism; name-key-based forwarding and multipath forwarding-based inband probe. In the first one, the interest is forwarded toward trusted content sources in order to decrease the insertion of poisoned content. If poisoned content is still there on the on-path, the multipath forwarding of a reissued interest that rejects poisoned content acts as inband probes and perform on-demand signature verification at the middle routers. This removes invalid content from routers and sends valid content to the present user. It also restores valid content recovery for future interests with no need for any out-of-band communications. After the request, a client should obtain the key of the provider. The limitation is if there is no matching key for the interest in FIB the interest will be discarded. Divergent has many disadvantages like collision may occur by all traffic on one side, it also leads to a denial of service attack. Interest can be forwarded, where no source is available for data.

B. IDENTITY-BASED SIGNATURE SCHEMES
In 1984, Shamir [27] introduced the concept of identitybased signature to solve the certificate management issues of public-key cryptography (PKC). Later on, many ID-based signature schemes were introduced [35]- [37] by using the concept of Shamir [27]. In 2001, Sahu and Padhye [37] introduced a full workable ID-based encryption (IBE) scheme by using bilinear pairings. This idea leads Boneh and Franklin et al. [38] to propose the ID-based signature scheme (IBS) over bilinear pairings. In 2003, Cha and Cheon [40] proposed an ID-based signature scheme using Gap Diffie-Hellman. The scheme ensures unforgeable protection against ID-based attacks in the random oracle model. In the same year later, Hess [41] proposed an ID-based signature scheme that provides security based on Diffie-Hellman Problem (DHP) by using the random oracle model.
In 2005 Xu et al. [42] proposed an ID-based signature scheme for authentication in Mobile Ad Hoc Network. This scheme worked on offline/online concepts and provide security against forged-ability attacks. The aim of the offline/online concept to divide the signature into two steps, offline step and online step. In the offline step, the signature is performed without knowing the message. The online step allows the signer to know the message before signing. Further, in 2006, Xu et al. [43] proposed an ID-based signature scheme to improve [42] for multi-signature support. In 2007, Du and Wen [29] proposed a short ID-based signature scheme to reduce signature computation cost. In 2008, Li et al. [44] proved that the security of [43] scheme is weak and easily breakable. In 2009, Zhang et al. [45] proposed an IBS scheme using the random oracle model to improve the weakness of [43]. In 2010, Liu [46] proposed an authentication scheme for wireless sensor networks to use offline storage multiple times in polynomial time. The silent feature of this scheme is that there is no need for a pairing operation. Further, in 2012 Li et al. [47] proposed the PF-IBS algorithm to reduce the computation cost. In 2014, Le and Fang [48] proposed an ID-based signature for message recovery. The authors used the random oracle model for security proof based on the Bilinear Diffie-Hellman problem. The scheme is improved in 2015, by Chen et al. [49] by proposing an ID-based blind signature to protect user identity and validate signer. In 2016, Z. Qin et al. [50] proved the security of some schemes and point out that these schemes suffer from forgery attack and security can be easily be compromised. In 2017, Sharma et al. [51], proposed a pairing-free IBS scheme in the random oracle model. The aim of this scheme is to reduce signature computation cost and safety from forging signature attacks. For checking the performance of this scheme, the authors used MICAz with TinyOS and RELIC-Toolkit. In 2018, Sharma and Sharma [34] proposed an IBS scheme using the bilinear map in the random oracle model to reduce the communication cost and provide a more secure signature. The authors proved the security of the proposed scheme under the computational Diffie-Hellman problem. In the same year, James et al. [52] proposed an IBS scheme for signature and message recovery. In the proposed scheme, the authors used bilinear pairings over Elliptic Curves to reduce signature cost. Additionally, they also proved the correctness and security of this scheme.
In 2019, Krishna et al. [53] proposed an IDS scheme without using pairings over the elliptic curve to reduce the computation and communication costs. The authors proved the security of the scheme under the elliptic curve discrete logarithm problem (ECDL). Recently, Yaduvanshi anda Mishra [35] proposed a short IBS scheme over the elliptic curve without using bilinear pairing to reduce VOLUME 8, 2020 computation cost. Further, the scheme is proved under the assumption of the ECDL problem.
The schemes [34], [35], [42]- [53] in the literature, suffer from high computational and communicational requirements which is not a suitable choice for the resource-constrained IoT devices.
Moreover, the aforementioned schemes are specially designed for the IP-based architecture of the Internet. To make it capable for IoT-based NDN network and for the prevention of content poisoning attack, a lightweight signature scheme is required, which can provide strong security with less computation and communication resources.

III. PRELIMINARIES A. HYPERELLIPTIC CURVE
At first, we discuss shortly the Hyperelliptic curve (Hεċ). Let ù be a finite set and assume â is the genus of Hεċ with an [56]. Moreover, Hεċ of genus â ≥ 2 over ù is a set of points (), ù*ù as mentioned in the equation (1).
Hεċ :ẇ 2 + ()ẇ = f() (1) Note that Hεċ points are totally different from the elliptic curve [57]. In case of the divisors that are the formal sum of the finite integer such as d = χ i z i where χ i ε ù and z i ε Hεċ. Moreover, in case it forms Jacobian group J -H εċ having the following brief order.

1) HYPERELLIPTIC CURVE DISCRETE LOGARITHM PROBLEM
Suppose â is a divisor which is known to everyone publicly in the entire network and L· is picked as a random private number from ù, then recovering L· from â1 = â.L· is known to be Hεċ discrete logarithm problem.

B. SYNTAX OF IDENTITY-BASED SIGNATURE
The proposed identity-based signature scheme is the extended version of [35], which consists of the four algorithms: setup, key generation, Provider-Signature Generation, and Client-Signature Verification, respectively. The basic syntax of the proposed scheme is discussed in the following mentioned steps.
• In this algorithm, given φ as a security parameter, the network manager picks a secret key as ∇ and processed a public key . Generates all public parameters set ⊥ ⊥ and publishes it.
• Key Generation: The network manager takes the identity of each user Idu as an input and generates the private key u and public key w u for the Id u . • Provider-Signature Generation: This algorithm is run by the provider and it takes the devisor D, private key p and content C as an input and generate sign tuple δ • Client-Signature Verification: This algorithm is normally executed on the client-side in which the client calculates the public key w p , and the hash function W to verify δ.

C. THREAT MODAL
In the proposed scheme, for the transmission of content among producer and client, we consider the Dolev-Yao (DY) [55], [55], model. According to DY, the communication between two parties is performed in an open channel. In the DY threat model, the attacker has a full command to modify the content, forge the signature in any IoT-based NDN network. Further, the IoT-based NDN network has the ability to detect the behavior of the malicious user inside the network.
To modify the content and forge the signature, the attacker tries to launch a content poisoning attack. To maintain the security and prevent content poisoning attack in the IoT-based NDN network it is really important to validate all users from its signature. The identity based signature scheme is considered to be existential unforgeability against adaptive chosen content (message) attack (EUF − IBS − ACCA). If there is no intruder (JNT) with the polynomial bonding running time, while inputting the common parameters (Param = ⊥ ⊥), wins the following game with a non-negligible probability. The challenger commanding the game and will have to be responded to the JNT quaries.
1. The JNT issues key generating queries Q KG , for the given identity Id u , for this purpose the challenger will run the key generating query by providing the input identity Id u , further, obtain the corresponding private key u and provide it to the JNT.

The JNT issue the Provider-Signature Generation
Queries Q PSG as an input, further, obtain the corresponding private key u . After that, run the Provider-Signature Generation algorithm by providing the u as an input and provide it to the JNT with the resultant signature δ. 3. The adversary JNT generate ( δ ) by taking Id u and C as an input. The Q KG and Q PSG never have been called for Id u and C before.
The JNT take message C and ⊥ ⊥ as an input and generate δ as a signature. The probability of the adversary winning the game is decided from the advantage of the JNT. The JNT is declared to be the (u, τ, Q KG Q PSG Q h ) forger, if it has at least advantages in the aforementioned game. The JNT may run for at most ( τ ) time, while making at most Q KG extraction queries, Q h hash queries with Q PSG sign queries in the random oracle model (ROM). The algorithm is considered to be secure against the (UF − IBS − ACCA) if there exist no (u, τ, Q KG Q PSG Q h ) forger. The abbreviation used in preliminaries and algorithm sections is mentioned in Table 1.

IV. PROPOSED SCHEME
Here, we proposed a lightweight OnDemand verification authentication scheme for mitigating content poisoning attacks in IoT-based NDN network. In our scheme all the providers and the clients register themselves with the network manager by providing their identities, then the network manager generates public and private keys by using their identities. Whenever the client shows an interest for some contents, the NDN routers forward that particular interest towards the provider as indicated in Figure 3. Upon receiving the interest the provider applies Hash on the requested content to get the message digests (MD 1 ) and digitally signs the MD 1 with his private key. After that, the requested content is delivered to the client with the digital signature and MD 1 of the provider. The requested content is stored in caches of R-1, R-2, and R-4 by following leave copy everywhere (LCE) caching policy as shown in Figure 1. Suppose, an attacker poisoned the original content A in R-2 as shown in Figure 4.
Later, if another client B shows interest for the same contents A and that interest is received at R-2, here, the R-2 will send the poisoned copy to client B as shown in Figure 5  (step-4).
Here, if client B wishes to verify the received contents A due to its importance, it sends a request to NA for the corresponding public key of the original content provider. After receiving the public key, the client B tries to verify the digital signature with the corresponding public key of the provider. If it decrypts with the public key, then it means the publisher is registered with the NA and is an authentic provider. In this way, the original provider is authenticated. After the authentication phase, if client B wants to check the integrity of the content. It simply applies Hash on the received content to get the message digest MD 2 . The Client B than compare the computed MD 2 with the received MD 1 . If both message digests are equal, it means the content has not been poison otherwise the content has been poisoned. If the content is poisoned, then the client B encrypts the poisoned contents A and MD 2 with the public key of the valid provider and sends it to the original provider. After receiving, the provider decrypts MD 2 with its private key and compares it with its valid content MD 1 . At the end, original provider broadcasts a message regarding this poisoned content in the networks to remove it from the router caches.

A. PROPOSED SCHEME ALGORITHMS
This phase contains a brief discussion of the proposed scheme and its algorithms. The abbreviations used in our proposed algorithm are shown in Table 2. The scheme consists of three participants, namely; the network manager, provider of contents and the client. The proposed scheme consists of four algorithms [51]: setup, key generation, provider and client verification. We processed our proposed scheme algorithm in the following step: Setup: In this algorithm, given φ as a security parameter, the network manager picks a secret key as ∇∈ 1, 2, 3, . . . .., q − 1 processed a public key as =∇.D, where D is the divisor of the hyperelliptic curve (Hεċ). Generates all public parameters as ⊥ ⊥ = (h 0 , h 1 , , Hεċ, ù, â, φ , J -, D) and publishes it, where (h 0 h 1 ) are the one way collision resistant hash functions.
Key Generation: This algorithm enables a network manager to generate a public and private key for a user with the identity Id u by using the followed computations.   3) Compute u = (v u + ź .∇) mod q 4) Set u is the private key for the user with the identity Id u 98916 VOLUME 8, 2020

5)
Set w u is the public key for the user with the identity Id u 6) Give ( u w u ) to the user with the identity Id u through secure network

Provider-Signature Generation:
This algorithm is executed by the provider. It takes the Divisor D, the private key of the provider p and the content C as an input to produce a sign tuple δ = (C, W, L, M).

1) A provider first Randomly chooses
where Nr is the fresh nonce 4) Set W = MD 1 5) Computes S = p W + d mod q 6) Sends a sign tuple δ = (C, W = MD 1 , L, S) to the client Client-Signature Verification: Upon receiving δ = (C, W, L, S), the client can verify the contents in the following steps: • Computes content digests W = h 1 C//L// Nr// Id p • Set W = MD 2 • Computes S.D = W w p + β + L for signature verification • Compare MD 2 = MD 1 for integrity, if it is not holds, then it means that the content is poisoned.

Poisoned Content Removing:
Once the content is poisoned, then client B and provider perform the followed steps. The proposed scheme can be secured against existential unforgeability against adaptive chosen content (message) attack(EUF − IBS − ACCA), if the intruder (JNT) has the non-negligible advantage ξ , and JNT can request most of the time τ for the queries such that, hash queries Q h , key generating queries Q KG , and Provider-Signature Generation queries Q PSG with ξ · (10(Q h 0 +1)(Q h 0 +Q PSG ) 2 φ , then the challenger with executing time τ · (23(Q τ h 0 ) ξ and probability ξ · 1 9 [51], [54], can solve HECDLP.
Key Generating Queries Q KG : When JNT submits a request with Id u , then randomly selects x , y ∈ 1, 2, 3, . . . .., q − 1 , sets w u = x . + y.D, u = y, ź = h 0 (Id u w u ) = −x modq, and β = ź . . So, returns the tuple ( u w u ) and includes (Id u w u , u h 0 (Id u w u )) to the list h list 0 . Provider-Signature Generation Queries Q PSG : When JNT submits a request with Id u , then can perform the below steps: 1) Check the Id u , if it is already submitted for hash queries Q h or key generating queries Q KG , it returns (Id u w u , u h 0 (Id u β)) from the list h list 0 to perform the Provider-Signature Generation process as like of section (A). Here, produced δ and inserts h 1 (C//L// Nu// Id u ) into h list 1 2) If it is not being submitted for key generating queries Q KG , then processed this oracle, get the private key, and make a signature. 3) Otherwise, randomly selects x , y ∈ {1, 2, 3, . . . .., q − 1}, calculate L = x .D − y.w u − y. ź . , where ź = h 0 (Id u w u ) is obtained from the list h list 0 , sets x = S, and y = W. Then, it inserts C//L// Nu// Id u //y into h list 1 . Here, it should be noticed that if (C//L// Nu// Id u ) exists in h list 1 , then response is a flop and exists. So, y is a uniformly selected number, here, the probability failure is nope extra then 1 q , which can be ignored. When JNT has the capacity derived the same signature such that Provider-Signature Generation process as like of section (A), for C with ξ · (10(Q h 0 +1)(Q h 0 +Q PSG ) 2 φ . Here, it is to be noted that when C has not been submitted to the Provider-Signature Generation oracle, then can make two valid signatures that are δ = (C, W, L, S) and δ = (C, W , L, S ). So, we have the following verification processes: Firstly, However, if the attacker wants to generate the forge digital signature S * = p W + d * and launching the content poisoning attack, then it needs to calculate a random private number d from L = d .D and private key of the provider X p from w p = p .D. Here, finding d and p are the two discrete logarithm problems over the Hyperelliptic curve and therefore infeasible to break two-time discrete logarithm problems.
So, from the aforementioned discussions, we can say that our scheme is safe against the Attacker to launch a content poisoning attack.

V. DISCUSSION AND COMPARISONS
In this section, we compared our scheme with two different types of schemes, i.e. i) NDN-based schemes for content poisoning attack prevention and ii) identity-based signature schemes.

A. NDN-BASED SCHEMES
The existing NDN-based schemes for mitigation of content poisoning attack don't have any proper signature verification mechanism. So, we compare our scheme with [13], [15], [21], [22], and [24] on the basis of latency, verification overhead, and security as shown in Table 2. In Addition, we also explain the reason for their weaknesses in the respective schemes.
Ghali et al. [13], the ranking algorithm scheme differentiate between valid and fake content objects based on observed consumer's behavior. The scheme verifies and provides ranking to every content according to consumer's feedback. The scheme works with low latency and eliminates the extra overhead problem due to verifying only cache hit contents according to the client's feedback. However, the security of the scheme is weak, because it is totally depended on client feedback. Any attacker can give positive feedback about the invalid provider and malicious router or negative feedback about a valid provider and router. The illegal users can interest for a number of non-popular contents, so NDN routers attach provider key and store the return contents copies in every intermediate router CS between clients and providers. Our scheme reduces the verification overhead. Further, our scheme is strongly secured and stops other attacks because it ensures the security properties of authenticity, integrity, unforgeability, and non-repudiations.
Kim et al. [15] divide the contents into two types; cache hit and cache miss. In case of the cache hits it stores the contents otherwise, bypassed it. The scheme works with high latency and extra verification overhead, due to the verification process that occurs for every chunk that is requested twice. Further, the security level of the scheme is an average due to verifying cache hit contents twice. However, in the proposed scheme, any attacker can verify and store non-popular and invalid contents and further request for it many times. As compared to this scheme our proposed scheme works on low latency and very less verification overhead due to the identity-based signature verification process because it removes the certificate management issues. In addition, our scheme provides protection from cache pollution attacks because it broadcast the invalid contents and hence eliminates the invalid content from CS of the router.
Wu et al. [21] proposed ROM, the Router-Oriented Mitigation to temporarily remove the injected routers from the transmission. A router can be considered injected if they show any abnormal behavior or client give negative feedback about it. The scheme is suffering from high latency due to removing router in on-path transmission and divergence of path. Further, by putting all traffic on one side can create extra overhead. If there is no alternative path for the transmutation, then what to do. As compared to this scheme our scheme works with low latency and produces high security due to on-demand verification.
Mai et al. [22] scheme that passes every content from NDN firewall and micro detectors in Bayesian Network techniques to mitigate content poison attack. The authors connect alarm with micro detectors that activate when any significant changes occur from its normal to abnormal behavior of nodes. The scheme works with high latency and extra overhead due to passing every content from firewall and micro detectors. The proposed scheme passes every popular and non-popular content from the micro detector. On the other hand, our scheme solves the latency problem due to the identity-based signature verification process. Further, our scheme provides strong security by offering the security properties of authenticity, integrity, unforgeability, and non-repudiations that stop content poisoning attack as compared to Mai et al. [22] scheme.
Hu et al. [24] proposed a light-weight mitigation mechanism name key-based forwarding and multipath forwarding-based inband prob. Before forwarding every interest, the router should attach the public key of the provider from FIB to interest. If any on-path poisoning content/router found the inband will change the path from the poisoning content/router. The scheme facing latency problems due to the changing path during transmission. Also, interest can be forwarded towards where is no source available for data. Hu et al. [24] scheme is not suitable for large and complex networks due to attaching provider public key with every interest. If there is no public key of the specific content provider in FIB that the client wants then what will be done, no solution given by the authors. Our proposed scheme works with minimum latency and strong security without the need for provider public key with interest. Further, our scheme stops content poisoning attack with a broadcast that eliminates poison content from the cache.

B. IDENTITY-BASED SCHEMES
In this section, we compare our schemes with the existing schemes on the basis of computation and communication costs.

1) COMPUTATION COST
In this section, the comparison in terms of computation cost is made between the proposed and those of Sharma et al. [51], James et al. [52], Sharma and Sharma [34],  Krishna et al. [53], and Yaduvanshi and Mishra [35]. The comparison includes the expansive mathematical operations, which is used in the proposed and in the aforementioned existing schemes such as bilinear pairing operation (B ), elliptic curve point multiplication ( M), and Hyperelliptic curve divisor multiplication (ĥ DM. Here, the minor operation like addition, division, subtraction, encryption, decryption, and hash that require less time during computation being ignored. We showed the required major operation in Table 3 for Sharma et al. [51], James et al. [52], Sharma and Sharma [34], Krishna et al. [53], Yaduvanshi and Mishra [35], and for our proposed scheme, respectively. Additionally, in Table 4, we provide a comparison by utilizing these major operations with respect to milliseconds (ms). By assuming the experiments produced in [61] with the following mentioned system specification.
Computation Cost Reduction of the Proposed Scheme From the Existing Schemes: Cost reduction can be calculated by using the following formula.
existing scheme − proposed scheme existing scheme * 100 • Reduction of the proposed scheme from Sharma et al. [51] as:  Figure 6, we have shown the computational cost reduction.

Communication Overhead Reduction of the Proposed Scheme From the Existing Schemes in Terms of Bits:
Cost reduction can be calculated by using the following formula.
existing scheme − proposed scheme existing scheme * 100 • Reduction of the proposed scheme from Sharma et al. [51] as: In this section, we consider the NDN-based smart city network, where a number of sensors and routers are deployed to produce different contents as shown in Figure 8. Moreover, the things in the smart city are connected based on the NDN policy. During communication and transmission in the NDN-based smart city, the forwarding is based on name-based routing with in-network content caching.
In NDN-based smart city every node maintains three types of data structures, namely Content Store (CS), stores the copy of the contents with itself in the CS for future use, Pending Interest Table (PIT), the PIT stores all the interests that a router has forwarded but not satisfied yet, and Forwarding Information Base (FIB), used to forward the requests from one router to another based on routing protocols [24]. Suppose two smart things want to communicate with each other, here the communication will consist of three participants, namely; client, network manager, and provider.
The client is those who require content, the provider is those who provide content to the client, and the network manager is a fully trusted third party, who is responsible for secure communication among the client and the provider as further shown in Figure 9.
The secure communication between client and provider is mentioned in the following phases; 1. Registration Phase: In this phase, the client and the provider need to register themselves with the network manager by sending their Identities ( Id u ). The network manager gets their Identities ( Id u ) and generate a private key u = (v u + ź .∇) mod q, and public key w u = v u .D, for the user by using their identity Id u .Then the network manager sends the u and w u to both client and provider. 2. Signature Generation Phase: when the client shows an interest in content C, after receiving the interest the provider will digitally sign C. For this purpose, the provider takes the Divisor D, the private key of the provider p and the content C as an input to produce a sign tuple δ = (C, W, L, S). For signing the tuple δ  Further, the digital signature S = p W + d mod q and finally generated a signed tuple δ = (C, W, L, S) and send it to the client. VOLUME 8, 2020 Verification Phase: After receiving the signed tuple δ = (C, W, L, S), the client can verify the contents in the following steps: it computes content digests W = h 1 C//L//Nr// Id p , set W = MD 2 , computes S.D = W w p + β + L for signature verification, and compare MD 2 = MD 1 for integrity, if it is not holds, then it means that the content is poisoned. 3. Poisoned Content Removing: Once the content is poisoned, then the client encrypts the poisoned contents and MD 2 as OJ = ε w p (C, MD 2 ), sends POJ to the original provider. So, after receiving POJ , the publisher decrypts (AMD 2 ) = D p (POJ), compares MD 2 with its valid content MD 1 as MD 2 = MD 1 . If the equality does not hold, then the original provider broadcasts a message regarding this poisoned content in the networks to remove it from the router caches.

VII. CONCLUSION
In this paper, we proposed an efficient and formally secure identity-based signature scheme for preventing content poisoning attack in IoT-based NDN networks. First, the proposed scheme is compared with NDN-based security schemes with respect to the content poisoning attack and the results show that our scheme provides strong security with low latency against content poisoning attack. Then, the newly designed scheme is compared with the existing identity-based signature schemes in terms of computational cost and communication overhead. The proposed scheme reduces the computational cost from 32.30% to 97.31% and communication overhead from 19.04 % to 89.28 % from the existing schemes.
In addition, we validate the security requirement of the proposed scheme through AVISPA formally and the Simulation results show that our scheme is SAFE under the two back end protocol i.e. ATSE and OFMC. Moreover, the contributed scheme provided a provable security under the random oracle model (ROML) regarding existential unforgeability against adaptive chosen content (message) attack (EUF − IBS − ACCA). To conclude, we provided a practical application scenario of the proposed scheme on the NDN-based smart city network.

APPENDIX
In this section, we discuss and validate the proposed scheme with the well-known simulation tool AVISPA. The code and results are shown in the following subsection For the simulation, we use the Automated Validation of Internet Security Protocols and Applications (AVISPA) tool. AVISPA is an automatic tool that proves the validation of cryptographic schemes in terms of SAFE or UNSAFE mode. According to the HLPSL language syntax and rules, AVISPA provides results of the development scheme. The code is written using the rules of HLPSL. The intermediate format (IF) converts written code into lower-level machine language. Translation to IF is achieved with the help of HLPSL to the IF translator. Clark and Jacob [59], [60] suggest that HLPSL2IF translator orders the execution of the judgment by given primary knowledge, every agent can build the messages he/she imagines. AVISPA tool uses On-the-fly Model-Checker (OFMC), CL-based Attack Searcher (CLAtSe), SAT-based Model-Checker (SATMC), and Tree-Automata-based Protocol Analyzer (TA4SP), the back end for their work as shown in Figure 10. As required, every back end provides its own functionality.

B. PROVIDER ROLE
In this part, we explain the provider role. In our scheme, the provider digitally signs the content with its private key for the signature generation and hash value. The HLPSL code for the provider role is shown in Table 6.

C. CLIENT ROLE
In this subsection, we explain the role of the client in our proposed scheme. If the client wants verification of content and provider, they need to get the public key of the provider. With the provider public key, the client can check authenticity of the provider. The client role HLPSL code is shown in Table 7.

D. PROVIDER VERIFICATION AND BROADCAST
This subsection combines the role of client-side verification and broadcasting invalid content to remove it from CS. A client can verify the provider with public key. In case of invalidity, the client send the poison content to the network manager. Network manager, broadcasts the poison content networks for removing this poisoned content from different CS's of nodes. The HLPSL code for provider verification and broadcasting is shown in Table 8.

E. SIMULATION RESULT OF PROPOSED SCHEME
In this section, we present the simulation results according to the above-stated HLPSL code. We apply HLPSL code on following two protocols. VOLUME 8, 2020

1) OFMC PROTOCOL RESULT
The HLPSL code for the OFMC protocol shows that our scheme is SAFE as it prevents the IoT-based NDN from content poisoning attack. The results are shown in Figure 11.

2) ATSE PROTOCOL RESULT
The HLPSL code for the ATSE protocol shows the safety of our proposed scheme. This scheme is efficient to prevent IoT-based NDN from content poisoning attack. The results of this protocol are shown in Figure 12.