Wireless Communications and Mobile Computing

Wireless Communications and Mobile Computing / 2020 / Article

Research Article | Open Access

Volume 2020 |Article ID 2145829 | https://doi.org/10.1155/2020/2145829

Aisha Kanwal Junejo, Nikos Komninos, "A Lightweight Attribute-Based Security Scheme for Fog-Enabled Cyber Physical Systems", Wireless Communications and Mobile Computing, vol. 2020, Article ID 2145829, 18 pages, 2020. https://doi.org/10.1155/2020/2145829

A Lightweight Attribute-Based Security Scheme for Fog-Enabled Cyber Physical Systems

Academic Editor: Davide Mattera
Received20 Nov 2019
Revised09 Jul 2020
Accepted24 Jul 2020
Published21 Sep 2020

Abstract

In this paper, a lightweight attribute-based security scheme based on elliptic curve cryptography (ECC) is proposed for fog-enabled cyber physical systems (Fog-CPS). A novel aspect of the proposed scheme is that the communication between Fog-CPS entities is secure even when the certification authority (CA) is compromised. This is achieved by dividing the attributes into two sets, namely, secret and shared, and subsequently generating two key pairs, referred to as the partial and final key pairs, for each entity of the Fog-CPS system. Unlike existing attribute-based encryption (ABE) and identity-based encryption schemes, in the proposed scheme, each entity calculates the final public key of the communicating CPS devices without the need of generating and transmitting digital certificates. Moreover, the proposed security scheme considers an efficient and secure key pair update approach in which the calculation overhead is limited to one group element. To show the effectiveness of the proposed scheme, we have calculated and compared the memory and processing complexity with other bilinear and elliptic curve schemes. We have also implemented our scheme in a Raspberry Pi (3B+ model) for CPS simulations. The proposed scheme guarantees the confidentiality, integrity, privacy, and authenticity in Fog-CPS systems.

1. Introduction

Fog computing can improve the monitoring and management of next-generation cyber physical systems (CPS). A general fog-enabled cyber physical system (Fog-CPS) as shown in Figure 1 consists of three layers, namely, the CPS device, fog, and cloud. Fog-CPS systems are vulnerable to numerous security, privacy, and trust challenges. With regard to security, different attacks, namely, interception, interruption, modification, fabrication, unauthorized authentication, and access, can be carried out to disrupt the communication between Fog-CPS entities. The abovementioned challenges could be addressed by employing lightweight cryptographic techniques. However, the existing solutions have a number of limitations. Firstly, in public key encryption (PKE) schemes, the generation, verification, and distribution of certificates incur extra computation and communication overhead which is not desirable for resource-limited CPS devices. Secondly, in attribute-based encryption (ABE) schemes, there is a certification authority (CA) which generates the secret keys based on a set of attributes. However, the compromise of CA can endanger the secret keys and therefore the secrecy of encrypted messages. Thirdly, the existing ABE schemes which are based on bilinear pairing require large security parameters and therefore are not suitable for resource-constrained CPS devices.

Considering the limitations of existing solutions, in this paper, a lightweight security scheme is proposed. The proposed scheme guarantees that the communication between entities is secure in cases where the CA might be compromised.

1.1. Motivation

The motivation for designing such a solution comes from the identity-based encryption (IBE) and ABE schemes as it is believed that inherent attributes of CPS devices can be used for identification, authentication, and access control. From here onwards, the proposed scheme is called as Fog-CPS.

Moreover, in the proposed scheme, the CA (i.e., FA in this case) cannot decrypt the messages exchanged among CPS devices, thus maintaining their privacy. This is achieved by dividing the attribute set into two subsets, a secret and a shared attribute subset. Precisely, each entity in a Fog-CPS system will have two key pairs, namely, a “partial key pair” and a “final key pair” generated from secret and shared attribute sets, respectively. The secret attributes are only known to FA which registers the entities and generates the partial key pair. The registration of CPS entities with FA ensures that published public keys are authentic and do not require any further verification.

However, as the secret attributes are only known to FA; the other collaborating CPS devices cannot verify them. To address this problem, a notion of “shared” attributes is introduced. The shared attributes are known to collaborating Fog-CPS entities which generate the final public and secret keys. The encryption and decryption would take place using final public and secret keys. Such an approach is advantageous for two reasons: (1) the secret attributes are only shared with the FA and the leakage of partial secret keys would not risk the communication of collaborating entities and (2) the scheme is scalable because the final public keys are generated by the collaborating devices themselves without the aid of FA. Any device can generate the final public keys of other devices.

Furthermore, upon key update, the key regeneration process is lightweight, since the key generation process as found in Algorithms 13 is not repeated.

1: Input: Security parameter , secret attribute set .
2: Output:
  .
  
3: Choose elliptic curve group , where is a base point on the elliptic curve defined over the finite field .
4: Choose a one-way collision resistance hash function, defined as:
      
5: Create a secret random number .
6: Map attributes in secret set to using hash function and compute secret number .
      
7: Next, compute public key components Pi as:
     
1: Input: Public Key and shared attribute set .
2: Output:.
3: Let be the device attribute string over shared attribute set.
4: Map attributes in shared set to using hash function and compute .
      
5: Next, compute final public key components as:
               
1: Input: Secret key and shared attribute set .
2: Output:.
3: Compute secret number as follows:
                 
where is the secret key component from and is computed similar to Equation (6) in Algorithm 2.
4: Next, compute Equation (9), which is a -degree at most polynomial in .
      
5: Pick two random numbers . Compute such that the following condition holds.
        
6: Next, compute secret key component u1
          
1.2. Contributions

The contributions of this paper are enumerated below: (1)First, a lightweight attribute-based security scheme is proposed for Fog-CPS systems(2)Second, the Fog-CPS scheme considers an efficient and secure key pair update approach in which the calculation overhead is limited to one group element(3)Third, the proposed scheme is compared with other schemes based on bilinear pairing and elliptic curves by calculating its memory and processing overhead(4)Fourth, the proposed scheme is implemented on a resource-limited Raspberry Pi (3B+ model) for CPS simulations.

The remaining parts of this paper are organized as follows: the related work is discussed in Section 2. The proposed scheme is presented in Section 3. Next, the experimental results are presented in Section 4. The conclusion and future work are discussed in Section 5.

To secure the communication in CPS systems, the literature adopts a hybrid approach in which both symmetric (AES-based) and asymmetric (RSA-based and ABE) encryption techniques are used. AES (Advanced Encryption Standard) is used to encrypt the communication between sensor nodes and the gateway, whereas the asymmetric schemes are used to encrypt the communication between the gateway and the service provider.

Recently, Mahmood et al. [1] propose an authentication scheme for a smart grid. The scheme has a few limitations: (1) the scalability in case of large-scale CPS systems with hundreds of nodes and (2) the inconsideration of access control mechanism. In a smart grid system, there are several heterogeneous devices at different layers, so including access control mechanisms is crucial. Kocabas et al. [2] present a medical cloud-assisted CPS architecture consisting of acquisition, preprocessing, cloud, and action layers. The study proposes an AES (Advanced Encryption Standard) symmetric key encryption scheme for communication between the acquisition and preprocessing layers. The main disadvantage of [2] is the key management of symmetric keys in such a complex environment with hundreds of CPS devices. Shuo et al. [3] propose a distributed authentication framework for the multidomain M2M environment. The proposed framework employs a hybrid encryption scheme involving IBE and AES symmetric encryption.

Sravani et al. [4] present a signature-based authenticated key establishment scheme for IoT applications. Hu et al. [5] propose a communication architecture for Body Area Networks (BANs) and design a scheme to secure the data communication between wearable sensors and data consumers (doctors and nurses). They propose the CP-ABE and signature-based schemes to store the encrypted data at the data sink. Guo et al. [6] propose a CP-ABE scheme with constant-size decryption keys. Chen et al. [7] propose fully secure KP-ABE and CP-ABE with constant-size ciphertexts and a fully secure ABS with constant-size signatures. Odelu and Das [8] propose a lightweight and constant-size secret key ABE scheme based on ECC. However, key update/revocation and key generation are some of the limitations of the scheme in [8].

A major limitation of the existing ABE schemes [5, 7, 9, 10, 11, 12] is the complexity; these schemes require large security parameters (i.e., 1024- or 2048-bit size). Besides that, in the above cited ABE schemes, CA generates and distributes the secret keys. Nonetheless, sharing of private attributes with CA can risk the privacy, since the CA can also decrypt messages and retrieve CPS system data. Moreover, the compromise of CA can also risk the secrecy of communication between the sender and receiver. Additionally, some studies propose symmetric key schemes for resource-constrained devices. However, in large-scale Fog-CPS systems, the symmetric key management process becomes very complicated and complex. Symmetric schemes require a separate protocol for session key agreement and generation. Furthermore, when the short-size data is encrypted with a symmetric key, then the information which is revealed about the key may be critical for ciphertext-only attack.

Henceforth, it is believed a lightweight encryption scheme based on ECC wherein the CA only generates the partial key pair is the appropriate choice. ECC-based schemes require smaller security parameters (i.e., 128 or 256 bits) and therefore can be implemented in resource-limited CPS devices.

3. Proposed Fog-CPS Security Scheme

In this section, the proposed Fog-CPS scheme is presented. Table 1 lists the notations used throughout the paper.


NotationDescription

Security parameter
A sufficiently large prime number
An elliptic curve defined over the finite field
A base point in
Scalar multiplication,
Elliptic curve point addition
Elliptic curve group generated by
One-way collision resistance hash functions
Device attribute set
Secret attribute set
Shared attribute set
Access policy,
Public key components
Public and secret key pair generated from
Public and secret keys generated from
Final secret key components
Ciphertext
Finite field over

3.1. Preliminaries

In this section, the attributes, access structures, and the computational hard problems are discussed.

3.1.1. Secret and Shared Attribute Sets

All CPS devices and fog nodes possess a set of attributes. Let be the attribute set of each CPS device consisting of both secret and shared attributes. As an example, a few attributes for both sets are listed in Table 2.

(a)

Secret attribute set shared between Fog-CPS entities and FA

Device IDIP addressLocationMalicious activities reportedNumber of key updatesTrust

(b)

Shared attribute set shared between Fog-CPS entities

Entity IDEntity typeApplication IDApplication typeData identifierTrust

3.1.2. Access Structure

The attribute string of a device is presented with an -bit string . To further elaborate the attribute string, the example of shared attribute set is considered. The attribute string is defined as follows: and . For example, if and 4 attributes are considered for final key pair generation, then ; the 5-bit string becomes 11011. Likewise, an access policy is defined by and specified with attributes in the shared attribute set . The access policy is also represented with -bit string where , for , and , for . If the access policy is defined on attributes , then the policy string is . Additionally, the proposed scheme is based on the AND-gate access control structure. The attribute set fulfills the access policy , if and only if and , for all .

3.1.3. Computational Hard Problems

The security of the Fog-CPS scheme is based on the computational problems described below.

(1) q-Generalized Diffie-Hellman (q-GDH) Assumption [13]. Given in and all the subset products for any strict subset , it is hard to compute , where is a base point in . Since the number of subset products (elliptic curve scalar point multiplications) is exponential in , access to all these subset products is provided through an oracle. For a vector , define to be an oracle that for any strict subset responds with .

Definition 1 (-GDH assumption). The assumption is satisfied in , if for all -time algorithms , the advantage , where and for any sufficiently small .

(2) q-Diffie-Hellman Inversion (q-DHI) Problem [13]. Given a -tuple , the problem is to compute where .

Definition 2 (-DHI assumption). satisfies the -DHI assumption, if for all -time algorithms , the advantage becomes for any sufficiently small , where the probability is over the random choice of in and the random bits of .

It can be shown by a reduction that our computational problem is at least as hard as the discrete logarithm problem (DLP).

3.2. Assumptions

The following assumptions are made regarding the Fog-CPS entities. (1)It is assumed that CPS devices, such as smart meter and home appliances, can be compromised and leak sensitive information(2)The FA, fog nodes, and cloud provider are honest but curious and might try to gather as much information (from CPS devices, users, social media, and external resources) as possible that can later be used to generate the profile of CPS devices/users. Such information can be used for targeted advertisement and spamming(3)All Fog-CPS entities will register with the FA using their secret attribute set and it would generate their partial key pair(4)The CPS entities and fog nodes generate the final public keys of the collaborating devices(5)Access policies based on shared attributes are shared with CPS devices, FA, fog nodes, and cloud(6)It is assumed that the elliptic curve group parameters are preshared with entities

3.3. Fog-CPS Security Scheme Description

The proposed Fog-CPS security scheme has adopted the encryption and decryption algorithms of [8]. Furthermore, additional changes were made to the key generation algorithms of [8] as specified below: (1)The attributes in the Fog-CPS scheme are divided into two sets, i.e., a secret and a shared . Therefore, the key generation process is also distributed between the FA and Fog-CPS entities. Three algorithms, namely, partial key pair generation, final public KeyGen, and final secret KeyGen, are designed for the complete key generation process(2)The Fog-CPS security scheme uses two elliptic curve (EC) points for each attribute instead of three as in [8]. The use of two points per attribute reduces the processing and memory overhead and makes the Fog-CPS scheme efficient but also secure.(3)Efficient key update algorithms with limited additional overhead are introduced

3.4. Fog-CPS Security Scheme Construction

The Fog-CPS security scheme consists of eight algorithms out of which seven are presented here. As previously mentioned, the encryption and decryption algorithms are adopted from [8]. However, we made a few changes to the encryption algorithm, so it is also presented, but the description of the decryption algorithm is omitted.

3.4.1. Partial Key Pair Generation

The partial key pair generation algorithm is executed by the FA which registers the Fog-CPS entities based on a secret attribute set . Algorithm 1 takes as input the security parameter and a set of secret attributes . consists of a long string of 1 s (chosen finite field) and defines the length of the secret keys and messages. It outputs the partial public/secret key pair . Subsequently, the FA publishes the public key and sends the secret key to the CPS device. For initial communication, Fog-CPS entities can use the partial public keys. The partial public keys guarantee that Fog-CPS entities are legitimate and registered with FA.

3.4.2. Final Public KeyGen

The second pair of keys, namely, the final public and secret keys, is generated from the shared attribute set. The final public keys can be generated by any CPS device or fog node that shares a set of attributes with some other entity. Algorithm 2 generates the final public key of a CPS device. It takes as input the partial public key generated over the secret attribute set and the shared attribute set . It outputs the final public key .

3.4.3. Final Secret KeyGen

Algorithm 3 generates the final secret key of a CPS device. It takes as input the secret key generated over the secret attribute set and the shared attribute set . It outputs the final secret key .

3.4.4. Encrypt

The encryption algorithm takes as input the final public key , access policy , and a message . It outputs a ciphertext . Algorithm 7 presents the encryption procedure in detail.

Proposition 3. From Equations (9) and (18), a new polynomial can be calculated as It can easily be verified that is a polynomial function in , if and only if . The encryption algorithm and the secret key generation algorithms are designed in such a way that must be a polynomial for a successful decryption.

3.4.5. Decrypt

The decryption algorithm takes as input the final secret key and ciphertext and outputs the plaintext message . The construction of the decryption algorithm is the same as the one in [8].

3.4.6. Partial Key Pair Update

If the secret attributes of a CPS entity are changed, then all the keys need to be updated. The key update procedure will start by regenerating the partial public/secret key pair. In the partial key pair update procedure, Algorithm 4 is executed. It takes the updated set of secret attributes as input and generates a new partial key pair for the CPS device. Subsequently, the final public and secret keys are also regenerated.

1: Input: Secret set.
2: Output: New partial key pair .
3: Increment the counter for revoked keys.
4: If the attributes are the same, the previous computations over attributes are considered.
5: Else, perform calculations for attributes from to .
6: Map attribute in to using Equation (1) and compute secret number .
        
7: Next, compute using Equation (3).
8: Next, compute public key component for attribute using Equation (4).
3.4.7. Final Key Update

If the shared attributes of a CPS device are updated, then the final public and secret keys need to be regenerated. In this case, Algorithms 5 and 6 are executed to generate the new final public and secret keys of the Fog-CPS entities. These algorithms take the updated set of shared attributes as input and generate the new final public and secret keys of the CPS device.

1: Input: Shared attribute set.
2: Output: New final public key .
3: If the attributes are the same, the previous computations over attributes are considered.
4: Else, perform calculations for attributes from to .
5: Map attribute in shared set to . Apply hash function and compute using Equation (5). Then, compute :
      
6: Next, compute final public key component , for attribute using Equation (7).
1: Input: Shared attribute set.
2: Output: New final secret key .
3: If the attributes are the same, the previous computations over attributes are considered.
4: Else, perform calculations for attributes from to .
5: Compute secret number using Equation (8).
6: Next, compute :
      
where polynomial has been computed over attributes in Equation (9).
7: Pick two random numbers and then compute using Equation (10).
8: Next, compute secret key component using Equation (11).
1: Input:, , and .
2: Output:.
3: Create a random number and compute
            
where is a key derivation function which takes the new elliptic curve point and generates a secret key .
4: Let be the access policy string. Compute the corresponding degree at most polynomial function in as
      
Let denote the coefficient of in the polynomial .
5: Choose two one-way collision resistance hash functions, and , defined as:
            
where is the length of a random string, is the length of message , is a binary string of arbitrary length, and is a binary string of length . The length of the hash value is the same as the length of a random string , and similarly, the hash value will be the same size as the message .
6: Next, the which consists of three components , , and is computed. is a point on the elliptic curve which is computed from the polynomial and components in corresponding to attributes in . is computed as follows:
     
     
Next, is computed by a XOR operation on and computed in Step 3.
            
Lastly, is computed by a XOR operation on and message .
            
3.4.8. KeyRevoke

Similar to existing ABE schemes, the keys are revoked by the CA but in our application scenario FA. However, the keys can also be revoked due to the malicious behaviour of CPS devices. Three cases for key revocation have been identified: (1)Legitimate revoke: in the first case, both key pairs can be revoked due to a system update, expiration date, and scheduled maintenance of the Fog-CPS system.(2)Malicious activity: in the second case, the key revocation may take place due to the malicious behaviour which might be observed and/or reported by FA, fog nodes, and CPS devices. Two cases of malicious activity are considered below: (a)Malicious FA: the compromise of partial key pair would not trigger key revocation.(b)Malicious CPS devices: the compromise of a CPS device would trigger revocation of the partial key pair. For example, if the secret key is compromised or leaked, then again keys should be revoked and regenerated.(3)Attribute update: in the third case, the change in the attribute set can trigger a key revocation.

In key revocation, FA revokes the existing partial key pair and generates new keys in the first two cases, i.e., legitimate revoke and malicious activity. In the third case, the keys are regenerated as discussed in Sections 3.4.6 and 3.4.7. As the generation of final public and secret key is dependent upon the partial key pair generated over secret attributes, so the revocation of partial key pair requires the revocation of final public and secret keys. As a result, Algorithms 46 are designed. The proposed key update algorithms are lightweight as each revocation only incurs the overhead of one extra key component. In each subsequent key update, the attribute counter is incremented by one.

3.4.9. Correctness

The correctness of the Fog-CPS security scheme is based on the following property. For a given pair of final keys and generated from Encrypt, the decryption algorithm Decrypt will output the correct , if ; otherwise, the decryption will fail.

3.5. Fog-CPS Security Scheme Application Scenario

The proposed scheme can be applied to any Fog-CPS scenario. To demonstrate it, a case in a fog-enabled smart grid power control (Fog-SGC) system is considered wherein a smart home device reports meter data to a neighbouring area network (NAN) device. Figure 2 illustrates the communication between smart home device, NAN device, and FA. The interaction between all other entities in a Fog-SGC system would be similar as between smart home and NAN devices. Initially, all entities, namely, smart meters and fog nodes, register with FA based on their secret attribute sets . The FA executes Algorithm 1 to generate their partial key pair. Subsequently, the FA publishes the public key and securely transmits the secret key to the device.

After registration with FA, the smart home device sends a data store request to the NAN device. Upon receiving the request, the NAN device asks for a set of shared attributes . Subsequently, the smart home device generates the final public key of the NAN device by executing Algorithm 2. Next, the NAN device executes Algorithm 3 to generate the final secret key corresponding to the shared attribute set. Then, the smart home device encrypts using the final public key of the NAN device and signs the shared attributes using its secret key . Subsequently, the smart home device sends and signature to the NAN device. Following this, the NAN device verifies the and decrypts the . Upon successful decryption, it gets an assurance that the smart home device possesses the required attributes and stores .

4. Theoretical Security Analysis and Evaluation

As mentioned in the previous sections, in the proposed Fog-CPS security scheme, each entity possesses two key pairs, namely, partial and secret. So keeping that in view, the security of the proposed scheme is carefully analyzed to ensure security against the following attacks: (i)Computing the final secret key from the partial secret key (ii)Computing the partial/final secret keys from the partial/final public keys(iii)Computing the final secret key from multiple ciphertexts (i.e., chosen ciphertext attack)

The Fog-CPS scheme is secure against the abovementioned attacks due to the -Diffie-Hellman Inversion (q-DHI) problem [13], elliptic curve discrete logarithm problem (ECDLP), and the robustness of the hash functions.

Additionally, the robustness of the proposed scheme is based on two fundamental security notions of encryption schemes, namely, indistinguishability of messages and the collision resistance against secret keys. Message indistinguishability is an important security property of many encryption schemes. Given the ciphertext and the encryption key, the adversary cannot tell apart two same-length but different messages encrypted under the scheme, even if he chose the messages himself. With collision resistance, the attackers cannot pool their secret key components corresponding to a set of attributes to generate a new key which otherwise cannot be generated from their own attributes. Before presenting the security analysis against the abovementioned attacks, the notion of collision resistance as presumed in this scheme is discussed.

4.1. Collision Resistance against Secret Keys

The proposed scheme does not follow the same conventional attribute sharing as the existing ABE schemes. Attributes are only shared between two CPS devices and the FA node. So, the collision attack as presumed in existing schemes does not apply in this case. In other words, the pooling of attributes and secret key components (i.e., the collision attack) from several adversaries who do not share the attributes would not benefit in generating the secret keys. Precisely, for the security of the proposed scheme, the definition of collision resistance is modified.

In this case, it is essential to prevent a device from generating the final secret key of another device.

Theorem 1. It can be shown by a reduction that the computational problem in the proposed scheme is at least as hard as the discrete logarithm problem (DLP).

Proof. Assume is an algorithm that efficiently solves our problem. We can use to compute the discrete logarithm of an element to the base as follows: (i)Invoke on input and (ii) will return will return , and such that and modulo (iii)Now we can compute a number such that (this can be done efficiently using the extended Euclidean algorithm because is prime and therefore and are coprime)(iv)Then, (v)Hence, is the discrete logarithm of to the base (vi)Note that the discrete logarithm problem is at least as hard as our problem since if you can compute discrete logarithms to some base , you can and for given and such that and modulo . Hence, the two problems are equally hard under the assumption that is of order .

4.2. Key Generation Analysis

In this section, the difficulty of deriving the partial/final secret keys from their respective public keys and final secret key derivation from multiple ciphertexts and partial secret key is analyzed. Additionally, the computational difficulty of guessing the attributes and subsequently generating the secret keys is also discussed.

4.2.1. Partial/Final Secret Key Guessing

The partial and final secret keys in Algorithms 1 and 3 are generated based on the secret and shared attributes which are mapped to . The success probability of guessing an attribute is equivalent to the complexity of hashing algorithm , i.e., (birthday paradox). For the partial secret key , the adversary should guess all attributes in set and the secret random number . The secret numbers which are used in partial key pair generation cannot be derived by collision attack due to its complexity. To be precise, the computational complexity is of the order of number of attributes for hash function and random guessing. This also applies to final public and secret key generation algorithms whereby the shared attributes are hashed and subsequently used in key generation. Additionally, the assumption that each entity possesses a unique set of secret and shared attributes with no overlap with the attribute set of other entities makes attribute guessing more difficult.

4.2.2. Partial/Final Secret Key Generation

The partial secret key of a CPS device cannot be guessed due to the difficulty of deriving the secret key components and in Algorithm 1. So, in order to generate/guess the final secret key, the adversary needs to know the secret key , shared attribute set , and three secret numbers . is computed from the secret components and in algorithm 3.4.2 whereas are random numbers. The secret component can only be computed and/or known if both the FA node and the CPS device are compromised. The compromised device can leak the shared attribute set and the final secret key .

Theorem 2. The proposed scheme is secure against an adversary with knowledge of the shared attribute set for deriving the final secret key by collision attack.

Proof. Having the knowledge of is not enough for generating the , where From Equation (10) in Algorithm 3, where and are random numbers. The condition in Equation (24) only holds if and are known, and subsequently, the values of can be computed. All these values can then be used to solve Equation (23). Another solution to Equation (23) is to correctly guess the random numbers and compute . The difficulty of computing is already explained in preceding paragraphs. Hence, generating without knowing secret components , , and is computationally infeasible for an adversary.

4.2.3. Computing the Secret Keys from Public Keys

It is underlined that the secret keys, either partial or final, cannot be computed from their respective public keys due to the intractability of the elliptic curve discrete logarithm problem (ECDLP). Given two points , the ECDLP problem is to find an integer , if it exists, such that . Following the same notion, the problem is to compute partial/final secret keys from public keys . Like in case of , given the for all attributes in , the problem is to compute from its corresponding public key component. The ECDLP problem has to be solved for all attributes in a given attribute set. The same applies to the final secret key generation from . For the , ECDLP is to compute from given and . To be precise, due to the intractability of ECDLP, it is not feasible to compute secret keys from public keys.

4.2.4. Computing the Decryption Key from Ciphertext

Additionally, the proposed scheme is secure against an adversary for deriving the decryption key from the ciphertext .

Theorem 3. Given the ciphertext , it is hard to compute decryption key .

Proof. A ciphertext corresponding to the access policy consists of the following parameters:

Since , it is hard to compute using due to the difficulty of solving the elliptic curve discrete logarithm problem. Given , , this problem can be reduced to the problem as follows. Let . The parameters are then rewritten as , . This implies that if an adversary has the ability to solve the problem, he/she can compute the key and then successfully decrypt the ciphertext . The following theorem proves that solving the problem is as hard as the problem.

Remark 1. From the above discussion, the proposed scheme is collision resistant against secret keys. As a result, computing the key from a ciphertext corresponding to the access policy without a valid user secret key is as hard as the problem. This implies that given , where , the problem reduces to the problem and then decides whether is equal to or a random element in . But as the problem is hard to solve, so would be . Hence, an adversary cannot derive from .

4.3. Network Devices Compromise Analysis

Having discussed the difficulty of generating and/or guessing the secret keys, the impact of the compromise of Fog-CPS entities on the proposed security scheme is discussed.

4.3.1. Compromise of FA

The compromise of FA can have drastic impact on the security of the Fog-CPS system. A compromised FA can reveal the partial secret keys of Fog-CPS entities. An adversary in possession of a partial secret key and the shared attribute set can generate the corresponding final secret key . After having generated the final secret key, the adversary can also change the attributes agreed with FA and subsequently further compromise the network. However, if the adversary is not aware of the shared attribute set, then it cannot generate the final secret key. Moreover, the actual encryption and decryption is performed using final public and secret keys meaning that the communication between the CPS devices is still secure.

4.3.2. Compromise of CPS Device and Fog Nodes (Leakage of Final Secret Key)

The compromise of CPS devices and fog nodes will only leak their own secret keys. The compromise of one set of secret keys does not risk the messages encrypted under different shared attributes therefore keys. Henceforth, legitimate CPS devices can still communicate securely.

5. Experimental Evaluation

To evaluate the performance of the proposed scheme, its algorithmic efficiency in terms of processing time and memory complexity is measured.

5.1. System Configurations

For benchmarking the time complexity, two sets of experiments are conducted to demonstrate the effectiveness of the proposed scheme on both resource-limited CPS devices and resourceful fog nodes. In the first experiment, the scheme is evaluated on a Raspberry Pi 3B+ model (CPS devices). It has a Quad Core 1.2 GHz, 64-bit CPU, 1 GB of RAM, a wireless LAN and Bluetooth Low Energy (BLE) on board, 100 Base Ethernet, 40-pin extended GPIO, 4 USB ports, HDMI, and micro SD port. In the second experiment, it is executed on a virtual machine running Ubuntu R16.04 with Python 3.6.4. on Intel (R) Core(TM) i5-4310U CPU@2.000 GHz with 8.0 GB RAM (fog nodes).

5.2. Implementation and Evaluation

The Fog-CPS scheme is compared with five other ABE schemes in Guo et al. [6], Odelu and Das [8], Cheng et al. [12], Yamada et al. [14], and Zhou et al. [9] using the Charm crypto library [15]. All security schemes, including this, are based on a selective security model. It is noted that the proposed scheme is not based on bilinear elliptic curves and can be implemented on any elliptic curve. However, in order to compare the scheme with existing ABE schemes which are based on bilinear maps, it is implemented on bilinear curves, i.e., MNT159 and SS512. On other curves, namely, prime192v1 and secp224r1, the memory overhead would be less. The proposed scheme and two others in Guo et al. [6] and Odelu and Das [8] are tested on a non-super-singular asymmetric bilinear curve (i.e., MNT159), whilst three of the schemes [9, 12, 14] have been tested on the super-singular SS512 curve. Both SS512 and MNT159 curves provide 80-bit security.

5.3. Timing Results

The execution times of all algorithms are benchmarked to compare the efficiency of different schemes. In the existing schemes in Guo et al. [6], Odelu and Das [8], Cheng et al. [12], Yamada et al. [14], and Zhou et al. [9], the Setup and KeyGen algorithms are separate. But, since there is no Setup in the Fog-CPS scheme, the execution time of both these algorithms is added and compared with the timing of the final public and secret key generation. To be precise, the final key pair generation timing of this scheme is the sum of the execution times of Algorithms 2 and 3.

For Setup and KeyGen, three different sizes of attribute universe and user attribute sets are considered. To be precise, an attribute universe of 10, 20, and 30 attributes has been implemented for measuring the timing of the Setup algorithm. Likewise, for the secret key generation, a user attribute set of 5, 15, and 25 attributes is taken into consideration.

Additionally, the encryption and decryption algorithms are also implemented to demonstrate that they are more efficient than the ones in Odelu and Das [8] because this scheme uses lesser elliptic curve group elements. Another reason to implement the encryption and decryption algorithms was to measure their execution timings on the Raspberry Pi, i.e., CPS devices. Henceforth, two types of benchmarks are set for measuring the times for encryption and decryption: (1) 1 kilobyte (1 kB) and (2) 1 megabyte (1 MB). These two low size messages are used because CPS devices and cloud requests are usually transmitted in low size messages. Furthermore, in the encryption algorithm, an access policy of constant size, i.e., 5 attributes, is considered. For the key update, there are two cases with an increment and decrement of one attribute, i.e., . However, in our experimental evaluation, the execution time for key update is recorded in case of attributes only.

Tables 35 list the processing times of all algorithms for the first and second experiments for attribute of 10, 20, and 30, respectively. Additionally, graphs (see Figures 310) are also plotted for the results of the first experiment.


SchemesSetup+KeyGen (final KeyGen)Encrypt (1 kB)Decrypt (1 kB)Encrypt (1 MB)Decrypt (1 MB)

First experiment
Guo et al. [6]0.270.150.59175.09696.16
Odelu and Das [8]0.180.300.08326.791.9
Cheng et al. [12]0.360.180.31212.3367.5
Yamada et al. [14]0.631.541.831547.51838.3
Zhou et al. [9]0.130.120.94153.21118.5
Fog-CPS scheme0.020.200.035252.243.11

Second experiment
Guo et al. [6]0.0340.020.0524.2162.65
Odelu and Das [8]0.030.090.0296.7127.28
Cheng et al. [12]0.050.030.0234.8932.58
Yamada et al. [14]0.230.560.26564.66288.43
Zhou et al. [9]0.050.200.1220.21119.75
Fog-CPS scheme0.0080.060.0165.2911.14


SchemesSetup+KeyGen (final KeyGen)Encrypt (1 kB)Decrypt (1 kB)Encrypt (1 MB)Decrypt (1 MB)

First experiment
Guo et al. [6]0.320.150.62184.29740.01
Odelu and Das [8]0.360.310.08377.4105.8
Cheng et al. [12]0.680.240.37275.4416.5
Yamada et al. [14]1.161.551.841595.21822.3
Zhou et al. [9]0.190.120.94153.91123.7
Fog-CPS scheme0.060.240.04253.243.28

Second experiment
Guo et al. [6]0.0340.020.0524.4963.09
Odelu and Das [8]0.050.090.0299.2127.87
Cheng et al. [12]0.090.040.0336.8534.88
Yamada et al. [14]0.410.880.38911.76383.99
Zhou et al. [9]0.080.020.1120.18119.57
Fog-CPS scheme0.0170.060.01165.4711.26


SchemesSetup+KeyGen (final KeyGen)Encrypt (1 kB)Decrypt (1 kB)Encrypt (1 MB)Decrypt (1 MB)

First experiment
Guo et al. [6]0.370.160.68186.78740.01
Odelu and Das [8]0.520.320.09375.0105.61
Cheng et al. [12]1.00.310.42361.21515.24
Yamada et al. [14]1.691.551.841533.41838.8
Zhou et al. [9]0.310.151.10154.21128.2
Fog-CPS scheme0.100.240.04253.743.28

Second experiment
Guo et al. [6]0.0450.020.0524.4963.09
Odelu and Das [8]0.070.080.0297.6427.97
Cheng et al. [12]0.110.040.0339.8436.10
Yamada et al. [14]0.621.380.591330.16580.92
Zhou et al. [9]0.100.020.1120.18119.57
Fog-CPS scheme0.0270.060.0165.7612.92

5.3.1. First Experiment

In this experiment, our implementations are carried out on the Raspberry Pi 3B+ model. Timing results are shown in Figures 310. From Figure 3, it can be observed that the Fog-CPS scheme takes 0.02 sec for the final key pair generation over 10 attributes, 0.06 sec over 20 attributes, and 0.10 sec over 30 attributes. Additionally, Figure 4 shows the partial key pair generation timings and Figures 5 and 6 show the final and partial key pair update timings of the Fog-CPS scheme. It can be observed that key pair update timings of this scheme are negligible due to the lightweight and efficient process. Figures 7 and 8 show the timings of encryption; this scheme takes 0.20 and 252.3 sec to encrypt a message of 1 kB and 1 MB, respectively. Similarly, for decrypting a ciphertext of 1 kB and 1 MB, it takes 0.03 sec and 43.1 sec as shown in Figures 9 and 10, respectively.

5.3.2. Second Experiment

In the second experiment, the implementations are executed on a desktop computer (configurations are mentioned in Section 5.1). Tables 35 list the timing results of the final key pair generation, encryption, decryption, and key pair updates. Overall, it is observed that benchmarks recorded on the Raspberry Pi 3B+ model are slower than on the desktop computer. Comparing the timings of both experiments in Table 3, it is noted that the proposed scheme is slower on the Raspberry Pi. But it is still the fastest compared to the rest of the schemes as it only takes 0.008, 0.017, and 0.02 seconds for an attribute universe of 10, 20, and 30 attributes, respectively.

Analyzing the processing times for encryption of 1 kB and 1 MB messages, it can be observed that the encryption timing of the schemes by Zhou et al. [9] and Yamada et al. [14] is almost equal and they are faster than rest of the schemes, followed by the scheme of Cheng et al. [12].

The Fog-CPS scheme is three times slower whereas the scheme by Odelu and Das [8] is four times slower than the schemes by Zhou et al. [9] and Guo et al. [6]. Likewise, the Fog-CPS security scheme is 10 times faster than the scheme by Yamada et al. [14] which is the slowest of all schemes. Comparing the timings of encryption and decryption, it is observed that in the case of encryption, the proposed scheme is a bit slower than three of the other schemes. However, in decryption, this scheme is the fastest of all; it takes only 0.01 seconds for encryption of the 1 kB message. Following the same trend as in encryption, the scheme by Yamada et al. [14] is the slowest of all the other schemes in decryption as well. Furthermore, it can be observed that for decryption of the 1 kB message, the execution time of the scheme by Odelu and Das [8] is almost equal to that by Cheng et al. [12].

5.4. Memory Overhead

Table 6 shows the calculation of the memory overhead of each scheme. In the MNT159 curve, one group element in and takes bits whereas one group element in takes bits. Likewise, in the SS512 curve, one group element in takes bits whereas one group element in takes bits.


SchemesSetupKeyGenEncryptDecryptKey updateBytes

Fog-CPS scheme1340
Odelu and Das [8]N/A1760
Guo et al. [6]
N/A1636
Zhou et al. [9]
N/A9876
Yamada et al. [14]
N/A6292
Cheng et al. [12]
N/A6932

Note: and : prime order pairing groups (160 bits); exp: exponent operation; : pairing operation; and : no. of attributes in secret key and access policy; : elliptic curve group defined over finite field ; : order of the base point (160 bits in ); : length of plaintext message .

The column Bytes represents the total number of bytes required in all algorithms (i.e., Setup, KeyGen, Encrypt, Decrypt, and KeyRevoke) for an attribute universe of 10 and an access policy of 5 attributes. In the case of the proposed scheme, the memory overhead of one partial and final key pair generation and one key update in both cases is also considered when calculating the number of bytes required by each algorithm.

The proposed Fog-CPS scheme is lightweight than the Odelu and Das [8] scheme as it requires fewer elliptic curve group elements. Our scheme requires elements in for generation of both partial and final public keys whereas the scheme by Odelu and Das [8] requires elements for the public key. Likewise, for partial and final secret keys, our scheme requires only two secret elements in the finite field , whereas the scheme by Odelu and Das [8] requires three. The length of in our scheme is group elements whereas in the scheme by Odelu and Das [8].

As can be seen in Table 6, the Fog-CPS scheme has the lowest memory overhead, i.e., 1340 bytes followed by the Guo et al. [6] and Odelu and Das [8] schemes which take 1636 and 1760 bytes, respectively. The Zhou et al. [9] scheme incurs the highest overhead of 9876 bytes. It is noted that for the proposed scheme, the memory overhead of one final public and secret key over a shared attribute set has also been considered. Moreover, for the Setup and KeyGen algorithms, i.e., partial key pair generation in this case, the Fog-CPS scheme has the lowest overhead compared to all other schemes. The final secret key in the proposed scheme only requires one element of the order of base point on the elliptic curve .

In the Guo et al. [6] scheme, there are elements in and one in for , two elements in for , and elements in for . In the Zhou et al. [9] scheme, there are and group elements in and , respectively, whereas has 2 group elements in and one in . The in the Cheng et al. [12] scheme has elements in and two in ; the has elements in , whereas the has 2 elements in and one in . In the Yamada et al. [14] scheme, contains 6 elements in and one in , contains elements in , and contains in . The Zhou et al. [9] scheme has the highest memory overhead followed by the Cheng et al. [12] and Yamada et al. [14] schemes. Both the Zhou et al. [9] and Cheng et al. [12] schemes have constant size ciphertexts which only require 2 group elements in and one element in . The in the Fog-CPS scheme and the Guo et al. [6] scheme have almost the same number of elements. In the key update Algorithms 46, this scheme only requires 2 elements in and 2 elements of the order of base point on the elliptic curve .

5.5. Computational Overhead

The computational overhead of all schemes is summarized in Table 7. The column Total operations represents the total number of operations by considering all algorithms, i.e., Setup, KeyGen, Encrypt, and Decrypt. In the proposed scheme, the computational overhead of one partial and final key pair generation and update are also considered. From Table 7, it is observed that the Fog-CPS scheme introduces the lowest computational overhead than all other schemes which are based on bilinear maps and elliptic curves.


SchemesSetupKeyGenEncryptDecryptKeyRevokeTotal operations

Fog-CPS schemeN/A
Odelu and Das [8]N/AN/A
Guo et al. [6]N/A
Zhou et al. [9]