Abstract
In this paper, a lightweight attributebased security scheme based on elliptic curve cryptography (ECC) is proposed for fogenabled cyber physical systems (FogCPS). A novel aspect of the proposed scheme is that the communication between FogCPS entities is secure even when the certification authority (CA) is compromised. This is achieved by dividing the attributes into two sets, namely, secret and shared, and subsequently generating two key pairs, referred to as the partial and final key pairs, for each entity of the FogCPS system. Unlike existing attributebased encryption (ABE) and identitybased encryption schemes, in the proposed scheme, each entity calculates the final public key of the communicating CPS devices without the need of generating and transmitting digital certificates. Moreover, the proposed security scheme considers an efficient and secure key pair update approach in which the calculation overhead is limited to one group element. To show the effectiveness of the proposed scheme, we have calculated and compared the memory and processing complexity with other bilinear and elliptic curve schemes. We have also implemented our scheme in a Raspberry Pi (3B+ model) for CPS simulations. The proposed scheme guarantees the confidentiality, integrity, privacy, and authenticity in FogCPS systems.
1. Introduction
Fog computing can improve the monitoring and management of nextgeneration cyber physical systems (CPS). A general fogenabled cyber physical system (FogCPS) as shown in Figure 1 consists of three layers, namely, the CPS device, fog, and cloud. FogCPS systems are vulnerable to numerous security, privacy, and trust challenges. With regard to security, different attacks, namely, interception, interruption, modification, fabrication, unauthorized authentication, and access, can be carried out to disrupt the communication between FogCPS entities. The abovementioned challenges could be addressed by employing lightweight cryptographic techniques. However, the existing solutions have a number of limitations. Firstly, in public key encryption (PKE) schemes, the generation, verification, and distribution of certificates incur extra computation and communication overhead which is not desirable for resourcelimited CPS devices. Secondly, in attributebased encryption (ABE) schemes, there is a certification authority (CA) which generates the secret keys based on a set of attributes. However, the compromise of CA can endanger the secret keys and therefore the secrecy of encrypted messages. Thirdly, the existing ABE schemes which are based on bilinear pairing require large security parameters and therefore are not suitable for resourceconstrained CPS devices.
Considering the limitations of existing solutions, in this paper, a lightweight security scheme is proposed. The proposed scheme guarantees that the communication between entities is secure in cases where the CA might be compromised.
1.1. Motivation
The motivation for designing such a solution comes from the identitybased encryption (IBE) and ABE schemes as it is believed that inherent attributes of CPS devices can be used for identification, authentication, and access control. From here onwards, the proposed scheme is called as FogCPS.
Moreover, in the proposed scheme, the CA (i.e., FA in this case) cannot decrypt the messages exchanged among CPS devices, thus maintaining their privacy. This is achieved by dividing the attribute set into two subsets, a secret and a shared attribute subset. Precisely, each entity in a FogCPS system will have two key pairs, namely, a “partial key pair” and a “final key pair” generated from secret and shared attribute sets, respectively. The secret attributes are only known to FA which registers the entities and generates the partial key pair. The registration of CPS entities with FA ensures that published public keys are authentic and do not require any further verification.
However, as the secret attributes are only known to FA; the other collaborating CPS devices cannot verify them. To address this problem, a notion of “shared” attributes is introduced. The shared attributes are known to collaborating FogCPS entities which generate the final public and secret keys. The encryption and decryption would take place using final public and secret keys. Such an approach is advantageous for two reasons: (1) the secret attributes are only shared with the FA and the leakage of partial secret keys would not risk the communication of collaborating entities and (2) the scheme is scalable because the final public keys are generated by the collaborating devices themselves without the aid of FA. Any device can generate the final public keys of other devices.
Furthermore, upon key update, the key regeneration process is lightweight, since the key generation process as found in Algorithms 1–3 is not repeated.



1.2. Contributions
The contributions of this paper are enumerated below: (1)First, a lightweight attributebased security scheme is proposed for FogCPS systems(2)Second, the FogCPS scheme considers an efficient and secure key pair update approach in which the calculation overhead is limited to one group element(3)Third, the proposed scheme is compared with other schemes based on bilinear pairing and elliptic curves by calculating its memory and processing overhead(4)Fourth, the proposed scheme is implemented on a resourcelimited Raspberry Pi (3B+ model) for CPS simulations.
The remaining parts of this paper are organized as follows: the related work is discussed in Section 2. The proposed scheme is presented in Section 3. Next, the experimental results are presented in Section 4. The conclusion and future work are discussed in Section 5.
2. Related Work
To secure the communication in CPS systems, the literature adopts a hybrid approach in which both symmetric (AESbased) and asymmetric (RSAbased and ABE) encryption techniques are used. AES (Advanced Encryption Standard) is used to encrypt the communication between sensor nodes and the gateway, whereas the asymmetric schemes are used to encrypt the communication between the gateway and the service provider.
Recently, Mahmood et al. [1] propose an authentication scheme for a smart grid. The scheme has a few limitations: (1) the scalability in case of largescale CPS systems with hundreds of nodes and (2) the inconsideration of access control mechanism. In a smart grid system, there are several heterogeneous devices at different layers, so including access control mechanisms is crucial. Kocabas et al. [2] present a medical cloudassisted CPS architecture consisting of acquisition, preprocessing, cloud, and action layers. The study proposes an AES (Advanced Encryption Standard) symmetric key encryption scheme for communication between the acquisition and preprocessing layers. The main disadvantage of [2] is the key management of symmetric keys in such a complex environment with hundreds of CPS devices. Shuo et al. [3] propose a distributed authentication framework for the multidomain M2M environment. The proposed framework employs a hybrid encryption scheme involving IBE and AES symmetric encryption.
Sravani et al. [4] present a signaturebased authenticated key establishment scheme for IoT applications. Hu et al. [5] propose a communication architecture for Body Area Networks (BANs) and design a scheme to secure the data communication between wearable sensors and data consumers (doctors and nurses). They propose the CPABE and signaturebased schemes to store the encrypted data at the data sink. Guo et al. [6] propose a CPABE scheme with constantsize decryption keys. Chen et al. [7] propose fully secure KPABE and CPABE with constantsize ciphertexts and a fully secure ABS with constantsize signatures. Odelu and Das [8] propose a lightweight and constantsize secret key ABE scheme based on ECC. However, key update/revocation and key generation are some of the limitations of the scheme in [8].
A major limitation of the existing ABE schemes [5, 7, 9, 10, 11, 12] is the complexity; these schemes require large security parameters (i.e., 1024 or 2048bit size). Besides that, in the above cited ABE schemes, CA generates and distributes the secret keys. Nonetheless, sharing of private attributes with CA can risk the privacy, since the CA can also decrypt messages and retrieve CPS system data. Moreover, the compromise of CA can also risk the secrecy of communication between the sender and receiver. Additionally, some studies propose symmetric key schemes for resourceconstrained devices. However, in largescale FogCPS systems, the symmetric key management process becomes very complicated and complex. Symmetric schemes require a separate protocol for session key agreement and generation. Furthermore, when the shortsize data is encrypted with a symmetric key, then the information which is revealed about the key may be critical for ciphertextonly attack.
Henceforth, it is believed a lightweight encryption scheme based on ECC wherein the CA only generates the partial key pair is the appropriate choice. ECCbased schemes require smaller security parameters (i.e., 128 or 256 bits) and therefore can be implemented in resourcelimited CPS devices.
3. Proposed FogCPS Security Scheme
In this section, the proposed FogCPS scheme is presented. Table 1 lists the notations used throughout the paper.
3.1. Preliminaries
In this section, the attributes, access structures, and the computational hard problems are discussed.
3.1.1. Secret and Shared Attribute Sets
All CPS devices and fog nodes possess a set of attributes. Let be the attribute set of each CPS device consisting of both secret and shared attributes. As an example, a few attributes for both sets are listed in Table 2.
3.1.2. Access Structure
The attribute string of a device is presented with an bit string . To further elaborate the attribute string, the example of shared attribute set is considered. The attribute string is defined as follows: and . For example, if and 4 attributes are considered for final key pair generation, then ; the 5bit string becomes 11011. Likewise, an access policy is defined by and specified with attributes in the shared attribute set . The access policy is also represented with bit string where , for , and , for . If the access policy is defined on attributes , then the policy string is . Additionally, the proposed scheme is based on the ANDgate access control structure. The attribute set fulfills the access policy , if and only if and , for all .
3.1.3. Computational Hard Problems
The security of the FogCPS scheme is based on the computational problems described below.
(1) qGeneralized DiffieHellman (qGDH) Assumption [13]. Given in and all the subset products for any strict subset , it is hard to compute , where is a base point in . Since the number of subset products (elliptic curve scalar point multiplications) is exponential in , access to all these subset products is provided through an oracle. For a vector , define to be an oracle that for any strict subset responds with .
Definition 1 (GDH assumption). The assumption is satisfied in , if for all time algorithms , the advantage , where and for any sufficiently small .
(2) qDiffieHellman Inversion (qDHI) Problem [13]. Given a tuple , the problem is to compute where .
Definition 2 (DHI assumption). satisfies the DHI assumption, if for all time algorithms , the advantage becomes for any sufficiently small , where the probability is over the random choice of in and the random bits of .
It can be shown by a reduction that our computational problem is at least as hard as the discrete logarithm problem (DLP).
3.2. Assumptions
The following assumptions are made regarding the FogCPS entities. (1)It is assumed that CPS devices, such as smart meter and home appliances, can be compromised and leak sensitive information(2)The FA, fog nodes, and cloud provider are honest but curious and might try to gather as much information (from CPS devices, users, social media, and external resources) as possible that can later be used to generate the profile of CPS devices/users. Such information can be used for targeted advertisement and spamming(3)All FogCPS entities will register with the FA using their secret attribute set and it would generate their partial key pair(4)The CPS entities and fog nodes generate the final public keys of the collaborating devices(5)Access policies based on shared attributes are shared with CPS devices, FA, fog nodes, and cloud(6)It is assumed that the elliptic curve group parameters are preshared with entities
3.3. FogCPS Security Scheme Description
The proposed FogCPS security scheme has adopted the encryption and decryption algorithms of [8]. Furthermore, additional changes were made to the key generation algorithms of [8] as specified below: (1)The attributes in the FogCPS scheme are divided into two sets, i.e., a secret and a shared . Therefore, the key generation process is also distributed between the FA and FogCPS entities. Three algorithms, namely, partial key pair generation, final public KeyGen, and final secret KeyGen, are designed for the complete key generation process(2)The FogCPS security scheme uses two elliptic curve (EC) points for each attribute instead of three as in [8]. The use of two points per attribute reduces the processing and memory overhead and makes the FogCPS scheme efficient but also secure.(3)Efficient key update algorithms with limited additional overhead are introduced
3.4. FogCPS Security Scheme Construction
The FogCPS security scheme consists of eight algorithms out of which seven are presented here. As previously mentioned, the encryption and decryption algorithms are adopted from [8]. However, we made a few changes to the encryption algorithm, so it is also presented, but the description of the decryption algorithm is omitted.
3.4.1. Partial Key Pair Generation
The partial key pair generation algorithm is executed by the FA which registers the FogCPS entities based on a secret attribute set . Algorithm 1 takes as input the security parameter and a set of secret attributes . consists of a long string of 1 s (chosen finite field) and defines the length of the secret keys and messages. It outputs the partial public/secret key pair . Subsequently, the FA publishes the public key and sends the secret key to the CPS device. For initial communication, FogCPS entities can use the partial public keys. The partial public keys guarantee that FogCPS entities are legitimate and registered with FA.
3.4.2. Final Public KeyGen
The second pair of keys, namely, the final public and secret keys, is generated from the shared attribute set. The final public keys can be generated by any CPS device or fog node that shares a set of attributes with some other entity. Algorithm 2 generates the final public key of a CPS device. It takes as input the partial public key generated over the secret attribute set and the shared attribute set . It outputs the final public key .
3.4.3. Final Secret KeyGen
Algorithm 3 generates the final secret key of a CPS device. It takes as input the secret key generated over the secret attribute set and the shared attribute set . It outputs the final secret key .
3.4.4. Encrypt
The encryption algorithm takes as input the final public key , access policy , and a message . It outputs a ciphertext . Algorithm 7 presents the encryption procedure in detail.
Proposition 3. From Equations (9) and (18), a new polynomial can be calculated as It can easily be verified that is a polynomial function in , if and only if . The encryption algorithm and the secret key generation algorithms are designed in such a way that must be a polynomial for a successful decryption.
3.4.5. Decrypt
The decryption algorithm takes as input the final secret key and ciphertext and outputs the plaintext message . The construction of the decryption algorithm is the same as the one in [8].
3.4.6. Partial Key Pair Update
If the secret attributes of a CPS entity are changed, then all the keys need to be updated. The key update procedure will start by regenerating the partial public/secret key pair. In the partial key pair update procedure, Algorithm 4 is executed. It takes the updated set of secret attributes as input and generates a new partial key pair for the CPS device. Subsequently, the final public and secret keys are also regenerated.

3.4.7. Final Key Update
If the shared attributes of a CPS device are updated, then the final public and secret keys need to be regenerated. In this case, Algorithms 5 and 6 are executed to generate the new final public and secret keys of the FogCPS entities. These algorithms take the updated set of shared attributes as input and generate the new final public and secret keys of the CPS device.



3.4.8. KeyRevoke
Similar to existing ABE schemes, the keys are revoked by the CA but in our application scenario FA. However, the keys can also be revoked due to the malicious behaviour of CPS devices. Three cases for key revocation have been identified: (1)Legitimate revoke: in the first case, both key pairs can be revoked due to a system update, expiration date, and scheduled maintenance of the FogCPS system.(2)Malicious activity: in the second case, the key revocation may take place due to the malicious behaviour which might be observed and/or reported by FA, fog nodes, and CPS devices. Two cases of malicious activity are considered below: (a)Malicious FA: the compromise of partial key pair would not trigger key revocation.(b)Malicious CPS devices: the compromise of a CPS device would trigger revocation of the partial key pair. For example, if the secret key is compromised or leaked, then again keys should be revoked and regenerated.(3)Attribute update: in the third case, the change in the attribute set can trigger a key revocation.
In key revocation, FA revokes the existing partial key pair and generates new keys in the first two cases, i.e., legitimate revoke and malicious activity. In the third case, the keys are regenerated as discussed in Sections 3.4.6 and 3.4.7. As the generation of final public and secret key is dependent upon the partial key pair generated over secret attributes, so the revocation of partial key pair requires the revocation of final public and secret keys. As a result, Algorithms 4–6 are designed. The proposed key update algorithms are lightweight as each revocation only incurs the overhead of one extra key component. In each subsequent key update, the attribute counter is incremented by one.
3.4.9. Correctness
The correctness of the FogCPS security scheme is based on the following property. For a given pair of final keys and generated from Encrypt, the decryption algorithm Decrypt will output the correct , if ; otherwise, the decryption will fail.
3.5. FogCPS Security Scheme Application Scenario
The proposed scheme can be applied to any FogCPS scenario. To demonstrate it, a case in a fogenabled smart grid power control (FogSGC) system is considered wherein a smart home device reports meter data to a neighbouring area network (NAN) device. Figure 2 illustrates the communication between smart home device, NAN device, and FA. The interaction between all other entities in a FogSGC system would be similar as between smart home and NAN devices. Initially, all entities, namely, smart meters and fog nodes, register with FA based on their secret attribute sets . The FA executes Algorithm 1 to generate their partial key pair. Subsequently, the FA publishes the public key and securely transmits the secret key to the device.
After registration with FA, the smart home device sends a data store request to the NAN device. Upon receiving the request, the NAN device asks for a set of shared attributes . Subsequently, the smart home device generates the final public key of the NAN device by executing Algorithm 2. Next, the NAN device executes Algorithm 3 to generate the final secret key corresponding to the shared attribute set. Then, the smart home device encrypts using the final public key of the NAN device and signs the shared attributes using its secret key . Subsequently, the smart home device sends and signature to the NAN device. Following this, the NAN device verifies the and decrypts the . Upon successful decryption, it gets an assurance that the smart home device possesses the required attributes and stores .
4. Theoretical Security Analysis and Evaluation
As mentioned in the previous sections, in the proposed FogCPS security scheme, each entity possesses two key pairs, namely, partial and secret. So keeping that in view, the security of the proposed scheme is carefully analyzed to ensure security against the following attacks: (i)Computing the final secret key from the partial secret key (ii)Computing the partial/final secret keys from the partial/final public keys(iii)Computing the final secret key from multiple ciphertexts (i.e., chosen ciphertext attack)
The FogCPS scheme is secure against the abovementioned attacks due to the DiffieHellman Inversion (qDHI) problem [13], elliptic curve discrete logarithm problem (ECDLP), and the robustness of the hash functions.
Additionally, the robustness of the proposed scheme is based on two fundamental security notions of encryption schemes, namely, indistinguishability of messages and the collision resistance against secret keys. Message indistinguishability is an important security property of many encryption schemes. Given the ciphertext and the encryption key, the adversary cannot tell apart two samelength but different messages encrypted under the scheme, even if he chose the messages himself. With collision resistance, the attackers cannot pool their secret key components corresponding to a set of attributes to generate a new key which otherwise cannot be generated from their own attributes. Before presenting the security analysis against the abovementioned attacks, the notion of collision resistance as presumed in this scheme is discussed.
4.1. Collision Resistance against Secret Keys
The proposed scheme does not follow the same conventional attribute sharing as the existing ABE schemes. Attributes are only shared between two CPS devices and the FA node. So, the collision attack as presumed in existing schemes does not apply in this case. In other words, the pooling of attributes and secret key components (i.e., the collision attack) from several adversaries who do not share the attributes would not benefit in generating the secret keys. Precisely, for the security of the proposed scheme, the definition of collision resistance is modified.
In this case, it is essential to prevent a device from generating the final secret key of another device.
Theorem 1. It can be shown by a reduction that the computational problem in the proposed scheme is at least as hard as the discrete logarithm problem (DLP).
Proof. Assume is an algorithm that efficiently solves our problem. We can use to compute the discrete logarithm of an element to the base as follows: (i)Invoke on input and (ii) will return will return , and such that and modulo (iii)Now we can compute a number such that (this can be done efficiently using the extended Euclidean algorithm because is prime and therefore and are coprime)(iv)Then, (v)Hence, is the discrete logarithm of to the base (vi)Note that the discrete logarithm problem is at least as hard as our problem since if you can compute discrete logarithms to some base , you can and for given and such that and modulo . Hence, the two problems are equally hard under the assumption that is of order .
4.2. Key Generation Analysis
In this section, the difficulty of deriving the partial/final secret keys from their respective public keys and final secret key derivation from multiple ciphertexts and partial secret key is analyzed. Additionally, the computational difficulty of guessing the attributes and subsequently generating the secret keys is also discussed.
4.2.1. Partial/Final Secret Key Guessing
The partial and final secret keys in Algorithms 1 and 3 are generated based on the secret and shared attributes which are mapped to . The success probability of guessing an attribute is equivalent to the complexity of hashing algorithm , i.e., (birthday paradox). For the partial secret key , the adversary should guess all attributes in set and the secret random number . The secret numbers which are used in partial key pair generation cannot be derived by collision attack due to its complexity. To be precise, the computational complexity is of the order of number of attributes for hash function and random guessing. This also applies to final public and secret key generation algorithms whereby the shared attributes are hashed and subsequently used in key generation. Additionally, the assumption that each entity possesses a unique set of secret and shared attributes with no overlap with the attribute set of other entities makes attribute guessing more difficult.
4.2.2. Partial/Final Secret Key Generation
The partial secret key of a CPS device cannot be guessed due to the difficulty of deriving the secret key components and in Algorithm 1. So, in order to generate/guess the final secret key, the adversary needs to know the secret key , shared attribute set , and three secret numbers . is computed from the secret components and in algorithm 3.4.2 whereas are random numbers. The secret component can only be computed and/or known if both the FA node and the CPS device are compromised. The compromised device can leak the shared attribute set and the final secret key .
Theorem 2. The proposed scheme is secure against an adversary with knowledge of the shared attribute set for deriving the final secret key by collision attack.
Proof. Having the knowledge of is not enough for generating the , where From Equation (10) in Algorithm 3, where and are random numbers. The condition in Equation (24) only holds if and are known, and subsequently, the values of can be computed. All these values can then be used to solve Equation (23). Another solution to Equation (23) is to correctly guess the random numbers and compute . The difficulty of computing is already explained in preceding paragraphs. Hence, generating without knowing secret components , , and is computationally infeasible for an adversary.
4.2.3. Computing the Secret Keys from Public Keys
It is underlined that the secret keys, either partial or final, cannot be computed from their respective public keys due to the intractability of the elliptic curve discrete logarithm problem (ECDLP). Given two points , the ECDLP problem is to find an integer , if it exists, such that . Following the same notion, the problem is to compute partial/final secret keys from public keys . Like in case of , given the for all attributes in , the problem is to compute from its corresponding public key component. The ECDLP problem has to be solved for all attributes in a given attribute set. The same applies to the final secret key generation from . For the , ECDLP is to compute from given and . To be precise, due to the intractability of ECDLP, it is not feasible to compute secret keys from public keys.
4.2.4. Computing the Decryption Key from Ciphertext
Additionally, the proposed scheme is secure against an adversary for deriving the decryption key from the ciphertext .
Theorem 3. Given the ciphertext , it is hard to compute decryption key .
Proof. A ciphertext corresponding to the access policy consists of the following parameters:
Since , it is hard to compute using due to the difficulty of solving the elliptic curve discrete logarithm problem. Given , , this problem can be reduced to the problem as follows. Let . The parameters are then rewritten as , . This implies that if an adversary has the ability to solve the problem, he/she can compute the key and then successfully decrypt the ciphertext . The following theorem proves that solving the problem is as hard as the problem.
Remark 1. From the above discussion, the proposed scheme is collision resistant against secret keys. As a result, computing the key from a ciphertext corresponding to the access policy without a valid user secret key is as hard as the problem. This implies that given , where , the problem reduces to the problem and then decides whether is equal to or a random element in . But as the problem is hard to solve, so would be . Hence, an adversary cannot derive from .
4.3. Network Devices Compromise Analysis
Having discussed the difficulty of generating and/or guessing the secret keys, the impact of the compromise of FogCPS entities on the proposed security scheme is discussed.
4.3.1. Compromise of FA
The compromise of FA can have drastic impact on the security of the FogCPS system. A compromised FA can reveal the partial secret keys of FogCPS entities. An adversary in possession of a partial secret key and the shared attribute set can generate the corresponding final secret key . After having generated the final secret key, the adversary can also change the attributes agreed with FA and subsequently further compromise the network. However, if the adversary is not aware of the shared attribute set, then it cannot generate the final secret key. Moreover, the actual encryption and decryption is performed using final public and secret keys meaning that the communication between the CPS devices is still secure.
4.3.2. Compromise of CPS Device and Fog Nodes (Leakage of Final Secret Key)
The compromise of CPS devices and fog nodes will only leak their own secret keys. The compromise of one set of secret keys does not risk the messages encrypted under different shared attributes therefore keys. Henceforth, legitimate CPS devices can still communicate securely.
5. Experimental Evaluation
To evaluate the performance of the proposed scheme, its algorithmic efficiency in terms of processing time and memory complexity is measured.
5.1. System Configurations
For benchmarking the time complexity, two sets of experiments are conducted to demonstrate the effectiveness of the proposed scheme on both resourcelimited CPS devices and resourceful fog nodes. In the first experiment, the scheme is evaluated on a Raspberry Pi 3B+ model (CPS devices). It has a Quad Core 1.2 GHz, 64bit CPU, 1 GB of RAM, a wireless LAN and Bluetooth Low Energy (BLE) on board, 100 Base Ethernet, 40pin extended GPIO, 4 USB ports, HDMI, and micro SD port. In the second experiment, it is executed on a virtual machine running Ubuntu R16.04 with Python 3.6.4. on Intel (R) Core(TM) i54310U CPU@2.000 GHz with 8.0 GB RAM (fog nodes).
5.2. Implementation and Evaluation
The FogCPS scheme is compared with five other ABE schemes in Guo et al. [6], Odelu and Das [8], Cheng et al. [12], Yamada et al. [14], and Zhou et al. [9] using the Charm crypto library [15]. All security schemes, including this, are based on a selective security model. It is noted that the proposed scheme is not based on bilinear elliptic curves and can be implemented on any elliptic curve. However, in order to compare the scheme with existing ABE schemes which are based on bilinear maps, it is implemented on bilinear curves, i.e., MNT159 and SS512. On other curves, namely, prime192v1 and secp224r1, the memory overhead would be less. The proposed scheme and two others in Guo et al. [6] and Odelu and Das [8] are tested on a nonsupersingular asymmetric bilinear curve (i.e., MNT159), whilst three of the schemes [9, 12, 14] have been tested on the supersingular SS512 curve. Both SS512 and MNT159 curves provide 80bit security.
5.3. Timing Results
The execution times of all algorithms are benchmarked to compare the efficiency of different schemes. In the existing schemes in Guo et al. [6], Odelu and Das [8], Cheng et al. [12], Yamada et al. [14], and Zhou et al. [9], the Setup and KeyGen algorithms are separate. But, since there is no Setup in the FogCPS scheme, the execution time of both these algorithms is added and compared with the timing of the final public and secret key generation. To be precise, the final key pair generation timing of this scheme is the sum of the execution times of Algorithms 2 and 3.
For Setup and KeyGen, three different sizes of attribute universe and user attribute sets are considered. To be precise, an attribute universe of 10, 20, and 30 attributes has been implemented for measuring the timing of the Setup algorithm. Likewise, for the secret key generation, a user attribute set of 5, 15, and 25 attributes is taken into consideration.
Additionally, the encryption and decryption algorithms are also implemented to demonstrate that they are more efficient than the ones in Odelu and Das [8] because this scheme uses lesser elliptic curve group elements. Another reason to implement the encryption and decryption algorithms was to measure their execution timings on the Raspberry Pi, i.e., CPS devices. Henceforth, two types of benchmarks are set for measuring the times for encryption and decryption: (1) 1 kilobyte (1 kB) and (2) 1 megabyte (1 MB). These two low size messages are used because CPS devices and cloud requests are usually transmitted in low size messages. Furthermore, in the encryption algorithm, an access policy of constant size, i.e., 5 attributes, is considered. For the key update, there are two cases with an increment and decrement of one attribute, i.e., . However, in our experimental evaluation, the execution time for key update is recorded in case of attributes only.
Tables 3–5 list the processing times of all algorithms for the first and second experiments for attribute of 10, 20, and 30, respectively. Additionally, graphs (see Figures 3–10) are also plotted for the results of the first experiment.
5.3.1. First Experiment
In this experiment, our implementations are carried out on the Raspberry Pi 3B+ model. Timing results are shown in Figures 3–10. From Figure 3, it can be observed that the FogCPS scheme takes 0.02 sec for the final key pair generation over 10 attributes, 0.06 sec over 20 attributes, and 0.10 sec over 30 attributes. Additionally, Figure 4 shows the partial key pair generation timings and Figures 5 and 6 show the final and partial key pair update timings of the FogCPS scheme. It can be observed that key pair update timings of this scheme are negligible due to the lightweight and efficient process. Figures 7 and 8 show the timings of encryption; this scheme takes 0.20 and 252.3 sec to encrypt a message of 1 kB and 1 MB, respectively. Similarly, for decrypting a ciphertext of 1 kB and 1 MB, it takes 0.03 sec and 43.1 sec as shown in Figures 9 and 10, respectively.
5.3.2. Second Experiment
In the second experiment, the implementations are executed on a desktop computer (configurations are mentioned in Section 5.1). Tables 3–5 list the timing results of the final key pair generation, encryption, decryption, and key pair updates. Overall, it is observed that benchmarks recorded on the Raspberry Pi 3B+ model are slower than on the desktop computer. Comparing the timings of both experiments in Table 3, it is noted that the proposed scheme is slower on the Raspberry Pi. But it is still the fastest compared to the rest of the schemes as it only takes 0.008, 0.017, and 0.02 seconds for an attribute universe of 10, 20, and 30 attributes, respectively.
Analyzing the processing times for encryption of 1 kB and 1 MB messages, it can be observed that the encryption timing of the schemes by Zhou et al. [9] and Yamada et al. [14] is almost equal and they are faster than rest of the schemes, followed by the scheme of Cheng et al. [12].
The FogCPS scheme is three times slower whereas the scheme by Odelu and Das [8] is four times slower than the schemes by Zhou et al. [9] and Guo et al. [6]. Likewise, the FogCPS security scheme is 10 times faster than the scheme by Yamada et al. [14] which is the slowest of all schemes. Comparing the timings of encryption and decryption, it is observed that in the case of encryption, the proposed scheme is a bit slower than three of the other schemes. However, in decryption, this scheme is the fastest of all; it takes only 0.01 seconds for encryption of the 1 kB message. Following the same trend as in encryption, the scheme by Yamada et al. [14] is the slowest of all the other schemes in decryption as well. Furthermore, it can be observed that for decryption of the 1 kB message, the execution time of the scheme by Odelu and Das [8] is almost equal to that by Cheng et al. [12].
5.4. Memory Overhead
Table 6 shows the calculation of the memory overhead of each scheme. In the MNT159 curve, one group element in and takes bits whereas one group element in takes bits. Likewise, in the SS512 curve, one group element in takes bits whereas one group element in takes bits.
The column Bytes represents the total number of bytes required in all algorithms (i.e., Setup, KeyGen, Encrypt, Decrypt, and KeyRevoke) for an attribute universe of 10 and an access policy of 5 attributes. In the case of the proposed scheme, the memory overhead of one partial and final key pair generation and one key update in both cases is also considered when calculating the number of bytes required by each algorithm.
The proposed FogCPS scheme is lightweight than the Odelu and Das [8] scheme as it requires fewer elliptic curve group elements. Our scheme requires elements in for generation of both partial and final public keys whereas the scheme by Odelu and Das [8] requires elements for the public key. Likewise, for partial and final secret keys, our scheme requires only two secret elements in the finite field , whereas the scheme by Odelu and Das [8] requires three. The length of in our scheme is group elements whereas in the scheme by Odelu and Das [8].
As can be seen in Table 6, the FogCPS scheme has the lowest memory overhead, i.e., 1340 bytes followed by the Guo et al. [6] and Odelu and Das [8] schemes which take 1636 and 1760 bytes, respectively. The Zhou et al. [9] scheme incurs the highest overhead of 9876 bytes. It is noted that for the proposed scheme, the memory overhead of one final public and secret key over a shared attribute set has also been considered. Moreover, for the Setup and KeyGen algorithms, i.e., partial key pair generation in this case, the FogCPS scheme has the lowest overhead compared to all other schemes. The final secret key in the proposed scheme only requires one element of the order of base point on the elliptic curve .
In the Guo et al. [6] scheme, there are elements in and one in for , two elements in for , and elements in for . In the Zhou et al. [9] scheme, there are and group elements in and , respectively, whereas has 2 group elements in and one in . The in the Cheng et al. [12] scheme has elements in and two in ; the has elements in , whereas the has 2 elements in and one in . In the Yamada et al. [14] scheme, contains 6 elements in and one in , contains elements in , and contains in . The Zhou et al. [9] scheme has the highest memory overhead followed by the Cheng et al. [12] and Yamada et al. [14] schemes. Both the Zhou et al. [9] and Cheng et al. [12] schemes have constant size ciphertexts which only require 2 group elements in and one element in . The in the FogCPS scheme and the Guo et al. [6] scheme have almost the same number of elements. In the key update Algorithms 4–6, this scheme only requires 2 elements in and 2 elements of the order of base point on the elliptic curve .
5.5. Computational Overhead
The computational overhead of all schemes is summarized in Table 7. The column Total operations represents the total number of operations by considering all algorithms, i.e., Setup, KeyGen, Encrypt, and Decrypt. In the proposed scheme, the computational overhead of one partial and final key pair generation and update are also considered. From Table 7, it is observed that the FogCPS scheme introduces the lowest computational overhead than all other schemes which are based on bilinear maps and elliptic curves.
For partial and final public key generation, the FogCPS scheme requires scalar multiplications in the elliptic curve group . Likewise, for Encrypt and Decrypt, and scalar point multiplications are required, respectively. Moreover, in the key update algorithms, i.e., 4, 5, and 6, this scheme only requires two scalar multiplications.
For the Setup and KeyGen algorithms, the Guo et al. [6] scheme requires exponentiations and 1 pairing operation, respectively. In addition, the Encrypt algorithm requires exponentiations and a single pairing whereas Decrypt requires exponentiations and 4 pairing operations. The Setup and KeyGen algorithms in the Zhou et al. [9] scheme require and exponentiation operations, respectively. Similarly, for Encrypt, it requires 3 exponentiations and 1 pairing, whereas for Decrypt, exponentiation and pairing operations are required. Moreover, for the Setup and KeyGen algorithms, the Cheng et al. [12] scheme requires exponentiation and pairing operations. On the contrary, it requires 3 exponentiation and 2 pairing operations for the Encrypt and Decrypt algorithms, respectively. In the Yamada et al. [14] scheme, exponentiations are required for both the Setup and KeyGen algorithms. However, the Encrypt algorithm requires exponentiations and Decrypt requires exponentiation and pairing operations.
6. Conclusion
The security and privacy challenges posed by FogCPS systems can affect both individuals and systems. The heterogeneous nature of CPS devices with varying degrees of computation and storage capacity also make it a challenging task to devise the security solutions. It is therefore essential to find lightweight solutions which eliminate the need for applying different security mechanisms at different layers of FogCPS. Moreover, the devised schemes must also enable the users/CPS devices to have control over their data without risking their privacy of information (e.g., identities, location, data, and type of service used) with other entities, such as the fog nodes and/or cloud provider. The existing PKE and ABE schemes are computationally expensive and, therefore, not suitable for resourceconstrained devices. Moreover, the sharing of attributes with the FA risks the privacy of CPS devices as it can also decrypt the messages. Considering the limitations of existing schemes, in this paper, a lightweight encryption scheme is proposed. In the FogCPS scheme, the CPS devices generate the keys without relying on a FA. In our proposed security scheme, the above problems are addressed by dividing the attribute set into secret and shared attributes. The secret attributes are used for entity registration with FA, whereas the shared attributes are only shared with the collaborating CPS devices and employed to generate the final public and secret keys. The compromise of FA would not endanger the secrecy of messages among CPS devices, as they can still securely communicate. Furthermore, the key update process of the proposed scheme is very lightweight, since the key generation process as found in Algorithms 1–3 is not repeated.
Another novel aspect of the FogCPS scheme is that it is based on elliptic curve cryptography which supports smaller key sizes and is highly suitable for resourceconstrained CPS devices. The experimental evaluation shows that the FogCPS security scheme outperforms other ABE schemes based on bilinear pairing and elliptic curves. In the future, the authors will investigate how the proposed scheme can be further improved to support more expressive access structures and an adaptive security model.
Data Availability
This study does not involve any personal data and other datasets.
Conflicts of Interest
The authors declare that there is no conflict of interest regarding the publication of this article.