A Lightweight Attribute-Based Security Scheme for Fog-Enabled Cyber Physical Systems

In this paper, a lightweight attribute-based security scheme based on elliptic curve cryptography (ECC) is proposed for fog-enabled cyber physical systems (Fog-CPS). A novel aspect of the proposed scheme is that the communication between Fog-CPS entities is secure even when the certification authority (CA) is compromised. This is achieved by dividing the attributes into two sets, namely, secret and shared, and subsequently generating two key pairs, referred to as the partial and final key pairs, for each entity of the Fog-CPS system. Unlike existing attribute-based encryption (ABE) and identity-based encryption schemes, in the proposed scheme, each entity calculates the final public key of the communicating CPS devices without the need of generating and transmitting digital certificates. Moreover, the proposed security scheme considers an efficient and secure key pair update approach in which the calculation overhead is limited to one group element. To show the effectiveness of the proposed scheme, we have calculated and compared the memory and processing complexity with other bilinear and elliptic curve schemes. We have also implemented our scheme in a Raspberry Pi (3B+ model) for CPS simulations. The proposed scheme guarantees the confidentiality, integrity, privacy, and authenticity in Fog-CPS systems.


Introduction
Fog computing can improve the monitoring and management of next-generation cyber physical systems (CPS). A general fog-enabled cyber physical system (Fog-CPS) as shown in Figure 1 consists of three layers, namely, the CPS device, fog, and cloud. Fog-CPS systems are vulnerable to numerous security, privacy, and trust challenges. With regard to security, different attacks, namely, interception, interruption, modification, fabrication, unauthorized authentication, and access, can be carried out to disrupt the communication between Fog-CPS entities. The abovementioned challenges could be addressed by employing lightweight cryptographic techniques. However, the existing solutions have a number of limitations. Firstly, in public key encryption (PKE) schemes, the generation, verification, and distribution of certificates incur extra computation and communication devices can be used for identification, authentication, and access control. From here onwards, the proposed scheme is called as Fog-CPS.
Moreover, in the proposed scheme, the CA (i.e., FA in this case) cannot decrypt the messages exchanged among CPS devices, thus maintaining their privacy. This is achieved by dividing the attribute set A into two subsets, a secret A S and a shared A K attribute subset. Precisely, each entity in a Fog-CPS system will have two key pairs, namely, a "partial key pair" and a "final key pair" generated from secret A S and shared A K attribute sets, respectively. The secret A S attributes are only known to FA which registers the entities and generates the partial key pair. The registration of CPS entities with FA ensures that published public keys are authentic and do not require any further verification.
However, as the secret A S attributes are only known to FA; the other collaborating CPS devices cannot verify them. To address this problem, a notion of "shared" A K attributes is introduced. The shared A K attributes are known to collaborating Fog-CPS entities which generate the final public and secret keys. The encryption and decryption would take place using final public and secret keys. Such an approach is advantageous for two reasons: (1) the secret A S attributes are only shared with the FA and the leakage of partial secret keys would not risk the communication of collaborating entities and (2) the scheme is scalable because the final public keys are generated by the collaborating devices themselves without the aid of FA. Any device can generate the final public keys of other devices.
Furthermore, upon key update, the key regeneration process is lightweight, since the key generation process as found in Algorithms 1-3 is not repeated.

1.2.
Contributions. The contributions of this paper are enumerated below: (1) First, a lightweight attribute-based security scheme is proposed for Fog-CPS systems (2) Second, the Fog-CPS scheme considers an efficient and secure key pair update approach in which the calculation overhead is limited to one group element (3) Third, the proposed scheme is compared with other schemes based on bilinear pairing and elliptic curves by calculating its memory and processing overhead (4) Fourth, the proposed scheme is implemented on a resource-limited Raspberry Pi (3B+ model) for CPS simulations.
The remaining parts of this paper are organized as follows: the related work is discussed in Section 2. The proposed scheme is presented in Section 3. Next, the experimental results are presented in Section 4. The conclusion and future work are discussed in Section 5.

Related Work
To secure the communication in CPS systems, the literature adopts a hybrid approach in which both symmetric (AESbased) and asymmetric (RSA-based and ABE) encryption techniques are used. AES (Advanced Encryption Standard) is used to encrypt the communication between sensor nodes and the gateway, whereas the asymmetric schemes are used to encrypt the communication between the gateway and the service provider.

Wireless Communications and Mobile Computing
Recently, Mahmood et al. [1] propose an authentication scheme for a smart grid. The scheme has a few limitations: (1) the scalability in case of large-scale CPS systems with hundreds of nodes and (2) the inconsideration of access control mechanism. In a smart grid system, there are several heterogeneous devices at different layers, so including access control mechanisms is crucial. Kocabas et al. [2] present a medical cloud-assisted CPS architecture consisting of acquisition, preprocessing, cloud, and action layers. The study proposes an AES (Advanced Encryption Standard) symmetric key encryption scheme for communication between the acquisition and preprocessing layers. The main disadvantage of [2] is the key management of symmetric keys in such a complex environment with hundreds of CPS devices. Shuo et al. [3] propose a distributed authentication framework for the multidomain M2M environment. The proposed framework employs a hybrid encryption scheme involving IBE and AES symmetric encryption.
Sravani et al. [4] present a signature-based authenticated key establishment scheme for IoT applications. Hu et al. [5] 1: Input: Security parameter λ, secret attribute set A S . 2: Output:PK A S /SK A S PK A S = fG, P i , H 1 g, ∀i = 0, 1, ⋯, t. SK A S = fsg: 3: Choose elliptic curve group G, where P is a base point on the elliptic curve E p ða, bÞ defined over the finite field Z p . 4: Choose a one-way collision resistance hash function, H 1 defined as: H 1 : f0, 1g * → Z * p : 5: Create a secret random number r ∈ Z p . 6: Map t < n attributes in secret set A s to Z p using hash function H 1 and compute secret number s.
1: Input: Public Key PK A S and shared attribute set A K . 2: Output:PK A K = fU i g, ∀i = 0, 1, ⋯, t. 3: Let A K = a 1 a 2 ⋯ :a t be the device attribute string over shared attribute set. 4: Map t < n attributes in shared set A K to Z p using hash function H 1 and compute k.
1: Input: Secret key SK A S and shared attribute set A K . 2: Output:SK A K = fu 1 g. 3: Compute secret number α as follows: α = sk,ð8Þ where s is the secret key component from SK A S and k is computed similar to Equation (6) in Algorithm 2. 4: Next, compute Equation (9), f ðα, A K Þ which is a t-degree at most polynomial in Z p ½x.
5: Pick two random numbers r u , t u ∈ Z P . Compute s u such that the following condition holds.
1/f ðα, A K Þ = s u − r u t u ðmod pÞ, 3 Wireless Communications and Mobile Computing propose a communication architecture for Body Area Networks (BANs) and design a scheme to secure the data communication between wearable sensors and data consumers (doctors and nurses). They propose the CP-ABE and signature-based schemes to store the encrypted data at the data sink. Guo et al. [6] propose a CP-ABE scheme with constant-size decryption keys. Chen et al. [7] propose fully secure KP-ABE and CP-ABE with constant-size ciphertexts and a fully secure ABS with constant-size signatures. Odelu and Das [8] propose a lightweight and constant-size secret key ABE scheme based on ECC. However, key update/revocation and key generation are some of the limitations of the scheme in [8].
A major limitation of the existing ABE schemes [5,7,9,10,11,12] is the complexity; these schemes require large security parameters (i.e., 1024-or 2048-bit size). Besides that, in the above cited ABE schemes, CA generates and distributes the secret keys. Nonetheless, sharing of private attributes with CA can risk the privacy, since the CA can also decrypt messages and retrieve CPS system data. Moreover, the compromise of CA can also risk the secrecy of communication between the sender and receiver. Additionally, some studies propose symmetric key schemes for resource-constrained devices. However, in large-scale Fog-CPS systems, the symmetric key management process becomes very complicated and complex. Symmetric schemes require a separate protocol for session key agreement and generation. Furthermore, when the short-size data is encrypted with a symmetric key, then the information which is revealed about the key may be critical for ciphertext-only attack.
Henceforth, it is believed a lightweight encryption scheme based on ECC wherein the CA only generates the partial key pair is the appropriate choice. ECC-based schemes require smaller security parameters (i.e., 128 or 256 bits) and therefore can be implemented in resourcelimited CPS devices.

Proposed Fog-CPS Security Scheme
In this section, the proposed Fog-CPS scheme is presented. Table 1 lists the notations used throughout the paper.

Preliminaries.
In this section, the attributes, access structures, and the computational hard problems are discussed.
3.1.1. Secret and Shared Attribute Sets. All CPS devices and fog nodes possess a set of attributes. Let A = A S ∪ A K be the attribute set of each CPS device consisting of both secret A S and shared A K attributes. As an example, a few attributes for both sets are listed in Table 2. 3.1.2. Access Structure. The attribute string of a device is presented with an n-bit string a 1 a 2 ⋯ a n . To further elaborate the attribute string, the example of shared attribute set A K is considered. The attribute string is defined as follows: a i = 1, if A i ∈ A K and a i = 0, if A i ∉ A K . For example, if n = 5 and 4 attributes are considered for final key pair generation, then A K = fA 1 , A 2 , A 4 , A 5 g; the 5-bit string A K becomes 11011. Likewise, an access policy is defined by ℙ and specified with attributes in the shared attribute set A K . The access policy is also represented with n-bit string b 1  (1) q-Generalized Diffie-Hellman (q-GDH) Assumption [13]. Given a 1 P, a 2 P, ⋯, a q P in G and all the subset products ð Q iϵS a i ÞP ∈ G for any strict subset S ⊂ f1, ⋯, qg, it is hard to compute ða 1 ⋯ a q ÞP ∈ G, where P is a base point in E p ða, bÞ ; a 1 , a 2 , ⋯, a q ∈ Z * p . Since the number of subset products (elliptic curve scalar point multiplications) is exponential in q, access to all these subset products is provided through an oracle. For a vector a = ða 1 , ⋯, a q Þ ∈ ðZ p Þ q , define O p,a to be an oracle that for any strict subset S ⊂ f1, ⋯, qg responds with O p,a ðSÞ = ðΠ i∈S a i Þ ∈ G.
Definition 2 (q-DHI assumption). G satisfies the ðt, q, ϵÞ -DHI assumption, if for all t-time algorithms A, the advantage becomes Adv GDH A,q = Pr ½AðP, xP, x 2 P, ⋯, x q PÞ = ð1/xÞP < ϵ for any sufficiently small ϵ > 0, where the probability is over the random choice of x in Z * p and the random bits of A.
It can be shown by a reduction that our computational problem is at least as hard as the discrete logarithm problem (DLP).

3.2.
Assumptions. The following assumptions are made regarding the Fog-CPS entities.
(1) It is assumed that CPS devices, such as smart meter and home appliances, can be compromised and leak sensitive information (2) The FA, fog nodes, and cloud provider are honest but curious and might try to gather as much information (from CPS devices, users, social media, and external resources) as possible that can later be used to generate the profile of CPS devices/users. Such information can be used for targeted advertisement and spamming (3) All Fog-CPS entities will register with the FA using their secret attribute set and it would generate their partial key pair (4) The CPS entities and fog nodes generate the final public keys of the collaborating devices (5) Access policies based on shared attributes are shared with CPS devices, FA, fog nodes, and cloud (6) It is assumed that the elliptic curve group parameters are preshared with entities 3.3. Fog-CPS Security Scheme Description. The proposed Fog-CPS security scheme has adopted the encryption and decryption algorithms of [8]. Furthermore, additional changes were made to the key generation algorithms of [8] as specified below: (1) The attributes in the Fog-CPS scheme are divided into two sets, i.e., a secret A S and a shared A K . Therefore, the key generation process is also distributed between the FA and Fog-CPS entities. Three algorithms, namely, partial key pair generation, final public KeyGen, and final secret KeyGen, are designed for the complete key generation process (2) The Fog-CPS security scheme uses two elliptic curve (EC) points for each attribute instead of three as in [8]. The use of two points per attribute reduces the processing and memory overhead and makes the Fog-CPS scheme efficient but also secure.

Fog-CPS Security Scheme
Construction. The Fog-CPS security scheme consists of eight algorithms out of which seven are presented here. As previously mentioned, the encryption and decryption algorithms are adopted from [8]. However, we made a few changes to the encryption algorithm, so it is also presented, but the description of the decryption algorithm is omitted.

Partial Key Pair Generation ðλ,
The partial key pair generation algorithm is executed by the FA which registers the Fog-CPS entities based on a secret attribute set A S . Algorithm 1 takes as input the security parameter λ and a set of secret attributes A S . λ consists of a long string of 1 s (chosen finite field) and defines the length of the secret keys and messages. It outputs the partial public/secret key pair PK A S /SK A S . Subsequently, the FA publishes the public key PK A S and sends the secret key SK A S to the CPS device. For initial communication, Fog-CPS entities can use the partial public keys. The partial public keys guarantee that Fog-CPS entities are legitimate and registered with FA.

Final Public KeyGen ðPK
The second pair of keys, namely, the final public and secret keys, is generated from the shared attribute set. The final public keys can be generated by any CPS device or fog node that shares a set of attributes with some other entity. Algorithm 2 generates the final public key of a CPS device. It takes as input the partial public key PK A S generated over the secret attribute set A S and the shared attribute set A K . It outputs the final public key PK A K .

Final Secret KeyGen ðSK
generates the final secret key of a CPS device. It takes as input the secret key generated over the secret attribute set A S and the shared attribute set A K . It outputs the final secret key SK A K .

Encrypt ðPK
The encryption algorithm takes as input the final public key PK A K , access policy ℙ, and a message M. It outputs a ciphertext CT. Algorithm 7 7 presents the encryption procedure in detail. (9) and (18), a new polynomial can be calculated as

Proposition 3. From Equations
It can easily be verified that f ðx, S P Þ/f ðx, S K Þ is a polynomial function in x, if and only if ℙ ⊆ A K . The encryption algorithm and the secret key generation algorithms are designed in such a way that f ðx, S P Þ/f ðx, S K Þ must be a polynomial for a successful decryption.

Decrypt ðCT, SK
The decryption algorithm takes as input the final secret key SK A K and ciphertext CT and outputs the plaintext message M. The construction of the decryption algorithm is the same as the one in [8].
3.4.6. Partial Key Pair Update ðλ,Á S Þ → PḰ A S /SḰ A S . If the secret attributes of a CPS entity are changed, then all the keys need to be updated. The key update procedure will start by regenerating the partial public/secret PK A S /SK A S key pair. In the partial key pair update procedure, Algorithm 4 is executed. It takes the updated set of secret attributes A S as input 1: Input: Secret A S set. 2: Output: New partial key pair PK A S /SK A S . 3: Increment the counter c for revoked keys. 4: If the attributes are the same, the previous computations over t attributes are considered. 5: Else, perform calculations for attributes from i = t to t ± 1. 6: Map t ± 1 attribute in A S to Z p using Equation (1) and compute secret numberś.
Algorithm 4: Partial key pair update.
1: Input: Shared A K attribute set. 2: Output: New final public key PK A K . 3: If the attributes are the same, the previous computations over t attributes are considered. 4: Else, perform calculations for attributes from i = t to t ± 1. 5: Map ðt ± 1Þ attribute in shared set A K to Z p . Apply hash function H 1 and compute k i using Equation (5). Then, compute k: k = k + k t±1 :ð14Þ 6: Next, compute final public key component U i , for ðt ± 1Þ attribute using Equation (7).
Algorithm 5: Final public key update. 6 Wireless Communications and Mobile Computing and generates a new PḰ A K /SḰ A K partial key pair for the CPS device. Subsequently, the final public and secret keys are also regenerated.

Final Key Update ðPḰ
If the shared attributes of a CPS device are updated, then the final public and secret keys need to be regenerated. In this case, Algorithms 5 and 6 are executed to generate the new final public and secret keys of the Fog-CPS entities. These algorithms take the updated set of shared attributesÁ S as input and generate the new final public and secret keys Ṕ 3.4.8. KeyRevoke. Similar to existing ABE schemes, the keys are revoked by the CA but in our application scenario FA. However, the keys can also be revoked due to the malicious behaviour of CPS devices. Three cases for key revocation have been identified: (1) Legitimate revoke: in the first case, both key pairs can be revoked due to a system update, expiration date, and scheduled maintenance of the Fog-CPS system.
(2) Malicious activity: in the second case, the key revocation may take place due to the malicious behaviour which might be observed and/or reported by FA, 5: Choose two one-way collision resistance hash functions, H 2 and H 3 , defined as: where l r is the length of a random string, l m is the length of message M, f0, 1g * is a binary string of arbitrary length, and f0, 1g l is a binary string of length l. The length of the hash value is the same as the length of a random string r, and similarly, the hash value will be the same size as the message M. 6: Next, the CT which consists of three components C 1 , C r , and C m is computed. C 1 is a point on the elliptic curve which is computed from the polynomial f ðx, S P Þ and U i components in PK A K corresponding to attributes in ℙ. C 1 is computed as follows: where polynomial f ðα, A K Þ has been computed over t attributes in Equation (9). 7: Pick two random numbers r u , t u ∈ Z P and then compute s u using Equation (10). 8: Next, compute secret key component u 1 using Equation (11). (3) Attribute update: in the third case, the change in the attribute set can trigger a key revocation.
In key revocation, FA revokes the existing partial key pair and generates new keys in the first two cases, i.e., legitimate revoke and malicious activity. In the third case, the keys are regenerated as discussed in Sections 3.4.6 and 3.4.7. As the generation of final public and secret key is dependent upon the partial key pair generated over secret attributes, so the revocation of partial key pair requires the revocation of final public and secret keys. As a result, Algorithms 4-6 are designed. The proposed key update algorithms are lightweight as each revocation only incurs the overhead of one extra key component. In each subsequent key update, the t attribute counter is incremented by one.
3.4.9. Correctness. The correctness of the Fog-CPS security scheme is based on the following property. For a given pair of final keys ðPK A K , SK A K Þ and CT generated from Encrypt ðPK A K , M, ℙÞ, the decryption algorithm Decrypt ðCT, ℙ, SK A K , A K Þ will output the correct M, if ℙ ⊆ A K ; otherwise, the decryption will fail.
3.5. Fog-CPS Security Scheme Application Scenario. The proposed scheme can be applied to any Fog-CPS scenario. To demonstrate it, a case in a fog-enabled smart grid power control (Fog-SGC) system is considered wherein a smart home device reports meter data D to a neighbouring area network (NAN) device. Figure 2 illustrates the communication between smart home device, NAN device, and FA. The interaction between all other entities in a Fog-SGC system would be similar as between smart home and NAN devices. Initially, all entities, namely, smart meters and fog nodes, register with FA based on their secret attribute sets A S . The FA executes Algorithm 1 to generate their partial key pair. Subsequently, the FA publishes the public key PK A S and securely transmits the secret key SK A S to the device.
After registration with FA, the smart home device sends a data store request to the NAN device. Upon receiving the request, the NAN device asks for a set of shared attributes A K . Subsequently, the smart home device generates the final public key of the NAN device by executing Algorithm 2. Next, the NAN device executes Algorithm 3 to generate the final secret key SK A K corresponding to the shared attribute set. Then, the smart home device encrypts D using the final public key PK A K of the NAN device and signs the shared attributes A K using its secret key SK A K . Subsequently, the smart home device sends CT and signature σ to the NAN device. Following this, the NAN device verifies the σ and decrypts the CT. Upon successful decryption, it gets an assurance that the smart home device possesses the required attributes and stores D.

Theoretical Security Analysis and Evaluation
As mentioned in the previous sections, in the proposed Fog-CPS security scheme, each entity possesses two key pairs, namely, partial and secret. So keeping that in view, the security of the proposed scheme is carefully analyzed to ensure security against the following attacks:   The Fog-CPS scheme is secure against the abovementioned attacks due to the q-Diffie-Hellman Inversion (q-DHI) problem [13], elliptic curve discrete logarithm problem (ECDLP), and the robustness of the hash functions.
Additionally, the robustness of the proposed scheme is based on two fundamental security notions of encryption schemes, namely, indistinguishability of messages and the collision resistance against secret keys. Message indistinguishability is an important security property of many encryption schemes. Given the ciphertext and the encryption key, the adversary cannot tell apart two same-length but different messages encrypted under the scheme, even if he chose the messages himself. With collision resistance, the attackers cannot pool their secret key components corresponding to a set of attributes to generate a new key which otherwise cannot be generated from their own attributes. Before presenting the security analysis against the abovementioned attacks, the notion of collision resistance as presumed in this scheme is discussed.

Collision Resistance against Secret
Keys. The proposed scheme does not follow the same conventional attribute sharing as the existing ABE schemes. Attributes are only shared between two CPS devices and the FA node. So, the collision attack as presumed in existing schemes does not apply in this case. In other words, the pooling of attributes and secret key components (i.e., the collision attack) from several adversaries who do not share the attributes would not benefit in generating the secret keys. Precisely, for the security of the proposed scheme, the definition of collision resistance is modified.
In this case, it is essential to prevent a device from generating the final secret key SK A K of another device. Theorem 1. It can be shown by a reduction that the computational problem in the proposed scheme is at least as hard as the discrete logarithm problem (DLP).
Proof. Assume A is an algorithm that efficiently solves our problem. We can use A to compute the discrete logarithm of an element h to the base g as follows: (i) Invoke A on input m = g andḿ = h (ii) A will return will return r, s, and t such that r s ≡ g and r t ≡ h modulo p (iii) Now we can compute a number x such that x · s ≡ 1ðmod GÞ (this can be done efficiently using the extended Euclidean algorithm because p is prime and therefore s and p are coprime) (iv) Then, g ðx:tÞ ≡ ðr s Þx · t ≡ ðr ðx:sÞ t ≡ r t ≡ hðmod GÞÞ (v) Hence, x · t is the discrete logarithm of h to the base g (vi) Note that the discrete logarithm problem is at least as hard as our problem since if you can compute discrete logarithms to some base r, you can s and t for given m andḿ such that r s ≡ m and r t ≡ m modulo G. Hence, the two problems are equally hard under the assumption that r is of order p.

Key Generation Analysis.
In this section, the difficulty of deriving the partial/final secret keys from their respective public keys and final secret key derivation from multiple ciphertexts and partial secret key is analyzed. Additionally, the computational difficulty of guessing the attributes and subsequently generating the secret keys is also discussed.

Partial/Final
Secret Key Guessing. The partial and final secret keys in Algorithms 1 and 3 are generated based on the secret and shared attributes which are mapped to Z p . The success probability of guessing an attribute is equivalent to the complexity of hashing algorithm H 1 , i.e., 2 n/2 (birthday paradox). For the partial secret key SK A S , the adversary should guess all attributes in set A S and the secret random number r. The secret numbers s i which are used in partial key pair generation cannot be derived by collision attack due to its complexity. To be precise, the computational complexity is of the order of number of attributes for hash function and random guessing. This also applies to final public and secret key generation algorithms whereby the shared attributes are hashed and subsequently used in key generation. Additionally, the assumption that each entity possesses a unique set of secret and shared attributes with no overlap with the attribute set of other entities makes attribute guessing more difficult.

Partial/Final
Secret Key Generation. The partial secret key SK A S of a CPS device cannot be guessed due to the difficulty of deriving the secret key components s i ∈ A S and r ∈ Z p in Algorithm 1. So, in order to generate/guess the final secret key, the adversary needs to know the secret key SK A S , shared attribute set A K , and three secret numbers α, r u , t u . α is computed from the secret components s and k in algorithm 3.4.2 whereas r u , t u are random numbers. The secret component s can only be computed and/or known if both the FA node and the CPS device are compromised. The compromised device can leak the shared attribute set and the final secret key SK A K .

Theorem 2.
The proposed scheme is secure against an adversary A with knowledge of the shared attribute set A K for deriving the final SK A K secret key by collision attack.
Proof. Having the knowledge of A K is not enough for generating the SK A K = u 1 , where where r u and t u are random numbers. The condition in Equation (24) only holds if s u and α are known, and subsequently, the values of r u t u can be computed. All these values can then be used to solve Equation (23). Another solution to Equation (23) is to correctly guess the random numbers r u , t u and compute α. The difficulty of computing α is already explained in preceding paragraphs. Hence, generating SK A K without knowing secret components ðr u , t u Þ, s u , and α is computationally infeasible for an adversary.

Computing the Secret Keys from Public Keys.
It is underlined that the secret keys, either partial or final, cannot be computed from their respective public keys due to the intractability of the elliptic curve discrete logarithm problem (ECDLP). Given two points P, Q ∈ EðF q Þ, the ECDLP problem is to find an integer x, if it exists, such that Q = xP. Following the same notion, the problem is to compute partial/final secret SK A S /SK A K keys from public keys PK A S / PK A K . Like in case of SK A S , given the PK A S = fP i = s i Pg for all attributes in A S , the problem is to compute s i from its corresponding public key P i component. The ECDLP problem has to be solved for all attributes in a given attribute set.
The same applies to the final secret key SK A K generation from PK A K . For the SK A K , ECDLP is to compute k i from given U i and P i . To be precise, due to the intractability of ECDLP, it is not feasible to compute secret keys from public keys.

Computing the Decryption Key from
Ciphertext. Additionally, the proposed scheme is secure against an adversary for deriving the decryption key r m P from the ciphertext CT = fℙ, U m,i , K 1m , C σm , C m g.
Theorem 3. Given the ciphertext CT = fℙ, U m,i , K 1m , C 1 , C r , C m g, it is hard to compute decryption key r m P.
Proof. A ciphertext CT corresponding to the access policy ℙ consists of the following parameters: Since ∑ n−jℙj i=1 U m,i = rmðf ðα, ℙÞ − f 0 ÞP, it is hard to compute r m P using C 1 due to the difficulty of solving the elliptic curve discrete logarithm problem. Given U m,i = rmUi = r m k P i , i = 1, 2, ⋯, q = n − jℙj, this problem can be reduced to the ðq − 1Þ-DHI problem as follows. Let Q = αr m P. The parameters are then rewritten U m,i = r m U i = α i r m P as Q i = U m,i = α i−1 Q, i = 1, 2, ⋯, q. This implies that if an adversary A has the ability to solve the ðq − 1Þ-DHI problem, he/she can compute the key r m P = ð1/αÞQ 1 = ð1/αÞQ and then successfully decrypt the ciphertext CT. The following theorem proves that solving the ðq − 1Þ-DHI problem is as hard as the q-GDH problem. Remark 1. From the above discussion, the proposed scheme is collision resistant against secret keys. As a result, computing the key k m = r m P from a ciphertext CT corresponding to the access policy ℙ without a valid user secret key SK A K is as hard as the q − GDH problem. This implies that given fU m,1 , U m,2 , ⋯, U m,q , C 1 g, where q = n − jℙj, T ∈ G, the q − GDH problem reduces to the ðq − 1Þ − DHI problem and then decides whether T is equal to r m P or a random element in G. But as the q − GDH problem is hard to solve, so would be ðq − 1Þ − DHI. Hence, an adversary cannot derive r m P from C 1 .

Network Devices Compromise Analysis.
Having discussed the difficulty of generating and/or guessing the secret keys, the impact of the compromise of Fog-CPS entities on the proposed security scheme is discussed.

Compromise of FA.
The compromise of FA can have drastic impact on the security of the Fog-CPS system. A compromised FA can reveal the partial secret keys SK A S of Fog-CPS entities. An adversary in possession of a partial secret key SK A S and the shared attribute set A K can generate the corresponding final secret key SK A K . After having generated the final secret key, the adversary can also change the attributes agreed with FA and subsequently further compromise the network. However, if the adversary is not aware of the shared attribute set, then it cannot generate the final secret key. Moreover, the actual encryption and decryption is performed using final public and secret keys PK A K /SK A K meaning that the communication between the CPS devices is still secure.

Compromise of CPS Device and Fog Nodes (Leakage of
Final Secret Key). The compromise of CPS devices and fog nodes will only leak their own secret keys. The compromise of one set of secret keys does not risk the messages encrypted under different shared attributes therefore keys. Henceforth, legitimate CPS devices can still communicate securely.

Experimental Evaluation
To evaluate the performance of the proposed scheme, its algorithmic efficiency in terms of processing time and memory complexity is measured.

System Configurations.
For benchmarking the time complexity, two sets of experiments are conducted to demonstrate the effectiveness of the proposed scheme on both resource-limited CPS devices and resourceful fog nodes. In the first experiment, the scheme is evaluated on a Raspberry Pi 3B+ model (CPS devices). It has a Quad Core 1.2 GHz, 64-bit CPU, 1 GB of RAM, a wireless LAN and Bluetooth Low Energy (BLE) on board, 100 Base Ethernet, 40-pin extended GPIO, 4 USB ports, HDMI, and micro SD port. In the second experiment, it is executed on a virtual machine running Ubuntu R16.04 with Python 3.6.4. on Intel (R) Core(TM) i5-4310U CPU@2.000 GHz with 8.0 GB RAM (fog nodes).

Implementation and Evaluation.
The Fog-CPS scheme is compared with five other ABE schemes in Guo et al. [6], Odelu and Das [8], Cheng et al. [12], Yamada et al. [14], and Zhou et al. [9] using the Charm crypto library [15]. All security schemes, including this, are based on a selective security model. It is noted that the proposed scheme is not based on bilinear elliptic curves and can be implemented on any elliptic curve. However, in order to compare the scheme with existing ABE schemes which are based on bilinear maps, it is implemented on bilinear curves, i.e., MNT159 and SS512. On other curves, namely, prime192v1 and secp224r1, the memory overhead would be less. The proposed scheme and two others in Guo et al. [6] and Odelu and Das [8] are tested on a non-super-singular asymmetric bilinear curve (i.e., MNT159), whilst three of the schemes [9,12,14] have been tested on the super-singular SS512 curve. Both SS512 and MNT159 curves provide 80-bit security.

Timing Results.
The execution times of all algorithms are benchmarked to compare the efficiency of different schemes. In the existing schemes in Guo et al. [6], Odelu and Das [8], Cheng et al. [12], Yamada et al. [14], and Zhou et al. [9], the Setup and KeyGen algorithms are separate. But, since there is no Setup in the Fog-CPS scheme, the execution time of both   11 Wireless Communications and Mobile Computing these algorithms is added and compared with the timing of the final public and secret key generation. To be precise, the final key pair generation timing of this scheme is the sum of the execution times of Algorithms 2 and 3.
For Setup and KeyGen, three different sizes of attribute universe U and user attribute sets A are considered. To be precise, an attribute universe U of 10, 20, and 30 attributes has been implemented for measuring the timing of the Setup algorithm. Likewise, for the secret key generation, a user attribute set A of 5, 15, and 25 attributes is taken into consideration.
Additionally, the encryption and decryption algorithms are also implemented to demonstrate that they are more efficient than the ones in Odelu and Das [8] because this scheme uses lesser elliptic curve group elements. Another reason to implement the encryption and decryption algorithms was to measure their execution timings on the Raspberry Pi, i.e., CPS devices. Henceforth, two types of benchmarks are set for measuring the times for encryption and decryption: (1) 1 kilobyte (1 kB) and (2) 1 megabyte (1 MB). These two low size messages are used because CPS devices and cloud requests are usually transmitted in low size messages. Furthermore, in the encryption algorithm, an access policy ℙ of constant size, i.e., 5 attributes, is considered. For the key update, there are two cases with an increment and decrement of one attribute, i.e., t ± 1. However, in our experimental evaluation, the execution time for key update is recorded in case of t + 1 attributes only.
Tables 3-5 list the processing times of all algorithms for the first and second experiments for attribute U of 10, 20, and 30, respectively. Additionally, graphs (see  are also plotted for the results of the first experiment.  Tables 3-5 list the timing results of the final key pair generation, encryption, decryption, and key pair updates. Overall, it is observed that benchmarks recorded on the Raspberry Pi 3B+ model are slower than on the desktop computer. Comparing the timings of both experiments in Table 3, it is noted that the proposed scheme is slower on the Raspberry Pi. But it is still the fastest compared to the rest of the schemes as it only takes 0.008, 0.017, and 0.02 seconds for an attribute universe of 10, 20, and 30 attributes, respectively.
Analyzing the processing times for encryption of 1 kB and 1 MB messages, it can be observed that the encryption timing of the schemes by Zhou et al. [9] and Yamada et al. [14] is almost equal and they are faster than rest of the schemes, followed by the scheme of Cheng et al. [12].
The Fog-CPS scheme is three times slower whereas the scheme by Odelu and Das [8] is four times slower than the schemes by Zhou et al. [9] and Guo et al. [6]. Likewise, the Fog-CPS security scheme is 10 times faster than the scheme by Yamada et al. [14] which is the slowest of all schemes. Comparing the timings of encryption and decryption, it is observed that in the case of encryption, the proposed scheme is a bit slower than three of the other schemes. However, in decryption, this scheme is the fastest of all; it takes only  [14] is the slowest of all the other schemes in decryption as well. Furthermore, it can be observed that for decryption of the 1 kB message, the execution time of the scheme by Odelu and Das [8] is almost equal to that by Cheng et al. [12].

Memory
Overhead. Table 6 shows the calculation of the memory overhead of each scheme. In the MNT159 curve, one group element in G and G 1 takes 2 × 160 = 320 bits whereas one group element in G T takes 2 × 512 = 1024 bits.
Likewise, in the SS512 curve, one group element in G 1 takes 2 × 512 =1 024 bits whereas one group element in G T takes 2 × 1024 = 2048 bits. The column Bytes represents the total number of bytes required in all algorithms (i.e., Setup, KeyGen, Encrypt, Decrypt, and KeyRevoke) for an attribute universe U of 10 and an access policy ℙ of 5 attributes. In the case of the proposed scheme, the memory overhead of one partial and final key pair generation and one key update in both cases is also considered when calculating the number of bytes required by each algorithm. Zhou et al. [9] Yamada et al. [14] Cheng et al. [12]

Wireless Communications and Mobile Computing
The proposed Fog-CPS scheme is lightweight than the Odelu and Das [8] scheme as it requires fewer elliptic curve group elements. Our scheme requires 2ðn + 1Þ elements in G for generation of both partial and final public keys whereas the scheme by Odelu and Das [8] requires 3ðn + 1Þ elements for the public key. Likewise, for partial and final secret keys, our scheme requires only two secret elements in the finite field Z p , whereas the scheme by Odelu and Das [8] requires three. The length of CT in our scheme is ðn − jℙj + 2Þ group G elements whereas ðn − jℙj + 3Þ in the scheme by Odelu and Das [8].
As can be seen in Table 6, the Fog-CPS scheme has the lowest memory overhead, i.e., 1340 bytes followed by the Guo et al. [6] and Odelu and Das [8] schemes which take 1636 and 1760 bytes, respectively. The Zhou et al. [9] scheme incurs the highest overhead of 9876 bytes. It is noted that for    14 Wireless Communications and Mobile Computing the proposed scheme, the memory overhead of one final public and secret key over a shared attribute set ðjA k j = 10Þ has also been considered. Moreover, for the Setup and KeyGen algorithms, i.e., partial key pair generation in this case, the Fog-CPS scheme has the lowest overhead compared to all other schemes. The final secret key in the proposed scheme only requires one element of the order of base point on the elliptic curve G.
In the Guo et al. [6] scheme, there are ð2n + 1Þ elements in G 1 and one in G T for PK, two elements in G 1 for SK, and ðn − jℙj + 2Þ elements in G 1 for CT. In the Zhou et al. [9] scheme, there are ð6n + 1ÞG 1 and ð2jAj + 1Þ group elements in PK and SK, respectively, whereas CT has 2 group elements in G 1 and one in G T . The PK in the Cheng et al. [12] scheme has 2n elements in G 1 and two in G T ; the SK has jAj + 1 elements in G 1 , whereas the CT has 2 elements in G 1 and one in G T . In the Yamada et al. [14] scheme, PK contains 6 elements in G 1 and one in G T , SK contains ð4jAj + 2Þ elements in G 1 , and CT contains 3ðjℙj + 1Þ in G 1 . The Zhou et al. [9] scheme has the highest memory overhead followed by the Cheng et al. [12] and Yamada et al. [14] schemes. Both the Zhou et al. [9] and Cheng et al. [12] schemes have constant size ciphertexts which only require 2 group elements in G 1 and one element in G T . The CT in the Fog-CPS scheme and the Guo et al. [6] scheme have almost the same number of elements. In the key update Zhou et al. [9] Yamada et al. [14] Cheng et al. [12]   Zhou et al. [9] Yamada et al. [14] Cheng et al. [12] Table 7. The column Total operations represents the total number of operations by considering all algorithms, i.e., Setup, KeyGen, Encrypt, and Decrypt. In the proposed scheme, the computational overhead of one partial and final key pair generation and update are also considered. From Table 7, it is observed that the Fog-CPS scheme introduces the lowest computational overhead than all other schemes which are based on bilinear maps and elliptic curves.
For partial and final public key generation, the Fog-CPS scheme requires ð2n + 2Þ scalar multiplications in the elliptic curve group G. Likewise, for Encrypt and Decrypt, ðn − ℙ + 1Þ and ðn − ℙ + 2Þ scalar point multiplications are required, respectively. Moreover, in the key update algorithms, i.e., 4, 5, and 6, this scheme only requires two scalar multiplications.

16
Wireless Communications and Mobile Computing exponentiation operations, respectively. Similarly, for Encrypt, it requires 3 exponentiations and 1 pairing, whereas for Decrypt, ð2jℙj + 1Þ exponentiation and pairing operations are required. Moreover, for the Setup and KeyGen algorithms, the Cheng et al. [12] scheme requires ðn + jAjÞ exponentiation and n pairing operations. On the contrary, it requires 3 exponentiation and 2 pairing operations for the Encrypt and Decrypt algorithms, respectively. In the Yamada et al. [14] scheme, ð4jAj + 3Þ exponentiations are required for both the Setup and KeyGen algorithms. However, the Encrypt algorithm requires ð3jℙj + 1Þ exponentiations and Decrypt requires 2jℙj exponentiation and pairing operations.

Conclusion
The security and privacy challenges posed by Fog-CPS systems can affect both individuals and systems. The heterogeneous nature of CPS devices with varying degrees of computation and storage capacity also make it a challenging task to devise the security solutions. It is therefore essential to find lightweight solutions which eliminate the need for applying different security mechanisms at different layers of Fog-CPS. Moreover, the devised schemes must also enable the users/CPS devices to have control over their data without risking their privacy of information (e.g., identities, location, data, and type of service used) with other entities, such as the fog nodes and/or cloud provider. The existing PKE and ABE schemes are computationally expensive and, therefore, not suitable for resource-constrained devices. Moreover, the sharing of attributes with the FA risks the privacy of CPS devices as it can also decrypt the messages. Considering the limitations of existing schemes, in this paper, a lightweight encryption scheme is proposed. In the Fog-CPS scheme, the CPS devices generate the keys without relying on a FA. In our proposed security scheme, the above problems are addressed by dividing the attribute set into secret and shared attributes. The secret attributes are used for entity registration with FA, whereas the shared attributes are only shared with the collaborating CPS devices and employed to generate the final public and secret keys. The compromise of FA would not endanger the secrecy of messages among CPS devices, as they can still securely communicate. Furthermore, the key update process of the proposed scheme is very lightweight, since the key generation process as found in Algorithms 1-3 is not repeated. Another novel aspect of the Fog-CPS scheme is that it is based on elliptic curve cryptography which supports smaller key sizes and is highly suitable for resource-constrained CPS devices. The experimental evaluation shows that the Fog-CPS security scheme outperforms other ABE schemes based on bilinear pairing and elliptic curves. In the future, the authors will investigate how the proposed scheme can be further improved to support more expressive access structures and an adaptive security model.