Group Key Management Scheme for Multicast Communication Fog Computing Networks

Abstract

In group key management, the implementation of encryption often fails because multicast communication does not provide reliable linkage. In this paper, a new group key management scheme is proposed for multicast communication in fog computing networks. In the proposed scheme, any legal fog user belonging to a fog node will be able to decrypt a ciphertext encrypted by a secret shared key. The shared secret key is divided into key segments. In the rekeying operation process, each key segment is split into two factors with its shared production mechanism. The key updates are required to belong to the fog provider or the group management device. Fog users will have independent key segments unchanged. Then, the cost, the message of rekeying, and the dependence on credible channels will be decreased. This method can resist collusion attacks and ensure backward security and forward security, even if the number of users leaving is larger than the threshold value. Our scheme is also suitable for untrusted affiliate networks.

1. Introduction

Multicast communication technology is important for different network applications [1,2], especially for wireless networks. It is effective in transferring data from one source to many different destinations. Multicast communication technology has been used in network video, online e-sports, and real-time online conferences, which gets to be susceptible to different security assaults, e.g., refusal of service, eavesdropping, and attacks to capture the physical nodes [3]. At a given time, the message of a source can be sent to many destinations using multicast communication technology. Therefore, the security of multi-directional communication will be a challenging issue [4,5,6], and security schemes are needed for security, authentication, integrity, and non-repudiation of multicast communication [7].

Multicast communication technology is applied to untrusted networks, and tolerances forwarding network [8], such as deep space network, in which the time latency is very long and unreliable links generate rekeying errors [9]. Some solutions have also been proposed to combine multicast communication with other emerging effective technology, such as fog computing technology, which is deployed at the edge of the network near to the users [10]. There have also been many proposals to ensure data security and safety for multicast communication technology in fog computing [11,12]. In [13,14], the authors discuss the fog computing model for security and privacy issues, the advantages and applications of fog computing, like the smart grid, smart traffic lights in a vehicular network, and software-defined networks. In [15], the author uses visual cryptography and zero watermarking to develop a biometric security mechanism in fog computing. The paper [16] proposes identity authentication schemes based on fog computing, checking data integrity, data encryption to meet security, resolution, and availability of face recognition. To authenticate users, a secure key management scheme is proposed for fog computing services in [17]. In [18], the authors discussed problems related to fog computing, such as applications, challenges, and technologies, through surveying with different fog computing models. In [19], the authors have proposed an effective method in fog computing with an anti-duplication privacy protection technique to manage ownership. In [20], to ensure secure communication between a group of fog nodes and clouds, the authors have designed a key exchange scheme as an attribute-based encryption scheme. In [21], the authors propose an anonymous summary scheme, in which fog nodes are responsible for synthesizing data from the terminal nodes, and then transfer the aggregate data to the public cloud server. In [22], the author presents a summary of the research contributions and outlines future research directions to solve various security and privacy challenges in the fog computing field.

In multicast communication security, there are many proposed technologies. Group key management (GKM) is one of the important technologies [23,24,25]. It is a platform for security and efficiency, to support access, authentication, key agreement, etc. Therefore, to design schemes of GKM for multicast communication needs to be reviewed in detail for efficiency and security. Especially, the joining or leaving operation of members in the network, and the network resource costs for rekeying operations, must be ensured for forward and backward security [24,26]. GKM schemes have been proposed and applied and can classify into two categories following the member’s role. First is the key agreement protocol, such as the group key agreement [27,28], the communication-efficient group key agreement [29,30], the tree-based group key agreement [28], and the Diffie-Hellman-Logical Key Hierarchy (DH-LKH) [31,32]. Before communication, a shared key needs to be agreed upon by all group members. Part of the key material needs to be contributed to calculate the shared keys. The key management works the same on all members. The updated members have the rekeying tasks, and the computing costs are related to the scale of the networks, as given the autonomic group key management in deep space DTN (AGKM) in [33], and the autonomous shared key management scheme for space networks (AKMSN) [34]. There is no need to have a key management center as a powerful entity for key agreement protocol. The security channel does not need to be configured and some failed members can be accepted during the negotiation process. However, the Key Agreement Protocol has some inherent shortcomings, such as the scale of the network involves costs for rekeying operations. The implementation of public cryptographic arithmetic and the main time for exchanging materials between members is very high, so it consumes a lot of network resources. However, when the current wireless network is sensitive with the delay time or is limited with the resources, key agreement protocol is not suitable. Second is the key distribute protocol. The key management center plays a key role, such as having a strong entity. They undertake the task of creating, distributing, updating, and revoking. In the key distribute protocol, the shared keys will be sent for each legitimate member before joining the network to establish a secure channel. Two members can contact each other successfully, when they had a shared key, such as pairs key management [35], a key management scheme of random pre-distribution [36,37,38], and logical key hierarchy (LKH++) [39]. The network resource cost and time latency will be lower in these protocols, compared to those in the key agreement protocol.

In multicast communication, most GKM proposals are based on the ciphertext of the encryption key model, which can only be decoded successfully with a decryption key (Dk). In the rekeying operation, all members need to participate, which leads to the problem of 1-affect-n that considers whether the member updates. This affects the rest of the group as long as one member changes. The cause is that only one traffic encryption key (TEK) or group key is applied in group communication. To enforce security, after a single membership change, TEK needs to be updated for all members of the group. TEK is used to evaluate a 1-effect-n phenomenon. Otherwise, the group application suffers from the 1-affect-n phenomenon and consequent performance deterioration. Some other proposals are proposed in [40,41,42,43,44] to reduce the rekeying scale. In general, group key management has an important target to improve efficiency that decreases delay time, resource overheads, and scale in rekeying operations.

In [35], the authors propose a GKM scheme based on the multi-decryption key one-encryption key model. The multi-decryption keys have independent properties with each other corresponding to one encryption key. In the rekeying operation, the legitimacy of the decryption key that pertains to non-updated members is not destroyed by the updated decryption key. It can be said that this model is suitable for multicast communication. Consequently, the multi-decryption key protocol of one encryption key is promising to be widely applied in [42,43,44,45], in bilinear pairings [46], and threshold cryptography [47]. However, the schemes have some shortcomings, where the rekeying operation is still related to the network scale, and members who join or leave the network must participate in the rekeying operation, which is the ineffective cause in the collusion attack. Through collecting key segments with more than one threshold value, an attacker can negotiate the shared key.

In group key management, the implementation of encryption often fails because multicast networks do not provide reliable linkage. In this paper, we try to a group key management scheme for multicast communication fog computing networks, named GKMSFC. The main contributions are as follows:

• Any legal fog user who belongs to a fog node will be able to decrypt a ciphertext encrypted by a secret shared key.
• The shared secret key is divided into key segments, In the rekeying operation process, each key segment is split into two factors with his shared production mechanism, key updates are required to belong to the fog provider or the group management device.
• For the security aspect, because a different random value is chosen by the source in every process of decrypting, it is not possible to damage the decryption key, and the proposed scheme can ensure the backward and forward security and can against the collusion attacks.

The following sections of this paper are organized as follows. In Section 2, we illustrate the basic fog network structure and security requirements; In Section 3, we present and describe the knowledge of bilinear pairing and threshold cryptography. In Section 4, a group key management diagram is proposed, which includes the details of the use of main keys and a secret shared key. In Section 5, bases on security properties, such as the repairs, forward / backward security, and collusion attack, we analyze the security of the proposed model. In Section 6, we compare the performance of other group key management schemes with the proposed scheme; and finally, the conclusion of the article is given in Section 7.

2. Fog Computing Environment

2.1. Fog Network

Fog computing is defined as a computing server device at the edge of the network and includes devices close to the end-user. It plays as an intermediary layer between user devices and the cloud, in other words, it is the extended part of the cloud towards user devices. Fog nodes exist in fog computing networks, which can be considered as a “mini-cloud” located at the edge of the network and implemented through a variety of edge devices [48,49]. A fog computing-based network model is portrayed in Figure 1, which is represented by a hierarchy including cloud layer, fog layer, and end-user layer. The system entities are explained below:

• Cloud: Store, control, handle all data centers, and online services. It receives all data from Fog nodes, analyzes, and processes data according to the requirements of some applications.
• Fog Node (FN): Is an important active component for processing, calculating, and storing secret keys. It includes devices between the cloud and end-users, such as the base stations, servers, gateways, routers, switches, and access points. Each fog node serves the end-users in its communication range. We assume that the entities are reliable and well protected.
• Fog User (FU): Are the types of terminals that use services provided by the cloud or the providers of fog services. These types of devices are structured as heterogeneous (such as vehicle networks, smartphones, IoT devices, etc.). They connect short communication with the Fog node, in which the devices can be equipped with sensors and the ability to communicate to perceive environmental phenomena and send data through channels of communication to the fog node.
• Fog Key Management Center (FKM): Computes and creates secret keys, session keys, and private keys for users. In the fog network system, it is completely trusted by all members. The results and discussions may be presented separately, or in one combined section, and may optionally be divided into headed subsections.

2.2. Security Requirements

To ensure secure access, each fog service has a service key and each user or a group is sharing the same service key for access and is served by the fog devices. New challenges will arise, such as efficiency, performance, and scalability, if a group of dynamic users is sharing the same service key. Then, in group communication, only legitimate users can access the service and should follow the following rules:

• Backward security: When a new member joins the fog node to use the services, the GKM must ensure that a new member cannot decrypt the data before it joins the fog node. Then the GKM system is secure.
• Forward security: When a member loses the privilege of accessing the fog to use the service, it will not decrypt any group keys and any future group messages. Then the GKM system is secure.
• Collusion attacks: A secure GKM system will not be compromised, when some members cooperate to use the old keying documents to regain the group key.

2.3. Fog Security Devices Role

In each fog point, the FN is a member. It also acts as a representation of its Fog Users (FUs) cluster in its parent fog. When the FN receives the parent’s fog notification, it announces the message to the FU in its cluster. All FNs use the same shared key (Sk), and the FN’s task is to publish the received notifications. In this configuration, a single membership change in any fog cluster will result in a new Sk distribution to all fog users in all fog zones, as a common Sk is used. When one of the security fogs becomes the driving force for the member’s change, it is better to isolate the cluster from the other fog clusters, and divide it into segments to limit the effects of re-tracking of dynamic fog, and thus to reduce the 1-affects-n phenomenon. In our plan, we propose that in such situations the dynamic FN would decide to use an Sk independent of its fog cluster and Let (s, tk) be the threshold in the cryptographic protocol, where s is the key segments divided from the secret shared key (Sk), tk is a number of key thresholds, and each user collects a key section. Fog Users (FUs) can re-store shared keys if they own more key segments than the threshold tk. The rekeying operation only includes the resources of the encryption key, and the decoding of end-user FU does not change when a member of the group joins or leaves. The decryption key of the group members is not affected by the joining users’ rekeying operation. In this action, only the decryption key (Dk) is updated by FKM. Do not lose the legitimacy of the Dk when the member leaves without affecting the remaining members, it means that the FKM updates still own the decryption key without changing.

3. Key Establishment

3.1. Bilinear Pairings

Let ($G_{\iota },+$) and ($G_{\tau },\times$) respectively denote a cyclical addition and multiplication group of large prime order $p$. A generator is denoted by $G_p$, which belongs to the cyclic group G with order $p$. A bilinear map is given by $\widehat{e}:G_{\iota }\times G_{\iota }\to G_{\tau }$, and a generator of$G_{\tau }$ is $\widehat{e}\left(G_p,G_p\right)$. There are three properties in a bilinear map [50,51].

• Bilinearity. For $\forall G_{p_{\iota }},G_{p_{\tau }},ℳ\in G$, we have $\widehat{e}\left(G_{p_{\iota }}+G_{p_{\tau }},ℳ\right)= \widehat{e}\left(G_{p_{\iota }},ℳ\right)\left(G_{p_{\tau }},ℳ\right)$ and $\widehat{e}\left(x{G}_{p_{\iota }}+y{G}_{p_{\tau }}\right)=\widehat{e}{\left(G_{p_{\iota }},G_{p_{\tau }}\right)}^{xy}$, where $\forall x,y\in \mathbb{Z}$;
• Computability. For $\forall G_{p_{\iota }},G_{p_{\tau }}\in G_{\iota }$, there continually exists an efficient algorithm to calculate the value of $\widehat{e}\left(G_{p_{\iota }},G_{p_{\tau }}\right)$;
• Nondegeneracy. If $\exists G_p\in G_{\iota }$, then we have $\widehat{e}\left(G_{p_{\iota }},G_{p_{\tau }}\right)\ne 1$.

Based on the Bilinear Pairings, we will propose a security scheme, and define a probabilistic polynomial-time algorithm by the bilinear map instance generator. For the Bilinear Decision Diffie-Hellman Problem, we need to calculate the value $\widehat{e}{\left(G_p,G_p\right)}^{xyz}$ by giving $\left[x{G}_p,y{G}_p,z{G}_p and \sigma G_p \right]\in G$, where $x,y,z\in \mathbb{Z}$, decide $\widehat{e}{\left(G_p,G_p\right)}^{xyz}?=\widehat{e}{\left(G_p,G_p\right)}^{\sigma }$.

3.2. Threshold Cryptography

Let (s, tk) be the threshold cryptographic protocol, where s is the key segment which is divided from the secret shared key, tk is the number of key thresholds. Each user collects a key section. Users can re-store the shared keys if they own more key segments than the threshold tk [52].

Each legal $F{U}_i$ has a unique identity ($i{d}_i$),$i\in \left\{1,2,\dots ,s\right\}$. In all identities form $\mu =\left(i{d}_i,i{d}_2,\dots ,i{d}_s\right),$ the FKM selects k random value in $\left\{x_0, x_1, x_2,\dots ,x_{tk-1}|x_i\in \mathbb{Z}\right\}$. From a tk-degree polynomial equation, we have,

$$ℱ\left(id\right)={\displaystyle \sum }_{i=1}^{tk}{x}_{j}i{d}^j.$$

(1)

Constructing an equation of tk − 1 degree polynomial,

$$ℱ\left(id\right)={\displaystyle \sum }_{j=1}^{tk-1}{x}_{j}i{d}^j+x_0.$$

(2)

In a key distribution (KD) $x_0$is the shared key, FKM computes,

$$K{D}_i=ℱ\left(i{d}_i\right)={\displaystyle \sum }_{j=1}^{tk-1}{x}_{j}i{d}^j+x_0.$$

(3)

With a set$\mu$, via a secure channel, $F{U}_i$ receives the value $K{D}_i$ as key segments $x_0$. In a key recovery phase, FU is able to decrypt the encrypted ciphertext by using the shared key, because it collects tk key segments.

The polynomial equation is shown according to the Lagrange’s interpolation formula as follows,

$$ℱ\left(id\right)={\displaystyle \sum }_{i{d}_i\in {\mu }^{\prime }} K{D}_j{\displaystyle \prod }_{i{d}_i,i{d}_j\in {\mu }^{\prime } i{d}_i\ne i{d}_j}\frac{id-i{d}_j}{i{d}_i-i{d}_j},K{D}_i= ℱ\left(i{d}_i\right).$$

(4)

where ${\mu }^{\prime }=\left\{i{d}_{i1},i{d}_{i2},\dots ,i{d}_{itk}\right\}\left( {\mu }^{\prime }\subset \mu \right),\left\{ K{D}_{i1}= ℱ\left(i{d}_{i1}\right), K{D}_{i2}= ℱ\left(i{d}_{i2}\right),\dots , K{D}_{itk}= ℱ\left(i{d}_{it}\right)\right\}$.

The formula that can be used to calculate shared keys is

$$x_0=ℱ\left(0\right)={\displaystyle \sum }_{i{d}_i\in {\mu }^{\prime }} K{D}_j{\displaystyle \prod }_{i{d}_i,i{d}_j\in {\mu }^{\prime } i{d}_i\ne i{d}_j}\frac{-i{d}_j}{i{d}_i-i{d}_j},K{D}_i= ℱ\left(i{d}_i\right).$$

(5)

To concise, we assign a parameter ${\phi }_{i{d}_i\in {\mu }^{\prime }}$ with

$${\phi }_{i{d}_i\in {\mu }^{\prime }} ={\displaystyle \prod }_{i{d}_i,i{d}_j\in {\mu }^{\prime } i{d}_i\ne i{d}_j}\frac{id-i{d}_j}{i{d}_i-i{d}_j}.$$

(6)

When $id=0,{\phi }_{i{d}_i\in {\mu }^{\prime }}\left(0\right)$ is showed as

$${\phi }_{i{d}_i\in {\mu }^{\prime }}\left(0\right)={\displaystyle \prod }_{i{d}_i,i{d}_j\in {\mu }^{\prime } i{d}_i\ne i{d}_j}\frac{-i{d}_j}{i{d}_i-i{d}_j}.$$

(7)

3.3. Shared Secret Product

In substance, the threshold (s, tk) based secret product shared mechanism comes from the multiplication of two factors, where the two factors are $x_0 \mathrm{and} y_0$ illustrated by two formulas: ${ℱ}_{\iota }\left(id\right)={\displaystyle \sum }_{j=1}^{t{k}_{\iota }-1}{x}_{j}i{d}^j+x_0$ with a degree $t{k}_{\iota }-1$ polynomial and random parameter sets $\left\{x_0, x_1, x_2,\dots ,x_{t{k}_{\iota }-1}\right\}$, and ${ℱ}_{\tau }\left(id\right)={\displaystyle \sum }_{j=1}^{ t{k}_{\tau }-1}{y}_{j}i{d}^j+y_0$ with a degree $t{k}_{\tau }-1$ polynomial and random parameter sets $\left\{y_0, y_1, y_2,\dots ,y_{t{k}_{\iota }-1}\right\}$. Based on this secret product shared mechanism, FU can compute a product correctly, but it is unable to calculate to get any information on the two factors [53].

Constructing a degree $t{k}_{\iota }+t{k}_{\tau }-2$ polynomial as follows

$$ℱ\left(id\right)={ℱ}_{\iota }\left(id\right){ℱ}_{\tau }\left(id\right)=\left({\displaystyle \sum }_{j=1}^{t{k}_{\iota }-1}{x}_{j}i{d}^j+x_0\right)\left({\displaystyle \sum }_{j=1}^{t{k}_{\tau }-1}{y}_{j}i{d}^j+y_0\right).$$

(8)

$x_0 \mathrm{and} y_0$ are divided into s segments corresponding to the two formulas ${ℱ}_{\iota }\left(id\right),$ and ${ℱ}_{\tau }\left(id\right)$, and each member receives a key segments ${ℱ}_{\iota }\left(i{d}_i\right) \mathrm{and} {ℱ}_{\tau }\left(i{d}_i\right)$. Then ${ℱ}_{\iota }\left(i{d}_i\right)\times {ℱ}_{\tau }\left(i{d}_i\right)$ is a segment of production $x_0 \mathrm{and} y_0$.

The formula $ℱ\left(id\right)$ is shown

$$ℱ\left(id\right)={\displaystyle \sum }_{i{d}_i\in {\mu }^{\prime }}{ℱ}_{\iota }\left(i{d}_i\right){ℱ}_{\tau }\left(i{d}_i\right){\displaystyle \prod }_{i{d}_i,i{d}_j\in {\mu }^{\prime } i{d}_i\ne i{d}_j}\frac{id-i{d}_j}{i{d}_i-i{d}_j},$$

(9)

and

$$x_0{y}_0=ℱ\left(0\right)={\displaystyle \sum }_{i{d}_i\in {\mu }^{\prime }}{ℱ}_{\iota }\left(i{d}_i\right){ℱ}_{\tau }\left(i{d}_i\right){\displaystyle \prod }_{i{d}_i,i{d}_j\in {\mu }^{\prime } i{d}_i\ne i{d}_j}\frac{-i{d}_j}{i{d}_i-i{d}_j}.$$

(10)

4. Group Key Management Scheme in Fog Computing Network

In this section, we will give out the proposed scheme, named GKMSFC, which is a new group key management scheme for multicast communication fog computing networks), there are FKM is Fog Key Management Center, The whole scheme is divided into four stages, including initialization stage, encryption stage, decryption stage and rekeying stage. $\mathcal{S}{ℰ}_k(\ast )$ is the algorithm of the symmetric encryption key, $\mathcal{S}{\mathcal{D}}_k(\ast )$ is the algorithm of a symmetric decryption key, ${𝒽}_k(\ast )$ the hash function and N is the number of members.

4.1. Initialization Stage

Random numbers $\delta +\epsilon$ are selected and kept secretly by FKM from $\left\{\left( x_1, x_2,\dots ,x_{\delta -1}, y_1, y_2,\dots ,y_{\epsilon -1},F{S}_{t{k}_{\iota }},F{S}_{t{k}_{\tau }}\right)\in {\mathbb{Z}}_{G_p}\right\}$, to construct formulas$ℱ\left(id\right)$ and ${ℱ}_{\iota }\left(id\right)$ with δ—1-degree polynomial, ${ℱ}_{\tau }\left(id\right)$ is a formula with ε—1-degree polynomial. With the shared secret product mechanism, ${ℱ}_{\iota }\left(id\right)$ and ${ℱ}_{\tau }\left(id\right)$ are given as follows

$$\{\begin{array}{c}{ℱ}_{\iota }\left(id\right)={\displaystyle \sum _{i=1}^{\delta -1}}{x}_{i}i{d}^i+F{S}_{t{k}_{\iota }}\\ {ℱ}_{\tau }\left(id\right)={\displaystyle \sum _{i=1}^{\epsilon -1}}{y}_{i}i{d}^i+F{S}_{t{k}_{\tau }}\end{array}.$$

(11)

Polynomial formula $ℱ\left(id\right)$ with the degree $\delta +\epsilon -2$ is

$$ℱ\left(id\right)={ℱ}_{\iota }\left(id\right){ℱ}_{\tau }\left(id\right)=\left({\displaystyle \sum }_{i=1}^{\delta -1}{x}_{i}i{d}^i+F{S}_{t{k}_{\iota }}\right)\left({\displaystyle \sum }_{i=1}^{\epsilon -1}{y}_{i}i{d}^i+F{S}_{t{k}_{\tau }}\right).$$

(12)

The FKM selects $id+KDn\left(id+KD>\delta +\epsilon -2,KD<\epsilon -1,id>\delta -1\right)$ numbers and constructing several sets as follows

$$\mathbb{T}=\left\{t_{0,1},t_{0,2},\dots ,t_{0,i},\dots ,t_{0,id}\right\} and {\mathbb{Q}}_j=\left\{q_{j,1},q_{j,2},\dots ,q_{j,i},\dots ,q_{j,KD}\right\}, j\in \left\{1,2,\dots ,s\right\}.$$

(13)

Then calculating $M_{ek}=F{S}_{t{k}_{\iota }},F{S}_{t{k}_{\tau }}{G}_p\in G$, where $F{S}_{t{k}_{\iota }},F{S}_{t{k}_{\tau }}$ are selected by FKM as the main encryption key. The FKM selects two numbers ${ℳ}_{\iota },{ℳ}_{\tau }\in G_{\iota }$ and computes

$$\begin{array}{c}{\mathbb{T}}^{*}=ℱ\left(\mathbb{T}\right)G_p={ℱ}_{\iota }\left(\mathbb{T}\right){ℱ}_{\tau }\left(\mathbb{T}\right)G_p\hfill \\ \hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}=\left\{{ℱ}_{\iota }\left(t_{0,1}\right){ℱ}_{\tau }\left(t_{0,1}\right)G_p,{ℱ}_{\iota }\left(t_{0,2}\right){ℱ}_{\tau }\left(t_{0,2}\right)G_p,\dots ,{ℱ}_{\iota }\left(t_{0,id}\right){ℱ}_{\tau }\left(t_{0,id}\right)G_p\right\},\end{array}$$

(14)

$$\begin{array}{c}{\mathbb{Q}}_{\iota j}^{*}={ℱ}_{\iota }\left({\mathbb{Q}}_j\right)\left({ℳ}_{\iota }+{ℳ}_{\tau }\right)\hfill \\ \hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em} =\left\{{ℱ}_{\iota }\left(q_{j,1}\right)\left({ℳ}_{\iota }+{ℳ}_{\tau }\right),{ℱ}_{\iota }\left(q_{j,2}\right)\left({ℳ}_{\iota }+{ℳ}_{\tau }\right),\dots ,{ℱ}_{\iota }\left(q_{j,id}\right)\left({ℳ}_{\iota }+{ℳ}_{\tau }\right)\right\},\end{array}$$

(15)

$${\mathbb{Q}}_{\tau j}^{*}={ℱ}_2\left({\mathbb{Q}}_j\right)\left({ℳ}_{\iota }+{ℳ}_{\tau }\right)=\left\{{ℱ}_{\tau }\left(q_{j,1}\right)G_p,{ℱ}_{\tau }\left(q_{j,2}\right)G_p,\dots ,{ℱ}_{\tau }\left(q_{j,id}\right)G_p\right\}, j\in \left\{1,2,\dots ,s\right\}.$$

(16)

After the first step is finished, a Fog user ($F{U}_j$) has some decryption keys $D{k}_j$ and an encryption key $Ek$, which are expressed as

$$Ek=\langle p,G_{\iota },G_{\tau },\widehat{e},G_p,{ℳ}_{\iota },{ℳ}_{\tau },{ℳ}_{FS},{\mathbb{T}}^{*},\{{\mathbb{Q}}_{\tau j}^{*}\}\rangle ,D{k}_j=\{{\mathbb{Q}}_{\iota j}^{*}\}.$$

(17)

In the $Ek$, an encipherer of a session key is decrypted by the main encryption key ${ℳ}_{FS}$, $F{U}_j$ has the decryption key ${\mathbb{Q}}_{1j}^{*}\in \left\{1,2,\dots s\right\}$ for its decoder.

4.2. Encryption Stage

A source wants to send a plaintext $Mas$ to some destinations, main encryption key ${ℳ}_{FS}$ creates session key $Sk$ to encrypt the $Mas$ into a ciphertext Cipt through the following steps:

• A random number q is selected by the source to calculates ${ℳ}_{\iota }^{*}=q{ℳ}_{\iota }$;
• Session key $Sk=\left(S{k}_{\iota },S{k}_{\tau }\right)=h\left(id\parallel G_p^{*}\parallel {ℳ}_{FS}\parallel q\right)$ with ${ℳ}_{FS}$ and handles encryption $\mathrm{Cipt}= \mathcal{S}{ℰ}_{t{k}_{\iota }}\left(Mas\right),mac=h\left(Mas,S{k}_{\tau }\right) and \psi =\widehat{e}{\left({ℳ}_{FS},{ℳ}_2\right)}^{q}Sk$ are calculated by the source;
• The source calculates
  $F{S}^{**}=qF{S}^{*}=\left\{q{ℱ}_{\iota }\left(t_{0,1}\right){ℱ}_{\tau }\left(t_{0,1}\right)G_p,q{ℱ}_{\iota }\left(t_{0,2}\right){ℱ}_{\tau }\left(t_{0,2}\right)G_p,\dots ,q{ℱ}_{\iota }\left(t_{0,id}\right){ℱ}_{\tau }\left(t_{0,id}\right)G_p\right\}$ and ${\mathbb{Q}}_{\tau j}^{*}=q{ℱ}_{\tau }\left({\mathbb{Q}}_j\right)G_p=\left\{q{ℱ}_{\tau }\left(q_{j,1}\right)G_p,q{ℱ}_{\tau }\left(q_{j,2}\right)G_p,\dots ,q{ℱ}_{\tau }\left(q_{j,id}\right)G_p\right\}$;
• Finally, the ciphertext ${\mathrm{Cipt}}^{*}=\left[Cipt,mac,\psi ,{ℳ}_{\iota }^{*},F{S}^{**},{\mathbb{Q}}_{\tau j}^{*}\right]$ is sent to the destinations by the source.

4.3. Decryption Stage

An end-user $F{U}_j$ uses the decryption key ${\mathbb{Q}}_{\iota j}^{*}$ to decrypt a Cipt to obtain a plaintext $Ma{s}^{\prime }$. The steps are given as follows:

• An end-user $F{U}_j$ calculates $S{k}^{\prime }$ with ${\mathbb{Q}}_{\iota j}^{*}$ and ${\mu }^{″}=\left\{t_{0,1},t_{0,2},\dots ,t_{0,i},\dots ,t_{0,id},q_{j,1},q_{j,2},\dots ,q_{j,i},\dots ,q_{j,KD}\right\}$, where

  $$\begin{array}{l}S{k}^{\prime }=\left(S{k}_{\iota }^{\prime },S{k}_{\tau }^{\prime }\right)\\ =\frac{\widehat{e}\left({ℳ}_{\iota }^{*},{ℳ}_{FS}\right)\psi }{\widehat{e}({ℳ}_{\iota }+{ℳ}_{\tau },{{\displaystyle \sum }}_{i=1}^{id}{\phi }_{x_{0,i},{\mu }^{″}}\left(0\right)\times yℱ\left(t_{0,i}\right)p){{\displaystyle \prod }}_{j=1}^{KD}\widehat{e}\left({\phi }_{x_{i,j},{\mu }^{″}}\left(0\right){ℱ}_{\iota }\left(q_{i,j}\right)\left({ℳ}_{\iota }+{ℳ}_{\tau }\right),{ℱ}_{\tau }\left(q_{i,j}\right)q{G}_p\right)}.\end{array}$$

  (18)
• $F{U}_j$ decrypts the ciphertext with $Ma{s}^{\prime }=\mathcal{S}{\mathcal{D}}_{S{k}_{\iota }^{\prime }}\left(Cipt\right),ma{c}^{\prime }=h\left(Ma{s}^{\prime },S{k}_{\tau }^{\prime }\right)$;
• The $F{U}_j$ will accept a valid plaintext (Mas’) in case I’= I, else it will be rejected.

4.4. Rekeying Stage

The rekeying operation only includes the resources of the encryption key, the decoding of the end-user. FU does not change when a member of the group joins or leaves.

• Join
  We assume a new user joins as $F{U}_{n+1}$, this activity will take place as follows:

  (1)

  FKM selects id random numbers ${\mathbb{Q}}_{n+1}=\left\{t_{n+1,1},t_{n+1,2},\dots ,t_{n+1,id}\right\}$ for $F{U}_{n+1}$, having a new set $\{{\mathbb{Q}}_j\mid j\in \left\{1,2,\dots ,n+1\right\}\}$;

  (2)

  FKM selects $\left\{y_1^{\prime }, y_2^{\prime },\dots ,y_{\epsilon -1}^{\prime },F{S}_{t{k}_{\tau }}^{\prime }\right\}$, replaces ${ℱ}_{\tau }\left(id\right)$ with ${ℱ}_{\tau }^{\prime }\left(id\right)= {\displaystyle \sum }_{i=1}^{\epsilon -1}{y}_i^{\prime }i{d}^i+F{S}_{t{k}_{\tau }}^{\prime }$, so $ℱ\left(id\right)⟹ {ℱ}^{\prime }\left(id\right)$ with $\delta +\epsilon -2$degree polynomial

  $${ℱ}^{\prime }\left(id\right)={ℱ}_{\iota }\left(id\right){ℱ}_{\tau }^{\prime }\left(id\right)=\left(\sum _{i=1}^{\delta -1}{x}_{i}i{d}^i+F{S}_{t{k}_{\iota }}\right)\left(\sum _{i=1}^{\epsilon -1}{y}_i^{\prime }i{d}^i+F{S}_{t{k}_{\tau }}^{\prime }\right).$$

  (19)

  FKM calculates ${\mathbb{T}}^{*} and {\mathbb{Q}}_{\tau j}^{*}$ with

  $$\begin{array}{c}{\mathbb{T}}^{*}={ℱ}^{\prime }\left(\mathbb{T}\right)G_p=\\ {ℱ}_{\iota }\left(\mathbb{T}\right){ℱ}_{\tau }^{\prime }\left(\mathbb{T}\right)G_p=\left\{{ℱ}_{\iota }\left(t_{0,1}\right){ℱ}_{\tau }^{\prime }\left(t_{0,1}\right)G_p,{ℱ}_{\iota }\left(t_{0,2}\right){ℱ}_{\tau }^{\prime }\left(t_{0,2}\right)G_p,\dots ,{ℱ}_{\iota }\left(t_{0,id}\right){ℱ}_{\tau }^{\prime }\left(t_{0,id}\right)G_p\right\}.\end{array}$$

  (20)

The decryption key of the group members is not affected by the joining users’ rekeying operation. However, in this action, only the Dk is updated by FKM.

• Leave
  We assume a new user leaves as $F{U}_n$, this activity will take place as follows:

  (1)

  The FKM deletes $\left\{{\mathbb{Q}}_n=\left\{t_{n,1},t_{n,2},\dots ,t_{n,id}\right\}\right\}\in F{U}_n$ from $\left\{{\mathbb{Q}}_j\mid j\in \left\{1,2,\dots ,n\right\}\right\}$;

  (2)

  FKM selects $\left\{y_1^{\prime }, y_2^{\prime },\dots ,y_{\epsilon -1}^{\prime },F{S}_{t{k}_{\tau }}^{\prime }\right\}$, replaces ${ℱ}_{\tau }\left(id\right)$ with ${ℱ}_{\tau }^{\prime }\left(id\right)= {\displaystyle \sum }_{i=1}^{\epsilon -1}{y}_i^{\prime }i{d}^i+F{S}_{t{k}_{\tau }}^{\prime }$, so $ℱ\left(id\right)⟹ {ℱ}^{\prime }\left(id\right)$ with $\delta +\epsilon -2$degree polynomial

  $${ℱ}^{\prime }\left(id\right)={ℱ}_{\iota }\left(id\right){ℱ}_{\tau }^{\prime }\left(id\right)=\left(\sum _{i=1}^{\delta -1}{x}_{i}i{d}^i+F{S}_{t{k}_{\iota }}\right)\left(\sum _{i=1}^{\epsilon -1}{y}_i^{\prime }i{d}^i+F{S}_{t{k}_{\tau }}\right).$$

  (21)

  FKM calculates ${\mathbb{T}}^{*} and {\mathbb{Q}}_{\tau j}^{*}$ with

  $$\begin{array}{c}{\mathbb{T}}^{*}={ℱ}^{\prime }\left(\mathbb{T}\right)G_p=\\ {ℱ}_{\iota }\left(\mathbb{T}\right){ℱ}_{\tau }^{\prime }\left(\mathbb{T}\right)G_p=\left\{{ℱ}_{\iota }\left(t_{0,1}\right){ℱ}_{\tau }^{\prime }\left(t_{0,1}\right)G_p,{ℱ}_{\iota }\left(t_{0,2}\right){ℱ}_{\tau }^{\prime }\left(t_{0,2}\right)G_p,\dots ,{ℱ}_{\iota }\left(t_{0,id}\right){ℱ}_{\tau }^{\prime }\left(t_{0,id}\right)G_p\right\}\end{array}$$

  (22)

  $${\mathbb{Q}}_{\tau j}^{*}={ℱ}_{\tau }^{\prime }\left({\mathbb{Q}}_j\right)G_p=\left\{{ℱ}_{\tau }^{\prime }\left(q_{j,1}\right)G_p,{ℱ}_{\tau }^{\prime }\left(q_{j,2}\right)G_p,\dots ,{ℱ}_{\tau }^{\prime }\left(q_{j,y}\right)G_p\right\}, j\in \left\{1,2,\dots ,n-1\right\}.$$

  (23)

Do not lose the legitimacy of the Dk, when the member leaves without affecting the remaining members, it means that the FKM updates still own the decryption key without changing.

5. Security Analysis

In this section, we demonstrate the process of decrypting a ciphertext by a legitimate member through the process of modifying. Through the security section, we demonstrate that the calculation of the probability of an attacker cracking is equal to the BDDH problem, and the probability of this attack is insignificant for the attacker to crack. Our scheme guarantees the security of Collusion attacks, Backward secrecy, and Forward secrecy.

5.1. Adjusting

The primary key encrypts a session key if any member with a valid Dk can decrypt a ciphertext to obtain the right plaintext Mas. $F{U}_j$ uses Fog service legally with ${\mu }^{″}=\left\{t_{0,1},t_{0,2},\dots ,t_{0,i},\dots ,t_{0,id},q_{j,1},q_{j,2},\dots ,q_{j,i},\dots ,q_{j,KD}\right\}$. The process of successfully decrypting Mas with the decryption key $\left\{{\mathbb{Q}}_j\mid j\in \left\{1,2,\dots ,s\right\}\right\}$ is as follows

$$\begin{array}{c}\mathcal{S}{\mathcal{D}}_{\frac{\widehat{e}\left({ℳ}_{\iota }^{*},{ℳ}_{FS}\right)\psi }{\widehat{e}\left({ℳ}_{\iota }+{ℳ}_{\tau },{{\displaystyle \sum }}_{i=1}^{id}{\phi }_{t_{0,i},{\mu }^{″}}\left(0\right)\times qℱ\left(t_{0,i}\right)p\right){{\displaystyle \prod }}_{j=1}^{KD}\widehat{e}\left({\phi }_{q_{i,j},{\mu }^{″}}\left(0\right){ℱ}_{\iota }\left(q_{i,j}\right)\left({ℳ}_{\iota }+{ℳ}_{\tau }\right),{ℱ}_{\tau }\left(q_{i,j}\right)q{G}_p\right)}}\left(\mathcal{S}{ℰ}_k\left(Mas\right)\right)\\ =\mathcal{S}{\mathcal{D}}_{\frac{\widehat{e}\left({ℳ}_{\iota }^{*},{ℳ}_{FS}\right)\widehat{e}{\left({ℳ}_{FS},{ℳ}_{\tau }\right)}^{y}Sk}{\widehat{e}\left({ℳ}_{\iota }+{ℳ}_{\tau },{{\displaystyle \sum }}_{i=1}^{id}{\phi }_{t_{0,i},{\mu }^{″}}\left(0\right)\times qℱ\left(t_{0,i}\right)p\right){{\displaystyle \prod }}_{j=1}^{KD}\widehat{e}\left({\phi }_{q_{i,j},{\mu }^{″}}\left(0\right){ℱ}_{\iota }\left(q_{i,j}\right){ℱ}_{\tau }\left(q_{i,j}\right)\left({ℳ}_{\iota }+{ℳ}_{\tau }\right),q{G}_p\right)}}\left(\mathcal{S}{ℰ}_k\left(Mas\right)\right)\\ =\mathcal{S}{\mathcal{D}}_{\frac{\widehat{e}\left(y{ℳ}_{\iota },{ℳ}_{FS}\right)\widehat{e}\left(y{ℳ}_{FS},{ℳ}_{\tau }\right)S_k}{\widehat{e}\left({ℳ}_{\iota }+{ℳ}_{\tau },{{\displaystyle \sum }}_{i=1}^{id}{\phi }_{t_{0,i},{\mu }^{″}}\left(0\right)\times qℱ\left(t_{0,i}\right)p\right)\widehat{e}\left({{\displaystyle \sum }}_{j=1}^{KD}{\phi }_{q_{i,j},{\mu }^{″}}\left(0\right){ℱ}_{\iota }\left(q_{i,j}\right){ℱ}_{\tau }\left(q_{i,j}\right)\left({ℳ}_{\iota }+{ℳ}_{\tau }\right),q{G}_p\right)}}\left(\mathcal{S}{ℰ}_k\left(Mas\right)\right)\\ =\mathcal{S}{\mathcal{D}}_{\frac{\widehat{e}\left({ℳ}_{\iota }+{ℳ}_{\tau },y{ℳ}_{FS}\right)}{\widehat{e}\left({ℳ}_{\iota }+{ℳ}_{\tau },{{\displaystyle \sum }}_{i=1}^{id}{\phi }_{t_{0,i},{\mu }^{″}}\left(0\right)\times qℱ\left(t_{0,i}\right)p\right)\widehat{e}\left({{\displaystyle \sum }}_{j=1}^{KD}{\phi }_{q_{i,j},{\mu }^{″}}\left(0\right){ℱ}_{\iota }\left(q_{i,j}\right){ℱ}_{\tau }\left(q_{i,j}\right)q{G}_p,\left({ℳ}_{\iota }+{ℳ}_{\tau }\right)\right)}}\left(\mathcal{S}{ℰ}_k\left(Mas\right)\right)\\ =\mathcal{S}{\mathcal{D}}_{\frac{\widehat{e}\left({ℳ}_{\iota }+{ℳ}_{\tau },y{ℳ}_{FS}\right)}{\widehat{e}\left({ℳ}_{\iota }+{ℳ}_{\tau },\left({{\displaystyle \sum }}_{i=1}^{id}{\phi }_{t_{0,i},{\mu }^{″}}\left(0\right)\times qℱ\left(t_{0,i}\right)+{{\displaystyle \sum }}_{j=1}^{KD}{\phi }_{q_{i,j},{\mu }^{″}}\left(0\right){ℱ}_{\iota }\left(q_{i,j}\right){ℱ}_{\tau }\left(q_{i,j}\right)\right)q{G}_p\right)}}\left(\mathcal{S}{ℰ}_k\left(Mas\right)\right)\\ =\mathcal{S}{\mathcal{D}}_{\frac{\widehat{e}\left({ℳ}_{\iota }+{ℳ}_{\tau },q{ℳ}_{FS}\right)}{\widehat{e}\left(ℱ\left(0\right)q{G}_p,\left({ℳ}_{\iota }+{ℳ}_{\tau }\right)\right)}}\left(\mathcal{S}{ℰ}_k\left(Mas\right)\right)\\ =\mathcal{S}{\mathcal{D}}_{\frac{\widehat{e}\left({ℳ}_{\iota }+{ℳ}_{\tau },qF{S}_{t{k}_{\iota }}F{S}_{t{k}_{\tau }}{G}_p\right)}{\widehat{e}\left(F{S}_{t{k}_{\iota }}F{S}_{t{k}_{\tau }}q{G}_p,\left({ℳ}_{\iota }+{ℳ}_{\tau }\right)\right)}}\left(\mathcal{S}{ℰ}_k\left(Mas\right)\right)\\ =\mathcal{S}{\mathcal{D}}_{\mathrm{tk}}\left(\mathcal{S}{ℰ}_{\mathrm{tk}}\left(\mathrm{Mas}\right)\right)=Mas.\end{array}$$

(24)

5.2. Security

If the security of the program can be deduced into a complex and difficult issue, our project still satisfies the safety of the system. In the Probability Polynomial Time (PPT), we prove that it is a non-negligible probability for attacker cracks the BDDH problem (Bilinear Decision Diffie-Hellman Problem). We primarily center the security of main Ek within the equation $=\hat{\mathrm{e}}{\left({ℳ}_{FS},{ℳ}_{\tau }\right)}^{q}Sk$, because security depends on $Sk$ but the security of $Sk$ depends on the main Ek. We deduce security for the BDDH problem by building an emulator as given in Algorithm 1:

Algorithm 1 Steps for Building the Emulator

Input: set $\langle x{G}_p,y{G}_p,z{G}_p,{\mathbb{Z}}_{tk}, tk\in \left\{0,1\right\}\rangle$, and $\sigma$ is a random number $\mathrm{If} \langle x{G}_p,y{G}_p,z{G}_p,{\mathbb{Z}}_0\rangle$ is a valid quadruple, $\mathrm{then} \left(\langle x{G}_p,y{G}_p,z{G}_p,{\mathbb{Z}}_0\rangle \in SD\right)$ when ${\mathbb{Z}}_1=\widehat{e}{\left(G_p,G_p\right)}^{\sigma }$. $\mathrm{Else} \langle x{G}_p,y{G}_p,z{G}_p,{\mathbb{Z}}_0\rangle$ is an invalid quadruple, $\mathrm{then} \langle x{G}_p,y{G}_p,z{G}_p,{\mathbb{Z}}_0\rangle \ne \mathbb{Q}$. Suppose the attacker has a probability of success $\varphi$ when unlocking the problem BDDH:   5.1. ${ℳ}_{FS}=x{G}_p$, ${ℳ}_{\iota }=y{G}_p$, $z\in \mathbb{Z}$ is a random number, configure ${\mathbb{Q}}_j$ and $\mathbb{T}$,   polynomial ${ℱ}_{\iota }\left(id\right)$ with $\delta -1$ degree, polynomial ${ℱ}_{\tau }\left(id\right)$with $\epsilon -1$ degree,   $ℱ\left(id\right)={ℱ}_{\iota }\left(id\right){ℱ}_{\tau }\left(id\right)$ with $\delta +\epsilon -2$ degrees, then send to the attacker a set   $\langle p,G,G_T,\widehat{e},G_p,{ℳ}_{\iota },{ℳ}_{\tau },{ℳ}_{FS},{\mathbb{T}}^{*},\{{\mathbb{Q}}_j^{*}\}\rangle$;   5.2. The attacker selects and sends two same size keys$S{k}_0,S{k}_1$ to emulator;   5.3. The emulator chooses randomly$y\in \left\{0,1\right\}$, and sends ${\mathrm{Cipt}}^{*}=$      $\left[z{G}_p,z{ℳ}_{\iota },{\mathbb{Z}}_{tk},S{k}_y,qF{S}^{*}\right]$ that is ciphertext;   5.4. The attacker analyzes ${\mathrm{Cipt}}^{*}$to receive$y^{\prime }\in \left\{0,1\right\}$ and sends it to the emulator.   If y′ = y,     Then output $\langle x{G}_p,y{G}_p,z{G}_p,{\mathbb{Z}}_{tk}\rangle$.   Else,     output $\langle x{G}_p,y{G}_p,z{G}_p,{\mathbb{Z}}_{1-tk}\rangle$.   If $tk=0$,     Then $Cipt$ is an valid ciphertext with $Cipt={\mathbb{Z}}_{0}S{k}_y=\widehat{e}{\left(G_{FS},G_{\tau }\right)}^{\sigma }S{k}_y=$     $\widehat{e}{\left(G_p,G_p\right)}^{xyz}S{k}_y$.   If $tk=1,$     Then $Cipt$ is an invalid ciphertext with $Cipt={\mathbb{Z}}_{1}S{k}_y=\widehat{e}{\left(G_p,G_p\right)}^{\sigma }S{k}_y$

Therefore, if c is an invalid ciphertext the attacker will not be able to retrieve any information. The probability of success or failure when prediction y is equal, it can show as,

$$G_{p}q\left(y^{\prime }=y\mid tk=1\right)=G_{p}q\left(y^{\prime }\ne y\mid tk=1\right)=\frac{1}{2}.$$

(25)

Judgment probability $\langle x{G}_p,y{G}_p,z{G}_p,{\mathbb{Z}}_{tk}\rangle$ of emulator program when value $tk=1$ is,

$$G_{p}q(\langle x{G}_p,y{G}_p,z{G}_p,{\mathbb{Z}}_{tk}\rangle \in \mathcal{S}\mathcal{D}\mid t=1)=\frac{1}{2}.$$

(26)

The attacker obtains a valid ciphertext, when $tk=0$, with the probability of $\widehat{e}$, is organized according to the formula,

$$G_{p}q\left(y^{\prime }=y\mid tk=0\right)=\frac{1}{2}+\varphi .$$

(27)

Therefore, the judgment probability $\langle x{G}_p,y{G}_p,z{G}_p,{\mathbb{Z}}_k\rangle$ of the emulator program is valid

$$G_{p}q\left(\langle x{G}_p,y{G}_p,z{G}_p,{\mathbb{Z}}_{tk}\rangle \in \mathcal{S}\mathcal{D}\mid t=0\right)=\frac{1}{2}+\varphi .$$

(28)

In short, the advantage of cracking BDDH problems is

$$\begin{array}{c}{G}_{p}q(\langle x{G}_p,y{G}_p,z{G}_p,{\mathbb{Z}}_{tk}\rangle \in \mathcal{S}\mathcal{D})y\hfill \\ \hspace{1em}\hspace{1em}\hspace{1em}=G_{p}q(\langle x{G}_p,y{G}_p,z{G}_p,{\mathbb{Z}}_{tk}\rangle \in \mathcal{S}\mathcal{D} and t=1)\\ \hspace{1em}\hspace{1em}\hspace{1em}+G_{p}q(\langle x{G}_p,y{G}_p,z{G}_p,{\mathbb{Z}}_{tk}\rangle \in \mathcal{S}\mathcal{D} and t=0)\\ \hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}=\left(\frac{1}{2}\right)G_{p}q(\langle x{G}_p,y{G}_p,z{G}_p,{\mathbb{Z}}_{tk}\rangle \in \mathcal{S}\mathcal{D}\mid t=1)\\ \hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}+\left(\frac{1}{2}\right)G_{p}q(\langle x{G}_p,y{G}_p,z{G}_p,{\mathbb{Z}}_{tk}\rangle \in \mathcal{S}\mathcal{D}\mid t=0)=\frac{\left(1+\varphi \right)}{2}.\end{array}$$

(29)

Thus, from (30) GKMSFC and the BDDH problem have an equal probability of cracking key, this probability is negligible for the probability polynomial-time attacker.

5.3. Collusion Attack

Collusion attacks will threaten shared secret keys, if the number of secret key’s segments held by the attacker is greater than tk. Therefore, some GKM schemes based on cryptographic thresholds are not able to avoid this type of attack [45,46]. Because when a member leaves, the main encryption key remains unchanged. Then these members can collude with each other or malicious people can invade and compromise encryption keys with members leaving by taking the main Ek material $F{S}_{FS}\left({ℳ}_{\iota }+{ℳ}_{\tau }\right)$ with tk segments. Then it will calculate$\left[{ℳ}_{FS}=F{S}_{FS}{G}_p,G_p^{*}=q^{\prime }{G}_p,{ℳ}_{\iota }^{*}=q{ℳ}_{\iota }\right]$ on Ek and can successfully calculate Ek as

$$\begin{array}{c}\frac{\widehat{e}\left({ℳ}_{\iota }^{*},{ℳ}_{FS}\right)\psi }{\widehat{e}\left(F{S}_{FS}\left({ℳ}_{\iota }+{ℳ}_{\tau }\right),q^{\prime }{G}_p\right)}=\frac{\widehat{e}\left({ℳ}_{\iota }^{*},{ℳ}_{FS}\right)\widehat{e}{\left({ℳ}_{\mathrm{FS}},{ℳ}_{\tau }\right)}^{q^{\prime }}Ek}{\widehat{e}\left(\left({ℳ}_{\iota }+{ℳ}_{\tau }\right),F{S}_{FS}{q}^{\prime }{G}_p\right)}=\frac{\widehat{e}\left(F{S}_{FS}{G}_p,q^{\prime }{ℳ}_{\iota }\right)\widehat{e}\left(q^{\prime }{ℳ}_{\tau },F{S}_{FS}{G}_p\right)Ek}{\widehat{e}\left(\left({ℳ}_{\iota }+{ℳ}_{\tau }\right),s_s{q}^{\prime }{G}_p\right)}\\ =\frac{\widehat{e}\left(F{S}_{FS}{G}_p,q^{\prime }\left({ℳ}_{\iota }+{ℳ}_{\tau }\right)\right)Ek}{\widehat{e}\left(\left({ℳ}_{\iota }+{ℳ}_{\tau }\right),F{S}_{FS}{q}^{\prime }{G}_p\right)}=Ek.\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\end{array}$$

(30)

Thus, to prevent a collusion attack, every time a member joins or leaves the network, the ${ℳ}_{FS}$ of the main key must be updated, because the encryption Sk can be successfully cracked by an attacker if it does not know the main key and q′. For our GKMSFC, even if the attacker collects more keys than the number of the threshold, it cannot recover the main key. At the installation step with $ℱ\left(id\right)$ with $\delta +\epsilon -2$ degree $F{S}_{t{k}_{\iota }}$, $F{S}_{t{k}_{\tau }}$, the main key is divided into some key segments. The source takes the id of the key segment of $F{S}_{t{k}_{\iota }},F{S}_{t{k}_{\tau }}$ and nKD key segments of $F{S}_{t{k}_{\tau }}$. The destination receives KD segments of $F{S}_{t{k}_{\tau }}$. The destination is not able to calculate $F{S}_{t{k}_{\iota }},F{S}_{t{k}_{\tau }}$ before the decrypting step, because it does not have enough key segments even when $F{S}_{t{k}_{\iota }}$ is a known number. At the decrypting step, the source sends a ciphertext ${\mathbb{Q}}_{\tau j}^{*}=q{ℱ}_{\tau }\left({\mathbb{Q}}_j\right)G_p=\left\{q{ℱ}_{\tau }\left(q_{j,1}\right)G_p,q{ℱ}_{\tau }\left(q_{j,2}\right)G_p,\dots ,q{ℱ}_{\tau }\left(q_{j,\epsilon }\right)G_p\right\}$ on $F{S}_{t{k}_{\tau }}$ where q is a random number, with BDDH cracking probability. ${\mathbb{Q}}_{\tau j}^{*}$is negligible for a destination to retrieve $\left\{{ℱ}_{\tau }\left({\mathbb{Q}}_j\right)G_p\right\}$. Therefore, it is impossible to restore the main key $F{S}_{t{k}_{\iota }},F{S}_{t{k}_{\tau }}$ with the segments $\epsilon \left(KD\le \epsilon \le \delta +\epsilon -1\right)$ of the compromised members. The attacker can compromise and get more key segments than the number of $\delta +\epsilon -1$, when the number of members leaves is $\frac{\delta +\epsilon -1}{CD}$. The other attackers get ${\mathbb{Q}}_{\iota j}^{*}={ℱ}_{\iota }\left({\mathbb{Q}}_j\right)\left({ℳ}_{\iota }+{ℳ}_{\tau }\right) \mathrm{with} j\in \left\{1,2,\dots , \frac{\delta +\epsilon -1}{KD}\right\}$on $F{S}_{t{k}_{\iota }}$ and ${\mathbb{Q}}_{\tau j}^{*}=q_j{ℱ}_{\tau j}\left({\mathbb{Q}}_j\right)G_p$, on $F{S}_{t{k}_{\tau }}$ and ${\mathbb{Q}}_{\tau j}^{*}=q{ℱ}_{\tau }\left({\mathbb{Q}}_j\right)G_p$, on $F{S}_{t{k}_{\tau }}$ in all encrypting operations. If the source chooses random q, then respond $q=q_1=q_2=\dots =q_j=\dots =q_{\frac{\delta +\epsilon -1}{2}}$ and ${ℱ}_{\tau }\left(id\right)={ℱ}_{\mathsf{\tau }}{\left(\mathrm{id}\right)}_1^{\prime }={ℱ}_{\mathsf{\tau }}{\left(\mathrm{id}\right)}_2^{\prime }=\dots ={ℱ}_{\mathsf{\tau }}{\left(\mathrm{id}\right)}_{\mathrm{j}}^{\prime }=\dots ={ℱ}_{\mathsf{\tau }}{\left(\mathrm{id}\right)}_{\frac{\mathsf{\delta }+\mathsf{\epsilon }-1}{2}}^{\prime }$, an attacker can calculate the encryption key Ek as follows

$$\begin{array}{c}\frac{\widehat{e}\left({ℳ}_{\iota }^{*},{ℳ}_{FS}\right)\psi }{{{\displaystyle \prod }}_{i=1}^{\left[\left(\delta +\epsilon -1\right)/KD\right]}{{\displaystyle \prod }}_{j=1}^{KD}\widehat{e}\left({\phi }_{x_{i,j},{\mu }^{″}}\left(0\right){ℱ}_{\iota }\left(q_{i,j}\right)\left({ℳ}_{\iota }+{ℳ}_{\tau }\right),{ℱ}_{\tau }\left(q_{i,j}\right)q{G}_p\right)}\\ =\frac{\widehat{e}\left({ℳ}_{\iota }^{*},{ℳ}_{FS}\right)\psi }{{{\displaystyle \prod }}_{i=1}^{\left[\left(\delta +\epsilon -1\right)/KD\right]}{{\displaystyle \prod }}_{j=1}^{KD}\widehat{e}\left({\phi }_{x_{i,j},{\mu }^{″}}\left(0\right){ℱ}_{\iota }\left(q_{i,j}\right){ℱ}_{\tau }\left(q_{i,j}\right)\left({ℳ}_{\iota }+{ℳ}_{\tau }\right),q{G}_p\right)}\\ =\frac{\widehat{e}\left({ℳ}_{\iota }^{*},{ℳ}_{FS}\right)\widehat{e}{\left({ℳ}_{FS},{ℳ}_{\tau }\right)}^{q}Ek}{\widehat{e}\left(ℱ\left(0\right)\left({ℳ}_{\iota }+{ℳ}_{\tau }\right),q{G}_p\right)}= \frac{\widehat{e}\left({ℳ}_{FS},q{ℳ}_{\iota }+{ℳ}_{\tau }\right)Ek}{\widehat{e}\left(ℱ\left(0\right)\left({ℳ}_{\iota }+{ℳ}_{\tau }\right),q{G}_p\right)}=Ek.\end{array}$$

(31)

Therefore, to defend the session key Sk and the main key $F{S}_{t{k}_{\iota }},F{S}_{t{k}_{\tau }}$, conditions are required on $q\ne q_1\ne q_2\ne \dots \ne q_j\ne \dots \ne q_{\frac{\delta +\epsilon -1}{2}}$and ${ℱ}_{\tau }\left(id\right)\ne {ℱ}_{\tau }{\left(id\right)}_1^{\prime }\ne {ℱ}_{\tau }{\left(id\right)}_2^{\prime }\ne \dots \ne {ℱ}_{\tau }{\left(id\right)}_j^{\prime }\ne \dots \ne {ℱ}_{\tau }{\left(id\right)}_{\frac{\delta +\epsilon -1}{2}}^{\prime }$. ${\mathbb{Q}}_{\tau j}^{*}=q{ℱ}_{\tau }\left({\mathbb{Q}}_j\right)G_p=\left\{q{ℱ}_{\tau }\left(q_{j,1}\right)G_p,q{ℱ}_{\tau }\left(q_{j,2}\right)G_p,\dots ,q{ℱ}_{\tau }\left(q_{j,\epsilon }\right)G_p\right\}$ on ${ℱ}_{\tau }\left(id\right)G_p$ does not match the updated key segments ${ℱ}_{\upsilon }^{\prime }\left(id\right)G_p$. So, any malicious person can steal $F{S}_{t{k}_{\iota }}\left({ℳ}_{\iota }+{ℳ}_{\tau }\right)$ and more key segments than the number of the upper threshold, but it is not able to recover $F{S}_{t{k}_{\tau }}^{\prime }{G}_p$.

5.4. Forward/Backward Security

These are some important targets of security in GKM. Before and after the key update is at risk of being cracked by many members. The model in [45,46] cannot resist the collusion attack. In scheme [45,46], if the number of joining or leaving members is more than tk, it will be unable to guaranteed security. We propose a GKMSFC scheme with better performance because this scheme controls the random number q depended on the main key ${ℳ}_{FS}$. Enemies cannot attack, even if they capture the main key ${ℳ}_{FS}$, because they do not have a random session key q. Moreover, the FKM updates ${ℱ}_{\tau }\left(id\right)$ to update ${\mathbb{Q}}_{\tau j}^{*}$, the main key $M_{FS}^{\prime }=F{S}_{t{k}_{\iota }},F{S}_{t{k}_{\tau }}^{\prime }{G}_p$ is unable to be recovered before updating by a new joining member, but only recover the main key with ${\mathbb{Q}}_{2n+1}^{*}={ℱ}_{\tau }^{\prime }\left({\mathbb{Q}}_{n+1}\right)G_p=\left\{{ℱ}_{\tau }^{\prime }\left(q_{n+1,1}\right)G_p,{ℱ}_{\tau }^{\prime }\left(q_{n+1,2}\right)G_p,\dots ,{ℱ}_{\tau }^{\prime }\left(q_{n+1,id}\right)G_p\right\},$ by a new joining member, therefore it can ensure backward security. For the case when a member leaves, ${\mathbb{Q}}_{\tau j}^{*}$, can be updated by the FKM with updated ${ℱ}_{\tau }\left(id\right),$ the main key $M_{FS}^{\prime }=F{S}_{t{k}_{\iota }},F{S}_{t{k}_{\tau }}^{\prime }{G}_p$ after the update is difficult to calculate with ${\mathbb{Q}}_{2n+1}^{*}={ℱ}_{\tau }^{\prime }\left({\mathbb{Q}}_n\right)G_p=\left\{{ℱ}_{\tau }^{\prime }\left(q_{n,1}\right)G_p,{ℱ}_{\tau }^{\prime }\left(q_{n,2}\right)G_p,\dots ,{ℱ}_{\tau }^{\prime }\left(q_{n,id}\right)G_p\right\}$, and before the updating, it can only restore the $M_{FS} M_{FS}=F{S}_{t{k}_{\iota }},F{S}_{t{k}_l}{G}_p$.

6. Analysis Performance of KMGSFC

In this section, we analyze our model performance by comparison with other models through parameters, such as computation overhead, message overhead, rekeying efficiency, network load, scalability, 1-affect-n problem, and time latency.

6.1. Computation Overhead

The calculation of the bilinear pair in the GKMSFC scheme is considered with the most complex activities, which includes scalar multiplication in $G_{\iota }$, $G_{\tau }$, pairing calculations, and exponential modules.

• id for scalar multiplication ${\mathbb{T}}^{*}$, nKD scalar multiplication for ${\mathbb{Q}}_{\iota j}^{*}$ in $G_{\iota }$, scalar multiplication for ${ℳ}_{FS}$ are all done by FKM. Then we can calculate the total cost of computation, id + 2nKD + 2, for scalar multiplication in $G_{\iota }$.
• For the encrypting phase, we can calculate the total cost of computation as id + nKD + 1, for scalar multiplication in $G_{\iota }$ and exponential modules. The source performs scalar multiplication for ${ℳ}_{\iota }$, id scalar multiplication for $F{S}^{**}$, nKD scalar multiplication for ${\mathbb{Q}}_{\tau j}^{*}$, and exponential module for $\psi$.
• For the decoding phase, we can calculate the total cost of calculation as the scalar multiplication id + KD in G, KD + 1 in $G_{\tau }$ (Equation (25)), because id scalar multiplication is deployed for ${\displaystyle \sum }_{i=1}^{id}{\phi }_{t_{0,i},{\mu }^{″}}\left(0\right)\times qℱ\left(t_{0,i}\right)p,$ KD with scalar multiplication in $G_{\iota }$ with KD in ${\displaystyle \prod }_{j=1}^{KD}\widehat{e}\left({\phi }_{q_{i,j},{\mu }^{″}}\left(0\right){ℱ}_{\iota }\left(q_{i,j}\right)\left({ℳ}_{\iota }+{ℳ}_{\tau }\right),{ℱ}_{\tau }\left(q_{i,j}\right)q{G}_p\right)$, and multiplication in $G_{\tau }$ is done in the numerator of Formula (25).

6.2. Message Overhead

Suppose N₁ is the size of the group $G_{\iota }$, $G_{\tau }$, the size of$\mathcal{S}{ℰ}_k(*)$is N2, and the size of ${𝒽}_k(\ast )$is N3. Then in the encryption phase,$C_{Mas}=\left(id+KD+2\right)N1+ N2+ N3$, and the network scale affects the message cost $C_{Mas}$.

6.3. Rekeying Efficiency

In our key management model, the cost of messages and network connections are zero, because a member leaves or joins, the other members still retain the decryption key. Only FKM updates the encryption key by recalculating ${\mathbb{T}}^{*}$ and ${\mathbb{Q}}_{\tau j}^{*}$. In $G_{\iota }$, FKM performs scalar multiplication $\delta +\left(n+1\right)\left(\epsilon -1\right)$ for a joining $F{U}_{n+1}$, or scalar multiplication $\delta +\left(n-1\right)\left(\epsilon -1\right)$ for a leaving $F{U}_n$. However, in the scheme [45,46], the rekeying protocol ought to be redeployed to send a new Dk to the members and in the scheme the rekeying protocol ought to be redeployed to send a new key service to the members.

If the polynomial $ℱ\left(id\right)$ in the scheme [45,46] has a degree $\delta +\epsilon -2,$the decoder has id key segments and enciphers with KD key segments. In $G_{\iota }$, key management center performs scalar multiplication $id +\left(n+1\right)\left(KD-1\right)$ for a joining $F{U}_{n+1}$ and the key segments are updated for members with n + 1 messages cost, or scalar multiplication $id +\left(n-1\right)\left(KD-1\right)$ for a leaving $F{U}_n$ and the key segments are updated for members with the cost given by n–1 messages.

In

Table 1. Comparison of group key management (GKM) different schemes.

Scheme	Communication		Computation		Storage		Security		Scale
	Joining	Leaving	Member (Operation)		Member	Bulletin	Collusion	Forward and Backward
			Joining	Leaving
Key Management for Fog Computing
GKMSFC	0	0	id+(n + 1)KD	id+(n − 1)KD	n	0	Yes	Yes	Yes
Scheme [54]	$2\sqrt{\frac{2n}{n_{FS}}}-3$	$2\sqrt{\frac{2n}{n_{FS}}}-3$	$2\sqrt{2n_{FS}}-3$	$2\sqrt{2n_{FS}}-3$	$n_{FS}+\sqrt{2n_{FS}}+1$	3	No	Yes	Yes
Scheme [55]	n + 1	n − 1	n + k + 1	n + k + 1	n	1	No	Yes	Yes
Key Management Center
Scheme [45,46]	(n + 1)KD$N_1$	(n + 1)KD$N_1$	id+(n + 1)KD	id+(n − 1)KD	n	n	Yes	Yes
AKMSN [56]	$\left(n+2\right)N_1$	$N_1$	4n + 7	4n − 1	N + 2	1	Yes	Yes
KeyDer-GKM+ [57]	1	$\log N$	1	1	1	N	Yes
Key Distribute Protocol (at Session j, 1 ≤ j ≤ m)
LKH [58]	$\log N$	$\log N$	$\log N$	$\log N$	$\log N$	$\mathrm{jlog}N$	Yes	Yes	Yes
HK [59]	j(t + r)		t	m	m	mt	t-revoke
DCM [60]	t + r		t	m − j	m − j	t + r	No
NOFT &ROFT [61]	$\log N$	$\log N$	$\log N$	$\log N$	$\log N$	$\mathrm{jlog}N$	Yes	Yes

, we provide a performance comparison of some GKM schemes with our scheme. These schemes are effective as they can be executed by cryptographic hash functions and symmetric encryption schemes. We offer accurate analytical formulas rather than numerical data, using a set of system parameters that can be used to evaluate complexity and efficiency without network simulation. In each comparison, we introduce a bulletin to guarantee that an asynchronous member can calculate the updated group key regardless of how many rekey processing procedures are missed. The communication overhead is the number of transmitted tokens, the computation overhead is the number of performed activities for a member and the storage overhead is the number of stored keys for a member during the rekey and recovery processes.

Table 1 shows that Scheme [55] requires a message sent from the Fog Security Gateway to the end-users to request rekeying operation when a member joins or leaves, but our proposal outperformed the performance in this operation without any messages from the fog device. Furthermore, our proposal can prevent collusion attacks, ensure forward/backward security. However, Scheme [55] and Scheme [54] only protect forward/backward security. Although GKMSFC and Scheme [45,46] have the same computational cost, GKMSFC has less network load and message costs. Computation cost in AKMSN is more than the computation cost of Scheme [45,46] and GKMSFC, during the update of the rekeying re-establishment.

6.4. Scalability

In our proposal, the joining or leaving action is easy, without the involvement operation of other members [45,46]. Although the program needs support from FKM as well as Scheme [45,46] with the support of key management center, our proposal has better scalability than Scheme [45,46], because of the operation of the Scheme [45,46]’s rekeying process requires all members to join members who are joining. In the GKMSFC, the decryption key will not change for the remaining members, so the rekeying time will be less.

6.5. 1-affect-n Problem

We run the simulation using the Python Network library and obtain the average results over many iterations per simulation scenarios. We study 1 affects n phenomenon of each simulation protocol and the amount of decryption and re-encryption operations required for communication, by comparing KMGSFC with three existing approaches using single SK: independent SK per smog, centralized scheme, and scheme in [55].

In Figure 2, the features of the proposed scheme reduce to zero with the impact of the 1-affect-n phenomenon and improve the performance of GKM. In addition, the proposed scheme also maintains the quality of service (QoS) of group applications, especially for some high-security group applications, such as military communications where the group communication has to be interrupted during key updating. In conclusion, the 1-affect-n phenomenon in GKMSFC can be minimized to zero.

6.6. Time Latency

In key management, computing and communication of two activities will increase the latency: hardware performances when objects joining the network, and the complexity of key management algorithm. This paper focuses on communication latency, especially the latency in deep space networks. Because the calculation latency is significantly less than the spread latency, this latency will be determined by the channel’s physical properties when the link is reliable and the radio waves speed is fixed. Then more distance leads to more latency, and spread latency can be significantly increased in case there is unreliability to the channel. It can be sent multiple times to meet the task’s requirements with the same message. In this manner, the procedure of our proposition is based on the distribution of fog devices, and its advantages are the computing abilities near the end-user, to increase the link reliability. Moreover, our key management program reduces the dependence of reliable links, because the redundant members are eliminated, and in rekeying the key updating of legitimacy, members can be ignored. Attempting to gather as many key segments as possible with all the members, reducing the retransmission as many times as possible, the ability to not send the key material in unreliable links can reduce the latency in GKM. Without a reliable link, the legitimacy of the member’s Dk and the secret shared key can also be updated and revoked by the proposed FKM.

This scheme is tested to check the effectiveness in the probability of connection of the link from 0.1 to 1, and the threshold of threshold cryptography value is 10 with 100 members participating. The time latency of Scheme [45,46] and GKMSFC are almost similar in different connectivity probability links. As shown in Figure 3, with the x-axis showing the probability of the connection link, the y-axis shows the success rekeying rate.

In the GKMSFC Scheme, FKM has the task of rekeying without interactions between members, so it has a better performance than that of the Scheme [45,46]. However, in scheme [46,47], the success rekeying rate decreases with the decreasing probability of connection. In rekeying operation, GKMSFC has less time latency than Scheme [45,46], as shown in Figure 3.

The transmission time latency of GKMSFC and Scheme [45,46] is compared in Figure 4, with 2 selected random members, respectively source and destination. The distance between the two members are 10 hops, and each hop has a latency of 1ms. The relay member gets to be an updated member with a probability of 0.5 because during the transition member data can update the key. It can be seen that GKMSFC has less time latency than Scheme [45,46] because when there is a change of members, the old members are not involved in the rekeying process, as shown in Figure 5.

7. Conclusions

Based on the common secret product of the cryptography threshold and the bilinear pairs, we have proposed GKMSFC based scheme, which is a profile of a key management diagram that has better performance. The independence of the key is met by the decryption keys, with the advantage of an encryption key that corresponds to multi-decryption keys, including two components, fog computing and the end-users, respectively. In the rekeying operation, the key segments are divided into two elements, one is kept secret by FMK, where it can update the main key by its method. The other one is known by members which is unchanged, to help to improve the rekeying efficiency for time latency. The failure to update the decryption key of all remaining members would improve the cost of messaging and calculation. For the security aspect, because a different random value is chosen by the source in every process of decrypting, it is not possible to damage the decryption key, even an attacker has several key segments that exceed the threshold. GKMSFC can ensure the backward and forward security and can against the collusion attacks.