Provable Secure Group Key Establishment Scheme for Fog Computing

In the fog computing paradigms, fog nodes are closer to terminal devices and can extend services to the edge of the network, thereby reducing the impact of high latency and restricted networks in the Internet of Things (IoTs). Fog compu-ting applications usually organize the terminal devices in groups and require some form of security protection. Previous studies on the establishment of group keys for fog computing architectures have high communication costs and cannot verify the authenticity of each entity. Therefore, in this paper, we propose a mutual authentication group key establishment scheme for the fog computing architecture by using elliptic curve cryptography. After mutual authentication, the cloud server can transfer the computing overhead to the fog node, which will be responsible for authenticating the device group and distributing the established group session key. The group session key consists of the private key of each entity and some random and tempo-rarily stored values. We prove that the established group session key is protected by the Canetti-Krawczyk (CK) adversary model. Finally, we evaluate performance based on calculation and communication costs. Compared with previous studies, the proposed scheme is lightweight and effective because it only involves elliptic curve operations and symmetric cryptographic operations.


I. INTRODUCTION
To deal with the problems of high latency and constrained networking in Internet of things (IoTs), the concept of fog computing was introduced. The components of fog computing can in general be grouped into three layers: cloud layers, fog layers and end device layers. The cloud layer comprises cloud servers with high computing capability and databases for storage, providing data analysis capabilities security services for authentication. The fog layer consists of routers, gateways, base stations, switches, etc. It decentralizes the computing requirement of the cloud server and extends the services to the edge of the network, and thus enable real time data processing [1]. In the fog layer, the fog node has certain computing and storage capacity and is responsible for processing, aggregating and transmitting the data to the cloud layer. The end device layer contains a large number of IoTs devices. These devices can be sensor devices or mobile phones and in general send the sensor data to the fog layer via short range communication such as Bluetooth, Zigbee and Wi-Fi.
There are emerging applications of fog computing, such as the intelligent transportation system (ITS) using vehicular ad-hoc networks (VANETs), healthcare system and mobile networks. As mentioned in [2], in ITS, vehicles are equipped with onboard units (OBUs) to communicate to the fog nodes via the nearby roadside units (RSUs). The information of the vehicles will be sent to the intelligent transportation center (ITC) via the fog nodes, and ITC will collect the information and make decisions according to the traffic. In healthcare systems, the sensor devices will collect the physiological data and transmit them to the fog node for preprocessing [3]. The cloud server then conducts the data analysis to predict the condition of the patient.
In the architecture of fog computing, the devices are usually organized as groups. For example, in VANETs, groups of vehicles will communicate with each other in a network. If limited security protections are provided in the network, the fog nodes and devices may be compromised. The messages transmitted also can be eavesdropped. The attacker may obtain some privacy information such as personal data, location histories and healthy conditions. To ensure the stability and reliability of the messages, there must be a group key to encrypt the transmitted messages and protect the communication over insecure networks.
Although fog computing is considered to be a more secure architecture than cloud computing [3], it still has many security and privacy issues [4][5][6]. Authentication is an important issue for the security of fog computing. Compared with cloud computing, authentication in fog computing will face greater challenges. In fog computing, there are multiple different trust domains such as cloud, fog service providers, and users, that is, multiple participants interact in an ecosystem where multiple trust domains coexist [7].
Because the fog nodes and devices will dynamically change their location, it is not realistic to pre-share a session key between these entities [8]. Authenticated key agreement (AKA) protocols can authenticate each entity and generate a common session key at each session. Each entity in the group can encrypt messages by the group session key (GSK). Since the message is authenticated without bothering the cloud server, the transmission is efficient and the devices can assure the message authenticity [9].
Shabisha Placide, et al. [10] developed an authentication and key agreement mechanism for groups of IoTs devices. In the authentication and key agreement mechanism, the cloud server, the fog node and devices compute the GSK with certain points on elliptic curves (EC) by using the Lagrange interpolation. The communication cost of EC points is high, resulting in high latencies. In addition, the authentication mechanism is not imposed on all of messages and thus it cannot verify whether a device is forged or not.
As the emergence of the fifth generation wireless communication (5G), the number of connected devices will be expected to increase [9]. To reduce the authentication requests, fog nodes can be used to verify the authenticity of the devices without much involving the cloud server. This mechanism thus reduces the computation overheads of the cloud server. The previous study of establishing GSK in the fog computing paradigms [10] involves many rounds of messages exchanged, resulting a high latency. In this paper, we reduce the communication overheads between the cloud server and the fog nodes by first authenticating the fog node and then delegating the authentication tasks to the authenticated fog nodes.
Centralized group key distribution (GKD) uses a group key manager (GKM) to manage and distribute the session key [11]. In this scheme, if the GKM is compromised, the entire system will be broken. In the proposed scheme the authenticated fog nodes act like the role of GKM to distribute the GSK while the fog nodes are not centralized. Each device will interact with the nearby fog node for authentication and the GSK. Furthermore, the GSK is composed of private keys of each entity and some random and temporarily stored values, and each entity also needs its private key and some random values to accomplish the mutual authentication phase. Hence, there is no key escrow problems.
We will conduct a formal security analysis with the random oracle model [12] and the Canetti-Krawczyk (CK) threat model [13]. In the security analysis, we assume that the attacker cannot distinguish the GSK from a random value. The proposed scheme will be proved with respect to an adversary who is able to reveal session state specific information, or long-term private keys and previous GSKs. Finally, a performance analysis of the communication and computation costs will be presented. The results show that the computation and communication costs is less than existing approaches [10].

II. RELATED WORK
In this section, we will review some existing approaches on key agreement and authentication for the group of devices in fog computing and IoT applications.

A. INTERNET OF THINGS (IOTs) ARCHITECTURE
Amin et al. [14] and Odelu, Vanga, et al. [15] developed an authenticated key agreement and distribution scheme of the client and server architecture. The approach focused on distributed cloud computing environments and all users are requested to be authenticated by the cloud server to establish a common session key [14]. The operations mainly include exclusive-or, symmetric keys and hash functions and thus the communication overhead is low even for the resourceconstrained IoTs devices. However, Li, Wenting, et al. [16] pointed out that the method cannot specifically solve the problem about user anonymity and forward secrecy since some private information is preserved by the smart card. In addition, Aman, Muhammad Naveed, et al. [17] and Guin, Ujjwal, et al. [18] proposed mutual authentication schemes with physically unclonable function (PUF) in the environment of IoTs.

B. FOG COMPUTING ARCHITECTURE
Aiming at improving the AKA protocol proposed in [19], Jia, Xiaoying, et al. [8] presented an AKA scheme for a fogdriven healthcare application. The approach can authenticate each entity and generate a common session key for each session by using elliptic curve and bilinear mapping operations. However, because of the high cost of the bilinear pairing operation, it is hard to apply the scheme to resource constrained devices. In addition, the scheme requires the devices to have a smart card and is subject to the vulnerabilities of side-channel attacks [20]. To improve the communication costs, Ma, Mimi, et al. [2] and Patonico, Simone, et al. [21] proposed AKA protocols for the fog computing architecture, by using elliptic curves and hash functions to achieve mutual authentication and key agreement. It is shown that the scheme offers anonymity to each entity. The CK adversary model was used to analyze key exchange protocols and the adequacy of the generated session keys. Shen et. al. [22] proposed a lightweight authentication and matrix-based key agreement scheme for healthcare. Gope Prosanta [9] proposed a scheme to reduce the verification steps. Fog nodes can be used to verify devices without involving the central server. Moreover, devices can still receive services even if the central server is broken. Guo et al. [23] designed an effective authentication scheme for fog computing, but it does not support user mobility. Many handover authentication schemes have been designed for mobile networks. The goal of these schemes is to reduce handover delays and ensure that handover schemes are secure, especially to support user's anonymity. Fan et al. [24] designed a handover authentication protocol called ReHand based on symmetric cryptography. In Fan et al.'s scheme, the long-term key of each UE is shared with the base stations of the same region, and a region key is shared between eNB and HeNBs in the same region. Symmetric key-based approaches can significantly reduce the communication cost and calculation cost of handover authentication protocols, but due to the need to pre-allocate shared keys, this makes key management complicated, has poor scalability and is difficult to resist mobile device captured attacks [25].

C. GROUP KEY AGREEMENT AND ESTABLISHMENT
Zhu, Hongfeng [26] developed an authenticated key agreement protocol with chaotic maps that can apply to a group of users without involving any central server.
Recently, the approaches [10,27,28,29] proposed group key establishment schemes based on elliptic curve cryptography. In [17], the GSK is established using point operation and exclusive-or operation. However, this protocol is vulnerable to several attacks and does not provide anonymity [10]. Moreover, the high computational costs make the scheme unsuitable for IoTs applications [30]. The group key exchange protocols based on point operation and bilinear mapping are discussed in [28] and [29]. To improve the key escrow problem in [28], Sun, Hung-Min, et al. [29] combines the advantages of public key infrastructure (PKI) and IDbased public key cryptography. They proposed a mechanism for mobile environments and used a certificate-less signature algorithm for user authentication, which not only avoids the key escrow problem in ID-based key exchange protocols but also reduces the cost of certificate management. However, the computation load of [29] is too high to exploit in IoTs environments. The mechanism [10] requires end devices to exchange information with the fog node and the cloud server, then uses Lagrange interpolation to derive the GSK after receiving certain points from other entities. However, in this protocol some points needs to be transmitted to group of devices, which will result in high latency during the transmission [31]. We will extend the concept of [9] [10] to offload some computational overheads of the cloud server, and to improve communication and computation costs. Amor et al. [32] proposed a mutual authentication scheme where the fog and server authenticate each other using a public-key cryptosystem. This scheme is based on pseudonym-based cryptography and does not reveal a users real identity, maintaining the anonymity of end users and provides the main security requirements but it doesn't protect the session key exchanged between users and fog servers. The computation cost of this protocol is heavy and hence, it may not be suitable for resource-oriented devices such as IoTs devices [33].

III. PRELIMINARIES
We first review Elliptic Curve Cryptography (ECC). Then, the detail of Elliptic Curve Qu-Vanstone (ECQV) certificate scheme is elaborated.

A. ELLIPTIC CURVE CRYPTOSYSTEM (ECC)
In public key cryptography, ECC can offer improved security with reduced computational requirements with respect to RSA and ElGamal encryption.
An elliptic curve [34] is a plane curve satisfying the equation defined to be = + + ⋯ + , where the number of G is k, and G is the generator. If k is a selected integer in the interval [1, n − 1], (k, kG) can be an elliptic key pair [35]. Moreover, the security of ECC is based on the following computational problems.
(1) Elliptic curve discrete logarithm problem (ECDLP) Given two points ∈ ( ) and ∈ ( ) of an additive group N, it is computationally hard for a polynomial time bound algorithm to calculate ∈ .
(2) Elliptic curve computational Diffie-Hellman problem (ECCDH) Given three points ∈ ( ) , ∈ ( ) and ∈ ( ), it is computationally hard for a polynomial time bound algorithm to calculate , where x and y are two unknown parameters , ∈ .
(3) Elliptic curve decisional Diffie-Hellman problem (EC-DDH) Given four points , = , = and = in ( ), where x, y and z are unknown parameters and , ∈ , it is difficult to decide if is equal to .

B. ELLIPTIC CURVE QU-VANSTONE (ECQV) CERTIFI-CATE SCHEME
ECQV is now the most commonly used implicit certificate, without the need of a secure channel between the certificate authority (CA) and the entity and provides a more efficient alternative to traditional certificates. Figure 1 presents the ECQV scheme [36], which is defined on an elliptic curve of generator G of order n. In this scheme, the encoding function Encode (ID, ) will encode the arguments, and the decoding function (•) will extract from an encoding, and a hash function (•) which hashes the input value and yields a hash value as an integer in the range [0, n-1]. The CA has private key c and public key = . The user with an identity first generates a random integer and computes = . Then the user sends A and to CA. After receiving the information, CA chooses a random integer k from [1, n-1] and computes and = + . Then CA computes the certificate by encoding and , then computes = ( ) and s = ek + c mod n. The value of s and certificate Cert are sent to the user. Utilizing the certificate and s, the user compute ′ = ( ) and his private key = ′ + ( ). Then the user extracts ′ by ( ) and computes his public key with = ′ ′ + . Finally, the user verifies if the certificate is valid by comparing the multiplication of the private key and the generator with his public key.

C. THREAT MODEL
The CK-adversary model is considered as a threat model [13]. In this model, the adversary can eavesdrop on the channel or modify the transmitted message. Moreover, the adversary can also reveal session state specific information, session keys, or long-term private keys.

IV. PROPOSED SCHEME
In the proposed approach, three different entities are involved: cloud Server, fog nodes and group of devices During the registration phase, each entity needs to generate its own identity and send it to the cloud server. Next, the cloud server will compute the verifiers for fog nodes and store the identity of each device for further authentication. Because the cloud server will allocate and distribute the responsibilities to the fog nodes; the cloud server has to authenticate the fog nodes. After mutual authentication, the fog nodes and the cloud server will agree on the GSK. Once the authenticated fog node verifies the group of devices by using their identities, the GSK will be distributed to each fog node. Finally, the cloud server, fog nodes and group of devices can use the GSK to communicate with each other.

A. SYSTEM SETUP PHASE
During the system setup stage, the CA first chooses an elliptic curve of generator G in with generator point G of order q, and a random value c is set as the private key of the CA. Next, the CA computes the corresponding public key , and determines the hash function H. Also, the CA selects a symmetric key algorithm for encryption and decryption. The CA publishes the elliptic curve, together with the public key of the CA, the hash function and the symmetric key algorithm, and each entity will get the key pair by using ECQV mechanism. The notation used in the paper is summarized in Table 1.

B. DEVICE REGISTRATION PHASE
After the setup phase, device i gets the key pair ( , ) and the cloud server gets the key pair ( , ). Before communicating with each other, the device has to generate a random variable and a random identity which will change at each session. Then the device computes the elliptic curve points = • , and sends the identity , together with the elliptic curve points and its public key to the cloud server. Receiving the values, cloud server will reply an acknowledgement (Ack) message to the device and store the three items, as illustrated in Fig. 2. Note that related values and messages are transmitted through a secure channel such as DTLS (Datagram Transport Layer Security) channel in COAP (Constrained Application Protocol). Datagram Transport Layer Security (DTLS) is a communications protocol providing security to datagram-based applications

Notation Description
Identity of entity i by allowing them to communicate in a way designed to prevent eavesdropping, tampering, or message forgery. The Constrained Application Protocol (CoAP) is a specialized web transfer protocol for use with constrained nodes and constrained networks in the Internet of Things. In Fig. 2, parameters listed below the device and the cloud server are the values that have been stored, respectively, in each entity in the system setup phase.

C. FOG REGISTRATION PHASE
To deploy a device, it has to register with the cloud server and obtain the GSK through the nearby fog node. The fog node will generate a random identity and send public key along with the random identity to the cloud server securely. After receiving these values, the cloud server first chooses a random number and computes the verifier with the , the generated random number and the private key of its own. Then the cloud server sends the verifier to the fog node for future authentication. The steps for fog node registration are presented in Fig. 3.
Parameters listed below the fog node and the cloud server are the values that have been stored, respectively, in the system setup phase.

D. MUTUAL AUTHENTICATION AND GROUP KEY ESTAB-LISHMENT PHASE
In this stage, after the cloud server authenticating the fog node, a GSK shared between the fog node and the cloud server has been established. The GSK consists of the information of the devices, the fog node and the cloud server. Next, the fog node will authenticate joined devices and distribute the established GSK to them. The process can be divided into two parts. The first part is the mutual authentication and group key agreement process between the fog node and the cloud server. The second part is the mutual authentication and group key distribution between the fog node and each device. The steps are represented in Fig. 4 and Fig. 5. Parameters listed below the device, the fog node and the cloud server are the values that have been stored, respectively, in each entity in the system setup phase, while the parameters of the second line are values that have been stored in the previous phase.

1) MUTUAL AUTHENTICATION AND GROUP KEY AGREE-MENT PROCESS BETWEEN THE FOG NODE AND THE CLOUD SERVER (PART I)
In this part, the fog node needs to be checked by the cloud server to ensure the authenticity. If positive, the cloud server will continue to share a GSK with the fog node. Next, the fog node will conduct the following process.
(1) First, the fog node generates a random number and computes the elliptic curve point = ⋅ and the timestamp T1. Next, to prove the identity, the fog node also needs to compute the credential = ( ⋅ ) . Finally, the hash value = ( ∥ ∥ 1 ∥ ) is computed, and the message 1 = { 1 , , } is sent to the cloud server.
(2) After receiving the message 1 from the fog node, the cloud server first checks the timestamp 1 , then searches the database to verify the authenticity of the fog node. Then the cloud server will recover the verifier = ( ∥ ∥ ))and the credential = ( ⋅ the recovered verifier, the credential , timestamp 1 , and the elliptic curve point , the cloud server will check the hash value , in order to guarantee the integrity of message 1 . If the integrity of the hash value A is held, the process continues. The cloud server then generates a random number 1 and computes 1 = 1 ⋅ , = ∑ 1 ⋅ =1 + ⋅ and = + ⋅ + 1 ⋅ + ⋅ = ( , ). The group session key GSK is computed as the x-coordinate of the GK which is ( ).
Next, by generating a new random value random number 2 , the cloud server compute 2 = ( 2 + ) ⋅ , the common key 1 = ቀ( 2 + ) ⋅ ቁ with the fog node, (3) Upon receiving the message 2 from the cloud server, the fog node checks the timestamp 2 and recovers the credential = ( ⋅ ). Then the fog node verifies the integrity of 2 with the computed , the received message and the hash value 1 .
To decrypts the ciphertext S, the fog node computes the common key 1 = ( 2 ⋅ ) , and gets , 1 , 2 , … , , 1 , 1 , 2 , … , and 1 , 2 , … , . Finally, the fog node gets by ⨁ ( ), then computes GK = + ⋅ + 1 ⋅ + ⋅ = ቀ , ቁ and gets the = ( ). By checking if the hash value of the compute equals to the received hash value 2 , the fog node can verify the authenticity of the GSK and the cloud server. Therefore, the cloud server and the fog node can achieve mutual authentication. To authenticate group of devices in the next part, the fog node stores the values 1 , 2 , … , , 2 and GSK.

2) MUTUAL AUTHENTICATION AND GROUP KEY DISTRI-BUTION BETWEEN THE FOG NODE AND EACH DEVICE (PART II)
In this part, the fog node will verify joining devices to make sure the devices have already registered and have not been forged. Next, the fog node will send the masked GSK to the device and broadcast the start message as well as its public key to group of devices.
(1) Upon receiving the start message, by using the private key, the device can derive the credential = ( ⋅ ) , = ⨁ ( ) and the timestamp 3 . After combining these values in the hash value = ( ∥ ∥ 3 ), the device stores the public key of the fog node and sends the message 3 = { 3 , } to the fog node.
(2) After receiving the message, the fog node first checks the validity of the timestamp 3 and then recovers the credential = ( ⋅ ). Next, to authenticate the device, the integrity of the hash value need to be checked by using the recovered and the stored . In order to distribute the GSK to the device securely, the fog node computes the common key 2 = ( ⋅ ) and encrypts the in the ciphertext P with the common key 2 . Finally, the fog node uses the credential ′ = ( ⋅ ) and the timestamp 4 to prove the authenticity of itself. The hash values 1 = ( ∥ 4 ∥ ∥ ′ ) and 2 = ( ) are computed, and the message 4 = { , , 2 , 4 , 1 , 2 } is sent to the device.
(3) When the message 4 arrives, the device first verifies the timestamp 4 . Then the device recovers the credential ′ = ( ⋅ ) and checks the hash value 1 from the received message. To get the GSK, the common key 2 = ( ⋅ ) are derived by the device. Furthermore, the device also needs to decrypt P and ⨁ ( )⨁ ( 2 ⋅ ( + )). After getting the GSK, the device checks the correctness of the GSK by comparing the hash value of the GSK with the received hash value 2 . If hash value of the GSK is the same as 2 , the authenticity of the fog node is verified, since only the entity authenticated by the cloud server has the masked identity PID of the devices. The verification of the hash value 1 also illustrates that the fog node is not forged. Finally, the device stores the GSK for encrypting the transmitted message, and the group of devices can achieve mutual communication and transmit data to the cloud server through the fog node by using the GSK.

V. FORMAL PROOF OF SECURITY
In this section, we will prove the semantic security of the proposed protocol under the CK adversary model [13] and the random oracle model [12]. Because the registration phase is conducted through the secure channel, the proof of security will only include the mutual authentication and the group key establishment phase [37]. In this approach, four different entities are involved: the cloud server CS, the fog node FN, the devices ( = 1, … , ) and a random oracle O. By assuming the adversary will send the following queries to the oracle O, we then prove the Theorem 1 through a sequence of games based on the difference lemma [38]. Execute query. While receiving this query, the random oracle will execute the process by starting Send queries and answer all transmitted messages which are stored in the list , that is, 1 , 2 , 3 , 4 and Msg. This query models the passive attacks that the adversary can only eavesdrop the communication.

•
Corrupt query. In this query, the random oracle will return the long-term private key of a certain entity. The following results are queries returned from the random oracle. In this query, the random oracle will reveal the session specific state information that is the information of local state in each session to . The following are the outputs returned from the random oracle. • Session key reveal query (SKReveal). Upon receiving the query, the random oracle will return the GSK if the GSK has been generated.
• Test query. In this query, the random oracle flips a coin c. If the value c = 1, the random oracle will return the GSK, while the random oracle will return a random value which has the same length as the GSK if the value c = 0. This query can only be made when SKReveal or Corrupt queries has not been executed. The goal of the adversary is to distinguish the real session key from a random number, which occurs in the Test query. Let Pr(S) be the probability that succeeds in predicting the results of the Test query. The advantage of in breaking the semantic security of the proposed scheme equals to ( ) = ȁ2 ሾ ሿ − 1ȁ. If the advantage for winning the games satisfies ( ) ≤ , for any sufficiently small value > 0, our scheme offers semantic security under the CK adversary and the random oracle model.
To prove the semantic security of the proposed scheme, the following definitions are given.
(1) Partner The two participants are partners if they have authenticated each other and share a common session key. (

2) Freshness
The session is called fresh if that session has not been exposed by SKReveal or Corrupt queries. Lemma 1 (Difference Lemma). Let 1 , 2 , be events defined in some probability distribution where F is defined as the failure event. The two events 1 and 2 proceed identically unless the failure event F occurs. That is, 1 ∧ ¬ ⇔ 2 ∧ ¬ . Both ሾ 1 ሿ and ሾ 2 ሿ have values between 0 and ሾ ሿ ; therefore ȁ ሾ 1 ሿ − ሾ 2 ሿȁ ≤ ሾ ሿ.

Proof
Several games will be defined and sorted according to the probability of being attacked. We will show that the advantage in attacking the proposed scheme will be bounded above by a certain probability according to the results of the difference lemma described in Lemma 1. Five games {Game 0, Game 1, Game 2, Game 3, Game 4} are defined as following. Let to be the event that wins the Game i, where ∈ {0,1,2,3,4}, and represents the ℎ event.
(1) Game 0 This is the original attacking game described in the semantic security framework. By the definition in the semantic security framework, advantage of is ( ) = ȁ2 ሾ 0 ሿ − 1ȁ.
(2) Game 1 In this game, the oracles described above are simulated, and the results of the queries are stored in the lists , and which are the results of the Hash query, Send query and other queries. Thus, the probability that succeeds is ሾ 1 ሿ = ሾ 0 ሿ.
(1) (3) Game 2 In this game, all the queries are simulated except the following events. Event 1 ( 1 ): The collision of the output of the hash queries among different sessions. Event 2 ( 2 ): The collision of the generated random numbers among different sessions.
According to the birthday paradox, the probability that 1 happens is Since the random numbers will only be generated in Send and Execute queries, the probability that 2 happens is Consequently, according to the Difference lemma, we have ȁ ሾ 2 ሿ − ሾ 1 ሿȁ ≤ ℎ 2 2 + ( + ) 2

2
(2) (4) Game 3 In this game, is able to guess the hash value , 1 , 2 , , 1 , 2 successfully without querying the random oracles. If the guess is correct, the scheme will be aborted. This situation will only happen when the cloud server rejects the hash value A, the fog node rejects the hash values 1 , 2 and C, and the device rejects the hash value 1 and 2 in the Send query. Thus, the polynomial is formulated by ȁ ሾ 3 ሿ − ሾ 2 ሿȁ ≤ In this game, the model of the CK adversary is considered. is able to reveal either the session specific state information or the long-term private variables of each participant. Aiming to acquire the GSK, will perform the Execute and Hash queries. Additionally, the transcripts between every participant are available to . The following twelve cases are possible combinations. In each case, we first search for ( = 1, … , ) in SSReveal(CS) and SSReveal(FN) queries. Next, ( = 1, … , ) is derived to reconstruct the GSK. Moreover, to get the GSK, we need to decrypt S and ⊕ ( ) to derive first. For simplification, the notation i and j of the following cases are all ∈ {1, … , } and ∈ {1, … , } ∩ ≠ .

Case 2. SSReveal (FN), SSReveal (CS), SSReveal ( ) and
Corrupt ( ) gets ( = 1, … , ) and . Because of the lack of and of the same device, cannot get GSK from ( = 1, … , ). In another way, with , 1 , and , can recover part of GSK with . However, and are not sufficient to recover ⋅ unless solving the ECCDH problem.  1, … , ) , ( = 1, … , ) and . As a consequence, is not able to obtain GSK. Next may try to recover part of GSK with , 1 , , and . However, to recover ⋅ by using and , the attacker needs to solve the ECCDH problem first.

Store
The above cases indicate that does not have sufficient information to reconstruct GSK unless solving the ECCDH problem. The difference between Game 3 and Game 4 is ECCDH assumption. Thus, ȁ ሾ 4 ሿ − ሾ 3 ሿȁ ≤ ( ) • ℎ (4) From Game 0 to Game 4, Lemma 1 and eq. (1) to (4), we can prove Theorem 1, that is, the advantage of ( ) is bounded.

VI. SECURITY ANALYSIS
This section demonstrates that the proposed approach is secure against several attacks.
• Anonymity and un-traceability In the proposed approach, an adversary cannot retrieve the identities of other devices while transmitting messages during the mutual authentication and key establishment process. Since the whole process is combined with hash values and ciphertext. The identities are hidden in the ciphertexts . In addition, since the ciphertext is encrypted with the private key, only the authenticated devices, fog node and cloud server can recover the identities. Moreover, the entities will be authenticated at each session.
• Man in-the-middle attack Even if the transcripts are intercepted and modified by the attacker, the attacker still cannot forge each of the entity. The transcripts are composed of both the long-term variables and the session state specific information of the entity. According to the CK adversary model, the attacker cannot get both the long-term variables and the session state specific information of the same entity. If the attacker modifies the transcripts, the forged messages will not be authenticated by all entities. Hence, the proposed scheme is against man in-the-middle attacks.
• Replay attack In the proposed approach, the transmitted messages contain timestamps. Only the message with the newest time will be accepted. Thus, all the entities will reject the message without the correct timestamps.
• Perfect forward secrecy/ Group forward secrecy If the long-term private keys of all entities are compromised, the previous establish GSK will still be secure. Since the GSK is composed of both the long-term private keys and the random numbers, and the ciphertexts are encrypted with both long-term private key and state specific information, so the attacker cannot compute the GSK and cannot recover the GSK from the ciphertext A device joining a new session cannot get the former GSK from the present session. As described in Perfect forward secrecy/ Group forward secrecy, the GSK is composed of the long-term private keys and the random numbers. The state specific information and the random numbers will change at each session; therefore, the new device cannot acquire the former GSK by using the wrong key.
• Un-linkability and mobility The GSK will change at each session according to the fog node. If one of the fog nodes is compromised, the device can refuse the connection. With un-linkability, the proposed scheme can be applied to other scenarios such as mobile devices.
The analysis of security features for our proposed scheme in comparison with the recent protocols has been presented in Table2. As it can be observed, our suggested protocol is secure against all mentioned attacks and is able to provide security requirements such as anonymity and un-traceability. Hence, our proposed scheme is able to provide a high level of security, compared to other existing authentication schemes.

VII. PERFORMANCE
In this section, we compare our approach with the approach of [10], and further discuss the computational cost and communication cost of the proposed scheme.

A. COMPUTATIONAL COSTS
The computational cost is measured by counting the most computationally-intensive operations such as point multiplication, point addition, hash operation and symmetric encryption and decryption. Noted that the time for point multiplication, point addition, hash operation, symmetric encryption and symmetric decryption are , , ℎ , and . In this study, we used a personal computer with a 1.8GHz to 2.0GHz CPU. This computer is an Intel®Core™i7-8550U with 8192MB RAM, running Windows 10 operating system as a cloud server, and used Raspberry Pi 3 Model B with 1.2 GHz CPU as the fog node. An Arduino Uno with 32 KB flash memory and 2 KB static random access memory (SRAM) was used as the device. Table 3 provides the computational time of each operation. During the experiment, we used the Arduino Crypto library [42], which can implement these operations under the terms of the MIT license. In addition, the elliptic curve operation is implemented by Curve25519 that provides a 128-bit security level [43]. We also use AES with ECB mode to perform symmetric encryption/decryption operations and the key size is considered with 128 bits. We choose SHA256 as the secure hash algorithm of the hash function. Table 3 shows the results of comparing the operands proposed in this study with the operands in [10]. The parameter n represents the number of devices. Since the time of multiplication and addition of elliptic curve points is longer than that of symmetric encryption/decryption and hashing, we can consider point multiplication and addition the most. Compared with [10], the calculation computational cost of this scheme is less than [10], because the coefficient of n is smaller.

VIII. CONCLUSION
A mutual authentication group key establishment scheme is proposed to form a safe and effective environment for fog computing architecture. We have shown the semantic security of the scheme in the random oracle model under the CK adversary model. In the proposed scheme, fog nodes can be used to verify the authenticity of the device with reduced overheads of the cloud server. The result also shows that the computing and communication costs are less than the existing method. The proposed method can be deployed in practical IoTs applications with fog nodes being off-loading the cloud server.