GKDBV-EF: A Lightweight and Provably Secure Group Key Distribution with Update and Batch Verification Protocol for Cloud-Fog-Edge Computing Networks

1. Introduction

Over the past few decades, there has been significant growth in fog computing. Fog computing systems include cloud servers, nodes, and edge devices. The Internet of Things (IoT) has grown at an exponential rate, resulting in large amounts of data generated by heterogeneous devices deployed in a diversity of locations. Due to inherent drawbacks of traditional cloud-centric architectures, like high latency, bandwidth congestion, and centralized dependency, make it unable to manage this increase. By putting computational and storage resources closer to data sources, the Cloud-Fog-Edge computing system has emerged as a potential solution to these problems. The Cloud-Fog-Edge computing environment can be used to accelerate processing for delay-sensitive cloud applications by delivering services at the network's edge. In this hierarchical architecture, Edge nodes process IoT data directly, while Fog nodes collaborate and aggregate data before sending selective data to the cloud. Designing lightweight cryptographic protocol that can work efficiently on resource-constrained devices while without degrading performance is a major challenge.

The majority of existing common key distribution techniques are susceptible to various security attacks and require complex mathematical operations that lead to excessive computational and communication overhead. In addition, frequent changes in group membership, including adding or removing edge nodes, need continuous key updates and rekeying operations, which, if not handled properly, can cause greater vulnerability to attacks and synchronization delays. To overcome these challenges, a mathematically sound, lightweight, and secure key distribution framework is required that supports efficient key updates and batch verification of multiple edge nodes in Edge–Fog-Cloud networks. For secure communication in many domains such as IoT, WSNs, VANETs, IoDs, etc., many key distribution and mutual authentication protocols have been introduced using Chinese remainder theorem (CRT). The majority of these schemes compute the inverse element using the extended Euclidean method. The inverse element calculation is known to be very time-consuming. Moreover, in some cases, the inverse element may not be present, rendering the computation ineffective. Chen et al. [2] developed a new way to solve CRT using Euler’s totient function. The congruent equation system can be solved using CRT with Euler’s totient function instead of the extended Euclidean method.

To achieve computational efficiency with robust security, we present, a new group key distribution and batch verification protocol for secure communication in Cloud-Fog-Edge computing networks based on Euler’s totient function and CRT. Euler’s function makes it possible to generate cryptographic parameters to avoid the computation of inverse element with reduced complexity, whereas CRT facilitates parallel modular computations for fast group key distribution and rekeying. These number-theoretic primitives, when combined with bilinear pairing, provides a strong mathematical foundation for fast secure key distribution and effective batch verification without the need for complex computations. The proposed protocol presents a hierarchical key management structure that is compatible with the Cloud-Fog-Edge architecture. The Fog nodes act as semi-trusted entities responsible for coordinating with Edge nodes and IoT devices in group key distribution and batch verification. In the proposed protocol key distribution and retrieval functionality is achieved with drastically reduction in computation and communication overhead. Moreover, our protocol provides the functionality of batch verification, allowing multiple edge nodes to be verified simultaneously, thereby minimizing communication overhead and latency. Furthermore, the protocol maintains forward and backward secrecy, guaranteeing that a newly joined edge node is unable to access past transmissions and a departed edge node is unable to access future ones. Comprehensive security analysis confirms that our protocol is resistant to known cryptographic attacks. Formal verification through ProVerif tool demonstrates that our protocol fulfils key security properties and confidentiality. Performance evaluations further show that our protocol significantly reduces computation time and communication cost than related protocols.

1.1. Motivation

The existing protocols proposed for security in edge-fog computing networks are either insecure against various known attacks or computationally expensive, making them unsuitable for practical deployment. Wu, S. et al. [7] protocol has a major architectural overhead in which Cloud server and individual Fog nodes maintain different sets of moduli equations for key distribution. Managing distinct sets of moduli equations and computing secret parameters for key distribution at both layers are extremely difficult. A critical security gap exists in protocols Zhang J. et al. [2], Vijaykumar, P. et al. [9], Wu, S. et al. [7] and Vijaykumar, P. et al. [27] due to their reliance on simple multiplicative relationships for key distribution. In these protocols, the group key $k_{g }$is masked by a parameter $\mu$ using basic scalar multiplication, resulting in linear ciphertext ($C=k_{g }\times \mu$ ). This structure is mathematically vulnerable; because it lacks non-linear transformation, the leakage of the $\mu$ allows an attacker to obtain the group key. Therefore, these protocols fail to provide semantic security. To address these gaps, we propose a unified distributed architecture that uses a single set of moduli equations across all layers of the fog-edge computing network and shifts expensive computations to an offline pre-computation phase, which greatly decreases overhead. By incorporating a non-linear modular group key encryption logic and providing a two-factor security derivation based on both the private key and the secret parameter, rather than just the private key, the system remains resistant to collusion, modulus leakage, and other known cryptographic attacks while maintaining superior real-time performance.

1.2. Major Contributions

In this paper, we propose GKDBV-EF, a new lightweight and provably secure group key distribution for Cloud-Fog-Edge computing networks that includes key updates and batch verification.

The contributions of this paper are summarized as follows:

We present a new lightweight and robust group key distribution and updating protocol that combines the Euler function and CRT, eliminating the need for modular inverse element calculation. This design considerably simplifies essential update processes and avoids feasibility concerns caused by missing inverses, making it ideal for dynamic and large-scale networks.

The proposed protocol allows for efficient group key updates when edge nodes join or depart the group. By reconstructing broadcast parameters with Euler function attributes, the updated group key can be securely provided to valid edges nodes while preventing revoked or newly joined nodes from obtaining group key. As a result, the method provides robust forward and backward security.

Based on the updated group key, we design a message authentication mechanism that enables both single and batch signature verification. The batch verification process enables the fog node to verify several messages simultaneously, significantly reducing verification time and computational overhead compared to individual verification.

The proposed protocol’s robustness against known cryptographic attacks is proved by formal security verification using Random Oracle Model (ROM), and ProVerif tool, as well as by conducting informal security analysis.

Extensive performance analysis demonstrates that our protocol outperforms the related protocol in terms of security features, computational, and communication cost, which proves that it is suitable for deployments in the real world.

1.3. Paper Organization

The rest of this paper is organized as follows. In Section 2, we discuss some related work and highlights the limitations of existing protocols. Section 3 outlines the proposed system model and cryptographic preliminaries. Section 4 describes the proposed protocol’s design. Section 5 examines security of the proposed protocol. The performance evaluation is shown in Section 6. Finally, Section concludes the paper.

2. Related Work

In recent years, various studies have presented a variety of authentication and key distribution mechanisms to allow system entities to transmit information securely in an untrustworthy environment. In [1], the authors proposed a scheme to efficiently distributes a group key using the Generalized CRT, with low communication cost and good scalability, while ensuring legitimate user authentication. However, it has security flaws such as vulnerability to collusion and algebraic attacks, a lack of strong forward/backward secrecy, and reliance on a trustworthy KGC. Zhang et al. [2] introduced an efficient authentication technique for VANETs with conditional privacy preservation that avoids master key pre-loading, allows trusted authorities to distribute dynamic group keys using CRT. It resists side-channel leakage, and provides robust security with minimum computation and communication cost. However, its performance can degrade in highly dynamic vehicular environments. Kumar et al. [4] introduced an effective and robust authentication and key distribution technique with low rekeying cost. It uses star topology for key distribution and dramatically reduces computation and communication costs. The proposed protocol is also integrated into a distributed architecture to improve its scalability.

Kumar et al. [5] presented a cloud-based TMIS protocol that provide efficient authentication and patient privacy. However, it is vulnerable to attacks like man-in-the-middle and replay. Furthermore, it depends on a trusted cloud/server for some specific operations, which may result in a single point of failure. Amanlou et al. [6] presents an ECDHE-PSK-based authentication protocol for IoT–fog environments that strikes a balance between security and efficiency. It uses lightweight operations while providing increases security features such as perfect forward secrecy. However, its scalability in large and heterogeneous IoT networks is still a question. Kumar et al. [8] proposed a scheme that reduces key server computing and storage costs by integrating lightweight join and leave procedures. It also uses a scalable clustered-tree CGKD design to efficiently manage dynamic membership, resulting in minimal cost for both the server and members. Vijayakumar et al. [9] present a group key management and double authentication technique for safe data transmission in VANETs with increased efficiency. However, subsequent investigation demonstrates that the technique is susceptible to replay and masquerade attacks, as previously collected messages can be exploited to compromise the system. This emphasizes the need for additional enhancements to maintain strong security.

Wazid et al. [10] presented a key management technique for secure communication in fog-based IoV with formal security validation. However, the approach is mainly tested through simulations and has not been deployed in the real world, leaving open questions about its scalability and performance in large-scale vehicle networks. Awais et al. [11] presented a new fog-based key agreement and authentication technique for VANETs that ensures mutual authentication, quick key establishment without the use of bilinear pairings. The scheme requires low computing and communication cost, and its security is verified using ROM. Ali et al. [12] introduced a lightweight key agreement and anonymous authentication mechanism for fog-based IoT systems that utilizes XOR and hash operations. It facilitates secure mutual authentication while minimizing computational overhead. However, it requires enhancement in mobility support and large-scale deployment. Gupta et al. [13] introduced, a novel key management technique for securing bidirectional communication in AMI of smart grids. It ensures efficient key updates at O (1) cost during dynamic membership changes. It provides strong security assurances, such as forward and reverse secrecy, which are confirmed by formal analysis.

Gupta et al. [14] developed a mutual authentication approach based on ECC for TMIS that provide patient privacy, anonymity, and secure session key formation. It uses ROM and ProVerif for formal security validation. Moreover, it reduces computational and communication overhead. Cui et al. [22] presented a hash-based authentication technique that uses a CRT-based group key mechanism to ensure safe key distribution and updates. However, the technique has linkability issues and requires additional overhead during variable substitution. Shao et al. [23] introduced a decentralized VANET authentication scheme that utilizes a unique group signature to facilitate reliable and anonymous communication via bilinear pairing. It enables threshold verification, revocation, traceability, and fast batch authentication. Zhong et al. [24] and authentication technique that supports secure V2I communication. It uses aggregate signatures and pseudonyms to provide batch verification and conditional privacy. Moreover, Pre-computation and fixed-size aggregated signatures decrease computing, communication, and storage expenses. Ali et al. [25] introduced a hybrid signcryption technique for secure vehicular communication in heterogeneous VANETs that ensures authentication, non-repudiation, and secrecy in a single phase. It increases efficiency by batch unsigncryption and requires lower computing costs. However, using bilinear pairings may result in overhead.

In recent years, several protocols for key management based on CRT have been presented. Chen et al. [28] presented a CRT-based group signature technique that may revoke a group member while not affecting other members' keys. Zheng et al. [29] presented a secure group key updating technique for centralized environments. Members used CRT to retrieve the updated group key. Agrawal et al. [30] presented a mutual-healing mechanism for group key broadcasting. The scheme included both key confirmation and mutual authentication mechanisms. However, the scheme's scalability is limited because it is not applicable in distributed environments. The majority of earlier works have focused on updating the key group key in centralized environments and are not suitable in decentralized environments such as cloud-fog-edge networks. Many other protocols [31,32,33] have been proposed for key distribution for secure communication in different environments including smart grids, VANETs.

3. Preliminaries

3.1. System Model

The suggested protocol has three layers: 1) cloud, 2) fog, and 3) edge, which allows for easy scalability. At the first cloud layer, just one entity cloud server is available, which is responsible for generating the requisite keys and secret parameters, as well as performing various system initialization tasks. The second fog layer comprises Fog nodes that manages the associated group of edge nodes. Fog nodes are also responsible for generating the subgroup key encryption key and distributing the private keys of edge nodes for their respective groups. The last Edge layer consists of Edge nodes, which are organized into distinct subgroups known as clusters. This layer has several subgroups/clusters of edge nodes, each of which is managed by the fog node to which it is linked. These clusters communicate with the intermediate layer fog nodes, which then communicate with the root layer cloud server. Subgroups/clusters are formed based on the number of edge nodes and cluster size, which is determined by the Cloud server. Figure 1 shows the architecture of the proposed edge-fog computing network, as well as the interaction and data exchange between entities.

3.2. Security Model

The security of the proposed scheme is analysed under a standard adversarial model for decentralized IoT–fog–cloud systems. The adversary is supposed to be a probabilistic polynomial-time entity that has complete control over public transmission channels, including the capacity to intercept, edit, inject, and replay communications. The adversary may compromise a limited number of edge nodes and obtain stored information, but is assumed to be unable to recover the global group key or compromise all participating entities simultaneously. The scheme's major security goal is to establish existential unforgeability against chosen-message attacks, which ensures that no adversary can generate a valid signature on a new message that can be accepted by the fog nodes or cloud server. Hash functions are modelled as random oracles, and the security of the protocol relies on the hardness of the Computational co-Diffie–Hellman Problem (co-CDHP). The incorporation of per-message randomness and secure batch aggregation guarantees resistance against replay attacks, signature linking, and batch forgery, such that acceptance of a batch verification implies the validity of all individual signatures except with negligible probability.

3.3. Notations

Table 1. describes the notations used throughout the paper. Notations.

Notation	Descriptions
${\mathcal{F}\mathcal{N}}_{\mathit{i}},$  ${\mathit{E}\mathcal{N}}_{\mathit{i}\mathit{j}}$	Fog node and edge node
${\mathit{P}}_{\mathit{C}},$  ${\mathit{P}}_{\mathit{F}}, \mathit{a}\mathit{n}\mathit{d} {\mathit{P}}_{\mathit{E}}$	Set of private keys for cloud server, fog node and edge node
${\mathit{p}}_{\mathit{c}},$  ${\mathit{p}}_{{\mathit{f}}_{\mathit{i}}},$  ${\mathit{p}}_{{\mathit{e}}_{1\mathit{j}}}$	Private keys for cloud server, fog node and edge node
${\mathcal{S}}_{\mathit{C}},$  ${\mathcal{S}}_{\mathit{F}},$  ${\mathcal{S}}_{\mathit{E}}$	Set of secret parameters for cloud server, fog node and edge node
${\mathcal{s}}_{\mathit{c}},$  ${\mathcal{s}}_{{\mathit{f}}_1},$  ${\mathcal{s}}_{{\mathit{e}}_{1\mathit{j}}}$	Secret parameters for cloud server, fog node and edge node
${\mathit{I}\mathit{D}}_{{\mathit{f}}_{\mathit{i}}} \mathbf{a}\mathbf{n}\mathbf{d} {\mathit{I}\mathit{D}}_{{\mathit{e}}_{\mathit{i}\mathit{j}}}$	The real identity for fog node and edge node
${\mathit{h}}_0,$  ${\mathit{h}}_1,$  ${\mathit{h}}_2$	One way hash function
${\mathit{\delta }}_{\mathit{i}}$	The group key encryption key
${\mathit{T}\mathit{I}\mathit{D}}_{{\mathit{f}}_{\mathit{i}}} \mathbf{a}\mathbf{n}\mathbf{d} {\mathit{T}\mathit{I}\mathit{D}}_{{\mathit{e}}_{\mathit{i}\mathit{j}}}$	Temporary identity for fog node and edge node
${\mathit{T}}_{\mathit{i}\mathit{j}}$	Timestamps
$\mathcal{A}\mathcal{D}\mathcal{V}$	Adversary
$\mathbb{G}$ and ${\mathbb{G}}_{\mathit{T}}$	Additive and multiplicative cyclic groups
$\mathit{P}$	A generator of cyclic group $\mathbb{G}$
$\mathit{\varphi }\left(.\right)$	Euler function
$\mathit{M}$	Product of all private keys
$\mathit{n}$	No. of fog nodes
$\mathit{m}$	No. of edge nodes
${\mathcal{s}}_{{\mathit{e}}_{\mathit{i}\mathit{j}}}^{-1}$	Modular inverse of secret parameter ${\mathcal{s}}_{e_{ij}}$of edge node ${E\mathcal{N}}_{ij}$
${\mathcal{G}\mathit{K}}_{\mathit{i}},$  ${\mathcal{G}\mathit{K}}_{\mathit{i}}^{\prime },{\mathcal{G}\mathit{K}}_{\mathit{i}}^{\prime \prime }$	Group Keys
${\mathit{r}}_{{\mathit{e}}_{\mathit{i}\mathit{j}}}$	A secret random number of edge node ${E\mathcal{N}}_{ij}$

Table 1. describes the notations used throughout the paper. Notations.

Notation	Descriptions
${\mathcal{F}\mathcal{N}}_{\mathit{i}},$  ${\mathit{E}\mathcal{N}}_{\mathit{i}\mathit{j}}$	Fog node and edge node
${\mathit{P}}_{\mathit{C}},$  ${\mathit{P}}_{\mathit{F}}, \mathit{a}\mathit{n}\mathit{d} {\mathit{P}}_{\mathit{E}}$	Set of private keys for cloud server, fog node and edge node
${\mathit{p}}_{\mathit{c}},$  ${\mathit{p}}_{{\mathit{f}}_{\mathit{i}}},$  ${\mathit{p}}_{{\mathit{e}}_{1\mathit{j}}}$	Private keys for cloud server, fog node and edge node
${\mathcal{S}}_{\mathit{C}},$  ${\mathcal{S}}_{\mathit{F}},$  ${\mathcal{S}}_{\mathit{E}}$	Set of secret parameters for cloud server, fog node and edge node
${\mathcal{s}}_{\mathit{c}},$  ${\mathcal{s}}_{{\mathit{f}}_1},$  ${\mathcal{s}}_{{\mathit{e}}_{1\mathit{j}}}$	Secret parameters for cloud server, fog node and edge node
${\mathit{I}\mathit{D}}_{{\mathit{f}}_{\mathit{i}}} \mathbf{a}\mathbf{n}\mathbf{d} {\mathit{I}\mathit{D}}_{{\mathit{e}}_{\mathit{i}\mathit{j}}}$	The real identity for fog node and edge node
${\mathit{h}}_0,$  ${\mathit{h}}_1,$  ${\mathit{h}}_2$	One way hash function
${\mathit{\delta }}_{\mathit{i}}$	The group key encryption key
${\mathit{T}\mathit{I}\mathit{D}}_{{\mathit{f}}_{\mathit{i}}} \mathbf{a}\mathbf{n}\mathbf{d} {\mathit{T}\mathit{I}\mathit{D}}_{{\mathit{e}}_{\mathit{i}\mathit{j}}}$	Temporary identity for fog node and edge node
${\mathit{T}}_{\mathit{i}\mathit{j}}$	Timestamps
$\mathcal{A}\mathcal{D}\mathcal{V}$	Adversary
$\mathbb{G}$ and ${\mathbb{G}}_{\mathit{T}}$	Additive and multiplicative cyclic groups
$\mathit{P}$	A generator of cyclic group $\mathbb{G}$
$\mathit{\varphi }\left(.\right)$	Euler function
$\mathit{M}$	Product of all private keys
$\mathit{n}$	No. of fog nodes
$\mathit{m}$	No. of edge nodes
${\mathcal{s}}_{{\mathit{e}}_{\mathit{i}\mathit{j}}}^{-1}$	Modular inverse of secret parameter ${\mathcal{s}}_{e_{ij}}$of edge node ${E\mathcal{N}}_{ij}$
${\mathcal{G}\mathit{K}}_{\mathit{i}},$  ${\mathcal{G}\mathit{K}}_{\mathit{i}}^{\prime },{\mathcal{G}\mathit{K}}_{\mathit{i}}^{\prime \prime }$	Group Keys
${\mathit{r}}_{{\mathit{e}}_{\mathit{i}\mathit{j}}}$	A secret random number of edge node ${E\mathcal{N}}_{ij}$

4. Proposed Protocol

4.1. System Initialization

In our protocol, we assume that there is a cloud server and $n$ fog nodes, each of which manages $m$ edge nodes. As a result, the protocol consists of $n\times m$ edge nodes. Each fog node connects to $m$ edge nodes, forming an $m$ -node cluster. The Cloud server generates secret parameters and private keys for itself, fog nodes and edge nodes from $Z_p^{*}$. Initially, the system generates one secret parameter and one private key for the Cloud server, and $n$ secret parameters and $n$ private keys for the fog nodes. Similarly, it generates $n\times m$ private keys and $n\times m$ secret parameters for maximum number of edge nodes. The private keys are generated by the Cloud Server's Private Key Generator (PKG) component. The system initialization process is explained in the steps below.

The cloud server chooses two cyclic groups: a multiplicative group ${\mathbb{G}}_T$, and an additive group $\mathbb{G}$ of order $n$, where $n$ is a large prime integer. It also chooses a residue class ring ${\mathbb{Z}}_n$. The cloud server randomly chooses $r\stackrel{\$}{\leftarrow }{\mathbb{Z}}_n$ and computes the public element $Q=r.P$, where $P\in \mathbb{G}$ be a generator.

Figure 1. System model of proposed Edge-Fog Computing protocol.

Figure 1. System model of proposed Edge-Fog Computing protocol.

The cloud server chooses two cryptographic one-way hash functions, namely ${ h}_1 : {\left\{0 , 1\right\}}^{*}\to \mathbb{G}$ and ${ h}_2 : {\left\{0 , 1\right\}}^{*}\to {\mathbb{Z}}_{n }^{*}$. It also defines an efficient bilinear pairing ê$:\mathbb{G}\times \mathbb{G}\to {\mathbb{G}}_{\mathrm{T}}$.

Cloud server generates three set of private keys $P_E=\left\{\left\{p_{e_{1j}}\right\},\left\{p_{e_{2j}}\right\},\left\{p_{e_{3j}}\right\},\dots \dots \dots .\left\{p_{e_{nj}}\right\}\right\},$ for $j=\mathrm{1,2},3,\dots \dots m$, $P_F=\left\{p_{f_1},p_{f_2},p_{f_3}\dots \dots \dots p_{f_n}\right\}$ and $P_C=\left\{p_c\right\}$ from $Z_n^{\mathrm{*}}$. The set $P_E$ consist of $n$ subsets, and each subset $p_{e_{1j}}$ contains $m$ private keys.

The private keys of all sets are co-prime to each other i.e., $\mathcal{g}\mathcal{c}\mathcal{d}\left(\left\{p_{e_{1j}}\right\},\left\{p_{e_{2j}}\right\},\left\{p_{e_{3j}}\right\},\dots \dots \dots .\left\{p_{e_{nj}}\right\},\left\{p_{f_1},p_{f_2},p_{f_3}\dots \dots \dots p_{f_n}\right\},\left\{p_c\right\}\right)=1$.

Similarly, the Cloud server generates three set of secret parameters ${\mathcal{S}}_E=\left\{\left\{{\mathcal{s}}_{e_{1j}}\right\},\left\{{\mathcal{s}}_{e_{2j}}\right\},\left\{{\mathcal{s}}_{e_{3j}}\right\},\dots \dots \dots .\left\{{\mathcal{s}}_{e_{nj}}\right\}\right\},$ for $j=\mathrm{1,2},3,\dots \dots m$, ${\mathcal{S}}_F=\left\{{\mathcal{s}}_{f_1},{\mathcal{s}}_{f_2},{\mathcal{s}}_{f_3}\dots \dots \dots {\mathcal{s}}_{f_n}\right\}$ and ${\mathcal{S}}_C=\left\{{\mathcal{s}}_c\right\}$ from $Z_n^{\mathrm{*}}$.

Cloud server computes the product $M$ of all entities’ private keys as $M={\displaystyle {\prod }_{i=1}^n}\left(p_{f_i}\right)\times {\displaystyle {\prod }_{i=1}^n}{\displaystyle {\prod }_{j=1}^m}\left(p_{e_{ij}}\right)\times p_c$. Also, computes $M_{f_i}={\displaystyle \frac{M}{p_{f_i}}}$ , $\forall i=\mathrm{1,2},3,\dots \dots n$, $M_{e_{ij}}={\displaystyle \frac{M}{p_{e_{ij}}}}$, $\forall i=\mathrm{1,2},3,\dots \dots n$, and $j=\mathrm{1,2},3,\dots \dots m$, and $M_c={\displaystyle \frac{M}{p_c}}$.

Next, Cloud server computes the following

$${\mathcal{C}}_u={\mathcal{s}}_c\times {\left(M_C\right)}^{\varphi \left(p_c\right)}$$

$${\mathcal{F}}_{u_i}={\mathcal{s}}_{f_i}\times {\left(M_{f_i}\right)}^{\varphi \left(p_{f_i}\right)},\forall i=\mathrm{1,2},3,\dots \dots n$$

$$\mathrm{nd} E_{u_{ij}}={\mathcal{s}}_{e_{ij}}\times {\left(M_{e_{ij}}\right)}^{\varphi \left(p_{e_{ij}}\right)},\forall i=\mathrm{1,2},3,\dots \dots n\mathrm{and} j=\mathrm{1,2},3,\dots \dots m.$$

The set of private keys, secret parameters, ${\mathcal{C}}_u$, ${\mathcal{F}}_{u_i}$ and $E_{u_{ij}}$ are stored in its memory.

Initially, the system has generated $n\times \left(m+1\right)+1$ private keys and $n\times \left(m+1\right)+1$ secret parameters. When the system reaches a limit of $n\times m$ edge nodes, it is re-initialized for $\mathcal{t}\times \left(n\times m\right)$ edge nodes. The factor $\mathcal{t}$ represents the number of times the edge nodes may join the system in the future.

4.2. Fog Node Registration Phase

When a fog node joins a network, it should register with the cloud server. The fog node ${\mathcal{F}\mathcal{N}}_i$ picks a unique identity ${ID}_{f_i}$ and a secret random number $r_{f_i}$ and computes $A_{f_i}={ h}_2\left({ID}_{f_i}\parallel r_{f_i}\right)$. $A_{f_i}$ is securely transmitted to the cloud server, which then generates a temporary identity ${TID}_{f_i}$ and securely transmitted to the fog node for storage. The cloud server also keeps secure $A_{f_i}$ and ${TID}_{f_i}$ in its database. The Cloud server sends secret parameter ${\mathcal{s}}_{f_i}$and private key $p_{f_i}$ to the associated fog nodes ${\mathcal{F}\mathcal{N}}_i$ from sets ${\mathcal{S}}_F$ and $P_F$ respectively. Additionally, it transmits the sets $\left\{{\mathcal{s}}_{e_{ij}}\right\}$ and $\left\{p_{e_{ij}}\right\}$ of secret parameters and private keys from the sets${\mathcal{S}}_E$ and $P_E$ respectively, to the fog node ${\mathcal{F}\mathcal{N}}_i$. The ${\mathcal{F}\mathcal{N}}_i$ keeps the sets $\left\{{\mathcal{s}}_{e_{ij}}\right\}$ and $\left\{p_{e_{ij}}\right\}$ secret in its database delivers individual ${\mathcal{s}}_{e_{ij}}$ and $p_{e_{ij}}$ to edge node ${E\mathcal{N}}_{ij}$ when they join the corresponding ${\mathcal{F}\mathcal{N}}_i$. Additionally, the cloud server also sends ${\mathcal{F}}_{u_i}$ and $E_{u_{ij}}$to the corresponding ${\mathcal{F}\mathcal{N}}_i$ and kept secret in its database for further usage.

4.3. Edge Node Registration Phase

When an edge node ${E\mathcal{N}}_{ij}$ joins a network, it should register with the corresponding fog node ${\mathcal{F}\mathcal{N}}_i$. The edge node ${E\mathcal{N}}_{ij}$ picks a unique identity ${ID}_{e_{ij}}$ and a secret random number $r_{e_{ij}}$ and computes $A_{e_{ij}}={ h}_2\left({ID}_{e_{ij}}\parallel r_{e_{ij}}\right)$. The edge node securely transmits $A_{e_{ij}}$ to the fog node ${\mathcal{F}\mathcal{N}}_i$ which then generates a temporary identity ${TID}_{e_{ij}}$ and generates $B_{e_{ij}}={ h}_2\left(A_{e_{ij}}\parallel A_{f_i}\parallel {\mathcal{s}}_{e_{ij}}\right)$. The ${\mathcal{F}\mathcal{N}}_i$ selects private key $p_{e_{ij}}$ and ${\mathcal{s}}_{e_{ij}}$ from the sets already sent by cloud server to fog node for edge nodes. The ${\mathcal{F}\mathcal{N}}_i$ then transmits $\left({TID}_{e_{ij}}, {TID}_{f_i}, A_{e_{ij}}, B_{e_{ij}},{ p}_{e_{ij}},{\mathcal{s}}_{e_{ij}}\right)$ to the edge node ${E\mathcal{N}}_{ij}$ through secure channel. The edge node ${E\mathcal{N}}_{ij}$ stores the received values in its memory.

4.4. Group Key Distribution and Extraction Phase

The ${\mathcal{F}\mathcal{N}}_i$ generates a group key ${\mathcal{G}K}_i$ as a random prime integer form $Z_n^{*}$ as ${\mathcal{G}K}_i\stackrel{\$}{\leftarrow }{Z}_n^{*}$. Additionally, the generated ${\mathcal{G}K}_i$ must be smaller than the ${ p}_{e_{ij}}$ of every edge node ${E\mathcal{N}}_{ij}$ attached with ${\mathcal{F}\mathcal{N}}_i$, such that ${\mathcal{G}K}_i<min\left\{{ p}_{e_{i1}},{ p}_{e_{i2}},{ p}_{e_{i3}}\dots \dots \dots { p}_{e_{im}}\right\}.$

The fog node ${\mathcal{F}\mathcal{N}}_i$ computes the group key encryption key ${\delta }_i$ as ${\delta }_i=E_{u_{i1}}+E_{u_{i2}}+E_{u_{i3}}\dots \dots .+E_{u_{im}}={\displaystyle {\sum }_{j=1}^m}{E}_{u_{ij}}$.

The${\mathcal{F}\mathcal{N}}_i$ computes $M_i^m={\displaystyle {\prod }_{j=1}^m}\left(p_{e_{ij}}\right)$Next, the${\mathcal{F}\mathcal{N}}_i$ encrypts the ${\mathcal{G}K}_i$ and generates the cipher text ${\mathcal{C}T}_{{{\mathcal{G}}_K}_i}$ as ${\mathcal{C}T}_{{{\mathcal{G}}_K}_i}=\left({\mathcal{G}K}_i\times {\delta }_i\right)mod{M}_i^m$. The ${\mathcal{F}\mathcal{N}}_i$ then broadcast ${\mathcal{C}T}_{{{\mathcal{G}}_K}_i}$ to all edge nodes ${E\mathcal{N}}_{i1},{E\mathcal{N}}_{i2},{E\mathcal{N}}_{i3},\dots \dots \dots \dots {E\mathcal{N}}_{im}$ in the group that are connected to it.

After receiving the ${\mathcal{C}T}_{{{\mathcal{G}}_K}_i}$, each ${E\mathcal{N}}_{ij}$ can extract the ${\mathcal{G}K}_i$ as ${\mathcal{G}K}_i=\left({\mathcal{C}T}_{{{\mathcal{G}}_K}_i}\times {\mathcal{s}}_{e_{ij}}^{-1}\right)$mod $p_{e_{ij}}$.

As a result, the total $m$ edge nodes ${E\mathcal{N}}_{ij}, \forall j=\mathrm{1,2},3,\dots \dots m$ can extract ${\mathcal{G}K}_i$ from ${\mathcal{C}T}_{{{\mathcal{G}}_K}_i}$ by their private key $p_{e_{ij}}$ and secret parameter ${\mathcal{s}}_{e_{ij}}$.

4.5. Batch Verification Based on Group Key Phase

When a node ${E\mathcal{N}}_{ij}$ collects a message $m_{ij}$, it signs it before forwarding it. For signing the message, the edge node ${E\mathcal{N}}_{ij}$ complete the following:

First, calculate blinded message hash $h_{ij}$ as $h_{ij}=h_1\left(m_{ij}\parallel {{TID}_{e_{ij}}\parallel T}_{ij}\right)$, where $T_{ij}$ is a timestamp.

Next, it computes blinding scalar ${\alpha }_{ij}=h_2\left(m_{ij}{\parallel T}_{ij}\right)\in Z_q^{\mathrm{*}}$ .

Further, it computes signature component ${\sigma }_{ij}=\left({\mathcal{G}K}_i+{\alpha }_{ij}\right).r_{e_{ij}}.h_{ij}\in \mathbb{G}$ and generates the signature.

The ${E\mathcal{N}}_{ij}$ transmits the message $\{m_{ij},{\sigma }_{ij},{TID}_{e_{ij}},T_{ij}\}$ to the ${\mathcal{F}\mathcal{N}}_i$. After receiving the message, the ${\mathcal{F}\mathcal{N}}_i$ initiates the message verification process given as follows.

Case 1: The fog node ${\mathcal{F}\mathcal{N}}_{\mathit{i}}$ requires to verify only a single message

The fog node ${\mathcal{F}\mathcal{N}}_i$ verifies a single signature using the following pairing equation – (1)

$$e\left({\sigma }_{ij}, P\right)?=e{\left(h_{ij},P_{pub}+{\alpha }_{ij}.P\right)}^{r_{e_{ij}}}$$

(1)

Correctness

$$\begin{array}{l}L.H.S.=e\left({\sigma }_{ij},P\right)\\ =e\left(\left({\mathcal{G}K}_i+{\alpha }_{ij}\right).r_{e_{ij}}.h_{ij}, P\right)\\ =e{\left(h_{ij}, P\right)}^{\left({\mathcal{G}K}_i+{\alpha }_{ij}\right).r_{e_{ij}}} \mathrm{(bilinearity)}\\ ={\left(e{\left(h_{ij}, P\right)}^{\left({\mathcal{G}K}_i+{\alpha }_{ij}\right)}\right)}^{r_{e_{ij}}}\\ ={\left(e\left(h_{ij},{\mathcal{G}K}_i.P+{\alpha }_{ij}.P\right)\right)}^{r_{e_{ij}}} \mathrm{s}\mathrm{i}\mathrm{n}\mathrm{c}\mathrm{e}, e{\left(h_{ij},P\right)}^x=e\left(h_{ij},x.P\right)\\ ={\left(e\left(h_{ij},{ P}_{pub}+{\alpha }_{ij}.P\right)\right)}^{r_{e_{ij}}} \mathrm{s}\mathrm{i}\mathrm{n}\mathrm{c}\mathrm{e} P_{pub}={\mathcal{G}K}_i.P\\ =e{\left(h_{ij},P_{pub}+{\alpha }_{ij}.P\right)}^{r_{e_{ij}}}\\ =R.H.S.\end{array}$$

Case 2: The fog node ${\mathcal{F}\mathcal{N}}_{\mathit{i}}$ requires to verify multiple messages

When the fog node ${\mathcal{F}\mathcal{N}}_i$ requires to verify multiple messages, it needs to execute the batch verification process. When ${\mathcal{F}\mathcal{N}}_i$ received $m$ signatures ${\left\{\left({{\sigma }_{ij},m}_{ij},{TID}_{e_{ij}},T_i\right)\right\}}_{i=1}^m$, it verifies that whether pairing equation (2) holds or not.

$$e\left({\displaystyle \sum _{j=1}^m}{\sigma }_{ij},P\right)?=e{\left({\displaystyle \sum _{j=1}^m}{h}_{ij},P_{pub}+{\displaystyle \sum _{j=1}^m}{\alpha }_{ij}.P\right)}^{{\displaystyle \sum _{j=1}^m}{r}_{e_{ij}}}$$

(2)

Correctness

$$\begin{array}{l} L.H.S=e\left({\displaystyle \sum _{j=1}^m}{\sigma }_{ij},P\right)\\ =e\left({\displaystyle {\sum }_{j=1}^m}\left({\mathcal{G}K}_i+{\alpha }_{ij}\right).r_{e_{ij}}.h_{ij}, P\right)\\ =e\left({\left({\displaystyle {\sum }_{j=1}^m}{h}_{ij},P\right)}^{{\displaystyle {\sum }_{j=1}^m}\left({\mathcal{G}K}_i+{\alpha }_{ij}\right)r_{e_{ij}}}\right)\\ =e{\left({\left({\displaystyle {\sum }_{j=1}^m}{h}_{ij},P\right)}^{{\displaystyle {\sum }_{j=1}^m}\left({\mathcal{G}K}_i+{\alpha }_{ij}\right)}\right)}^{{\displaystyle {\sum }_{j=1}^m}{r}_{e_{ij}}}\\ =e{\left(\left({\displaystyle {\sum }_{j=1}^m}{h}_{ij},{\mathcal{G}K}_i.P+{\displaystyle {\sum }_{j=1}^m}{\alpha }_{ij}P\right)\right)}^{{\displaystyle {\sum }_{j=1}^m}{r}_{e_{ij}}}\\ \mathrm{s}\mathrm{i}\mathrm{n}\mathrm{c}\mathrm{e} e{\left(h_{ij},P\right)}^x=e\left(h_{ij},x.P\right)\\ =e{\left(\left({\displaystyle {\sum }_{j=1}^m}{h}_{ij},P_{pub}+{\displaystyle {\sum }_{j=1}^m}{\alpha }_{ij}P\right)\right)}^{{\displaystyle {\sum }_{j=1}^m}{r}_{e_{ij}}}\\ \mathrm{s}\mathrm{i}\mathrm{n}\mathrm{c}\mathrm{e} P_{pub}={\mathcal{G}K}_i.P\\ =e{\left({\displaystyle {\sum }_{j=1}^m}{h}_{ij},P_{pub}+{\displaystyle {\sum }_{j=1}^m}{\alpha }_{ij}P\right)}^{{\displaystyle {\sum }_{j=1}^m}{r}_{e_{ij}}}\\ =R.H.S.\end{array}$$

4.6. Group Key Update Phase

Whenever the group membership changes, the group key must be updated. During this phase, our protocol mainly focuses on nodes joining/leaving the group encompassing four distinct scenarios. Case 1) Edge node(s) joining the group. Case 2) Edge node(s) exit the group. Case 3): Fog node(s) joining the group. Case 4): Fog node(s) leaving the group.

4.6.1. Single or Multiple Edge Nodes Join

It is assumed that the group has $\mathcal{l}$ edge nodes. When $k$ edge nodes join, it becomes $\mathcal{l}+k$ edge nodes in the group. After that the Fog node ${\mathcal{F}\mathcal{N}}_i$ updates the group key encryption key ${\delta }_i^m$. The fog node ${\mathcal{F}\mathcal{N}}_i$ updates and encrypts the group key ${\mathcal{G}K}_i^{\prime }$. It generates the ciphertext ${\mathcal{C}T}_{{\mathcal{G}K}_i^{\prime }}^{\prime }$ and sent it to all edge nodes available in the group. The steps of the procedure are outlined below.

Step 1. First, ${\mathcal{F}\mathcal{N}}_i$ computes modified group key encryption key ${\delta }_i^{\mathcal{l}+k}$as ${\delta }_i^{\mathcal{l}+k}$= ${\delta }_i^{\mathcal{l}}+{\displaystyle {\sum }_{j=\mathcal{l}+1}^{\mathcal{l}+k}}{E}_{u_{ij}}$. Here, ${\delta }_i^{\mathcal{l}}$ represents the old group key encryption key before joining the new edge nodes and ${\delta }_i^{\mathcal{l}+k}$ represents the modified group key encryption key after joining the new $k$ edge nodes.

Step 2. Next, the fog node ${\mathcal{F}\mathcal{N}}_i$ updates the group key ${\mathcal{G}K}_i^{\prime }$, where ${\mathcal{G}K}_i^{\prime }<min\left(\left\{p_{f_i}\right\}\cup {\left\{p_{e_{ij}}\right\}}_{i=1}^{\mathcal{l}+k}\right)$.

Step 3. The ${\mathcal{F}\mathcal{N}}_i$ updates $M_i^{\mathcal{l}}$ as $M_i^{\mathcal{l}+k}=$ $M_i^{\mathcal{l}}\times {\displaystyle {\prod }_{j=\mathcal{l}+1}^k}\left(p_{e_{ij}}\right)$.

Step 4. The ${\mathcal{F}\mathcal{N}}_i$ recomputes a new ${\mathcal{C}T}_{{\mathcal{G}K}_i^{\prime }}^{\prime }$ as ${\mathcal{C}T}_{{\mathcal{G}K}_i^{\prime }}^{\prime }={\mathcal{G}K}_i^{\prime }\times {\delta }_i^{\mathcal{l}+k}mod$ $M_i^{\mathcal{l}+k}$. Then, the ${\mathcal{F}\mathcal{N}}_i$ transmits ${\mathcal{C}T}_{{\mathcal{G}K}_i^{\prime }}^{\prime }$ to all $\mathcal{l}+k$ edges nodes available in the group.

Step 5. Upon receiving ${\mathcal{C}T}_{{\mathcal{G}K}_i^{\prime }}^{\prime }$ from ${\mathcal{F}\mathcal{N}}_i$, the new $k$ nodes and old edge nodes can retrieve the updated ${\mathcal{G}K}_i^{\prime }$ from ${\mathcal{C}T}_{{\mathcal{G}K}_i^{\prime }}^{\prime }$ as ${\mathcal{G}K}_i^{\prime }=$ ${\mathcal{C}T}_{{\mathcal{G}K}_i^{\prime }}^{\prime }\times {\mathcal{s}}_{e_i}^{-1}mod{p}_{e_{ij}}$,$\forall i=\mathrm{1,2},3,\dots .\mathcal{l}+k$. In this case both newly join edge nodes and existing edge nodes derive the same updated group key ${\mathcal{G}K}_i^{\prime }$.

4.6.2. Single or Multiple Edge Nodes Leave

Assume that the group initially has $\mathcal{l}$ edge nodes. It is also assumed that the $k$ edge nodes $\left(1\le k<\mathcal{l}\right)$ depart the group. When $k$ edge nodes leave, the number of edge nodes in the decreases to $\mathcal{l}-k$. After that, the ${\mathcal{F}\mathcal{N}}_i$ updates the group key ${\mathcal{G}K}_i^{\prime \prime }$and computes modified group key encryption key ${\delta }_i^{\mathcal{l}-k}$. Furthermore, the ${\mathcal{F}\mathcal{N}}_i$ computes the updated ${\mathcal{C}T}_{{\mathcal{G}K}_i^{\prime \prime }}^{\prime \prime }$ for the updated ${\mathcal{G}K}_i^{\prime \prime }$. The procedure is outlined in the steps below.

Step 1. The ${\mathcal{F}\mathcal{N}}_i$ reconstructs the group key encryption key ${\delta }_i^{\mathcal{l}-k}$ as ${\delta }_i^{\mathcal{l}-k}={\delta }_i^{\mathcal{l}+k}-{\displaystyle {\sum }_{i=\mathcal{l}+1}^{\mathcal{l}+k}}{E}_{u_{ij}}$ , $k<m$.

Step 2. The ${\mathcal{F}\mathcal{N}}_i$ updates the value of $M_i^{\mathcal{l}}$ as $M_i^{\mathcal{l}-k}=$ ${\displaystyle \raisebox{1ex}{$M_i^{\mathcal{l}}$}\!\left/ \!\raisebox{-1ex}{${\displaystyle {\prod }_{i=\mathcal{l}+1}^k}{p}_{e_{ij}}$}\right.}$

Step 3. Next, the fog node ${\mathcal{F}\mathcal{N}}_i$ updates the group key ${\mathcal{G}K}_i^{\prime \prime }$, where ${\mathcal{G}K}_i^{\prime \prime }<min\left(\left\{p_{f_i}\right\}\cup {\left\{p_{e_{ij}}\right\}}_{i=1}^{\mathcal{l}-k}\right)$.

Step 4. The ${\mathcal{F}\mathcal{N}}_i$ recomputes a new ciphertext message ${\mathcal{C}T}_{{\mathcal{G}K}_i^{\prime \prime }}^{\prime \prime }$ as ${\mathcal{C}T}_{{\mathcal{G}K}_i^{\prime \prime }}^{\prime \prime }={\mathcal{G}K}_i^{\prime \prime }\times {\delta }_i^{\mathcal{l}-k}mod$ $M_i^{\mathcal{l}-k}$.

Step 5. Upon receiving ${\mathcal{C}T}_{{\mathcal{G}K}_i^{\prime \prime }}^{\prime \prime }$ from ${\mathcal{F}\mathcal{N}}_i$ the remaining edge nodes in the group can obtain updated ${\mathcal{G}K}_i^{\prime \prime }$ as ${\mathcal{G}K}_i^{\prime \prime }=$ ${\mathcal{C}T}_{{\mathcal{G}K}_i^{\prime \prime }}^{\prime \prime }\times {\mathcal{s}}_{e_i}^{-1}mod$ $p_{e_{ij}}$,$\forall i=1,2,\dots .$. $\mathcal{l}-k$. The $k$ edge nodes that left the group, on the other hand, can’t retrieve it, even if they have received a ciphertext ${\mathcal{C}T}_{{\mathcal{G}K}_i^{\prime \prime }}^{\prime \prime }$. It can be expressed as follow:

$${\mathcal{G}K}_i^{\prime \prime }\ne {\mathcal{C}T}_{{\mathcal{G}K}_i^{\prime \prime }}^{\prime \prime }\times {\mathcal{s}}_{e_i}^{-1} mod{p}_{e_{ij}},\forall i=\mathcal{l}-k+1, \mathcal{l}-k+2, \mathcal{l}-k+3\dots \dots \dots \dots .\mathcal{l}.$$

Therefore, the edge nodes that have left the group can’t derive an updated ${\mathcal{G}K}_i^{\prime \prime }$, whereas those persisted in the group can obtain it.

5. Security Analysis

We perform a thorough informal security verification to evaluate the security strength of our proposed work. Formal security verification is performed using the ProVerif tool and the Random Oracle Model.

5.1. Informal Security Analysis

Informal security analysis examines robustness of our suggested protocol. The analysis demonstrates that the suggested work guarantees both backward and forward secrecy. The suggested method also offers protection against a number of well-known attacks and meets all the security needs desired for decentralized edge–fog–cloud computing networks.

5.1.1. Forward Secrecy

In the proposed protocol, the forward secrecy is preserved as an edge node ${E\mathcal{N}}_{ij}$ that has left the group is unable to obtain the future group keys. In our protocol, when an edge node ${E\mathcal{N}}_{ij}$ left the group, the fog node ${\mathcal{F}\mathcal{N}}_i$ updates both group key ${\mathcal{G}K}_i^{\prime \prime }$ and group key encryption key ${\delta }_i^{\mathcal{l}-j}={\delta }_i^{\mathcal{l}}-E_{u_{ij}}$. Further, it computes new cipher text ${\mathcal{C}T}_{{\mathcal{G}K}_i^{\prime \prime }}^{\prime \prime }={\mathcal{G}K}_i^{\prime \prime }\times {\delta }_i^{\mathcal{l}-j}mod$ $M_i^{\mathcal{l}-j}$ where $M_i^{\mathcal{l}-j}=$ ${\displaystyle \raisebox{1ex}{$M_i^{\mathcal{l}}$}\!\left/ \!\raisebox{-1ex}{$p_{e_{ij}}$}\right.}$. The departed ${E\mathcal{N}}_{ij}$ cannot decrypt the updated group key even if it gets a ciphertext ${\mathcal{C}T}_{{\mathcal{G}K}_i^{\prime \prime }}^{\prime \prime }$ since its secret parameter $E_{u_{ij}}={\mathcal{s}}_{e_{ij}}\times {\left(M_{e_{ij}}\right)}^{\varphi \left(p_{e_{ij}}\right)}$ and $p_{e_{ik}}$ are not utilized to encrypt the updated group key ${\mathcal{G}K}_i^{\prime \prime }$. Therefore, our proposed work ensures forward secrecy.

5.1.2. Backward Secrecy

The backward secrecy guarantees that a new edge node ${E\mathcal{N}}_{ik}$ that has joined the group recently, cannot decrypt the old group keys. To access old communications, newly joined ${E\mathcal{N}}_{ik}$ may attempt to extract old group key from the ciphertext ${\mathcal{C}T}_{{{\mathcal{G}}_K}_i}=\left({\mathcal{G}K}_i\times {\delta }_i\right) mod M_i^m$. In our work, secret parameters $E_{u_{ik}}={\mathcal{s}}_{e_{ik}}\times {\left(M_{e_{ik}}\right)}^{\varphi \left(p_{e_{ik}}\right)}$ and $p_{e_{ik}}$ of newly joined edge node are not used in the encryption of the old group key. Thus, our proposed work provides backward secrecy.

5.1.3. Message Integrity

In our proposed work, an $\mathcal{A}\mathcal{D}\mathcal{V}$ cannot obtain the group key , thus he/she cannot forge the valid signatures component ${\sigma }_{ij}=\left({\mathcal{G}K}_i+{\alpha }_{ij}\right).r_{ij}. h_{ij}$ and signature ${sig}_{ij}=\left({\sigma }_{ij},{TID}_{e_{ij}},T_{ij}\right)$. Thus, if message and its signature satisfy $e\left({\sigma }_{ij}, P\right)=e{\left(h_{ij},P_{pub}+{\alpha }_{ij}.P\right)}^{r_{e_{ij}}}$, the suggested work guarantees the message integrity.

5.1.4. Protection Against Modification Attack

The $\mathcal{A}\mathcal{D}\mathcal{V}$ cannot modify the message $\left\{m_{ij},{\sigma }_{ij},{TID}_{e_{ij}},T_{ij}\right\}$because the message must fulfil the condition $e\left({\sigma }_{ij},P\right)?=e{\left(h_{ij},P_{pub}+{\alpha }_{ij}.P\right)}^{r_{e_{ij}}}$,where ${\sigma }_{ij}=\left({\mathcal{G}K}_i+{\alpha }_{ij}\right).r_{e_{ij}}.h_{ij}$ and ${\alpha }_{ij}=h_2\left(m_{ij}{\parallel T}_{ij}\right)$. If the message is changed, the fog node detects and rejects it. Thus, the suggested scheme provides protection against the modification attack.

5.1.5. Protection against Replay Attack

The proposed protocol uses a timestamp in the signature component ${\sigma }_{ij}=\left({\mathcal{G}K}_i+{\alpha }_{ij}\right).r_{e_{ij}}.h_{ij}$ and signature ${sig}_{ij}=\left({\sigma }_{ij},{TID}_{e_{ij}},T_{ij}\right),$where $h_{ij}=h_1\left(m_{ij}\parallel {{TID}_{e_{ij}}\parallel T}_{ij}\right)$ and ${\alpha }_{ij}=h_2\left(m_{ij}{\parallel T}_{ij}\right)$ to resist replay attack. Since, $T_{ij}$ is provided in the signature, it becomes impossible for an $\mathcal{A}\mathcal{D}\mathcal{V}$ to bypass the authentication by replaying the prior signature. Therefore, the suggested protocol is secure against replay attack.

5.1.6. Protection Against Impersonation Attack

In order to impersonate a valid edge node, the attacker must send a valid message $\left\{m_{ij},{ \sigma }_{ij}, {TID}_{e_{ij}}, T_{ij}\right\}$to the fog node. However, our proposed protocol ensures that no adversary has ability to construct the signature of the edge node with a non-negligible probability. Therefore, the proposed protocol ensures protection against an impersonation attack.

5.1.7. Data Confidentiality

In our scheme, only the authorized edge node ${E\mathcal{N}}_{ij}$ can extract the ${\mathcal{G}K}_i$ from the ciphertext ${\mathcal{C}T}_{{{\mathcal{G}}_K}_i}=\left({\mathcal{G}K}_i\times {\delta }_i\right) mod M_i^m$ and decrypt the sensitive information. Thus, our proposed scheme ensures data confidentiality.

5.2. Formal Security Verification Using ProVerif Tool

An automated tool called ProVerif is used to verify the security of cryptographic schemes. It supports various cryptographic primitives that are expressed by equations or rewriting rules [26]. Numerous security attributes, including secrecy and authentication, can be verified by it. An unlimited number of sessions and message space are taken into consideration when analysing protocols. Figure 2 shows the various functions and parameters in the ProVerif tool for the group key distribution and extraction phase of our protocol. Figure 3 shows the working of event fog and edge. Figure 4 shows the various queries. Figure 5 depicts the result obtained from ProVerif after verification. The verification results clearly shows that our protocol does not disclose group key or other secret parameters to unauthorized entities.

5.3. Security Verification Using Random Oracle Model

Theorem 1: Suppose an $\mathcal{A}\mathcal{D}\mathcal{V}$ can generate a valid signature of an edge node in polynomial time $\mathcal{T}$ with a non-negligible advantage $\mathsf{\epsilon }$; then, there is a challenger $\mathcal{C}$ capable of solving the co-CDHP with a non-negligible probability $\mathsf{\epsilon }$ in polynomial time $\mathcal{T}$.

Proof: The simulator $\mathcal{C}$ executes the initialization process and obtains the public parameter $Q=r.P$. The simulator creates the three lists-${\mathcal{L}\mathcal{H}}_1$, ${\mathcal{L}\mathcal{H}}_2$ and $\mathcal{L}\mathcal{S}$. The ${\mathcal{L}\mathcal{H}}_1$ and ${\mathcal{L}\mathcal{H}}_2$ stores the values returned by random oracle ${\mathcal{H}}_1$ and ${\mathcal{H}}_2$. The list $\mathcal{L}\mathcal{S}$ stores the values return by sign queries.

${\mathcal{H}}_1\mathit{q}\mathit{u}\mathit{e}\mathit{r}\mathit{i}\mathit{e}\mathit{s}$ : When the $\mathcal{A}\mathcal{D}\mathcal{V}$ executes a hash query with the input $m_{ij}, {{TID}_{e_{ij}}, T}_{ij}$, the $\mathcal{C}$ examines whether the input appears in the list ${\mathcal{L}\mathcal{H}}_1$. If there exists a tuple ($m_{ij}, {{TID}_{e_{ij}}, T}_{ij}, h_{ij}$) in the list ${\mathcal{L}\mathcal{H}}_1$, $\mathcal{A}\mathcal{D}\mathcal{V}$ gets $h_{ij}$ from $\mathcal{C}$. If not, $\mathcal{C}$ chooses a random number $h_{ij}\in {\mathbb{Z}}_{n }^{*}$ and includes the tuple ($m_{ij}, {{TID}_{e_{ij}}, T}_{ij}, h_{ij}$) into the list ${\mathcal{L}\mathcal{H}}_1$. Further, $\mathcal{A}\mathcal{D}\mathcal{V}$ obtains $h_{ij}$ from $\mathcal{C}$.

${\mathcal{H}}_2 \mathit{q}\mathit{u}\mathit{e}\mathit{r}\mathit{i}\mathit{e}\mathit{s}$: When the $\mathcal{A}\mathcal{D}\mathcal{V}$ executes a hash query with the input $m_{ij}{, T}_{ij}$, $\mathcal{C}$ examines whether the input present in the list ${\mathcal{L}\mathcal{H}}_2$. If there is a tuple $m_{ij}{, T}_{ij}$ in the list ${\mathcal{L}\mathcal{H}}_2$, $\mathcal{A}\mathcal{D}\mathcal{V}$ gets ${\alpha }_{ij}$from $\mathcal{C}$. If not, $\mathcal{C}$ chooses a random number ${\alpha }_{ij}\in {\mathbb{Z}}_{n }^{*}$ and adds the tuple $(m_{ij}{, T}_{ij}, {\alpha }_{ij})$ in the list ${\mathcal{L}\mathcal{H}}_2$. Further, $\mathcal{C}$ returns ${\alpha }_{ij}$ to $\mathcal{A}\mathcal{D}\mathcal{V}$.

$\mathit{S}\mathit{i}\mathit{g} \mathit{q}\mathit{u}\mathit{e}\mathit{r}\mathit{i}\mathit{e}\mathit{s}:$During sign query process, the $\mathcal{A}\mathcal{D}\mathcal{V}$ and $\mathcal{C}$communicate at most ${\mathcal{Q}}_s$ times. An $\mathcal{A}\mathcal{D}\mathcal{V}$ makes a sign query on $m_{ij}$. Then, $\mathcal{C}$checks whether ${TID}_{e_{ij}}$ and ${TID}_{e_{ij}}^{*}$ are equal or not. If ${TID}_{e_{ij}}\ne {TID}_{e_{ij}}^{*}$, $\mathcal{C}$ checks whether ($m_{ij}{, TID}_{e_{ij}}, {\sigma }_{ij}$) is present in $\mathcal{L}\mathcal{S}$ or not. If $(m_{ij}{, TID}_{e_{ij}}, {\sigma }_{ij})$ is already in $\mathcal{L}\mathcal{S}$, $\mathcal{C}$ returns ${\sigma }_{ij}$ to $\mathcal{A}\mathcal{D}\mathcal{V}$. Otherwise, $\mathcal{C}$ re-compute ${\mathcal{H}}_1$, ${\mathcal{H}}_2$and${\sigma }_{ij}$. $\mathcal{C}$ adds $(m_{ij}{, TID}_{e_{ij}}, {\sigma }_{ij})$ to $\mathcal{L}\mathcal{S}$ and return ${\sigma }_{ij}$ to $\mathcal{A}\mathcal{D}\mathcal{V}$. If ${TID}_{e_{ij}}\ne {TID}_{e_{ij}}^{*}$, $\mathcal{C}$ discards the query and ends the game.

$\mathcal{R}\mathit{e}\mathit{v}\mathit{e}\mathit{a}\mathit{l}:$ If $\mathcal{A}\mathcal{D}\mathcal{V}$ is able to win the game, it indicates that $\mathcal{A}\mathcal{D}\mathcal{V}$ is capable of forging a legitimate signature ${\sigma }_{ij}$ with the identity ${TID}_{e_{ij}}$. when $\mathcal{C}$ responds to the signing query, $\mathcal{A}\mathcal{D}\mathcal{V}$ can generate a valid signature in a polynomial time. Now, we get

$${\sigma }_{ij}^{*}=\mathcal{x}.r_{e_{ij}}^{*}. h_{ij}^{*},\mathrm{where} \mathcal{x}=\left({\mathcal{G}K}_i+{\alpha }_{ij}\right)$$

$${\sigma }_{ij}^{*}.{r_{e_{ij}}^{*}}^{-1}=\mathcal{x}.h_{ij}^{*}$$

Because the game is played in polynomial time and interactions are limited, the $\mathcal{C}$ can solve the co-CDHP in polynomial time with a non-negligible probability. This contradicts the cryptographic hard problem. Therefore, the suggested protocol is secure.

6. Performance Analysis

This section presents security features and performance analysis of our protocol and compare with the existing state-of-the-art protocols [15,16,17,18,19,20] in terms of the computation and communication costs for message signing, single message verification, and batch verification. The performance analysis is conducted based on the approach proposed by Chen et al. [20]. The computation time of edge and fog nodes is evaluated using python programming language. For experimental evaluation of our protocol, we have used a personal computer with 8^th generation Intel Core i5 processor, 8 GB RAM, Windows 11 OS using PyCharm Community Edition 2024.2.0.1. Table 2 presents the cryptographic primitives used in the protocol along with the execution time, and the Table 3 summarizes the corresponding size of the cryptographic symbols.

6.1. Security Feature Comparison

This section compares the security and functionality features of the proposed protocol to existing schemes [15,16,17,18,19,20]. Table 4 demonstrates that the related protocols [15,16,17,18,19,20] provide limited security features as compared to the proposed protocol, Bayat et al. [15] suffers from non-repudiation of batch messages and data confidentiality. Also, it does not provide the ability for secure group communication, and protection against modification attack. Similarly, Wang et al. [16] and Feng et al. [18] lack the similar security features, but resistant against modification attack. Mei et al. [17] satisfies all the security and functionality features as mentioned in the Table 4 except signature forgery and secure group communication. Qi et al. [19] and Chen et al. [20], achieves most of the security and functionality features, however, lacks the secure group communication. The proposed protocol supports non-repudiation, data confidentiality and is resistant against replay and impersonation attacks. Also, it supports message integrity and group communication, while preventing from signature forgery. Therefore, the suggested protocol outperforms the relevant protocols in terms of security and functionality.

6.2. Computation Cost

In this section, a comparative analysis of the computational cost of our protocol and the state-of-the-art protocols [15,16,17,18,19,20] is presented and summarized in Table 5. In our protocol, the edge node performs one point addition and one scalar multiplication operations for signing the message. Therefore, the total time taken for message signing is ${\mathit{t}}_{\mathcal{e}\mathcal{m}}$+${\mathit{t}}_{\mathcal{p}\mathcal{a}}$ $\approx$4.471 ms. The single verification process at the fog node involves one scalar multiplication, two bilinear pairing, one point addition, and two hash operations. Thus, the time taken in this phase is 2${\mathit{t}}_{\mathcal{b}\mathcal{p}}$+${\mathit{t}}_{\mathcal{e}\mathcal{m}}$+${\mathit{t}}_{\mathcal{p}\mathcal{a}}$+2${\mathit{t}}_{\mathit{h}}\approx$33.067 ms. The processing time of the batch verification of n message is 2${\mathit{t}}_{\mathcal{b}\mathcal{p}}$+${\mathit{t}}_{\mathcal{e}\mathcal{m}}$+2n${\mathit{t}}_{\mathcal{p}\mathcal{a}}$+2n${\mathit{t}}_{\mathit{h}}\approx$32.727+0.67n ms, where $\mathit{n}\le 5$. The computation cost of the related protocols [15,16,17,18,19,20] is computed in a similar manner. Figure 6, Figure 7, and Figure 8 illustrate the cost for signing the message, verification of the single message, and verification of the batch messages, respectively. This clearly highlights the superiority of our protocol over the related protocols [15,16,17,18,19,20].

6.3. Communication Cost

We compare the communication cost of the proposed protocol with related protocols, as listed in Table 6. We assume that the size of the signed message is identical for all protocols, therefore the communication cost of the signed message is not considered. Bayat et al. [15] illustrate that each vehicle transmits a message $〈\left({\mathit{I}\mathit{D}}_{\mathit{i},1},{\mathit{I}\mathit{D}}_{\mathit{i},2}\right),{\mathit{\sigma }}_{\mathit{i}},{\mathit{T}}_{\mathit{i}}〉$; therefore, the resulting communication cost is 3$\left|G\right|$+4=388 bytes. In Wang et al. [16], each vehicle broadcasts the message $〈\left(\mathit{P}{\mathit{I}\mathit{D}}_{\mathit{i},1},\mathit{P}{\mathit{I}\mathit{D}}_{\mathit{i},2}\right),{\mathit{M}}_{\mathit{i}},{\mathit{\sigma }}_{\mathit{i}},{\mathit{P}\mathit{K}}_{\mathit{R}\mathit{i}},{\mathit{T}}_{\mathit{i}}〉$; therefore, the communication cost is $4\left|G\right|$+4=516 bytes. In Mei et al. [17], each vehicle transmits a message $〈{\mathit{P}\mathit{S}\mathit{U}\mathit{I}\mathit{D}}_{\mathit{i}},{\mathit{I}\mathit{D}\mathit{R}}_{\mathit{s}},{\mathit{M}}_{\mathit{i}},{\mathit{\sigma }}_{\mathit{i}},{\mathit{v}\mathit{e}\mathit{p}\mathit{k}}_{\mathit{i}},{\mathit{T}}_{\mathit{i}}〉$; and hence, the communication cost is $4\left|G\right|$+4=516 bytes. In Feng et al. [18], each vehicle broadcasts a message $〈{\mathit{C}\mathit{e}\mathit{r}\mathit{t}}_{\mathit{i}},{\mathit{\sigma }}_{\mathit{i}},{\mathit{M}}_{\mathit{i}},{\mathit{T}}_{\mathit{i}}〉.$ The communication cost of Feng et al. [18] is $4\left|G\right|$+4=516 bytes. In Qi et al. [19], each vehicle broadcasts a message $〈{\mathit{P}}_{{\mathit{s}}_{\mathit{i}}},{\mathit{P}\mathit{S}}_{\mathit{s}},{\mathit{M}}_{\mathit{i}},{\mathit{P}\mathit{K}}_{\mathit{i}},{\mathit{T}}_{\mathit{i}}〉.$ Hence, the communication cost of Qi et al. [19] is $3\left|G\right|$+4=388 bytes. In the Chen et al. [20], each vehicle broadcasts a message $〈{\mathit{P}\mathit{I}\mathit{D}}_{{\mathit{i}}_{\mathit{k}}},{{\mathit{R}}_{\mathit{i}}}_{\mathit{k}},{\mathit{W}}_{\mathit{i}},{\mathit{l}}_{\mathit{i}},{\mathit{M}}_{\mathit{i}},{\mathit{\sigma }}_{\mathit{i}},{\mathit{T}}_{\mathit{i}}〉.$ Therefore, the total communication cost of Chen et al. [20] is $4\left|G\right|$+4=516 bytes. In our proposed protocol each edge node broadcasts a message $〈{\mathit{m}}_{\mathit{i},\mathit{j}},{\mathit{\sigma }}_{\mathit{i},\mathit{j}},{\mathit{T}\mathit{I}\mathit{D}}_{\mathit{i}\mathit{f}},{\mathit{T}}_{\mathit{i},\mathit{j}}〉,$ where ${\sigma }_{i,j},{TID}_{if}\in \mathbb{G}$, and $T_i$ is a timestamp. The total communication cost of our protocol is $2\left|G\right|$+4=260 bytes. Table 6 clearly highlights that our proposed protocol is better as compared to the related protocols [15,16,17,18,19,20], as demonstrated in Figure 9.

6.4. Performance Validation Using Wokwi

In this section, we have used the Wokwi platform with an ESP32 virtual environment to simulate and implement the proposed protocol in order to validate it. Wokwi is a browser-based simulator for embedded system development without physical hardware. The ESP32 Devkitc (v4) was chosen due to its simulated capability for cryptographic operations and compatibility with Fog-edge networks hardware requirements. Single message verification, Batch message verification, group key distribution and retrieval were implemented in MicroPython. Figure 10, Figure 11 and Figure 12 demonstrate the correct execution of group key distribution, Group key retrieval, single message verification and Batch verification.

Table 7. The average latency and energy consumption using MicroPython on ESP32.

Phases	Average latency ($\mathit{\mu }\mathit{s})$	Average Energy Consumption (J)
Group key distribution by fog node	27375	0.004125
Group key retrieval by edge node	7384	0.001064
Single message verification	6384	0.001203
Batch message verification	12886	0.001882

Table 7. The average latency and energy consumption using MicroPython on ESP32.

Phases	Average latency ($\mathit{\mu }\mathit{s})$	Average Energy Consumption (J)
Group key distribution by fog node	27375	0.004125
Group key retrieval by edge node	7384	0.001064
Single message verification	6384	0.001203
Batch message verification	12886	0.001882

The simulation was executed for 50 iterations in order to compute the performance. The average latency and energy consumption during group key distribution, group key retrieval, single message verification and batch verification are shown in Table 7. The average time for group key distribution and retrieval was 27375$\mu s$, and 7384$\mu s$ respectively. The average time of single message verification by fog node was 6384$\mu s$ while average time for batch verification by Fog node was 12886$\mu s$. Based on the ESP32's active current consumption of I = 30mA (=0.03A) at V = 5.0 V, the average energy consumption for group key distribution and retrieval was 0.004125 (J), 0.001064 (J) respectively. The average energy usage for single message verification was 0.001203(J), while average energy consumption for batch verification was 0.001882(J). The correctness of group key distribution and retrieval, as well as single message verification and batch verification was tested on 50 test runs (40 valid and 10 invalid credential sets). The protocol accepted 100% of valid credentials and rejected 100% of invalid attempts, with no false acceptances or rejections. The simulation results shows that the suggested protocol is efficient, robust, and suitable for implementation in Edge-Fog-Cloud Computing Networks.

7. Conclusion

In this paper, we present a lightweight and secure key distribution with update and batch verification protocol for decentralized edge–fog–cloud computing networks that eliminates the need to manage distinct and independent sets of moduli equations with multiple mathematical structures for different network layers. Our protocol uses CRT to distribute and update the group key without computing the inverse element, and by using a unique secret parameter for each edge node it provides non-linear two-factor encryption logic to mask the group key. By integrating elliptic curve cryptography, bilinear pairings, Euler’s totient function, and per-signature randomness, our protocol achieves efficient single and batch signature verification while preserving robust security. The proposed protocol significantly reduces verification overhead at the fog layer by requiring a constant number of pairing operations for batch verification. Formal security analysis shows that our protocol is secure under the hardness assumptions of the co-Computational Diffie-Hellman (co-CDH) problem in the random oracle model. Formal security verification using ProVerif tool confirms its robustness against various attacks. Furthermore, simulation on the Wokwi platform with ESP32 confirmed its correctness, efficiency, and suitability for cloud-fog-edge development. The performance analysis demonstrates that our protocol outperforms existing protocols in terms of computational and communicational efficiency, making it well suited for large-scale and latency-sensitive Edge-Fog-Cloud computing networks.