Fine-Grained Forward Secure Firmware Update in Smart Home

Abstract

Although the vigorous development of smart homes brings great convenience to people’s lives, smart homes usually suffer from various security threats due to firmware vulnerabilities. Firmware update is a possible solution, but existing methods cannot address the security issues during the update process well. To enable secure firmware updates, a Forward Secure Firmware Update (FSFU) system was realized based on the proposed Puncturable-Ciphertext Policy-Attribute-Based Encryption (P-CP-ABE) scheme. In FSFU, when the service provider delivers the latest firmware, it specifies an access policy and some tags to encrypt the data and appends its signature to achieve both fine-grained access control and authentication. Authorized customers can obtain the latest firmware by decrypting the encrypted data through their private key. In particular, after a successful update, each authorized customer can realize forward security by updating his/her puncturable key, which is an important private key component. In addition, FSFU is further enhanced by outsourcing a part of the parameters and computational tasks. Finally, FSFU was proven to be secure under the Decisional Bilinear Diffie–Hellman (DBDH) assumption. Our proposed FSFU is efficient from both the theoretical analysis and the experimental results.

1. Introduction

With the continuous development of IoT technology, smart homes have become an attractive application that can provide users with more comfort and convenience in their lives [1,2]. Major manufacturers have developed and launched their smart home systems. They provide consumers with supporting smart devices, cloud platforms, and mobile applications. Some of the more famous are Samsung’s SmartThings [3], Amazon’s AWS [4], Apple’s Home app [5], Alibaba’s AliyunloT [6], etc. Manufacturers are eager to develop new features and products to attract consumers and increase their share of the smart home market.

The potential economic benefits of smart homes have attracted many hacker groups to attack vulnerabilities in smart home systems, and many of the attacks are targeting customers’ IoT devices. Technically, IoT devices are very small embedded devices that are used for sensing, control, and so on [7]. To protect embedded devices, an effective way is to update the firmware to fix the vulnerabilities. The service provider uploads the latest firmware to the cloud platform for the authorized customers to download.

As shown in Figure 1, there are possible threats, such as pretending and eavesdropping, during the firmware update process, and therefore, its security needs to be considered. However, some existing methods do not address the security issues during firmware updates well [8]. Some state-of-the-art techniques, including differential privacy [9], opacity [10], etc., can achieve security. Differential privacy focuses on protecting the privacy of changes in the database, and opacity focuses on hiding system behavior. In smart home systems, service providers only expect authorized customers meeting certain policies to enjoy the latest firmware updates, hence Ciphertext Policy-Attribute-Based Encryption (CP-ABE) is more suitable for achieving secure firmware updates.

1.1. Contribution

To achieve secure firmware updates in the smart home, an FSFU system is proposed based on a proposed Puncturable-Ciphertext Policy-Attribute-Based Encryption (P-CP-ABE) scheme. In FSFU, the service provider is called the Data Owner (DO), and the customer is called the Data User (DU). When the DO supplies the latest firmware, it encrypts the data with a specified access policy and some tags. To enable customers to identify the source of the firmware, the DO attaches a signature to the encrypted data. The authorized DU can obtain plaintext from the encrypted data using his/her private key, which contains a puncturable key component. After a successful update, the DU can renew his/her puncturable key component, and the updated key loses the capability to decrypt the past encrypted data. We also propose extended FSFU, which outsources some parameters and operations to the fog node. Specifically, the features of FSFU are listed below:

-

Authentication: The signature allows customers to verify that the latest firmware is being delivered by the expected service provider.

-

Fine-grained access control: Upon receipt of the encrypted data, only authorized users can obtain the plaintext, where authorized users are those whose attribute sets satisfy the policy and the puncturable key does not contain the tag in the ciphertext.

-

Forward security: After successfully updating to the latest firmware, data users can update their puncturable key component by puncturing a tag attached to the ciphertext. The updated key loses the capability to decrypt the past ciphertext, ensuring the forward security of the encrypted data.

-

Outsourced capability: In extended FSFU, the DO can outsource some of the encryption work to fog nodes. Similarly, the DU can send part of the private key to the fog node for storage and, thus, outsource part of the decryption work. As a result, the storage and computation costs of the participants, especially DUs, can be reduced.

1.2. Related Work

Sahai and Waters first proposed the concept of Attribute-Based Encryption (ABE) [11], in which DUs are described by their attributes so that ABE can achieve fine-grained access control on encrypted data. In general, there are two main types of ABE: Key Policy-Attribute-Based Encryption (KP-ABE) [12] and Ciphertext Policy-Attribute-Based Encryption (CP-ABE) [13]. The difference between them is that CP-ABE’s ciphertext is related to a specified policy (or structure) and the decryption key is related to attributes, while KP-ABE is just the opposite: the ciphertext is related to the attributes, and the decryption key is related to the policy. If the attributes satisfy the policy, the plaintext can be recovered. Ibraimi, Tang, et al. proposed a selectively secure CP-ABE based on the Decisional Bilinear Diffie–Hellman (DBDH) assumption [14], which can be conveniently modified to outsource the computation during encryption and decryption. There are a large number of studies on attribute-based encryption from [15]. However, very little work considers the forward security of the encrypted data.

The survey [8] investigates various attacks against firmware updates of IoT devices from 2004 to 2018 and discusses measures for secure firmware updates. According to the survey, existing secure firmware updates can be divided into “centralized” and “distributed” categories. Centralized solutions based on the server–client model include [16,17,18], etc. Decentralized solutions, mostly based on blockchain, include [7,19,20], etc. However, as mentioned above, there is very little work that deals with forward security.

There are some proposals to add forward security to encrypted email, which is a “store and forward” messaging system [21,22,23]. However, these proposals increase complexity and introduce new points of failure. The distribution of new key components for senders requires a highly available network infrastructure [21]. The premise of secure communication is that an initial message must be exchanged [24]. Reference [25] proposed a Forward Secure-Public Key Encryption scheme (FS-PKE) in which the user could periodically update the key to revoke the decryption capability. However, it is coarse-grained. Puncturable Encryption (PE) [26], proposed in SP 2015, enables fine-grained forward security by puncturing specific tags. In this way, fine-grained revocation of the decryption capability can be achieved. What is more, users can update their keys themselves without the need for the trusted center to reissue a new key. There are some recent works related to PE still emerging [27,28,29,30].

1.3. Organization

The rest of this paper is organized as follows. Section 2 presents the system architecture and design goals. Section 3 lists the related preliminaries. Section 4 describes the formal definition of P-CP-ABE and the security model. The details of FSFU (including the extended construction) are given in Section 5. We prove the security and analyze the performance in Section 6. The conclusion of the work is given in Section 7.

2. System Architecture and Design Goal

2.1. System Architecture

The system architecture is shown in Figure 2. There are five entities in the system. The role and responsibilities of each entity are described below:

• The Trusted Authority (TA) is fully trusted. The system’s public parameters and secret keys for participants are generated by the TA. We assumed that the TA is responsible for publishing the attribute universe $\Omega =\{a_1,\dots ,a_n\}$ and a collection of possible tags.
• The Cloud Sever (CS) is semi-trusted. The CS can provide a powerful storage service for participants.
• The Fog Node (FN) is semi-trusted. FNs act as caches between the participants and the CS. FNs can provide temporary storage and outsource computing services to participants.
• The Data Owner (DO) is the service provider, which delivers the latest firmware to the DU via the FNs and the CS.
• The Data User (DU) requests data files associated with specific tags and receives them from the FN. If the DU is in the same domain as the DO, the DU can obtain the data file directly from the FN. If the DU is far away from the DO, the FN close to the DU will request the data file from the neighboring FNs and the cloud platform, and the data file will be transmitted to it and eventually forwarded to the DU.

An overview of the FSFU system can be found below:

(1)

Initialization: The system is initialized by the TA, which generates the public parameters and a master key. The public parameters of the system are public to all participants, and the master key is secret.

(2)

Authorization: The DU authenticates to the TA using his/her own set of attributes, and the TA issues a secret decryption key to the DU based on the set of attributes. Meanwhile, the DO authenticates to the TA using its ID, and the TA issues a signing key associated with the ID to the DO.

(3)

Secure latest firmware delivery: For the latest firmware, the DO specifies an access policy, uses it along with some tags to encrypt the latest firmware, and embeds its signature. The ciphertext is outsourced to the nearest fog node and then transmitted to the cloud platform.

(4)

Latest fine-grained firmware access: After receiving the latest encrypted firmware, the authorized DU first verifies the signature. Then, the plaintext is revealed from the ciphertext if each of the embedded tags has never been punctured.

(5)

Revocation of decryption capability of latest firmware: After revealing the latest firmware and successfully updating it, the DU can revoke the decryption capability for the ciphertext by puncturing a tag attached to it. If the DU has done this, he/she has updated the private key himself/herself, and malicious participants who have stolen the secret key cannot decrypt the current ciphertext.

2.2. Adversary Model and Design Goal

In FSFU, both a malicious DO and an unauthorized DU may attack the system as adversaries. For authentication, a malicious DO may deliver unexpected data, pretending to be a legitimate provider for improper gain. The encrypted data are transmitted over a public channel, so anyone can obtain the ciphertext. For data confidentiality, malicious unauthorized users may collude to recover the latest firmware. In addition, some malicious DUs may attack the devices of authorized DUs to steal private keys. Therefore, we considered the following specific security goals:

• Data confidentiality: The latest outsourced firmware should be protected from unauthorized access due to its economic value.
• Authentication: When the DO publishes the latest encrypted firmware, the DU should be able to verify that the expected service provider has published it.
• Collusion resistance: Unauthorized users with different attribute sets may collude by combining their private keys to obtain the latest firmware for free. For economic reasons, these collusion attacks must be prevented.
• Forward security: The DU’s device may be hacked, and the private key may be stolen. When the latest firmware is successfully updated, the private decryption key should be updated by the DU itself so that the current ciphertext can no longer be decrypted with the updated key.

3. Preliminaries

Table 1. Notations and descriptions.

Notation	Description
$\Omega$	The universe of attributes.
${\mathbb{G}}_1,{\mathbb{G}}_2$	Two cyclic multiplicative groups.
${\mathbb{Z}}_{{}_p}$	Integer ring with modulus p, where p is a prime number.
${\mathbb{Z}}_{{}_p}^{*}$	${\mathbb{Z}}_{{}_p}^{*}={\mathbb{Z}}_{{}_p}\setminus \left\{0\right\}$.
$H_i(·),i=1,2,3$	Hash function.
$\Gamma$	Access tree associated with the ciphertext.
$|\Gamma |$	Number of leaves in $\Gamma$.
S	Attribute set of the DU.
$S^{\prime }$	The smallest subset of S that satisfies $\Gamma$.
$t_1,\dots ,t_d$	Tags associated with the ciphertext; d is the maximum number.
$PK$	Public key, including the public system parameters.
$MSK$	Master key secretly held by the TA.
$sk$	Participant’s private key.
$KP$	Puncturable key, which is a component of the decryption key.

lists some notations and their descriptions.

3.1. Access Structures and Access Tree

Definition 1

(Access structures [14]). Let $\{P_1,P_2,\dots ,P_n\}$ be a set of parties. A collection $\mathbb{A}\subseteq 2^{\{P_1,P_2,\dots ,P_n\}}$ is monotone if $\forall B,C$: if $B\in \mathbb{A}$ and $B\subseteq C$, then $C\in \mathbb{A}$. An access structure is a collection $\mathbb{A}$, i.e., $\mathbb{A}\subseteq 2^{\{P_1,P_2,\dots ,P_n\}}\setminus \{\varnothing \}$. An authorized set is a subset in $\mathbb{A}$, and conversely, an unauthorized set is a set that is not in $\mathbb{A}$.

Access tree: One way to represent an access structure or policy is through an access tree. Each node in the access tree $\Gamma$ has at most n children. In $\Gamma$, the leaves represent attributes, and every other node is a $(t,n)$ threshold gate, which can be AND (∧) or OR (∨). During the encryption phase, each node is assigned a pair of values $(i,s_i)$, where i is the public index and $s_i$ is the corresponding value [14].

3.2. Lagrange Interpolation and Shamir’s Secret-Sharing Scheme

Given t different pairs of values $(x_1,y_1),\dots ,(x_t,y_t)$, a polynomial $f\left(x\right)$ of degree $t-1$ can be uniquely defined by the Lagrange interpolation [14], in such a way that:

$$f\left(x\right)={\sum }_{i=1}^t{y}_i{\prod }_{j=1,j\ne i}^t\frac{(x-x_j)}{(x_i-x_j)}.$$

Suppose a dealer D holds a secret s. It is divided into n shares in Shamir’s $(t,n)$ (where $t\le n$) threshold secret-sharing technique [14]. Any subset with shares greater than or equal to t can jointly reconstruct the secret s, and no subset with shares less than s can obtain the secret s. This is based on polynomial interpolation. The details of this method are given below.

The dealer D chooses a prime $p>max(s,n)$ and defines $a_0=s$. Then, D chooses $t-1$ random coefficients $a_1,\cdots ,a_{t-1},0\le a_j\le p$, and defines the random polynomial over ${\mathbb{Z}}_p$, $f\left(x\right)={\sum }_{j=0}^{t-1}{a}_j{x}^j$. According to $f\left(x\right)$, D securely sends to user $p_i$ the share $s_i=f\left(i\right)$ along with $p_i$’s index i.

Any group of t or more users can reconstruct s using their shares $(i,s_i)$ together by Lagrange interpolation, i.e., $s=f\left(0\right)={\sum }_{i=1}^t{s}_i{l}_i\left(0\right)$, where $l_i\left(0\right)={\prod }_{j=1}^t\frac{0-j}{i-j}$.

3.3. Ciphertext Policy-ABE

CP-ABE consists of four algorithms [13]:

• Setup$\left(k\right)$: Upon the input of a security parameter k, the algorithm outputs the public parameters $pk$ and a master key $msk$.
• KeyGen$(S,msk)$: Upon the input of the master key $msk$ and an attribute set S, the algorithm outputs a secret key $s{k}_S$ associated with S.
• Encrypt$(m,\Gamma ,pk)$: Upon the input of the public key $pk$, a message m, and an access tree $\Gamma$, the algorithm outputs the ciphertext $c_{\Gamma }$. The purpose of specifying $\Gamma$ is to make decryption accessible to authorized users.
• Decrypt$(c_{\Gamma },s{k}_S)$: Upon the input of a ciphertext $c_{\Gamma }$ and a secret key $s{k}_S$ associated with S, the algorithm outputs a message m or an error symbol ⊥.

3.4. Puncturable Encryption

A Puncturable Encryption (PE) scheme consists of four algorithms [26]:

• PE.KeyGen$(k,d)$: Upon the input of a security parameter k and a maximum tag number d, the algorithm outputs a public key $PK$ and an initial secret key $S{K}_0$.
• PE.Encrypt$(PK,m,t_1,\dots ,t_d)$: Upon the input of a public key $PK$, a plaintext m, and tags $t_1,\dots ,t_d$, the algorithm outputs the ciphertext c.
• PE.Puncture$(PK,S{K}_{i-1},t)$: Upon the input of a secret key $S{K}_{i-1}$ and a tag t, the algorithm outputs a new secret key $S{K}_i$. This new key $S{K}_i$ revokes the decryption capability on those ciphertexts encrypted with t, and the other decryption capabilities are the same as $S{K}_{i-1}$.
• PE.Decrypt$(PK,S{K}_i,c,t_1,\dots ,t_d)$: Upon the input of a secret key $S{K}_i$ and a ciphertext c, the algorithm outputs a message m if any tag attached to the ciphertext is not punctured or outputs an error symbol ⊥.

3.5. Bilinear Pairing and Security Assumption

Definition 2

(Bilinear pairing [14]). Let ${\mathbb{G}}_1,{\mathbb{G}}_2$ be two multiplicative cyclic groups of prime order p, and let g be a generator of ${\mathbb{G}}_1$. $e:{\mathbb{G}}_1\times {\mathbb{G}}_1\to {\mathbb{G}}_2$ is a bilinear pairing (or bilinear map) with the following properties:

-

Bilinearity: $e(u^a,v^b)=e(u^b,v^a)=e{(u,v)}^{ab}$ for all $u,v\in {\mathbb{G}}_1$ and $a,b\in {\mathbb{Z}}_p$.

-

Non-degeneracy: $e(g,g)\ne 1$, where 1 is the identity element of ${\mathbb{G}}_2$.

Definition 3

(Computational Diffie–Hellman assumption [31]). Given $g,g^a,g^b\in {\mathbb{G}}_1$, for the Computational Diffie–Hellman (CDH) problem in ${\mathbb{G}}_1$, it is difficult for any PPT adversary to calculate $V=g^{ab}$.

Definition 4

(Decisional bilinear Diffie–Hellman assumption [14]). Given $g,g^a,g^b,g^c\in {\mathbb{G}}_1$ and a random element $T\in {\mathbb{G}}_2$, for the Decisional Bilinear Diffie–Hellman (DBDH) problem, it is difficult for any PPT adversary to distinguish the tuple $(g,g^a,g^b,g^c,e{(g,g)}^{abc})$ from $(g,g^a,g^b,g^c,T)$.

4. Formal Definition and Security Model

4.1. Definition of Basic P-CP-ABE

There are five algorithms included in our basic P-CP-ABE scheme. The syntax definition is as follows:

• Setup$(k,d)\to (PK,MSK)$: It takes a security parameter k and a maximum tag number d as the input. The algorithm outputs a public key $PK$ and a master secret key $MSK$.
• KeyGen$(PK,MSK,S,ID)\to (s{k}_{\sigma },sk,K{P}_0)$: It takes the master secret key $MSK$, an attribute set S, and a DO identity $ID$ as the input. The algorithm outputs a private key $s{k}_{\sigma }$ associated with $ID$ for signing, a private key $sk$, and an initial puncture key $K{P}_0$ to decrypt the ciphertext together.
• Encrypt$(PK,M,\Gamma ,s{k}_{\sigma },t_1,\dots ,t_d)\to CT$: It takes a public key $PK$, a plaintext M, an access tree $\Gamma$, a singing key $s{k}_{\sigma }$ associated with $ID$, and tags $t_1,\dots ,t_d$ as the input. The algorithm outputs the ciphertext $CT$ that contains the signature associated with $ID$.
• Puncture$(K{P}_{i-1},t)\to K{P}_i$: It takes a secret key $K{P}_{i-1}$ and a tag t as the input. The algorithm outputs an updated key $K{P}_i$ that cannot decrypt ciphertexts encrypted with t.
• Decrypt$(CT,S,sk,K{P}_i)\to M$ or ⊥: It takes a ciphertext $CT$, a secret key $sk$ associated with S, and a puncturable key $K{P}_i$ as the input. The algorithm outputs a message M or an error symbol ⊥.

4.2. Security Model

The security of our basic P-CP-ABE is defined by the IND-CPA game played by an adversary $\mathcal{A}$ and a challenger. Here, we considered selective security, i.e., $\mathcal{A}$ specifies the challenge access tree and the set of tags in the initial phase before the public parameters of the system are distributed. The formal definition of the game is given below:

• Init: The adversary $\mathcal{A}$ declares the target access tree ${\Gamma }^{*}$ and the set of tags $\{t_{{}_1}^{*},\dots ,t_{{}_d}^{*}\}$.
• Setup: The challenger initializes a tag set $P=\varnothing$ and a counter $n=0$. Then, he/she executes Setup$(k,d)\to (PK,MSK)$ and gives $PK$ to $\mathcal{A}$.
• Phase 1:$\mathcal{A}$ can adaptively issue a polynomially bounded number of queries for any of the following:

  -

  KeyGen(S): $\mathcal{A}$ queries a secret key for a set of attributes $S=\left\{a_j\right|a_j\in \Omega \}$, where $a_j\notin {\Gamma }^{*}$.

  -

  Puncture(t): The challenger sets $n=n+1$, runs Puncture$(K{P}_{n-1},t)\to K{P}_n$, and lets $P=P\cup \left\{t\right\}$.

  -

  Corrupt(): If this is the first time $\mathcal{A}$ issues this query and $\{t_{{}_1}^{*},\dots ,t_{{}_d}^{*}\}\cap P=\varnothing$, the challenger sends the current secret key $K{P}_n$ to $\mathcal{A}$ and sets $C\leftarrow P$. In all other cases, Corrupt() returns ⊥.

• Challenge:$\mathcal{A}$ sends two messages of equal length $M_0,M_1$ to the challenger. The challenger flips a random coin $\beta \in \{0,1\}$ and executes Encrypt$(PK,M_{\beta },{\Gamma }^{*},t_1^{*},\dots ,t_d^{*})\to C{T}^{*}$. The challenge ciphertext $C{T}^{*}$ is sent to $\mathcal{A}$.
• Phase 2: It is identical to Phase 1.
• Guess:$\mathcal{A}$ outputs a guess ${\beta }^{\prime }\in \{0,1\}$.

If ${\beta }^{\prime }=\beta$, the adversary $\mathcal{A}$ wins the game. The advantage of adversary $\mathcal{A}$ is characterized as $ϵ=|Pr[{\beta }^{\prime }=\beta ]-\frac{1}{2}|$.

Definition 5.

A P-CP-ABE scheme is selectively secure if any polynomial time adversary has at most a negligible advantage in the above selective game.

5. Forward Secure Firmware Update System

The details of FSFU are described in this section, and then, we extend it to outsource some parameters and computation to fog nodes.

5.1. Design Details of FSFU

(1)

Initialization: The TA first takes a security parameter k and a maximum number d as the input and generates a bilinear map $e:{\mathbb{G}}_1\times {\mathbb{G}}_1\to {\mathbb{G}}_2$, where ${\mathbb{G}}_1$ is a group of prime order p and g is a generator. Then, the TA chooses three hash functions $H_1,H_2:{\{0,1\}}^{*}\to {\mathbb{G}}_1,H_3:{\{0,1\}}^{*}\to {\mathbb{Z}}_p.$ The TA sets the attribute universe as $\Omega =\{a_1,a_2,\dots ,a_n\}$ and executes the following Setup algorithm:

-

Setup$(k,d)$: The TA selects elements $\alpha ,n_1,n_2,\dots ,n_n\in {\mathbb{Z}}_{{}_p}^{*}$ at random. Compute $y=e{(g,g)}^{\alpha }$ and $T_j=g^{n_j},j=1,\dots ,n.$ Then, the TA selects a random element $a\in {\mathbb{Z}}_{{}_p}^{*}$ and chooses a d-degree polynomial $q(·)$ such that $q\left(0\right)=a$. Then, the TA defines $V\left(x\right)=g^{q\left(x\right)}$. $t_0$ is set as an initial tag that will not be used later in the encryption operation. The public system parameters are published as $PK$, and the master key is $MSK$:

$$\begin{array}{cc}\hfill PK& =(e,g,g^a,y=e{(g,g)}^{\alpha },T_j(j=1,\dots ,n),\hfill \\ \hfill & g^{q\left(l\right)},(l=1,\dots ,d),t_0,H_1,H_2,H_3),\hfill \\ \hfill MSK& =(\alpha ,a,n_j(j=1,\dots ,n)).\hfill \end{array}$$

(2)

Authorization: As shown in Figure 3, the TA grants access rights by issuing a private key to the DU based on its attribute set S and issuing a singing key $s{k}_{\sigma }$ to the DO associated with its $ID$. The TA implements these operations by executing the KeyGen algorithm:

-

KeyGen$(PK,MSK,S,ID)$: The TA first computes $P=H_1\left(ID\right)$ and sends $s{k}_{\sigma }=P^a$ to the DO. Then, the TA samples random elements $r,r_a,r^{\prime }\in {\mathbb{Z}}_{{}_p}^{*}$ and lets

$$\begin{array}{cc}\hfill sk& =(D=g^{\alpha -r}·{\left(g^a\right)}^{r_a},\forall a_j\in S,D_j=g^{r{n}_{{}_j}^{-1}}),\hfill \\ \hfill K{P}_0& =\left([k{p}_0^1,k{p}_0^2,k{p}_0^3,k{p}_0^4]\right)\hfill \\ \hfill & =\left([{\left(g^a\right)}^{-r_a+r^{\prime }},V{\left(H_3\left(t_0\right)\right)}^{r^{\prime }},g^{r^{\prime }},t_0]\right).\hfill \end{array}$$

The TA sends $(sk,K{P}_0)$ to the DU.

(3)

Latest secure firmware delivery: The DO chooses a symmetric encryption scheme and uses it to encrypt the latest firmware. Then, the DO specifies an access tree $\Gamma$ and some tags $t_1,\dots ,t_d$ and encrypts the symmetric key, which plays the role of plaintext $M\in {\mathbb{G}}_2$ in the Encrypt algorithm described below. The encryption process is considered to be two-level. The first level of encryption is associated with M and d tags, where the DO’s signature is attached. The second level of encryption is associated with access tree $\Gamma$. Finally, as shown in Figure 4, the ciphertext data are outsourced to the local fog node and then transmitted to the cloud platform:

-

Encrypt$(PK,M,\Gamma ,s{k}_{\sigma },t_1,\dots ,t_d)$: The DO first performs the first stage of encryption by selecting a random element $s\in {\mathbb{Z}}_{{}_p}^{*}$ and calculating $C_0=M·e{(g,g)}^{\alpha s},C_1=g^s,\{C_3^k=V{\left(H{}_3\left(t_k\right)\right)}^s,k=1,\dots ,d\}$.

$$\begin{array}{cc}\hfill C{T}_{first}& =(C_0,C_1,\{C_3^k,k=1,\dots ,d\})\hfill \\ \hfill & =(g^s,M·e{(g,g)}^{rs},\{V{\left(H{}_3\left(t_k\right)\right)}^s,k=1,\dots ,d\}).\hfill \end{array}$$

Then, the DO generates the signature. The DO samples a random element $r^{*}\in {\mathbb{Z}}_{{}_p}^{*}$ and calculates $P_m=H_2\left(C{T}_{first}\right)$. The signature $\sigma =(Sig=P_{{}_m}^{r*}·P^a,T=g^{r*})$.

The DO then performs the second-level encryption. In an access tree, consider an AND(∧) node as an $(n,n)$ threshold and an OR(∨) node as a $(1,n)$ threshold, where n is the number of its children. Assign values to the nodes of the access tree $\Gamma$ using a top-down recursive approach. For the root node, set its value to s so that the root is marked as assigned and all other nodes are unassigned.

Recursively, for each inner node i marked assigned, if its children are marked unassigned, its share $s_i$ is divided among its n children by Shamir’s $(t,n)$ secret-sharing scheme. Each shared secret $s_j=f\left(j\right)$ is assigned to each child node, and thus, this node is marked as assigned. For the leaf node $a_{j,i}\in \Gamma$, which represents an attribute, calculate $c_{j,i}=T_j^{s_i}$, where i is the unique attribute index according to the access tree. This process is illustrated in Figure 5.

Finally, the encrypted data are

$$CT=(\Gamma ,C_0,C_1,\{c_{j,i},\forall a_{j,i}\in \Gamma \},\{C_3^k,k=1,\dots ,d\},\sigma ).$$

(4)

Latest fine-grained firmware access: As shown in Figure 6, after the ciphertext is verified by the signature, the authorized DU can reveal the symmetric key that was used to encrypt the latest firmware so that the DU can obtain the latest firmware through the symmetric key. The authorized DU executes the Decrypt algorithm as shown below:

-

Decrypt$(CT,S,sk,K{P}_i)$: If S does not satisfy $\Gamma$ or $\{t_k,k=1,\dots ,d\}$ contains the punctured tags, return ⊥. Otherwise, the algorithm behaves as follows.

The DU first verifies the signature. Check whether the equation $e(Sig,g)=e(T,P_m)·e(g^a,P)$ holds. If not, discard the data; if true, the ciphertext is indeed from the expected DO.

Then, the DU performs the first-level decryption. Choose the smallest $S^{\prime }\subseteq S$ that satisfies $\Gamma$. For each attribute $a_j\in S^{\prime }$, calculate

$$\begin{array}{cc}\hfill \tilde{A}& =\prod _{a_j\in S^{\prime }}e{(D_j,c_{j.i})}^{L_i\left(0\right)}\hfill \\ \hfill & =\prod _{a_j\in S^{\prime }}e{(g^{r{n}_{{}_j}^{-1}},T_j^{s_i})}^{L_i\left(0\right)}\hfill \\ \hfill & =\prod _{a_j\in S^{\prime }}e{(g^{t_j{s}_i},g^{r{n}_{{}_j}^{-1}})}^{L_i\left(0\right)}\hfill \\ \hfill & =e{(g,g)}^{r{\displaystyle \sum _{a_j\in S^{\prime }}}{s}_i{L}_i\left(0\right)}\hfill \\ \hfill & =e{(g,g)}^{rs},\hfill \end{array}$$

where $L_i\left(0\right)$ is a Lagrange coefficient and can be calculated by the index of the attribute in the access tree. Then, calculate

$$\begin{array}{cc}\hfill A& =e(C_1,D)·\tilde{A}\hfill \\ \hfill & =e(C_1,D)·e{(g,g)}^{rs}\hfill \\ \hfill & =e(g^s,g^{\alpha -r}·{\left(g^a\right)}^{r_a})·e{(g,g)}^{rs}\hfill \\ \hfill & =e{(g,g)}^{\alpha s}·e{(g,g)}^{a{r}_{a}s}.\hfill \end{array}$$

Simultaneously, the DU decrypts the puncturable part. For $j=0,1,\dots ,i$, find $w_{j1},\dots ,w_{jd},w_j\ast$ such that $w_{j\ast }·q\left(H_3\left({k{p}_j}^4\right)\right)+{\sum }_{k=1}^d(w_{jk}·q\left(H_3\left(t_k\right)\right))=q\left(0\right)=a$ and compute

$$\begin{array}{cc}\hfill \overline{B}& =\frac{e(k{p}_{{}_0}^1,C_0)}{e(k{p}_{{}_0}^3,{\prod }_{k=1}^d{\left(C_3^k\right)}^{w_{0k}})·e{(k{p}_{{}_0}^2,C_0)}^{w_0\ast }}\hfill \\ \hfill & =\frac{e({\left(g^a\right)}^{r^{\prime }-r_a+r_{01}-{{\lambda }_1}^{\prime }+\dots +r_{0i}-{{\lambda }_i}^{\prime }},g^s)}{e(g^{r^{\prime }+r_{01}+\dots +r_{0i}},{\prod }_{k=1}^d{\left(V\left(H_3\left(t_k\right)\right)\right)}^{s{w}_{0k}})·e{(V{\left(H_3\left(t_0\right)\right)}^{r^{\prime }+r_{01}+\dots +r_{0i}},g^s)}^{w_0\ast }}\hfill \\ \hfill & =\frac{e{(g,g)}^{a(r^{\prime }-r_a+r_{01}-{{\lambda }_1}^{\prime }+\dots +r_{0i}-{{\lambda }_i}^{\prime })s}}{e{(g,g)}^{s(r^{\prime }+r_{01}+\dots +r_{0i})({\sum }_{k=1}^d{w}_{0k}·q\left(H_3\left(t_k\right)\right)+w_0\ast q\left(H_3\left(t_0\right)\right))}}\hfill \\ \hfill & =\frac{e{(g,g)}^{a(r^{\prime }-r_a+r_{01}-{{\lambda }_1}^{\prime }+\dots +r_{0i}-{{\lambda }_i}^{\prime })s}}{e{(g,g)}^{s(r^{\prime }+r_{01}+\dots +r_{0i})a}}\hfill \\ \hfill & =e{(g,g)}^{a(-r_a-{{\lambda }_1}^{\prime }-\dots -{{\lambda }_i}^{\prime })s},\hfill \\ \hfill \tilde{B}& ={\prod }_{j=1}^i\frac{e(kp{{}_j}^1,C_0)}{e(k{p}_{{}_j}^3,{\prod }_{k=1}^d{\left(C_3^k\right)}^{w_{j}k})·e{(k{p}_{{}_j}^{\left(2\right)},C_0)}^{w_j\ast }}\hfill \\ \hfill & ={\prod }_{j=1}^i\frac{e({\left(g^a\right)}^{{{\lambda }_j}^{\prime }+r_{1j}},g^s)}{e(g^{r_{1j}},{\prod }_{k=1}^d{\left(V\left(H_3\left(t_k\right)\right)\right)}^{s{w}_{jk}})·e{(V{\left(H_3\left(t_0\right)\right)}^{r_{1j}},g^s)}^{w\ast }}\hfill \\ \hfill & ={\prod }_{j=1}^i\frac{e{(g,g)}^{a({{\lambda }_j}^{\prime }+r_{1j})s}}{e{(g,g)}^{s{r}_{1j}({\sum }_{k=1}^d{w}_{jk}·q\left(H_3\left(t_k\right)\right)+w_j\ast q\left(H_3\left(t_0\right)\right))}}\hfill \\ \hfill & ={\prod }_{j=1}^i\frac{e{(g,g)}^{a({{\lambda }_j}^{\prime }+r_{1j})s}}{e{(g,g)}^{s{r}_{1j}a}}\hfill \\ \hfill & =e{(g,g)}^{a({{\lambda }_1}^{\prime }+\dots +{{\lambda }_i}^{\prime })s},\hfill \end{array}$$

$$B=\overline{B}·\tilde{B}=e{(g,g)}^{-r_{a}as}.$$

After that, the DU executes the second-level decryption. Output

$$\begin{array}{cc}\hfill M& =\frac{C_0}{A·B}\hfill \\ \hfill & =\frac{M·e{(g,g)}^{\alpha s}}{e{(g,g)}^{\alpha s}·e{(g,g)}^{a{r}_{a}s}·e{(g,g)}^{-r_{a}as}}.\hfill \end{array}$$

(5)

Revocation of decryption capability of latest firmware: After revealing the latest firmware and successfully updating it, as shown in Figure 7, the DU can revoke the capability to decrypt the ciphertext through the Puncture algorithm, as shown below:

-

Puncture$(K{P}_{i-1},t)$: First, parse $K{P}_{i-1}=(k{p}_0,k{p}_1,\dots ,k{p}_{i-1})$, and then, parse $k{p}_0=[k{p}_0^1,k{p}_0^2,k{p}_0^3,k{p}_0^4]$. The DU selects ${{\lambda }_i}^{\prime },r_{0i},r_{1i}\in {\mathbb{Z}}_{{}_p}^{*}$ at random and lets

$$\begin{array}{cc}\hfill k{p_0}^{\prime }& =[k{p}_0^1·{\left(g^a\right)}^{r_{0i}-{{\lambda }_i}^{\prime }},k{p}_0^2·V{\left(H{}_3\left(t_0\right)\right)}^{r_{0i}},k{p}_0^3·g^{r_{0i}},t_0]\hfill \\ & =[{\left(g^a\right)}^{r^{\prime }-r_a+r_{01}-{{\lambda }_1}^{\prime }+\dots +r_{0i}-{{\lambda }_i}^{\prime }},V{\left(H_3\left(t_0\right)\right)}^{r^{\prime }+r_{01}+\dots +r_{0i}},g^{r^{\prime }+r_{01}+\dots +r_{0i}},t_0].\hfill \\ \hfill k{p}_i& =[{\left(g^a\right)}^{{{\lambda }_i}^{\prime }+r_{1i}},V{\left(H{}_3\left(t_0\right)\right)}^{r_{1i}},g^{r_{1i}},t].\hfill \end{array}$$

Finally, the updated key is

$$K{P}_i=(k{p_0}^{\prime },k{p}_1,\dots ,k{p}_{i-1},k{p}_i).$$

5.2. Extended Construction

When firmware updates occur in the smart home system, a major problem is the limited computing power and memory of the data user nodes in the network. In the cloud–fog paradigm, some operations and parameters can be processed by fog nodes to reduce the computing and memory load of participants. In this section, we extend the basic FSFU to outsource some of the computation and parameters to the fog nodes; see Figure 8. The extended construction is described below:

(1)

Initialization: It is identical to the basic system.

(2)

Authorization: It is identical to the basic system, except that the TA chooses an additional random element $n_0\in {\mathbb{Z}}_p^{*}$ associated with a virtual attribute and generates $D_0=g^{r{n}_{{}_0}^{-1}}$.

(3)

Latest secure firmware delivery: It is identical to the basic scheme, except:

-

The DO generates the first-level ciphertext $C{T}_{first}$ and a signature $\sigma$ on it. Then, the DO passes $(C{T}_{first},\sigma )$ to the local fog node.

-

The fog node verifies the signature as the DU did above. If the ciphertext $C{T}_{first}$ is authenticated, the fog node and the DO perform the second-level encryption together to generate the final ciphertext.

-

Second-level encryption: The DO divides s into $s_0,s_1$ such that $s=s_0+s_1$. The DO generates $c_{0,0}=T_0^{s_0}$ and passes $\Gamma$ and $s_1$ as the root value to the fog node to generate ciphertext for each leaf. The fog node generates $\{c_{j,i},\forall a_{j,i}\in \Gamma \}$.

Finally, output

$$CT=(C{T}_{first},c_{0,0}={T_0}^{s_0},c_{j,i}=T_j^{s_i},\forall a_{j,i}\in \Gamma ).$$

(4)

Latest fine-grained firmware access: Some computations can be performed at the fog node. The details are described below:

-

Decryption by fog node:

∗

The fog node computes $\tilde{A}$ through $\{c_{j,i}=T_j^{s_i},\forall a_{j,i}\in \Gamma \}$ and $\{D_j,\forall a_j\in S\}$, which is received from the data-user-obtained attribute set S. The fog node computes $\tilde{A}=e{(g,g)}^{r{s}_1}$.

∗

The fog node computes $\tilde{B}=e{(g,g)}^{a({{\lambda }_1}^{\prime }+\dots +{{\lambda }_i}^{\prime })s}$ by $\{C_3^k,k=1,\cdots ,d\}$ and $K{P}_i\setminus k{p}_0$.

∗

$C{T}_{part}=(C_0,C_1,c_{0,0}=T_0^{s_0},\tilde{A},\tilde{B})$, then the fog node passes $C{T}_{part}$ to the data user.

-

Decryption by the DU: After receiving $C{T}_{part}$, the DU computes

$$\begin{array}{cc}\hfill \overline{A}& =e(T_{{}_0}^{n_0},D_0)·\tilde{A}\hfill \\ \hfill & =e(g^{s_0{n}_0},g^{r{n}_0^{-1}})·e{(g,g)}^{r{s}_1}\hfill \\ \hfill & =e{(g,g)}^{rs},\hfill \\ \hfill A& =e(C_1,D)·\overline{A},\hfill \end{array}$$

$$\overline{B}=\frac{e(k{p}_{{}_0}^1,C_1)}{e(k{p}_{{}_0}^3,{\prod }_{k=1}^d{\left(C_3^k\right)}^{w_{0k}})·e{(k{p}_{{}_0}^2,C_1)}^{w_0*}},$$

and $B=\overline{B}·\tilde{B}=e{(g,g)}^{-r_{a}as}.$

Finally, the DU can obtain the plaintext:

$$M=\frac{C_0}{A·B}.$$

(5)

Revocation of decryption capability of latest firmware: This process is identical to the basic system, except that the DO keeps $k{p}_0$ and passes $K{P}_i\setminus k{p}_0$ to the fog node for external decryption.

6. Security and Performance Analysis

6.1. Security Analysis

Our basic P-CP-ABE scheme proposed above includes the CP-ABE scheme, the identity-based signature and puncturable encryption scheme, so its security is related to these schemes. The security analysis is given below.

6.2. Authentication of P-CP-ABE

Lemma 1.

Suppose the CDH assumption holds in ${\mathbb{G}}_1$; an IBS scheme is secure against existential forgery [31], and so is the P-CP-ABE scheme.

Since the signature is attached to the components associated with the message in the ciphertext, the authenticity of the source of the message can be verified by this signature.

6.3. Data Confidentiality of P-CP-ABE

Lemma 2

([14]). Suppose that the DBDH assumption holds. Then, no polynomial adversary can break the CP-ABE scheme with a challenge access tree ${\Gamma }^{*}$.

Theorem 1.

Our basic P-CP-ABE scheme proposed above is selectively CPA-secure in the selective game mentioned in Section 4, based on the assumption in Lemma 2.

Proof. 

Suppose that there is an adversary $\mathcal{A}$ who can break our basic P-CP-ABE scheme with a non-negligible advantage $ϵ$. $\mathcal{A}$ can be used to break the CP-ABE scheme proposed in [14], which we will denote as ${\Pi }_{CP}=({\mathsf{Setup}}_{CP},{\mathsf{KeyGen}}_{CP},{\mathsf{Encrypt}}_{CP},{\mathsf{Decrypt}}_{CP})$, with a simulator $\mathcal{B}$. The simulator plays the role of the challenger and interacts with $\mathcal{A}$.

Init:$\mathcal{A}$ gives $\mathcal{B}$ the challenge access tree ${\Gamma }^{*}$ together with the tag set $\{t_{{}_1}^{*},\dots ,t_{{}_d}^{*}\}$ before the public parameters are established. Then, $\mathcal{B}$ forwards them to ${\Pi }_{CP}$.

Setup:$\mathcal{B}$ receives $PK=(e,g,g^a,g^c,y=e{(g,g)}^{\alpha },T_j=g_j^n,(j=1,\dots ,n)$ from ${\Pi }_{CP}$. First, $\mathcal{B}$ initializes a tag set $P=\varphi$ and a counter $n=0$. Then, $\mathcal{B}$ uniformly chooses $d+1$ random elements ${\theta }_0,{\theta }_1,\dots ,{\theta }_d$ from ${\mathbb{Z}}_p^{*}$, where ${\theta }_0$ is associated with $t_0$. This is performed so that $q\left(0\right)=a,q\left(H_3\left(t_i^{*}\right)\right)={\theta }_i$ is implicitly determined, and then, $V\left(H_3\left(t_i^{*}\right)\right)=g^{{\theta }_i}$. $\mathcal{B}$ passes public parameters $PK=(e,g,g^a,y=e{(g,g)}^{\alpha },T_j(j=1,\dots ,n),g^q\left(l\right)(l=1,\dots ,d),t_0)$ to $\mathcal{A}$.

Phase 1:$\mathcal{A}$ can adaptively issue a polynomially bounded number of queries for any of the following:

• KeyGen(S) query: $\mathcal{B}$ requests the decryption key for the attribute set S from ${\Pi }_{CP}$ and contains $s{k}_S=(d_0,\forall a_j\in S:D_j)$ with the form $d_0=g^{\alpha -r}$. Then, $\mathcal{B}$ uniformly selects random elements $r_a,r^{\prime }\in {\mathbb{Z}}_p^{*}$ and computes $D=d_0·{\left(g^a\right)}^{r_a}$ and $k{p}_0^1={\left(g^a\right)}^{-r_a+r^{\prime }},k{p}_0^2=g^{{\theta }_0{r}^{\prime }},k{p}_0^3=g^{r^{\prime }},k{p}_0^4=t_0$. $\mathcal{B}$ sends $(sk=(D,\forall a_j\in S:D_j),K{P}_0=\left([k{p}_0^1,k{p}_0^2,k{p}_0^3,k{p}_0^4]\right))$ to $\mathcal{A}$.
• Puncture(t) query: $\mathcal{B}$ increments n and runs Puncture$(K{P}_{n-1},t)$, sends $K{P}_i$ to $\mathcal{A}$, and sets $P=P\cup \left\{t\right\}$.
• Corrupt() query: If this is the first time $\mathcal{A}$ issues this query and $\{t_{{}_1}^{*},\dots ,t_{{}_d}^{*}\}\cap P=\varnothing$, $\mathcal{B}$ sends the current secret key $K{P}_n$ to $\mathcal{A}$ and sets $C\leftarrow P$. In all other cases, Corrupt() returns ⊥.

Challenge:$\mathcal{A}$ sends two equal-length messages $M_0,M_1$ to $\mathcal{B}$. $\mathcal{B}$ passes them to ${\Pi }_{CP}$. ${\Pi }_{CP}$ flips a fair coin $\beta \in 0,1$ and sends the challenge ciphertext $ct=(C_0,C_1,\forall a_{j,i}\in {\Gamma }^{*},c_{j,i})$ of the form $C_0=M_{\beta }·e{(g,g)}^{\alpha c},C_1=g^c,$ to $\mathcal{B}$. Then, $\mathcal{B}$ computes $C_3^k={\left(C_0\right)}^{{\theta }_k},k=1,\cdots ,d$ and sends the challenge ciphertext:

$$C{T}^{*}=(ct,\{C_3^k,k=1,\cdots ,d\})$$

to $\mathcal{A}$.

Phase 2: It is identical to Phase 1.

Guess:$\mathcal{B}$ decides its own output based on the output of $\mathcal{A}$. When ${\beta }^{\prime }\in \{0,1\}$ is the guess of $\mathcal{A}$, $\mathcal{B}$ outputs the same ${\beta }^{\prime }$ as the guess of $\beta$. Thus, $\mathcal{B}$ has the same advantage as $ϵ$ to break the CP-ABE scheme ${\Pi }_{CP}$. □

6.4. Collusion Resistance

In order to reveal a message from the encrypted data, $e{(g,g)}^{\alpha s}$ should be recovered, and the knowledge of $e{(g,g)}^{rs}$ is a precondition. Due to the random element r for each DU in the private key distribution phase, it is impossible to combine keys generated for different attribute sets to reconstruct $e{(g,g)}^{rs}$ because of the different r.

6.5. Forward Security

For a ciphertext concatenated with a list of tags $t_1,\dots ,t_d$, without loss of generality, assume that the puncturable key $KP$ has already punctured $t_1$ such that $k{p}_1^4=t_1$. As a result, whoever kept $KP$ cannot find $w_{11},\dots ,w_{1d},w_{1\ast }$ such that $w_{1\ast }·q\left(H_3\left({k{p}_1}^4\right)\right)+{\sum }_{k=1}^d(w_{1k}·q\left(H_3\left(t_k\right)\right))=q\left(0\right)=a$. Furthermore, $\tilde{B}$ cannot be recovered, and it causes $KP$ to lose its capability to decrypt the past ciphertext. This guarantees forward security.

6.6. Security Analysis of Extended Scheme

In the extended scheme, the DO outsources the second-level encryption, which is the encryption for the leaf nodes in the access tree, to the fog node and passes a part of the secret number to it as the value of the root node during encryption. The DU transmits part of the private key components to the fog node, and the fog node performs the external decryption operation, then transmits $C{T}_{part}$ to the DU such that the DU can perform the final decryption to reveal the plaintext. The extended scheme is secure under the discrete logarithm assumption on the elliptic curve.

6.7. Performance Analysis

The security of the proposed schemes was proven above; in this section, the performance analysis focused on the computational efficiency by comparing the cost of encryption and decryption.

Table 2. Feature comparison of different schemes.

Scheme	Access Structure	Outsource Ability	Authentication	Forward Security
Original CP-ABE [14]	Tree	✕ 1	✕	✕
Pt-CP-ABE [28]	Matrix	✕	✕	√2
Our basic scheme	Tree	✕	√	√
Our extended scheme	Tree	√	√	√

¹ ✕ indicates that the scheme does not has this capability. ² √ indicates that the scheme has this capability.

and

Table 3. Performance comparison of different schemes.

Scheme	Ciphertext Size		Decryption Cost			Communication Cost
	$|{\mathbb{G}}_1|$	$|{\mathbb{G}}_2|$	$\mathit{Exp}.\left({\mathbb{G}}_1\right)$	$\mathit{Exp}.\left({\mathbb{G}}_2\right)$	Pairing	DO	DU
Pt-CP-ABE [28]	$l\times n_{max}+1+d$	1	$\left|I\right|\times n_{max}+\left|I\right|$	/	$n_{max}+\left|I\right|+1+3(i+1)$	$(l\times n_{max}+1+d)|{\mathbb{G}}_1|+|{\mathbb{G}}_2|$	$(l\times n_{max}+1+d)|{\mathbb{G}}_1|+|{\mathbb{G}}_2|$
Our basic scheme	$|\Gamma |+3+d$	1	$d(i+1)$	$|S^{\prime }|+i+1$	$S^{\prime }+4+3(i+1)$	$\left(\right|\Gamma |+3+d\left)\right|{\mathbb{G}}_1|+|{\mathbb{G}}_2|$	$\left(\right|\Gamma |+3+d\left)\right|{\mathbb{G}}_1|+|{\mathbb{G}}_2|$
Our extended scheme	$2+d$	1	d	1	5	$(2+d)|{\mathbb{G}}_1|+|{\mathbb{G}}_2|+|{\mathbb{Z}}_p|$	$(5+|S^{\prime }\left|\right)|{\mathbb{G}}_1|+3|{\mathbb{G}}_2|+|tag|$

show the feature comparison and performance comparison of different schemes, where the communication cost is for the DO and the DU. In the above tables, $\Gamma$ is the access tree, l is the row number of the access matrix, while $n_{max}$ is the maximum column number, I is the index set of the authorized attribute set, $S^{\prime }$ is the smallest attribute subset that satisfies $\Gamma$, d is the maximum tag number, and i is the puncture numbers.

The cost of our basic scheme is much lower than that of Pt-CP-ABE [28], as can be clearly seen from Table 3, since in the latter, the product of each element of the access matrix with the corresponding component of the vector is used in encryption and decryption. Since key storage and computation are outsourced, the overhead of the extended scheme does not depend on the size of the universe of attributes and the puncturable numbers, as can be seen from Table 3. Participants may have to make a tradeoff between communication overhead and computation and storage costs, depending on the device.

Then, we conducted the test on a PC: the computer operating system used was Windows 10 Home Chinese Edition, and the processor was an Intel(R) Core(TM) i5-7200U CPU @ 2.50 GHz and 16 GB RAM. The test was based on a 160-bit elliptic curve group constructed on the curve $y^2=x^3+x$ over a 512-bit field.

The computation time to generate an initial puncturable key $K{P}_0$ and the subsequent puncturable key are listed in

Table 4. Puncturable key generation time.

Operation	Time (ms)
Generation for $K{P}_0$	57.21
Generation for $K{P}_{i-1}\to K{P}_i$	90.06

. In smart homes, the latest firmware is not published very often in a short period of time, so the puncturable time is reasonable. It can be seen in Figure 9 that, despite the introduction of the signature and puncturable key, the encryption and decryption were still efficient. In contrast, in the Pt-CP-ABE scheme, both the encryption time and decryption time grew very fast, and the trend was the square of the number of attributes, as analyzed above. In conclusion, our proposed FSFU is efficient from both the theoretical analysis and the experimental results.

7. Conclusions and Future Work

To enable secure firmware updates in smart home systems, we proposed an FSFU system that invokes the proposed Puncturable-Ciphertext Policy-Attribute-Based Encryption (P-CP-ABE) scheme. In addition, we described the extended version, where some of the computations and parameters were outsourced to fog nodes under the cloud–fog paradigm. In practice, user attributes and firmware tags are often monitored by different independent authorities. In addition, a multi-authority system can better protect the privacy of user identities than a single trusted authority. Key distribution and privacy protection in a multi-authority puncturable-ciphertext policy-attribute-based encryption scheme is a challenging problem for future research.