STQ-SCS: An Efficient and Secure Scheme for Fine-Grained Spatial-Temporal Top-k Query in Fog-Based Mobile Sensor-Cloud Systems

With the emergence of the fog computing and the sensor-cloud computing paradigms, end users can retrieve the desired sensory data generated by any wireless sensor network (WSN) in a fog-based sensor-cloud system transparently. However, the fog nodes and the cloud servers may suffer from many kinds of attacks on the Internet and become semitrusted, which threatens the security of query processing in the system. In this paper, we investigated the problem of secure, fine-grained spatial-temporal Top-k query in fog-based mobile sensor-cloud systems (FMSCSs) and proposed a novel scheme named STQ-SCS to tackle the problem based on the virtual grid construction and the size-order encryption-binding techniques. STQ-SCS can preserve the privacy of the sensed data items and their scores and let end users verify the completeness of the query results of fine-grained spatial-temporal Top-k queries with a 100% success rate even if the fog nodes and the cloud servers are not totally trustworthy. Besides the good security performance, simulation results indicate that STQ-SCS is also an efficient scheme that incurs a much lower communication cost than the state-of-the-art schemes on securing fine-grained spatial-temporal Top-k query in FMSCSs.


Introduction
As one important component of the Internet of Things (IoT) [1], wireless sensor networks (WSNs) [2] can be used in many application scenarios and are still being studied [3] by many researchers even though extensive research has been carried out on WSNs for the past two decades. However, traditional WSNs are usually single-user centric [4], where a user deploys and owns its own WSN and another party is not able to access the sensed data generated by such a WSN. To remedy this shortcoming, researchers have conceived a new paradigm, namely, the sensor-cloud paradigm [5][6][7], in recent years. A typical sensor-cloud model is shown in Figure 1(a), where the sensor-cloud architecture serves as the intermediate stratum between the end users and the physical sensor nodes [4]. However, early sensor-cloud architectures are still not perfect, and they encounter many new challenges, such as providing real-time services and efficiently managing the physical sensor nodes. In [8], a new sensor-cloud architecture, namely, the fog-based sensor-cloud framework, was proposed, and the basic model of the fog-based sensor-cloud framework is shown in Figure 1(b). The main difference between early sensor-cloud architectures and the fog-based sensor-cloud framework is that the latter has a fog layer while the former does not. The fog layer is mainly composed of fog nodes, which can fuse and store the collected sensed data, respond to real-time applications, and efficiently manage the physical sensor nodes [8]. In the fog-based sensor-cloud framework, end users can not only retrieve the sensed data items they are interested in directly from the nearby fog nodes, but also obtain the shared sensed data from the cloud by sending queries to the cloud if the data they want are not in the nearby fog nodes.
Although the fog-based sensor-cloud framework brings a lot of benefits as described in [8], it encounters many potential security threats. The fog nodes may be captured by the nearby attackers or may suffer from the attacks arising from the cloud. In other words, the fog nodes may become untrusted [9,10] under such attacks. Meanwhile, the application servers in the cloud are facing many kinds of attacks, and some of the cloud servers may also not be trustworthy [11][12][13]. Under this background, how to ensure the integrity and the confidentiality of the sensed data items retrieved by the end users in the fog-based sensor-cloud systems is a thorny-and-burning problem. Such a problem is much more challenging in fog-based mobile sensor-cloud systems (FMSCSs), where the sensor nodes are mobile, considering that the sensed data retrieved by end users must satisfy the spatial-temporal requirements of the queries launched by end users.
In this paper, we focus on fine-grained spatial-temporal Top-k queries and make efforts to tackle the abovementioned problem. The concept of fine-grained spatial-temporal Top-k queries is defined in Definition 1 in Section 3. In a word, a fine-grained spatial-temporal Top-k query refers to a query that tries to find out the top k sensed data items generated in a specific time interval and a specific region of a specific WSN deployment field. To our best knowledge, there is no work studying the problem of secure fine-grained spatial-temporal Top-k query in fog-based sensor-cloud systems at present. In brief, the main contributions of this paper are twofold:
(i) It studies the problem of secure fine-grained spatial-temporal Top-k query in FMSCSs and proposes a novel scheme named STQ-SCS to ensure the integrity and confidentiality of the sensed data items retrieved by end users. It provides sound theoretical analysis on the security of STQ-SCS. According to the analysis, STQ-SCS is not only able to preserve the privacy of the sensed data items retrieved by end users but also detect the incomplete query results successfully for fine-grained spatial-temporal Top-k query under the security model presented in this paper.
(ii) Extensive simulations were conducted in the paper, and the results show that STQ-SCS is much more efficient than the related state-of-the-art schemes.
The remainder of this paper is organized as follows. Section 2 summarizes the related schemes; Section 3 describes the system model, the security model, the definitions of some terminologies, and the problem statement; Section 4 presents the proposed scheme STQ-SCS in detail; Section 5 analyzes the security of STQ-SCS; in Section 6, STQ-SCS is compared with the related state-of-the-art schemes through extensive simulations; Section 7 provides performance evaluation; Section 8 concludes this study.

Related Works
Since there is no work about secure fine-grained spatial-temporal Top-k query in FMSCSs at present, we mainly investigate the related works in Cloud Computing, Two-tiered Wireless Sensor Networks (TWSNs), and Two-tiered Mobile Wireless Sensor Networks (TMWSNs) in this section.

Securing Top-k Queries in Cloud Computing.
Top-k queries in the cloud are generally securely processed based on the data that are outsourced on cloud servers by the same data owner. In Cloud Computing, the data owner knows all its outsourced data and thus can construct the encrypted data structure, such as EHL [14], the binary heap [15], or other tree-like structures [16][17][18], based on the whole data set to facilitate Top-k query without losing data privacy, while in FMSCSs, except for the fog nodes that are considered as not fully trusted, each sensor node knows only a small part of the whole data generated by the WSN where it is located, and it thus cannot construct the encrypted data structure of the whole data before outsourcing its data to a fog node or the cloud. Moreover, existing schemes proposed for secure Top-k query in Cloud Computing are based on the strong processing ability and rich resources of the cloud servers, and they never consider the resource-limited sensor nodes which are also weak in computing. Thus, they are not fit for FMSCSs.

Securing Top-k Queries in TWSNs.
The study of securing Top-k queries in TWSNs was originally launched by the authors in [19], where three schemes are proposed to preserve the completeness of the Top-k query results in TWSNs. The three schemes were proposed based on the MAC (Message Authentication Code) technique, which requires each sensed data item to be attached with a MAC as its proof data. Then, many other schemes that use a similar technique appeared, such as those in [19][20][21][22][23][24]. However, the MAC-based technique is relatively less efficient because attaching a MAC to each sensed data item brings a large quantity of extra data, since a MAC takes almost 40% of the volume of a sensed data item according to [19].
Besides the MAC-based technique, some other methods were also proposed to ensure the privacy of the sensed data and the completeness of the Top-k query results in TWSNs, such as inserting digital watermarks or dummy readings into the normal ones [25] and constructing data aggregation trees [26,27]. However, inserting digital watermarks or dummy readings into the measured data makes it hard and complicated for the users to extract the normal readings from the hybrid ones, and it also brings a lot of redundant data, which further leads to the increase of the communication cost of both the sensor nodes and fog nodes.
What is more, one of the most important common points of these schemes is that they are all proposed for TWSNs where nodes are static [28], and they cannot perfectly treat the security threats faced by spatial-temporal Top-k query in FMSCSs, where attackers can launch much more covert attacks. When a mobile sensor node travels from the queried region to other regions or vice versa in the queried time interval, some sensed data generated by the sensor node may be in the queried region, and others may not. Obviously, the sensed data generated out of the queried region by the traveling sensor node are not the qualified ones that satisfy the requirements of the spatial-temporal Top-k query. However, few securing Top-k query schemes proposed in TWSNs consider this, which leaves openings for the attackers to launch new kinds of covert attacks. For example, the attackers may replace the data items that are generated in the queried region by a sensor node with those produced out of the queried region by the same sensor node.

Securing Top-k Queries in TMWSNs.
The first work on securing Top-k queries in TMWSNs was done by Liu et al. in 2015 [29], when they presented a novel network architecture, namely, TMWSNs, and proposed a scheme VTMSN to ensure the completeness of spatial-temporal Top-k query in TMWSNs.
The main techniques used in VTMSN are symmetric encryption and information binding. Specifically, it binds the score of each sensed data item with its corresponding generation time, location, and value ranking order by concatenating and encrypting them with the kept symmetric key. Although VTMSN increases the difficulty for the attackers to undermine the completeness of the query results because of the binding relationships, it still has shortcomings. One is that it cannot preserve the privacy of the sensed data items since it leaves the data items disclosed to the fog nodes for ease of Top-k query processing on them; another one is that there should be a large volume of location data transported together with the sensed readings, which greatly increases the communication cost of the sensor nodes and fog nodes.
To overcome the latter shortcoming of VTMSN, Wu et al. proposed a scheme named EVTopk [30] in 2016. EVTopk achieves completeness preservation of the Top-k query results by using the HMAC (Hash Message Authentication Code), which is formed by making hashing and encryption operations on the concatenated items including the score, the location, and the neighboring HMAC. However, since each sensed data item should be attached with an HMAC in EVTopk, the HMACs account for a large proportion of the data reports of the sensor nodes and the query results. Moreover, EVTopk is not able to achieve data privacy preservation either. In [31], a comparative study was made on the two schemes, EVTopk and VTMSN. To further decrease the volume of the proof data in the data reports and the query results, in 2018, a scheme named VIP-TQ was proposed to preserve the integrity of the query results for spatial-temporal Top-k query in TMWSNs. In VIP-TQ, sensed data are bound together with their location as well as their neighboring data score using pairwise-key-based encryption. Although the binding can effectively prevent the compromised fog nodes from undermining the integrity of the Top-k query results, it leaves the scores of the sensed data disclosed to the storage nodes, which increases the risk of divulging the privacy of the sensed data. In the same year, Ma et al. proposed two other schemes, namely, SSSTQ1 and SSSTQ2 [32], for securing spatial-temporal Top-k in TMWSNs. However, a large number of original locations associated with the sensed data items are added into the data reports and the query results for integrity verification, which heavily increases the communication cost of the systems.
In summary, although there are many schemes related to secure Top-k query in existing works, they either have obvious shortcomings or cannot be used in FMSCS, which motivates us to do further work in this paper.

System Model.
The system model of FMSCSs is shown in Figure 2. In the model, TA is short for trusted authority [33], which is a trustworthy party. TA is used to authenticate the identity of end users and MWSNOs (Mobile Wireless Sensor Network Owners) and distribute the secret keys to them. Each fog node in the fog layer connects and manages one MWSN (Mobile Wireless Sensor Network), and each MWSN is assumed to be composed of N mobile sensor nodes and is owned by a MWSNO. Specifically, the main responsibility of each fog node is as follows: (1) collecting, processing, and storing the sensed data items updated by the sensor nodes in its corresponding WSN; (2) managing the mobile sensor nodes in its corresponding MWSN; and (3) responding to the queries that may be sent from the cloud or the end users directly. End users can retrieve the desired data by launching and sending queries to the cloud or the fog nodes directly if they are not far from the fog nodes. If a cloud server receives a query from some end user, it first determines the fog node, which satisfies the region requirement of the query, and then sends the query to the fog node; if a fog node receives a query, it processes the query locally and sends the query result to the party (the cloud or the end user) who has sent the query. The mobile sensor nodes in WSNs periodically upload their sensed data to the corresponding fog nodes in the fog layer. We divide time into epochs, and take the time length of each epoch as the period for each sensor node to upload its sensed data items. We assume that mobile sensor nodes in each WSN do not move all the time. They stay at some target locations for certain time intervals when they reach the positions, and go on moving to other target locations if it is necessary. Moreover, we assume that the mobile sensor nodes only generate sensed data items when they are staying at their target locations.
Besides, it is assumed that each mobile sensor node just moves within the WSN field where it is located, since it will cost a lot of energy for the sensor nodes to move among different WSN-deployed fields.
In this paper, we use the set $\{D^t_{i,j,1}, D^t_{i,j,2}, \ldots, D^t_{i,j,\mu^t_{i,j}-1}, D^t_{i,j,\mu^t_{i,j}}\}$ to denote the sensed data items generated by sensor node $S_i$ at its $j$th target location in the $t$th epoch $T_t$, where $\mu^t_{i,j}$ is the total number of the sensed data items generated by $S_i$ at its $j$th target location in $T_t$. For any sensed data item $D^t_{i,j,x}$, its corresponding data score $d^t_{i,j,x}$ can be worked out using a public scoring function $f(*)$ [19], . Without loss of generality, we assume different sensed data items have distinct scores [19]. Moreover, in order to facilitate presentation, we assume that the ranking orders of the sensed data items generated by any sensor node at a target location are consistent with their subscript digital numbers. For example, there is , where $i$ and $j$ are the node ID and the target location ID of $S_i$, respectively. The specific meanings of the notations used in this paper are listed in Table 1.

Definitions.
In this section, we define the terminologies used in this paper as follows:
(i) Fine-grained spatial-temporal Top-k query: it is the query which tries to find out the top k sensed data items that have the biggest (or the smallest) scores among all the sensed data items generated in $QR_{I_{MWSN}}$ in $T_t$, where $QR_{I_{MWSN}}$ is a subregion of the deployment field of the MWSN whose ID is $I_{MWSN}$. The meta-language of a fine-grained spatial-temporal Top-k query $Q_t$ in FMSCSs is shown in the following equation: (1)
(ii) Queried node and queried location: given a spatial-temporal Top-k query $Q_t = \{I_{Q_t}, T_t, k, I_{MWSN}, QR_{I_{MWSN}}\}$, if a target location of any mobile sensor node falls in $QR_{I_{MWSN}}$ in $T_t$, the target location is one of the queried locations of $Q_t$; if at least one of the target locations of a mobile sensor node is one of the queried locations of $Q_t$, the sensor node is called a queried node of $Q_t$.
(iii) Qualified Top-k data items: given a spatial-temporal Top-k query $Q_t = \{I_{Q_t}, T_t, k, I_{MWSN}, QR_{I_{MWSN}}\}$, if a sensed data item $D^t_{qualified}$ satisfies the following two conditions, it is called the qualified Top-k data item of $Q_t$: (1) $D^t_{qualified}$ was generated in $QR_{I_{MWSN}}$ and $T_t$; (2) among all the sensed data items generated in $QR_{I_{MWSN}}$ and $T_t$, there are at least $N_{Q_t} - k$ data items whose scores are smaller (or bigger) than the score of $D^t_{qualified}$, where $N_{Q_t}$ refers to the total number of the sensed data items generated in $QR_{I_{MWSN}}$ and $T_t$.
(iv) Data-proof Packet $DPP^t_{i,j}$: for any target location , Data-proof Packet $DPP^t_{i,j}$ refers to the subreport produced by $S_i$ for the sensed data generated at $Loc^t_{i,j}$ during $T_t$. Specifically, $DPP^t_{i,j}$ consists of the pairwise-key-encrypted sensed data items and the OPE-encrypted scores ("OPE" is short for "order-preserving encryption" [35]) as well as some proof information generated by $S_i$ at $Loc^t_{i,j}$ during $T_t$.
More specific contents of $DPP^t_{i,j}$ will be described in Algorithm 1 in Section 4.

Security Model.
In FMSCSs, fog nodes and the cloud servers are assumed to be untrusted, while most of the mobile sensor nodes and TA are trustworthy. We assume that the untrusted fog nodes and cloud servers are not only curious but also malicious. Specifically, a curious fog node or cloud server will try to disclose the sensed data items as well as the data scores computed based on the public scoring function, and a malicious fog node or cloud server will do its best to undermine the completeness of the results of the fine-grained spatial-temporal Top-k queries. To execute a malicious attack, an untrusted fog node may put none or only part of the qualified top k data items into the Top-k query result, and it may also put some fabricated data items and/or the unqualified-but-real ones into the query result when processing a spatial-temporal Top-k query. For example, suppose the complete query result should be $\{D^t_1, D^t_2, D^t_3\}$. Then, an incomplete query result may be D t where $D^t_4$ is a real but unqualified sensed data item and $D^t_{fabricated}$ is a fabricated data item. An untrusted cloud server may also make some wrong deletions or replacements to undermine the integrity of the query results before it transmits the query results to end users. In our security model, the privacy of the sensed data items, which are generated by the mobile sensor nodes in FMSCSs, and their corresponding scores should be protected. Other information, such as the spatial-temporal Top-k query and the generation locations of the sensed data items, will be leaked to fog nodes. It is hard to enable fog nodes to process spatial-temporal Top-k query smoothly and successfully without such leaks. Fortunately, the leaked information brings little threat to the safety of the systems. Moreover, we assume each mobile sensor node is equipped with tamper-proof hardware, with the help of which the adversaries cannot disclose the encryption materials stored in the hardware even if they capture the sensor nodes [24].

Table 1 (Notations / Meanings): $S_i$: The sensor node whose ID is

Problem Statement and Design Goal.
Under the system and the security models described above, the problem tackled in this paper can be presented as follows: how to make the end users in FMSCSs obtain the query results of the fine-grained spatial-temporal Top-k queries launched by them without disclosing the sensor data items and their corresponding scores to the fog nodes and the cloud servers and verify the completeness of the corresponding query result correctly and efficiently. Our design goal is to propose a novel scheme that enables efficient privacy-preservation and integrity-verifiable query processing for fine-grained spatial-temporal Top-k query in FMSCSs. Specifically, the following three objectives should be achieved:
(i) The privacy preservation goal: our proposed scheme should preserve the privacy of the sensed data items and their scores collected from the mobile sensor nodes.
(ii) The integrity verification goal: our proposed scheme should enable end users to verify the completeness of spatial-temporal Top-k query results, no matter what attacking means introduced in the security model are adopted.
(iii) The efficiency goal: our proposed scheme should be effective in communication and computation. It should greatly decrease the additional communication cost of the sensor nodes, since the sensor nodes are energy-limited. Here, the additional communication cost mainly refers to the cost of transmitting the proof data that are used to verify the completeness of the query results.

Our Scheme STQ-SCS
This section presents our scheme STQ-SCS. We first make a high-level description of the scheme as follows. At first, each MWSNO obtains the secret keys from TA and preloads the keys to its own MWSN. Then, using the secret keys, each sensor node encrypts its own sensed data items and the scores, and uploads the encrypted data items and their scores to the corresponding fog node. If an end user wants to retrieve the query result of a fine-grained spatial-temporal Top-k query, it sends the query to the cloud server or to the fog node directly if it is near the fog node of the target MWSN. If a cloud server receives the query, it first determines which fog node should be the target node of the query, and then sends the query to the target fog node. If the target fog node receives the query, it will work out all the qualified Top-k data items, put them into the query result packet, and send them to the cloud server or to the end user directly if the query is received by the fog node from the end user. If a cloud server receives the query result from the fog node, it will transmit the query result to the end user who is the launcher of the query.
As a whole, STQ-SCS can be mainly divided into five parts: (1) secret key distribution; (2) virtual-location construction; (3) secure data preprocessing; (4) secure spatial-temporal Top-k query processing; (5) completeness verification of the query results. In the following sections, the five parts of STQ-SCS are described in great detail.
; all the sensed data items generated by $S_i$ in $T_t$; the pairwise key $Key_i$; the master key used for OPE; Require: $RT^t_{S_i}$; (1) Compute the score of each sensed data item using the public scoring function; Sort the sensed data items generated by $S_i$ at $Loc^t_{i,j}$ in $T_t$ according to their scores;

Secret Key Distribution.
In STQ-SCS, all secret keys used in FMSCSs are distributed by TA. To obtain the secret keys, each MWSNO sends a key-request message, which contains its own public key, the ID of its own MWSN, the IDs of the mobile sensor nodes in the MWSN, and some authentication information, to TA. After authenticating the identity of the MWSNO using some existing authentication method such as UAP-BCIoT [36], TA knows whether the MWSNO has the authority to obtain the secret keys or not. If TA determines to send the keys to the MWSNO, TA distributes a master key for the MWSN and a pairwise key for each mobile sensor node in the MWSN, encrypts them using the public key of the MWSNO, and then sends them to the MWSNO. The pairwise keys are generated based on the method in [34], while the master key is generated according to the scheme in [35]. In a similar way, legal end users can also obtain the keys of each mobile sensor node in any MWSN from TA.
In our scheme, two encryption methods are leveraged to encrypt the sensed data items and their scores: one is the latest order-preserving encryption (OPE) scheme [35] and the other one is the pairwise-key-based encryption [34]. The former is used to encrypt the scores of the sensed data items using the master keys, while the latter is used to encrypt the sensed data items and the proof data, such as the target locations of the sensor nodes and the ranking orders of the sensed data items, using the pairwise keys. Section 4.3 will describe this in detail.

Construction of the Virtual Grids.
In STQ-SCS, the sensor deployment field is divided into many virtual grids. Each virtual grid should be as small as possible so that the central location of the grid can be approximately taken as the location of every point in the grid in real applications. Then, we design an ID distribution law for the virtual grids. Based on the law, the real locations of each mobile sensor node can be worked out easily if the IDs of the virtual grids where it has moved to are known.
Specifically, the ID distribution law is described as follows. Suppose the FMSCSs-deployed field is an $L \times L$ square. STQ-SCS divides the square into $\eta = (L/\zeta)^2$ small virtual grids, where $\zeta$ is a small number that divides the length $L$ with no remainder. Clearly, the smaller $\zeta$ is, the larger $\eta$ is. Then, each virtual grid is given an ID, which is a sequence number ranging from 1 to $\eta$. The virtual grids in the first row at the upper side of the square are given the IDs $1, 2, 3, \ldots, L/\zeta - 1$, and $L/\zeta$, respectively, from left to right in order; the IDs $L/\zeta + 1, L/\zeta + 2, \ldots, 2(L/\zeta) - 1$, and $2(L/\zeta)$ are assigned to those in the second row in order; ...; those in the last row have the IDs $\eta - L/\zeta + 1, \eta - L/\zeta + 2, \ldots, \eta - 1$, and $\eta$, respectively.
Using such an ID distribution law, each sensor node first works out the IDs of the virtual grid where it has moved to, and then takes the IDs as the coordinate values of its target locations.
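The ID distribution law above, worked through in Python as an added example (not code from the paper). It assumes the coordinate origin is the upper-left corner of the field with y growing downward, that a point on the right or bottom edge belongs to the last grid, and that a queried region is a rectangle matched against grid centres; the function names and the values L = 100, ζ = 10 are illustrative.

```python
def _grids_per_row(L, zeta):
    """Number of virtual grids in one row, L / zeta."""
    if zeta <= 0 or L % zeta:
        raise ValueError("zeta must divide L with no remainder")
    return L // zeta


def grid_id(x, y, L, zeta):
    """ID (1..eta) of the virtual grid that contains the point (x, y)."""
    per_row = _grids_per_row(L, zeta)
    if not (0 <= x <= L and 0 <= y <= L):
        raise ValueError("point lies outside the deployment field")
    # Points exactly on the right/bottom border are assigned to the last grid.
    col = min(int(x // zeta), per_row - 1)
    row = min(int(y // zeta), per_row - 1)
    return row * per_row + col + 1          # row-major numbering from 1


def grid_center(gid, L, zeta):
    """Centre of grid gid, taken as the location of every point in that grid."""
    per_row = _grids_per_row(L, zeta)
    if not 1 <= gid <= per_row ** 2:
        raise ValueError("grid ID out of range")
    row, col = divmod(gid - 1, per_row)
    return (col * zeta + zeta / 2, row * zeta + zeta / 2)


def queried_ids(region, L, zeta):
    """IDs of the grids whose centre lies in the rectangle (x0, y0, x1, y1)."""
    x0, y0, x1, y1 = region
    eta = _grids_per_row(L, zeta) ** 2
    hits = []
    for gid in range(1, eta + 1):
        cx, cy = grid_center(gid, L, zeta)
        if x0 <= cx <= x1 and y0 <= cy <= y1:
            hits.append(gid)
    return hits


if __name__ == "__main__":
    L, ZETA = 100, 10                       # constructed sample field: eta = 100
    print(grid_id(35, 27, L, ZETA))         # sensor stops at (35, 27)
    print(grid_center(24, L, ZETA))         # location recovered from the ID alone
    print(queried_ids((20, 20, 50, 40), L, ZETA))
```

A sensor node therefore only needs to report one integer per target location, and the user can test membership in the queried region from the ID alone.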

Secure Data Preprocessing.
This section describes how each sensor node generates its data report, which will be uploaded to the corresponding fog node at the end of each epoch, based on its own sensed data items under the privacy-and-integrity preservation requirements. Specifically, for any sensor node $S_i$ ($0 < i \le N$), the procedure of data report generation in STQ-SCS is shown in Algorithm 1.
In the protocol, $S_i$ first computes the score of each sensed data item generated by itself based on the public scoring function; then, it works out $DPP^t_{i,j}$ ($0 < j \le \lambda^t_i$) for each of the target locations which it has moved to during epoch $T_t$. To do this, three cases are considered: is a symmetric encrypting operation with $Key_i$ based on [34]; if $\mu^t_{i,j} = 1$, $DPP^t_{i,j}$ should contain $E_{Key_i}\{0, Loc^t_{i,j}\}$ to indicate that only one sensed data item was generated by $S_i$ at $Loc^t_{i,j}$ in epoch $T_t$, and it also needs to include both the pairwise-key-encrypted score and the OPE-encrypted score of the only data item. The former will be used as part of the proof information for integrity verification, and the latter will be used by fog nodes to process spatial-temporal Top-k query smoothly. The only sensed data item should also be encoded using the pairwise key and included in $DPP^t_{i,j}$. If $\mu^t_{i,j} > 1$, the contents of $DPP^t_{i,j}$ are a little more complex. Specifically, it contains not only the OPE-encrypted scores and the pairwise-key-encrypted data items and scores but also the chaining relationships of the ranked sensed data items. The chaining relationships, which are used to prevent the adversaries from destroying the integrity of the Top-k query results by dropping part of the qualified Top-k data items, are achieved by encrypting each sensed data item together with its ranking order number, which is called the sequence number in the rest of this paper, using the pairwise key $Key_i$. Moreover, each sensed data item is bound together with its corresponding target location to further strengthen the integrity preservation of the Top-k query results. The final output $RT^t_{S_i}$ in Algorithm 1 is the very data report which will be uploaded to the corresponding fog node of $S_i$.

Secure Spatial-Temporal Top-k Query Processing.
This section presents how a fine-grained spatial-temporal Top-k query is processed in FMSCSs in our proposed scheme STQ-SCS. When a cloud server receives a fine-grained spatial-temporal Top-k query from an end user, it first finds out the destination of the query according to the mapping relationships between the MWSN IDs and the fog nodes (information about the mapping relationships is assumed to be stored in the cloud server). Then, the cloud server sends the query to the target fog node. When the target fog node receives the query, it processes the query according to Algorithm 2. After that, it sends the processing result back to the cloud server. If the query is sent from an end user, the fog node will send the query result back to the end user directly.
In Algorithm 2, the fog node first processes every data report uploaded by the sensor nodes in MWSN $I_{MWSN}$ and then packs all the processing results of the data reports collected in the queried MWSN to form the final query result of the spatial-temporal Top-k query. Specifically, lines 1-9 aim to find out the number of locations that fall in $QR_{I_{MWSN}}$ of each sensor node in MWSN $I_{MWSN}$ and the corresponding Data-proof Packets generated at those locations; from lines 12 to 42, there is a big "for" loop, which is used to process every report generated in MWSN $I_{MWSN}$ in $T_t$. Line 14 shows the processing result of $RT^t_{S_i}$ considering the case that no target location of $S_i$ falls in $QR_{I_{MWSN}}$ in $T_t$; lines 16-39 describe the procedure of processing $RT^t_{S_i}$ considering the case that there is at least one location of $S_i$ that falls in $QR_{I_{MWSN}}$ in $T_t$. In the latter case, all the Data-proof Packets that correspond to the target locations located in $QR_{I_{MWSN}}$ are processed based on the exact values of $\mu^t_{i,x_j}$ and/or $n^t_{i,x_j}$, where $\mu^t_{i,x_j}$ and $n^t_{i,x_j}$ denote the total data number and the qualified data number, respectively, corresponding to the location $Loc^t_{i,x_j}$, which is supposed to be in the queried region $QR_{I_{MWSN}}$.
During the procedure of processing the Data-proof Packets, the OPE-encrypted items are all removed from the original Data-proof Packets since the only use of them is to make fog nodes find out the qualified Top-k data items encrypted with the pairwise keys. Moreover, all the unqualified data items except for the one which follows the last qualified Top-k data item in each Data-proof Packet are also removed from each original Data-proof Packet, and the reserved one will be used for completeness verification of the spatial-temporal Top-k query results.

end if
(8) end for
(9) end for
(10) Find out the pairwise-key-encrypted qualified Top-k data items among all the pairwise-key-encrypted data items in set $\Theta$ according to their corresponding OPE-encrypted scores;
(11) Calculate $n^t_{i,j}$ for each $i \in [1, N]$ and $j \in [1, \lambda^t_i]$;
(12) for i = 1 to N do
(13) if n[i] = 0 then
(14) Set
ALGORITHM 2: Secure spatial-temporal Top-k query processing on the target fog node.

Completeness Verification of the Query Results.
e procedure for an end user to verify the completeness of the Top-k query result R t is presented in Algorithm 3, the output of which is the value of the Boolean variable completeness. If completeness is false, R t is considered as incomplete; otherwise, R t is complete and the final R tpk in Algorithm 3 is composed of all the qualified Top-k data items corresponding to the fine-grained spatial-temporal Top-k query Q t . e main idea of Algorithm 3 to verify the completeness of R t is to find out the minimal data score of the qualified Top-k data items and the maximal score of the unqualified ones generated in the queried region from R t , and compare them with each other. Normally, the former should be bigger than the latter if the query aims to find out the biggest top k data items. If this condition does not hold in R t , R t is considered incomplete. However, it is not correct yet to declare that R t is complete even if such a condition holds in R t . Before doing such a comparison, it is necessary to check whether each sensor report was processed properly by the compromised fog node (lines 2-53 in Algorithm 3) based on the proof information included in R t . To achieve this, each Data − proofPacket in R t should be checked. When checking the Data − proofPackets, three cases need to be considered, namely, c t i,x j � 0 (lines [16][17][18][19][20][21][22][23][24][25], c t i,x j � 1 (lines [26][27][28][29][30][31][32], and c t i,x j > 1 (lines 33-51). If c t i,x j � 0, either S i did not generate any data items at Loc t i,x j in T t or no data item generated by S i at Loc t i,x j in T t is the qualified Top-k data item. us, in such a case, either i,x j should be a qualified Top-k data item according to lines 24-26 in Algorithm 2. 
If c t i,x j > 1, according to lines 27-38 in Algorithm 2, the fog node must have performed some illegal query-processing operations if any of the following cases happens (lines 33-35 in Algorithm 3): (a) n t i,x j is not included in DPP t i,x j in R t ; (b) no sensed data item in DPP t i,x j is encrypted with a sequence number; (c) the sequence numbers encrypted in DPP t i,x j are not sorted in ascending order from 1; (d) any sensed data item encrypted in DPP t i,x j is not originally encrypted with Loc t i,x j ; and (e) E Key i μ t i,x j , Loc t i,x j is not originally included in DPP t i,x j . Moreover, in the case that c t i,x j > 1, c t i,x j should be equal to either n t i,x j or n t i,x j + 1 according to lines 27-38 in Algorithm 2, where n t i,x j is included in R t . Thus, in lines 36-50 in Algorithm 3, these two cases are considered, respectively, to check the integrity of R t .
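An added example, not the paper's Algorithm 3: it models each Data-proofPacket after decryption as a dict and applies the sequence-number, location-binding, count and min/max score checks described above. The field names (items, n, mu, loc), the function name and the sample scores are assumptions constructed here.

```python
# Added example: end-user completeness check over decrypted Data-proofPackets.
# Assumption: entries were decrypted with the pairwise key, so an untrusted
# fog node can drop or move entries but cannot forge them.

def verify_completeness(packets, k):
    """Return True only if the Top-k result passes every check."""
    top, non_top = [], []
    for p in packets:
        items, n, mu, loc = p["items"], p["n"], p["mu"], p["loc"]
        c = len(items)
        # Sequence numbers must ascend from 1 with no holes.
        if [seq for seq, _, _ in items] != list(range(1, c + 1)):
            return False
        # Every item must be bound to this packet's location.
        if any(item_loc != loc for _, _, item_loc in items):
            return False
        if n < 0 or c not in (n, n + 1):
            return False
        if c == n:
            # No boundary item present: legal only if the sensor generated
            # exactly c items at this location (mu is key-protected).
            if c != mu:
                return False
        else:
            # The item after the last qualified one is the boundary proof.
            non_top.append(items[-1][1])
        top.extend(score for _, score, _ in items[:n])
    if k < 1 or len(top) != k:
        return False
    # Scores are assumed distinct, as in the page's proof.
    return not non_top or min(top) > max(non_top)

# Constructed sample: sensor A produced 90, 70, 20 at L1; sensor B produced
# 80, 10 at L2. The true Top-3 is {90, 80, 70}.
HONEST = [
    {"loc": "L1", "mu": 3, "n": 2,
     "items": [(1, 90, "L1"), (2, 70, "L1"), (3, 20, "L1")]},
    {"loc": "L2", "mu": 2, "n": 1,
     "items": [(1, 80, "L2"), (2, 10, "L2")]},
]
# Fog node hides 70 by presenting it as A's boundary and promoting B's 10.
DEMOTED = [
    {"loc": "L1", "mu": 3, "n": 1, "items": [(1, 90, "L1"), (2, 70, "L1")]},
    {"loc": "L2", "mu": 2, "n": 2, "items": [(1, 80, "L2"), (2, 10, "L2")]},
]
# Fog node deletes the middle item, leaving a hole in the sequence numbers.
HOLE = [
    {"loc": "L1", "mu": 3, "n": 1, "items": [(1, 90, "L1"), (3, 20, "L1")]},
    HONEST[1],
]
# Fog node truncates A's packet and claims it is whole; mu exposes it.
TRUNCATED = [
    {"loc": "L1", "mu": 3, "n": 1, "items": [(1, 90, "L1")]},
    {"loc": "L2", "mu": 2, "n": 2, "items": [(1, 80, "L2"), (2, 10, "L2")]},
]

if __name__ == "__main__":
    for name in ("HONEST", "DEMOTED", "HOLE", "TRUNCATED"):
        print(name, verify_completeness(globals()[name], 3))
```

Only the honest result is accepted; the demoted case is caught by the final score comparison, the other two by the per-packet structural checks.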

Analysis of STQ-SCS on Privacy Preservation
Theorem 1. Our scheme STQ-SCS is able to preserve the privacy of both the sensed data items and their scores for fine-grained spatial-temporal Top-k query in FMSCSs under the security model presented in this paper.
Proof. According to Algorithm 1, before being uploaded to fog nodes, all sensed data items are encrypted with the pairwise keys and all the data scores are encrypted with the master keys [35] by the sensor nodes in FMSCSs. Meanwhile, all the encryption keys should only be obtained from TA after authentication according to the key-distribution method used in STQ-SCS, and the fog nodes and the cloud servers are not able to obtain the keys and thus cannot disclose the values of the sensed data items and their scores. Since the cloud servers and the fog nodes are assumed to be curious and/or malicious while other parties in FMSCSs are assumed to be trustworthy in our security model, the privacy of the sensed data items and their scores can be preserved for fine-grained spatial-temporal Top-k query in FMSCSs using our scheme STQ-SCS.

Analysis of STQ-SCS on Completeness Verification
where there are n t i,j (0 < n t i,j ≤ k) qualified Top-k data items. If at least one of those qualified Top-k data items is dropped from DPP t i,j (∀i ∈ [1, N], ∀j ∈ [1, λ t i ]) in the query result R t of Q t = {I Q t , T t , k, I MWSN , QR I |MWSN| } by the fog node or the cloud server which generates and/or transmits R t , the incomplete R t must be detected by end users with a 100% successful rate based on our scheme STQ-SCS.
Proof. Since the fog node or the cloud server does not know Key i , if it inserts the sensed data items that are encrypted with some other keys rather than Key i , the incomplete R t must be detected by the end user according to lines 6-9 in Algorithm 3. Moreover, according to lines 33-35 in Algorithm 3, R t must also be considered incomplete if the fog node or the cloud server puts any encrypted data item, which was generated by S i in T t at some location other than Loc t i,j , into DPP t i,j . Thus, in the remainder of this proof, we need only consider the situation that all the encrypted sensed data items left in DPP t i,j after being processed by the fog node are the real ones which were generated by S i (∀i ∈ [1, N]) at Loc t i,j in T t (but some or all of them may not be the qualified ones). Then, if at least one qualified sensed data item generated by S i at Loc t i,j in T t is discarded by the fog node or the cloud server, one of the following two cases must appear: (1) the fog node or the cloud server has dropped all the sensed data items from DPP t i,j when producing or transmitting R t and (2) the fog node or the cloud server has just discarded only a part of the sensed data items from DPP t i,j , and the discarded data items contain some qualified one/ones.

Algorithm 3 (excerpt):
     (RST t S i contains no pairwise-key-encrypted target locations) then
(4)      Set Completeness = false; return Completeness;
(5)  end if
(6)  Decrypt all the ciphertext in RST t S i with Key i ;
(7)  if the end user cannot decrypt the ciphertext normally then
(8)      Completeness = false; return Completeness;
(9)  end if
(10) Calculate the value of Ω i which is the total number of the queried locations in RST t S i ;
(11) for j = 1 to Ω i do
(12)     if DPP t i,x j is not originally in RST t S i (DPP t i,x j is a Data-proof Packet corresponding to Loc t i,x j which is in QR I MWSN ) then
(13)         Completeness = false; return Completeness;
(14)     end if
(15)     Calculate the value of c t i,x j which is the total number of the sensed data items in DPP t i,
             Continue;
             Continue;
(22)         else
(23)             Completeness = false; return Completeness;
(24)         end if
(25)     end if
(26)     if
(28)             Completeness = false; return Completeness;
(29)         end if
(30)         R tpk = R tpk ∪ D t i,x j ,1 ; Continue;
(32)     end if
(33)     if (n t i,x j is not included in DPP t i,x j in R t ) ‖ (no sensed data item in DPP t i,x j is encrypted with a sequence number) ‖ (the sequence numbers encrypted in DPP t i,x j are not sorted in ascending order from 1) ‖ (any sensed data item encrypted in DPP t i,x j is not originally encrypted with Loc t i,x j ) ‖ (E Key i μ t i,x j , Loc t i,x j is not originally included in DPP t i,x j ) then
(34)         Completeness = false; return Completeness;
(35)     end if
(36)     if n t i,x j = c t i,x j then
(37)         if c t i,x j ≠ μ t i,x j then
(38)             Completeness = false; return Completeness;
(39)         else
First of all, consider the case that the fog node or the cloud server has deleted all the sensed data items from DPP t i,j . In this case, the fog node or the cloud server should leave E Key i d t i,j,1 , Loc t i,j in DPP t i,j in RST t S i of R t to avoid being detected according to lines 16-25 in Algorithm 3 because it cannot generate the legal encryption item E Key i 0, Loc t i,j . Then, d t i,j,1 should be put into V nonTop according to lines 17-18 in Algorithm 3, and some real but unqualified sensed data items generated in QR I MWSN and T t must be put into R tpk to make the number of the elements in R tpk equal to k according to lines 53-55 in Algorithm 3. If the discarded sensed data items contain some qualified one/ones, d t i,j,1 must be the score of a qualified Top-k data item. Then, f(MIN(R tpk )) must be smaller than MAX(V nonTop ) because the score of any qualified Top-k data item must be bigger than that of any real but unqualified one generated in QR I MWSN and T t , assuming all data scores are distinct. Thus, according to lines 56-58 in Algorithm 3, the incomplete R t must be detected by the end user.
Then, consider the case that the fog node or the cloud server has just deleted a part of the sensed data items from DPP t i,j , and the deleted data items contain some qualified one/ones. In this case, two situations should be discussed. One is that all the sensed data items encrypted with sequence numbers are deleted from DPP t i,j , while the other is that at least one sensed data item encrypted with a sequence number is left in DPP t i,j after being processed. In the first situation, E Key i D t i,j,μ t i,j , Loc t i,j must be left in DPP t i,j after being processed, and there must be DPP t i, in this situation and E Key i 1, Loc t i,j must not be included in DPP t i,j . According to lines 26-29 in Algorithm 3, the incomplete R t must be detected by the end user. Then, consider the second situation. To make the sequence numbers encrypted with the sensed data items in DPP t i,j in RST t S i of R t ascend in order from 1 (lines 33-35 in Algorithm 3), the fog node or the cloud server must delete all the sensed data items in one of the sets Φ 1 , Φ 2 , Φ 3 , Φ 4 , and Φ 5 from DPP t i,j . The five sets are shown in equation (2), where 1 < w < μ t i,j − 1.
If the fog node or the cloud server discards the sensed data items/item in set Φ 1 or Φ 2 from DPP t i,j when processing , Loc t i,j and E Key i 1, D t i,j,1 , Loc t i,j must be left in DPP t i,j after being processed, which means that c t i,j is bigger than 1. According to lines 36-50 in Algorithm 3, the fog node has to set n t i,j to either c t i,j or c t i,j − 1 in DPP t i,j in RST t S i of R t to prevent the incomplete R t from being detected. Even so, the incomplete R t must also be detected by the end user according to lines 36-38 and 42-45 in Algorithm 3 because c t i,j must not be equal to μ t i,j in this case and E Key i D t If the fog node or the cloud server deletes the sensed data items/item in set must be f(MIN(R tpk )) < MAX(V nonTop ), and the incomplete R t must be detected by the end user according to lines 56-58 in Algorithm 3. Thus, if the fog node drops at least one qualified sensed data item from DPP t i,j , the end user in FMSCSs is able to detect the incomplete R t with a successful rate of 100% based on STQ-SCS, and Theorem 2 holds. □

Theorem 3. Under the security model presented in this paper, any end user in FMSCSs can detect the incomplete query results of fine-grained spatial-temporal Top-k queries with a 100% successful rate based on our scheme STQ-SCS.
Proof. According to the security model, untrusted parties (the fog nodes and the cloud servers) cannot fabricate the pairwise-key-encrypted sensed data items, which cannot be detected by end users, because the untrusted parties cannot obtain the legal pairwise keys. Thus, for any fine-grained spatial-temporal Top-k query Q t , if its query result R t is incomplete, at least one qualified sensed data item must be discarded by the fog node or the cloud server when producing and/or transmitting R t . In other words, there must be at least one queried sensor node S i (∀i ∈ [1, N]) whose corresponding Data-proofPacket DPP t i,j at location Loc t i,j (∀j ∈ [1, λ t i ]) satisfies the following condition: at least one qualified sensed data item was deleted from DPP t i,j by the fog node or the cloud server when producing and/or transmitting R t . Then, according to Theorem 2, the incomplete R t must be detected by the end user in FMSCSs based on our scheme STQ-SCS. Thus, Theorem 3 holds. □

Computation Complexity Analysis
This section analyzes the computation complexity of the three schemes presented above.
Firstly, the computation complexity of Algorithm 1 is analyzed as follows. Since most of the statements in Algorithm 1 form the body of its "for" loops, the computation complexity of Algorithm 1 is the number of loop iterations multiplied by the computation complexity of the loop body. In the loop body, there are only three conditional statements. Thus, the computation complexity of the loop body depends on the pairwise-key encryption methods used in STQ-SCS and the total length of the data that need to be encrypted as well as the computation complexity of OPE. Although different pairwise-key cryptography methods, such as [34,37], may have different computation complexities, they are generally considered lightweight and fit for the resource-limited sensor nodes [38,39], let alone the fog nodes, which are much more powerful than the sensor nodes. Moreover, OPE also has low computation complexity according to [35]. For each DPP t i,j (0 < i ≤ N, 0 < j ≤ μ t i,j ), the length of the data that need to be encrypted varies according to μ t i,j , which symbolizes the total number of the sensed data items generated by S i at Loc t i,j in T t . Let l D and l d denote the bit length of a sensed data item and that of a data score, respectively, l n symbolizes not only the bit length of a sequence number but also that of μ t i,j , l Loc refers to the bit length of a virtual location, and l OPE i,j and l PW i,j denote the bit length of the data that need to be encrypted using OPE and that of those encoded adopting the pairwise-key encryption method, respectively, in DPP t i,j . Then, the values of l OPE i,j and l PW i,j can be worked out using equations (3) and (4), respectively, according to Algorithm 1.
Secondly, pay attention to Algorithm 2. The computation complexity of lines 1-9 is O(∑_{i=1}^{N} λ t i ); the computation complexity of line 10 depends on the adopted sorting algorithm and the total number of sensed data items generated in T t and QR I MWSN ; that of line 11
Finally, it is the turn of Algorithm 3, which mainly consists of one outer "for" loop whose loop body contains an inner "for" loop. In the loop body of the outer loop, the computation complexity of line 6 is the highest among all the statements that are in the loop body of the outer loop and out of the inner loop. If decrypting one encryption item E Key i { * } is taken as one operation, the operation number of line 6

Performance Evaluation
In this section, we evaluate the performance of our proposed scheme STQ-SCS through extensive simulations using OMNeT++ as the simulation tool.

Metrics and Experimental Setup.
The performance of STQ-SCS on energy efficiency is evaluated mainly by testing the additional communication cost brought by transmitting the proof data, because other data such as the sensed data items always need to be transmitted no matter what kind of method is used to ensure the security of the query. Specifically, the metrics used in our simulations are listed as follows.
(ii) Proof-data ratio (R vs ): the ratio of C MWSN to C reports .
Here, C reports refers to the total energy consumed by transmitting all the reports generated in an MWSN and an epoch to the fog node connecting to the MWSN, where the data reports include both the sensed data items and the proof data generated by all the sensor nodes in the MWSN and the epoch. The parameters used in our simulation and their default values are shown in Table 2, where the default values of some parameters are set by referencing [19]. In fact, static sensor nodes are also allowed to exist in FMSCSs. In the simulation, we adjust the ratio of the mobile sensor nodes to the total ones in the systems by changing the value of r mobile .

Simulation Results.
This section presents the simulation results of C MWSN and R vs with different settings of r D , N, and r mobile , respectively. We compare our scheme with VTMSN [29] and SSSTQ1 [32] in this section. VTMSN, which was proposed in 2015, is the earliest work on securing spatial-temporal Top-k query in FMSCSs, while SSSTQ1 can be considered as the state-of-the-art scheme proposed for securing spatial-temporal Top-k query in FMSCSs. Figure 3 shows the simulation results of C MWSN under different settings of r D , N, and r mobile , and Figure 4 illustrates the simulation results of R vs with different settings of r D , N, and r mobile , respectively. From Figure 3, we can see that the C MWSN lines of STQ-SCS are all lower than those of VTMSN and SSSTQ1. This indicates that our proposed scheme STQ-SCS is more energy-efficient than the other two schemes. The C MWSN lines in Figures 3(a) and 3(b) are on an upward trend because the quantity of sensed data items rises as r D or N becomes larger, which causes the increase of the proof data, while those in Figure 3(c) are on a downward trend as r mobile rises from 0 to 1 because the sensor nodes are assumed to generate sensed data items only when they are static or arrive at their target locations, so the quantity of the sensed data items and the corresponding proof data must decrease when more sensor nodes are set to be mobile. Thanks to the technology of virtual-location construction proposed in this paper, fewer bits of location information are included in the proof data in STQ-SCS than in the other two schemes, which decreases the ratio of the proof data to the whole data including both sensed data items and their proof. From Figure 4, we can see that the values of R vs of STQ-SCS are all under 12%, which is within the acceptable range in real applications and also lower than those of the other two schemes.

Conclusions
This paper presents a privacy-preservation and integrity-verification scheme named STQ-SCS for fine-grained spatial-temporal Top-k query in FMSCSs. Thorough security analysis shows that STQ-SCS can make the end users in FMSCSs obtain the query results of fine-grained spatial-temporal Top-k queries without disclosing the privacy of both the sensed data items and their scores, considering that the fog nodes and the cloud servers are not trustworthy. Meanwhile, the security analysis also shows that, under the security model described in this paper, the end users in FMSCSs can detect the incomplete Top-k query results with a 100% successful rate based on our scheme STQ-SCS. Simulation results demonstrate that STQ-SCS is much more efficient than the related state-of-the-art schemes, and can be well used in FMSCSs in real applications.

Data Availability
The data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest
The authors declare that they have no conflicts of interest.

Authors' Contributions
Jie Min conceptualized the study and wrote the original draft of the manuscript and was responsible for methodology; Junbin Liang investigated the study; Xingpo Ma performed simulation; Xingpo Ma and Hongling Chen reviewed and edited the manuscript; Xingpo Ma was involved in project administration and supervision; Hongling Chen performed formal analysis.