Lightweight Anonymous Authentication and Key Agreement Protocol for a Smart Grid

Abstract

The smart grid (SG) is an efficient and reliable framework capable of controlling computers, automation, new technologies, and devices. Advanced metering infrastructure (AMI) is a crucial part of the SG, facilitating two-way communication between users and service providers (SPs). Computation, storage, and communication are extremely limited as the AMI’s device is typically deployed outdoors and connected to an open network. Therefore, an authentication and key agreement protocol is necessary to ensure the security and confidentiality of communications. Existing research still does not meet the anonymity, perfect forward secrecy, and resource-limited requirements of the SG environment. To address this issue, we advance a lightweight authentication and key agreement scheme based on elliptic curve cryptography (ECC). The security of the proposed protocol is rigorously proven under the random oracle model (ROM), and was verified by a ProVerif tool. Additionally, performance comparisons validate that the proposed protocol provides enhanced security features at the lowest computation and communication costs.

1. Introduction

With the advancement in information, communication, and electronic technologies, traditional power grids are gradually being replaced by smart grids (SGs) [1]. The SG is a kind of power grid system that uses modern information technology, communication technology, and automation technology to upgrade the power system intelligently [2]. It not only realizes the efficient transmission and distribution of power, but also has real-time monitoring, two-way communication, and automatic adjustment functions, making the power grid more reliable, stable, and flexible [3]. By integrating advanced sensors, smart metering devices, and automated control systems, smart grids are able to obtain various data on grid operation in a timely manner, and optimize the distribution and use of power resources by analyzing these data. At the same time, the smart grid can also effectively support the access of renewable energy sources (e.g., wind and solar energy), improve the efficiency of energy utilization, and reduce the impact on the environment [4]. The SG enables users to optimize their energy usage through the communication network. In case of emergencies or price increases, load demand can be controlled to enable users to minimize or maximize the use of electricity [5].

The advanced metering infrastructure (AMI) is an integral part of the SG, and the structure is shown in Figure 1. The AMI serves as the foundational information system for the SG, functioning as an open bi-directional communication system for measures, collections, storage, and analysis of energy utilization data. This system primarily consists of smart meters (SMs), gateways, and service providers (SPs). Generally, SMs are embedded programmable bidirectional units capable of measuring electricity usage and providing time-based pricing and usage data for consumers and utility providers. Additionally, they are capable of executing control commands from SPs [6]. Typically, SMs are installed outside homes where they can be accessed. Their data of communication contain the personal information of consumers and power consumption or statistical data, enabling adversaries to analyze and predict consumers’ daily lives [7]. Furthermore, data transmitted between the SM and SP over open channels may be susceptible to eavesdropping, interception, modification, and malicious exploitation. Authentication and key agreement (AKA) protocol protects against a wide range of threats and ensures secure communication between users and the SG infrastructure.

In AKA protocol, entities can achieve secure communication over a public channel by authenticating each other and negotiating a common session key. The main task of AKA protocol is to ensure the security and efficiency of communication. Most importantly, it aims to achieve a broader range of security objectives. Communication messages in SGs contain sensitive and private information, and the transmission process of the information must ensure its confidentiality and integrity [8]. Moreover, the SG includes numerous resource-constrained devices, so the computation and communication costs directly determine the efficiency of the protocol. Devices with low efficiency cannot be deployed in realistic environments [9].

The AKA process is vulnerable to many potential cyber threats and attacks, such as man-in-the-middle attacks, replay attacks, identity theft attacks, and denial of service attacks [10]. To address these challenges, researchers have made significant efforts: multi-factor authentication [11] effectively reduces unauthorized access and potential security threats. Physical unclonable function (PUF) technology [12] provides a unique and secure method of key generation and device authentication. Quantum cryptography [13] has also demonstrated significant advantages in eavesdropping detection and key distribution. Despite the significant efforts made by researchers, various shortcomings still exist [14]. Therefore, designing schemes for a SG with a higher performance and more secure and efficient data transmission is extremely challenging and attractive [15].

2. Related Work

In recent years, researchers have proposed numerous AKA protocols for the SG. In 2020, Khan et al. [16] proposed a password-based anonymous lightweight key agreement framework, claiming to offer strong anonymity, untraceability, data confidentiality, perfect forward secrecy, and mutual authentication. Later, Safhani et al. [17] identified security vulnerabilities in [16], noting that attackers could extract users’ permanent identifiers and passwords, enabling them to carry out further attacks. Taqi et al. [18] also demonstrated that the protocol by Khan et al. [16] had two security vulnerabilities: no user anonymity and nonresistance to password guessing attacks. In the same year, Sureshkumar et al. [19] proposed another key establishment protocol, claiming that it enables all smart meters to authenticate with service providers and agree on a single session key. Later, Cheng et al. [20] pointed out that [19] lacked weak forward security and could not resist temporary private key leakage attacks. In 2021, Srinivas et al. [21] proposed a new identity authentication key exchange scheme based on anonymous signatures, aiming to improve security and functional features with a reduced communication and computation cost. Subsequently, Baruah et al. [22] demonstrated that the scheme proposed in [21] was susceptible to man-in-the-middle and impersonation attacks. Khan et al. [23] proposed a lightweight authentication and key negotiation protocol for smart grids, which they claimed to be effective at resisting replay attacks, impersonation attacks, man-in-the-middle attacks, and DoS attacks as well as more security functions. Later, Mehta et al. [24] pointed out that the protocol proposed by Khan et al. [23] does not satisfy user anonymity and session key security. In 2022, Yu et al. [25] designed an AKA scheme for SGs using fuzzy extractors, claiming it can withstand various security attacks and provide robust security features. However, Li et al. [26] proved that [25] was unable to resist ephemeral secret leakage attacks and could not provide untraceability. Khan et al. [27] introduced an identity authentication technique based on elliptic curve cryptography (ECC), aimed at secure SG communication using biometrics. However, it required heavy computation costs. In 2023, Wang et al. [28] proposed an authentication key agreement protocol based on ECC and bilinear pairing. However, with the inclusion of bilinear pairing, this scheme has heavy computation costs.

In summary, the existing AKA protocols for SGs have various shortcomings. For instance, some do not provide user anonymity [16,24]; others lack perfect forward secrecy [19]. Additionally, most are vulnerable to specific attacks, such as man-in-the-middle attacks, impersonation attacks, session key security attacks, ephemeral secret leakage attacks, key compromise impersonation attacks, and information leakage attacks [16,19,21,23,25]. Furthermore, performance analysis indicates that most schemes require heavy computation and communication costs [27,28], making them unsuitable for resource-constrained SG environments. The related work is summarized in

Table 1. Summary of related work.

Schemes	Problem Description	Vulnerability	Cause
[16]	A password-based anonymous lightweight key agreement framework is proposed.	Cannot provide user anonymity and cannot resist password guessing attacks.	The attacker extracted a fixed value from the messages transmitted over the open channel.
[19]	A lightweight scheme based on ECC with improved scheme [16].	Cannot resist temporary private key leakage attacks.	The final session key does not include the temporary keys of both parties.
[21]	A new identity authentication key exchange scheme based on anonymous signatures is proposed.	Cannot resist man-in-the-middle attacks and impersonation attacks.	Secret value leakage led to an attack.
[23]	A lightweight authentication and key agreement protocol for smart grids is proposed.	Does not meet user anonymity and session key security requirements.	The user ID was not dynamically transmitted.
[25]	An AKA scheme is designed based on a fuzzy extractor.	Cannot resist temporary secret leakage attacks and does not provide untraceability.	User IDs are not transmitted dynamically leading to tracing and random number leaks leading to session keys being computed.

.

To achieve user anonymity and untraceability, this paper obtains them by encrypting identities with hash values that include timestamps. Resist replay attacks by utilizing current system timestamp verification of communication messages. The dynamic changes in timestamps and the difficulty of computing random numbers are utilized to resist attacks such as man-in-the-middle attacks and temporary key leakage attacks.

Contribution: The main contributions of this paper are as follows:

1.

This paper proposes a lightweight identity authentication and key agreement scheme based on ECC. This scheme fully leverages the advantages of key exchange mechanisms, as well as the message authentication capabilities of ECC and one-way hash functions. Entity identities are transmitted anonymously between sessions and dynamically encrypted using random numbers that cannot be traced from session to session.

2.

To accommodate the growing number of devices and users, the scheme negotiates a new session key before each session for the next secret communication. It eliminates the need to interrupt service or store keys, and can ensure that the AKA scheme can adapt to an expanding SG scale by responding to changes in the network in real time.

3.

The security of the proposed protocol was rigorously proven under the random oracle model (ROM) and was verified by a ProVerif 2.05 tool. It achieves user anonymity, mutual authentication, perfect forward security, resistance to impersonation attacks, man-in-the-middle attacks, and resistance to ephemeral secret leakage attacks.

4.

The proposed scheme demonstrates significant reductions in computation and communication overheads compared to related schemes, while also providing improved security and functionality features. A comparison shows that the proposed scheme exhibits higher efficacy and robustness.

Organization: The rest of this paper is organized as follows: Section 3 provides an overview of preliminaries. Section 4 proposes an ECC-based AKA protocol. Section 5 presents the security analysis. Section 6 discusses the performance analysis. Finally, Section 7 concludes the paper.

3. Preliminaries

3.1. Communication Model

The National Institute of Standards and Technology (NIST) [29] has proposed a SG framework model that primarily consists of two components: smart meters and smart providers. The model can be simplified as shown in Figure 2. The model includes three participants: the smart meter ($S_i$), service provider (${SP}_j$), and trust anchor (TA). The TA is a sole trusted entity. The TA is required to complete $S_i$ and ${SP}_j$ registration, compute secret data for both parties to use in the subsequent authentication process, and does not participate in the $S_i$ and ${SP}_j$ authentication process. $S_i$ is deployed on the user side, collecting electricity usage information and transmitting accumulated data to ${SP}_j$. ${SP}_j$ serves as the control center for electricity data, gathering data generated by smart terminals and deciding the next steps in response to this information. After the TA sets up the system parameters, $S_i$ and ${SP}_j$ complete the registration with the help of the TA and get their own private keys and parties’ public keys. Then, after mutual identity verification, $S_i$ and ${SP}_j$ negotiate a session key for secure communication in subsequent sessions over a public channel.

3.2. Elliptic Curve Cryptography

Devices in SGs typically have limited computational and storage capabilities, and thus require a cryptographic scheme that provides high security while operating efficiently in resource-constrained environments. ECC is particularly suitable for use in SG environments due to its superior security and efficiency compared to traditional encryption algorithms.

• Efficient key generation and management

Compared to traditional public-key cryptographic algorithms like RSA, ECC can achieve the same level of security with much smaller key sizes [30]. This means that ECC requires fewer computational resources and less storage space, which reduces device power consumption and also minimizes network bandwidth usage. Moreover, the encryption operations of point addition and point multiplication in conjunction with the mathematical problem of elliptic curve encryption ensure that even if an attacker intercepts the communication message, the key cannot be deduced because it is an irreversible process.

• Enhanced authentication mechanisms

ECC supports authentication protocols that can incorporate timestamps or random numbers to effectively prevent replay attacks.

3.3. Elliptic Curve Cryptography Mathematical Problems

Given a large prime $q>3$, let $E_P(a,b)$ represent a nonsingular elliptic curve over the finite field $F_q$, with $P$ as the generator. Let $G$ be a subgroup of the order $p$, where $p>q$. Therefore, it can be applied to the elliptic curve discrete logarithm (ECDL) problem and the elliptic curve Diffie–Hellman (ECDH) problem [31]:

Definition 1. 

ECDL problem: Given points $X$, $aX$ on the elliptic curve $E_P$ where $X\in G$ and $a\in Z_q^{\ast }$, it is computationally difficult to find $a$.

Definition 2. 

ECDH problem: For the given points $aX and bX$ on the elliptic curve $E_P$, where $X\in G$ and$a,b\in Z_q^{\ast }$, it is computationally unfeasible to find $abX$.

4. Proposed Protocol

In this section, the proposed scheme is described in detail. The scheme consists of three phases: system setup, registration, and authentication and key agreement.

Table 2. Symbol description.

Symbol	Explanation
$TA$	Trust Anchor
$S_{i,} {ID}_S$	$i\mathrm{t}\mathrm{h}$ smart meter and its identity
${SP}_j, {ID}_{SP}$	$j\mathrm{t}\mathrm{h}$ service provider and its identity
$E_P(a,b)$	A non-singular elliptic curve: $y^2=x^3+a\cdot x+b\left(modp\right)$
P	The base point
$k_S/K_S$	Private/public key of $S_i$
$k_{SP}/K_{SP}$	Private/public key of ${SP}_j$
$H(\cdot )$	A cryptographic (collision-resistant) one-way hash function
${SSK}_S/{SSK}_{SP}$	The session key between $S_i$ and ${SP}_j$
$T_S, T_{SP}$	Timestamps
$△T$	Maximum transmission delay
$⨁$	Exclusive-or operation
$\parallel$	Concatenation operations
	Secure channel
	Public channel
𝒜	Adversary

presents the symbols and descriptions used in the subsequent phase descriptions. The process of the protocol is shown in Figure 3.

4.1. System Setup Phase

TA performs the following to choose the system parameters:

S1: The TA chooses a non-singular elliptic curve $E_p(a,b)$ and point $P\in E_p(a,b)$ as the base point.

S2: The TA chooses a collision-resistant one-way hash function $H(\cdot )$ and distributes the parameters {$E_P,P,H(\cdot )$} to the participating entities.

4.2. Registration Phase

This subsection describes the registration process of $S_i$ and ${SP}_j$, taking the registration of the $S_i$ as an example, as shown in Figure 4. The operations of the system setup and registration phases are described in Algorithm 1.

Algorithm 1 System setup phase and registration processes of $S_i$
#******************** System setup phase ********************#
1.	TA chooses $E_p(a,b)$, point $P\in E_p(a,b)$ and $H(\cdot )$.
2.	TA distributes {$E_P,P,H(\cdot )$}.
#******************** Registration processes of $S_i$ ********************#
3.	$S_i$ selects ${ID}_S$, generates $r_S\in Z_q^{\ast }$
4.	$S_i$ computes $R_S=r_S·P$
5.	$S_i$ submits $\{{ID}_S,R_S\}$ towards TA via secure channel.
6.	If ${ID}_S$ is valid and not in the database, then:
7.	TA generates $r_S^{ta}\in Z_q^{\ast }$
8.	TA computes $K_S=R_S+r_S^{ta}·P$
9.	TA stores $\{{ID}_S,K_S\}$
10.	TA sends $\{{ID}_{SP},K_{SP},r_S^{ta}\}$ to $S_i$
11.	Else:
12.	$S_i$ computes $k_S={(r}_S+r_S^{ta})modp$, $K_S^{\prime }=k_S\cdot P$
13.	If $K_S=K_S^{\prime }$ then:
14.	$S_i$ computes $W_{SP}=k_S·K_{SP}$
15.	$S_i$ stores $\{{ID}_S,k_S,W_{SP}\}$
16.	Else:
17.	Terminate session
18.	End if;
19.	End

R1: Firstly, $S_i$ chooses a random $r_S\in Z_q^{\ast }$ and its identifier ${ID}_S\in Z_q^{\ast }$, computes $R_S=r_S·P$. Then, $S_i$ transmits a registration request $\left\{{ID}_S,R_S\right\}$ to the TA securely.

R2: Upon receiving $S_i$’s registration request $\left\{{ID}_S,R_S\right\}$, the TA checks whether the ${ID}_S$ is valid or not. If ${ID}_S$ is invalid, the TA rejects $S_i$ registration request and asks $S_i$ to submit a new identifier. Then, the TA chooses $r_S^{ta}\in Z_q^{\ast }$ randomly to calculate the public key of $S_i$. $K_S=R_S+r_S^{ta}·P$. Next, the TA stores $\{{ID}_{SP},K_S\}$ in the database and sends $\{{ID}_{SP},K_{SP},r_S^{ta}\}$ to $S_i$ via a secure channel.

R3: Upon $S_i$ receiving the response from the TA, $S_i$ obtains its private key, $k_S=\left(r_S+r_S^{ta}\right)modp$. Then, $S_i$ checks whether $K_S?=k_S·P$, if it holds, $S_i$ computes $W_{SP}=k_S·K_{SP}$ and stores $\{{ID}_S,k_S,W_{SP}\}$.

Similarly, ${SP}_j$ stores $\{{ID}_{SP},k_{SP},W_S\}$ after registration.

4.3. Authentication and Key Agreement Phase

This subsection describes the authentication and key agreement between $S_i$ and ${SP}_j$; see the details in Figure 5. The operations of the authentication and key agreement phases are described in Algorithm 2.

A1: $S_i$ first chooses a random number $l_S\in Z_q^{\ast }$ and generates the current timestamp $T_S$. Then, it computes $L_S=l_S\cdot K_S$ and $M_S=H(L_S\parallel W_{SP})\cdot P$. Thirdly, $S_i$ encrypts ${ID}_S$ as ${EID}_S={ID}_S\oplus H(M_S\parallel T_S)$ and obtains the verifier $V_S=H({ID}_S{\parallel L}_S\parallel M_S{\parallel T}_S)$. Finally, $S_i$ transmits the authentication request $M_1=\{{EID}_S,L_S,V_S,T_S\}$ to ${SP}_j$.

B1: Upon receiving the request message sent by $S_i$ at $T_S^{\ast }$, ${SP}_j$ checks the condition $\left|T_S-T_S^{\ast }\right|<△T$ for validating the received timestamp $T_S$. If so, it computes $M_{SP}=H\left(L_S^{\ast }\parallel W_S\right)\cdot P$ and ${ID}_S^{\ast }={EID}_S^{\ast }⨁H(M_{SP}\parallel T_S^{\ast })$.${SP}_j$ checks if $V_S^{\ast }?=H({ID}_S^{\ast }\parallel L_S^{\ast }\parallel M_{SP}\parallel T_S)$, if it is not valid, ${SP}_j$ terminates the current session.

B2: ${SP}_j$ first chooses a random number $l_{SP}\in Z_q^{\ast }$ and generates timestamp $T_{SP}$. Secondly, it computes $L_{SP}=l_{SP}\cdot K_{SP}$ and obtains the session key as ${SSK}_{SP}=H({ID}_S^{\ast }\parallel {ID}_{SP}\parallel M_{SP}\parallel L_S^{\ast }\parallel L_{SP})$. Finally, ${SP}_j$ computes the verifier $V_{SP}=H({ID}_{SP}\parallel L_{SP}\parallel M_{SP}\parallel T_{SP})$ and transmits $M_2=\{L_{SP},V_{SP},T_{SP}\}$ to $S_i$ through a public channel.

A2: Upon receiving the response message sent by ${SP}_j$ at $T_{SP}^{\ast }$, $S_i$ checks the condition $\left|T_{SP}-T_{SP}^{\ast }\right|<△T$ for validating the received timestamp $T_{SP}$. If it is not met, the communication is terminated. Otherwise, $S_i$ checks if $V_{SP}^{\ast }?=H({ID}_{SP}\parallel L_{SP}^{\ast }\parallel M_S\parallel T_{SP})$, if it is not met, the session is terminated. $S_i$ further computes the session key ${SSK}_S=H({ID}_S\parallel {ID}_{SP}\parallel M_S\parallel L_S\parallel L_{SP}^{\ast })$.

Algorithm 2 Authentication and key agreement
#******************** Authentication and key agreement ********************#
1.	$S_i$ generates $l_s\in Z_q^{\ast }$$\mathrm{and} T_S$
2.	$S_i$ computes $L_S=l_S·K_S$, $M_S=H\left(L_S\parallel W_{SP}\right)\cdot P$, ${EID}_S={ID}_S⨁H(M_S\parallel T_S)$, $V_S=H({ID}_S{\parallel L}_S\parallel M_S{\parallel T}_S)$
3.	$S_i$ sends $M_1=\{{EID}_S,L_S,V_S,T_S\}$ to ${SP}_j$
4.	${SP}_j$ computes $M_{SP}=H\left(L_S^{\ast }\parallel W_S\right)\cdot P$, ${ID}_S^{\ast }={EID}_S^{\ast }⨁H(M_{SP}\parallel T_S)$
5.	${SP}_j$ computes $V_S^{\ast }=H({ID}_S^{\ast }\parallel L_S^{\ast }\parallel M_{SP}\parallel T_S$)
6.	If $V_S^{\ast }!=V_S$ then:
7.	Terminate session
8.	Else:
9.	${SP}_j$ generates $l_{SP}\in Z_q^{\ast }$, $T_{SP}$
10.	${SP}_j$ computes $L_{SP}=l_{SP}\cdot K_{SP}$, ${SSK}_{SP}=H({ID}_S^{\ast }\parallel {ID}_{SP}\parallel M_{SP}\parallel L_S^{\ast }\parallel L_{SP})$
11.	${SP}_j$ computes $V_{SP}=H({ID}_{SP}\parallel L_{SP}\parallel M_{SP}\parallel T_{SP})$
12.	${SP}_j$ sends $M_2=\{L_{SP},V_{SP},T_{SP}\}$ to $S_i$
13.	$S_i$ computes $V_{SP}^{\ast }=H({ID}_{SP}\parallel L_{SP}^{\ast }\parallel M_S\parallel T_{SP})$
14.	If $V_{SP}^{\ast }!=V_{SP}$ then:
15.	Terminate session
16.	Else:
17.	$S_i$ computes ${SSK}_S=H({ID}_S\parallel {ID}_{SP}\parallel M_S\parallel L_S\parallel L_{SP}^{\ast })$
18.	End if;
19.	End

5. Security Analysis

This section describes the ROM-based formal security analysis, descriptive security analysis, and automated formal verification making use of ProVerif.

5.1. Adversary Model

Suppose there are two participants in the scheme: the service provider and smart meter. There may be multiple instances of each entity, with each instance being considered an oracle. These instances may execute concurrently. Instances of the smart meter and service provider are denoted as $S_i$ and ${SP}_j$ ($i,jϵZ$), respectively. Any type of instance is represented by $I\in S_i\cup {SP}_j$.

The proposed protocol adopts the eCK adversary model [32]. Assume that 𝒜 is a probabilistic polynomial-time adversary which can completely control the public channel, meaning it can eavesdrop, intercept, replay, delete, or modify messages in the channels. Additionally, under the eCK adversary model, 𝒜 can compromise secret credentials, such as session keys, private keys, and ephemeral secrets. Therefore, a secure key agreement protocol should ensure that the leakage of certain secret values cannot affect other values’ security. 𝒜 can have a session with $S_i$ or ${SP}_j$ by the following query [33]. As shown in

Table 3. Query description.

Query Type	Significance
$Corrupt \left(I\right)$	This query can return the private keys stored in the compromised $S_i$ to 𝒜.
$SReveal \left(I\right)$	This query enables 𝒜 to obtain ${SSK}_S\left({SSK}_{SP}\right)$ generated by the entity and its partner.
$rReveal \left(I\right)$	This query allows 𝒜 to obtain the ephemeral secrets of $I.$
$Execute \left(I\right)$	This query allows 𝒜 to obtain all exchanged messages between the participants $S_i$ and ${SP}_j$.
$Send (I,M)$	In this query, 𝒜 sends a message $M$ to $I$; if the message $M$ is valid, 𝒜 outputs the response received from $I$; otherwise, the query is ignored.
Test ($I$)	This query allows 𝒜 to send a session key request to $I$, and $I$ probabilistically outputs the result of a fair coin flip $b$. If Test ($I$) does not reach an acceptance state, the result is $\perp$. Otherwise, if $b=1$, 𝒜 receives the actual session key; otherwise, 𝒜 receives a random value with the same size of the session key.
$h\left(m\right)$	This query allows 𝒜 to obtain a random number as the hash value of $m$.

.

5.2. Formal Security Analysis

In this subsection, a formal security analysis of the proposed protocol is implemented based on the ROM model.

Each oracle may have three possible states, which are:

(1)

Acceptance: If an instance receives the final expected protocol message, then $I$ enters the acceptance state.

(2)

Freshness: Instances $I$ is fresh when the following conditions are met:

• $I$ is accepted and has the session key.
• Neither $I$ nor his partner (if existing) has been queried by $SReveal \left(I\right)$.
• $Corrupt \left(I\right)$ is not queried by 𝒜.

(3)

Empty: This state indicates that the instance’s input was not answered.

Partnership: $S_i$ and ${SP}_j$ are in a partnership when the following three conditions are met:

(1)

$S_i$ and ${SP}_j$ have successfully authenticated each other and share the same session identifier.

(2)

$S_i$ and ${SP}_j$ are both in the acceptance state;

(3)

$S_i$ and ${SP}_j$ are mutual partners.

Semantic Security: In this protocol, 𝒜 attempts to break the semantic security of the protocol through multiple $Execute \left(I\right)$, $Send (I,M)$, and $h\left(m\right)$, $SReveal \left(I\right)$, $rReveal \left(I\right)$ queries, and one $Test \left(I\right)$ query. Using the message obtained in the query, 𝒜 attempts to guess the value $b^{\prime }$ of $b$ in the $Test \left(I\right)$ query. Let AKA-SG denotes the protocol designed in this paper, ${\mathrm{Adv}}_{𝒜}^{\mathrm{AKA}-\mathrm{SG}}(\mathrm{t})$ denote 𝒜’s advantage in breaking the semantic security of AKA-SG within polynomial time t, ${Win}_j(j=\mathrm{0,1},\dots ,4$) denotes the event that 𝒜 succeeds in the following series of games $G_i(i=\mathrm{0,1},\dots ,4)$, $\mathrm{Pr}\left[Win\right]$ denotes the success probability of 𝒜. Then, the advantage of 𝒜 in breaking the semantic security of AKA-SG is:

$${\mathrm{adv}}_{𝒜}^{\mathrm{AKA}-\mathrm{SG}}=|2\mathrm{Pr}[\mathrm{b}={\mathrm{b}}^{\prime }]-1|=|2\mathrm{Pr}[\mathrm{Win}]-1|$$

(1)

The AKA scheme is considered semantically secure under the eCK adversarial model when ${\mathrm{Adv}}_{𝒜}^{\mathrm{AKA}-\mathrm{SG}}<\epsilon$, where $\epsilon >0$ is a sufficiently small number.

Theorem 1. 

Let $q_e,q_s$ and $q_h$ represent the number of $Execute \left(I\right)$, $Send (I,M)$, and $h\left(m\right)$ made by 𝒜 within polynomial time $t$. Assume that the length of each hash value is $l$. The advantage of 𝒜 in breaking the semantic security of AKA-SG is:

$${\mathrm{Adv}}_{𝒜}^{\mathrm{AKA}-\mathrm{SG}}(\mathrm{t})\le {\displaystyle \frac{{\mathrm{q}}_{\mathrm{h}}^2}{2^{\mathrm{l}}}}+{\displaystyle \frac{{({\mathrm{q}}_{\mathrm{e}}+{\mathrm{q}}_{\mathrm{s}})}^2}{\mathrm{p}-1}}+{\displaystyle \frac{{(2{\mathrm{q}}_{\mathrm{h}}+{\mathrm{q}}_{\mathrm{s}})}^2+{({\mathrm{q}}_{\mathrm{h}}+{\mathrm{q}}_{\mathrm{s}})}^2}{2^{\mathrm{l}-1}}}+2{\mathrm{Adv}}_{𝒜}^{\mathrm{AKA}-\mathrm{SG}}(\mathrm{t})$$

(2)

Proof of Theorem 1. 

Through a series of gaming games $G_i$, the simulator emulates the protocol and answers 𝒜’s queries. Detailed proofs are listed as follows:

$G_0$: This game simulates the real attack under the ROM model. Hence,

$${\mathrm{Adv}}_{𝒜}^{\mathrm{AKA}-\mathrm{SG}}(\mathrm{t})=|2\mathrm{Pr}[{\mathrm{Win}}_0]-1|$$

(3)

$G_1$: In this game, 𝒜 executes $Execute\left(I\right)$ and $Test\left(I\right)$ queries to launch active attacks against the protocol. Through the $Execute\left(I\right)$ query, 𝒜 can obtain the information on the public channel, specifically $M_1=\{{EID}_S,L_S,V_S,T_S\}$ and $M_2=\{L_{SP},V_{SP},T_{SP}\}$. During the authentication phase, the $Test\left(I\right)$ query allows 𝒜 to determine whether the session key is the actual key or a random value. Clearly, 𝒜 cannot compute the session key ${SSK}_{SP}\left({SSK}_S\right)$ based on the information obtained on the public channel. Therefore, 𝒜’s advantage does not increase compared to $G_0$. That is,

$$|\mathrm{Pr}[{\mathrm{Win}}_1]-\mathrm{Pr}[{\mathrm{Win}}_0]|=0$$

(4)

$G_2$: In this game, 𝒜 can forge messages by making $Send (I,M)$ queries and $h\left(m\right)$ queries. The semantic security of the protocol is threatened only when 𝒜 finds collisions and forges a legitimate message. In this paper, 𝒜 can find the following two types of collisions:

(1)

The probability of collisions in the output of the hash function is at most: ${\displaystyle \frac{q_h^2}{2^{l+1}}}$

(2)

The probability of collisions in random numbers is at most: ${\displaystyle \frac{{{(q}_e+q_s)}^2}{2(p-1)}}$

Therefore, unless a collision occurs, games $G_2$ and $G_1$ are indistinguishable; we have:

$$|\mathrm{Pr}[{\mathrm{Win}}_2]-\mathrm{Pr}[{\mathrm{Win}}_1]|\le {\displaystyle \frac{{\mathrm{q}}_{\mathrm{h}}^2}{2^{\mathrm{l}+1}}}+{\displaystyle \frac{{({\mathrm{q}}_{\mathrm{e}}+{\mathrm{q}}_{\mathrm{s}})}^2}{2(\mathrm{p}-1)}}$$

(5)

$G_3$: In this game, 𝒜 attempts to guess certain parameters to forge a legitimate message:

(1)

If 𝒜 receives $M_1=\{{EID}_S,L_S,V_S,T_S\}$, 𝒜 performs hash queries to compute $M_1$. Thus, the probability of encountering the cases $(\ast ,M_S\parallel \ast )$, $({ID}_S\parallel L_S\parallel M_S\parallel \ast ,V_S)$ is: ${\displaystyle \frac{{({2q}_h+q_s)}^2}{2^l}}$.

(2)

If 𝒜 receives $M_2=\{L_{SP},V_{SP},T_{SP}\}$, then the probability of encountering the case $({ID}_{SP}\parallel L_{SP}\parallel M_{SP}\parallel \ast ,V_{SP})$ is: ${\displaystyle \frac{{(q_h+q_s)}^2}{2^l}}$.

Unless 𝒜 successfully obtains the aforementioned parameters, $G_2$ and $G_3$ are indistinguishable. We have:

$$|\mathrm{Pr}[{\mathrm{Win}}_3]-\mathrm{Pr}[{\mathrm{Win}}_2]|\le {\displaystyle \frac{{(2{\mathrm{q}}_{\mathrm{h}}+{\mathrm{q}}_{\mathrm{s}})}^2+{({\mathrm{q}}_{\mathrm{h}}+{\mathrm{q}}_{\mathrm{s}})}^2}{2^{\mathrm{l}}}}$$

(6)

$G_4$: In this game, 𝒜 can capture $S_i$ and ${SP}_j$ by performing a $Corrupt\left(I\right)$ query, obtaining the key $k_S$ and $k_{SP}$ stored in its memory. Additionally, 𝒜 can obtain the ephemeral secrets for $I$ through an $rReveal\left(I\right)$ query. 𝒜 can also intercept the data transmitted over the public channel, specifically $M_1=\{{EID}_S,L_S,V_S,T_S\}$ and $M_2=\{L_{SP},V_{SP},T_{SP}\}$. can use the intercepted data to compute the session key ${SSK}_S\left({SSK}_{SP}\right)$ between $S_i$ and ${SP}_j$. Due to the computational difficulty of the ECDL and ECDH problems, computing ${SSK}_S\left({SSK}_{SP}\right)$ is unfeasible. We have:

$$|\mathrm{Pr}[{\mathrm{Win}}_4]-\mathrm{Pr}[{\mathrm{Win}}_3]|\le {\mathrm{Adv}}_{𝒜}^{\mathrm{AKA}-\mathrm{SG}}(\mathrm{t})$$

(7)

After executing all relevant queries related to the aforementioned game, 𝒜 has no other significant advantage. Once the $Reveal \left(I\right)$ and $Test\left(I\right)$ queries are performed, 𝒜 can only guess the random bit $b$ to determine whether the computed ${SSK}_S\left({SSK}_{SP}\right)$ between $S_i$ and ${SP}_j$ is the actual key or a random number. Therefore:

$$\mathrm{Pr}[{\mathrm{Win}}_4]={\displaystyle \frac{1}{2}}$$

(8)

Considering all possibilities, Theorem 1 is successfully proven. □

5.3. Descriptive Security Analysis

5.3.1. Anonymity and Untraceability

In this scheme, ${ID}_S$ is encrypted before transmission and changes dynamically from session to session. Additionally, 𝒜 cannot retrieve or track participants from the transmitted messages. In other words, this scheme ensures anonymity and untraceability.

5.3.2. Perfect Forward Security

Assume that the private keys $k_S$ and $k_{SP}$ of the entities are leaked. For ${SSK}_S=H({ID}_S\parallel {ID}_{SP}\parallel M_S\parallel L_S\parallel L_{SP}^{\ast })$, where $M_S=H\left(L_S\parallel W_{SP}\right)\cdot P$, $L_S=l_S·K_S$, 𝒜 cannot obtain the random numbers $l_S$ and $l_{SP}$ for each session, thus, he/she cannot compute ${SSK}_S$. Therefore, 𝒜 cannot compute the session key. In summary, this scheme can ensure perfect forward security.

5.3.3. Mutual Authentication and Key Establishment

During the AKA process, ${SP}_j$ verifies $S_i$ by checking the correctness of $V_S$. Similarly, $S_i$ verifies $V_{SP}$ to ensure that the messages received are from $S_i$. At the same time, since ${SSK}_S=$$H\left({ID}_S\parallel {ID}_{SP}\parallel M_S\parallel L_S\parallel L_{SP}^{\ast }\right)=H\left({ID}_S\parallel {ID}_{SP}\parallel H\left(L_S\parallel W_{SP}\right)\cdot P\parallel L_S\parallel L_{SP}^{\ast }\right)=H\left({ID}_S\parallel {ID}_{SP}\parallel H\left(L_S\parallel (k_S\cdot k_{SP}\cdot P)\right)\cdot P\parallel L_S\parallel L_{SP}^{\ast }\right)=H\left({ID}_S\parallel {ID}_{SP}\parallel H\left(L_S\parallel W_S\right)\cdot P\parallel L_S\parallel L_{SP}^{\ast }\right)$$=H\left({ID}_S^{\ast }\parallel {ID}_{SP}\parallel M_{SP}\parallel L_S^{\ast }\parallel L_{SP}\right)={SSK}_{SP}$, $S_i$ and ${SP}_j$ establish the same session key.

5.3.4. Privileged-Insider Attack Resistance

Assume 𝒜 is a privilege insider attacker of the TA, who can obtain the information $\{{ID}_{SP},R_{SP},{ID}_S,K_S,r_{sP}^{ta}\}$ of $S_i$ in the registration phase. 𝒜 may attempt to compute $S_i$’s private key $k_S={(r}_S+r_S^{ta})mod p$, where $r_S$ is the random number generated by $S_i$. Since the ECDL problem, $k_S$ cannot be computed by 𝒜. Similarly, 𝒜 gets the information of ${SP}_j$ and cannot compute ${SP}_j$’s private key $k_{SP}={(r}_{SP}+r_{SP}^{ta})mod p$. Therefore, the protocol is resistant to privileged insider attacks.

5.3.5. Replay Attack Resistance

Assume that 𝒜 intercepts $M_1=\{{EID}_S,L_S,V_S,T_S\}$ and $M_2=\{L_{SP},V_{SP},T_{SP}\}$ during the AKA phase. Since these messages involve the current timestamps $T_S$ and $T_{SP}$, respectively, the verification of $M_1$ and $M_2$ is based on checking $T_S$ and $T_{SP}$. Therefore, any violation of the timestamp checking will lead us to confirm the replay of old messages by 𝒜. Thus, the scheme is resistant to replay attacks.

5.3.6. Impersonation Attacks Resistance

Taking the example of impersonating $S_i$ as an example. If 𝒜 attempts to impersonate $S_i$, it should generate the message $M_1=\{{EID}_S,L_S,V_S,T_S\}$ in a way that ${SP}_j$ believes the message is legitimate and from $S_i$. If 𝒜 does not know the secret parameters such as $k_s$,$W_{SP}$, generating a valid message within polynomial time would be a computationally expensive task. Therefore, the proposed protocol can resist impersonation attacks.

5.3.7. Man-in-Middle Attack Resistance

Assume that 𝒜 captures all messages transmitted by the participants during the AKA phases over a public channel, where $M_1=\{{EID}_S,L_S,V_S,T_S\}$ and $M_2=\{L_{SP},V_{SP},T_{SP}\}$. 𝒜 attempts to modify the transmitted messages to make the participants believe that the received messages come from legitimate parties. Taking the modifying of $M_1$ as an example, if 𝒜 attempts to modify $M_1=\{{EID}_S,L_S,V_S,T_S\}$, 𝒜 needs to know the random secret parameter $l_s$ and private key $k_s$ generated by $S_i$. It is a computationally expensive task. Therefore, the proposed protocol can resist man-in-the-middle attacks.

5.4. Automatic Formal Verification by ProVerif

This subsection utilizes ProVerif [34] to formally verify the proposed scheme. ProVerif is based on the Dolev–Yao security model [35] and is a widely used tool for testing the security of cryptographic protocols [36]. The diagram below illustrates the modeling process of $S_i$, corresponding to Section 3. The modeling process of ${SP}_j$ is similar to that of $S_i$.

The query statement for the proposed scheme with the ProVerif tool is given below:

(1)

query attacker (SSKS).

(2)

query attacker (SSKSP).

The subprocess code of $S_i$ is as follows in Figure 6:

We use Process!SPj|!Si|!TA to demonstrate the parallel execution of three entities as shown in Figure 7.

The simulation results are shown in Figure 6. The results indicate that the session key proposed is robust against common attacks. Therefore, the proposed scheme is secure under formal verification using the ProVerif framework.

6. Performance Comparison

In this section, the proposed scheme is compared with other related schemes of the SG [7,21,37,38,39] in terms of performance.

6.1. Security and Functionality Features Comparison

The comparison of the proposed scheme with related schemes in terms of security is presented in

Table 4. Functionality and Security Comparison.

Scheme	F1	F2	F3	F4	F5	F6	F7	F8	F9
ours	√	√	√	√	√	√	√	√	√
[37]	√	√	√	√	√	√	√	√	√
[38]	√	√	√	√	√	√	×	√	√
[39]	√	√	√	√	√	√	×	√	√
[7]	√	√	×	√	√	√	√	√	√
[21]	√	√	√	√	√	×	√	×	√

Notes: F1: Mutual authentication F2: Anonymity F3: Untraceability F4: Perfect forward security F5: Replay attack F6: Man-in-the-middle attack F7: Privileged-insider attack F8: Impersonation attack resistance F9: Mutual authentication without the help of other entities. √: “a scheme is secure or it supports that feature”; ×: “a scheme is insecure or it does not support that feature”.

. As shown in Table 4, the scheme in [21] is not resistant to man-in-the-middle and impersonation attacks, the schemes in [38] and LAS-SG are not resistant to insider attacks, and the scheme in [7] does not provide untraceability. Although the scheme in [37] can fulfill the nine security features in the table, it requires higher computation and communication costs. Therefore, the proposed scheme offers better security and more functional attributes than the existing schemes.

6.2. Computation Cost

Assume that $T_h, { T}_{mul}, T_{add},{ T}_{pair}$ and $T_e$ represent the running times for hash operations, point multiplication, point addition, bilinear pairing operations, and symmetric encryption/decryption, respectively, since the execution times of $\parallel$ and $\oplus$ operations are significantly lower than other operations, which are neglected. The experiments were conducted on a PC with Intel(R) Core (TM) i5-8250U CPU @ 1.60 GHz 1.80 GHz + 8 GB RAM and Windows 11. In the development environment IntelliJ IDEA (IDEA), multiple point addition and point multiplication operations are performed based on the elliptic curve equation: $y^2=x^3+a\cdot x+b\left(modp\right)$. When $p=2^{192}$, these operations were executed 1000 times. The average execution times for $T_h$, $T_{mul}$, $T_{add}$, and $T_e$ are 0.001 ms, 1.952 ms, 8.126 ms, and 0.018 ms, respectively.

In the authentication and key agreement phases, both $S_i$ and ${SP}_j$ in the proposed scheme execute five times $T_h$ and eight times $T_{mul}$, resulting in a total of 10$T_h$ + 4$T_{mul}$=7.818 (ms). Through similar calculations,

Table 5. Computation Cost.

Scheme	Computation Cost	Times (ms)
ours	10$T_h+$4$T_{mul}$	7.818
[37]	$16T_h+8T_{mul}$	15.64
[38]	$16T_h+3T_{mul}$	5.872
[39]	$6T_h$+ 7$T_{mul}$+ 10$T_e$	15.05
[7]	$8T_h$+ 6$T_{mul}$+ 2$T_{add}$	11.85
[21]	$14T_h$+ 6$T_{mul}$+ 2$T_{add}$	11.856

presents the communication overhead for each protocol in the authentication and key agreement phase. As shown in Table 5, the computational cost of the proposed scheme is the lowest among all compared schemes, except for the scheme in [38]. Although the approach in [38] requires lower computational costs, it does not account for inside attacks. Obviously, the scheme in this paper is more robust.

6.3. Communication Costs

Assuming the sizes of the identity identifier (ID), random number (R), timestamp (T), ECC point (P), hash output (H), and symmetric encryption/decryption (E) are 128 bits, 128 bits, 32 bits, 320 bits, 160 bits, and 256 bits, respectively.

In the proposed scheme, the sizes of messages $M_1=\{{EID}_S,L_S,V_S,T_S\}$ and $M_2=\{L_{SP},V_{SP},T_{SP}\}$ are (128 + 320 + 160 + 32) = 640 bits and (320 + 160 + 32) = 512 bits, respectively. Therefore, the total communication overhead is 1152 bits.

Table 6. Communication Cost.

Scheme	Communication Cost	Number of Messages	Total Bits
ours	ID + 2P + 2H + 2T	2	1152
[37]	3H + 2P + 3T + 2ID	3	1472
[38]	ID + 5H + P	2	1248
[39]	2H + 2P + 2T + 4E	2	2048
[7]	2H + 2P + 2R + 2T + 2ID	2	1536
[21]	3H + 3P + 3T	3	1536

shows the communication overhead required for all the schemes. As shown in Table 6, it is clear that the communication overhead is maximum for [39] and minimum for this paper scheme as compared to all schemes. The results indicate that the proposed protocol has the lowest communication cost during the AKA phase which is applicable to the SG.

6.4. Analysis of Performance Comparison Results

As shown in Figure 8, the comparison between computation and communication overheads is visually depicted. It can be observed that the proposed protocol has the minimal communication overhead although its computational overhead is not as good as [38]. Overall, this protocol is the most suitable for resource-constrained devices in SGs.

7. Conclusions

First, this paper reviews the existing SG AKA protocols. Then, we point out that the existing solutions cannot provide perfect forward security and user anonymity, and are unable to resist various attacks such as man-in-the-middle, ephemeral secret leakage, and key compromise impersonation, etc. Heavy computation and communication costs also mean that a number of these schemes are not appropriate for a resources-constrained SG. We proposed a lightweight authentication and key agreement scheme based on ECC to address the existing challenges. Under the eCK adversary model, the security of the session key in this scheme was rigorously proven. With ProVerif, we verified the confidentiality of the session key and the authentication properties. Though performance comparison, it was found that the scheme has advantages such as user anonymity, perfect forward security, and mutual authentication, and resists typical attacks like impersonation, man-in-the-middle, replay attacks and privileged-insider attacks. Additionally, compared to existing solutions, this scheme has minimal computation and communication overheads, making it more suitable for resource-constrained devices in an SG.

Although the scheme has many of the advantages mentioned above, we have not attempted to execute it on other experimental devices. In addition, with the continuous development of quantum computing, it brings great challenges to traditional public key encryption algorithms. In order to ensure seamless integration and compatibility of the scheme with the existing SG infrastructure, the widely accepted Smart Grid Framework model proposed by NIST is considered in this paper. Additionally, with their progressive deployment strategies, compatibility with existing hardware, and network topology adaptability, SGs enable a secure and efficient key management and agreement. In the future, we intend to implement the proposed scheme on a Raspberry Pi to demonstrate its feasibility in resource-constrained devices. Additionally, we intend to ensure that the scheme not only incorporates enhanced security attributes but also can be applied to other resource-constrained scenarios, such as smart healthcare and smart sports devices.