A Secure Lightweight Signcryption Scheme for
Smart Grid Communications Using Reliable
Physically Unclonable Function
Masoud Kaveh
Electrical Engineering
Iran University of Science and Technology,
Tehran, Iran
[email protected]
[email protected]
Diego Martin
Telecommunication
Technical University of Madrid,
Madrid, Spain
[email protected]
[email protected]
Abstract— As it is well acknowledged, by using information
and communication technology, smart grid enhances the
flexibility and efficiency of power grid networks. However,
Security is considered as the most important and inevitable
challenge of smart grid. Security itself can be interpolated to
different meanings and referred to various features based on
different needs and applications. Hence, through years many
different protocols tried to introduce a secure communication
between smart meters (𝑺𝑴) and neighborhood gateways (𝑵𝑮).
The most important goals of previous efforts were to bring
vital features like confidentiality, authentication, anonymity,
etc. alongside the lightweight design. However, the lack of
physical security is their most important drawback. To that
end, this paper proposes a novel two-way physically secure
signcryption scheme based on reliable physically unclonable
function (PUF), which not only improves the security and
functional features but also outperforms the state of the art in
term of computational cost.
Keywords— physically unclonable function, lightweight
signcryption, physical security, smart grid.
I. INTRODUCTION
Since, smart grid deploys the advantage of information
and communication technology (𝐼𝐶𝑇) to improve the safety,
efficiency and reliability of the traditional power grid,
security has been introduced as its most important issue. ICT
enables the two-way communication alongside the one-way
electrical flow where the neighborhood gateway (𝑁𝐺) can
continuously collect reports from the smart meters (𝑆𝑀𝑠)
and send control commands to them [1]-[3]. Security can be
studied based on two important kinds of attack. In the first
kind, an adversary can access to the transmitted message of
the communication link to obtain private data, or send
altered/replayed messages to both 𝑆𝑀 and 𝑁𝐺. Alternatively,
an attacker can capture 𝑆𝑀 and obtain the stored secrets from
its external memory [4]-[6].
There are many security schemes, which have proposed
secure communication protocols between the 𝑆𝑀s and 𝑁𝐺 in
recent years [7]-[12]. Although heavyweight design of the
mentioned protocols is an overriding disadvantage, the
vulnerability against physical attack can be considered as
This paper is co-funded by the Erasmus+ Programme of the European
Union. This publication reflects the views only of the author and the
commission cannot be held responsible for any use, which may be made of
the information contained therein.
978-1-7281-7455-6/20/$31.00 ©2020 IEEE
Saeed Aghapour
Electrical Engineering
Iran University of Science and Technology,
Tehran, Iran
Mohammad Reza Mosavi
Electrical Engineering
Iran University of Science and Technology,
Tehran, Iran
their most important drawback. Since these schemes use the
traditional key establishment protocols and consequently
store a longtime session key, their protocol will be easily
broken when the adversary reads the 𝑆𝑀 's memory.
Therefore, the tendency to use PUF has increased in recent
years as a primitive to generate physically resistant one-time
pad keys [13]-[15].
Mustapa et al. [13] proposed a novel authentication
scheme for communication between the utility company and
the 𝑆𝑀 network. Since each key was generated by the PUF
and used only once, the attacker cannot model the key easily.
This paper deployed the advantage of the Hamming code for
ring oscillator (RO) PUF responses. The authors in this paper
did not provide any security and performance analysis, nor
any details of the protocol. Ameri et al. [14] proposed
provably secure and broadcast authentication schemes for the
smart grid based on RO PUF and Bose, Chaudhuri, and
Hocquenghem ( 𝐵𝐶𝐻 ) codes. Although they proved their
proposed protocol can resist to some kinds of attack, it put a
lot of computing into 𝑆𝑀 s. Gope et al. [15] proposed a
secure and privacy-aware authenticated key agreement
scheme for smart grid communication based on PUF. The
authors used a BCH-based fuzzy extractor in order to PUF
reliability. It is proved that the proposed key agreement
protocol is secure against all cyber and physical attack.
However, the use of some cryptographic primitives with
significant computational cost may lead to an unpractical
protocol for the future of the smart grid.
Although the schemes presented in [13]-[15] have issued
the physical attack, they still lack on some important features
such as lightweight design and two-way communication. We
aim to design the proposed protocol in such way that 𝑆𝑀 and
𝑁𝐺 execute the encoding and decoding algorithms
respectively in order to PUF reliability. Since the encoding
algorithm is more lightweight than the decoding algorithm in
all error correction codes, the proposed scheme in this paper
outperforms the state of the art in the term of computational
cost. Moreover, due to the importance of two-way
communication in all smart grid applications, the proposed
scheme enables this feature by standing still lightweight and
satisfying data confidentially and privacy. According to the
mentioned points, this paper does not only propose a
lightweight signcryption scheme for secure two-way data
transmission in the smart grid neighborhood area network
 TABLE I
NOTATIONS AND THEIR MEANINGS
Notation Explanation
𝑆𝑀𝑗 jth smart meter
𝑁𝐺 Neighborhood gateway
Control Server
ℎ(. ) One-way hash function
𝑃𝑈𝐹(. ) Physical unclonable function
ℎ𝑑𝑖 (. ) ith helper data
𝐸𝑛𝑐𝑜𝑑𝑒(. ) Encoding operation
𝐷𝑒𝑐𝑜𝑑𝑒(.,.) Decoding operation
NG NG 𝐼𝐷 𝑗 Identity of 𝑆𝑀𝑗
𝑇𝑆 Timestamp
𝑗
𝐶𝑖 ith challenge for 𝑆𝑀𝑗
𝑗
𝑅𝑖 ith corresponding response of 𝑆𝑀𝑗
𝑟𝑖 ith generated pseudorandom number by 𝑁𝐺
𝑟𝑠𝑖 ith secret number generated by 𝑆𝑀𝑗
𝑗
HAN 𝐷𝑖 ith electricity data report of 𝑆𝑀𝑗

WAN Smart Meter 𝑚𝑖 ith control message of 𝑁𝐺

𝑉1 , 𝑉3 𝑁𝐺's verifiers which are sent to 𝑆𝑀𝑗
NAN
𝑉2 , 𝑉4 𝑆𝑀𝑗 's verifiers which are sent to 𝑁𝐺
HAN SM ⨁ The XOR operator
∥ The concatenation operator
Fig. 1. The smart grid communication layer architecture. |𝑋| Size of the parameter X

(𝑁𝐴𝑁) communication but also adds some other important
security and functional features, which make it as a practical
solution for the future smart grid communication.
The remainder of this paper is organized as follows. The
proposed lightweight signcryption scheme presented in
section II. Section III presents security analyzes of the
proposed protocol. Section VI evaluates the performance of
the proposed protocol in comparison with the related work,
and section V draws the conclusion of the paper.
II. THE PROPOSED SIGNCRYPTION SCHEME
This section represents the system model and proposed
two-way communication scheme with details. Table I
demonstrates all notations used in this paper and their
meanings.
A. System and Threat Model
As shown in Fig. 1, a home area network (𝐻𝐴𝑁) consists
of smart appliances and one 𝑆𝑀. Each 𝑆𝑀 is considered as
an extremely resource-constrained device and is equipped
with a PUF. Since the PUF is embedded to the micro-
controller, any physical attempt to separate it from the
embedded system will disable the 𝑆𝑀 and its corresponding
PUF. In the next level (𝑁𝐴𝑁), the 𝑁𝐺 collects the reports
from hundreds of 𝑆𝑀s and then send back them the control
commands. In the wide area network (𝑊𝐴𝑁), the control
center manages a few 𝑁𝐺s in the top level and makes the
final decisions. In this paper, the communications between
the 𝑆𝑀s and 𝑁𝐺 is concentrated.
In the mentioned 𝑁𝐴𝑁 communication system, an
adversary may eavesdrop, alter, and replay the messages or
impersonate both 𝑆𝑀 and 𝑁𝐺 . Furthermore, an adversary
can capture an 𝑆𝑀 in the lack of hardware protection and
then obtains the important secrets from its memory, or
disrupting the network using denial of service (𝐷𝑜𝑆) attack.
Hence, according to the system and threat model, this paper
aims at proposing a PUF-based lightweight communication
protocol that resists to all the possible attacks in the NAN
communication system.
B. The Offline Setup Phase
At this phase, the j-th smart meter, 𝑆𝑀𝑗 is registered to
𝑗
𝑁𝐺 by sharing a secret 𝑟𝑠0 and storing the first challenge-
𝑗 𝑗
response pairs (CRP), 𝐶0 , 𝑅0 in the 𝑁𝐺 's database.
Afterward, 𝑆𝑀𝑗 removes the CRP from its memory but stores
𝑗
𝑟𝑠0 . We will show that storing this secret does not only not
make system vulnerable to physical attack but also secures it
against other attacks. Depending on the system requirements,
this phase can be repeated over very long periods.
C. The Online Communication Phase
Without loss of generality, we consider the
communication between 𝑁𝐺 and one smart meter 𝑆𝑀𝑗 . To
start the communication, 𝑆𝑀𝑗 sends its identity 𝐼𝐷 𝑗 to 𝑁𝐺.
𝑁𝐺 searches the 𝐼𝐷 𝑗 in its database and finds and reads the
𝑗 𝑗
corresponding pair (𝐶𝑖 , 𝑅𝑖 ), then computes a verifier 𝑉1 =
𝑗 𝑗 𝑗
ℎ(𝑟𝑠𝑖 , 𝐼𝐷 , 𝐶𝑖 , 𝑇𝑆) and sends the packet {𝐶𝑖 , 𝑉1 , 𝑇𝑆} to 𝑆𝑀𝑗 .
It will be explained in section III that the verifier 𝑉1 is used
to prevent DoS attacks. After receiving the packet, 𝑆𝑀𝑗
𝑗
verifies 𝑉1 and computes 𝑅𝑖′ = 𝑃𝑈𝐹(𝑐𝑖 ) only if it passes the
verification process. After that, 𝑆𝑀𝑗 creates the helper data
𝑗
ℎ𝑑𝑖 = 𝐸𝑛𝑐𝑜𝑑𝑒 (𝑅𝑖′ ) and a verifier 𝑉2 = ℎ(𝑅𝑖′ , 𝑇𝑆) and sends
𝑗
the packet {ℎ𝑑𝑖 , 𝑉2 , 𝑇𝑆} to 𝑁𝐺.
Upon receiving the packet after verifying 𝑉2 , 𝑁𝐺
𝑗
computes 𝑅𝑖′ = 𝐷𝑒𝑐𝑜𝑑𝑒 (ℎ𝑑𝑖 , 𝑅𝑖 ) . Then, 𝑁𝐺 generates a
pseudorandom number 𝑟𝑖 and computes the next challenge
𝑗
𝐶𝑖+1 = ℎ(𝑟𝑖 , 𝐼𝐷 𝑗 ) and 𝐸1 = (𝑚𝑖 ∥ (𝑟𝑖 ⨁𝑚𝑖 ))⨁𝑅𝑖′ as its
encrypted message. Finally, 𝑁𝐺 computes its verifier 𝑉3 =
𝑗 𝑗
ℎ(𝐶𝑖+1 , 𝑚𝑖 , 𝑟𝑖 , 𝑇𝑆) and sends the packet {𝐸1 , 𝐶𝑖+1 , 𝑉3 , 𝑇𝑆} to 𝑺𝑴𝒋 𝑵𝑮
𝑆𝑀𝑗 . After the corresponding packet is received by 𝑆𝑀𝑗 , the {𝑰𝑫𝒋 }
first thing it does is to obtain 𝑚𝑖 , 𝑟𝑖 by computing 𝐸1 ⨁𝑅𝑖′ = ⇒
𝑚𝑖 ∥ (𝑟𝑖 ⨁𝑚𝑖 ). Then, to investigate the authenticity of the Locates 𝐼𝐷 𝑗
message, 𝑆𝑀𝑗 verifies 𝑉3 . Needless to say that at this point 𝑗 𝑗
Finds the corresponding pair (𝐶𝑖 , 𝑅𝑖 )
one way of the protocol is completed. Now, 𝑆𝑀𝑗 calculates 𝑗 𝑗
Computes 𝑉1 = ℎ(𝑟𝑠𝑖 , 𝐶𝑖 , 𝐼𝐷 , 𝑇𝑆)
𝑅𝑖+1 = 𝑃𝑈𝐹(𝐶𝑖+1 ) , 𝐸2 = ((𝑟𝑖 ⨁𝐷𝑖 ) ∥ 𝐷𝑖 )⨁𝑅𝑖′ , 𝐸3 = 𝒋
(𝑟𝑖 ∥ 𝑟𝑖 )⨁𝑅𝑖+1 , 𝑟𝑠𝑖+1 = ℎ(𝑟𝑖 , 𝑟𝑠𝑖 ) and the corresponding {𝑪𝒊 ,𝑽𝟏 ,𝑻𝑺}
verifier 𝑉4 = ℎ(𝑅𝑖+1 , 𝑟𝑖 , 𝐷𝑖 , 𝑇𝑆) and sends the packet ⇐
{𝐸2 , 𝐸3 , 𝑉4 , 𝑇𝑆} to 𝑁𝐺 and stores the parameter 𝑟𝑠𝑖+1 . It is Verifies 𝑉1
𝑗
worth mentioning that because of using PUF there will be no Computes: 𝑅𝑖′ = 𝑃𝑈𝐹(𝐶𝑖 )
need for storing additional parameters, which naturally will ℎ𝑑𝑖 = 𝐸𝑛𝑐𝑜𝑑𝑒 (𝑅𝑖′ )
𝑉2 = ℎ(𝑅𝑖′ , 𝑇𝑆)
lead to physical resistance of the scheme.
{𝒉𝒅𝒊 ,𝑽𝟐 ,𝑻𝑺}
At last, 𝑁𝐺 receives the packet {𝐸2 , 𝐸3 , 𝑉4 , 𝑇𝑆} and ⇒
decrypts 𝐸2 and 𝐸3 by using 𝐸2 ⨁𝑅𝑖′ = (𝑟𝑖 ⨁𝐷𝑖 ) ∥ 𝐷𝑖 and
Calculates 𝑅𝑖′ = 𝐷𝑒𝑐𝑜𝑑𝑒 (ℎ𝑑𝑖 , 𝑅𝑖 )
𝐸3 ⨁(𝑟𝑖 ∥ 𝑟𝑖 ) = 𝑅𝑖+1 to obtain the values 𝐷𝑖 and 𝑅𝑖+1 . Verifies 𝑉2
Moreover, to checks if the message data 𝐷𝑖 is valid or not, it Generates 𝑟𝑖
verifies 𝑉4 . Finally, 𝑁𝐺 computes 𝑟𝑠𝑖+1 = ℎ(𝑟𝑖 , 𝑟𝑠𝑖 ) and Computes 𝐶𝑖+1 = ℎ(𝑟𝑖 , 𝐼𝐷 𝑗 )
stores the values (𝐶𝑖+1 , 𝑅𝑖+1 ), 𝑟𝑠𝑖+1 , should 𝑉4 pass the 𝐸1 = (𝑚𝑖 ∥ (𝑟𝑖 ⨁ 𝑚𝑖 )) ⨁ 𝑅𝑖′
𝑗
verification process. Fig. 2 depicts the proposed protocol 𝑉3 = ℎ(𝐶𝑖+1 , 𝑚𝑖 , 𝑟𝑖 , 𝑇𝑆)
𝒋
III. Security Analysis {𝑬𝟏 ,𝑪𝒊+𝟏 ,𝑽𝟑 ,𝑻𝑺}
⇐
In this section, a thorough analysis on the security of the
Decrypts 𝐸1 and obtains 𝑟𝑖 , 𝑚𝑖
scheme on all the possible attacks is presented. Verifies 𝑉3
𝑗
A. Resistance to Message Altering and Injection Attack Computes: 𝑅𝑖+1 = 𝑃𝑈𝐹(𝐶𝑖+1 )
𝑉4 = ℎ(𝑅𝑖+1 , 𝑟𝑖 , 𝐷𝑖 , 𝑇𝑆)
In these attack models, the adversary's goal is to change 𝐸2 = ((𝐷𝑖 ⨁ 𝑟𝑖 ) ∥ 𝐷𝑖 ) ⨁ 𝑅𝑖′
or even create its own message by impersonating itself as 𝐸3 = (𝑟𝑖 ∥ 𝑟𝑖 ) ⨁ 𝑅𝑖+1
one of the involved parties of the protocol and make the 𝑟𝑠𝑖+1 = ℎ(𝑟𝑖 , 𝑟𝑠𝑖 )
Stores 𝑟𝑠𝑖+1
other party believe the message came from the trusted party
even though it was not. {𝑬𝟐 ,𝑬𝟑 ,𝑽𝟒 ,𝑻𝑺}
⇒
To thoroughly analyze this attack, because of the two
Decrypts 𝐸2 , 𝐸3 and obtains
way communication of our scheme, an adversary can 𝐷𝑖 , 𝑅𝑖+1
impersonate both 𝑁𝐺 and 𝑆𝑀 . In both cases, after Verifies 𝑉4
eavesdropping, the adversaries have the communicated Computes 𝑟𝑠𝑖+1 = ℎ(𝑟𝑖 , 𝑟𝑠𝑖 )
packets and their goal is to change the message and create its Stores (𝐶𝑖+1 , 𝑅𝑖+1 ), 𝑟𝑠𝑖+1
responding verifier in a way that it would pass the
verification process at the other end. However, because of Fig 2. The proposed PUF-based protocol.
the one way property of the hash function used in the
computation of the verifier the attack is not possible. In other
words, computing 𝑉3∗ = ℎ(𝑐𝑖+1 , 𝑇𝑠 , 𝑚𝑖∗ , 𝑟𝑖 ) and 𝑉4∗ = before 𝐸1 = (𝑚𝑖 ∥ (𝑟𝑖 ⨁ 𝑚𝑖 )) ⨁ 𝑅𝑖′ and 𝑅𝑖′ is the output of a
∗𝑗
ℎ(𝑅𝑖+1 , 𝑇𝑠 , 𝐷𝑖 , 𝑟𝑖 ) by having 𝐸1 , 𝐸2 , 𝑉3 , 𝑉4 , 𝐶𝑖+1 is PUF operation making it a random number. Moreover,
computationally infeasible for a polynomial time computer because 𝑅𝑖′ changes in each communication, finding 𝑚𝑖 or 𝑟𝑖
without the knowledge of the secret parameter 𝑟𝑖 . by having E1 is like finding the message in a one-time pad
system. Similarly, attacking 𝐸2 = ((𝐷𝑖 ⨁ 𝑟𝑖 ) ∥ 𝐷𝑖 ) ⨁ 𝑅𝑖′ and
B. Resistance against Replay Attack 𝐸3 = (𝑟𝑖 ∥ 𝑟𝑖 ) ⨁ 𝑅𝑖+1 is not practical for an adversary with
In replay attacks the adversaries use the outdated polynomial time computational power.
information which was used in former communications for
D. Resistance against physical attack
future communications. However, as in our scheme there is
always a time stamp existed in every one of the verifiers In analyzing the physical attacks only 𝑁𝑉𝑀 (non volatile
𝑉1 , 𝑉2 , 𝑉3 , 𝑉4 the attack will not be possible. Besides that, the memory) are assumed to be vulnerable by an adversary. That
key is randomly created by a PUF function and is changing means, volatile memory which is used for storing secret
in each communication; hence, the probability that the intermediary values meanwhile of the communication and
former information could become valid again is negligible. will be wiped out after the communication is finished is not
accessible by an adversary. Furthermore, it is considered that
C. Resistance against Message Analysis Attack 𝑁𝐺 is not vulnerable to the physical attack and only the 𝑆𝑀s
This attack concerns the confidentiality of messages can be captured by the adversary. However, as mentioned
meaning that adversaries try to decrypt the communicated before, as in our scheme the keys are generated through
packets to obtain the plaintext. Furthermore, as in our performing PUF operations, there is no need for 𝑆𝑀s to store
scheme the hash functions are considered one way collision any secret values and they can be recomputed by operating
free functions, hashed values are not vulnerable to this threat. the PUF again. The only value which is stored in 𝑆𝑀 's
Hence, only 𝐸1 , 𝐸2 and E3 are subjects to this attack. As seen memory is the random number 𝑟𝑠𝑖+1 . Hence, by physically
 TABLE II
SECURITY AND PERFORMANCE FEATURES OF THE PROPOSED SCHEME IN COMPARISON WITH THE OTHER METHODS

reports transmission details

Presenting key generation
Two-way communication

Physical attack resistance

Real-time authentication

Replay attack resistance

True random source of

Presenting daily usage

Mutual authentication

DoS attack resistance

cryptographic key

cryptographic key
Confidentiality

One-time pad
details
Uludag et al.’s scheme [7] Yes No No No Yes No No No No No No
Fouda et al.’s scheme [8] Yes No No No Yes No No No No No No
Mahmood et al.’s scheme [9] Yes No No No Yes No No No No No Yes
Li et al.’s scheme [10] Yes No No No Yes No No No No No Yes
Liu et al.’s scheme [11] Yes No No No Yes No No No No No Yes
Mood et al.’s scheme [12] Yes Yes No Yes Yes Yes No No No No Yes
Mustapa et al. [13] No No Yes No Yes No Yes Yes Yes Yes No
Ameri et al. [14] No No Yes No Yes Yes Yes Yes No Yes No
Gope et al. [15] No No Yes No Yes No Yes Yes Yes Yes No
Proposed scheme Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes

attacking 𝑆𝑀𝑗 an adversary only has access to 𝑟𝑠𝑖 = F. Outlook to Formal Proof
ℎ(𝑟𝑖 , 𝑟𝑠𝑖 ) which is only used for preventing DoS attack and Up to this point, we analyzed the security of our
cannot achieve any information from it. proposed protocol against all of the possible attacks and
E. Resistance against DoS Attack showed that the scheme does not expose any security flaws.
Besides that, the authors believe that they can prove the
The goal of adversaries in this attack is to shut down the security of the scheme in two parts: one regards the
network by overloading it. In this attack, the adversaries do randomness of the communication key and the other one
not intend to send purposeful messages and try to legitimize concerns the security of the scheme. Table II shows the
them, they just want to force the parties involved in the security and performance features of the proposed scheme in
protocol to use extra computations. In other words, their goal comparison with the other methods.
is to make the involved parties of the protocol busy so that
they miss to receive the authentic messages sent from the As for the first part, the goal is to prove that the shared
trusted party. Similarly as our protocol is two way, DoS communication key 𝑅𝑖′ is indeed a random number which
attack can be performed on both sides. However, because of means that an adversary cannot distinguish between 𝑅𝑖′ and a
1
the high computation power of 𝑁𝐺 the DoS attack on its side pseudorandom number like 𝑟 with probability more than +
2
is infeasible so only the attack on 𝑆𝑀 is considered. The 𝑛𝑒𝑔𝑙. For this matter, we use a game in which an adversary
attack on 𝑆𝑀's side itself can be done at two occasions first queries a message from a random oracle, the oracle flips a
𝑗
when 𝑁𝐺 sends the packet {𝐶𝑖 , 𝑉1 , 𝑇𝑆} to 𝑆𝑀𝑗 and second coin and sends 𝑅𝑖′ or a pseudorandom number based on
𝑗
when it sends {𝐸1 , 𝐶𝑖+1 , 𝑉3 , 𝑇𝑆} to 𝑆𝑀𝑗 . which side of the coin occurred. Now, the adversary must
guess whether the output is a pseudorandom number created
As for the first scenario, the adversary sends bogus by the oracle or it is 𝑅𝑖′ . However, due to the fact that PUFs
𝑗
messages like {𝑋, 𝑌, 𝑍} in form of {𝐶𝑖 , 𝑉1 , 𝑇𝑆} to the 𝑆𝑀𝑗 . are true random generators and because in our scheme 𝑅𝑖′ =
However, as the first thing 𝑆𝑀𝑗 does is to verify 𝑉1 = 𝑃𝑈𝐹(𝐶𝑖 ) is the output of a PUF operation and is used
𝑗
ℎ(𝑟𝑠𝑖 , 𝐼𝐷 𝑗 , 𝐶𝑖 , 𝑇𝑆𝑗 ) by computing one hash function the directly as the communication key without alteration, no
packet will be discarded immediately. Needless to say, the adversary with polynomial computational power can
probability that the random tuple {𝑋, 𝑌, 𝑍} passes the distinguish between a pseudorandom number and 𝑅𝑖′ with
verification process is negligible due to the confidentiality of probability more than pure guess.
𝑟𝑠𝑖 existing in 𝑉1 . For the second part, we aim to prove that the scheme is
For the second scenario the adversary sends the random secure against chosen receiver and message attacks. The
𝑗 game introduced in this part is that the adversary choses a
tuple {𝑊, 𝑋, 𝑌, 𝑍} instead of {𝐸𝑟 , 𝐶𝑖+1 , 𝑉3 , 𝑇𝑆} to the random receiver and as many as arbitrary messages it wants.
corresponding 𝑆𝑀𝑗 . In this case, 𝑆𝑀𝑗 first decrypts 𝐸1 and Then, the adversary sends the messages to an oracle and
obtains 𝑚𝑖 and 𝑟𝑖 and then, verifies 𝑉3 . As a result, for obtains the packets corresponding to those messages, which
similar reasons mentioned before, the packet {𝑊, 𝑋, 𝑌, 𝑍} were supposed to be sent to the chosen receiver. Now, the
will be discarded after computing one XOR operation and adversary is successful should it be able to use those received
one hash function computation. In both cases, the extra packets to forge a new packet regarding to its specific
forced calculations are insignificant compare to 𝑆𝑀 's particular message in such a way that it would pass the
computational power that means DoS attack is not practical verification process. Nonetheless, because of the one-way
in our scheme. property of the hash functions and one time usage of the
 Communication Overhead (Byte)
TABLE III
Authentication EXECUTION TIME OF CRYPTOGRAPHIC OPERATIONS ON A SINGLE CORE 798
150 MHZ CPU AND 256 MB OF RAM
Data Transmission
Cryptographic Operation Execution Time

100 SHA-256 Hash Function 26 𝜇𝑠

Pseudo Random Number Generation 114 𝜇𝑠
BCH Encoding Algorithm 1.17 𝑚𝑠
50 BCH Decoding Algorithm 3.28 𝑚𝑠
128-bit Arbiter PUF 120 𝜇𝑠

0
Scheme [14] Scheme [15]
Fig. 3. Communication overhead comparison in terms of authentication
and data transmission for each protocol execution.
communication key, it can be proved that the probability of
success for an adversary with polynomial time computational
power is negligible hence, the attack is not practical.
IV. COMPARATIVE PERFORMANCE EVALUATION
The performance evaluation of the proposed protocol is
analyzed in this section in terms of communication overhead
and computational cost. Since there is no details presented in
[13], we only compare our scheme with the schemes
presented in [14], [15].
A. Communication Overhead
Unlike methods [14],[15], our proposed scheme presents
the key agreement and data transmission phases,
simultaneously. Therefore, in order to have a comprehensive
performance comparison, we divide the communication
overhead of our protocol into two parts: authentication and
data transmission phases.
The total communication overhead of our scheme
includes the maximum size of messages, which are
𝑗 𝑆𝑀𝑗 needs to execute 480 one-way hash functions, 96 BCH
communicated between 𝑆𝑀 and 𝑁𝐺 i. e., |𝐸1 , 𝐶𝑖+1 , 𝑉3 , 𝑇𝑆| +
|𝐸2 , 𝐸3 , 𝑉4 , 𝑇𝑆| that 𝐸1 , 𝐸2 , and 𝐸3 are considered as the data
transmission messages. Therefore, the communication
overhead of the authentication phase is ((3 × 256) +
64) b = 104 𝐵, and the communication overhead of the data
transmission phase is (3 × 256) b = 96 𝐵. Fig. 3 shows the
total communication overhead comparison between our
scheme and the proposed schemes in [14],[15] in both parts
of authentication and data transmission phases for one
protocol execution. According to this figure, although our
proposed scheme includes two-way communication, it still
has a reasonable communication cost.
B. Computational Cost
We assumed 𝑆𝑀 s as constrained-resource electronic
devices in this paper while 𝑁𝐺 is a server with a powerful
computation capacity. Therefore, only the computational cost
on 𝑆𝑀 side is considered. Nonetheless, our proposed
protocol imposes a reasonable computational cost in the 𝑁𝐺
side. For simulating the cryptographic operations on 𝑆𝑀, we
use the advantage of JCE library [16] on a single core 798
MHz CPU and 256 MB of RAM that is not very different
from a real-life smart meter [17]. To measure the
computation cost of a PUF operation, we use the
implementation result of [18] for a 128-bit arbiter PUF on an
Ours
TABLE IV
DAILY COMPUTATIONAL COST FOR TIME INTERVAL OF FIFTEEN MINUTES
Cost [14] [15] Ours
𝑇ℎ 576 672 480
𝑇𝑅𝑁𝐺  96 
𝑇𝐸𝑛𝑐𝑜𝑑𝑒   96
𝑇𝐷𝑒𝑐𝑜𝑑𝑒 96 96 
𝑇𝑃𝑈𝐹 96 192 192
Total (ms) 352.896 389.376 170.88
MSP430 micro-controller machine with the same CPU (798
MHz). Furthermore, for correcting the PUF response errors,
the BCH encoding and decoding algorithms are used in the
code-offset mechanism [19]. The execution time of the
different cryptographic primitives is shown in Table III.
Table IV shows the daily usage of encryption operators
by each scheme for the time interval of fifteen minutes,
which 𝑇ℎ , 𝑇𝑅𝑁𝐺 , 𝑇𝐸𝑛𝑐𝑜𝑑𝑒 , 𝑇𝐷𝑒𝑐𝑜𝑑𝑒 , and 𝑇𝑃𝑈𝐹 represent the
execution time of one-way hash function, pseudo-random
number generation, BCH encoding, BCH decoding, and 128-
bit PUF- based key generation, respectively. In our scheme,
encoding algorithms, and 192 128-bit Arbiter PUF.
Therefore, its total daily computational cost is (480 ×
0.026) + (96 × 1.17) + (192 × 0.24) ≈ 170.88 ms . The
results in Table IV show that our scheme significantly
improves computational cost (about twice faster than the best
previous method) even though it consists of both key
agreement (authentication) and data transmission phases.
Fig. 4 shows that our scheme has the lowest computational
cost for the time intervals from one to fifteen minutes.
Generally, the presented results in this section show that
our proposed scheme has the best performance in
computational cost, and reasonable performance in
communication overhead. However, the moderate
performance of communication cost is due to the adding
two-way communication in this paper along with the
authentication phase, while the schemes presented in
[14],[15] only address the mutual authentication. As a final
word, by implementing the proposed protocol, 𝑆𝑀 and 𝑁𝐺
can communicate and authenticate each other with a single
protocol runtime in a very short timeframe. As a result, this
scheme provides real-time authentication alongside the two-
way communication and mutual authentication. Still, our
proposed scheme has far better security features than other
schemes according to Table II.

Scheme [14]
Computational cost (second)
5
Scheme [15]
Proposed scheme
4 on Industry Applications, vol. 55, no. 5, pp. 4462-4473, 2019.
3 in Transmission Protection Systems,” IEEE Transaction on Industry
2 Scheme for Smart Grid Communications,” IEEE Transactions on
1 [8]
0 2016.
0 5 10 15
Time interval (minute)
Fig. 4. Daily computational cost for different time intervals from one to
fifteen minutes.
V. CONCLUSION
In this paper, the authors have proposed a novel two-way
physically secure signcryption protocol for smart grid NAN
communications based on reliable PUFs. The use of PUF
eliminates the need for storing secret values, thus, secures the
scheme against physical threats, which is one of the most
important necessity of smart grid applications. However, as
the real PUFs are not ideal and can have errors, using an
error correcting method is necessary. Because of the
significant computational complexity of decoding
algorithms, our proposed protocol is designed in such a way
that 𝑆𝑀s only need to encode the PUF responses. By doing
that, the overall computational cost of our scheme has been
dramatically decreased. Furthermore, our protocol enables
some important security features alongside the lightweight
design, which can make it as a practical candidate scheme for
future smart grid 𝑁𝐴𝑁 communications.
REFERENCES
[1] Y. Kabalci “A Survey on Smart Metering and Smart Grid
Communication,” Renewable and Sustainable Energy Reviews, vol.
57, pp. 302-318, 2016.
[2] J. Liu, Y. Xiao, and J. Gao, “Achieving Accountability in Smart
Grid,” IEEE Systems Journal, vol. 8, no. 2, pp. 493-508, 2014.
[3] W. L. Chin, W. Li, and H. H. Chen, “Energy Big Data Security
Threats in IoT-Based Smart Grid Communications,” IEEE
Communications Magazine, vol. 55, no. 10, pp. 70-75, 2017.
[4] M. Pérez-Jiménez, B. B. Sánchez, A. Migliorini, and R. Alcarria,
“Protecting Private Communications in Cyber-Physical Systems
through Physical Unclonable Functions,” Electronics, vol. 8, no. 4,
pp. 390, 2019.
[5] M. Babakmehr, et, al. “Compressive System Identification for
Multiple Line Outage Detection in Smart Grids,” IEEE Transaction
[6] A. Ahmed, et al., “Cyber Physical Security Analytics for Anomalies
Applications, vol. 55, no. 6, pp. 6313-6323, 2019.
[7] M. M. Fouda, et al., “A Lightweight Message Authentication
Smart Grid, vol. 2, no. 4, pp. 675–685, 2011.
K. Mahmood, et al., “A Lightweight Message Authentication
Scheme for Smart Grid Communications in Power Sector,”
Computers & Electrical Engineering, vol. 52, no. 10, pp. 114-124,
[9] S. Uludag, K. S. Lui, W. Ren, and K. Nahrstedt, “Secure and
Scalable Data Collection with Time Minimization in the Smart
Grid,” IEEE Transactions on Smart Grid, vol. 7, no. 1, pp. 43-54,
2016.
[10] H . Li, R. Lu, L. Zhou, B. Yang, and X. Shen, “An Efficient Merkle-
Tree Based Authentication Scheme for Smart Grid,” IEEE Systems
Journal, vol. 8, no. 2, pp. 655-663, 2014.
[11] Y. Liu, C. Cheng, T. Gu, T. Jiang, and X. Li, “A Lightweight
Authenticated Communication Scheme for Smart Grid,” IEEE
Sensors Journal, vol. 16, no. 3, pp. 836-842, 2016.
[12] D. Abbasinezhad-Mood and N. Nikooghadam, “An Ultra-
Lightweight and Secure Scheme for Communications of Smart
Meters and Neighborhood Gateways by Utilization of an ARM
Cortex-M Microcontroller,” IEEE Transactions on Smart Grid, vol.
9, no. 6, pp. 6194-6205, 2018.
[13] M. Mustapa et al., “Hardware-Oriented Authentication for Advanced
Metering Infrastructure,” IEEE Transactions on Smart Grid, vol. 9,
no. 2, pp. 1261-1270, 2016.
[14] M. H. Ameri, M. Delavar, and J. Mohajeri, “Provably Secure and
Efficient PUF-Based Broadcast Authentication Schemes for Smart
Grid Applications,” International Journal of Communication
Systems, vol. 32, no. 8, e3935, 2019.
[15] P. Gope and B. Sikdar, “Privacy-Aware Authenticated Key
Agreement Scheme for Secure Smart Grid Communication,” IEEE
Transactions on Smart Grid, vol. 10, no. 4, pp. 3953-3962, 2018.
[16] Oracle Technology Network. Java Cryptography Architecture (JCA).
http://docs.oracle.com/javase/6/docs/technotes/
guides/crypto/CrypoSpec.html
[17] Atmel’s family of smart power meters.
https://www.microchip.com/design-centers/smart-energy-
products/metering.
[18] C. Herder, M. D. Yu, F. Koushanfar and S. Devadas, “Physical
Unclonable Functions and Applications: A Tutorial,”In Proceedings
of the IEEE, vol. 102, no. 8, pp. 1126-1141, Aug. 2014.
[19] Y. Dodis et al., “Fuzzy extractors: How to generate strong keys from
from biometrics and other noise data. SIAM J. Compt. vol. 38, no. 1,
pp. 97-139, 2008.