A Provably Secure Anonymous Authentication Protocol for Consumer and Service Provider Information Transmissions in Smart Grids

Abstract

Smart grids integrate information technology, decision support systems, communication networks, and sensing technologies. All these components cooperate to facilitate dynamic power adjustments based on received client consumption reports. Although this brings forth energy efficiency, the transmission of sensitive data over the public internet exposes these networks to numerous attacks. To this end, numerous security solutions have been presented recently. Most of these techniques deploy conventional cryptographic systems such as public key infrastructure, blockchains, and physically unclonable functions that have either performance or security issues. In this paper, a fairly efficient authentication scheme is developed and analyzed. Its formal security analysis is carried out using the Burrows–Abadi–Needham (BAN) logic, which shows that the session key negotiated is provably secure. We also execute a semantic security analysis of this protocol to demonstrate that it can resist typical smart grid attacks such as privileged insider, guessing, eavesdropping, and ephemeral secret leakages. Moreover, it has the lowest amount of computation costs and relatively lower communication overheads as well as storage costs.

1. Introduction

Smart grid (SG) networks incorporate information technology and energy grid so as to manage energy consumptions efficiently. This is normally accomplished by offering bi-directional communication for data exchanges between consumers and power producers [1]. In addition, an SG integrates intelligent sensing, contemporary communication networks, and novel systems that support decision making in conventional grid systems. These technologies enable the effectual distribution of power from the generating stations to the consumer terminals. As explained in [2], SG bi-directional communication is achieved through Advanced Metering Infrastructure (AMI). A typical AMI comprises concentrators, smart meters, and measurement data management systems. On the other hand, a typical SG is made up of control, sensing, and communication systems and actuators [3]. Whereas smart meters (SMs) perform sensing and communication, actuation and control are executed by service providers (SPs). Therefore, SMs are located at consumer premises, where they accurately measure power consumption and transmit these data over to the SP servers. Through effective real-time processing and analyses of consumer data, the generation and distribution of power is dynamically fine-tuned in accordance with user demands. This helps in enhancing the reliability of the power grid system [4].

In spite of the benefits discussed above, the public internet is utilized for the data exchange between the SMs and the SPs [5]. As such, the SG is exposed to security and privacy threats such as eavesdropping, forgery, denial of service (DoS), tampering, and ephemeral secret leakage (EPSL) [6,7]. In addition, the misuse of consumer power consumption reports can lead to privacy leaks. By sending forged and inaccurate data, the SG network can incur additional loads [8]. All these challenges can disrupt the communication process, leading to the degradation of the SG system’s performance [9]. As such, security violations and privacy leakages are major issues during smart grid design [10]. This can be attained by perfect data encryption, mutual authentication, as well as session key establishment. In addition, Authenticated Key Exchange (AKE) is crucial for the protection of transmitted data against tampering and interception [6].

The above concerns necessitate the designing of robust, privacy-preserving, secure, and lightweight protocols to safeguard the data exchanged among legitimate SG participants. Since an SG comprises numerous SMs, each SM must be authenticated prior to information exchange. This will help curb threats exampled by impersonation, SM capture, Man-in-the-Middle (MitM), packet replays, de-synchronization, and privileged insider [7]. Upon an effectual mutual authentication process, a common session key should be created between the SM and the SPs to encipher the exchanged data. In addition, data integrity should be upheld, while preventing non-repudiation and side-channeling through a power analysis [11]. Another major concern in an SG network is the limited capabilities of smart meters in terms of communication, energy, and computation. This puts some limitations on the implementation of conventional cryptographic techniques in SG networks. Therefore, ideal SG security approaches should strive to be lightweight in addition to fulfilling numerous security requirements.

1.1. Motivation

It has been shown that a myriad of protocols have been introduced in the smart grid network to preserve its security posture. However, these solutions are based on conventional cryptographic systems such blockchain, public key infrastructure, PUF, and bilinear pairings. All these techniques have many security, performance, or privacy issues and, hence, are not suitable for resource-incapacitated SG devices such as SMs. Attacks such as de-synchronization, impersonation, privacy leaks, replays, and DoS must be prevented, as they adversely interfere with the reliability of smart grids. As such, there is a need for an effective, efficient, and robust security scheme for SGs.

1.2. Threat Model

In this section, we model attacks against our scheme using the most popular Dolev–Yao (DY) and Canetti–Krawczyk models. In these threat models, attacker Ä is capable of the following actions, compromising the private keys belonging to smart meters and service providers:

• Modifying and deleting the contents of intercepted messages;
• Generating and forwarding bogus messages to unsuspecting entities;
• Physically capturing and compromising network entities such as smart meters;
• Retrieving sensitive security tokens stored in the smart meter’s memory;
• Deploying extracted smart meter memory content to execute attacks;
• Intercepting derived session keys and other session state parameters.

1.3. Security Requirements

In the face of numerous security threats and privacy leaks, an ideal authentication scheme for smart grid networks should fulfill the following requirements:

Mutual authentication: The identities of all the communicating parties should be reciprocally verified prior to exchanging any network data.

Key agreement: To preserve confidentiality and the integrity of the communication process, a session key should be set up to encrypt all exchanged messages.

Anonymity and untraceability: An attacker should be incapable of discerning the real identity of the communicating entities based on any captured network messages. Additionally, the attacker should be incapable of tracing the communicating parties using these intercepted messages.

Key security: The captured current session key should not facilitate the derivation of past and subsequent session keys.

Formal verification: The derived session key should be mathematically sound.

Resilience against: To offer sufficient security, an ideal authentication protocol needs to withstand attacks such as EPSL, de-synchronization, DoS, eavesdropping, privileged insider, guessing, spoofing, Known Session-Secret Temporary Information (KSSTI), ephemeral secret leakage, physical capture, impersonation, replay, MitM, and forgery.

1.4. Contributions

To address the security, performance, and privacy challenges discussed above, we make the following contributions in our paper.

• We deploy shared keys and pseudo-identities to encipher the communication channel so as to enhance security and privacy preservation.
• To protect against MitM and replay attacks, each entity computes the session keys for traffic protection.
• We deploy BAN logic for the revelation of the probably secure nature of the negotiated session key.

An extensive comparative analysis shows that our protocol withstands the largest number of attacks. In addition, it incurs the lowest computation overheads and relatively lower storage and communication overheads.

The rest of this work is structured as follows: Section 2 discusses the related works in this domain, while our scheme is described in Section 3. On the other hand, Section 4 discusses the security analysis of this protocol, while Section 5 describes its evaluation in terms of performance. Finally, Section 6 presents the conclusions and gives some future research scopes.

2. Related Work

Smart grid security, privacy, and performance have attracted a lot of attention, leading to the introduction of many schemes. For instance, researchers in [10] have presented an identity-based technique, while the authors in [12,13] have developed elliptic curve cryptography (ECC)-based schemes. However, extensive ECC multiplication operations render the schemes in [12,13] inefficient [14]. Therefore, they are not ideal for deployment in computation-limited smart grid components. On the other hand, PUF-based schemes are developed in [15,16,17,18]. Although the protocol in [15] withstands modeling attacks, protocols based on PUF have stability issues [19]. In addition, the scheme in [18] offers smart meter physical security but is still vulnerable to EPSL attacks and cannot provide backward key secrecy [17]. To offer smart meter anonymity, a secure scheme is presented in [20]. However, this scheme fails to mutually authenticate the network entities and is prone to DoS attacks [21]. Although the scheme in [22] is anonymity-preserving, it cannot withstand ephemeral secret and session key leakage attacks [23]. In addition, its bilinear pairing operations result in extensive computation overheads [24], similar to the protocols in [23,25].

To reduce the computation overheads associated with bilinear pairings, a scheme based on elliptic curve cryptography is developed in [26]. However, this technique cannot offer anonymity [1] and is defenseless against ephemeral secret leakage attacks [27]. Additionally, it incurs high computation overheads during the generation of security tokens at the Trusted Authority (TA) [1]. On the same breadth, the technique introduced in [28] fails to offer untraceability and identity protection [29]. To deal with these challenges, an anonymous authentication protocol is introduced in [30]. Although identity protection is assured, this technique incurs high computation costs [6]. To offer efficiency in smart grids, lightweight authentication schemes are developed in [1,6,29,31,32,33,34]. However, the schemes in [6,31,32] have not been evaluated against de-synchronization attacks. Similarly, the protocol in [29] has not been evaluated against spoofing and guessing attacks. Although the schemes in [1,33] are resilient against de-synchronization attacks, they have not been evaluated against spoofing attacks. On the other hand, the scheme in [34] cannot withstand de-synchronization attacks [29].

To address the anonymity issues in some of the protocols above, a password-based security technique is introduced in [35]. However, this protocol has incorrect login and authentication phases [36]. Although the scheme in [37,38] overcomes this challenge, it is defenseless against de-synchronization threats. In addition, it fails to provide formal security verification and revocability. On the other hand, the usage of some fixed messages in each session in [39,40] renders said session vulnerable to traceability attacks. The protocol in [41] solves this issue by updating this message for each session. However, the service provider needs to buffer previous data for each SM so as to withstand de-synchronization attacks. Consequently, it incurs heavy storage costs especially in networks with massive SMs.

To enhance security in wireless networks, quantum computing technology has been adopted. For instance, based on quantum information engineering, a technique for local energy distribution to numerous remote nodes is presented in [42], while a verification scheme applicable in a quantum channel is developed in [43]. On the other hand, a blind quantum-based protocol is presented in [44], while a zero-knowledge proof is developed in [45]. However, comparative performance analyses have not been carried out in [42,43,44,45]. As explained in [46], blockchain technology can ensure privacy and security devoid of an authorized third party. As such, a blockchain-based protocol is presented in [47]. Although blockchain technology provides traceability, improved security, and immutability, it raises serious issues regarding transparency and privacy [48]. In addition, the blockchain-based protocol in [47] lacks evaluation against threats such as privileged insider and physical capture. To avert the misuse and malicious manipulation of battery equipment and data, a robust security scheme is presented in [49]. Although this technique protects against counterfeiting and possible software backdoors, its comparative security and performance evaluations are missing.

Based on the above discussions, it is clear that many schemes have been developed to address security and privacy issues in the smart grid environment. However, most of them still have challenges in terms of privacy, performance, or security. There is, therefore, a need for the development of novel protocols that can help alleviate these challenges.

3. The Proposed Protocol

The network model of our protocol comprises a utility service provider (USP), a trusted control server (TC), and a smart meter (SM), as evidenced in Figure 1. The TCS executes system initialization and generates the secret values for the SM and the USP during the registration phase.

The SM measures electricity usage on the client end and transmits power consumption reports to the USP over public channels. At the USP, these reports are processed and analyzed to facilitate decision making, which may include dynamic power adjustments.

Table 1. Notations.

Symbol	Descriptions
TCS	Trusted control server
SMi	ith smart meter
USP	Utility service provider
KTCS	Master key of the TCS
IDTCS	Unique identifier of the TCS
IDSM	Unique identifier of the SMi
KSM	SMi’s private key
Ri	Random nonce i
PIDSM	SM’s pseudo-identity
KTSM	Shared key between TCS and SM
IDUSP	Unique identity of the USP
KUSP	USP’s private key
PIDUSP	USP’s pseudo-identity
KUT	Shared key between USP and TCS
SKSU	Session key between SMi and USP
h (.)	Hashing function
||	Concatenation operation
⊕	XOR operation

describes the symbols used throughout this paper.

Our scheme executes five major steps, which encompass system setup, entity registration, mutual authentication, key negotiation, and parameter refresh phases. Algorithm 1 summarizes this protocol, and the sub-sections that follow give the details of these phases.

Algorithm 1 Secure and efficient authentication

Begin

#*****************System setup phase ********************#

(1) Generate KTCS, IDTCS, IDSM & KSM

#*****************Registration phase ********************#

(2) Generate R1 & derive PIDSM, then $\stackrel{ Reg-1 }{\to }$TCS

(3) Generate R2 & compute KTSM

(4) Store{PIDSM, KTSM, R1}, publish PIDSM, then $\stackrel{ Reg-2 }{\to }$ SMi

(5) Calculate A1, A2 & store {A1, A2, PIDSM}

(6) Generate R3, select IDUSP & KUSP, then $\stackrel{ \mathrm{Reg}-3 }{\to }$ TCS

(7) Compute KUT & A3

(8) Store {PIDUSP, A3, KUT}, then $\stackrel{ Reg-4 }{\to }$ USP

(9) Calculate A4, A5, B1, B2 & B3

(10) Store {A5, B1, B2, B3}

#***************** Authentication and key negotiation phase ***************#

(11) Input {IDUSP, KUSP}, then compute R3, A4 & B1*

(12) If B1*!= B1 then:

(13)     Terminate session

(14) Else:

(15)     Generate R4, derive A3, KUT, B4, B5 & C1, then $\stackrel{ \mathrm{Auth}-1 }{\to }$ TCS

(16)      Retrive A3, KUT & derive (R4*||PIDSM*), C1*

(17)      If C1*!= C1 then:

(18)       Abort session

(19)      Else:

(20)        Generate R5 & Fetch KTSM, R1

(21)       Derive C2, C3, C4 & C5, then $\stackrel{ \mathrm{Auth}-2 }{\to }$ SMi

(22)        Calculate R1, KTSM, C2* & C5

(23)       If C5*!= C5 then:

(24)         Stop session

(25)       Else:

(26)         Generate R6, derive (h(IDUSP||R4)||h (IDTCS||R5)), SKSU, D1 & D2, then $\stackrel{ \mathrm{Auth}-3 }{\to }$ TCS

(27)         Derive h (IDSM||R6) & D2*

(28)         If D2*!= D2 then:

(29)           Abort session

(30)         Else:

(31)           Derive SKSU, PIDUSP*, A3*, D3 & D4

(32)          Store {PIDUSP, A3} with {PIDUSP*, A3*}, then $\stackrel{\mathrm{Auth}-4 }{\to }$ USP

(33)          Calculate PIDUSP*, $($h (IDTCS||R5)||h (IDSM||R6)||PIDUSP*) & D4*

(34)           If D4*!= D4 then:

(35)             Stop session

(36)           Else:

(37)              Compute SKSU, A3*, B2* & B3*

(38)              Substitute {B2, B3, PIDUSP} with {B2*, B3*, PIDUSP*}

(39)              Derive D5

(40)              If D5*!= D5 then:

(41)               Terminate session

(42)               Delete{PIDUSP, A3} from database

(43)             Endif; Endif;

(44)       Endif; Endif;

(45)    Endif;

End

3.1. System Setup

In this phase, the TCS selects its master key as K_TCS. This is followed by the generation of its unique identity ID_TCS, the smart meter’s unique identity ID_SM, as well as the private key of the smart meter, K_SM, as shown in Figure 2.

3.2. Registration

In this particular phase, the smart meters are registered at the TCS before they are deployed in the actual field. In addition, the USP is also registered at the TCS prior to exchanging data with the smart meters. The following sub-sections describe this phase in more detail.

3.2.1. Smart Meter Registration

The subsequent three procedures are executed to register the smart meter SM_i to the TCS. To accomplish this, secure communication channels are deployed.

Step 1: The SM_i chooses a random nonce R₁ to derive its pseudo-identity PID_SM = h (ID_SM||R₁). It then composes registration message Reg-1 = {PID_SM, R₁} that is forwarded to the TCS over secure communication media, as shown in Figure 2.

Step 2: When it receives message Reg-1, the TCS selects a random nonce R₂ that is deployed to compute the shared key K_TSM = h (PID_SM||R₁||R₂). Next, the TCS stores {PID_SM, K_TSM, R₁} in its repository. Next, registration message Reg-2 = {K_TSM} is constructed and forwarded to the SM_i, as evidenced in Figure 2. Afterwards, the TCS publishes PID_SM.

Step 3: Upon receiving the message Reg-2, the smart meter SM_i derives A₁ = R₁$\oplus$h (ID_SM||K_SM) and A₂ = K_TSM$\oplus$h (R₁||K_SM). Thereafter, it stores {A₁, A₂, PID_SM} in its memory.

3.2.2. Utility Service Provider Registration

To register to the TCS, the USP needs to execute the following three procedures.

Step 1: The USP chooses its real identity ID_USP and secret key K_USP. Next, it generates a random nonce R₃ that is used to calculate its pseudo-identity PID_USP = h (ID_USP||R₃). Thereafter, it constructs registration message Reg-3 = {PID_USP}, which is transmitted to the TCS, as depicted in Figure 2.

Step 2: After receiving registration message Reg-3, the TCS calculates shared key K_UT = h (PID_USP||K_TCS||R₂) and A₃ = h (PID_USP||K_UT). Next, it stores {PID_USP, A₃, K_UT} in its database. Finally, registration message Reg-4 = {K_UT, A₃} is composed and sent to the USP.

Step 3: Upon receiving message Reg-4, the USP derives A₄ = h (K_USP||R₃), A₅ = R₃$\oplus$h (ID_USP||K_USP), B₁ = h (ID_USP||K_USP||R₃||A₄), B₂ = A₃$\oplus$h (R₃||A₄), and B₃ = K_UT$\oplus$h (A₃||A₄). Next, it stores {A₅, B₁, B₂, B₃} in its database.

3.3. Authentication and Key Setup

To securely exchange power consumption reports and adjustment commands, the USP and SM_i must first mutually validate one another. This is followed by the establishment of a session key for message protection over the public internet. The subsequent nine steps are utilized to accomplish these two processes.

Step 1: The USP operator supplies parameter set {ID_USP, K_USP}, after which values R₃ = A₅$\oplus$h (ID_USP||K_USP), A₄ = h (K_USP||R₃), and B₁* = h (ID_USP||K_USP||R₃||A₄) are computed. Next, it confirms if B₁* ≟ B₁ in a manner such that the communication session is aborted if these two parameters are not identical. Otherwise, the USP randomly generates nonce R₄, which is used to derive A₃ = B₂$\oplus$h (R₃||A₄), K_UT = B₃$\oplus$ h (A₃||A₄), B₄ = h (PID_USP||A₃||K_UT)$\oplus$(R₄||PID_SM), B₅ = h (ID_USP||R₄)$\oplus$h (K_UT||R₄), and C₁ = h (PID_USP||A₃||R₄||PID_SM||K_UT). At the end, message Auth-1 = {PID_USP, B₄, B₅, C₁} is constructed and transmitted to the TCS, as shown in Figure 3.

Step 2: After receiving message Auth-1, TCS retrieves A₃ and K_UT corresponding to PID_USP and derives (R₄*||PID_SM*) = B₄$\oplus$h (PID_USP||A₃||K_UT) as well as C₁* = h (PID_USP||A₃||R₄*||PID_SM*||K_UT). Thereafter, the TCS validates if C₁* ≟ C₁ such that the communication session is halted when this check flops. If not, the TCS fetches K_TSM and R₁ corresponding to PID_SM.

Step 3: The TCS randomly generates number R₅, which is used to calculate C₂ = h (R₄||R₅), C₃ = h (PID_SM||K_TSM||R₁)$\oplus$C₂, h (ID_USP||R₄) = B₅$\oplus$h (K_UT||R₄), C₄ = (h (ID_USP||R₄)||h (ID_TCS||R₅))$\oplus$h (K_TSM||R₁), and C₅ = h (PID_USP||C₂||K_TSM). Finally, message Auth-2 = {PID_USP, C₃, C₄, C₅} is composed and passed over to the SM_i.

Step 4: After receiving Auth-2, SM_i computes R₁ = A₁$\oplus$h (ID_SM||K_SM), K_TSM = A₂$\oplus$h (R₁||K_SM), C₂* = h (PID_SM||K_TSM||R₁)$\oplus$C₃, and C₅ = h (PID_USP||C₂*||K_TSM). Next, it confirms whether C₅* ≟ C₅ such that the communication session is abandoned upon validation flop. Otherwise, it chooses a random nonce R₆ and calculates (h (ID_USP||R₄)||h (ID_TCS||R₅)) = C₄$\oplus$h (K_TSM||R₁).

Step 5: The SM_i derives session key SK_SU = h (h (ID_USP||R₄)||h (ID_TCS||R₅)||h (ID_SM||R₆), D₁ = h (PID_SM||K_TSM||R₁)$\oplus$ h (ID_SM||R₆), and D₂ = h (PID_USP||PID_SM||C₂*||h (ID_SM||R₆)||K_TSM). Next, message Auth-3 = {D₁, D₂} is constructed and forwarded to the TCS.

Step 6: Upon receiving message Auth-3, the TCS calculates h (ID_SM||R₆) = D₁$\oplus$h (PID_SM||K_TSM||R₁) and D₂* = h (PID_USP||PID_SM||C₂||h (ID_SM||R₆)||K_TSM). Next, it checks if D₂* ≟ D₂ so that the authentication process is terminated upon verification failure. Otherwise, it computes session key SK_SU = h (h (ID_USP||R₄)||h (ID_TCS||R₅)||h (ID_SM||R₆), new pseudo-identity PID_USP* = h (PID_USP||R₄), A₃* = h (PID_USP*||K_UT), D₃ = h (A₃||R₄)$\oplus ($h (ID_TCS||R₅)||h (ID_SM||R₆)||PID_USP*), and D₄ = h (PID_USP||R₄||h (ID_TCS||R₅)||h (ID_SM||R₆)||PID_USP*||K_UT). The TCS stores {PID_USP, A₃} with {PID_USP*, A₃*} in its database. At the end, authentication message Auth-4 = {D₃, D₄} is composed and sent over to the USP.

Step 7: Upon receiving Auth-4, the USP derives PID_USP* = h (PID_USP||R₄), $($h (ID_TCS||R₅)||h (ID_SM||R₆)||PID_USP*) = D₃$\oplus$h (A₃||R₄), and D₄* = h (PID_USP||R₄||h (ID_TCS||R₅)||h (ID_SM||R₆)||PID_USP*||K_UT). It then confirms if D₄* ≟ D₄ such that the authentication is aborted when the verification flops. Otherwise, it derives session key SK_SU = h (h (ID_USP||R₄)||h (ID_TCS||R₅)||h (ID_SM||R₆).

Step 8: The USP derives parameters A₃* = h (PID_USP*||K_UT), B₂* = A₃*$\oplus$h (R₃||A₄), and B₃* = K_UT$\oplus$h (A₃*||A₄). Next, it replaces {B₂, B₃, PID_USP} with {B₂*, B₃*, PID_USP*} in its database. Finally, it derives D₅ = h (SK_SU||PID_USP*) and transmits it towards the TCS for the subsequent session.

Step 9: After receiving D₅, the TCS recomputes D₅* = h (SK_SU||PID_USP*). Next, it confirms if D₅*≟ D₅ such that it terminates the session when this validation fails. Otherwise, it deletes parameter set {PID_USP, A₃} from its database.

3.4. Parameter Update

In this phase, the USP’s private key KUSP is updated using the following two steps.

Step 1: The operator supplies their unique identity ID_USP as well old secret key K_USP^Old. This is followed by the derivation of parameter R₃ = A₅$\oplus$h (ID_USP||K_USP^Old), A₄ = h (K_USP^Old||R₃), and B₁* = h (ID_USP||K_USP^Old||R₃||A₄). The USP checks if B₁* ≟ B₁ such that this authentication is halted when this check fails. Otherwise, the operator is prompted to input the new secret key K_USP^New.

Step 2: The USP derives A₃ = B₂$\oplus$h (R₃||A₄), K_UT = B₃$\oplus$h (A₃||A₄), A₄^New = h (K_USP^New||R₃), A₅^New = R₃$\oplus$h (ID_USP||K_USP^New), B₁^New = h (ID_USP||K_USP^New||R₃||A₄^New), B₂^New = A₃$\oplus$h (R₃||A₄^New), and B₃^New = K_UT$\oplus$h (A₃||A₄^New). Lastly, it replaces parameter set {A₅, B₁, B₂, B₃} with its refreshed equivalents {A₅^New, B₁^New, B₂^New, B₃^New}.

4. Security Analysis

In most of the authentication protocols, both formal and informal security analyses are carried out. As such, we present these analyses in this section and provide further details in the sub-sections that follow.

4.1. Formal Security Analysis

To accomplish this analysis, BAN logic is deployed to show that USP and SM_i authenticate each other based on fresh and reliable data. Essentially, this involves the verification of the origin, freshness, and legitimacy of the exchanged messages. The notations in

Table 2. BAN logic notations.

Notation	Details
R	Secret key
A$|\equiv$X	Entity A believes statement X
A| ~ X	Entity A once said statement X
<X>M	X is combined with M
A$⊲X$	Entity A sees statement X
$A\Rightarrow X$	Entity A has jurisdiction over X
# (X)	Message X is fresh
(X)R	Message X is hashed using key R
(X, M)	X or M is part of formula (X, M)
$A\stackrel{ R }{\leftrightarrow }B$	Entities A and B share secret key R
{X}R	Message X is enciphered using key R
$\mathrm{A}\begin{array}{c} R \\ \rightleftharpoons \end{array}$ B	R is only known to A and B

are used throughout this formal analysis.

The BAN logic postulates are described using a number of rules that are detailed in

Table 3. BAN logic rules.

Rule	Details
$\frac{A|\equiv \mathrm{A}\stackrel{R}{\leftrightarrow }\mathrm{B},\mathrm{A}⊲{\left\{\mathrm{X}\right\}}_R}{A|\equiv B|~X}$	Message Meaning Rule (MMR)
$\frac{A|\equiv \#\left(X\right),A|\equiv B|~X}{A|\equiv B|\equiv X}$	Nonce Verification Rule (NVR)
$\frac{A|\equiv B|\equiv \left(X,M\right)}{A|\equiv B|\equiv X}$	Believe Rule (BR)
$\frac{A|\equiv B\Rightarrow X,A|\equiv B|\equiv X}{A|\equiv X}$	Jurisdiction Rule (JR)
$\frac{A|\equiv \#\left(X\right)}{A|\equiv \#\left(X,M\right)}$	Freshness rule (FR)

below.

Next, we lay bare that our protocol offers protected mutual validation between the SM_i and the USP. In our protocol, four messages are exchanged during the processes of entity verification and session key setup. These particular messages are idealized as follows:

Auth-1. USP → TCS: {PID_USP, B₄, B₅, C₁}

Idealized form: (PID_USP, A₃, R₄${)}_{K_{UT}}$

Auth-2. TCS→ SM_i: {PID_USP, C₃, C₄, C₅}

Idealized form: (PID_USP, h (ID_USP||R₄), h (ID_TCS||R₅), PID_SM, R₁${)}_{K_{\mathrm{TSM}}}$

Auth-3. SM_i →TCS: {D₁, D₂}

Idealized form: (PID_USP, PID_SM, h (ID_USP||R₄), h (ID_SM||R₆)${)}_{K_{\mathrm{TSM}}}$

Auth-4. TCS → USP: {D₃, D₄}

Idealized form: (A₃, h (ID_USP||R₄), h (ID_TCS||R₅), h (ID_SM||R₆)${)}_{K_{\mathrm{UT}}}$

Using the BAN logic analytic procedures, our scheme should uphold the four security goals (GLs) below.

GL₁: USP$|\equiv$($\mathrm{USP}\stackrel{ S{K}_{SU} }{\leftrightarrow }\mathrm{SM}$)

GL₂: USP| ≡ SM$|\equiv$($\mathrm{USP}\stackrel{ S{K}_{SU} }{\leftrightarrow }\mathrm{SM}$)

GL₃: SM$|\equiv$($\mathrm{USP}\stackrel{ S{K}_{SU} }{\leftrightarrow }\mathrm{SM}$)

GL₄: SM| ≡ USP$|\equiv$($\mathrm{USP}\stackrel{ S{K}_{SU} }{\leftrightarrow }\mathrm{SM}$)

To ensure that the BAN logic analysis of our scheme is successfully executed, a number of initial state assumptions (AS_i) are made as follows.

AS₁: TCS$| \equiv$($\mathrm{USP}\stackrel{ S{K}_{SU} }{\leftrightarrow }\mathrm{TCS}$)

AS₂: TCS$| \equiv$# (R₄)

AS₃: SM$| \equiv$($\mathrm{TCS}\stackrel{ K_{\mathrm{TSM}} }{\leftrightarrow }\mathrm{SM}$)

AS₄: SM$| \equiv$# (R₅)

AS₅: TCS$| \equiv$($\mathrm{TCS}\stackrel{ K_{\mathrm{TSM}} }{\leftrightarrow }\mathrm{SM}$)

AS₆: TCS$| \equiv$# (R₆)

AS₇: USP$|\equiv$($\mathrm{USP}\stackrel{ K_{\mathrm{UT}} }{\leftrightarrow }\mathrm{TCS}$)

AS₈: USP$|\equiv$# (R₅)

AS₉: USP| ≡ TCS$|\Rightarrow$ (USP$\begin{array}{c} h(I{D}_{\mathrm{TCS}}||R_5)||h(I{D}_{\mathrm{SM}}||R_6) \\ \rightleftharpoons \end{array}$SM)

AS₁₀: SM| ≡ TCS$|\Rightarrow$ (USP$\begin{array}{c} h(I{D}_{\mathrm{USP}}||R_4)||h(I{D}_{\mathrm{TCS}}||R_5) \\ \rightleftharpoons \end{array}$SM)

AS₁₁: USP| ≡ SM$|\Rightarrow$($\mathrm{USP}\stackrel{ S{K}_{SU} }{\leftrightarrow }\mathrm{SM}$)

AS₁₂: SM| ≡ USP$|\Rightarrow$($\mathrm{USP}\stackrel{ S{K}_{SU} }{\leftrightarrow }\mathrm{SM}$)

Based on message Auth-1, we obtain B_L1.

B_L1: TCS $⊲$ (PID_USP, A₃, R₄${)}_{K_{UT}}$

Deploying B_L1 and AS₁ with MMR, B_L2 is obtained.

B_L2: TCS| ≡ USP|$~$(PID_USP, A₃, R₄${)}_{K_{UT}}$

Applying FR to B_L2 and AS₂ yields B_L3.

B_L3: TCS| ≡ # (PID_USP, A₃, R₄${)}_{K_{UT}}$

Using NVR on both B_L2 and B_L3, we obtain B_L4.

B_L4: TCS| ≡ USP$|\equiv$(PID_USP, A₃, R₄${)}_{K_{UT}}$

From message Auth-2, we can obtain B_L5.

B_L5: SM $⊲$ (PID_USP, h (ID_USP||R₄), h (ID_TCS||R₅), PID_SM, R₁${)}_{K_{\mathrm{TSM}}}$

The application of MMR on both B_L5 and AS₃ results in B_L6.

B_L6: SM| ≡ TCS |$~$(PID_USP, h (ID_USP||R₄), h (ID_TCS||R₅), PID_SM, R₁${)}_{K_{\mathrm{TSM}}}$

To obtain B_L7, FR is used on B_L6 and AS₄.

B_L7: SM| ≡ # (PID_USP, h (ID_USP||R₄), h (ID_TCS||R₅), PID_SM, R₁${)}_{K_{\mathrm{TSM}}}$

On the other hand, NVR is applied to both B_L6 and B_L7 to obtain B_L8.

B_L8: SM| ≡ TCS$|\equiv$(PID_USP, h (ID_USP||R₄), h (ID_TCS||R₅), PID_SM, R₁${)}_{K_{\mathrm{TSM}}}$

Based on message Auth-3, we can obtain B_L9.

B_L9: TCS $⊲$ (PID_USP, PID_SM, h (ID_USP||R₄), h (ID_SM||R₆)${)}_{K_{\mathrm{TSM}}}$

Applying MMR on B_L9 and AS₅ yields B_L10.

B_L10: TCS| ≡ SM |$~$ (PID_USP, PID_SM, h (ID_USP||R₄), h (ID_SM||R₆)${)}_{K_{\mathrm{TSM}}}$

Using FR on B_L10 and AS₆ results in B_L11.

B_L11: TCS| ≡ # (PID_USP, PID_SM, h (ID_USP||R₄), h (ID_SM||R₆)${)}_{K_{\mathrm{TSM}}}$

On the other hand, NVR is used on both BL₁₀ and B_L11 to obtain B_L12.

B_L12: TCS| ≡ SM$|\equiv$(PID_USP, PID_SM, h (ID_USP||R₄), h (ID_SM||R₆)${)}_{K_{\mathrm{TSM}}}$

From message Auth-4, we can obtain B_L13.

B_L13: USP $⊲$ (A₃, h (ID_USP||R₄), h (ID_TCS||R₅), h (ID_SM||R₆)${)}_{K_{\mathrm{UT}}}$

The application of MMR on B_L13 and AS₇ yields B_L14.

B_L14: USP| ≡ TCS |$~$ (A₃, h (ID_USP||R₄), h (ID_TCS||R₅), h (ID_SM||R₆)${)}_{K_{\mathrm{UT}}}$

To obtain B_L15, FR is used in both B_L14 and AS₈.

B_L15: USP| ≡ # (A₃, h (ID_USP||R₄), h (ID_TCS||R₅), h (ID_SM||R₆)${)}_{K_{\mathrm{UT}}}$

However, using NVR on B_L14 and B_L15 yields B_L16.

B_L16: USP| ≡ TCS$|\equiv$ (A₃, h (ID_USP||R₄), h (ID_TCS||R₅), h (ID_SM||R₆)${)}_{K_{\mathrm{UT}}}$

Since the session key is SK_SU = h (h (ID_USP||R₄)||h (ID_TCS||R₅)||h (ID_SM||R₆), B_L17 can be obtained from B_L12, B_L16, and AS₉.

B_L17: USP| ≡ SM$|\equiv$($\mathrm{USP}\stackrel{ S{K}_{SU} }{\leftrightarrow }\mathrm{SM}$); hence, GL₂ is obtained.

From B_L4, B_L8, and AS₁₀, we obtain B_L18.

B_L18: SM| ≡ USP$|\equiv$($\mathrm{USP}\stackrel{ S{K}_{SU} }{\leftrightarrow }\mathrm{SM}$); thus, GL₄ is obtained.

Based on B_L17 and AS₁₁, we can obtain B_L19.

B_L19: USP$|\equiv$($\mathrm{USP}\stackrel{ S{K}_{SU} }{\leftrightarrow }\mathrm{SM}$), achieving GL₁.

Using B_L18 and AS₁₂, we can obtain B_L20.

B_L20: SM$|\equiv$($\mathrm{USP}\stackrel{ S{K}_{SU} }{\leftrightarrow }\mathrm{SM}$), attaining GL₃.

The effectual attainment of all the formulated security objectives implies that the USP, TCS, and SM have executed secure mutual authentication and can now proceed to exchange data.

4.2. Informal Security Analysis

In this sub-section, both the Dolev–Yao (DY) and Canetti–Krawczyk (CK) threat models are deployed to show the robustness of our protocol against typical smart grid attacks. Essentially, we make some assumptions about the attacker’s capabilities and then show how our protocol counters the attacker’s capabilities in both the DY and CK models. These attack capabilities are well articulated in [50].

Theorem 1.

Our scheme offers anonymity and untraceability.

Proof. 

Let us assume that an adversary Ä has eavesdropped on Auth-1 = {PID_USP, B₄, B₅, C₁}, Auth-2 = {PID_USP, C₃, C₄, C₅}, Auth-3 = {D₁, D₂}, and Auth-4 = {D₃, D₄}. Here, B₄ = h (PID_USP||A₃||K_UT)$\oplus$(R₄||PID_SM), B₅ = h (ID_USP||R₄)$\oplus$h (K_UT||R₄), C₁ = h (PID_USP||A₃||R₄||PID_SM||K_UT), C₃ = h (PID_SM||K_TSM||R₁)$\oplus$C₂, C₄ = (h (ID_USP||R₄)||h (ID_TCS||R₅))$\oplus$h (K_TSM||R₁), C₅ = h (PID_USP||C₂||K_TSM), D₁ = h (PID_SM||K_TSM||R₁)$\oplus$ h (ID_SM||R₆), D₂ = h (PID_USP||PID_SM||C₂*||h (ID_SM||R₆)||K_TSM), D₃ = h (A₃||R₄)$\oplus ($h (ID_TCS||R₅)||h (ID_SM||R₆)||PID_USP*), and D₄ = h (PID_USP||R₄||h (ID_TCS||R₅)||h (ID_SM||R₆)||PID_USP*||K_UT). The goal is to obtain the real identities of the USP, TCS, and SM_i that can facilitate the tracking of these entities. Evidently, these identities are encapsulated in other parameters (such as nonces R₁, R₄, R₅, and R₆) before being hashed. Towards the end of each session, secret parameter PID_USP is updated as PID_USP* = h (PID_USP||R₄). As such, all the messages are dynamic for each session. □

Theorem 2.

Spoofing and impersonation attacks are thwarted.

Proof. 

The main objective of these attacks is to spoof exchanged messages so as to masquerade oneself as a legitimate network entity. The following three cases demonstrate the resilience of our scheme against these threats. □

Case 1: Suppose that Ä wants to impersonate the USP through the interception of message Auth-1 = {PID_USP, B₄, B₅, C₁} sent from the USP towards the TCS over public channels. Here, B₄ = h (PID_USP||A₃||K_UT)$\oplus$(R₄||PID_SM), B₅ = h (ID_USP||R₄)$\oplus$h (K_UT||R₄), and C₁ = h (PID_USP||A₃||R₄||PID_SM||K_UT). However, Ä is unable to derive these parameters without knowledge of USP’s real identity (ID_USP), the shared key between USP and TCS (K_UT), and random nonce R₄, among other values.

Case 2: Let us assume that Ä has intercepted messages Auth-2 = {PID_USP, C₃, C₄, C₅} and Auth-4 = {D₃, D₄} transmitted from the TCS towards the SM_i and TCS, respectively. Here, C₃ = h (PID_SM||K_TSM||R₁)$\oplus$C₂, C₄ = (h (ID_USP||R₄)||h (ID_TCS||R₅))$\oplus$h (K_TSM||R₁), C₅ = h (PID_USP||C₂||K_TSM), D₁ = h (PID_SM||K_TSM||R₁)$\oplus$ h (ID_SM||R₆), and D₂ = h (PID_USP||PID_SM||C₂*||h (ID_SM||R₆)||K_TSM). Afterwards, an attempt is made to construct bogus messages {PID_USP^b, C₃^b, C₄^b, C₅^b} and {D₃ ^b, D₄ ^b}. However, without TCS’ real identity (ID_TCS), random nonces (R₁, R₄, R₅, and R₆), and shared key K_TSM, among other parameters, the derivation of these messages flops.

Case 3: Suppose that Ä has captured message Auth-3 = {D₁, D₂} sent from SM_i towards TCS over public channels. Here, D₁ = h (PID_SM||K_TSM||R₁)$\oplus$ h (ID_SM||R₆) and D₂ = h (PID_USP||PID_SM||C₂*||h (ID_SM||R₆)||K_TSM). Similar to Case 2 above, Ä cannot construct valid message Auth-3 without knowledge of SM_i’s real identity (ID_SM), shared key (K_TSM), and random nonces (R₁ and R₆).

Theorem 3.

Strong mutual entity verification is executed.

Proof. 

In the proposed approach, all the network parties mutually authenticate one another. For instance, upon receiving message Auth-1 = {PID_USP, B₄, B₅, C₁} from the USP, the TCS computes C₁* = h (PID_USP||A₃||R₄*||PID_SM*||K_UT) and validates USP by checking if C₁* ≟ C₁. Conversely, upon receiving Auth-2 = {PID_USP, C₃, C₄, C₅} from the TCS, the SM_i computes C₅ = h (PID_USP||C₂*||K_TSM) and verifies the TCS by confirming whether C₅* ≟ C. Similarly, the TCS receives message Auth-3 = {D₁, D₂} from SM_i, derives D₂* = h (PID_USP||PID_SM||C₂||h (ID_SM||R₆)||K_TSM), and authenticates SM_i by checking if D₂* ≟ D₂. In contrast, the USP obtains message Auth-4 = {D₃, D₄} from the TCS, computes D₄* = h (PID_USP||R₄||h (ID_TCS||R₅)||h (ID_SM||R₆)||PID_USP*||K_UT), and validates the TCS by confirming if D₄* ≟ D₄. □

Theorem 4.

The communicating entities negotiate session keys.

Proof. 

In our protocol, the TCS, SM_i, and USP autonomously calculate the session key SK_SU = h (h (ID_USP||R₄)||h (ID_TCS||R₅)||h (ID_SM||R₆). For instance, after receiving message Auth-2 from the TCS, the SM_i computes the session key as SK_SU = h (h (ID_USP||R₄)||h (ID_TCS||R₅)||h (ID_SM||R₆), together with parameters D₁ and D₂. However, upon receiving Auth-3 from the SM_i, the TCS computes the session key as SK_SU = h (h (ID_USP||R₄)||h (ID_TCS||R₅)||h (ID_SM||R₆), together with values PID_USP*, A₃*, D₃, and D₄. Similarly, the USP receives message Auth-4 from the TCS and computes the session key as SK_SU = h (h (ID_USP||R₄)||h (ID_TCS||R₅)||h (ID_SM||R₆), together with values A₃*, B₂*, and B₃*. □

Theorem 5.

Our scheme can withstand forgery and eavesdropping attacks.

Proof. 

Let us assume that adversary Ä wants to forge session key SK_SU = h (h (ID_USP||R₄)||h (ID_TCS||R₅)||h (ID_SM||R₆). Evidently, Ä must have access to identities ID_USP, ID_TCS, and ID_SM. In addition, random nonces R₄, R₅, and R₆ must be obtained by Ä. However, these identities and nonces cannot be obtained by eavesdropping messages Auth-1 = {PID_USP, B₄, B₅, C₁}, Auth-2 = {PID_USP, C₃, C₄, C₅}, Auth-3 = {D₁, D₂}, and Auth-4 = {D₃, D₄} exchanged over public channels. Let us assume that Ä has captured long-term secret keys K_TCS, K_UT, K_TSM, and K_SM. However, none of these keys is incorporated in the negotiated session key SK_SU. As such, the session keys derived in our protocol are secured. □

Theorem 6.

MitM and replay attacks are thwarted.

Proof. 

Suppose that Ä has the ability of intercepting and modifying authentication messages Auth-1 = {PID_USP, B₄, B₅, C₁}, Auth-2 = {PID_USP, C₃, C₄, C₅}, Auth-3 = {D₁, D₂}, and Auth-4 = {D₃, D₄} exchanged over insecure public channels. Here, B₄ = h (PID_USP||A₃||K_UT)$\oplus$(R₄||PID_SM), B₅ = h (ID_USP||R₄)$\oplus$h (K_UT||R₄), C₁ = h (PID_USP||A₃||R₄||PID_SM||K_UT), C₃ = h (PID_SM||K_TSM||R₁)$\oplus$C₂, C₄ = (h(ID_USP||R₄)||h (ID_TCS||R₅))$\oplus$h (K_TSM||R₁), C₅ = h (PID_USP||C₂||K_TSM), D₁ = h (PID_SM||K_TSM||R₁)$\oplus$h (ID_SM||R₆), D₂ = h (PID_USP||PID_SM||C₂*||h (ID_SM||R₆)||K_TSM), D₃ = h (A₃||R₄)$\oplus ($h (ID_TCS||R₅)||h (ID_SM||R₆)||PID_USP*), and D₄ = h (PID_USP||R₄||h (ID_TCS||R₅)||h (ID_SM||R₆)||PID_USP*||K_UT). It is clear that all these messages incorporate random nonces such as R₁, R₄, R₅, and R₆. In addition, any successful modification of these messages requires knowledge of identities (ID_USP, ID_TCS, ID_SM) and shared keys (K_UT, K_TSM), all of which are unavailable to Ä. □

Theorem 7.

Privileged insider attacks are effectively prevented.

Proof. 

Let us assume that some privileged insider Ä has accessed USP’s pseudo-identity (PID_USP) during the registration phase. In addition, Ä has access to {A₅, B₁, B₂, B₃} stored in the USP’s database. With all these parameters, Ä makes some attempts in deriving session key SK_SU = h (h (ID_USP||R₄)||h (ID_TCS||R₅)||h (ID_SM||R₆). However, Ä does not know real identities (ID_USP, ID_TCS, ID_SM) and random nonces (R₄, R₅, R₆). Therefore, this attack will fail. □

Theorem 8.

The proposed scheme can resist de-synchronization and backdoor-based DoS attacks.

Proof. 

The objective of these threats is to alter and block exchanged messages so as to interfere with future mutual verification processes among the USP, TCS, and SM_i. This can be occasioned by some SG and SM firmware-containing backdoors. Suppose that Ä wants to de-synchronize the next authentication session by modifying Auth-1, Auth-2, and Auth-3. However, Theorem 6 demonstrates the difficulty in modifying these messages devoid of random nonces, real identities, and shared keys. Let us assume that Ä wants to block all the transmitted messages so as to interfere with the synchronization procedures among the USP, TCS, and SM_i. To achieve this, USP’s pseudo-identity PID_USP, incorporated in all four authentication messages, is utilized. However, in Step 7 above, our scheme refreshes this parameter as PID_USP* = h (PID_USP||R₄) and includes it in parameters D₃ = h (A₃||R₄)$\oplus ($h (ID_TCS||R₅)||h (ID_SM||R₆)||PID_USP*) and D₄ = h (PID_USP||R₄||h (ID_TCS||R₅)||h (ID_SM||R₆)||PID_USP*||K_UT). Thereafter, authentication message Auth-4 = {D₃, D₄} is relayed to the USP. Provided that PID_USP*is valid, it then passes the D₄* ≟ D₄ check. Otherwise message Auth-4 is rejected at the USP. Upon the successful verification of PID_USP*, the USP derives and sends D₅ = h (SK_SU||PID_USP*) to the TCS for further validation through the D₅* ≟ D₅ check. It is only after the successful verification of PID_USP* that TCS deletes parameter set {PID_USP, A₃} from its database. Otherwise, the TCS continues to store these two values to stay in sync with the USP. □

Theorem 9.

Offline guessing attacks are resisted.

Proof. 

The assumption made in these attacks is that Ä is able to obtain {A₅, B₁, B₂, B₃} from the USP’s database. Here, A₃ = h (PID_USP||K_UT), A₄ = h (K_USP||R₃), A₅ = R₃$\oplus$h (ID_USP||K_USP), B₁ = h (ID_USP||K_USP||R₃||A₄), B₂ = A₃$\oplus$h (R₃||A₄), and B₃ = K_UT$\oplus$h (A₃||A₄). It is clear that these messages are encapsulated with random nonce, ID_USP, and K_USP. In accordance with Theorem 5, Ä cannot easily ascertain identity ID_USP and random nonces. Since K_USP is the USP’s private key, it is not available to Ä and cannot be eavesdropped over public channels. □

Theorem 10.

Our scheme is robust against KSSTI and ephemeral secret leakage attacks.

Proof. 

The purpose of this attack is to enable adversary Ä to access session-specific tokens such as nonces R₁, R₂, R₃, R₄, R₅, and R₆. Thereafter, Ä attempts some KSSTI under the CK-adversarial model. This might include an attempt to derive the session key SK_SU = h (h (ID_USP||R₄)||h (ID_TCS||R₅)||h (ID_SM||R₆). However, even with these ephemerals, Ä cannot derive SK_SU. This is because the real identities of the SM_i, TCS, and USP (ID_USP, ID_TCS, ID_SM) are required. Based on Theorem 5, Ä cannot easily ascertain these identities, and, hence, this attack flops. □

Theorem 11.

The proposed protocol can withstand physical attacks.

Proof. 

The assumption made here is that adversary Ä has physically obtained the SM_i upon which the stored values {A₁, A₂, PID_SM} in its memory are extracted via a power analysis. Here, A₁ = R₁$\oplus$h (ID_SM||K_SM), A₂ = K_TSM$\oplus$h (R₁||K_SM), and PID_SM = h (ID_SM||R₁). The next objective is to ascertain SM_i’s identity (ID_SM), shared key (K_TSM), and SM’s private key (K_SM). However, these values are masked with random nonces before being hashed. Since reversing the one-way hashing function is computationally cumbersome, our scheme is robust against physical attacks. □

5. Performance Evaluations

Storage, computation, supported security, and privacy features, as well as communication complexities are most often utilized as metrics to evaluate authentication protocols. As such, we deploy such metrics in our comparative performance evaluations as detailed below.

5.1. Computation Overheads

During the mutual verification and key setup phase, our scheme executes only one-way hashing (T_H) operations. Specifically, 7T_H and 16T_H operations are executed on the smart meter and utility service provider sides, respectively. The time complexities of the diverse cryptographic functions in the smart meter are computed on a 1 GB RAM, 1.2 GHz CPU, Quad-core Raspberry Pi-3, while the USP cryptographic primitives are computed on an 8 GB RAM, Core i7-6700 laptop equipped with a 3.40 GHz CPU. Under these two environments, the execution durations are presented in

Table 4. Execution durations.

Scheme	Costs (ms)
	SM	USP
Bilinear pairing operations, TBP	95.72100	9.52800
ECC point addition, TECA	0.13400	0.00700
One-way hash function, TH	0.34500	0.03900
ECC point multiplication, TPM	2.70000	0.70500
Symmetric encryption, TSE	0.41000	0.00460
Symmetric decryption, TSD	0.41000	0.00460
Esch256 one-way hash function, THE	0.33000	0.03200
Physically unclonable function, TPUF	0.00049	-
Counter-mode encryption with authentication tag, TCO	0.34900	0.04100
Bio-metric key generation and reproduction, TREP	2.70000	0.70500
Modular exponential, TE	30.7920	0.31200
Scalar multiplication, TSM	2.70000	0.70500

.

Using the execution durations in Table 4 as a basis, the total computation complexity of our scheme is 2.805 ms.

Table 5. Computation complexities.

Scheme	SM	USP	Total (ms)
Baghestani et al. [1]	5TH + 2TPM	11TH + 2TPM	17TH + 4TPM ≈ 8.964
Xia et al. [6]	19TPM	17TPM	10TH + 8TPM ≈ 63.285
Mohammadali et al. [10]	3TH + 2TPM	4TH + 3TPM	7TH + 5TPM ≈ 8.706
Kumar et al. [13]	5TH + 2TPM	6TH + 2TPM	11TH + 4TPM ≈ 8.769
Tsai & Lo [22]	5TH + 4TPM + TE	2TBP + 3TPM + TE + 5TH	2TBP + 7TPM + 2TE + 10TH ≈ 237.381
Tanveer & Alasmary [29]	2THE + 2TCO + TREP + TPUF	5THE + 2TCO	7THE + 4TCO + TREP + TPUF ≈ 4.300
Chaudhry et al. [31]	4TH + 2TSE + 3TPM	6TH + 2TSE + 4TPM	10TH + 4TSE + 7TPM ≈ 13.363
Taqi & Jalili [32]	4TH + TSE + TSD + 3TPM	3TH + TSE + TSD + 3TPM	7TH + 2TSE + 2TSD + 6TPM ≈ 12.5412
Chen et al. [33]	7TH + TSD	9TH + 2TSE + TSD	16TH + 2TSE + 2TSD ≈ 3.1898
Park et al. [47]	5TH + 2TSM	6TH + 2TSM	11TH + 4TSM ≈ 8.769
Proposed	7TH	16TH	16TH + 7TH ≈ 3.0390

details the derivation and comparison of the computation complexities of other peer approaches.

As demonstrated in Figure 4, the technique in [22] has the longest execution time of 237.381 ms. This can be explained by the computationally extensive bilinear pairings in [22]. This is followed by the protocols in [6], [31], [32], [1], [13], [47], [10], [29], and [33] respectively. Conversely, our protocol incurs the least computation complexities.

Even though the approach in [33] has a relatively lower execution time, it cannot withstand guessing, KSSTI, eavesdropping, ephemeral secret leakage, spoofing, and physical capture attacks. In the SG environment, the majority of components does not have a high computation power; hence, our protocol is the most suitable for deployment.

5.2. Communication Overheads

In our scheme, messages Auth-1, Auth-2, Auth-3, and Auth-4 are exchanged during the verification and key setup phase. The specific details of these messages are as follows.

Auth-1 = {PID_USP, B₄, B₅, C₁}

Auth-2 = {PID_USP, C₃, C₄, C₅}

Auth-3 = {D₁, D₂}

Auth-4 = {D₃, D₄}

Here, PID_USP = h (ID_USP||R₃), B₄ = h (PID_USP||A₃||K_UT)$\oplus$(R₄||PID_SM), B₅ = h (ID_USP||R₄)$\oplus$h (K_UT||R₄), C₁ = h (PID_USP||A₃||R₄||PID_SM||K_UT), C₃ = h (PID_SM||K_TSM||R₁)$\oplus$C₂, C₄ = (h (ID_USP||R₄)||h (ID_TCS||R₅))$\oplus$h (K_TSM||R₁), C₅ = h (PID_USP||C₂||K_TSM), D₁ = h(PID_SM||K_TSM||R₁)$\oplus$ h (ID_SM||R₆), D₂ = h (PID_USP||PID_SM||C₂*||h (ID_SM||R₆)||K_TSM), D₃ = h (A₃||R₄)$\oplus ($h (ID_TCS||R₅)||h (ID_SM||R₆)||PID_USP*), and D₄ = h (PID_USP||R₄||h (ID_TCS||R₅)||h (ID_SM||R₆)||PID_USP*||K_UT).

Using the values in [23,33,39], the hashing, symmetric encryption, point multiplication, timestamps, and symmetric decryption output lengths are 160 bits, 128 bits, 320 bits, 32 bits, and 128 bits, correspondingly. As such, Auth-1 = 160 + 160 + 160 + 160 = 640 bits; Auth-2 = {160 + 160 + 160 + 160} = 640 bits; Auth-3 = {160 + 160} = 320 bits; and Auth-4 = {160 + 160} = 320 bits. Consequently, the overall communication complexity of our technique is 1920 bits.

Table 6. Communication complexities.

Scheme	Messages Exchanged	Total (Bits)
Baghestani et al. [1]	$\mathrm{SM}\stackrel{ 864 }{\to }$$\mathrm{USP}\stackrel{ 832}{\leftrightarrow }$SM	1696
Xia et al. [6]	$\mathrm{SM}\stackrel{ 1664 }{\to }$$\mathrm{USP}\stackrel{ 1152 }{\leftrightarrow }$SM	2816
Mohammadali et al. [10]	$\mathrm{SM}\stackrel{ 768 }{\to }$$\mathrm{USP}\stackrel{ 608 }{\leftrightarrow }$$\mathrm{SM}\stackrel{ 160 }{\leftrightarrow }$USP	1536
Kumar et al. [13]	$\mathrm{SM}\stackrel{ 512 }{\to }$$\mathrm{USP}\stackrel{ 672 }{\leftrightarrow }$$\mathrm{SM}\stackrel{ 192 }{\leftrightarrow }$USP	1376
Tsai & Lo [22]	$\mathrm{SM}\stackrel{ 480 }{\to }$$\mathrm{USP}\stackrel{ 480 }{\leftrightarrow }$$\mathrm{SM}\stackrel{ 320 }{\leftrightarrow }$USP	1280
Tanveer & Alasmary [29]	$\mathrm{USP}\stackrel{544}{\to }$$\mathrm{TCS}\stackrel{662}{\leftrightarrow }$SM	1206
Chaudhry et al. [31]	$\mathrm{SM}\stackrel{768}{\to }$$\mathrm{USP}\stackrel{768}{\leftrightarrow }$SM	1536
Taqi & Jalili [32]	$\mathrm{SM}\stackrel{512}{\to }$$\mathrm{USP}\stackrel{896}{\leftrightarrow }$$\mathrm{SM}\stackrel{576}{\leftrightarrow }$USP	1984
Chen et al. [33]	$\mathrm{SM}\stackrel{864}{\to }$$\mathrm{USP}\stackrel{704}{\leftrightarrow }$$\mathrm{SM}\stackrel{160}{\to }$$\mathrm{USP}\stackrel{160}{\leftrightarrow }$SM	1888
Park et al. [47]	$\mathrm{SM}\stackrel{512}{\to }$$\mathrm{USP}\stackrel{672}{\leftrightarrow }$$\mathrm{SM}\stackrel{192}{\leftrightarrow }$USP	1376
Proposed	$\mathrm{USP}\stackrel{640}{\to }$$\mathrm{TCS}\stackrel{640}{\leftrightarrow }$$\mathrm{SM}\stackrel{320}{\leftrightarrow }$$\mathrm{TCS}\stackrel{320}{\leftrightarrow }$USP	1920

presents the comparative analysis of the incurred communication complexities of our protocol together with those of its peer approaches.

As evidenced in Figure 5, the technique in [6] exhibits the largest communication overheads of 2816 bits. This is followed by the protocols in [32], our proposed scheme, [33], [1], [10], [31], [13], [47], [22], and [29], in this order. Even though the technique in [29] incurs the lowest communication overheads, its design does not consider guessing, eavesdropping, and spoofing attacks. Similarly, the security scheme in [22] is defenseless against privileged insider, de-synchronization, DoS, guessing, spoofing, KSSTI, eavesdropping, EPSL, physical capture, and forgery attacks. In the same breadth, the protocol in [47] is not analyzed against attacks such as de-synchronization, privileged insider, DoS, guessing, eavesdropping, physical capture, ephemeral secret leakage, spoofing, replay, and forgery. In addition, it does not offer anonymity. On its part, the approach in [13] fails to provide session key agreement and mutual authentication. In addition, it is not analyzed against de-synchronization, DoS, privileged insider, guessing, KSSTI, eavesdropping, spoofing, and forgery attacks. Concerning the protocol in [33], it is defenseless against guessing, KSSTI, eavesdropping, EPSL, spoofing, and physical capture attacks. Likewise, the protocol in [1] cannot withstand privileged insider, physical capture, guessing, KSSTI, eavesdropping, spoofing, and forgery attacks. Regarding the protocol in [10], it cannot protect against DoS, spoofing, privileged insider, guessing, KSSTI, eavesdropping, EPSL, physical capture, and forgery.

In addition, it cannot offer entity untraceability and anonymity. Finally, the scheme in [31] is not robust against spoofing, de-synchronization, DoS, privileged insider, guessing, eavesdropping, ESPL, and forgery attacks. Evidently, our protocol provides a good balance between security and communication complexity.

5.3. Storage Overheads

In our scheme, value sets {A₅, B₁, B₂, B₃} and {A₁, A₂, PID_SM} are stored in the USP database and smart meter memory, respectively. Here, A₅ = B₁ = B₂ = B₃ = A₁ = A₂ = PID_SM = 160 bits. Consequently, the cumulative storage complexity in our scheme is 1120 bits, or 140 bytes.

Table 7. Storage overheads.

Scheme	Stored Parameters	Total (Bits)
Baghestani et al. [1]	SM: {H1, H2, n, E, P, FP, SMsj, xj, yj} USP: {SMIDj,Mk}	2432
Xia et al. [6]	SM: {xS, R2} USP: {xC}	896
Mohammadali et al. [10]	SM: {SM, RM, yM, rM} USP: {yAHE, rAHE}	1600
Kumar et al. [13]	SM: {RIDi, TCi, h (·),Ep (a, b),G} USP: {RIDj, TCj, {RIDi |i = 1, 2, …, l}, h (·),Ep (a, b),G}	2240
Tsai & Lo [22]	SM: {G1, G2, P, e,H, H1, H2, H3, H4, q, Ppub, g} USP: {G1, G2, P, e, H, H1, H2, H3, H4, q, Ppub, g}, Kj, H1 (SIDj)P + Ppub	6112
Tanveer & Alasmary [29]	SM: {CHSMi, TIDSMi, RNr, HD} USP: {SIDi, Bi, RNr}	1056
Chaudhry et al. [31]	SM: {E, P, Fp, n, SMprj, σj, idSTj, STj, H (.), SMIDj, Pidstj} USP: {Mk}	2176
Taqi & Jalili [32]	SM: {ai, Ai} USP: {aj, Aj}	896
Chen et al. [33]	SM: {IDi, N1, Xi} USP: {Si}	832
Park et al. [47]	SM: {PIDi, LSSMi, H, E(a, b), G} USP: {PCUIDj, H, E(a,b), G, PIDi=1…l}	2240
Proposed	SM: {A1, A2, PIDSM} USP: {A5, B1, B2, B3}	1120

shows the derivation of the storage complexities of our scheme as well as those ones of its peers.

The specific details of the various parameters stored in the related schemes are described in

Table 8. Details of stored parameters.

Symbol	Details
xS, SMsj, SMprj, SM	SM’s private keys
RM,	SM’s public key
R2	Keying parameter based on smart meter’s public key
xC, Kj	USP’s private keys
H1, H2, H, H (..), h (.), H1, H2, H3, H4	One-way hash functions
n, E, P	Elliptic curve E and a point P of order n
FP	Finite field
xj, yj, Xi, LSSMi, σj, STj, Ai, Aj, SIDi, Bi, yM, yAHE, g	Derived intermediary parameters
SMIDj, IDi, SMIDj	SM’s unique identity
idSTj	Unique identifier for SM
SIDj	USP’s unique identity
Mk	Master key
N1, ai, aj, RNr, rM, rAHE	Random numbers
Si	SM’s unique identification stored in the table
PIDi, Pidstj, TIDSMi, RIDi	Pseudo-identities for SM
PCUIDj, RIDj	Pseudo-identities for USP
TCi	SM’s temporal credential
TCj	USP’s temporal credential
E(a, b), G, Ep (a, b)	Elliptic curve with base point G.
P, G1, G2	Generator of G1, cyclic additive group, and cyclic multiplicative group, respectively
q	Prime order of G1 and G2
e	Pairing operation
Ppub	Public key of the trust anchor
CHSMi	Registration authority (RA) challenge parameter
HD	Helper data

.

As revealed in Figure 6, the approach in [22] incurs the highest storage complexity of 6112 bits. This is followed by the protocols in [1], [47], [13], [31], [10], the proposed scheme, [29], [6], [32], and [33] respectively. The high storage cost in [22] is due to the numerous security tokens that have to be stored in the end devices.

Although the protocols in [6,29,32,33] have slightly lower storage complexities compared to our scheme, they are susceptible to numerous threats, as shown in

Table 9. Supported functionalities.

	[10]	[13]	[22]	[29]	[6]	[1]	[31]	[32]	[33]	[47]	Proposed
Functionality
Session key agreement	√	×	√	√	√	√	√	√	√	√	√
Anonymity and untraceability	×	√	√	√	×	√	√	√	√	×	√
Key security	√	√	√	√	√	√	√	√	√	√	√
Mutual authentication	√	×	√	√	√	√	√	√	√	√	√
Formal verification	√	√	√	√	×	√	√	√	√	√	√
Resilience against
De-synchronization	√	×	×	√	×	√	×	×	√	×	√
Backdoor-based DoS	×	×	×	√	×	√	×	√	√	×	√
Privileged insider	×	×	×	√	×	×	×	×	√	×	√
Guessing	×	×	×	×	×	×	×	√	×	×	√
KSSTI	×	×	×	√	×	×	√	×	×	√	√
Eavesdropping	×	×	×	×	×	×	×	×	×	×	√
Ephemeral secret leakage	×	√	×	√	×	√	×	×	×	×	√
Spoofing	×	×	×	×	×	×	×	×	×	×	√
Physical capture	×	√	×	√	×	×	√	√	×	×	√
Impersonation	√	√	√	√	√	√	√	×	√	√	√
Replay	√	√	√	√	√	√	√	√	√	×	√
MitM	√	√	√	√	√	√	√	×	√	√	√
Forgery	×	×	×	√	×	×	×	×	×	×	√

√ Feature supported; × Feature not supported or not considered.

. Since smart devices such as SMs in the grid system have limited storage, our scheme is ideal for implementation in this environment.

5.4. Supported Functionalities

The protocol developed in this paper offers a wide range of salient security and privacy features and is robust against several attacks. Table 9 provides a comparative evaluation of the security characteristics of our scheme as well as its resilience to attacks.

As revealed in Table 9, the scheme in [6] supports only six features and, hence, is the least secure. This is followed by the protocol in [47], which supports seven features. In contrast, the schemes in [10,13,22] support eight features and, hence, have been rated third. This is followed by the protocols in [32], [31], [1], [33], and [29], which offer support for 9, 10, 11, 11, and 15 characteristics, correspondingly.

Conversely, our scheme supports all 18 security and privacy features. Using the 15 features provided in [29] as a basis, our scheme offers a 20% improvement in smart grid networks’ security posture.

6. Conclusions

The consumer consumption report and power adjustments data exchanged between SMs and SPs are exposed to many privacy and security threats. This is due to the utilization of insecure communication channels for the message communication procedures. Such attacks include ephemeral secret leakage, denial of service, eavesdropping, tampering, and forgery. To address this challenge, many security solutions have been developed recently. Nevertheless, the majority of these solutions has been shown to be inefficient or have some susceptibilities that render them inappropriate for smart meters. In this paper, a security protocol that is provably secure has been developed. It has also been demonstrated to be resilient against attacks such as privileged insider, de-synchronization, DoS, guessing, KSSTI, eavesdropping, EPSL, spoofing, physical capture, impersonation, replay, MitM, and forgery. In addition, it provides security functionalities such as anonymity, strong authentication, session key agreement, session key security, and untraceability. In terms of performance, it incurs the least computational costs and relatively lower storage and communication costs. Future work will feature the development of novel approaches that can further reduce the incurred storage and communication overheads.