Privacy-Preserving Lightweight Authentication Protocol for Demand Response Management in Smart Grid Environment

Abstract

With the development in wireless communication and low-power device, users can receive various useful services such as electric vehicle (EV) charging, smart building, and smart home services at anytime and anywhere in smart grid (SG) environments. The SG devices send demand of electricity to the remote control center and utility center (UC) to use energy services, and UCs handle it for distributing electricity efficiently. However, in SG environments, the transmitted messages are vulnerable to various attacks because information related to electricity is transmitted over an insecure channel. Thus, secure authentication and key agreement are essential to provide secure energy services for legitimate users. In 2019, Kumar et al. presented a secure authentication protocol for demand response management in the SG system. However, we demonstrate that their protocol is insecure against masquerade, the SG device stolen, and session key disclosure attacks and does not ensure secure mutual authentication. Thus, we propose a privacy-preserving lightweight authentication protocol for demand response management in the SG environments to address the security shortcomings of Kumar et al.’s protocol. The proposed protocol withstands various attacks and ensures secure mutual authentication and anonymity. We also evaluated the security features of the proposed scheme using informal security analysis and proved the session key security of proposed scheme using the ROR model. Furthermore, we showed that the proposed protocol achieves secure mutual authentication between the SG devices and the UC using Burrows–Abadi–Needham (BAN) logic analysis. We also demonstrated that our authentication protocol prevents man-in-the-middle and replay attacks utilizing AVISPA simulation tool and compared the performance analysis with other existing protocols. Therefore, the proposed scheme provides superior safety and efficiency other than existing related protocols and can be suitable for practical SG environments.

1. Introduction

In the past few years, with the advances of information and communication technologies, users can easily access any service provided in various smart grid (SG) environments, including smart home, smart building, vehicle-to-grid (V2G) and advanced metering infrastructure (AMI) [1,2,3,4]. In particular, smart grid using smart device has attracted growing attention from the academia, industries, and researchers. The SG device (sensing device, smart meter, etc.) is one of the core components, which collects various information (electricity consumption, payment, address, etc.) and transfers it to utility centers (power provider, power distributor, etc.) to provide secure, reliable, and efficient power distribution. According to the report of the U.S. Department of Energy (DoE), since 1988, electricity demand has risen by almost 30%. However, the transmission capacity of electricity has only increased by 15% [5]. Therefore, demand-response management has become an important issue to ensure reliable supply of electricity.

In SG environments, the SG devices are deployed in industries, smart buildings, smart homes, etc. and collect many data in real-time, transferring electricity demands to energy generators. However, energy generators cannot efficiently handle these demands because the data collected by SG devices is very large and is difficult to handle it. To address these problems and maintain the efficient stability of supply, utility centers (UCs) analyze the data collected by SG devices and control fault detection, dynamic pricing, load balancing, leakage power, and demand-response [6]. However, the data transmitted between the UC and the SG devices can be tampered, injected, deleted, and forged by a malicious adversary because they are transmitted over an insecure channel [7]. The result of these situations can generate energy imbalances and gaps between energy demand and response. Therefore, authentication and key agreement mechanisms have become essential security requirements for smooth functioning of the SG operations with respect to demand response and data analytics. The security requirements for the SG system are summarized as follows:

• Secure and efficient authentication and key agreement protocols are essential to ensure secure communication and privacy.
• The proposed authentication and key agreement protocol must withstand various attacks such as replay, masquerade, and off-line identity guessing attacks.
• Authentication and key agreement protocol should consider SG device limitations with respect to power consumption, communication bandwidth, and memory.

In general, for power consumption feedback purposes, a SG relies heavily on the usage of a smart metering infrastructure. For instance, the data of SG device is useful for load forecasting, demand response management, and real-time pricing. However, the recording and transmission of power consumption data may cause serious privacy issues. If fine-grained power consumption data of the SG device is exposed, it can reveal the private information of consumers related to their daily routines or the appliances in the house. In addition, the computation and communication resources at the consumer’s side in the SG environments are usually very limited. Therefore, secure and efficient authentication mechanisms for preserving user privacy with low computational costs are essential in resource-constrained SG environments.

In 2019, Kumar et al. [6] proposed an elliptic curve cryptography (ECC)-based authentication protocol for demand response management in SG system. Kumar et al. claimed that their scheme can prevent various attacks. However, this paper shows that their scheme cannot withstand various attacks, including SG device stolen, session key disclosure, and masquerade attacks and cannot ensure secure mutual authentication. Furthermore, their scheme [6] is not suitable for resource-limited smart devices because it uses ECC with high computation and communication overheads. Therefore, we propose a privacy-preserving lightweight authentication scheme for demand response management in SG environments, considering an efficiency of SG devices and improving security level.

1.1. Adversary Model

We adopted the widely known Dolev–Yao (DY) threat model [8] to evaluate the safety of proposed protocol. According to the DY model, a malicious attacker can intercept, delete, modify, and insert the transmitted data over insecure channel. In addition to the capabilities of these attackers, the specific assumptions of the threat model are as follows:

• A malicious adversary can steal or obtain the SG device of a legal user and can extract secret parameters stored in the SG device utilizing power-analysis [9,10]. We also assume that a malicious adversary is able to capture as many SG device as possible.
• A malicious adversary may attempt various attacks, including masquerade, man-in-the-middle (MITM), session key disclosure, and replay attacks [11,12].
• Trusted authority (TA) and UCs are assumed to be fully trusted and semi-trusted entities, respectively, and cannot be compromised by a malicious adversary.

1.2. Contributions

The detailed contributions in this paper are summarized as follows:

• We demonstrate that Kumar et al.’s protocol cannot withstand various attacks such as masquerade, SG devices stolen, and session key disclosure attacks. We also show that their protocol does not ensure secure mutual authentication.
• We present a privacy-preserving lightweight authentication protocol for the SG system using pseudo-identity and secret parameter to enhance the security weaknesses of Kumar et al.’s protocol. The proposed protocol can withstand against masquerade, session key disclosure, replay, and MITM attacks, as well as achieve secure mutual authentication and anonymity. Thus, the proposed protocol is more secure and efficient than Kumar et al.’s protocol because it utilizes only hash and XOR operations.
• We performed the widely known Burrows–Abadi–Needham (BAN) logic analysis [13] to prove that the proposed scheme provides secure mutual authentication. We utilized informal security analysis to prove the safety of the proposed protocol against potential attacks and also proved the session key security of proposed scheme utilizing ROR model [14].
• We performed formal security analysis utilizing the widely adopted Automated Validation of Internet Security Protocols and Applications (AVISPA) tool to evaluate that the proposed scheme is secure against replay and MITM attacks. Moreover, we present the performance analysis of the proposed protocol with existing protocols.

1.3. Organization

The rest of the article is organized as follows. Section 2 presents related works that discuss the SG environments and then Section 3 presents system model for the SG environments. In Section 4 and Section 5, we review of Kumar et al.’s scheme and analyze its security problems. In Section 6, we present a privacy-preserving lightweight authentication protocol for demand response management in SG environments to address the security shortcomings of Kumar et al.’s scheme and enhance efficiency. In Section 7, we perform the security analysis of the proposed scheme utilizing informal and formal analysis. Section 8 evaluates the security and performance features of the proposed scheme compared with existing schemes. Finally, we summarize the conclusion in Section 9.

2. Related Works

Many authentication and key agreement schemes for various environments have been presented over the last few years to ensure security and privacy of users [15,16,17]. In 2014, Rottondi et al. [15] presented the security and privacy scheme in V2G communication. In 2016, Jiang et al. [16] presented an ECC-based three-factor authentication scheme for e-health cloud to ensure privacy of health information. In 2016, Wan et al. [17] presented an efficient privacy-preserving scheme in the SG environments to provide secure communication and guarantee user’s anonymity.

Recently, SG has attracted much attention from academia, research institutes, industry, and government [18,19]. In 2016, Tsai and Lo [20] presented identity-based encryption and signature key distribution protocol for the SG. However, in 2016, Odelu et al. [21] showed that Tsai and Lo’s scheme [20] does not protect against ephemeral secret leakage attack and cannot ensure the privacy of smart meter. To resolve security drawbacks of Tsai and Lo’s scheme, Odelu et al. [21] presented a secure authentication key agreement scheme for SG. In 2015, Doh et al. [22] proposed a secure authentication scheme between smart meter and the utility system to manage information of power consumption. In 2016, Saxena et al. [23] presented an authentication scheme for SG, which performs secure user authentication for SG to provide protection against various attacks. In 2016, He et al. [24] presented ECC based lightweight anonymous key distribution scheme for SG and it was more efficient than Tsai and Lo’s scheme [20]. In 2017, Wazid et al. [25] presented secure three-factor remote user authentication scheme for renewable energy in SG system to enhance security level. In 2019, Kumar et al. [6] presented ECC-based authentication protocol for demand response management in SG system. However, as shown below, their scheme cannot prevent a variety of attacks such as SG device stolen, masquerade, and session key disclosure attacks, and it cannot ensure secure mutual authentication. Thus, we present a privacy-preserving lightweight authentication protocol for demand response management in the SG environments to address security problems of Kumar et al.’s scheme.

3. System Model

This section introduces the demand response management for the SG network model. This network model comprises two entities: a SG device and an UC, as shown in Figure 1. A SG device collects electricity data and provides efficient power management services. An UC manages monitoring data, including electricity consumption, load forecasting, demand response, real-time pricing, etc. The UC collects these data and estimates a total electricity capacity of a SG device in the power grid. However, as SG devices are deployed within the SG fields, the recording and transmission of power consumption data may cause serious privacy issues. A SG device usually sends sensitive power consumption reports via communication channel in the SG environments. A malicious adversary can intercept such reports to invade the privacy of users. For instance, it is easy to notice that inhabitants are at home or not by checking the power usage. In addition, privacy-sensitive data, such as usage of appliances, can be released to adversaries [26,27]. Consequently, privacy of users could be violated and sensitive data of users could be used for criminal purposes. Therefore, privacy-preserving authentication protocol in the SG environments should be supported.

Figure 2 introduces the authentication process of the proposed scheme in the SG environments to provide user privacy, including daily routines and electricity consumption habits. The proposed scheme comprises three parties: trust authority (TA), SG device, and UC. The SG device and the UC first register their identities to TA, and then TA issues credential information for the SG device and the UC. After that, the SG device and the UC perform mutual authentication. After authentication, the SG device and the UC use the session key to exchange power consumption reports and feedbacks, and so on. Consequently, they can communicate safely through the secure channel established by the session key. The meaning of the communication session involves identifying devices in the network and authorizing what each device should carry out in the network. The maintenance of communication session in the proposed scheme may change monthly or yearly, depending on security requirements.

4. Review of Kumar et al.’s Protocol

This section reviews Kumar et al.’s authentication protocol for SG system. Kumar et al.’s scheme is comprised of five phases: SG device registration, UC registration, authentication, dynamic SG device addition, and dynamic UC additions.

Table 1. Notations.

Notation	Description
$TA$	Trusted authority
$S{D}_i$	$SG$ device
$I{D}_i$	$SG$’s identity
$RI{D}_i$	$SG$’s pseudo-identity
$U{C}_j$	Utility center or remote control center
$I{D}_j$	$UC$’s identity
$T{C}_i$	Temporal credential
$T_i$	Timestamp
$E_p(a,b)$	A nonsingular elliptic curve $y^2=x^3+ax+b$ (mod p)
G	A base point for elliptic curve
$k.G$	An elliptic curve point multiplication
$U_i,V_j$	The public key for $S{D}_i$ and $U{C}_j$
x	$TA$’s secret key
$K_s$	$TA$’s master key
$S{K}_{ij}$	Session key
$h(·)$	Hash function
⊕	XOR operation
$||$	Concatenation operation

summarizes the notation used in the protocol.

4.1. Smart Grid Device Registration Process

The SG device is called $S{D}_i(i=1,2,\dots n)$, where n is the number of $UC$ to be deployed initially in SG system. The $S{D}_i$ must register with $TA$ to receive any services, where n is the number of the SG devices. A trusted authority $TA$ chooses a $I{D}_i$ and calculates $RI{D}_i=h(I{D}_i||x)$ and $T{C}_i=h(x||RT{S}_i)$, where $RT{S}_i$ is the registration timestamp of the SG device. After that, the $TA$ pre-loads the data $\{T{C}_i,RI{D}_i,h(),E_p(a,b),G\}$ into memory before deployment in SG system. Figure 3 describes the SG device registration process of Kumar et al.’s protocol.

4.2. Utility Center Registration Process

The utility center $U{C}_j$ must register with $TA$ to deploy the SG environments. The $U{C}_j$ is called $U{C}_j(j=1,2,\dots ,k)$, where k is the number of $UC$ to be deployed initially in SG system. $TA$ chooses an identity $I{D}_j$ and calculates $RI{D}_j=h(I{D}_j||x)$ and $T{C}_j=h(x||RT{S}_j)$, where $RT{S}_j$ is the registration timestamp of the UC. Finally, the $TA$ pre-loads the data $\{RI{D}_j,T{C}_j,h(),E_p(a,b),G,RI{D}_i|i=1,2,\dots ,n\}$ into memory before deployment in SG system. Figure 4 describes the UC registration process of Kumar et al.’s protocol.

4.3. Authentication Process

The main goal of this process is to negotiate a session key between $S{D}_i$ and $U{C}_j$. Therefore, the $S{D}_i$ and $U{C}_j$ must authenticate each other. Figure 5 describes the authentication process of Kumar et al.’s protocol. The detailed process is described below.

Step 1:

$S{D}_i$ chooses a random number $u\in Z_p^{*}$ and generates a current timestamp $T_1$. After that, $S{D}_i$ computes $U_i=u.G$ and $C_i=h(T{C}_i||T_1)\oplus h(RI{D}_i||U_i||T_1)$ and sends authentication request message $\{U_i,C_i,T_1\}$ to the $U{C}_j$ over insecure channel.

Step 2:

After receiving the message, $U{C}_j$ checks $|T_1-T_1^{*}|\le \Delta T$, where $\Delta T$ is maximum transmission delay bound and $T_1$ is current timestamp. If the condition is valid, $U{C}_j$ computes $D_j=C_i\oplus h(RI{D}_i||U_i||T_1)$ utilizing the corresponding $RI{D}_i$ of $S{D}_i$ stored in the database.

Step 3:

$U{C}_j$ then generates timestamp $T_2$ and a random number $v\in Z_p^{*}$, and calculates $V_j=v.G$, $W_j=v.U_i=(uv).G$, the session key shared with $S{D}_i$ as $S{K}_{ij}=h(W_j||D_j||h(RI{D}_j||T{C}_j||T_2))$, $SK{V}_{ij}=h(S{K}_{ij}||RI{D}_i||T_2)$ and $Z_j=h(RI{D}_j||T{C}_j||T_2)\oplus h(RI{D}_i||U_i||V_j||T_2)$. After that, $U{C}_j$ sends the authentication message $\{V_j,Z_j,SK{V}_{ij},T_2\}$ to the $S{D}_i$ over insecure channel.

Step 4:

After receiving the message, $S{D}_i$ checks condition $|T_2-T_2^{*}|\le \Delta T$. If it is correct, $S{D}_i$ further calculates $E_i=Z_j\oplus h(RI{D}_i||U_i||V_j||T_2)=h(RI{D}_j||T{C}_j||T_2)$, $W_i^{\prime }=u.V_j=(uv).G,$ and session key shared with $U{C}_j$ as $S{K}_{ij}^{\prime }=h(W_i^{\prime }||h(T{C}_i||T_1||E_i))(=S{K}_{ij})$, $SK{V}_{ij}^{\prime }=h(S{K}_{ij}^{\prime }||RI{D}_i||T_2)$. If the condition $SK{V}_{ij}^{\prime }\ne SK{V}_{ij}$, $S{D}_i$ aborts communication. Otherwise, $S{D}_i$ generates a timestamp $T_3$ and calculates $SK{V}_{ij}^{*}=h(S{K}_{ij}^{\prime }||RI{D}_i||V_j||T_3)$. After that, $S{C}_i$ sends acknowledgment message $\{SK{V}_{ij}^{*},T_3\}$ to the $U{C}_j$ over insecure channel.

Step 5:

After receiving the message, $U{C}_j$ checks the condition $|T_3-T_3^{*}|\le \Delta T$. If the condition is valid, $U{C}_j$ computes $SK{V}_{ij}^{**}=h(S{K}_{ij}||RI{D}_i||V_j||T_3)$ and checks if $SK{V}_{ij}^{**}=SK{V}_{ij}^{*}$ holds. If the condition is valid, $S{D}_i$ and $U{C}_j$ store the common session key $S{K}_{ij}(=S{K}_{ij}^{\prime })$.

4.4. Dynamic Smart Grid Device Addition Process

The main goal of this process is adding a new SG device $S{D}_i^{new}$ to provide flexibility in the system and the detailed processes are shown below.

Step 1:

Trusted authority $(TA)$ selects an identity $I{D}_i^{new}$ and calculates $RI{D}_i^{new}=h(I{D}_i^{new}||x)$ and $T{C}_i^{new}=h(x||RT{S}_i^{new})$.

Step 2:

After that, the $TA$ pre-loads the data $\{RI{D}_i^{new},T{C}_i^{new},h(),E_p(a,b),G\}$ in the memory before it is deployed.

Step 3:

$TA$ sends data $RI{D}_i^{new}$ for $S{D}_i^{new}$ to all $U{C}_j$ over secure channel. The $TA$ needs to broadcast messages to the deployed $U{C}_j$ regarding deployment of the $S{D}_i^{new}$ so that $S{D}_i^{new}$ and deployed $U{C}_j$ can establish a common session key after mutual authentication.

4.5. Dynamic Utility Center Addition Process

The main goal of this process is same as the one in Section 4.4 from the point of view of UC and the detailed processes are shown below.

Step 1:

The $TA$ selects a identity $I{D}_j^{new}$ and calculates $RI{D}_j^{new}=h(I{D}_j^{new}||x)$ and $T{C}_j^{new}=h(x||RT{S}_j^{new})$.

Step 2:

$TA$ then pre-loads the data $\{RI{D}_j^{new},T{C}_j^{new},RI{D}_i|i=1,2,\dots ,n,h(),E_p(a,b),G\}$ in the memory before it is deployed.

Step 3:

If a $S{D}_i^{new}$ is already deployment prior to $U{C}_j^{new}$, $TA$ pre-loads $RI{D}_i^{new}$ into the memory of $U{C}_j^{new}$.

After finishing this process, $TA$ broadcasts a completion statement to all entities and $U{C}_j^{new}$ is successfully registered in SG environments.

5. Cryptanalysis of Kumar et al.’s Protocol

This section demonstrates the security drawbacks of Kumar et al.’s protocol, including SG device stolen, masquerade, and session key disclosure attacks, as well as mutual authentication.

5.1. Masquerade Attack

We assume that a malicious adversary $U_{ma}$ can obtain the SG device of legal user $S{D}_i$ and intercept information transmitted in open channel, and then may attempt to masquerade $S{D}_i$. According to Section 1.1, $U_{ma}$ can extract secret information $\{RI{D}_i,T{C}_i,h(),E_p(a,b),G\}$ using power analysis attack. Finally, $U_{ma}$ performs the masquerade attack as below:

Step 1:

$U_{ma}$ generates a random number $u_{ma}\in Z_p^{*}$ and calculates $U_{ima}=u_{ma}.G$, $C_{ma}=h(T{C}_i||T_1)\oplus h(RI{D}_i||U_{ima}||T_1)$. After that, $U_{ma}$ sends message $\{U_{ima},C_{ma},T_1\}$ to $U{C}_j$ over insecure channel.

Step 2:

After receiving the message from $U_{ma}$, $U{C}_j$ checks $|T_1-T_1^{*}|\le \Delta T$. If the condition is valid, $U{C}_j$ calculates $D_j=C_{ma}\oplus h(RI{D}_i||U_{ima}||T_1)$ and generates a timestamp $T_2$. $U{C}_j$ then selects a random number $v\in Z_p^{*}$ and computes $V_j=v.G$, $W_{ma}=v.U_{ima}=(u_{ma}v).G$, $S{K}_{ma}=h(W_{ma}||D_j||h(RI{D}_j||T{C}_j||T_2)$, $SK{V}_{ma}=h(S{K}_{ma}||RI{D}_i||T_2)$, and $Z_{ma}=h(RI{D}_j||T{C}_j||T_2)\oplus h(RI{D}_i||U_{ima}||V_j||T_2)$. After that, $U{C}_j$ sends the message $\{V_j,Z_{ma},SK{V}_{ma},T_2\}$ to $U_{ma}$.

Step 3:

After receiving the message from $U{C}_j$, $U_{ma}$ checks condition $|T_2-T_2^{*}|\le \Delta T$. If the condition is valid, $U_{ma}$ computes $E_i=Z_j\oplus h(RI{D}_i||U_{ma}||V_j||T_2)=h(RI{D}_j||T{C}_j||T_2)$, $W_i^{\prime }=u_{ma}.V_j=(u_{ma}v).G$, and $S{K}_{ma}^{\prime }=h(W_{ma}^{\prime }||h(T{C}_i||T_1)||E_i)$. Then, $U_{ma}$ generates a timestamp $T_{3ma}$ and computes $SK{V}_{ma}^{\prime }=h(S{K}_{ma}^{\prime }||RI{D}_i||T_2)$. After that, $U_{ma}$ sends message $\{SK{V}_{ma}^{*},T_3\}$ to $U{C}_j$ over insecure channel.

Step 4:

After receiving the message from $U_{ma}$, $U{C}_j$ checks condition $|T_{3ma}-T_{3ma}^{*}|\le \Delta T$. If the condition is valid, $U{C}_j$ calculates $SK{V}_{ma}^{{*}^{\prime }}=h(S{K}_{ma}||RI{D}_i||V_j||T_{3ma})$ and checks if $SK{V}_{ma}^{{*}^{\prime }}=SK{V}_{ma}^{*}$ holds. If the condition is valid, $U_{ma}$ and $U{C}_j$ store session key $S{K}_{ma}(=S{K}_{ma}^{\prime })$.

Therefore, $U_{ma}$ can successfully generate a session key between $U_{ma}$ and $U{C}_j$ and send a legitimate authentication request message. Consequently, we show that Kumar et al.’s protocol does not withstand masquerade attack.

5.2. Smart Grid Device Stolen Attack

Kumar et al. claimed that their scheme could withstand SG device stolen attack because a malicious attacker $U_{ma}$ cannot calculate the correct $RI{D}_i=h(I{D}_i||x)$ and $T{C}_i=h(x||RT{S}_i)$ without knowing secret key x of the $TA$. However, according to Section 5.1, we demonstrate that $U_{ma}$ successfully impersonates legitimate user and calculates the session key. Therefore, Kumar et al.’s protocol is insecure against SG device stolen attack.

5.3. Session Key Disclosure Attack

In Kumar et al.’s scheme, they claimed that their scheme was secure against session key disclosure attack, although the secret numbers u and v are compromised to $U_{ma}$. According to the Kumar et al’s scheme, $U_{ma}$ cannot obtain session key $S{K}_{ij}$ because $U_{ma}$ does not know parameters $RI{D}_i$ and $T{C}_i$. However, in Section 5.1, we demonstrate that $U_{ma}$ can successfully generate session key $S{K}_{ij}$ using parameters obtained from SG devices of a legitimate user. Therefore, once a SG device is compromised, all its previous communications will be breached. Furthermore, since the malicious attacker $U_{ma}$ can capture as many SG devices as possible, the $U_{ma}$ can obtain the session key $S{K}_{ij}$ of other SG devices. As a result, Kumar et al.’s protocol cannot defend against session key disclosure attack.

5.4. Mutual Authentication

Kumar et al. showed that their scheme could achieve secure mutual authentication between $S{D}_i$ and $U{C}_j$. However, according to Section 5.1, $U_{ma}$ can successfully compute authentication request message $C_i=h(T{C}_i||T_1)\oplus h(RI{D}_i||U_i||T_1)$ and response message $SK{V}_{ij}^{*}=h(S{K}_{ij}^{\prime }||RI{D}_i||V_j||T_3)$. Consequently, Kumar et al.’s scheme does not achieve secure mutual authentication.

6. Proposed Scheme

This section proposes a privacy-preserving lightweight authentication scheme for demand response management in the SG environment to overcome various security drawbacks of Kumar et al.’s protocol [6]. In our scheme, the general data flow of the SG system model in public channel is the same as Kumar et al.’s scheme [6]. The proposed scheme is composed of seven process: pre-deployment, SG registration, UC registration, authentication, dynamic SG device addition, and dynamic UC addition.

6.1. Pre-Deployment Process

In this section, the SG devices $S{D}_i$ and $U{C}_j$ must register with $TA$ before its deployment in SG environments. $TA$ firstly selects unique identities $I{D}_i$ and $I{D}_j$ of $S{D}_i$ and $U{C}_j$, respectively. Then, $TA$ stores the credential information $\{I{D}_i\}$ in the memory of $S{D}_i$ and stores the credential information $\{I{D}_j\}$ in the database of $U{C}_j$ prior to its deployment in the SG environments.

6.2. Smart Grid Device Registration Process

The $S{D}_i$ must register with trusted authority $TA$ to receive the power management services. Figure 6 describes the SG device registration process of proposed scheme and the steps of this process are given below.

Step 1:

$TA$ generates a random number $x_i,a_i$ for $S{D}_i$. After that, $TA$ computes $RI{D}_i=h(I{D}_i||a_i)$, $X_i=h(RI{D}_i||K_s||x_i)$, $A_i=X_i\oplus h(RI{D}_i||a_i)$, and $B_i=h(RI{D}_i||X_i)$ and stores $\{x_i,RI{D}_i\}$ in secure database. Finally, $TA$ sends $\{A_i,B_i,a_i\}$ to $S{D}_i$.

Step 2:

After receiving the message, $S{D}_i$ computes $C_i=h(I{D}_i||B_i)\oplus a_i$ and stores $\{A_i,B_i,C_i\}$ in the memory.

6.3. Utility Center Registration Process

The $U{C}_j$ must register with $TA$ in order to provide power management services. Figure 7 describes the UC registration process of proposed scheme and the steps of this process are given below.

Step 1:

$TA$ computes $RI{D}_j=h(I{D}_j||K_s)$ and retrieves $\{RI{D}_i,x_i\}$ in secure database. Then, $TA$ computes $X_i=h(RI{D}_i||K_s||x_i)$ and sends $\{RI{D}_j,(RI{D}_i|i=1,2\dots ,l),X_i\}$ to $U{C}_j$.

Step 2:

After receiving the message, $U{C}_j$ computes $V_i=X_i\oplus I{D}_j$ and stores $\{RI{D}_j,(RI{D}_i|i=1,2\dots ,l),V_i\}$ in the database.

6.4. Authentication Process

In authentication process, the proposed scheme provides the user’s privacy by using pseudo-identity and secret parameters in the SG environments. Before the starting session, $S{D}_i$ request an authentication request to $U{C}_j$ in order to ensure secure communication and establish the session key $S{K}_{ij}$. Figure 8 describes the authentication process of proposed scheme and the steps of this process are given below.

Step 1:

$S{D}_i$ computes $a_i=C_i\oplus h(I{D}_i||B_i)$, $RI{D}_i=h(I{D}_i||a_i)$, $X_i=A_i\oplus h(RI{D}_i||a_i)$, and $B_i^{*}=h(RI{D}_i||X_i)$. Then, $S{D}_i$ checks whether $B_i^{*}\stackrel{?}{=}{B}_i$. If the condition $B_i^{*}\stackrel{?}{=}{B}_i$ is valid, $S{D}_i$ generates a random nonce $R_{SD}$ and computes $M_1=X_i\oplus R_{SD}$, $M_2=RI{D}_i\oplus h(X_i||R_{SD})$, and $M_3=h(RI{D}_i||X_i||R_{SD})$. After that, $S{D}_i$ sends authentication request message $\{M_1,M_2,M_3\}$ to $U{C}_j$ over insecure channel.

Step 2:

After receiving the message from $S{D}_i$, $U{C}_j$ retrieves $\{V_i\}$ in database and calculates $X_i=V_i\oplus I{D}_j$, $R_{SD}^{*}=M_1\oplus X_i$, and $RI{D}_i^{*}=M_2\oplus h(X_i||R_{SD})$. Then, $U{C}_j$ retrieves corresponding $\{RI{D}_i\}$ in database and checks whether $RI{D}_i^{*}\stackrel{?}{=}RI{D}_i$. If the condition $RI{D}_i^{*}\stackrel{?}{=}RI{D}_i$ is valid, $U{C}_j$ calculates $M_3^{*}=h(RI{D}_i^{*}||X_i||R_{SD}^{*})$ and checks whether $M_3^{*}\stackrel{?}{=}{M}_3$. If the condition $M_3^{*}\stackrel{?}{=}{M}_3$ is correct, $U{C}_j$ generates a random nonce $R_{UC}$ and computes $M_4=R_{UC}\oplus h(X_i||R_{UC})$, $M_5=RI{D}_j\oplus R_{UC}$, $S{K}_{ij}=h(R_{SD}||R_{UC})$ and $M_6=h(RI{D}_i||X_i||R_{SD}||R_{UC})$. Finally, $U{C}_j$ sends authentication message $\{M_4,M_5,M_6\}$ to $S{D}_i$ over insecure channel.

Step 3:

After receiving the message from $U{C}_j$, $S{D}_i$ computes $R_{UC}=M_4\oplus h(X_i||R_{UC})$, $RI{D}_j=M_5\oplus R_{UC}$, $S{K}_{ij}=h(R_{SD}||R_{UC})$, and $M_6^{*}=h(RI{D}_i||X_i||R_{SD}||R_{UC})$. After that, $S{D}_i$ checks whether $M_6^{*}\stackrel{?}{=}{M}_6$. If the condition $M_6^{*}\stackrel{?}{=}{M}_6$ is correct, the $S{D}_i$ and $U{C}_j$ achieve mutual authentication successfully.

6.5. Dynamic Smart Grid Device Addition Process

When new SG device $S{D}_i$ wants to register with the SG environments, the following steps must be performed and detailed steps are as follows. The main goal of this process is adding a new SG device to provide flexibility in SG environments. The detailed steps of this process are given below.

Step 1:

First, $TA$ chooses a new $I{D}_i^{new}$ to the $S{D}_i$ over secure channel. After receiving the message, $S{D}_i$ sends $RI{D}_i$ to the $TA$ over secure channel. Then, $TA$ generates a random number $a_i^{new},x_i^{new}$.

Step 2:

After that, $TA$ computes $RI{D}_i^{new}=h(I{D}_i^{new}||a_i^{new})$, $X_i^{new}=h(RI{D}_i^{new}||K_s||x_i^{new})$, $A_i^{new}=X_i^{new}\oplus h(RI{D}_i^{new}||a_i^{new})$, and $B_i^{new}=h(RI{D}_i^{new}||X_i^{new})$. Finally, $TA$ stores $\{x_i^{new},RI{D}_i^{new}\}$ in secure database and sends its to the $S{D}_i$ over secure channel.

Step 3:

After receiving the message, $S{D}_i$ computes $C_i^{new}=h(I{D}_i^{new}||B_i)\oplus a_i^{new}$ and stores $\{A_i^{new},B_i^{new}\}$ in the memory.

6.6. Dynamic Utility Center Addition Process

The following steps are required to deploy new $U{C}_j^{new}$ and the detailed steps are given below.

Step 1:

The $TA$ chooses a new $I{D}_j^{new}$ and sends $\{I{D}_j^{new}\}$ to $U{C}_j$ over secure channel. After receiving the message, $U{C}_j$ sends $RI{D}_j$ to the $TA$ over secure channel. After that, $TA$ computes $RI{D}_j^{new}=h(I{D}_j^{new}||K_s)$ and retrieves $\{RI{D}_i^{new},x_i\}$ in the database.

Step 2:

Then, $TA$ computes $X_i^{new}=h(RI{D}_i^{new}||K_s||x_i^{new})$ and sends $\{RI{D}_j^{new},(RI{D}_i^{new}|i=1,2,\dots ,l),X_i^{new}\}$ to the $U{C}_j$.

Step 3:

After receiving the message, $U{C}_j$ computes $V_i^{new}=X_i^{new}\oplus I{D}_j^{new}$ and stores $\{RI{D}_j^{new},(RI{D}_i^{new}|i=1,2,\dots ,l),V_i^{new}\}$ in secure database.

7. Security Analysis

In this phase, we demonstrate that the proposed scheme has the ability to resist various attacks using informal security analysis and the formal security verification tool Automated Validation of Internet Security Protocols and Applications (AVISAP). We also analyze that our proposed scheme provides session key security and secure mutual authentication using Real-or-Random (ROR) model [14] and Burrows–Abadi–Needham (BAN) logic [13]. ROR model, BAN logic, and AVISPA analysis techniques are also widely accepted to evaluate the security of protocol.

7.1. Informal Security Analysis

We performed informal security analysis to demonstrate the safety of the proposed scheme. Our protocol can defend against various attacks such as session key disclosure, SG device stolen, masquerade, and replay attacks, as well as ensure secure mutual authentication and anonymity.

7.1.1. Masquerade Attack

According to Section 1.1, a malicious adversary $U_{ma}$ can obtain SG device of legitimate user and can intercept transmitted data over insecure channel. If $U_{ma}$ tries impersonate a legitimate user, $U_{ma}$ must correctly generate an authentication request and response messages. However, $U_{ma}$ cannot generate the authentication request message $\{M_1,M_2,M_3\}$ and authentication message $\{M_4,M_5,M_6\}$ without the correct random nonces $R_{SD}$ and $R_{UC}$. Furthermore, $U_{ma}$ cannot generate a session key $S{K}_{ij}=h(R_{SD}||R_{UC})$ because secret parameter $X_i$ is not available to $U_{ma}$. Therefore, the proposed scheme is secure against masquerade attack.

7.1.2. Smart Grid Device Stolen Attack

We assume that a malicious adversary $U_{ma}$ obtains SG device of a legitimate user and extracts secret information $\{A_i,B_i,C_i\}$ stored in the memory using power analysis attack [9]. However, $U_{ma}$ cannot obtain sensitive information of a legitimate user because all information stored in the memory is masked by XOR operation and hash function. Therefore, our protocol prevents SG device stolen attack because $U_{ma}$ cannot know the user’s real identity $I{D}_i$, $a_i$, and secret parameter $X_i$.

7.1.3. Replay Attack

Our protocol withstands replay attack because all transmitted messages are changed in every session. Assuming that $U_{ma}$ tries to impersonate legal user by resending information transmitted in a previous authentication process, $U_{ma}$ cannot use the previous messages because $S{D}_i$ and $U{C}_j$ check whether $M_3^{*}\stackrel{?}{=}{M}_3$ and $M_6^{*}\stackrel{?}{=}{M}_6$, respectively. Thus, our protocol is secure against replay attack.

7.1.4. Session key disclosure attack

In the proposed scheme, $U_{ma}$ cannot calculate $S{K}_{ij}=h(R_{SD}||R_{UC})$ because $U_{ma}$ cannot compute authentication request message $\{M_1,M_2,M_3\}$ without knowing random nonce $R_{SD}$ and secret parameter $X_i$. Therefore, our protocol can withstand session key disclosure attack.

7.1.5. Insider attack

This type of attack happens when the administrator of authentication server exploits data stored in the database to legalize his authentication process on behalf of the user. Even if it is assumed that a malicious adversary $U_{ma}$ can obtain $RI{D}_i,RI{D}_j,V_i$ stored in memory of $U{C}_j$, $U_{ma}$ cannot obtain sensitive information such as user’s real identity $I{D}_i$ and $X_i$ without knowing random nonce $R_{SD}$ and $I{D}_j$. Thus, our protocol is secure against insider attack.

7.1.6. Mutual Authentication

After receiving the authentication request message $\{M_1,M_2,M_3\}$ from the $S{D}_i$, $U{C}_j$ checks whether $M_3^{*}\stackrel{?}{=}{M}_3$. If $M_3^{*}\stackrel{?}{=}{M}_3$ is valid, $U{C}_j$ authenticates $S{D}_i$ successfully. After receiving the authentication message $\{M_4,M_5,M_6\}$ from the $U{C}_j$, $S{D}_i$ also checks whether $M_6^{*}\stackrel{?}{=}{M}_6$, and then $S{D}_i$ authenticates $U{C}_j$. Therefore, our protocol ensures secure mutual authentication between $S{D}_i$ and $U{C}_j$ because $U_{ma}$ cannot generate correct authentication messages.

7.1.7. Anonymity

$U_{ma}$ does not obtain a legitimate user’s real identity $I{D}_i$ because it is masked by one-way hash function and XOR operation such as $RI{D}_i=h(I{D}_i||a_i)$. Therefore, our protocol ensures anonymity because $U_{ma}$ cannot know the user’s real identity without random nonce $a_i$ and $R_{SD}$.

7.2. Security Features

In

Table 2. A comparative summary: security features.

Security Feature	Wu–Zhou [28]	Tsai–Lo [20]	Odelu et al. [21]	Kumar et al. [6]	Ours
Masquerade attack	∘	∘	∘	×	∘
Smart grid device stolen attack	∘	∘	∘	×	∘
Replay attack	∘	∘	∘	∘	∘
Session key disclosure attack	×	×	∘	×	∘
Man-in-the-middle attack	∘	∘	∘	∘	∘
Mutual authentication	∘	∘	∘	×	∘
Anonymity	×	∘	∘	∘	∘
Dynamic node addition phase	×	×	×	∘	∘

∘: security feature is satisfied; ×: security feature is not satisfied.

, we evaluate the security features of the proposed scheme with existing schemes [6,20,21,28]. The schemes in [20,28] cannot withstand session key disclosure attack and those in [20,21,28] provide dynamic node addition phase. The scheme in [6] cannot withstand various types of attacks and cannot ensure secure mutual authentication and anonymity. Consequently, the proposed scheme ensures better security functionality than all previous schemes.

7.3. Formal Security Analysis Using BAN Logic

We performed BAN logic [13] analysis to verify that our protocol provides secure mutual authentication.

Table 3. Notations used for BAN logic.

Notation	Description
$Q|\equiv M$	Qbelieves statement M
$\#M$	Statement M is fresh
$Q⊲M$	Qsees statement M
$Q|\sim M$	Q once said M
$Q\Rightarrow M$	Qcontrols statement M
$<M{>}_N$	Formula M is combined with formula N
${\{M\}}_K$	Formula M is encrypted by key K
$SK$	Session key used in the current authentication session
$Q\stackrel{K}{\leftrightarrow }W$	Q and W communicate utilizing K as the shared key

shows the notation used for BAN logic analysis and we then defines the goals, idealized forms, and assumptions before performing BAN logic analysis.

7.3.1. BAN Logic Rule

The rules of BAN logic are as follows.

• Message meaning rule:

  $$\frac{Q|\equiv Q\stackrel{K}{\leftrightarrow }W,Q⊲{\left\{M\right\}}_K}{Q\left|\equiv W\right|\sim M}$$
• Nonce verification rule:

  $$\frac{Q\left|\equiv \#(M),Q\right|\equiv W|\sim M}{Q\left|\equiv W\right|\equiv M}$$
• Jurisdiction rule:

  $$\frac{Q\left|\equiv W\right|⟹M,Q\left|\equiv W\right|\equiv M}{Q|\equiv M}$$
• Freshness rule:

  $$\frac{Q|\equiv \#(M)}{Q|\equiv \#\left(M,N\right)}$$
• Belief rule:

  $$\frac{Q|\equiv \left(M,N\right)}{Q|\equiv M}$$

7.3.2. Goals

The goals for BAN logic analysis are as follows.

Goal 1:

$U{C}_j\mid \equiv (U{C}_j\stackrel{SK}{⟷}S{D}_i)$

Goal 2:

$U{C}_j\mid \equiv S{D}_i\mid \equiv (U{C}_j\stackrel{SK}{⟷}S{D}_i)$

Goal 3:

$S{D}_i\mid \equiv (U{C}_j\stackrel{SK}{⟷}S{D}_i)$

Goal 4:

$S{D}_i\mid \equiv U{C}_j\mid \equiv (U{C}_j\stackrel{SK}{⟷}S{D}_i)$

7.3.3. Idealized Forms

The idealized forms are formulated as follows:

${\mathit{Msg}}_{\mathbf{1}}$:

$S{D}_i\to U{C}_j$: ${(RI{D}_i,R_{SD})}_{X_i}$

${\mathit{Msg}}_{\mathbf{2}}$:

$U{C}_j\to S{D}_i$: ${(RI{D}_i,RI{D}_j,R_{UC})}_{X_i}$

7.3.4. Assumptions

We define initial assumptions to perform the BAN logic analysis.

${\mathit{A}}_{\mathbf{1}}$:

$U{C}_j\mid \equiv \#(R_{SD})$

${\mathit{A}}_{\mathbf{2}}$:

$S{D}_i\mid \equiv \#(R_{UC})$

${\mathit{A}}_{\mathbf{3}}$:

$U{C}_j\mid \equiv (U{C}_j\stackrel{X_i}{⟷}S{D}_i)$

${\mathit{A}}_{\mathbf{4}}$:

$S{D}_i\mid \equiv (U{C}_j\stackrel{X_i}{⟷}S{D}_i)$

${\mathit{A}}_{\mathbf{5}}$:

$U{C}_j\mid \equiv S{D}_i\Rightarrow (R_{SD})$

${\mathit{A}}_{\mathbf{6}}$:

$S{D}_i\mid \equiv U{C}_j\Rightarrow (R_{UC})$

${\mathit{A}}_{\mathbf{7}}$:

$U{C}_j\mid \equiv S{D}_i\Rightarrow (U{C}_j\stackrel{SK}{⟷}S{D}_j)$

${\mathit{A}}_{\mathbf{8}}$:

$S{D}_i\mid \equiv U{C}_j\Rightarrow (U{C}_j\stackrel{SK}{⟷}S{D}_j)$

7.3.5. Proof Using BAN Logic

We performed the BAN logic analysis for our protocol and the detailed proofs are below.

Step 1:

According to $Ms{g}_1$, we obtain

$$S_1:U{C}_j⊲{(RI{D}_i,R_{SD})}_{X_i}$$

Step 2:

Using the message meaning rule with $S_1$ and $A_3$, we can obtain

$$S_2:U{C}_j\mid \equiv S{D}_i\mid \sim {(RI{D}_i,R_{SD})}_{X_i}$$

Step 3:

Using the freshness rule with $A_1$, we can obtain

$$S_3:U{C}_j\mid \equiv S{D}_i\mid \equiv \#{(RI{D}_i,R_{SD})}_{X_i}$$

Step 4:

From the nonce verification rule with $S_2$ and $S_3$, we can obtain

$$S_4:U{C}_j\mid \equiv S{D}_i\mid \equiv {(RI{D}_i,R_{SD})}_{X_i}$$

Step 5:

Using the belief rule with $S_4$, we can obtain

$$S_5:U{C}_j\mid \equiv S{D}_i\mid \equiv (R_{SD})$$

Step 6:

Because of $SK=h(R_{SD}||R_{UC})$, from the $S_5$ and $A_2$ we can obtain

$$S_6:U{C}_j\mid \equiv S{D}_i\mid \equiv (U{C}_j\stackrel{SK}{⟷}S{D}_i)(\mathbf{Goal}\mathbf{2})$$

Step 7:

From the jurisdiction rule with $S_6$ and $A_7$ we can obtain

$$S_7:U{C}_j\mid \equiv (U{C}_j\stackrel{SK}{⟷}S{D}_i)(\mathbf{Goal}\mathbf{1})$$

Step 8:

According to $Ms{g}_2$, we can obtain

$$S_8:S{D}_i⊲{(RI{D}_i,RI{D}_j,R_{UC})}_{X_i}$$

Step 9:

Using the message meaning rule with $S_8$ and $A_4$, we can obtain

$$S_8:S{D}_i\mid \equiv U{C}_j\mid \sim {(RI{D}_i,RI{D}_j,R_{UC})}_{X_i}$$

Step 10:

Using the freshness rule with $A_2$, we can obtain

$$S_{10}:S{D}_i\mid \equiv U{C}_j\mid \equiv \#{(RI{D}_i,RI{D}_j,R_{UC})}_{X_i}$$

Step 11:

Using the nonce verification rule with $S_9$ and $S_{10}$, we can obtain

$$S_{11}:S{D}_i\mid \equiv U{C}_j\mid \equiv {(RI{D}_i,RI{D}_j,R_{UC})}_{X_i}$$

Step 12:

Using the belief rule with $S_{11}$, we can obtain

$$S_{12}:S{D}_i\mid \equiv U{C}_j\mid \equiv (R_{UC})$$

Step 13:

Because of $SK=h(R_{SD}||R_{UC})$, from the $S_{12}$ and $A_1$ we can obtain

$$S_{13}:S{D}_i\mid \equiv U{C}_j\mid \equiv (U{C}_j\stackrel{SK}{⟷}S{D}_i)(\mathbf{Goal}\mathbf{4})$$

Step 14:

Using the jurisdiction rule with $S_{13}$ and $A_8$ we can obtain

$$S_7:S{D}_i\mid \equiv (U{C}_j\stackrel{SK}{⟷}S{D}_i)(\mathbf{Goal}\mathbf{3})$$

Based on Goals 1–4, we proved that proposed protocol ensures secure mutual authentication between $S{D}_i$ and $U{C}_j$.

7.4. Formal Security Analysis Using ROR Model

ROR model [14] is the formal security analysis to verify session key (SK) security of protocol from active/passive attacker $U_A$. We first discuss the ROR model before performing the proof of SK security for the proposed protocol.

In our protocol, there are two participants SG device $P_{S{D}_i}^{t_1}$ and UC $P_{U{C}_j}^{t_2}$, where $P_{S{D}_i}^{t_1}$ and $P_{U{C}_j}^{t_2}$ are instances $t_1^{th}$ of $S{D}_i$ and $t_2^{th}$ of $U{C}_j$, respectively.

Table 4. Queries of ROR model.

Query	Description
$Execute(P_{S{D}_i}^{t_1},P_{U{C}_j}^{t_2})$	This query denotes that $U_A$ can eavesdrop transmitted messages between $SD$ and $UC$ over insecure channel. This query is modeled as an eavesdropping attack.
$CorruptSD(P_{S{D}_i}^{t_1})$	This corrupt SG device query means that $U_A$ can extract sensitive information stored in the SG device utilizing power-analysis attack. This query is modeled as an active attack.
$Send(P^t,M)$	This query denotes that $U_A$ can transmit message M to $P^t$ and can also receive the corresponding message from $P^t$. This query is modeled as an active attack.
$Test(P^t)$	This query means that an unbiased coin c is first flipped before the experiment begins and its output is used as a decider. $U_A$ execute this query and if session key $S{K}_{ij}$ between $SD$ and $UC$ is fresh, $P^t$ returns $S{K}_{ij}$ if $c=1$ or a random number when $c=0$. Otherwise, it returns the null value ⊥.
$Reveal(P^t)$	The query means that $U_A$ can compromise $S{K}_{ij}$ between $P^t$ and its partner in the current session.

defines queries for ROR model to perform security analysis, including $Execute$, $CorruptSD$, $Reveal$, $Send$, and $Test$ queries. $Hash$ is also a random oracle, which is a collision-resistant hash function. We uses Zipf’s law [29] to prove SK security of the proposed protocol, which has been widely applied to verify recent authentication schemes [30,31].

Theorem 1.

If $Ad{v}_{U_A}$ denotes the advantage function of a malicious attacker $U_A$ in violating SK security of the proposed authentication scheme, then

$$Ad{v}_{U_A}\le \frac{q_h^2}{|Hash|}+2\{C·q_{send}^s\}$$

where $Hash$, $q_{send}$ and $q_h$ are the number of $Hash$ query, the number of $Send$ query, and the range space of the hash function $h(.)$, respectively, and s and C are the Zipf’s parameters [29].

Proof. 

Similarly, we adopt the proof as presented in [32,33]. A sequence of four games is denoted by $G{M}_i$, where $i\in [0,3]$ are defined for demonstrating the SK security of the proposed authentication scheme. We denote that $Suc{c}_i$ is the probability a malicious attacker $U_A$ wins the game $G{M}_i$. The detailed descriptions of these four games are shown in Game 0–3. □

• Game$G{M}_0$: This game is the initial game in which $U_A$ selects the random bit c. In addition, this game denotes actual attack of $U_A$ for the protocol and c is guessed at the beginning of $G_0$. According to this game, we can get,

  $$Ad{v}_{U_A}=|2·Pr\left[Suc{c}_0\right]-1|$$

  (1)
• Game$G{M}_1$: This game denotes that $U_A$ performs an eavesdropping attack, in which it intercepts all transmitted messages $\{M_1,M_2,M_3\}$ and $\{M_4,M_5,M_6\}$ during authentication process utilizing $Execute$ query. Once the game ends, $U_A$ sends $Test$ and $Reveal$ queries. The output of the $Test$ and $Reveal$ queries decide if $U_A$ obtains random numbers and shared session key $S{K}_{ij}=h(R_{SD}||R_{UC})$ between $SD$ and $UC$. To derive $S{K}_{ij}$, $U_A$ needs secret information $R_{SD}$, $R_{UC}$, and $X_i$. Thus, $G{M}_0$ and $G{M}_1$ are indistinguishable because the winning probability of $U_A$ is not increased. We then get,

  $$Pr\left[Suc{c}_1\right]=Pr\left[Suc{c}_0\right]$$

  (2)
• Game$G{M}_2$: In this game, the $Hash$ and $Send$ queries are simulated. This game is modeled as an active attack, in which a malicious attacker $U_A$ eavesdrops all transmitted messages $\{M_1,M_2,M_3\}$ and $\{M_4,M_5,M_6\}$ during authentication process. All transmitted messages in authentication process are protected by utilizing the collision-resistant one-way hash function $h(.)$. In addition, random numbers $R_{SD}$ and $R_{UC}$ are used in the messages $\{M_1,M_2,M_3\}$ and $\{M_4,M_5,M_6\}$. However, $R_{SD}$ and $R_{UC}$ are not derived from all transmitted messages due to the collision-resistant one-way hash function $h(.)$. $U_A$ makes and sends $Hash$ query, and then we can get the result using birthday paradox.

  $$|Pr\left[Suc{c}_2\right]-Pr\left[Suc{c}_1\right]|\le \frac{q_h^2}{2|Hash|}$$

  (3)
• Game$G{M}_3$: In this the final game, the $CorruptSD$ query is simulated. Hence, a malicious attacker $U_A$ can extract the credential informations $\{A_i,B_i,C_i\}$ from memory of the SG device using power-analysis attack. Note that $A_i=X_i\oplus h(RI{D}_i||a_i)$, $B_i=h(RI{D}_i||X_i)$ and $C_i=h(I{D}_i||B_i)\oplus a_i$. It is computationally infeasible for $U_A$ to derive identity $I{D}_i$ of $S{D}_i$ correctly via the $Send$ queries without $TA$’s master key $K_s$ and secret parameter $X_i$. As a result, $G{M}_2$ and $G{M}_3$ are indistinguishable if identity guessing attack is not implemented. Consequently, utilizing Zipf’s law [29], we can get the result as below:

  $$|Pr\left[Suc{c}_3\right]-Pr\left[Suc{c}_2\right]|\le C·q_{send}^s$$

  (4)
  As all the games are executed, $U_A$ can only guess the exact bit c. Thus, we can get as below:

  $$Pr\left[Suc{c}_3\right]=\frac{1}{2}$$

  (5)
  Using Equations (1), (2), and (5), we can get the result as below:

  $$\begin{array}{cc}\hfill \frac{1}{2}Ad{v}_{U_A}& =|Pr\left[Suc{c}_0\right]-\frac{1}{2}|\hfill \\ \hfill & =|Pr\left[Suc{c}_1\right]-\frac{1}{2}|\hfill \\ \hfill & =|Pr\left[Suc{c}_1\right]-Pr\left[Suc{c}_3\right]|\hfill \end{array}$$

  (6)
  Using Equations (4)–(6), we obtain the result utilizing the triangular inequality as below:

  $$\begin{array}{cc}\hfill \frac{1}{2}Ad{v}_{U_A}& =|Pr\left[Suc{c}_1\right]-Pr\left[Suc{c}_3\right]|\hfill \\ \hfill & \le |Pr\left[Suc{c}_1\right]-Pr\left[Suc{c}_2\right]|\hfill \\ \hfill & +|Pr\left[Suc{c}_2\right]-Pr\left[Suc{c}_3\right]|\hfill \\ \hfill & \le \frac{q_h^2}{2|Hash|}+max\{C·q_{send}^s\}\hfill \end{array}$$

  (7)
  Finally, we obtain the required result by multiplying both sides of Equation (7) by a factor of 2.

  $$Ad{v}_{U_A}\le \frac{q_h^2}{|Hash|}+2max\{C^{\prime }·q_{send}^{s^{\prime }}\}$$

7.5. Formal Security Analysis Using AVISPA

AVISPA is a widely used simulation tool for checking whether authentication protocol is secure against replay and MITM attacks. To perform AVISPA simulation, the session and environment of security protocol must be defined using the High-Level Protocol Specification Language (HLPSL). We define three basic roles in HLPSL implementation for the proposed protocol: the SG device $SD$, the utility server $UC$, and the trusted authority $TA$. The $session$ and $environments$ are shown in Figure 9.

7.5.1. Detailed Specification of Roles

First, $SD$ receives the initial messages and makes a state value from 0 to 1. $SD$ generates a random number $a_i$, calculates $RI{D}_i$, and then $SD$ sends a registration request message $\{RI{D}_i,a_i\}$ to $TA$ over secure channel and changes the state value from 1 to 2. In transition 2, $SD$ receives the secret parameters $\{A_i,B_i\}$ from $TA$ over secure channel. In login and authentication process, $SD$ generates a random number $R_{SD}$ and computes an authentication request message $\{M_1,M_2,M_3\}$. Then, $SD$ sends $\{M_1,M_2,M_3\}$ to utility center $UC$ and updates the state value from 2 to 3. In the last transition, $SD$ receives a authentication message $\{M_4,M_5,M_6\}$ from the $UC$, computes the session key $S{K}_{ij}$, and declares a request function $request(SD,UC,uc\_sd\_ruc,Ru{c}^{\prime })$, which means that $uc\_sd\_ruc$ denotes a strong authentication factor. As a result, $SD$ authenticates $UC$ successfully. The specification of a SG device ($SD$) is shown in Figure 10. In Figure 11 and Figure 12, the role specifications of $UC$ and $TA$ are similarly defined with $SD$.

7.5.2. Results of AVISPA Analysis

We utilized CL-based Attack Searcher (CL-AtSe) and On-the-fly-Model-Checker (OFMC) back-ends to the verify security of our protocol. The HLPSL code was translated into intermediate format, and then converted to output format using the back-ends. Figure 13 shows the results of simulation using two back-ends. The result of CL-AtSe back-end shows that two states were analyzed and the translation time was 0.10 s. The result of OFMC back-end shows it visited node 1040 nodes with nine plies depth. According to the results of simulation, the proposed protocol is secure against replay and MITM attacks.

8. Performance Analysis

This section compares performances and security feature of proposed scheme with existing schemes [6,20,21,28].

8.1. Computation Overhead

We compared the computation costs of the proposed scheme with existing schemes [6,20,21,28]. We define the parameters based on the work of Kumar et al.’s scheme [6]. $T_{cert\_ver}$, $T_{cert}$, $T_h$$T_s$, $T_e$, $T_m$, $T_{eca}$, $T_{ecm}$, and $T_b$ denote public key certificate verification, public key certificate generation, one-way hash function, symmetric encryption/decryption, modular exponentiation, multiplication, ECC point addition, ECC point multiplication, and bilinear pairing, respectively. Based on the works in [21,34], we present the execution time for various cryptographic operations in

Table 5. Various cryptographic operations based on execution time [21,34].

Entity	${\mathit{T}}_{\mathit{b}}$	${\mathit{T}}_{\mathit{ecm}}$	${\mathit{T}}_{\mathit{mp}}$	${\mathit{T}}_{\mathit{e}}$	${\mathit{T}}_{\mathit{h}}$
Pentium IV	$3.16$ ms	$1.17$ ms	$1.17$ ms	<1 ms	$0.01$ ms
HiPerSmart Card	$0.38$ s	$0.13$ s	$0.13$ s	<0.1 s	$0.001$ s

and assume {$T_s\approx T_h$, $T_m\approx T_e$} is negligible because it requires very low execution time. We also assume $T_{eca}\ll T_e$ and $T_{eca}\approx T_h$.

In authentication process, total computation overheads of proposed scheme and Kumar et al.’s scheme are $16T_h$ and $12T_h+4T_{ecm}$, respectively. Based on the works in [21,34], the total computational overheads of our scheme is 0.011 s and 0.05 ms, which is implemented on HiPerSmart card and Pentium IV platform, respectively. Therefore, we provide better efficiency than existing schemes because our protocol utilizes only hash function and XOR operation.

Table 6. A comparative summary: computation overheads.

Schemes	Total Computation Cost
Wu–Zhou [28]	$7T_{mp}+T_m+5T_h+T_s+T_{cert}+T_{cert\_ver}\approx 528.91$ ms
Tsai–Lo [20]	$7T_{mp}+2T_e+2T_b+10T_h\approx 635.88$ ms
Odelu et al. [21]	$5T_{mp}+2T_e+2T_b+12T_h\approx 505.72$ ms
Kumar et al. [6]	$12T_h+4T_{ecm}\approx 268.40$ ms
Ours	$16T_h\approx 11.05$ ms

shows the analysis result of computation overhead compared to existing schemes.

8.2. Communication Overhead

We first define that timestamp, identity, hash, random number, and ECC cryptosystem are 32, 160, 160, 160, and 320 bits, respectively. In our protocol, transmitted messages $\{M_1,M_2,M_3\}$ and $\{M_4,M_5,M_6\}$ require (160 + 160 + 160 =) 480 and (160 + 160 + 160 =) 480 bits, respectively. As a result, the proposed scheme has more efficient than related schemes [6,20,21,28] because the total communication overhead of proposed protocol is very low compared with the others.

Table 7. A comparative summary: communication overheads.

Schemes	Communication Cost	Number of Messages
Wu–Zhou [28]	3648 bits	4 messages
Tsai–Lo [20]	1408 bits	3 messages
Odelu et al. [21]	1920 bits	3 messages
Kumar et al. [6]	1376 bits	3 messages
Ours	960 bits	2 messages

shows the analysis result of communication overhead compared to existing schemes.

8.3. Storage Overhead

We first define that identity, hash, timestamp, random number, and public key cryptosystem are 20, 20, 4, 20, and 40 bytes, respectively. In our protocol, stored messages $\{A_i,B_i,C_i\}$ and $\{RI{D}_i,RI{D}_j,X_i\}$ require (20 + 20 + 20 =) 60 and (20 + 20 + 20 =) 60 bytes, respectively. Although the proposed scheme storage overhead of somewhat higher than Kumar et al.’s scheme, it provides better efficiency and security than the other related schemes [6,20,21,28].

Table 8. A comparative summary: storage overheads.

Schemes	Stored Message (Smart Device)	Stored Message (Utility Center/Service Provider)
Wu–Zhou [28]	-	-
Tsai–Lo [20]	$K_i\approx$ 40 bytes	$K_j\approx$ 40 bytes
Odelu et al. [21]	$s_i,R_i\approx$ 80 bytes	$k_j,K_j\approx$ 80 bytes
Kumar et al. [6]	$RI{D}_i,T{C}_i\approx$ 40 bytes	$RI{D}_j,T{C}_j\approx$ 40 bytes
Ours	$A_i,B_i,C_i\approx$ 60 bytes	$RI{D}_i,RI{D}_j,X_i\approx$ 80 bytes

shows the analysis result of storage overhead compared to existing schemes.

9. Conclusions

This study demonstrated that Kumar et al.’s scheme cannot defend against various potential attacks such as masquerade, SG device stolen, and session key disclosure attacks. We also showed that Kumar et al.’s scheme does not ensure mutual authentication. To overcome these security shortcomings of Kumar et al.’s scheme, we present a privacy-preserving lightweight authentication protocol for demand response management in the SG environments. Our protocol prevents against various attacks, including masquerade, replay, SG device stolen, and session key disclosure attacks and achieves secure mutual authentication and anonymity. We proved that our protocol ensures secure mutual authentication between $S{D}_i$ and $U{C}_j$ using BAN logic, and then we showed that the proposed protocol withstands various potential attacks using informal security analysis and ROR model. We also demonstrated that our scheme was secure against replay and MITM attacks using AVISPA simulation tool. Furthermore, we compared communication overheads, computation overheads, and storage overheads with existing schemes. Therefore, our protocol is applicable for practical SG environments because it is more secure and efficient than other existing schemes.