
IEEE TRANSACTIONS ON INDUSTRIAL INFORMATICS

Designing Anonymous Signature-Based Authenticated Key Exchange Scheme for IoT-Enabled Smart Grid Systems

Jangirala Srinivas, Member, IEEE, Ashok Kumar Das, Senior Member, IEEE, Xiong Li, Muhammad Khurram Khan, Senior Member, IEEE, and Minho Jo, Senior Member, IEEE

Abstract—Recent technological evolution in the Internet of Things (IoT) age supports better solutions to magnify the management of the power quality and reliability concerns, and imposes the measures of a smart grid. In a smart grid environment, a smart meter needs to securely access the services from a service provider via an insecure channel. However, since the communication is via a public channel, it is exposed to various security threats from an adversary. To deal with this, in this article we design a new anonymous signature-based authenticated key exchange scheme for the IoT-enabled smart grid environment, called AAS-IoTSG. The dynamic smart meter addition phase is also permissible in AAS-IoTSG after initial deployment. The security of AAS-IoTSG has been tested rigorously using formal security analysis under the Real-Or-Random (ROR) model, which is one of the broadly-accepted standard random oracle models, formal security verification under the broadly-used Automated Validation of Internet Security Protocols and Applications (AVISPA) tool, and also using informal security analysis. Finally, an exhaustive comparative study unveils that AAS-IoTSG supports better security & functionality features and requires less communication & computation overheads as compared to the existing state-of-the-art authentication mechanisms in smart grid systems.

Index Terms—Internet of Things, smart grids, authentication, anonymity, security, AVISPA.

I. INTRODUCTION

The Internet of Things (IoT) is now being utilized almost everywhere, as it comprises a wide variety of objects. These objects are connected through the Internet and are also interconnected with various sources, so that information can be collected without interruption and transmitted depending upon the usage. One can classify these objects as physical and virtual objects. With physical objects, information can be collected through cell phones, cameras, sensors, automatons, and vehicles. With virtual objects, information can be collected using electronic wallets and electronic tickets. These objects in IoT are capable of taking their own decisions without human involvement. This gives IoT a tremendous advantage in integrating computer-based systems, which helps in connecting to real-world physical systems that are remotely placed. This process of integration is also economically beneficial, and furthermore it gives the information proficiently with full accuracy. This is accomplished by reducing human involvement as much as possible [1].

This research was supported by the National Research Foundation of the Korean government (Grant#: NRF-2019R1I1A3A01057514). This paper was also supported by Researchers Supporting Project number (RSP-2020/12), King Saud University, Riyadh, Saudi Arabia, and in part by Mathematical Research Impact Centric Support (MATRICS), Science and Engineering Research Board (SERB), Government of India, File Number: MTR/2019/000699. (Corresponding Author: Minho Jo).

J. Srinivas is with the Jindal Global Business School, O. P. Jindal Global University, Haryana 131001, India (e-mail: [email protected]).

A. K. Das is with the Center for Security, Theory and Algorithmic Research, International Institute of Information Technology, Hyderabad 500 032, India (e-mail: [email protected], [email protected]).

X. Li is with the Institute for Cyber Security, School of Computer Science and Engineering, University of Electronic Science and Technology of China, Chengdu 611731, China (e-mail: [email protected]).

M. K. Khan is with the Center of Excellence in Information Assurance, College of Computer and Information Sciences, King Saud University, Saudi Arabia (e-mail: [email protected]).

M. Jo is with the Department of Computer Convergence Software, Korea University, Sejong Metropolitan 30019, South Korea (e-mail: [email protected]).

[Fig. 1: CPS aspects in smart grid systems [2]. Diagram labels: generation plant, transmission, distribution, distribution control center; cellular connection to headend system; PLC connection to data collector; the smart meter connects wirelessly or by wire to the meters' collector; wireless connection between the smart meter and home devices; diagnostics wireless interface for technicians. Links are marked (1) Cyber or (2) Cyber-Physical.]

One of the applications of Cyber-Physical Systems (CPSs) with IoT enabled in it is the smart grid environment. A typical scenario in smart grids [2] is shown in Fig. 1. In this smart grid environment, each house is equipped with a smart meter to report more accurate electricity consumption information to the utility providing companies. Furthermore, due to the accurate information provided by the smart grid environment, the customers can also easily track their electricity consumption information. In the smart grid environment, all appliances fixed to the houses which consume electricity are provided with smart meter interfaces to a data collector. Although the power line communications are connected through wired communications, the transmission and collection of data happens through wireless communications, which is considered to be a common means of communication in such a smart grid environment. Each smart meter is equipped with a short-range wireless interface with a diagnostics port so that the digital meter readers and the diagnostics tools can conveniently access it in real time [3]. Moreover, in a designated neighborhood, each smart meter sends the estimated meter's data to a specialist that aggregates the transmitted readings. The gathered data is then transmitted by the specialist to an assigned control center which is contended by the utility company. The “Advanced Metering Infrastructure (AMI)” head-end server receives and stores the meter's data that can offer the officials structure with the meter data which can be managed with various systems to extract the data and utilize it, for instance, demand response systems, understudies of history and billing structures.

A. Motivation

As depicted in Section II, although different authentication schemes [4], [5], [6], [7], [8] have been presented to date, most of the proposed schemes fail to provide the required security properties (for example, “protection against privileged-insider attack”, “anonymity preservation”, “traceability preservation”, “protection against man-in-the-middle attack”, “protection against strong replay attack”, “protection against impersonation attacks”, “support to mutual authentication”, “strong smart meters’ privacy protection”, “resilience against smart meter physical capture attack”, “session key security”, and “forward secrecy preservation”), which are considered to be major requirements in the smart grid context. The above facts encourage us to come up with a new authentication design that can satisfy several security features and overcome the security pitfalls and drawbacks of existing authentication schemes in the smart grid environment. Consequently, we aim to design a new “Elliptic Curve Cryptography (ECC)” enabled Schnorr’s signature based authenticated key agreement scheme for smart grid security with the following properties:

1) The participants (smart meters and service providers) are facilitated with mutual authentication.

2) The designed scheme can withstand several attacks, such as replay, man-in-the-middle, impersonation, and traceability attacks, and preserves user anonymity and untraceability.

3) The proposed scheme requires communication and computation costs comparable to those of other existing authentication protocols in the smart grid environment.

4) The new dynamic smart meter addition is permitted in the proposed scheme.

5) The proposed scheme also provides session key security even if the temporal secrets are leaked through session hijacking attacks.

B. System Models

In this system model, we follow two sub-models (authentication & threat models) in designing our proposed scheme (AAS-IoTSG).

1) Authentication Model: The “National Institute of Standards and Technology (NIST)” [9] suggested a smart grid framework model that has two main components, namely smart meters and service providers. Both components initially register with the Trust Anchor ($TA$). In the sub-portion shown in Fig. 2, the only trusted entity is the $TA$. Initially, the $TA$ undergoes the system setup phase for setting the system parameters. After the system setup, the participants (smart meters and service providers) also undergo the registration process and receive the credentials (public and private keys) during this process via a secure channel. Later, as the communication happens over a public channel, the situation becomes unpredictable due to the nature of the communication among the participants. This gives an attacker scope to pose security threats and create security issues. In such a situation, there is also the possibility that the attacker can breach the communication to compromise the privacy of entities in the smart grid environment [9]. This demands considering and handling the breach in the communication of entities and the security issues, and ensuring the smart grid communication security. To overcome the drawbacks found in earlier proposed schemes, a novel authentication scheme is designed in this work which is intended to facilitate the communication efficiently in terms of “communication and computation costs”. In the smart grid environment, many smart meters are connected in the system to communicate with the service providers to get access to the desired information from the specified service provider(s). In addition to this, new smart meters can be deployed after initial deployment in the proposed AAS-IoTSG.

Fig. 2: An authentication model for smart grid environment [4], [5], [8], [10]

2) Threat Model: The familiar “Dolev-Yao threat model (DY model)” [11] is considered in our proposed AAS-IoTSG. In the DY model, the participating entities communicate with each other via an insecure channel, where the smart meters are not treated as trusted entities and the service providers are considered as semi-trusted. During the communication, an attacker $\mathcal{A}$ would then have an option to eavesdrop, alter or delete the communicated messages, as these are communicated over an insecure channel. The $TA$ is considered as a fully trusted entity. Moreover, since the smart meters cannot be monitored 24 × 7, some smart meters can be physically captured, which allows the credentials stored in those captured smart meters to be extracted using power analysis attacks [12]. Finally, we consider the current de facto standard model in modeling key-exchange protocols, known as the “CK-adversary model” [13]. Under the CK-adversary model, $\mathcal{A}$ can convey information as in the DY model, and in addition, he/she can also compromise the secret credentials, such as “session keys”, “private keys” and “session states”.

C. Research Contributions

The contributions are listed below:

• We design an efficient and more secure ECC-enabled Schnorr’s signature based authentication scheme (AAS-IoTSG) for the smart grid environment that can potentially resist various known attacks. In AAS-IoTSG, a smart meter $SM_i$ and a service provider $SP_j$ mutually authenticate each other during the “authentication and key agreement phase”, and they also establish a common session key between them for secure communication. In addition, the “dynamic node addition phase” is supported in AAS-IoTSG, in which a new smart meter $SM_i^{new}$ can be deployed in the network anytime after initial deployment.

• The ROR model based formal security analysis [13] proves the strength of our AAS-IoTSG. Using such security analysis, it is shown that AAS-IoTSG provides the “session key security”. Furthermore, to ensure resistance against other existing known attacks, the “informal (non-mathematical)” security analysis is also presented.

• With the help of the broadly-accepted “Automated Validation of Internet Security Protocols and Applications (AVISPA) tool” [14], which is a formal security verification software tool, we have done the formal security verification on the proposed AAS-IoTSG. The obtained simulation results using the AVISPA tool indicate that AAS-IoTSG is secure against passive/active attacks, such as replay and man-in-the-middle attacks.

• Furthermore, AAS-IoTSG is shown to be comparable with other existing schemes in terms of “communication” and “computation” costs, and it also provides better “security and functionality features” as compared to those for other existing schemes. The comparative study shows that AAS-IoTSG is efficient and more robust for the smart grid systems as compared to other authentication mechanisms.

D. Paper Organization

In the next section, the related work is discussed. Various phases related to the proposed AAS-IoTSG are elaborately discussed in Section III. Next, a detailed security analysis is presented in Section IV with the help of both “formal” and “informal (non-mathematical)” security analysis. To further strengthen the security of AAS-IoTSG, the “formal security verification using one of the widely-accepted software verification tools, known as Automated Validation of Internet Security Protocols and Applications (AVISPA) [14]” has been carried out on AAS-IoTSG in Section V. A comparative study on AAS-IoTSG and other relevant existing user authentication techniques is illustrated in Section VI. The concluding remarks are then provided in Section VII.

II. RELATED WORK

Authentication is a crucial security service in a networking environment [5], [7], [10], [15], [16], [17], [18], [19], [20]. In the year 2011, Fouda et al. [18] presented their work by designing an “Authenticated Key Agreement (AKA)” scheme for smart meters. In their model, they considered the smart grid environment as a communication framework in which the power transmission and distribution system of the smart grid are described as a separate communication model. They claimed that smart meters are compatible with smart equipment which ensures the establishment of a secret common key for each session.

In another study, Wu and Zhou [21] proposed a key management scheme between the smart sensor and the data collectors. But, Xia and Wang [4] discussed the drawbacks of the Wu and Zhou [21] scheme, and presented an improved version by establishing the session key between the smart meters and a service provider with the help of a trusted mediator.

To ensure the privacy of the smart network, Chim et al. [22] used a tamper-resistant device which is suggested to work well in an authentication framework. Furthermore, in the sign-in phase, they introduced a time stamp, but due to the clock synchronization problem their design proves to be inefficient. Unlike Fouda et al. [18] and Xia and Wang [4], Sule et al. [23] designed an authentication scheme. However, due to the security issues and drawbacks, their scheme proves to be insecure too.

Nicanfar et al. [24] proposed an ECC based authentication protocol which is intended to have low computational complexity, with a pre-loaded password facility among the distinct devices and the home area network (HAN) in the smart grid environment. Further, Nicanfar et al. [25] also presented a password based AKA scheme which is intended to ensure forward and backward secrecy properties.

Tsai and Lo [5] designed their scheme for smart grid using an identity-based signature to provide an anonymous key distribution scheme where mutual authentication is established between a smart meter and the service providers so that they can communicate securely using the established session key. But, their scheme also has security issues such as privileged-insider attack, offline password guessing attack, session key (SK) security and smart meter privacy. Furthermore, their scheme does not provide some features, such as the dynamic smart meter addition phase.

Jo et al. [19] proposed their work using two protocols (we call them Protocol I and Protocol II). Both protocols are designed using the initial setup and registration phases. Moreover, Protocol II is observed to be the modified version of Protocol I, as it requires additional measures compared to Protocol I.

Mahmood et al. [6] designed their proposal using a hybrid Diffie-Hellman authentication protocol for the smart grid environment. Their protocol is intended to achieve authentication between the home area network, such as smart meter gateway, and building area network, such as smart meter gateway. Their scheme fails to ensure the security, and it is also found that weaknesses such as user anonymity, session key agreement and impersonation attack exist in their scheme. Li et al. [26] proposed an authentication scheme between the home area network and the building area network using the “Public Key Infrastructure (PKI)”. Wazid et al. [20] also designed an efficient three-factor user authentication protocol suitable for a renewable energy-based smart grid deployment. Their protocol applies lightweight cryptographic computations, such as “one-way hash functions”, “bitwise XOR operations” and ECC.

Mahmood et al. [7] designed their proposal for the smart grid environment using ECC. But, their scheme fails to ensure security features such as password guessing attack, insider attack, anonymity preservation and impersonation attack. Odelu et al. [8] in their study discussed the drawbacks and security issues of the scheme of Tsai and Lo [5]. Security issues such as the ephemeral secret leakage attack exist in [5], and the privacy of the smart meter is not preserved in [5]. Furthermore, to overcome the security issues in [5], Odelu et al. [8] proposed a provably secure authentication scheme for smart grid. But, both the schemes [7] and [8] fail to support the “dynamic smart meter addition phase”.

Abbasinezhad-Mood and Nikooghadam [10] designed an ECC-based key distribution protocol that enables the smart meters and service providers to establish session keys among them for secret communications. Their scheme is an anonymous self-certified mechanism that is free from the certificate management overhead and also the key escrow problem. However, their scheme fails to provide “strong replay attack protection” and “strong smart meters’ privacy”. In addition, their scheme fails to allow the addition of new smart meters after initial deployment. To overcome the above drawbacks/limitations in the existing schemes, we aim to propose a new secure authentication scheme for the smart grid environment.

III. THE PROPOSED SCHEME

In this section, our proposed anonymous ECC-based self-certified authentication scheme in the IoT-enabled smart grid networks (AAS-IoTSG) is detailed. As illustrated in Fig. 2, AAS-IoTSG has three main phases, namely “system setup”, “registration”, and “authentication and key agreement”. Apart from these phases, we also have another phase, known as “dynamic node addition”, which is essential to dynamically add some new smart meters after initial deployment, if necessary.

In the “system setup” phase, the trusted $TA$ sets the system parameters and publishes them. In the “registration” phase, each $SM_i$ or $SP_j$ obtains its private key with the help of the trusted $TA$. Ultimately, in the “authentication and key agreement” phase, both $SM_i$ and $SP_j$ share a session key after their mutual authentication. To accommodate the replay attack protection, we utilize the current system timestamp validation of the communicated messages. This is a typical assumption applied in several authentication mechanisms across various networking environments [20]. The notations along with their descriptions tabulated in Table I are used in discussing the phases in the following subsections. During the registration phase, we assume that there exist some secure channels among a smart meter $SM_i$, a trusted anchor ($TA$) and a service provider $SP_j$, because typically the registration process is a one-time matter. By the secure channel, we mean that the registration credentials can be delivered in person in offline mode, or credentials can be encrypted using pre-shared secret keys among the entities for secure communication. Thus, an adversary cannot tamper with the credentials sent by the entities during the registration process. On the other side, by insecure channel, we mean that the adversary not only can intercept the messages during communication among the entities on the fly, but also can modify, delete or insert fake messages during communication.

TABLE I: Notations used in this paper

| Symbol | Significance |
|---|---|
| $TA$ | Trust Anchor |
| $SM_i$, $ID_{SM_i}$ | $i$th smart meter and its identity |
| $SP_j$, $ID_{SP_j}$ | $j$th service provider and its identity |
| $n_{sm}$, $n_{sp}$ | Number of smart meters and service providers deployed initially, respectively |
| $E_q(u, v)$ | A non-singular elliptic curve: $y^2 = x^3 + ux + v \pmod q$, $u, v \in Z_q = \{0, 1, 2, \ldots, q-1\}$, $4u^3 + 27v^2 \neq 0 \pmod q$ |
| $P$ | A base point in $E_q(u, v)$ |
| $P + Q$ | An elliptic curve point addition with $P, Q \in E_q(u, v)$ |
| $x \cdot Q$ | An elliptic curve point multiplication; $x \in Z_q^*$, $Q \in E_q(u, v)$ |
| $(t, T_{pub})$ | Private-public key pair of $TA$, with $T_{pub} = t \cdot P$ |
| $h(\cdot)$ | A cryptographic (collision resistant) one-way hash function |
| $SK_{ij}$ | A session key between $SM_i$ and $SP_j$ |
| $TS_i$, $TS_j$, $TS'_i$ | Current timestamps |
| $\Delta T$ | Maximum transmission delay |
| $\oplus$, $\Vert$ | Bitwise XOR and concatenation operations, respectively |
| $\mathcal{A}$ | (Passive/Active) adversary |

A. System Setup Phase

The $TA$ executes the following steps to select the system parameters:

S1: The $TA$ considers a non-singular elliptic curve $E_q(u, v)$ of the form $y^2 = x^3 + ux + v \pmod q$ over a prime (finite) field $Z_q = \{0, 1, \ldots, q-1\}$ with a base point $P$.

S2: The $TA$ then chooses a random number $t \in Z_q^*$ as the system private key and calculates the respective system public key as $T_{pub} = t \cdot P$.

S3: Next, the $TA$ picks a “collision-resistant one-way hash function” of the form $h : \{0, 1\}^* \rightarrow \{0, 1\}^l$ which takes an arbitrary bit-length input string and produces a fixed-length output as “message digest (hash value)”.

Smart Meter ($SM_i$): Select $ID_{SM_i}$. Send $\{ID_{SM_i}\}$ to the $TA$ (secure channel).

Service Provider ($SP_j$): Select $ID_{SP_j}$. Send $\{ID_{SP_j}\}$ to the $TA$ (secure channel).

Trust Anchor ($TA$): Generate $t_{SM_i}, t_{SP_j} \in Z_q^*$.

Trust Anchor ($TA$): Calculate $T_{SM_i} = t_{SM_i} \cdot P$, $M_{SM_i} = t_{SM_i} + h(T_{SM_i} \| ID_{SM_i}) \cdot t \pmod q$. Send $\langle M_{SM_i}, T_{SM_i}, ID_{SM_i}, \{ID_{SP_j} \mid (j = 1, 2, \ldots, n_{sp})\} \rangle$ to $SM_i$ (secure channel).

Trust Anchor ($TA$): Calculate $T_{SP_j} = t_{SP_j} \cdot P$, $P_{SP_j} = t_{SP_j} + h(T_{SP_j} \| ID_{SP_j}) \cdot t \pmod q$. Send $\langle P_{SP_j}, T_{SP_j}, ID_{SP_j}, \{ID_{SM_i} \mid (i = 1, 2, \ldots, n_{sm})\} \rangle$ to $SP_j$ (secure channel).

Fig. 3: Smart meters and service providers registration phase during initial deployment


B. Registration Phase

This phase elaborates the registration procedure of each smart meter $SM_i$ and service provider $SP_j$, which is executed by the trusted $TA$ securely. The $TA$ uses Schnorr’s signature scheme [27] to issue the private keys. The detailed steps are as follows.

R1: Each $SM_i$ $(i = 1, 2, \ldots, n_{sm})$ and $SP_j$ $(j = 1, 2, \ldots, n_{sp})$ first pick their identities $ID_{SM_i}$ and $ID_{SP_j}$, and then send them to the $TA$ through a secure channel, respectively.

R2: The $TA$ generates random secret numbers $t_{SM_i} \in Z_q^*$ and $t_{SP_j} \in Z_q^*$ for $SM_i$ and $SP_j$, respectively. After that, the $TA$ calculates $T_{SM_i} = t_{SM_i} \cdot P$ and $M_{SM_i} = t_{SM_i} + h(T_{SM_i} \| ID_{SM_i}) \cdot t \pmod q$ for $SM_i$, and also $T_{SP_j} = t_{SP_j} \cdot P$, $P_{SP_j} = t_{SP_j} + h(T_{SP_j} \| ID_{SP_j}) \cdot t \pmod q$ for $SP_j$.

R3: The $TA$ sends the information $\langle T_{SM_i}, M_{SM_i}, ID_{SM_i}, \{ID_{SP_j} \mid (j = 1, 2, \ldots, n_{sp})\} \rangle$ to $SM_i$ via secure channel, and also the information $\langle T_{SP_j}, P_{SP_j}, ID_{SP_j}, \{ID_{SM_i} \mid (i = 1, 2, \ldots, n_{sm})\} \rangle$ to $SP_j$ via secure channel. Both $SM_i$ and $SP_j$ keep the received information.

The illustration of this phase is also shown in Fig. 3.

C. Authentication and Key Agreement Phase

This phase provides mutual authentication between a registered smart meter $SM_i$ and a registered service provider $SP_j$ using the following steps. At the end, both $SM_i$ and $SP_j$ establish a session key for secret communication in future.

A1: $SM_i$ first generates a random secret $r_i \in Z_q^*$ and current timestamp $TS_i$, calculates $R_i = h(r_i \| TS_i) \cdot P$, and sends the request message $MSG_1 = \{R_i, TS_i\}$ to the $SP_j$ via open channel.

A2: Upon receiving the request message at time $TS_i^*$, $SP_j$ validates the received timestamp by $|TS_i - TS_i^*| < \Delta T$. If it succeeds, $SP_j$ produces a random secret $r_j \in Z_q^*$ and current timestamp $TS_j$, and calculates $R_j = h(r_j \| TS_j) \cdot P$, $S_j = P_{SP_j} \cdot R_i$, $V_j = h(R_i \| T_{SP_j} \| S_j \| R_j \| TS_i \| TS_j)$. Next, $SP_j$ sends the response message $MSG_2 = \{R_j, V_j, T_{SP_j}, TS_j\}$ to the $SM_i$ via open channel.

A3: Assume that $SM_i$ receives the response message from $SP_j$ at time $TS_j^*$. $SM_i$ then validates the received timestamp $TS_j$ by the verifying criteria $|TS_j - TS_j^*| < \Delta T$. If it is valid, $SM_i$ proceeds to calculate $S_i = h(r_i \| TS_i) \cdot (T_{SP_j} + h(T_{SP_j} \| ID_{SP_j}) \cdot T_{pub})$ and check the authenticity of the message by verifying the criteria $V_j = h(R_i \| T_{SP_j} \| S_i \| R_j \| TS_i \| TS_j)$. If the verification fails, $SM_i$ terminates the communication. Otherwise, $SM_i$ believes the message is non-tampered and received from the legitimate $SP_j$. Furthermore, $SM_i$ produces current timestamp $TS'_i$, calculates $A_i = M_{SM_i} \cdot R_j$, the session key $SK_{ij} = h(A_i \| S_i \| ID_{SM_i} \| ID_{SP_j})$, $B_i = h(S_i \| TS'_i) \oplus (ID_{SM_i} \| T_{SM_i})$, $C_i = h(T_{SP_j} \| ID_{SM_i} \| SK_{ij} \| T_{SM_i} \| TS_j \| TS'_i)$ and sends its acknowledgment message $MSG_3 = \{B_i, C_i, TS'_i\}$ to $SP_j$ via open channel.

A4: Upon receiving the acknowledgment message at timeTS∗∗i , SPj first checks genuineness of received timestampTS′i by the criteria |TS′i − TS∗∗i | < ∆T . Upon successfulvalidation, SPj recovers (IDSMi ‖TSMi) = Bi⊕ h(Sj‖ TS′i),Uj = h(rj‖ TSj) ·(TSMi+ h(TSMi ‖IDSMi) ·Tpub), the

Smart Meter (SMi) Service Provider(SPj)

Generate random secret ri ∈ Z∗q ,current timestamp TSi

Compute Ri = h(ri‖TSi) · P Check if |TSi − TS∗i | < ∆T ?MSG1={Ri,TSi}−−−−−−−−−−−→(Public channel)

If so, generate random secret rj ∈ Z∗q ,

current timestamp TSj

Calculate Rj = h(rj‖TSj) · P ,Check if |TSj − TS∗j | < ∆T ? Sj = PSPj ·Ri,If so, calculate Si = h(ri‖TSi)· Vj = h(Ri ‖TSPj

‖Sj ‖Rj ‖TSi ‖TSj)

(TSPj+ h(TSPj

‖IDSPj) · Tpub)

MSG2={Rj ,Vj ,TSPj,TSj}

←−−−−−−−−−−−−−−−−−(Public channel)

Check if Vj = h(Ri ‖TSPj

‖Sj ‖Rj ‖TSi ‖TSj)?If so, compute Ai = MSMi ·Rj ,SKij = h(Ai‖Si‖IDSMi‖IDSPj )Generate current timestamp TS′i Check validity of |TS′i − TS∗∗i | < ∆TCompute Bi = h(Si‖TS′i)⊕ If so, retrieve(IDSMi

‖TSMi), Ci = h(TSPj

‖ (IDSMi‖TSMi

) = Bi ⊕ h(Sj‖TS′i),IDSMi

‖SKij‖TSMi‖TSj‖TS′i) Compute Uj = h(rj‖TSj) · (TSMi

+h(TSMi‖IDSMi) · Tpub),

MSG3={Bi,Ci,TS′i}−−−−−−−−−−−−−→

(Public channel)SKji = h(Uj‖Sj‖IDSMi

‖IDSPj)

Check if Ci = h(TSPj‖IDSMi

‖SKji

‖TSMi‖TSj‖TS′i)?

Store SKij(= SKji) as session key If so, store SKji(= SKij) as session key

Fig. 4: Authentication and key agreement phase

session key SKji = h(Uj ‖Sj ‖IDSMi‖IDSPj

) and checksthe authenticity of the message by verifying the criteria Ci =h(TSPj ‖IDSMi ‖SKji‖TSMi ‖TSj ‖TS′i). If the verificationis justifiable, SPj believes the message is non-tampered andreceived from the legitimate SMi.

At the end of successful authentication, both SMi and SPj

use the established session key SKij (= SKij) for the futurecommunications. Finally, the illustration of this phase is givenin Fig. 4.

D. Dynamic Node Addition Phase

Suppose a new smart meter, say $SM_i^{new}$, needs to be deployed in the existing network. To achieve this, $SM_i^{new}$ first creates its identity $ID_{SM_i}^{new}$ and then sends it to the TA through a secure channel. Upon receiving the registration request, the TA picks a random secret number $t_{SM_i}^{new} \in Z_q^*$ for $SM_i^{new}$ and calculates $T_{SM_i}^{new} = t_{SM_i}^{new} \cdot P$ and $M_{SM_i}^{new} = t_{SM_i}^{new} + h(T_{SM_i}^{new} \| ID_{SM_i}^{new}) \cdot t \pmod{q}$. Next, the TA sends the information $\langle T_{SM_i}^{new}, M_{SM_i}^{new}, ID_{SM_i}^{new}, \{ID_{SP_j} \mid j = 1, 2, \ldots, n_{sp}\} \rangle$ to $SM_i^{new}$ via a secure channel. Finally, after receiving the information, $SM_i^{new}$ keeps it for the authentication and key agreement process with a service provider when necessary.

IV. SECURITY ANALYSIS

In this section, we first show the correctness proof of “mutual authentication between a smart meter $SM_i$ and a service provider $SP_j$ for establishing a common session key among them for the proposed AAS-IoTSG”. Next, we provide formal and informal security analysis to show that the proposed AAS-IoTSG resists several known attacks relevant to the IoT-enabled smart grid environment. In addition, the formal security verification using AVISPA tool-based simulation [14] is illustrated in Section V.


A. Correctness Proof

Theorem 1 proves that, in the proposed AAS-IoTSG, mutual authentication between a smart meter $SM_i$ and a service provider $SP_j$ is achieved for establishing a common session key.

Theorem 1. $SM_i$ and $SP_j$ mutually authenticate each other for establishing a common session key between them.

Proof. In Step A3, $SM_i$ validates the message $MSG_2 = \{R_j, V_j, T_{SP_j}, TS_j\}$ by calculating $S_i = h(r_i \| TS_i) \cdot (T_{SP_j} + h(T_{SP_j} \| ID_{SP_j}) \cdot T_{pub})$ and then verifying whether $V_j = h(R_i \| T_{SP_j} \| S_i \| R_j \| TS_i \| TS_j)$. Note that

$$S_j = P_{SP_j} \cdot R_i = (t_{SP_j} + h(T_{SP_j} \| ID_{SP_j}) \cdot t) \cdot (h(r_i \| TS_i) \cdot P) = h(r_i \| TS_i) \cdot (t_{SP_j} \cdot P + h(T_{SP_j} \| ID_{SP_j}) \cdot (t \cdot P)) = h(r_i \| TS_i) \cdot (T_{SP_j} + h(T_{SP_j} \| ID_{SP_j}) \cdot T_{pub}) = S_i.$$

Therefore, $V_j = h(R_i \| T_{SP_j} \| S_j \| R_j \| TS_i \| TS_j) = h(R_i \| T_{SP_j} \| S_i \| R_j \| TS_i \| TS_j)$ as $S_i = S_j$. Since the above condition holds, $SM_i$ treats $SP_j$ as legitimate and computes the session key $SK_{ij} = h(A_i \| S_i \| ID_{SM_i} \| ID_{SP_j})$ shared with $SP_j$.

In Step A4, $SP_j$ calculates $U_j = h(r_j \| TS_j) \cdot (T_{SM_i} + h(T_{SM_i} \| ID_{SM_i}) \cdot T_{pub})$. Note that

$$A_i = M_{SM_i} \cdot R_j = (t_{SM_i} + h(T_{SM_i} \| ID_{SM_i}) \cdot t) \cdot (h(r_j \| TS_j) \cdot P) = h(r_j \| TS_j) \cdot (t_{SM_i} \cdot P + h(T_{SM_i} \| ID_{SM_i}) \cdot (t \cdot P)) = h(r_j \| TS_j) \cdot (T_{SM_i} + h(T_{SM_i} \| ID_{SM_i}) \cdot T_{pub}) = U_j.$$

After that, $SP_j$ computes the session key $SK_{ji} = h(U_j \| S_j \| ID_{SM_i} \| ID_{SP_j}) = h(A_i \| S_i \| ID_{SM_i} \| ID_{SP_j}) = SK_{ij}$ and checks the authenticity of the message $MSG_3$ by verifying if $C_i = h(T_{SP_j} \| ID_{SM_i} \| SK_{ji} \| T_{SM_i} \| TS_j \| TS'_i)$. Since $SK_{ji} = SK_{ij}$, this condition also passes the test and $SP_j$ treats $SM_i$ as a legitimate communicating entity in the network. As a result, mutual authentication between $SM_i$ and $SP_j$ is achieved and the same session key $SK_{ij}$ (= $SK_{ji}$) is established between them.
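The following Python example, added here and not taken from the paper or its authors, runs registration step R2 and steps A1–A4 of Section III-C end to end and exercises the equalities used in the proof of Theorem 1 ($S_i = S_j$ and $A_i = U_j$, hence $SK_{ij} = SK_{ji}$). The curve (secp256k1), the hash (SHAKE-256, stretched so that the mask in $B_i$ covers $ID_{SM_i} \| T_{SM_i}$), the length-prefixed field encoding, the identities, the timestamps, $\Delta T$ and all function names are assumptions of this example.

```python
import hashlib, hmac, secrets

# Assumptions, not from the paper: secp256k1 stands in for E_q(u, v), SHAKE-256 for
# h(.), and the identities and timestamps are constructed sample values.
FP = 2**256 - 2**32 - 977                      # field prime
Q = 0xFFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFE_BAAEDCE6_AF48A03B_BFD25E8C_D0364141   # order q
P = (0x79BE667E_F9DCBBAC_55A06295_CE870B07_029BFCDB_2DCE28D9_59F2815B_16F81798,
     0x483ADA77_26A3C465_5DA4FBFC_0E1108A8_FD17B448_A6855419_9C47D08F_FB10D4B8)  # base point
DELTA_T = 2                                    # maximum transmission delay, seconds

def ec_add(a, b):                              # affine addition; None = point at infinity
    if a is None or b is None:
        return b if a is None else a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % FP == 0:
        return None
    num, den = (3 * x1 * x1, 2 * y1) if a == b else (y2 - y1, x2 - x1)
    lam = num * pow(den % FP, -1, FP) % FP
    x3 = (lam * lam - x1 - x2) % FP
    return x3, (lam * (x1 - x3) - y1) % FP

def ec_mul(k, pt):                             # double-and-add, variable time
    acc = None
    while k:
        acc = ec_add(acc, pt) if k & 1 else acc
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def enc(x):                                    # str/bytes as is, int -> 32 bytes, point -> x || y
    if isinstance(x, (str, bytes)):
        return x.encode() if isinstance(x, str) else x
    return b"".join(c.to_bytes(32, "big") for c in (x if isinstance(x, tuple) else (x,)))

def h(*parts, n=32):
    """h(a || b || ...): fields are length-prefixed; n bytes of output."""
    data = b"".join(len(enc(p)).to_bytes(2, "big") + enc(p) for p in parts)
    return hashlib.shake_256(data).digest(n)

def h_q(*parts):                               # hash output used as a scalar
    return int.from_bytes(h(*parts), "big") % Q

def rand_zq():
    return 1 + secrets.randbelow(Q - 1)

def check(ok, why):
    if not ok:
        raise ValueError(why)

def register(t, ident):
    """R2/R3: public T = t_x.P and secret key t_x + h(T || ID).t (mod q)."""
    tx = rand_zq()
    T = ec_mul(tx, P)
    return {"ID": ident, "T": T, "key": (tx + h_q(T, ident) * t) % Q}

def setup():
    t = rand_zq()                              # TA master secret; T_pub = t.P
    return ec_mul(t, P), register(t, "SM-0001"), register(t, "SP-0001")

def sm_a1(now):
    k = h_q(rand_zq(), now)                    # h(r_i || TS_i)
    return {"k": k, "Ri": ec_mul(k, P), "TSi": now}

def sp_a2(sp, msg1, now):
    Ri, TSi = msg1
    check(abs(TSi - now) < DELTA_T, "stale MSG1")
    kj = h_q(rand_zq(), now)                   # h(r_j || TS_j)
    Rj, Sj = ec_mul(kj, P), ec_mul(sp["key"], Ri)
    Vj = h(Ri, sp["T"], Sj, Rj, TSi, now)
    return {"kj": kj, "Sj": Sj, "TSj": now}, (Rj, Vj, sp["T"], now)

def sm_a3(sm, st, msg2, id_sp, Tpub, now):
    Rj, Vj, Tsp, TSj = msg2
    check(abs(TSj - now) < DELTA_T, "stale MSG2")
    Si = ec_mul(st["k"], ec_add(Tsp, ec_mul(h_q(Tsp, id_sp), Tpub)))
    check(hmac.compare_digest(Vj, h(st["Ri"], Tsp, Si, Rj, st["TSi"], TSj)), "bad V_j")
    sk = h(ec_mul(sm["key"], Rj), Si, sm["ID"], id_sp)        # A_i = M_SMi.R_j
    plain = sm["ID"].encode() + enc(sm["T"])                  # ID_SMi || T_SMi
    Bi = bytes(m ^ p for m, p in zip(h(Si, now, n=len(plain)), plain))
    return sk, (Bi, h(Tsp, sm["ID"], sk, sm["T"], TSj, now), now)   # (B_i, C_i, TS'_i)

def sp_a4(sp, st, msg3, Tpub, now):
    Bi, Ci, TSi2 = msg3
    check(abs(TSi2 - now) < DELTA_T, "stale MSG3")
    plain = bytes(m ^ c for m, c in zip(h(st["Sj"], TSi2, n=len(Bi)), Bi))
    id_sm = plain[:-64].decode()
    T_sm = (int.from_bytes(plain[-64:-32], "big"), int.from_bytes(plain[-32:], "big"))
    Uj = ec_mul(st["kj"], ec_add(T_sm, ec_mul(h_q(T_sm, id_sm), Tpub)))
    sk = h(Uj, st["Sj"], id_sm, sp["ID"])
    check(hmac.compare_digest(Ci, h(sp["T"], id_sm, sk, T_sm, st["TSj"], TSi2)), "bad C_i")
    return sk

def run_session(now=1_700_000_000):
    """One full run; returns (SK_ij, SK_ji), which Theorem 1 says are equal."""
    Tpub, sm, sp = setup()
    st_i = sm_a1(now)
    st_j, msg2 = sp_a2(sp, (st_i["Ri"], st_i["TSi"]), now)
    sk_ij, msg3 = sm_a3(sm, st_i, msg2, sp["ID"], Tpub, now + 1)
    return sk_ij, sp_a4(sp, st_j, msg3, Tpub, now + 1)
```

A deployment would additionally validate that every received point lies on the curve and use constant-time scalar multiplication; both are left out to keep the example close to the steps as written.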

B. ROR-Model Based Formal Security Analysis

The Real-Or-Random (ROR) model [13] based formal security analysis has been performed in this section to analyze the security of the proposed scheme. The details of the ROR model and the various random oracles are provided below.

The Real-Or-Random (ROR) model [13], [28] based formal security analysis has gained popularity in analyzing the security of many recent authentication protocols in the literature [29].

Under the ROR model, an adversary, say $\mathcal{A}$, interconnects with the $t^{th}$ instance $P^t$ of an executing entity (e.g., a smart meter $SM_i$ or a service provider $SP_j$), and has access to various queries, such as CorruptSM($SM_i$), Test($P^t$), Execute($SM_i$, $SP_j$) and Reveal($P^t$), needed for simulating a real attack. The descriptions of these queries are tabulated in Table II. The following components are associated with the ROR model:

Participants. The participants associated with the proposed AAS-IoTSG are a smart meter $SM_i$ and a service provider $SP_j$. The instances $t_1$ and $t_2$ of $SM_i$ and $SP_j$ are marked as $P^{t_1}_{SM_i}$ and $P^{t_2}_{SP_j}$, which are known as oracles.

Accepted state. An instance $P^t$ is in “accepted state” if its state goes to an accept state after reception of the last authentic message. The “session identification sid of $P^t$ for the running session” is formed by arranging all the messages transmitted and received by $P^t$ in sequence.

Partnering. $P^{t_1}$ and $P^{t_2}$ are partners to each other when the following conditions are fulfilled:

• They are in “accepted states”.
• They have the same sid and they also “mutually authenticate each other”.
• They are also “mutual partners of each other”.

Freshness. $P^{t_1}_{SM_i}$ or $P^{t_2}_{SP_j}$ is fresh when the constructed session key between $SM_i$ and $SP_j$ is not leaked to $\mathcal{A}$ using the Reveal($P^t$) query listed in Table II.

The “semantic security” of the proposed AAS-IoTSG is defined in Definition 1.

Definition 1. If $Adv^{AAS\text{-}IoTSG}_{\mathcal{A}}(t_p)$ is the “advantage of an adversary $\mathcal{A}$ running in polynomial time $t_p$ in breaking the semantic security of the proposed scheme (AAS-IoTSG) to derive the session key ($SK_{ij}$) among a smart meter $SM_i$ and a service provider $SP_j$”, then $Adv^{AAS\text{-}IoTSG}_{\mathcal{A}}(t_p) = |2 Pr[c' = c] - 1|$, where $c$ and $c'$ indicate the correct and guessed bits, respectively.

TABLE II: Various queries with their descriptions

Query: Significance
CorruptSM($SM_i$): With the help of this query, $\mathcal{A}$ can extract the credentials stored in a compromised smart meter $SM_i$’s memory
Execute($SM_i$, $SP_j$): It helps $\mathcal{A}$ to intercept the messages exchanged between $SM_i$ and $SP_j$
Reveal($P^t$): It helps $\mathcal{A}$ to acquire the session key $SK_{ij}$ (= $SK_{ji}$) that is produced among $P^t$ and its partner
Test($P^t$): It enables $\mathcal{A}$ to request $P^t$ for session key $SK_{ij}$ (= $SK_{ji}$), and $P^t$ outputs probabilistically the result of a flipped “unbiased coin $c$”

In addition, “one-way collision-resistant hash function” and “Elliptic Curve Decisional Diffie-Hellman Problem (ECDDHP)” are defined in Definitions 2 and 3, respectively, for analyzing the security of the proposed AAS-IoTSG.

Definition 2. A “deterministic function”, say $h: \{0, 1\}^* \to \{0, 1\}^{l_b}$, is a “one-way collision-resistant hash function” if it produces a fixed-length output string $h(x) \in \{0, 1\}^{l_b}$ of $l_b$ bits as “hash value or message digest” upon an arbitrary-length input string $x \in \{0, 1\}^*$. Let an adversary $\mathcal{A}$ want to find a hash collision. Then, the “advantage” of $\mathcal{A}$ in attacking “hash collision” is given by $Adv^{Hash}_{\mathcal{A}}(t_h) = Pr[(x_1, x_2) \leftarrow_r \mathcal{A} : x_1 \neq x_2, h(x_1) = h(x_2)]$. Here, $Pr(X)$ indicates the probability of a “random event $X$” and $(x_1, x_2) \leftarrow_r \mathcal{A}$ denotes that the pair is selected at random by $\mathcal{A}$. An $(\eta, t)$-adversary $\mathcal{A}$ attacking $h(\cdot)$’s collision resistance implies that “the runtime of $\mathcal{A}$ is at most $t_h$ with $Adv^{Hash}_{\mathcal{A}}(t_h) \le \eta$”.

Definition 3. Given an elliptic curve point $P$ on an elliptic curve $E_q(u, v)$, the ECDDHP states that “for a quadruple $\langle P, l_1 \cdot P, l_2 \cdot P, l_3 \cdot P \rangle$, decide whether $l_3 = l_1 l_2$ or it is a uniform value”, where $l_1, l_2, l_3 \in Z_q^*$ (= $\{1, 2, \ldots, q - 1\}$).


In Theorem 2, we prove the semantic security of AAS-IoTSG.

Theorem 2. Suppose an adversary $\mathcal{A}$ is running in “polynomial time $t_p$” against our scheme (AAS-IoTSG). If $q_h$, $|Hash|$ and $Adv^{ECDDHP}_{\mathcal{A}}(t_p)$ denote the “number of hash queries”, “range space of one-way hash function $h(\cdot)$” and “$\mathcal{A}$’s advantage in breaking ECDDHP in time $t_p$ (see Definition 3)”, respectively, then

$$Adv^{AAS\text{-}IoTSG}_{\mathcal{A}}(t_p) \le \frac{q_h^2}{|Hash|} + 2\,Adv^{ECDDHP}_{\mathcal{A}}(t_p).$$

Proof. The proof of this theorem follows the approach presented for other authentication protocols [29]. We have four games, say $Gam_j$ ($j = 0, 1, 2, 3$), associated with the proof, where the starting and ending games are $Gam_0$ and $Gam_3$, respectively. We define $Succ^{Gam_j}_{\mathcal{A}}$ as “an event wherein $\mathcal{A}$ can guess the random bit $c$ in the game $Gam_j$ correctly” and also the “advantage of $\mathcal{A}$ in winning the game $Gam_j$ as $Adv^{AAS\text{-}IoTSG}_{\mathcal{A},Gam_j} = Pr[Succ^{Gam_j}_{\mathcal{A}}]$”. The detailed discussion of these games is provided below.

$Gam_0$: The starting game $Gam_0$ is identical to the actual protocol executing under the ROR model. Thus, according to the semantic security of AAS-IoTSG defined in Definition 1, it follows that

$$Adv^{AAS\text{-}IoTSG}_{\mathcal{A}}(t_p) = |2 \cdot Adv^{AAS\text{-}IoTSG}_{\mathcal{A},Gam_0} - 1| \tag{1}$$

$Gam_1$: The “eavesdropping attack” is modeled in this game, wherein the adversary $\mathcal{A}$ can intercept all the communicated messages $MSG_1 = \{R_i, TS_i\}$, $MSG_2 = \{R_j, V_j, T_{SP_j}, TS_j\}$ and $MSG_3 = \{B_i, C_i, TS'_i\}$ during the execution of the “authentication and key agreement phase” in Section III-C with the help of the Execute query as explained in Table II. At the end, $\mathcal{A}$ can execute both the Reveal and Test queries to determine whether the “calculated session key $SK_{ij}$ between $SM_i$ and $SP_j$ is real or a random number”. The established session key is $SK_{ij} = h(A_i \| S_i \| ID_{SM_i} \| ID_{SP_j}) = h(U_j \| S_j \| ID_{SM_i} \| ID_{SP_j}) = SK_{ji}$. It is worth noticing that the session key security relies on both the “temporal secrets $r_i$ and $r_j$” and the “long-term secrets $M_{SM_i}$ and $P_{SP_j}$”, which cannot be learned by eavesdropping on the messages $MSG_1$, $MSG_2$ and $MSG_3$. Thus, such an “eavesdropping attack” does not increase the winning probability of $\mathcal{A}$ in the game $Gam_1$. As a result, the games $Gam_0$ and $Gam_1$ become “indistinguishable”, and hence, we have the following result:

$$Adv^{AAS\text{-}IoTSG}_{\mathcal{A},Gam_1} = Adv^{AAS\text{-}IoTSG}_{\mathcal{A},Gam_0} \tag{2}$$

$Gam_2$: This game involves the simulation of hash queries. In the message $MSG_1$, both $R_i$ and $TS_i$ are random. Similarly, in the other messages $MSG_2$ and $MSG_3$, the components $R_j$, $V_j$, $TS_j$, $B_i$, $C_i$ and $TS'_i$ are also random as these involve random numbers and current timestamps. Thus, no collision happens when the hash queries are executed by $\mathcal{A}$. As $Gam_1$ and $Gam_2$ are “indistinguishable” except for the inclusion of the simulation of the hash queries in $Gam_2$, from the results of the birthday paradox, we have

$$|Adv^{AAS\text{-}IoTSG}_{\mathcal{A},Gam_2} - Adv^{AAS\text{-}IoTSG}_{\mathcal{A},Gam_1}| \le \frac{q_h^2}{2|Hash|} \tag{3}$$

$Gam_3$: In this final game, the CorruptSM($SM_i$) query is implemented. Based on the execution of this query, the adversary $\mathcal{A}$ will have the extracted credentials $M_{SM_i}$, $T_{SM_i}$, $ID_{SM_i}$ and $\{ID_{SP_j} \mid j = 1, 2, \ldots, n_{sp}\}$ from a compromised smart meter $SM_i$. Furthermore, $\mathcal{A}$ will have all the intercepted messages $MSG_1$, $MSG_2$ and $MSG_3$. To derive the session key $SK_{ij} = h(A_i \| S_i \| ID_{SM_i} \| ID_{SP_j}) = h(U_j \| S_j \| ID_{SM_i} \| ID_{SP_j}) = SK_{ji}$ shared between $SM_i$ and $SP_j$, $\mathcal{A}$ needs to calculate $A_i$ (= $U_j$) and $S_i$ (= $S_j$). This problem leads to the derivation of $h(r_i \| TS_i)$ and $h(r_j \| TS_j)$, which is computationally expensive due to the intractability of ECDDHP in a polynomially bounded time $t_p$. Since the games $Gam_2$ and $Gam_3$ are “indistinguishable” except for the inclusion of the CorruptSM($SM_i$) query and ECDDHP, it follows that

$$|Adv^{AAS\text{-}IoTSG}_{\mathcal{A},Gam_3} - Adv^{AAS\text{-}IoTSG}_{\mathcal{A},Gam_2}| \le Adv^{ECDDHP}_{\mathcal{A}}(t_p) \tag{4}$$

Now, all the relevant queries related to the above games are executed, and it only remains to guess the random bit $c$ once the Reveal query along with the Test query are executed. Thus, we have

$$Adv^{AAS\text{-}IoTSG}_{\mathcal{A},Gam_3} = \frac{1}{2} \tag{5}$$

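Eqs. (1), (2) and (5) lead to the following derivation:

$$\frac{1}{2} \cdot Adv^{AAS\text{-}IoTSG}_{\mathcal{A}}(t_p) = \left|Adv^{AAS\text{-}IoTSG}_{\mathcal{A},Gam_0} - \frac{1}{2}\right| = |Adv^{AAS\text{-}IoTSG}_{\mathcal{A},Gam_1} - Adv^{AAS\text{-}IoTSG}_{\mathcal{A},Gam_3}| \le |Adv^{AAS\text{-}IoTSG}_{\mathcal{A},Gam_1} - Adv^{AAS\text{-}IoTSG}_{\mathcal{A},Gam_2}| + |Adv^{AAS\text{-}IoTSG}_{\mathcal{A},Gam_2} - Adv^{AAS\text{-}IoTSG}_{\mathcal{A},Gam_3}| \tag{6}$$

Next, Equations (3), (4) and (6) lead to the following result:

$$\frac{1}{2} \cdot Adv^{AAS\text{-}IoTSG}_{\mathcal{A}}(t_p) \le \frac{q_h^2}{2|Hash|} + Adv^{ECDDHP}_{\mathcal{A}}(t_p) \tag{7}$$

Finally, multiplying both sides of Equation (7) by 2, we have the desired result: $Adv^{AAS\text{-}IoTSG}_{\mathcal{A}}(t_p) \le \frac{q_h^2}{|Hash|} + 2\,Adv^{ECDDHP}_{\mathcal{A}}(t_p)$.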

C. Informal Security Analysis

Through the following analysis, we also show that the proposed AAS-IoTSG can resist several known attacks.

1) Impersonation Attacks: For this attack, we consider an attacker $\mathcal{A}$ who actively monitors the network behavior and tries to capture the communicated messages $MSG_1$, $MSG_2$ and $MSG_3$ transferred between $SM_i$ and $SP_j$ over the insecure channel. Here, we consider the following two cases.

$SM_i$ impersonation attack: If $\mathcal{A}$ has to impersonate $SM_i$, the messages produced by $SM_i$ need to be reproduced by $\mathcal{A}$ on behalf of $SM_i$ to make $SP_j$ believe that the message is legal and received from an authenticated $SM_i$. Now, $\mathcal{A}$ tries to produce the messages $MSG_1 = \{R_i, TS_i\}$ and $MSG_3 = \{B_i, C_i, TS'_i\}$ with valid credentials. But, to produce these messages, $\mathcal{A}$ needs to have the knowledge of secret parameters such as $S_i$, $r_i$, $t_{SM_i}$ and $t$. Therefore, due to the lack of knowledge of these parameters, producing the valid messages and impersonating $SM_i$ in “polynomial time” is a “computationally expensive task” for $\mathcal{A}$.

$SP_j$ impersonation attack: If $\mathcal{A}$ has to impersonate $SP_j$, the messages produced by $SP_j$ need to be reproduced by $\mathcal{A}$ on behalf of $SP_j$ to make $SM_i$ believe that the message is legal and received from an authenticated $SP_j$. Now, assume that $\mathcal{A}$ tries to produce the message $MSG_2 = \{R_j, V_j, T_{SP_j}, TS_j\}$ with valid credentials. But, to produce this message, $\mathcal{A}$ needs to have the knowledge of other secret parameters such as $S_j$, $r_j$, $t_{SP_j}$ and $t$. Therefore, due to the lack of knowledge of these parameters, producing the valid message and impersonating $SP_j$ in “polynomial time” is also a “computationally infeasible task” for $\mathcal{A}$.

From the above two cases, we can infer that AAS-IoTSG resists impersonation attacks.

2) Replay Attack: Consider that $\mathcal{A}$ captures all the transmitted messages $MSG_1$, $MSG_2$ and $MSG_3$ between the participants during the “authentication and key agreement phase” over the public channel. Now, $\mathcal{A}$ may try to replay the messages in order to extract some valuable information from the participants. We consider that the systems are time-synchronized and that each message carries the current timestamp. $\mathcal{A}$ cannot mount the replay attack successfully because each message is furnished with the participant’s current timestamp and random numbers. If the adversary $\mathcal{A}$ attempts a replay, the scheme detects the old message by validating the timestamp threshold of the message communicated during the authentication process used to obtain $SP_j$’s services. The system thus detects that the message is replayed or that $\mathcal{A}$ is trying to deceive the participants to breach the communication.

3) Privileged-insider Attack: It is reasonable to consider that the TA is trusted and that the credentials issued over the secure channel are trusted. However, if we assume that an attacker $\mathcal{A}$ exists as an insider user of the TA, the credentials owned by $SM_i$ and $SP_j$ may be leaked during the registration time. Furthermore, due to the randomness achieved in the registration phase, $\mathcal{A}$ fails to extract the random numbers $t_{SM_i}$ and $t_{SP_j}$ of $SM_i$ and $SP_j$, respectively, and the random secret $t \in Z_q^*$, which is the system’s private key. Thus, though the insider attacker exists in the system, he/she cannot obtain any valuable information as the credentials are computed using a “collision-resistant one-way hash function” and it is also “computationally infeasible” to get some information in polynomial time (see Definition 2). Hence, AAS-IoTSG resists “privileged-insider attack”.

4) Man-in-the-Middle Attack: Consider that $\mathcal{A}$ captures all the transmitted messages $MSG_1$, $MSG_2$ and $MSG_3$ between the participants during the “authentication and key agreement phase” over the public channel. Now, $\mathcal{A}$ may try to modify the transmitted messages in order to make the participants believe that the received messages originate from the legitimate participants. If $\mathcal{A}$ tries to modify $MSG_1$, $\mathcal{A}$ needs to modify $R_i$, which necessitates the knowledge of the random secret $r_i \in Z_q^*$. To modify $MSG_2$, $\mathcal{A}$ needs to modify $V_j$, which necessitates the knowledge of $S_j$, $T_{SP_j}$, $r_j$ and $P_{SP_j}$, and modifying $MSG_3$ requires the knowledge of $S_i$, $ID_{SM_i}$, $T_{SM_i}$ and $M_{SM_i}$. This shows that $\mathcal{A}$ cannot modify those messages without the shared secret key between $SM_i$ and the TA, and between the TA and $SP_j$. Furthermore, due to the usage of random numbers and current timestamps, the attempt of this attack becomes impossible. Thus, AAS-IoTSG resists “man-in-the-middle attack”.

5) Mutual Authentication and Session Key Establishment: In AAS-IoTSG, the authenticity is shown through the correctness proof in Section IV-A. This ensures that mutual authentication is achieved successfully in our proposed AAS-IoTSG. After that, $SP_j$ calculates the session key $SK_{ji} = h(U_j \| S_j \| ID_{SM_i} \| ID_{SP_j}) = h(A_i \| S_i \| ID_{SM_i} \| ID_{SP_j}) = SK_{ij}$ and validates the authenticity of the message $MSG_3$ by verifying if $C_i = h(T_{SP_j} \| ID_{SM_i} \| SK_{ji} \| T_{SM_i} \| TS_j \| TS'_i)$. Since $SK_{ji} = SK_{ij}$, this condition also passes the test and $SP_j$ treats $SM_i$ as a legitimate communicating entity in the network. As a result, mutual authentication between $SM_i$ and $SP_j$ is achieved, and the same session key $SK_{ij}$ (= $SK_{ji}$) is established between them. Moreover, the session key verification happens at $SP_j$ to ensure that both $SM_i$ and $SP_j$ share the common session key. Thus, the above discussion shows that the participants successfully achieve “mutual authentication and session key establishment” in AAS-IoTSG.

6) Anonymity and Untraceability: Consider that $\mathcal{A}$ captures all the transmitted messages $MSG_i$ ($i = 1, 2, 3$) among the participants during the “authentication and key agreement phase” over the public channel. But without the secret credentials $t_{SM_i}$, $t_{SP_j}$, $t$, $r_i$, $r_j$, $P_{SP_j}$ and $M_{SM_i}$, the identities ($ID_{SM_i}$, $ID_{SP_j}$) of the participants $SM_i$ and $SP_j$ cannot be extracted. It is also “computationally expensive” for $\mathcal{A}$ to derive the identities of the participants from the transmitted messages. Furthermore, each communicated message is dynamic in nature because it involves random numbers and current timestamps. This shows that $\mathcal{A}$ cannot identify the actual identities of the participants, and also fails to trace the participants. Thus, AAS-IoTSG restricts “traceability” and also ensures “anonymity”.

7) Ephemeral Secret Leakage (ESL) Attack: Based on the “CK-adversary model” [13], an attacker $\mathcal{A}$ can compromise the session states and secret credentials apart from all the activities permitted under the DY threat model [11]. In AAS-IoTSG, if only the short-term secrets ($S_i$, $S_j$) are compromised, the session key between $SM_i$ and $SP_j$ computed as $SK_{ji} = h(U_j \| S_j \| ID_{SM_i} \| ID_{SP_j}) = h(A_i \| S_i \| ID_{SM_i} \| ID_{SP_j}) = SK_{ij}$ is not compromised by $\mathcal{A}$.

On the other hand, if only the long-term secrets ($t_{SM_i}$, $t_{SP_j}$) are compromised, the session key $SK_{ij}$ is not compromised due to the “computational infeasibility of ECDDHP (see Definition 3)” for deriving $P_{SP_j} \cdot P$ and $h(r_i \| TS_i) \cdot P$ from $S_j$ and $S_i$, respectively. Hence, without having “both short-term secrets and long-term secrets”, it is a “computationally expensive problem” for $\mathcal{A}$ to calculate the session key $SK_{ij}$. This conveys that AAS-IoTSG is resilient against the ESL attack.

8) Smart Meter Physical Capture Attack: According to the threat model discussed in Section I-B2, some smart meters can be “physically captured” by an adversary $\mathcal{A}$. Let a smart meter $SM_i$ be “physically captured” by $\mathcal{A}$; the credentials $\langle T_{SM_i}, M_{SM_i}, ID_{SM_i}, \{ID_{SP_j} \mid j = 1, 2, \ldots, n_{sp}\} \rangle$ can then be easily extracted by $\mathcal{A}$ by applying the “power analysis attacks” [12]. However, the credentials $T'_{SM_i}$ and $M'_{SM_i}$ are distinct for each smart meter $SM'_i$ throughout the entire smart grid environment. As a result, the capture only compromises the session keys between $SM_i$ and a service provider $SP_j$, and even if some smart meters are “physically captured” by $\mathcal{A}$, it does not leak the session keys between a non-compromised smart meter $SM'_i$ and a service provider $SP_j$. This means that AAS-IoTSG satisfies the “unconditional security against smart meter physical capture attack”.

CL-AtSe backend:

SUMMARY
  SAFE
DETAILS
  BOUNDED_NUMBER_OF_SESSIONS
  TYPED_MODEL
PROTOCOL
  /home/akdas/span-1.6-linux64-ubuntu/span/testsuite/results/auth.if
GOAL
  As specified
BACKEND
  CL-AtSe
STATISTICS
  Analysed   : 7162 states
  Reachable  : 2870 states
  Translation: 0.16 seconds
  Computation: 168.94 seconds

OFMC backend:

% OFMC
% Version of 2006/02/13
SUMMARY
  SAFE
DETAILS
  BOUNDED_NUMBER_OF_SESSIONS
PROTOCOL
  /home/akdas/span-1.6-linux64-ubuntu/span/testsuite/results/auth.if
GOAL
  as_specified
BACKEND
  OFMC
COMMENTS
STATISTICS
  parseTime: 0.00s
  searchTime: 0.06s
  visitedNodes: 9 nodes
  depth: 49 plies

Fig. 5: Analysis of simulation results under CL-AtSe & OFMC backends

V. AVISPA-BASED SIMULATION: FORMAL SECURITY VERIFICATION

In AVISPA, the “High Level Protocol Specification Language (HLPSL)” is used, which is treated as “an expressive language for modelling communication and security protocols” [30]. In AVISPA, there are four backends whose purposes are discussed below [14]:

• The first backend is “On-the-fly Model-Checker (OFMC) that performs various symbolic techniques to explore the state space in a demand-driven way”.

• The second backend is “CL-AtSe (Constraint-Logic-based Attack Searcher) that provides a translation from any security protocol specification written as transition relation in intermediate format into a set of constraints which are effectively used to find whether there are attacks on protocols”.

• The third backend is “SAT-based Model-Checker (SATMC) that builds a propositional formula which is then fed to a state-of-the-art SAT solver and any model found is translated back into an attack”.

• The last backend is “TA4SP (Tree Automata based on Automatic Approximations for the Analysis of Security Protocols) that approximates the intruder knowledge by using regular tree languages”.

HLPSL2IF is a translator that translates the HLPSL code to an “Intermediate Format (IF)” specification. This is given as the input to one of the four backends to generate the “Output Format (OF)”. The protocol specifications in HLPSL are organized into different roles. The “basic roles” describe “the actions of one single agent in a run of a protocol or sub-protocol”. The “composed roles” instantiate “these basic roles to model an entire protocol run (potentially consisting of the execution of multiple sub-protocols), a session of the protocol between multiple agents, or the protocol model itself” [14]. The “session” and “goal & environment” are the mandatory composite roles defined in HLPSL. In an environment role, the concrete sessions whose execution is considered are defined, given a set of roles describing the protocol. After that, the secrecy goals are also defined in the environment role. A detailed discussion of the AVISPA tool and its HLPSL can be found in [14], [30].

We implemented AAS-IoTSG in HLPSL with three basic roles for a smart meter ($SM_i$), a service provider ($SP_j$) and the TA, and also the composite roles for the “session” and “goal & environment”. In the “goal & environment”, confidentiality or privacy is specified using the HLPSL declaration “secrecy_of”, whereas the authentication property is specified with the HLPSL declaration “authentication_on”.

We then evaluated AAS-IoTSG against “replay” and “man-in-the-middle” attacks under two widely applied backends, namely OFMC and CL-AtSe, using the “SPAN, the Security Protocol ANimator for AVISPA” tool [31]. In our HLPSL implementation, we performed three verifications associated with the testing of the proposed scheme [14], which are “executability checking on non-trivial HLPSL specifications”, “replay attack checking”, and “Dolev-Yao (DY) model checking” [11]. In Fig. 5, the simulation results for “formal security verification” under the AVISPA tool are demonstrated. The results indicate that the “replay & man-in-the-middle” attacks are resisted in AAS-IoTSG.

TABLE III: Comparison of security & functionality features

Attribute   [21]   [4]    [5]    [19]   [6]    [26]   [7]    [8]    [10]   AAS-IoTSG
A1          √      √      ×      √      √      √      ×      √      √      √
A2          ×      ×      ×      ×      ×      √      ×      √      √      √
A3          ×      ×      √      ×      ×      √      √      √      √      √
A4          ×      √      √      √      √      ×      ×      √      √      √
A5          √      √      √      √      ×      ×      ×      √      ×      √
A6          √      ×      √      ×      ×      √      ×      √      √      √
A7          ×      ×      √      √      ×      ×      √      √      √      √
A8          ×      ×      ×      √      ×      ×      √      √      ×      √
A9          ×      ×      √      √      ×      √      ×      √      √      √
A10         ×      ×      ×      ×      ×      ×      √      √      √      √
A11         ×      ×      √      √      √      ×      ×      √      √      √
A12         ×      ×      ×      ×      ×      ×      ×      ×      ×      √

Note: A1: “Privileged-insider attack”; A2: “Anonymity preservation”; A3: “Traceability preservation”; A4: “Man-in-the-middle attack”; A5: “Strong replay attack”; A6: “Impersonation attacks”; A7: “Mutual authentication”; A8: “Strong smart meters’ privacy”; A9: “Resilience against smart meter physical capture attack”; A10: “ESL attack under CK adversary model”; A11: “Forward secrecy”; A12: “New smart meter addition”.
√: “a scheme is secure or it supports an attribute”; ×: “a scheme is insecure or it does not support an attribute”.

VI. COMPARATIVE ANALYSIS

We perform a detailed comparative study on “security & functionality features, computation costs and communication costs during the authentication and key agreement phase” among the proposed AAS-IoTSG and other relevant authentication mechanisms in the IoT environment, such as the schemes of Wu and Zhou [21], Xia and Wang [4], Tsai and Lo [5], Jo et al. (Protocol II) [19], Mahmood et al. [6], Li et al. [26], Mahmood et al. [7], Odelu et al. [8], and Abbasinezhad-Mood and Nikooghadam [10].

TABLE IV: Execution time of different cryptographic operations [32], [33]

Entity            Tbpo      Tecm      Texp       Th
Pentium IV        3.16 ms   1.17 ms   < 1 ms     0.01 ms
HiPerSmart Card   0.38 s    0.13 s    < 0.1 s    0.001 s

A. Security and Functionality Features Comparison

In Table III, the “security and functionality features” of AAS-IoTSG and the schemes of Wu and Zhou [21], Xia and Wang [4], Tsai and Lo [5], Jo et al. (Protocol II) [19], Mahmood et al. [6], Li et al. [26], Mahmood et al. [7], Odelu et al. [8], and Abbasinezhad-Mood and Nikooghadam [10] have been compared with respect to twelve important attributes (A1–A12). The scheme of Abbasinezhad-Mood and Nikooghadam [10] does not provide “strong replay attack protection” and “strong smart meters’ privacy”. In addition, their scheme does not allow new smart meter addition after initial deployment. It is worth noticing that AAS-IoTSG provides “better security and more functionality attributes” as compared to other existing schemes.

B. Computation Cost Comparison

We use the following notations for the computational cost analysis: $T_{bpo}$, $T_{ecm}$, $T_{eca}$, $T_{exp}$, $T_{Enc/Dec}$, $T_{cert}$, $T_{cv}$, $T_h$, $T_{ecdsa\_siggen}$, $T_{ecdsa\_sigver}$ and $T_m$ denote the time taken for a “bilinear pairing operation”, an “ECC point multiplication operation”, an “ECC point addition operation”, a “modular exponentiation operation”, a “symmetric encryption/decryption operation”, a “certificate generation operation”, a “certificate verification operation”, a “one-way hash operation”, an “ECDSA (elliptic curve digital signature algorithm) signature generation”, an “ECDSA signature verification”, and a “modular multiplication operation”, respectively. Since the execution time of the bitwise XOR operation is negligible, we do not consider this operation in the computation time calculation, as in [5], [20].

We use the existing experimental results as reported in [5], [32]. Scott et al. [32] implemented various cryptographic pairing operations on the “Philips HiPersmart card” and also a “Pentium IV computer” with maximum clock speeds of 36 MHz and 3 GHz, respectively. It is worth noticing that the “Philips HiPersmart card” supports a “32-bit RISC MIPS-based processor” with a “five-stage pipeline 2 KB instruction cache, 256 KB flash memory and 16 KB RAM”. On the other side, the “Pentium IV computer with 512 MB RAM” supports a “maximum clock speed of 3 GHz under the Windows XP operating system”. They implemented various bilinear pairing primitives on the “Philips HiPersmart card”, which were performed under the “Ashling integrated development environment (AsIDE)” with the help of the C programming language. They also implemented the bilinear pairing primitives on the “Pentium IV computer” with the help of the C programming language. Furthermore, they used the “multi-precision integer and rational arithmetic C/C++ Library (MIRACL)” on both the “Philips HiPersmart card” and the “Pentium IV computer”.

For computing the rough estimated time, we consider the execution times of the different cryptographic operations on the different platforms illustrated in Table IV. We also assume that $T_{Enc/Dec} \approx T_h$. Since $T_{eca} \ll T_{exp}$, it is assumed that $T_{eca} \approx T_h$. Furthermore, $T_m \ll T_{exp}$. The computation costs for the “authentication and key agreement phase” of AAS-IoTSG and other related schemes are tabulated in Table V. It is assumed that the computations on the “smart meter side” and the “user/service provider/data collection unit side” are performed on the “HiPerSmart card” and “Pentium IV” platforms, respectively [33]. The main reason for executing the considered authentication protocols on the “Philips HiPersmart card” is to show the feasibility of using the protocols on the resource-constrained IoT-enabled smart meters (devices). In AAS-IoTSG, the computation costs required for $SM_i$ and $SP_j$ are $7T_h + 3T_{ecm} + 2T_{eca} \approx 0.398$ seconds and $7T_h + 3T_{ecm} + 2T_{eca} \approx 3.59$ milliseconds, respectively. From Table V, it is clear that AAS-IoTSG needs less “overall computation cost” as compared to the schemes of Wu and Zhou [21], Xia and Wang [4], Tsai and Lo [5], Jo et al. (Protocol II) [19], Mahmood et al. [6], Li et al. [26], Mahmood et al. [7], Odelu et al. [8], and Abbasinezhad-Mood and Nikooghadam [10]. Though AAS-IoTSG needs a little more computation cost as compared to that for the scheme of Xia and Wang [4], it offers better “security and functionality features” as compared to these schemes (see Table III).

C. Communication Cost Comparison

Various parameters along with their bit length sizes are considered as follows: “identity”, “random nonce”, “timestamp”, “certificate (signature using elliptic curve digital signature algorithm (ECDSA))”, elements in “bilinear map groups G1 and G2”, “hash output” (if we apply SHA-1 as h(·)) and “message authentication code (MAC)” require 160, 128, 32, 320, 320 and 512, 160 and 160 bits, respectively. It is known that “the security of 160-bit ECC provides the same level of security as that for 1024-bit RSA cryptosystem” [14]. Therefore, an elliptic curve point of the form P = (Px, Py) demands (160 + 160) = 320 bits. In Table VI, the communication overheads required for AAS-IoTSG and other schemes have been shown. In AAS-IoTSG, the messages MSG1, MSG2 and MSG3 are of the sizes (320 + 32) = 352 bits, (320 + 160 + 320 + 32) = 832 bits and (160 + 160 + 32) = 352 bits, respectively, which together lead to the cumulative communication cost as (352 + 832 + 352) = 1536 bits. The proposed AAS-IoTSG requires less communication cost in bits as compared to other authentication mechanisms, such as the schemes of Wu and Zhou [21], Jo et al. (Protocol II) [19], Mahmood et al. [6], Li et al. [26], Mahmood et al. [7] and Odelu et al. [8]. Though AAS-IoTSG needs a little more communication cost as compared to that for the schemes of Xia and Wang [4], Tsai and Lo [5], and Abbasinezhad-Mood and Nikooghadam [10], it offers better “security and functionality features” as compared to these schemes (see Table III).

TABLE V: Comparison of computation costs during authentication & key agreement phase

| Scheme | Smart meter side: computational complexity | Smart meter side: estimated time | User/service provider/data collection unit side: computational complexity | User/service provider/data collection unit side: estimated time |
|---|---|---|---|---|
| Wu and Zhou [21] | 3Tecm + Tm + Th + Tcert | ≈ 0.523 s | 4Tecm + 4Th + TEnc/Dec + Tcv | ≈ 5.91 ms |
| Xia and Wang [4] | TEnc/Dec + 4Th | ≈ 0.005 s | 4Th | ≈ 0.04 ms |
| Tsai and Lo [5] | 4Tecm + Texp + 5Th | ≈ 0.625 s | 3Tecm + 2Tbpo + Texp + 5Th | ≈ 10.88 ms |
| Jo et al. (Protocol II) [19] | Tecm + 3Th + 2Texp + 2Tecdsa_siggen | ≈ 0.397 s | 3Tecdsa_sigver + 2Tbpo + 2Th + 2Texp + 3Tecdsa_siggen | ≈ 16.99 ms |
| Mahmood et al. [6] | 5Texp + 2Th + 2TEnc/Dec | ≈ 0.504 s | 4Texp + 2Th + 2TEnc/Dec | ≈ 4.04 ms |
| Li et al. [26] | 3Texp + 4Th | ≈ 0.304 s | 6Texp + 4Th | ≈ 6.04 ms |
| Mahmood et al. [7] | 4Tecm + 3Teca + 4Th | ≈ 0.527 s | 5Tecm + 3Teca + 4Th | ≈ 5.92 ms |
| Odelu et al. [8] | 3Tecm + Texp + 6Th | ≈ 0.496 s | 2Tecm + 2Tbpo + Texp + 6Th | ≈ 9.72 ms |
| Abbasinezhad-Mood and Nikooghadam [10] | 4Tecm + Teca + 5Th | ≈ 0.526 s | 4Tecm + Teca + 5Th | ≈ 4.74 ms |
| AAS-IoTSG | 7Th + 3Tecm + Teca | ≈ 0.398 s | 7Th + 3Tecm + Teca | ≈ 3.59 ms |
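Added example, not from the paper: the Table V estimates can be rechecked by parsing each cost expression and evaluating it against per-operation times. The unit costs below are assumptions back-solved from Table V rows on this page rather than taken from Table IV, and `parse_cost`, `estimate` and `audit` are hypothetical helper names.

```python
import re

# ASSUMPTION: unit costs are back-solved from Table V rows on this page (for
# example 4Th ~ 0.04 ms gives Th ~ 0.01 ms); they are not copied from Table IV.
METER_S = {"Th": 0.001, "Tecm": 0.13, "Texp": 0.10}                # seconds
SERVER_MS = {"Th": 0.01, "Tecm": 1.17, "Texp": 1.0, "Tbpo": 3.16}  # milliseconds
ALIASES = {"TEnc/Dec": "Th", "Teca": "Th"}  # the text's TEnc/Dec ~ Th, Teca ~ Th
TERM = re.compile(r"(\d*)\s*(T[A-Za-z/_]+)")

def parse_cost(expr):
    """'7Th + 3Tecm + Teca' -> {'Th': 8, 'Tecm': 3} with aliases folded in."""
    counts = {}
    for part in expr.split("+"):
        m = TERM.fullmatch(part.strip())
        if m is None:
            raise ValueError(f"unparseable term: {part!r}")
        op = ALIASES.get(m.group(2), m.group(2))
        counts[op] = counts.get(op, 0) + int(m.group(1) or 1)
    return counts

def estimate(expr, unit_costs):
    """Evaluate a cost expression; refuse operations with no known unit cost."""
    counts = parse_cost(expr)
    unknown = sorted(set(counts) - set(unit_costs))
    if unknown:
        raise KeyError(f"no unit cost for {unknown}")
    return sum(n * unit_costs[op] for op, n in counts.items())

# Rows transcribed from Table V: (scheme, meter expr, seconds, server expr, ms).
# Wu and Zhou [21] and Jo et al. [19] are left out: their rows use Tm, Tcert,
# Tcv and ECDSA costs that cannot be back-solved from this page.
TABLE_V = [
    ("Xia and Wang [4]", "TEnc/Dec + 4Th", 0.005, "4Th", 0.04),
    ("Tsai and Lo [5]", "4Tecm + Texp + 5Th", 0.625, "3Tecm + 2Tbpo + Texp + 5Th", 10.88),
    ("Mahmood et al. [6]", "5Texp + 2Th + 2TEnc/Dec", 0.504, "4Texp + 2Th + 2TEnc/Dec", 4.04),
    ("Li et al. [26]", "3Texp + 4Th", 0.304, "6Texp + 4Th", 6.04),
    ("Mahmood et al. [7]", "4Tecm + 3Teca + 4Th", 0.527, "5Tecm + 3Teca + 4Th", 5.92),
    ("Odelu et al. [8]", "3Tecm + Texp + 6Th", 0.496, "2Tecm + 2Tbpo + Texp + 6Th", 9.72),
    ("Abbasinezhad-Mood and Nikooghadam [10]", "4Tecm + Teca + 5Th", 0.526, "4Tecm + Teca + 5Th", 4.74),
    ("AAS-IoTSG (Table V)", "7Th + 3Tecm + Teca", 0.398, "7Th + 3Tecm + Teca", 3.59),
    ("AAS-IoTSG (prose: 2Teca)", "7Th + 3Tecm + 2Teca", 0.398, "7Th + 3Tecm + 2Teca", 3.59),
]

def audit(rows=TABLE_V):
    """Return (scheme, side) pairs whose recomputed time differs from the reported one."""
    bad = []
    for scheme, m_expr, m_rep, s_expr, s_rep in rows:
        # Tolerance is half of the last reported digit on each side.
        if abs(estimate(m_expr, METER_S) - m_rep) > 0.0005:
            bad.append((scheme, "meter"))
        if abs(estimate(s_expr, SERVER_MS) - s_rep) > 0.005:
            bad.append((scheme, "server"))
    return bad

if __name__ == "__main__":
    print(audit())
```

Under these assumed unit costs every transcribed row reproduces its reported time, and the Table V form of the AAS-IoTSG cost (one Teca) gives 0.398 s and 3.59 ms, whereas the form with 2Teca quoted in the text comes out one Teca higher on each side.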

TABLE VI: Comparison of communication costs during authentication & key agreement phase

| Scheme | No. of messages | Communication cost (in bits) |
|---|---|---|
| Wu and Zhou [21] | 4 | 3648 |
| Xia and Wang [4] | 5 | 1376 |
| Tsai and Lo [5] | 3 | 1408 |
| Jo et al. (Protocol II) [19] | 3 | 2464 |
| Mahmood et al. [6] | 2 | 4352 |
| Li et al. [26] | 2 | 4480 |
| Mahmood et al. [7] | 2 | 2304 |
| Odelu et al. [8] | 3 | 1920 |
| Abbasinezhad-Mood and Nikooghadam [10] | 3 | 1440 |
| AAS-IoTSG | 3 | 1536 |

VII. CONCLUDING REMARKS

In this work, we particularly focused on designing a novel authentication scheme (AAS-IoTSG) for the IoT-enabled smart grid systems. The ECC-based Schnorr’s signature mechanism is employed in AAS-IoTSG. AAS-IoTSG permits a smart meter and a service provider to mutually authenticate each other and to establish a session key for secret communication. The TA is responsible for distributing the signatures and other secret credentials to each smart grid and service provider before their placement in the network. The ROR-model based formal security analysis of AAS-IoTSG proves its semantic security against an adversary deriving the session key between a smart meter and a service provider. The informal analysis shows that AAS-IoTSG has the potential to resist other attacks. Moreover, the formal security verification using the AVISPA software tool assured that AAS-IoTSG is also safe against passive and active adversaries. AAS-IoTSG provides better “security and functionality” attributes that are extremely needed for an IoT-enabled smart grid environment. Finally, AAS-IoTSG needs less communication as well as computational costs for both smart meter and service provider sides as compared to other existing authentication approaches.

In the future, we would like to execute the proposed AAS-IoTSG on Raspberry Pi in order to exhibit its feasibility on the resource-constrained IoT-enabled devices, which are smart meters.

ACKNOWLEDGMENTS

The authors would like to thank the anonymous reviewers and the Associate Editor for their valuable comments and suggestions which helped us to improve the presentation and quality of the paper.

REFERENCES

[1] J. Gubbi, R. Buyya, S. Marusic, and M. Palaniswami, “Internet of Things (IoT): A vision, architectural elements, and future directions,” Future Generation Computer Systems, vol. 29, no. 7, pp. 1645–1660, 2013.

[2] A. Humayed, J. Lin, F. Li, and B. Luo, “Cyber-physical systems security-A survey,” IEEE Internet of Things Journal, vol. 4, no. 6, pp. 1802–1831, 2017.

[3] E. D. Knapp and R. Samani, Applied Cyber Security and the Smart Grid, 1st ed. Syngress, Elsevier, 2013.

[4] J. Xia and Y. Wang, “Secure key distribution for the smart grid,” IEEE Transactions on Smart Grid, vol. 3, no. 3, pp. 1437–1443, 2012.

[5] J.-L. Tsai and N.-W. Lo, “Secure anonymous key distribution scheme for smart grid,” IEEE Transactions on Smart Grid, vol. 7, no. 2, pp. 906–914, 2016.

[6] K. Mahmood, S. A. Chaudhry, H. Naqvi, T. Shon, and H. F. Ahmad, “A lightweight message authentication scheme for Smart Grid communications in power sector,” Computers & Electrical Engineering, vol. 52, pp. 114–124, 2016.

[7] K. Mahmood, S. A. Chaudhry, H. Naqvi, S. Kumari, X. Li, and A. K. Sangaiah, “An elliptic curve cryptography based lightweight authentication scheme for smart grid communication,” Future Generation Computer Systems, vol. 81, pp. 557–565, 2018.

[8] V. Odelu, A. K. Das, M. Wazid, and M. Conti, “Provably secure authenticated key agreement scheme for smart grid,” IEEE Transactions on Smart Grid, vol. 9, no. 3, pp. 1900–1910, 2018.

[9] “NIST Framework and Roadmap for Smart Grid Interoperability Standards, Release 3.0,” 2014, NIST Special Publication 1108r3, NIST, U.S. Department of Commerce. [Online]. Available: https://www.nist.gov/sites/default/files/documents/smartgrid/NIST-SP-1108r3.pdf

[10] D. Abbasinezhad-Mood and M. Nikooghadam, “An Anonymous ECC-Based Self-Certified Key Distribution Scheme for the Smart Grid,” IEEE Transactions on Industrial Electronics, vol. 65, no. 10, pp. 7996–8004, 2018.

[11] D. Dolev and A. Yao, “On the security of public key protocols,” IEEE Transactions on Information Theory, vol. 29, no. 2, pp. 198–208, 1983.

[12] T. S. Messerges, E. A. Dabbish, and R. H. Sloan, “Examining smart-card security under the threat of power analysis attacks,” IEEE Transactions on Computers, vol. 51, no. 5, pp. 541–552, 2002.

[13] R. Canetti and H. Krawczyk, “Analysis of key-exchange protocols and their use for building secure channels,” in International Conference on the Theory and Applications of Cryptographic Techniques – Advances in Cryptology (EUROCRYPT’01). Innsbruck (Tyrol), Austria: Springer, 2001, pp. 453–474.

[14] AVISPA, “Automated Validation of Internet Security Protocols and Applications,” 2019, http://www.avispa-project.org/. Accessed on March 2019.

[15] C. Xu, X. Huang, M. Ma, and H. Bao, “A Secure and Efficient Message Authentication Scheme for Vehicular Networks based on LTE-V,” KSII Transactions on Internet and Information Systems, vol. 12, no. 6, pp. 2841–2860, 2018.

[16] S. Qiu, G. Xu, H. Ahmad, G. Xu, X. Qiu, and H. Xu, “An Improved Lightweight Two-Factor Authentication and Key Agreement Protocol with Dynamic Identity Based on Elliptic Curve Cryptography,” KSII Transactions on Internet and Information Systems, vol. 13, no. 2, pp. 978–1002, 2019.

[17] X. Zhang, L. Mu, J. Zhao, and C. Xu, “An Efficient Anonymous Authentication Scheme with Secure Communication in Intelligent Vehicular Ad-hoc Networks,” KSII Transactions on Internet and Information Systems, vol. 13, no. 6, pp. 3280–3298, 2019.

[18] M. M. Fouda, Z. M. Fadlullah, N. Kato, R. Lu, and X. S. Shen, “A lightweight message authentication scheme for smart grid communications,” IEEE Transactions on Smart Grid, vol. 2, no. 4, pp. 675–685, 2011.

[19] H. J. Jo, I. S. Kim, and D. H. Lee, “Efficient and privacy-preserving metering protocols for smart grid systems,” IEEE Transactions on Smart Grid, vol. 7, no. 3, pp. 1732–1742, 2015.

[20] M. Wazid, A. K. Das, N. Kumar, and J. J. P. C. Rodrigues, “Secure Three-Factor User Authentication Scheme for Renewable-Energy-Based Smart Grid Environment,” IEEE Transactions on Industrial Informatics, vol. 13, no. 6, pp. 3144–3153, 2017.

[21] D. Wu and C. Zhou, “Fault-tolerant and scalable key management for smart grid,” IEEE Transactions on Smart Grid, vol. 2, no. 2, pp. 375–381, 2011.

[22] T. W. Chim, S. M. Yiu, L. C. K. Hui, and V. O. K. Li, “PASS: Privacy-preserving authentication scheme for smart grid network,” in IEEE International Conference on Smart Grid Communications (SmartGridComm’11), Brussels, Belgium, 2011, pp. 196–201.

[23] R. Sule, R. S. Katti, and R. G. Kavasseri, “A variable length fast Message Authentication Code for secure communication in smart grids,” in IEEE Power and Energy Society General Meeting, San Diego, CA, USA, 2012, pp. 1–6.

[24] H. Nicanfar and V. C. M. Leung, “Multilayer Consensus ECC-Based Password Authenticated Key-Exchange (MCEPAK) Protocol for Smart Grid System,” IEEE Transactions on Smart Grid, vol. 4, no. 1, pp. 253–264, 2013.

[25] H. Nicanfar and V. C. Leung, “Password-authenticated cluster-based group key agreement for smart grid communication,” Security and Communication Networks, vol. 7, no. 1, pp. 221–233, 2014.

[26] X. Li, F. Wu, S. Kumari, L. Xu, A. K. Sangaiah, and K.-K. R. Choo, “A provably secure and anonymous message authentication scheme for smart grids,” Journal of Parallel and Distributed Computing, vol. 132, pp. 242–249, 2019.

[27] C.-P. Schnorr, “Efficient signature generation by smart cards,” Journal of Cryptology, vol. 4, no. 3, pp. 161–174, 1991.

[28] R. Canetti and H. Krawczyk, “Universally Composable Notions of Key Exchange and Secure Channels,” in International Conference on the Theory and Applications of Cryptographic Techniques – Advances in Cryptology (EUROCRYPT’02), Amsterdam, The Netherlands, 2002, pp. 337–351.

[29] C. Chang and H. Le, “A Provably Secure, Efficient, and Flexible Authentication Scheme for Ad hoc Wireless Sensor Networks,” IEEE Transactions on Wireless Communications, vol. 15, no. 1, pp. 357–366, 2016.

[30] D. von Oheimb, “The high-level protocol specification language hlpsl developed in the eu project avispa,” in Proceedings of 3rd APPSEM II (Applied Semantics II) Workshop (APPSEM’05), Frauenchiemsee, Germany, 2005, pp. 1–17.

[31] AVISPA, “SPAN, the Security Protocol ANimator for AVISPA,” 2019, http://www.avispa-project.org/. Accessed on March 2019.

[32] M. Scott, N. Costigan, and W. Abdulwahab, “Implementing Cryptographic Pairings on Smartcards,” in 8th International Workshop Cryptographic Hardware and Embedded Systems (CHES’06), L. Goubin and M. Matsui, Eds., Yokohama, Japan, 2006, pp. 134–147.

[33] Y.-M. Tseng, S.-S. Huang, T.-T. Tsai, and J.-H. Ke, “List-free ID-based mutual authentication and key agreement protocol for multiserver architectures,” IEEE Transactions on Emerging Topics in Computing, vol. 4, no. 1, pp. 102–112, 2015.

Jangirala Srinivas (M’18) completed his Bachelor of Science in 2003 from Kakatiya University, India, the Master of Science degree from Kakatiya University in 2008, the Master of Technology degree from IIT Kharagpur in 2011, and then his PhD degree from the Department of Mathematics, IIT Kharagpur in 2017. He is currently working as an assistant professor with the Jindal Global Business School, O. P. Jindal Global University, Haryana, India. Prior to that he worked as a research assistant with the Center for Security, Theory and Algorithmic Research, IIIT Hyderabad, India. His research interests include authentication protocols, information security, digital rights management, cloud computing and management of information technology. He has authored 25 papers in international journals and conferences in his research areas.

Ashok Kumar Das (M’17–SM’18) received a Ph.D. degree in computer science and engineering, an M.Tech. degree in computer science and data processing, and an M.Sc. degree in mathematics from IIT Kharagpur, India. He is currently an Associate Professor with the Center for Security, Theory and Algorithmic Research, IIIT, Hyderabad, India. His research interests include cryptography, network security, blockchain, security in Internet of Things (IoT), Internet of Vehicles (IoV), Internet of Drones (IoD), smart grids, smart city, cloud/fog computing, intrusion detection, and AI/ML security. He has authored over 230 papers in international journals and conferences in the above areas, including over 195 reputed journal papers. He was a recipient of the Institute Silver Medal from IIT Kharagpur. He is on the editorial board of IET Communications, KSII Transactions on Internet and Information Systems, and International Journal of Internet Technology and Secured Transactions (Inderscience).

Xiong Li received the Ph.D. degree in computer science and technology from the Beijing University of Posts and Telecommunications, Beijing, China, in 2012. He is currently a Professor with the Institute for Cyber Security, School of Computer Science and Engineering, University of Electronic Science and Technology of China, Chengdu, China. He has authored over 100 refereed papers. His current research interests include cryptography and information security. Dr. Li was a recipient of the 2020 IEEE Systems Journal Best Paper Award and 2015 Journal of Network and Computer Applications Best Research Paper Award. He is an Editor of Telecommunications Systems and the KSII Transactions on Internet and Information Systems.

Muhammad Khurram Khan (M’07-SM’12) is currently working as a full professor at the Center of Excellence in Information Assurance, King Saud University, Saudi Arabia. He has edited seven books and proceedings published by Springer-Verlag and IEEE. He has published more than 370 papers in international journals and conferences and he is an inventor of several U.S./PCT patents. Dr. Khan is the Editor-in-Chief of a well-reputed journal ‘Telecommunication Systems’ (Springer). He is a full-time Editor/Associate Editor of several international journals/magazines, including IEEE Communications Surveys & Tutorials, IEEE Communications Magazine, IEEE Internet of Things Journal, IEEE Transactions on Consumer Electronics, Journal of Network & Computer Applications (Elsevier), IEEE Access, Security & Communication Networks, IEEE Consumer Electronics Magazine. His current research interests include Cybersecurity, biometrics, multimedia security, and digital authentication. He is a Fellow of the IET (UK), Fellow of the BCS (UK), Fellow of the FTRA (Korea), senior member of the IEEE (USA), a member of the IEEE Technical Committee on Security & Privacy, and a member of the IEEE Cybersecurity community.

Minho Jo (M’07, SM’16) is the professor in the Department of Computer Convergence Software, Korea University, Sejong Metropolitan City, South Korea. He is the Director of the IoT & AI Lab, Korea University. Prof. Jo currently serves for the South Korea’s Presidential Commission on Policy Planning. He received a BA from the Department of Industrial Engineering, Chosun University, South Korea, in 1984, and received a PhD from the Department of Industrial and Systems Engineering, Lehigh University, USA, in 1994, respectively.

He is a recipient of the 2018 IET Best Paper Premium Award by the United Kingdom’s Royal Institute of Engineering and Technology. He is one of the founders of the Samsung Electronics LCD Division. He is the Founder and the Editor-in-Chief of KSII Transactions on Internet and Information Systems (SCI/JCR and SCOPUS indexed). He is currently an Associate Editor of IEEE Systems Journal, IEEE Access, and IEEE Internet of Things Journal, respectively. Prof. Jo is an Editor of IEEE Wireless Communications. His current research interests include IoT, blockchain, artificial intelligence and deep learning, big data, network security, cloud/edge computing, wireless energy harvesting, and autonomous vehicles.