A novel multi-stage distributed authentication scheme for smart meter communication

Related work

Authentication is a fundamental security solution and it has been extensively studied in various application areas. In smart grid smart meter communication, several authentication schemes have been proposed by numerous researchers. Even after the schemes are developed for specific architecture or application, there may be some similarities observed in terms of authentication factors, cryptographic operation, and message communication (Abbasinezhad-Mood, Ostad-Sharif & Nikooghadam, 2019). In this article, we only reviewed recent and relevant literatures, for the most part, authentication which focuses on the network architecture which includes SM, NAN, and SCADA control server. Wu & Zhou (2011) proposed an anonymous key distribution scheme for the smart grid. This scheme mainly combines the symmetric key and elliptic curve public key techniques. In the scheme, the symmetric key was based on the Needham-Schroeder authentication protocol. Wu & Zhou (2011) claimed that the proposed scheme effectively resists the man-in-the-middle attack and the replay attack. Later, Xia & Wang (2012) analysed Wu & Zhou’s (2011) scheme and identified the scheme is vulnerable to man-in-the-middle attack. To overcome the identified attack, Xia & Wang (2012) proposed a key distribution scheme. Here, the authors used a trusted third party to manage the key distribution for the smart meter and the service provider.

Nicanfar et al. (2013) proposed an efficient mutual authentication scheme. This scheme was developed to authenticate the entities that present outside of the home area network. Nicanfar et al. (2013) assumed that the authenticating participants are a smart meter and authentication server. From this literature, Nicanfar et al. (2013) also proposed a key management protocol based on identity cryptography for secure smart grid communications using the public key infrastructure. Li et al. (2013) proposed a Merkle-Tree-Based authentication scheme for secure smart grid communication. This article is more focused on eliminating message injection, message analysis, message modification, and replay attacks during communication.

Tsai & Lo (2015) reviewed Xia & Wang’s (2012) authentication scheme and identified that Xia & Wang (2012) scheme does not support smart meter anonymity and perfect forward secrecy. To overcome the identified weaknesses, Tsai & Lo’s (2015) proposed a key distribution scheme for smart grid environments. The scheme was proposed including properties of bilinear pairings. Importantly, Tsai & Lo’s (2015) scheme needed a trusted third party to distribute the private keys for smart meters and smart grid during registration. Later, Odelu et al. (2016) reviewed Tsai & Lo’s (2015) scheme and found that the scheme can reveal the smart meter’s secret credentials when the secret key has been revealed. To overcome the identified security weakness, Odelu et al. (2016) proposed a new authenticated key agreement scheme based on bilinear pairings for the smart grid. Like Tsai & Lo (2015) scheme, Odelu et al. (2016) utilized trusted third party to handle the private keys.

Further, Mahmood et al. (2016) proposed a hybrid Diffie-Hellman based lightweight authentication scheme using AES and RSA cryptography. This scheme was focused on achieving authentication between building area networks (BAN) and smart meters. The objective of the scheme was to avoid replay attack during authentication. Wazid et al. (2017) proposed a three-factor user authentication scheme for a renewable energy-based smart grid environment. Here, the objective was to authenticate vehicle user who wants to charge his/her electric vehicle battery. In this scheme, even though there are multiple authorities involved, authentication can be possible only between user and smart meter. Also, Wazid et al.’s (2017) scheme is dependent on trusted authority for smart meter registration.

Mahmood et al. (2018) proposed a lightweight ECC-based authentication scheme for smart grid communication. The aim of the scheme is to authenticate two registered users communicating in the environment. In this scheme, the trusted third party was responsible to generate preliminary parameters like selecting elliptic curve, random base point, one-way hash functions, secret key, and so on. Mahmood et al.’s (2018) scheme was also aimed to eliminate the trade-off between performance and security in smart grid communication where the scheme should provide high security with high performance. Further Abbasinezhad-Mood & Nikooghadam (2018) analyzed Mahmood et al.’s (2018) scheme and identified that the scheme cannot provide the perfect forward secrecy. Also identified that the private key of users and shared session keys can be easily compromised with an adversary. To overcome the identified weaknesses, Abbasinezhad-Mood & Nikooghadam (2018) proposed elliptic curve cryptography based lightweight authentication scheme for smart grid communications. Mahmood et al.’s (2018) scheme was also reviewed by Chen et al. (2019) and identified that the scheme could not provide the perfect forward secrecy and private key privacy. Also, the authors analyzed Abbasinezhad-Mood & Nikooghadam’s (2018) scheme and identified that the scheme is vulnerable to the replay attack. To withstand the identified weaknesses, Chen et al. (2019) proposed a bilinear map pairing-based authentication and key establishment scheme.

Zhang et al. (2019) proposed a lightweight anonymous authentication and key agreement scheme for the smart grid. This scheme allows the smart meter and the service provider to authenticate each other. The authentication scheme does not follow any hierarchical network architecture which minimizes the system applicability. Ma et al. (2019) proposed the eye-movement and iris recognition based portable remote authentication for the smart grid. It was a biometrics-based remote operator authentication scheme that uses the record of eye-movement trajectory and randomly selected iris image for authentication.

Recently, Moghadam et al. (2020) proposed a lightweight key management protocol for secure communication between substation and data center in smart grids. The scheme was based on hash functions and private keys. Irshad et al. (2020) proposed a message authentication scheme for secure communications between HAN gateway and BAN gateway in smart grids. Aghapour et al. (2020) proposed a broadcast authentication scheme for smart grid communications which uses hash functions and private key. Here, the authentication was to be done between the NAN gateway and the smart meter. Sadhukhan et al. (2020) proposed a privacy-preserving authentication scheme for smart-grid communication using elliptic curve cryptography. Here, the scheme can authenticate HAN gateway and BAN gateway in smart grids. This scheme needs a trusted third party to generate credentials, keys, and hash functions. Wu et al. (2021) reviewed Chen et al.’s (2019) scheme and identified the known session-specific temporary information attack where adversary can get the information of random nonce which needed to compute the session key. Also, Wu et al. (2021) identified that Chen et al.’s (2019) scheme is vulnerable to impersonation attack. To overcome identified weaknesses, Wu et al. (2021) proposed an improved pairing-based authentication scheme. The proposed scheme, depended upon a trusted third party to generate secret keys, cyclic groups, and hash functions.

From the above literature study we can observe that (i) most of the authentication schemes have security flaws and their improvements are also show some possible attacks. (ii) Many schemes can perform authentication either between the smart meter and NAN gateway or gateway and SCADA center. (iii) Also, the authentication schemes that implemented to the hierarchical network are dependent upon a trusted third party. Therefore, It is vary much necessary to propose an authentication scheme that can mutually authenticate smart meter, NAN gateway, and SCADA center without involvement of any third party. Hence, we have proposed a novel multistage distributed authentication scheme for smart grid communication.

The rest of the article is assembled as follows. “System Model” presents the system model used to propose the authentication scheme. “Cryptographic Preliminaries” discusses the necessary cryptographic preliminaries to understand the scheme. “The Proposed Scheme” illustrates the proposed multi-stage authentication scheme for smart meter communication. This section includes a detailed explanation of the steps of authentication in each phase. Further, “Cryptanalysis of the Proposed Scheme” presents the cryptanalysis of the proposed scheme. Here, we proved the data confidentiality, sensitivity and the security provided in the proposed scheme. The formal security verification of the proposed scheme based on the CK adversary model is illustrated in “Formal Security Proof”, followed by the results of formal security verification using AVISPA are presented in “Result of Formal Security Verification Using Avispa Tool”. “Efficiency Analysis” discusses the proposed scheme’s efficiency analysis by comparing result computation cost (“Computation Cost Analysis”) and communication cost (“Communication Cost”) of the proposed scheme with the other related schemes. This section also gives the comparison result of the essential functionalities (“Functional analysis”) in smart meter communication. Finally, the article depicts the concluding remarks.

Initialization phase

To fully describe the proposed scheme, the process of system initialization is explained first. The initialization has to be done while deploying the system. It includes selecting an elliptic curve, hash functions, public and private keys necessary to perform encryption/decryption, and hashing operation throughout the entire scheme.

SG_i choose an elliptic curve E_p over the finite field F_p where p is a large prime number. SG_i also selects an elliptic curve point P of order n and one way hash functions $h_0(.)\to Z^{\ast },h_1(.)\to Z^{\ast },h_2(.)\to Z^{\ast }$. Further SG_i picks the private key x and computes the public key P_pub = x.P. Finally, SG_i publishes the parameters {E_p, P, F_p, h₀(.), h₁(.), h₂(.), P_pub}.

Registration phase

The registration phase includes steps to register participants (e.g., SM_i, NANG_i, etc.), which take part in the system. This phase includes the registration of Neighborhood Area Network gateway NANG_i and smart meter SM_i. The details of NANG_i and SM_i registration have been presented below.

Authentication phase

The authentication phase is performed between SM_i, NANG_i, and SG_i. Here, SM_i and SG_i mutually authenticate through NANG_i. Table 4 presents the authentication phase of the proposed scheme. The steps involved in this phase are as follows:

• Smart meter SM_i generates a random number w and computes

C_sm = w.P_pub ⊕ h₀(V_m ||MID_i)

CID_i = h₁(w.P_pub|| T₁) ⊕ b_i

C₁ = h₁(CID_i ||b_i ||w.P_pub)

• Further SM_i send login request message M₁ = {C_sm, CID_i, C₁, T₁} to NAN gateway.

• NANG_i receives the message M₁ sent by SM_i and checks the validity. To verify the freshness of the received message, NANG_i takes its current timestamp T₂ and checks that whether T₂ − T₁ ≤ δ T or not. Also, NANG_i confirms that between the time (T₁ + δ T) and (T₁ − δ T) there were no other requests which contains same parameters of M₁ has not received. If these conditions are not true, then the system rejects the request message and drops the session.

• NANG_i computes the following after receiving the login request message:

w.P_pub = C_sm ⊕ H_m

bi = h₁(w.P_pub ||T₁) ⊕ CID_i

C_nan = C_sm ⊕ H_m ⊕ h₀(V_n ||NID_i)

RID_s = h₁(C_nan h₀(V_n ||NID_i)) ⊕ b_j

C₂ = h₁(C₁ ||T₂ ||C_nan b_j)

• NANG_i Sends {CID_i, C₂, C_nan, RID_s, T₂, T₁} to the server.

• SG_i receives the request message sent by NAN gateway and checks its validity to make sure that the request is made recently. SG_i takes its present timestamp T₃ and checks whether T₃ − T₂ ≤ δ T. If the condition does not satisfy, then SG_i rejects the received message and drops the session. If not, SG_i begins the authentication process.

• Once the request message accepted by the sever, it starts authenticating it. To do that SG_i computes the following: w.P_pub = C_nan ⊕ H_n

b_i = h₁(w.P_pub|| T₁) ⊕ CID_i

b_j = h₁(C_n ||H_n) ⊕ RID_s

C₁ = h₁(CID_i ||b_i ||w.P_pub)

C₂ = h₁(C1 ||T₂ ||C_nan ||b_j)

• Server compares C₂ with received C₂. If both are equal then the server completes the authentication of SM_i and begins the mutual authentication.

• To perform mutual authentication, server first generates the random number y and computes C_s = y.P_pub ⊕ h₂(H_n)

SK_s = h₂(y.P_pub ||w.P_pub ||b_i ||b_j )

C₃ = h₂(SK_s ||t₃ ||y.P_pub)

• SG_i sends a mutual authentication message M₂ = {C₃, C_s, T₃} to NAN gateway. NANG_i receives M₂ and computes y.P_pub = C_s ⊕ h₂(h₀(V_n ||NID_i))

RID_m = h₂(C_m|| H_m ) ⊕ b_j

C_m = C_s ⊕ H_m ⊕ h₀(V_n ||NID_i)

SK_N = h₂(y.P_pub|| w.P_pub ||b_i ||b_j )

C₄ = h₂(C₃ ||T₄ ||C_m ||b_j)

Sends {C_s, T₃, C₄, C_m, T₄, RID_m} to the SM_i

• Smart meter receives mutual authentication message from NAN gateway and computes

y.P_pub = C_s ⊕ h₀(V_m ||MID_i)

b_j = h₁(C_m h₀(V_m ||MID_i)) ⊕ RID_m

SK_M = h₂(y.P_pub ||w.P_pub ||b_i ||b_j )

C₃ = h₂(SK_M ||T3 ||y.P_pub )

C4 = h₂(C₃ ||T₄ ||C_m ||b_j)

• SM_i Compares C₄ with received C₄ if both are equal smart meter, NAN gateway, and the server establishes the connection successfully.

• Further communications will be done through the shared session keys. The session keys are For smart meter, SK_M = h₂(y.P_pub ||w.P_pub ||b_i ||b_j)

For NAN gateway SK_N = h₂(y.P_pub ||w.P_pub ||b_i ||b_j )

For Server SK_s = h₂(y.P_pub ||w.P_pub ||b_i ||b_j ).

Resiliency against replay attack

Resiliency against replay attacks can be possible only when the server verifies the freshness of the login message before beginning the authentication. In the proposed scheme, a timestamp has been used to check the validity of the login request message. Suppose a participant receives the message contains timestamp T, then the participant takes its current timestamp T and checks the condition T′ - T ≤ δT. If this condition is satisfied, the next step would be to proceed else participant drops the session.

Let us assume that adversary steals the previous successfully authenticated login request message {C_sm, CID_i, C₁, T₁} sent from SM_i to NANG_i and {CID_i, C₂, C_nan, RID_s, T₂, T₁} sent from NANG_i to SG_i. Attacker trying perform replay attack by resending stolen login request message. Here, both NANG_i and SG_i first verifies the message freshness by checking the validity of the time stamp. To verify the freshness, NANG_i takes its current timestamp T₂ and checks whether T₂ − T₁ ≤ δ T or not. Also, NANG_i confirms that there were no other requests with parameters have been received between the time (T₁ + δ T) and (T₁ − δ T). If the timestamp T₁ is not modified in the login request message, the condition T₂ − T₁ ≤ δ T will definitely fails and NANG_i drops the session. This procedure also happens when SG_i receives login request message from NANG_i. Therefore, the proposed scheme resists the replay attack.

Resiliency against insider attack

The proposed distributed multistage authentication scheme does not store all the information in a single system/server. The registration of SM_i is with NANG_i and the registration of NANG_i will be done by SG_i. This process distributes the necessary credentials to SM_i, NANG_i and SG_i. To perform any attack, insider must know parameters stored in other two participants SM_i and NANG_i. Hence the proposed scheme ensures resiliency against insider attack.

Resiliency against impersonation attack

When the communication has taken place in an open channel, the attacker can intercept the sent/received messages and perform an impersonation attack. Assume that an attacker $\mathcal{A}$ intercepts the login and authentication messages {C_sm, CID_i, C₁, T₁}, {CID_i, C₂, C_nan, RID_s, T₂, T₁}, {C₃, C_s, T₃}, and {C_s, T₃, C₄, C_m, T₄, RID_m} to perform impersonation attack. In the proposed scheme, computation of the communication parameters are depending upon the random nonces w, y and the parameters {NID_i, b_j, V_n} stored in SM_i. Since the random nonce and stored parameters do not communicate in the open channel as plain text, attacker $\mathcal{A}$ cannot get the knowledge of it. Therefore $\mathcal{A}$ cannot modify the login request parameters to impersonate the user.

Resiliency against man-in-the-middle attack

A man-in-the-middle attack can be possible when the adversary successfully authenticates with the server or calculate the session key correctly by intercepting communication messages. In the proposed scheme, to mitigate this attack we have applied two types of mechanism. First and foremost the communication message parameters of the proposed scheme are computed depending upon the generated random nonces w, y. Usage of random nonce prevents the impersonation and preserves the secrecy of the session key. Secondly, a timestamp has been used to check the validity of the login request message in every session. As said in “Resiliency Against Replay Attack”, checking the message freshness resists the replay attack. Hence, the attacker cannot authenticate himself by intercepting the communication messages.

Provides perfect forward secrecy

In the proposed scheme, session key calculated by SK = h₂(y.P_pub ||w.P_pub ||b_i ||b_j). An adversary $\mathcal{A}$ cannot compute SK by intercepting the mutual authentication messages {C₃, C_s, T₃}, and {C_s, T₃, C₄, C_m, T₄, RID_m}. An attacker must have the knowledge of random nonces w, y, b_i and b_j to calculate SK. The proposed scheme cannot share random nonce as plain text over the public channel. Therefore to calculate SK, an adversary has to guess all random nonces at the same time, which is not possible. Hence the proposed scheme provides perfect forward secrecy.

Provides device anonymity

In the proposed scheme, device anonymity is preserved while login into the system. A dynamic identity CID_i = h₁(w.P_pub ||T₁) ⊕ b_i has been calculated every session. The computation of the CID_i is depending on the random nonce w. Therefore the dynamic identity is different at every login attempt. Hence the proposed scheme provides reveal the device identity MID_i.

Provides data confidentiality

In the proposed scheme, the confidentiality of the communicated messages has been preserved even after authentication. The secrecy of the message after authentication can be achieved by the session key. In the proposed scheme, if the attacker tries to steal any message communicated between SM_i, NANG_i and SG_i cannot decrypt without SK. As explained in “Provides Perfect Forward Secrecy”, the session key cannot be compromised with the adversary. Moreover, during authentication, after successful verification of the login request SM_i, NANG_i and SG_i will mutually authenticate each other and compute the session key. This creates a secure channel over an insecure environment. So, the communicated message remains confidential between SM_i, NANG_i and SG_i.

From the cryptanalysis result of the proposed scheme it can be proved that the data confidentiality, sensitivity and the security has been achieved by resisting the possible attacks on the network.

Participants

A participant in the entity takes part in the authentication process. In the proposed scheme, there are three participants are involved in performing the authentication, which is named as SM_i, NANG_i, and SG_i, where SM_i is a smart meter, NANG_i for the Neighborhood Area Network gateway, and SG_i is the SCADA control center/Server. Each participant have multiple instances to run the scheme parallelly. The instances are represented as SMⁱ, NANGⁱ, and SGⁱ, where ‘i’ represents the i^th instance of the participants (Tsai & Lo, 2015).

Queries

In CK—model, adversary $\mathcal{A}$ can construct the queries to perform the attacks. The possible queries made by $\mathcal{A}$, and the attacks committed with the constructed query are illustrated below:

• Execute(SMⁱ, NANGⁱ, SGⁱ): This oracle query construct the passive attacks by eavesdropping the successful execution done between the participants SM_i, NANG_i, SG_i. Here, $\mathcal{A}$ simulates the login and authentication phase and gets the messages communicated between the participants.

• Send(SMⁱ/NANGⁱ/SGⁱ, M): $\mathcal{A}$ formulatess this query to perform active attacks. Adversary sends message to SMⁱ/NANGⁱ/SGⁱ and receives the response from SMⁱ/NANGⁱ/SGⁱ.Also, $\mathcal{A}$ can intercept communication channel and modify the communicated messages and gets the reply in return.

• EKeyReveal (SMⁱ/SGⁱ): This query allows adversary to obtain the session state ephemeral secret key information held by the instance SMⁱ/NANGⁱ/SGⁱ.

• SKReveal (SMⁱ/SGⁱ): This query allows adversary to get the session key held by the instance SMⁱ/NANGⁱ/SGⁱ.

• Corrupt (SMⁱ/SGⁱ): This query express the notion of perfect forward secrecy where long term secret key can be compromise with $\mathcal{A}$ to get the session key on the oracle SMⁱ/NANGⁱ/SGⁱ.

• Test(SMⁱ/SGⁱ): This single query can be constructed by adversary at most once. It models the semantic security of the session. Here, $\mathcal{A}$ returns the session key of SMⁱ/NANGⁱ/SGⁱ or a random string with an equal bit length of the session key. This result is depending upon tossing a coin b. If b = 1, the adversary gets the original session key. Else $\mathcal{A}$ gets a random string with the same length as the real session key.

Before presenting the security proof, it is necessary to describe some definitions, which are given below:

• Partnering: Two entities are called to be partners when they are accepted and shared a commen session key. In the proposed scheme, SM_i, NANG_i and SG_i are partners only if MID_i = NID_j = SID_k, and SK_SMi = SK_NANGi = SK_SGi.

• Freshness: It is related to the session key. Here, oracle constructs the session key. We can say that the constructed session key is fresh if the instance meets the following conditions.

1. When there is no Reveal query is done by SM_i, NANG_i and SG_i, sission key SK_i should not be null.

2. Send(SM_i, M), Send(NANG_i, M) or Send(SG_i, M) should be asked after modelling the Currupt query

• Semantic Security: The goal of semantic security is to guess the bit ′b′, which is involved in the Test(SMⁱ/SGⁱ) query. Consider an event S() that the adversary $\mathcal{A}$ guess the bit b correctly. Let SM_i, NANG_i and SG_i oracles are considered as partners when authenticating each other and share a common session key. The adversary’s goal is to differentiate the session key from a random key. $\mathcal{A}$ can model many Test queries for SMⁱ or SGⁱ. Consider queries, for instance, SMⁱ. Further, SMⁱ toss a coin b. If b=1, the adversary gets the original session key. Else A gets a random string with the same length as the real session key.

Let Pr[S] denotes the game-winning probability of $\mathcal{A}$. The advantage of the Adversary A against breaking the semantic security of the proposed scheme is Adv^AKE_P (A) = |2Pr[Succ] − 1|.

Computational problem

It is essential to describe the details of the computational problem where the security proof relies upon.

• Elliptic curve computational Diffie-Hellman problem (ECDH): Let P, xP, yP ∈ E_p where $a,b\in Z_q^{\ast }$, then it is hard to compute xyP in polynomial time without knowledge of x or y.

• Elliptic curve discrete logarithm problem (ECDLP): It says that when G ∈ E_p(x, y) of order n and G = kP ∈ E_p(x, y), it is computationally infeasible to compute k in polynomial-time.

• Reversing One way Hash function: Let H(.) is a one way hash function, then it is computationally hard to get x from H(x). Also it is hard to find x where H(x) = H(x).

Security proof

Theorem 1 Let E_p over the finite field F_p with a large prime number p and $\mathcal{D}$ be the finite set of password. Consider $\mathcal{A}$ is a adversary running in a polynomial time to perfom security attack on the proposed scheme. Let Adv^AKE_SC is the advantage of the $\mathcal{A}$ against the proposed scheme and advantage of $\mathcal{A}$ that solves ECDH in E_p. While performing the attackes over the proposed scheme $\mathcal{A}$ makes q_send Send queries, q_hsh hash oracles, and q_exe Execute queries within the time t. The advantage of $\mathcal{A}$ will be

$$Ad{v}_{AKE}^{SG}\le {\displaystyle \frac{{(q_{send}+q_{exe})}^2}{2n}+{\displaystyle \frac{{(q_{hsh})}^2}{2^k}+{\displaystyle \frac{q_{send}}{2^k+n}+q_{hsh}.Ad{v}_{EC}^{ECDH}(t+(q_{exe}+q_{send})T_{EC})}}}$$

Proof: The queries constructed by $\mathcal{A}$ has been presented in Tables 5 and 6. Based on the queries build by $\mathcal{A}$, the proof is presented. The sequence of experiments from Experiment₀ to Experiment₄ defines the proof of the proposed authenticaion scheme. Let Succ_n denotes the event that occures after the Test query made by adversary while guessing the bit b correctly.

Experiment 0: This experiment corresponds to the real experiment in the random oracle model. By the definition, we have

$$Ad{v}_{AKE}^{SG}\le 2Pr[Suc{c}_0]-1$$

Experiment 1: This experiment simulates H₀, H₁, H₂ by maintaining two hash list L_h and L_h. Here, L_h stores the oracle for H₀, H₁, H₂ and L_h is for queries asked by $\mathcal{A}$. The simulation queries are presented in Table 5. From the simulation, it is observed that the transcript distribution of Experiment 0 and Experiment 1 are indistinguishable. Hence we have

$$Pr[Suc{c}_0]=Pr[Suc{c}_1]$$

Experiment 2: This experiment simulates the oracle of Experiment 1 except the collisions occurs in the transcripts and hash queries by the adversary. In other words, the experiment aims to avoid the collision occurring in C₁, C₃, C_sm and C_s. The Experiment 1 and Experiment 2 are indistinguishable until the collision takes place. Since, w and y are randomly chosen, according to the birthday paradox, probability of the collision occurrence is at most (q_send + q_exe)²/2n. Also, the probability of the occurrence of the collision in the output of the hash oracle is at most (q_hsh)²/2^k. Hence we have

(1) $$|Pr[Suc{c}_2]-Pr[Suc{c}_1]|\le {\displaystyle \frac{{(q_{send}+q_{exe})}^2}{2n}+{\displaystyle \frac{{(q_{hsh})}^2}{2^k}}}$$

Experiment 3: This experiment aborts the scheme if the adversary succeeds in guessing the authentication value C₁ and C₃ without making the hash query. Since, Experiment 3 and Experiment 2 are indistinguishable unless smart grid SG_i rejects C₁ or smart meter SM_i rejects the authentic value C₃. Hence we have

(2) $$|Pr[Suc{c}_3]-Pr[Suc{c}_2]|\le {\displaystyle \frac{q_{send}}{2^k+n}}$$

Experiment 4: This experiment considers the session key security. $\mathcal{A}$ cannot obtain the previous session key when $\mathcal{A}$ has {w, y, s, P} but not (w, s, P) and (y, s, P). The aim of $\mathcal{A}$ is to compute the session key SK_i = h₂(y.s.P w.s.P b_i b_j) by asking Execute(SMⁱ, NANGⁱ, SGⁱ) queries and corresponding hash queries in the four cases.

case 1: $\mathcal{A}$ queries Corrupt (SMⁱ) and Corrupt (SGⁱ) to get static private key s to compute the session key SK_i. To derive the session key $\mathcal{A}$ should get w and y.

case 2: $\mathcal{A}$ queries EKeyReveal (SMⁱ) and EKeyReveal (SGⁱ) to get ephermal private key w and y. But $\mathcal{A}$ will not get the static key s.

case 3: $\mathcal{A}$ queries EKeyReveal (SMⁱ) and Corrupt (SGⁱ) and returns w and s. But $\mathcal{A}$ will not get y.

case 4: $\mathcal{A}$ queries Corrupt (SMⁱ) and EKeyReveal (SGⁱ) and returns y and s. But $\mathcal{A}$ will not get x.

In all the above four cases, $\mathcal{A}$ will get insufficient information to compute SK_i without solving the ECDH. The Experiment 3 and Experiment 4 are indistinguishable until the ECDH assumption is true. Hence we have

(3) $$|Pr[Suc{c}_4]-Pr[Suc{c}_3]|=q_{hsh}.Ad{v}_{EC}^{ECDH}(t+(q_{exe}+q_{send})T_{EC})$$

Now, $\mathcal{A}$ has to guess b to achieve the experiment by the Test query. It is clear that Pr[Succ₄] = 1/2.

Computation cost analysis

The proposed scheme’s computation cost has been calculated and compared with the other schemes. We have presented the required computation cost and estimated execution time of the proposed scheme in Smart meter, NAN gateway, and SCADA control center/Server. To measure the execution time, we have taken the results obtained by Gope & Sikdar (2018). According to the results presented by Gope & Sikdar (2018), the required execution time for one computational parameter on Smart meter, NAN gateway, and SCADA control center/Server is given in Table 7. The computational parameters are defined as follows: T_h: The time for executing a one-way hash operation, T_s: The time for symmetric key encryption/decryption execution operation, T_mp: scalar multiplication operation of an elliptic curve, T_a: Point addition operation of an elliptic curve, T_b: The time to perform one bilinear pairing operation, T_e: The time to complete the modular exponential operation, T_fe: The time to perform fuzzy extractor Gen(·)/Rep(·) operation, T_PUF: The time to perform Operation of PUF circuit.

The computation cost analysis results are given in the Table 8 and the estimated execution time analysis is presented Fig. 4. The computation cost of the proposed scheme is the sum of the costs of SM_i, NANG_i, and SG_i, which is 2T_mp + 12T_h, 1T_mp + 12T_h, and 1T_mp + 7T_h, respectively. The total computation cost of the proposed scheme is 4T_mp + 32T_h. Estimated execution time of the proposed scheme in the SM_i and NANG_i is (3 × 5.9 ms) + (24 × 0.026 ms) = 18.324 ms. The estimated execution time in the SG_i side is (1 × 2.6 ms) + (7 × 0.011 ms) = 2.677 ms. The total estimated execution time of the proposed scheme is 21.001 ms.

Comparing the proposed scheme’s results with the other schemes presented in Table 8, we can observe that the proposed scheme’s computational cost and estimated execution time is higher than Gope & Sikdar (2018), Zhang et al. (2019), Ma et al. (2019), Khan, Kumar & Ahmad (2019) schemes and lesser than all other schemes. Unlike the proposed scheme, Gope & Sikdar (2018), Zhang et al. (2019), Ma et al. (2019) schemes will not mutually authenticates every participants involved in the communication. There are some architectural limitations where the scheme can be applied only when the smart meter is directly communicates with the smart grid. As discussed in “Introduction”, smart grid topology is split into several networks which contains several smart meters, NAN gateways, and SG. Therefore, the schemes of Gope & Sikdar (2018), Zhang et al. (2019), Ma et al. (2019) are not efficient for hierarchical model of smart grid communications. The estimated execution time of Khan, Kumar & Ahmad’s (2019) scheme also less than the proposed scheme. But the khan2019elliptic scheme was limited to authenticate smart meters and NAN gateway only. The proposed scheme computation cost and estimated execution time include the mutual authentication of a smart meter, NAN gateway, and smart grid. Also, the authentication of the proposed scheme has been achieved without involvement of any third party. Therefore the computation cost looks higher than the schemes of Gope & Sikdar (2018), Zhang et al. (2019), Ma et al. (2019), Khan, Kumar & Ahmad (2019). However, the proposed scheme overcomes all the security barriers presented in “Functional Analysis”, and achieves fully distributed multistage authentication.

Communication cost

The communication cost of the proposed scheme is compared with the Tsai & Lo (2015), Wazid et al. (2017), Odelu et al. (2016), Gope & Sikdar (2018), Kumar et al. (2018), Zhang et al. (2019), Ma et al. (2019), Wu et al. (2019), Li et al. (2019) and Khan, Kumar & Ahmad (2019) schemes and presented in Table 9. It includes the cost of the communication parameters, transmitted in one complete session of the authentication phase. For consistency purpose, we assume that the length of the identity ID_i and random number is 128 bits, the output size of hash functions H₀ (.), H₁ (), and H₂ () is 160 bits, size of an elliptic curve point is 320 bits, the block size of symmetric encryption/decryption is 256 bits, size of bilinear pairing is $G_1\to 320$ bits, $G_2\to 512$ bits and a Timestamp is 32 bits. The authentication phase of the proposed scheme requires 320 + 160 + 160 + 32 = 672 bits, 160 + 160 + 160 + 160 + 32 + 32 = 704 bits, 160 + 320 + 160 + 32 = 672 bits, and 320 + 160 + 160 + 160 + 160 + 32 + 32 = 1074 bits, for the messages {C_sm, CID_i, C₁, T₁}, {CID_i, C₂, C_nan, RID_s, T₁, T₂}, {C₃, C_s, T₃}, and {C_s, T₃, C₄, C_m, T₄, RID_m}. Hence, the total communication cost required for the proposed scheme to achieve the one session is 3072 bits. The communication cost analysis result is presented in Fig. 5.

We have also calculated the energy cost of the proposed scheme and compared the result with other schemes. The energy cost gives the expected energy required to communicate the data in the communication channel. We have used De Meulenaer et al. (2008) model to compute the energy cost. According to this model, the energy required to send and receive 1 bit of data is 0.72 μJ and 0.81 μJ, respectively. The communication cost of the sent message is 1,376 bits and received message is 1,696 bits, respectively. Hence, the energy cost of the proposed scheme for send and receive messages are 1,376 × 0.72 = 990.72 μJ and 1,696 × 0.81 = 1,373.76 μJ. The total expected energy cost of the proposed scheme is 2,364.48 μJ. The result of energy cost analysis has been presented in Table 9 and also shown in Fig. 6.

According to the analysis result presented in Table 9, the communication and energy costs of the proposed scheme are higher than all other schemes. Unlike other schemes the proposed scheme cost includes the communication done between smart meter, NAN gateway, and smart grid during the authentication. In Table 9, Tsai & Lo (2015), Wazid et al. (2017), Odelu et al. (2016), Gope & Sikdar (2018), Zhang et al. (2019), Ma et al. (2019), and Khan, Kumar & Ahmad (2019) schemes, have no communication with NAN gateway during authentication. Therefore, during communication cost comparison, if we neglect the proposed scheme communication messages done with NAN gateway, the total communication cost of the messages {C_sm, CID_i, C₁, T₁}, {C₃, C_s, T₃} is 1,344 bits and the energy cost is 1,028.16 μJ which is less than other schemes. Similarly, Kumar et al. (2018), Wu et al. (2019), and Li et al. (2019) schemes have no communication between NAN gateway and smart grid, we neglect those communication done in the proposed scheme to do the comparison. Therefore the total communication cost of the messages {C_sm, CID_i, C₁, T₁}, {C_s, T₃, C₄, C_m, T₄, RID_m} is 1,746 bits and the energy cost is 1,353.78 μJ which is lesser than other compared schemes. Hence, we claim that the proposed scheme is efficient than other schemes and robust in the multistage architecture.

Functional analysis

Table 10 presents the functional analysis of the proposed scheme done with other schemes. The features and the functionalities represented in Table 8 are as follows: F1—Multistage authentication, F2—Provide perfect forward secrecy, F3—Prevents replay attack, F4— Prevents insider attack, F5—Prevents man in middle attack, F6—Prevents impersonate attack, F7—Provide mutual authentication, F8— Provide smart meter credentials privacy, F9—Provides session key security. From Table 10, it is clear that the proposed scheme meets all the functional requirements. It also achieves multistage authentication where one smart grid can authenticate the smart meter through the NAN gateway.