A Lightweight Authentication and Key Agreement Protocol for IoT-Enabled Smart Grid System

The IoT-enabled Smart Grid uses IoT smart devices to collect the private electricity data of consumers and send it to service providers over the public network, which leads to some new security problems. To ensure communication security in a smart grid, much research focuses on using authentication and key agreement protocols to protect against cyber attacks. Unfortunately, most of them are vulnerable to various attacks. In this paper, we analyze the security of an existing protocol by introducing an insider attacker, and show that the scheme cannot guarantee the claimed security requirements under its own adversary model. Then, we present an improved lightweight authentication and key agreement protocol, which aims to enhance the security of IoT-enabled smart grid systems. Furthermore, we prove the security of the scheme under the real-or-random oracle model. The result shows that the improved scheme is secure in the presence of both internal attackers and external attackers. Compared with the original protocol, the new protocol is more secure, while keeping the same computation efficiency. Both of them are 0.0552 ms. The communication of the new protocol is 236 bytes, which is acceptable in smart grids. In other words, with similar communication and computation cost, we propose a more secure protocol for smart grids.


Introduction
With the rapid growth of Internet of Things (IoT), the IoT-enabled smart grid is gradually replacing the traditional power grid and becoming one of the important infrastructures in real society [1][2][3][4]. The IoT-enabled smart grid integrates wireless sensor networks into the power system, and obtains physical information such as grid operation status and parameters through wireless sensor networks. In smart grids, the wireless sensor network has become a useful supplement to the production, transmission, distribution and consumption of electric energy.
According to the latest NIST Framework and Roadmap for Smart Grid Interoperability Standards 4.0 [5], released in 2021, the smart grid model can be roughly abstracted into seven domains: customer, markets, service provider (SP), operations, generation (including DER), transmission and distribution, as shown in Figure 1. The solid blue line indicates secure communication flows and the dotted yellow line indicates electrical flows. The Customer is the end user of electricity, who may also generate, store, and manage the use of energy, which relies on smart meters (SMs) to access the smart grid. The Markets are the facilitators and participants in electricity markets and other economic mechanisms used to drive action and optimize system outcomes. The Service Provider is the organization providing services to electrical customers and to utilities. The Operations are the managers of the movement of electricity. The Generation Including DER is the producer of electricity, and may also store energy for later distribution. Transmission refers to the carriers of high voltage electricity over long distances. Distribution is the distributor of electricity to and from customers. The smart grid (SG) is superior to the traditional grid in several aspects [6], such as flexible control, efficient operation, convenient use, etc. However, as mentioned above, the SM is deployed on the side of consumers, so it is easy for most people to contact the SM, which gives a great opportunity to malicious attackers [7,8]. At the same time, due to the large number of SMs, it may be difficult for service providers to carry out effective security monitoring and physical protection. In other words, the security of the smart grid relies on the security of the communication protocol used in the communication between SMs and SPs in the power grid, and whether the identity authentication and information transmission can be carried out securely.
On 23 December 2015, some attackers successfully forged identity authentication and attacked the control system of the smart grid by taking advantage of the loopholes in the smart grid of Ukraine's energy supply company, which resulted in unexpected hours of large-scale blackout and great damage to the normal management of the society [9].

Related Work
Many researchers have paid attention to the authentication and key agreement protocols under smart grid circumstances. In 2011, Wu and Zhou et al. presented an authentication protocol [10] which applied elliptic curve cryptography (ECC) into a smart grid to provide fault tolerance and scalability. However, it was soon pointed out that the scheme could not resist the man-in-the-middle attack. In 2012, Xia and Wang et al. proposed a new key distribution protocol [11] combined with the lightweight directory access protocol (LDAP), which improved both the security and the efficiency. Unfortunately, their scheme cannot resist impersonation attack and cannot guarantee the anonymity of users [12]. Also in 2012, Wang et al. presented an authentication protocol in identity [13], which ignores that smart meters need to be anonymous. Afterwards, Tsai and Lo [14] proposed a new smart grid authentication protocol using identity based encryption technology. However, their scheme was pointed out to be unable to guarantee the privacy of smart meter credentials [15], and cannot provide session key security under the widely accepted Canetti-Krawczyk adversary (CK-adversary) model [16,17]. In 2014, Nicanfar et al. suggested a security protocol [18] for authentication, with a key generator to update the grid's key. However, the scheme's computation cost is expensive, and it is thus not suitable for smart grids.
With the development of sensor equipment, lightweight authentication and key agreement schemes in smart grids have become popular. In 2018, Mohammadali et al. presented an identity-based authentication with light burden and key agreement scheme, where elliptic curve cryptography is used to establish a session key [19]. In the same year, Mahmood et al. also paid attention to the efficiency of the authentication scheme in a smart grid and designed a lightweight user authentication protocol [20] based on ECC. Unfortunately, although these two schemes are designed cleverly, they are not anonymous enough. Therefore, Kumar et al. [21] proposed a lightweight security protocol for anonymity in smart grids, but a synchronization problem was also pointed out. In 2019, Zhang et al. proposed an identity authentication communication scheme [22] in smart grids, which uses a novel dynamic verification table to protect the anonymous data, either in authentication or in the smart meters. Meanwhile, this new protocol is a fault-tolerant mechanism, and also ensures the untraceability of the user's identity. In 2020, Ferrag et al. [23] pointed out that Zhang et al.'s scheme cannot ensure authentication of all nodes, but they did not give a detailed explanation. Sadhukhan et al. [24] showed the potential performance problems of Zhang et al.'s scheme. However, there are few articles on the security analysis of Zhang et al.'s scheme. In the same year, Abbasinezhad-Mood et al. proposed an anonymous ECC-based self-certified key distribution scheme [25]; the scheme is not only free from the overhead of the certificate management and the key escrow issue, but is also more efficient than anonymous schemes in terms of both communication and computational costs.
In 2020, Khan et al. [26] suggested a novel system for smart grids PALK as a means for authenticating communication between two SG entities. Additionally, they analyzed many of PALK's security characteristics and attack resilience. However, in 2022, Mohammed Taqi et al. [27] revealed that Khan et al.'s [26] scheme is vulnerable to well-known security threats, such as user anonymity and password guessing attack. They also proposed a new protocol LSPA-SG that they claimed would withstand every known attack. In 2022, Deebak et al. proposed a seamless authentication framework with privacy-preserving (SAF-PP) protocol [28] to deal with the security and privacy issues of smart eHealth intelligence. The formal analysis proves that SAF-PP can adhere to significant security properties while improving the system efficiency rate.
In a smart grid, where communication information is vulnerable to various attack threats, a secure authentication and key agreement protocol is essential for secure communication. We present a summary of the security problems and limitations of the recently available AKE schemes in Table 1. Meanwhile, most of the existing protocols [29][30][31] do not take into account the presence of insider attackers. In conjunction with the actual deployment environment of the smart grid, it is essential to consider how the protocol can guarantee the security of communication in the presence of insider attackers. In addition, it is necessary to consider a secure authentication protocol for IoT smart devices in resource-constrained scenarios in the smart grid.

Motivation
In the smart grid environment, it is critical to realize anonymity and untraceability for the smart meter with the presence of internal attackers during the authentication process. Zhang et al. [22] presented a practical authentication and key agreement scheme, and claimed that their proposal can satisfy security requirements and outperform the current solutions. This paper analyzes the security of Zhang et al.'s protocol [22], and points out that their scheme cannot really guarantee the claimed security requirements under their adversary model. More precisely, they regard the attacker as a third party, but ignore that the attacker may also be a legitimate consumer of the smart grid, who can obtain a legal identity of a smart meter.
Based on the above assumption, we review and analyze Zhang et al.'s protocol [22] and point out that their work is not secure enough to prevent an impersonation attack from an insider attacker. We then improve Zhang et al.'s protocol so that it can resist various attacks from both outsider and insider attackers.

Contribution
The contribution of this paper is as follows:
• We introduce an insider attack and take Zhang et al.'s protocol [22] as an example to improve the security. We first analyze the security of Zhang et al.'s protocol [22] and point out the reasons why their protocol cannot resist insider attack. Then, we describe the detailed steps of an insider attack, and show the potential threats of insider attack. In addition, we have made improvements to Zhang et al.'s protocol to resist insider attack.
• We analyze the security and performance of our proposed protocol and the results show that the protocol has strong security and efficiency. We analyze the security of the improved protocol in detail and prove the security of the protocol under the real-or-random oracle model. Through informal analysis, it has been shown that this protocol can resist common attacks, including insider attack. After that, we compare the proposed protocol with other schemes, indicating that the improved protocol is still lightweight.
The rest of the paper is organized as follows. Section 3 analyzes the security of Zhang et al.'s scheme. In Section 3, an improved lightweight authentication and key agreement protocol is presented in detail. Section 4 introduces the security analysis of the improved scheme. In Section 5, a detailed comparison of the security and computational cost is conducted between the improved protocol and several other schemes. Section 7 concludes the whole paper.

Communication Model
This paper focuses on the authentication between Service Provider and Customer, and thus it is based on the sub-network, which consists of the service provider and the smart meters. A smart meter is a hardware device deployed on the legitimate user side of the power grid, which can be used to transmit information in the power grid, undertake power consumption monitoring, electricity price information and other sensing functions [32][33][34]. Service providers provide power services for consumers, i.e., receive power information through SMs, charge the users, analyze the consumer's data, and so on [35][36][37].
A secure protocol is used between SMs and SPs to provide identity authentication and key agreement. A smart meter usually registers a legal identity through a secret channel before communication. After that, the SM and SP authenticate each other through the public network and generate a secret session key at the same time. The session key is used for SM and SP subsequent session encryption, as shown in Figure 2. From a practical point of view, a smart meter is easily accessed by anyone, and is thus vulnerable to eavesdropping, modification or physical attacks. Note that it is also a tamper-resistant device, so the information stored in it is difficult to steal, change or destroy.

Threat Model
Assume an attacker is a probabilistic polynomial time (PPT) attacker, which means he can obtain all the messages transmitted in the public channel, i.e., can intercept, modify or replay all the messages, can obtain access to all the normal released information in the grid, and can access and control smart meters, but cannot obtain sensitive data stored in the tamper-resistant devices. Moreover, according to Zhang et al. [22], an attacker can acquire SPs' master keys or IDs, but not both. An attacker can also obtain the validation table used in the scheme from the providers' servers.

Security Goals
The security scheme in smart grid should meet the following security objectives:
• Mutual authentication: Each session between the smart meter and service provider requires complete mutual authentication. This is to ensure that both sides of the communication are credible.
• Generate security session key: The security scheme should generate a temporary session key, which is confidential and unpredictable to any third party.
• Resist known security attacks: The security scheme should resist common attacks, such as man in the middle attack, replay attack, and so on.
• Provide SM's anonymity: The scheme usually only needs to ensure that the third party cannot obtain the identity information of the smart meter. However, a good security protocol should make the service provider unable to figure out whether two sessions are possessed by the same SM or not.

Some Flaws of Zhang et al.'s Scheme
This section firstly exhibits Zhang et al.'s scheme, then shows how to mount an insider attack on Zhang et al.'s scheme.

Review of Zhang et al.'s Scheme
Zhang et al.'s scheme involves a registration phase and key agreement phase with authentication, which are executed by the smart meter SM i and the service provider SP j .
• The smart meter SM i firstly chooses a random value with high entropy r 1 . Then, SM i sends its identification ID i and r 1 to the service provider SP j securely.
• After receiving the messages from SM i , SP j computes where ID j means the identification of SP j and s means the master key of SP j . Then, SP j where E s () means the secure symmetric encryption with secret key s. Finally, SP j stores Q i into its dynamic verification table and returns M i to SM i via a secure channel.
• SM i receives M i from SP j , and stores {ID i , r 1 , M i } into its own tamper-resistant device.

Authentication and Key Agreement Phase
• When the smart meter SM i attempts to start the communication with the service provider SP j , SM i produces a random value with high entropy r 2 temporarily. After that, SM i calculates , and checks whether Q * i is in its dynamic verification table or not. There are two columns, Q i and Q i o, in the table, and the values of both columns are blank at the beginning. When SM i is successfully registered, the generated ). Next, SP j chooses a random value with high entropy r 3 and generates a temporary key After that, SM i and SP j apply the session key SK = SK * into the communication.

Security Flaws of Zhang et al.'s Scheme
Under the assumption of the threat model in Zhang et al.'s scheme [22], an adversary is able to obtain either the service providers' master key or ID, but not both. Unfortunately, in the smart grid, the attacker is likely to be an insider attacker, a notion introduced by Kumar et al. [4] in 2019. An insider attacker A can not only intercept messages through the channel, but also register as a legitimate user.
Next, we look into Zhang et al.'s scheme and show how an insider attacker attacks the scheme step by step using the identity of consumers and the master key s.

• Step 1. The attacker firstly registers to SP j as a legitimate user, and obtains his identity information ID A , r 1A and M A after successful registration. He/she can decrypt M A with key s to obtain (h(ID j ||s ) ⊕ ID A ), where ID A = ID A . The phase is shown in Figure 3.
• Step 2. During the protocol process between a registered smart meter SM i and SP j , the attacker intercepts {X i , M i } sent by SM i to SP j . Then, he/she decrypts the information M i with key s to obtain (ID i ⊕ r 1 ) and (h(ID j ||s ) ⊕ ID i ), where ID i = ID i generally.
• Step 3. The attacker computes where (h(ID j ||s ) ⊕ ID i ) comes from step 2 and (h(ID j ||s ) ⊕ ID A ) comes from step 1. This phase is shown in Figure 4.

At this time, the attacker has successfully attacked the legitimate SM i . The attacker may then use, but is not limited to, the following means of attacks.

• The loss of smart meter anonymity: Through Step 3 above, the attacker obtains ID i of legitimate SM i , which directly leads to the loss of the user's anonymity.
• Impersonation attack: The attacker can also obtain r 1 stored in SM i by calculating r 1 = (ID i ⊕ r 1 ) ⊕ ID i and M i from the intercepted message. This means that all information {ID i , r 1 , M i } stored by SM i is obtained by the attacker. The attacker can impersonate SM i and communicate with SP j .
• Session key compromise attack: If the attacker knows the information {ID i , r 1 , M i }, he/she can compute X i = h(ID i ||r 1 ) ⊕ r 2 and fake SM i by sending {X i , M i } to SP j . After receiving the message {M 2 } from SP j , the attacker is able to execute all operations performed by SM i step by step, and gets the correct SK * and returns correct M 3 to SP j .
• Permanent denial of service attack: Because the scheme uses a dynamic authentication table to verify SM i 's identity, SM i will lose the ability of communication with SP j permanently when the attacker disguises SM i twice in succession. In short, this scheme only retains the current and last session credentials of SM i in the verification table of SP j . Once the attacker successfully disguises SM i more than two times, the session credentials of SM i will expire, and this process is irreversible.

Reasons for the Weakness
The direct reason for the weakness of Zhang et al.'s scheme [22] is that SP j assigns the same information for all smart meters, which is used to meet the untraceability and the anonymity of smart meters. However, this also results in the consequence that SP j is unable to store the identity credentials used to distinguish different smart meters. To authenticate the smart meter SM i successfully, SP j has to know s and h(ID j ||s) for obtaining ID i . Unfortunately, the insider attacker can also take advantage of this to obtain SM i 's identity information, i.e., an attacker A obtains the certificate h(ID j ||s) at the time of his registration through his legal identity, and then uses h(ID j ||s) to obtain the authentication information of other SMs, and finally realizes the insider attack.

The Improved Scheme
To avoid the above insider attack, different SMs should have different authentication information. Note that the anonymity of the SM cannot be destroyed when distinguishing different SMs. Based on this analysis, this section presents an improved protocol, which involves two phases: a registration phase, and an authentication and key agreement phase. Table 2 lists the notations used in the improved scheme.

Registration Phase
Before SM i communicates with SP j , SM i firstly applies to SP j for registration, as shown in Figure 5.

• The smart meter SM i firstly generates a random integer N 1 . Then, SM i sends its identification ID i and N 1 to SP j via a secure channel.
• After receiving the message from SM i , SP j computes S i = h(N 1 ⊕ (ID j ||ID i ) ⊕ K), where K means the master key of the service providers. Next, SP j calculates where N SM is a high entropy random number generated for SM i . Then, SP j stores S i into its dynamic verification table. The dynamic verification table is shown in Figure 6. There are two columns S 1 and S 2 in the table, and the values of both columns are blank at the beginning. When SM i is successfully registered, the generated S i will be stored in a new blank of column S 1 . Each row in the table represents a registered smart meter. Finally, SP j returns X i to SM i securely.
• SM i receives X i from SP j , and stores {ID i , N 1 , X i } into its own tamper-resistant device.

Authentication and Key Agreement Phase
When SM i attempts to set up a new session with SP j , it needs to perform the following steps. The details of the whole session are shown in Figure 7.

When SM i is willing to build the communication with the SP j , SM i needs to produce a high entropy random number N 2 temporarily. After that, SM i calculates , and checks whether S * i can be found in its dynamic verification table or not. If S * i is found in S 2 , SP j fills in the value of S 2 to S 1 . Once the value of S * i can be found in the table, SP j can obtain N * 2 = h(ID * i ||N * 1 ) ⊕ Y i . Next, SP j chooses high entropy random numbers N 3 and N * SM . It can compute X * i = E K ((ID * i ⊕ N * 2 )||N * SM ||(h(ID j ||K||N * SM ) ⊕ ID * i )) and generate a temporary key tk = h(N * 1 ⊕ N * 2 ⊕ ID * i ). After this, SP j can obtain the session key SK = h(N * ) with secret key tk and returns {Z i } to SM i .
After receiving message P i from SM i , SP j makes a check on whether h(SK||N 3 ) matches with P i . If it holds, SP j displaces (S 1 , After that, SM i and SP j apply the session key SK = SK * in the communication.

Formal Security Analysis
This section presents a rigorous formal security analysis of the improved scheme. First, the security model of the protocol is proposed.

Security Model
Suppose the attacker can control the messages transmitted on all public channels and obtain all public parameters. An attacker cannot obtain secret information (for example, information in the tamper-resistant device), but can obtain some leaked information (for example, either the SP's master key or the SP's identity). There are two kinds of identity, i.e., the smart meters' identities and the service providers' identities, where SM i is for a smart meter's identity and SP j is for a service provider's identity. The improved protocol's security is proved in the real-or-random oracle model, and the details are represented by O. E is used to represent SM i or SP j .
• Corrupt (E): This operation is applied to simulate the forward security. The attacker can obtain the leaked long-term secret information, such as SP j 's master key or SP j 's identity (but not both).
• Test (E): This operation is used to return the session key or a randomly generated key. This response depends on a random bit b. If b is equal to 1, the query returns the session key; if b equals 0, the query returns a random key.
Semantic security: An attacker A can perform several test (E) operations. Each time, a key is obtained based on the result of b. This process indicates that the attacker distinguishes between the session key and the random key. Pr[Success] is the probability of the attacker to be the game winner, which is expressed as follows: Now we will prove that in the improved protocol, the attacker's advantage is nonnegligible. We first show the difference lemma [38].

Theorem 1. Let Adv se A represent the advantage of A in breaking the symmetric cipher algorithm, and l represent a security parameter. Let q send and q c represent the upper limit of hash queries when simulating an active attack and guessing key tk, respectively. The advantage of A breaking the semantic security is Adv ake

We define the sequence of games GM 0 to GM 3 . Let Succ i be the event that A guesses bit b for GM i in the test session successfully. The games GM 0 to GM 3 are presented as follows.
Game GM 0 : This game is related to the real attack under the random oracle model. Therefore

Adv ake
Game GM 1 : We query Execute oracles several times to simulate A's eavesdropping attack. Because all messages are encrypted symmetrically or hashed, these operations cannot make A obtain more useful information. Thus A cannot extend the advantage of winning game GM 1 . Therefore

Pr[Succ 0 ] = Pr[Succ 1 ]
Game GM 2 : We query Send and Hash oracles to simulate A's active attack. It is impossible for A to find the collisions of Y i /P i /Q i in the way of making queries, or decrypting the information of X i /Z i without key K/tk. Hence there is no collision when querying Send oracles. Due to the birthday paradox, we obtain

Game GM 3 : This game aims at simulating forward security using the Corrupt oracle query. Even if A is lucky enough to find the correct hash collision value, he still needs to find a way to obtain the long-term stored key K and the temporarily generated tk. Thus, A has to query the Corrupt and Hash Oracle, and we have

A cannot receive any useful messages since all the oracles have been simulated. At this point, A has half the chance to guess the correct value of b, so the probability to win GM 3 is:

As a result, the final output performs as follows:

Adv ake
The semantic security of the improved protocol is proved completely.

Informal Security Analysis
This subsection contains an informal security analysis to show that the improved protocol can resist various attacks from both outsider and insider attackers.

Insider Attack
As mentioned in Section 2, an attacker A may have a legitimate identity. Even if A obtains the master key K of the service provider, A cannot pretend to be another consumer in the improved protocol, since N SM is stored in X i = E K ((ID i ⊕ N 1 )||N SM ||(h(ID j ||K||N SM ) ⊕ ID i )) during the registration phase, and the value h(ID j ||K||N SM ) generated for each consumer is different. Although N SM can be obtained when decrypting X i with key K, h(ID j ||K||N SM ) cannot be calculated without having ID j and K at the same time. In addition, SP j still does not store SM i 's ID so it still meets SM i 's non-traceability.
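The difference between the shared mask described under "Reasons for the Weakness" and the per-meter mask described in this subsection can be checked on a small model. This is an added example, not code from the paper: it models only the plaintext fields inside M i and X i (symmetric encryption is left out, since the page's threat model lets the attacker hold the key), and the 20-byte identities and all function names are assumptions made for illustration.

```python
import hashlib
import secrets

HASH_LEN = 20  # SHA-1 digest size; the page's cost analysis assumes SHA1


def h(*parts: bytes) -> bytes:
    """One-way hash h(a||b||...)."""
    return hashlib.sha1(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def make_id(label: str) -> bytes:
    """Constructed identity, padded to 20 bytes so it can be XORed with a hash."""
    raw = label.encode()
    if len(raw) > HASH_LEN:
        raise ValueError("label too long for this model")
    return raw.ljust(HASH_LEN, b"\x00")


def register_original(id_j: bytes, s: bytes, id_i: bytes) -> dict:
    """Field inside M_i in the original scheme: h(ID_j||s) XOR ID_i.
    The mask h(ID_j||s) is the same for every registered meter."""
    return {"masked_id": xor(h(id_j, s), id_i)}


def register_improved(id_j: bytes, k: bytes, id_i: bytes) -> dict:
    """Fields inside X_i in the improved scheme: N_SM and
    h(ID_j||K||N_SM) XOR ID_i, with a fresh 128-bit N_SM per meter."""
    n_sm = secrets.token_bytes(16)
    return {"n_sm": n_sm, "masked_id": xor(h(id_j, k, n_sm), id_i)}


def recover_own_mask(own_record: dict, own_id: bytes) -> bytes:
    """Any registered party can strip its own ID to learn its own mask."""
    return xor(own_record["masked_id"], own_id)


def cross_meter_unmask(own_record: dict, own_id: bytes, other_record: dict) -> bytes:
    """Apply the mask learned from one's own record to another meter's record."""
    return xor(other_record["masked_id"], recover_own_mask(own_record, own_id))


def compare_schemes() -> dict:
    """Return, per scheme, whether a registered insider's mask also
    unmasks a second meter's identity (True means anonymity is lost)."""
    id_j = make_id("SP-j")                # constructed provider identity
    key = secrets.token_bytes(16)         # stands for s / K
    id_a = make_id("meter-A (insider)")   # constructed
    id_i = make_id("meter-i (victim)")    # constructed
    results = {}
    for name, register in (("original", register_original),
                           ("improved", register_improved)):
        rec_a = register(id_j, key, id_a)
        rec_i = register(id_j, key, id_i)
        results[name] = cross_meter_unmask(rec_a, id_a, rec_i) == id_i
    return results


if __name__ == "__main__":
    print(compare_schemes())
```
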

De-Synchronization Attack
Our scheme can resist de-synchronization attacks with a dynamic verification table. If A intercepts message X i , Y i , Z i or P i , SM i 's unique identification in the table is not updated, and SM i can perform the authentication phase again. Suppose that A intercepts message Q i sent by SP j and S 1 of the dynamic verification table has been updated, while the last unique identification is also stored in S 2 . Once SM i has not received the confirmation message within the limited time, it can still use the last unique identification to authenticate, which can be found in S 2 .
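The two-column behaviour described above can be simulated as follows. This is an added example, not the paper's code: the rotation rule on a completed session (S 2 takes the old S 1 , S 1 takes the new value) is an assumption inferred from this paragraph, the next credential is a random stand-in for the scheme's real derivation, and the single-column variant is a hypothetical baseline included for contrast.

```python
import secrets


class VerificationTable:
    """Service-provider side table; one row per registered smart meter."""

    def __init__(self, keep_previous: bool = True):
        # keep_previous=False models a hypothetical table with no S2 column.
        self.keep_previous = keep_previous
        self.rows = []

    def register(self, s_i: bytes) -> None:
        # On registration S_i goes into column S1; S2 starts blank.
        self.rows.append({"S1": s_i, "S2": None})

    def lookup(self, s_star: bytes):
        """Find the row holding the presented credential, or None."""
        for row in self.rows:
            if row["S1"] == s_star:
                return row
            if row["S2"] is not None and row["S2"] == s_star:
                # Page: if S*_i is found in S2, SP_j fills S2 into S1.
                row["S1"] = row["S2"]
                return row
        return None

    def commit(self, row: dict, s_new: bytes) -> None:
        """Rotate credentials after the provider has verified P_i (assumed rule)."""
        if self.keep_previous:
            row["S2"] = row["S1"]
        row["S1"] = s_new


def run_session(table: VerificationTable, meter: dict,
                drop_confirmation: bool = False) -> bool:
    """One authentication run. drop_confirmation models the final message
    Q_i being intercepted, so the meter never learns the new credential."""
    row = table.lookup(meter["cred"])
    if row is None:
        return False
    s_new = secrets.token_bytes(20)   # random stand-in for the next credential
    table.commit(row, s_new)
    if not drop_confirmation:
        meter["cred"] = s_new         # meter updates only on confirmation
    return True


def desync_outcome(keep_previous: bool) -> list:
    """Session 1 loses its confirmation; sessions 2 and 3 run normally."""
    table = VerificationTable(keep_previous=keep_previous)
    meter = {"cred": secrets.token_bytes(20)}   # constructed initial S_i
    table.register(meter["cred"])
    return [
        run_session(table, meter, drop_confirmation=True),
        run_session(table, meter),
        run_session(table, meter),
    ]


if __name__ == "__main__":
    print("two columns :", desync_outcome(keep_previous=True))
    print("one column  :", desync_outcome(keep_previous=False))
```
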

Replay Attack
If A wants to replay messages {X i , Y i } sent by SM i , it can pass the first step of SP j 's verification. However, after receiving message Z i returned by SP j , A cannot generate . The attacker will not succeed in replaying message P i , because N 3 generated by SP j is different each time. If A wants to replay the messages Z i and Q i sent by SP j , SM i will find that h(ID i ||N 1 ||N 2 ) and h(N 1 ||(N 2 ⊕ N * 3 )) are not the same, since N 2 is randomly generated by SM i for each session.

Man-in-the-Middle Attack
The messages sent by SM i and SP j are processed by hash function or symmetrically encrypted. Even if A obtains the master key K, he can only decrypt the first message X i sent by SM i and cannot obtain other useful information. Because of the anonymity of SM i , A cannot obtain ID i of SM i . The random number N 1 also cannot be obtained because the tamper-resistant device prevents its leakage. Therefore, even if the attacker modifies the message, A cannot mount a man-in-the-middle attack.

Impersonation Attack
In the impersonation attack, we consider an adversary A, who can monitor the public network and capture the message {X i , Y i , Z i , P i , Q i } transferred on an insecure channel. We consider two cases.
• SM impersonation attack. If adversary A wants to impersonate the SM, he must forge the message {X i , Y i , P i } to have the SP believe that the message is legal. However, A must know secret parameters such as ID i , N 1 , N 3 in order to produce the messages as legal. Due to the lack of knowledge of these parameters, the adversary cannot implement the SM impersonation attack.
• SP impersonation attack. If the adversary A wants to impersonate SP, it needs to forge the message {Z i , Q i }. The generation of the message requires SP's long-term secret as auxiliary material which the adversary cannot learn. Therefore, the improved scheme can resist the impersonation attack.

Anonymity and Untraceability
The purpose of anonymity is to prevent the adversary, who can intercept messages in an insecure channel, from obtaining the actual ID of the smart grid. At a higher level, the adversary cannot find any relationship among sessions of one entity. In the improved scheme, all the transmitted messages are {X i , Y i , Z i , P i , Q i }. The ID of SM is sent over the insecure channel with the use of a hash function. Therefore, the adversary cannot derive the actual ID from the transmitted messages. Furthermore, each communicated message is dynamically changed by involving random numbers. The adversary also fails to trace the participants.

Perfect Forward Secrecy
This property means that even if the long-term secret parameters of both entities are leaked, it will not lead to the previous session key being compromised. In our protocol, if the long-term secret parameters of SM and SP are compromised, the adversary needs to know the ephemeral secret to compute. Due to the lack of knowledge of the ephemeral secret, the session key remains secure.

Performance Analysis
How to improve security without affecting the efficiency is one of the goals of improving the protocol. This section presents a comparison between the improved protocol and four other protocols proposed recently for smart grids [19][20][21][22][27], in terms of functionality, computation efficiency and the communication efficiency. Table 3 shows the comparison of security and functionality, where F1 denotes mutual authentication, F2 denotes session-key security, F3 denotes message integrity, F4 denotes smart meters' anonymity, F5 denotes perfect forward secrecy, F6 denotes smart meters' untraceability, R1 denotes the ability to resist replay attack, R2 denotes resistance to man-in-the-middle attack, R3 denotes resistance to impersonation attack, R4 denotes resistance to de-synchronization attack, R5 denotes resistance to insider attack and R6 denotes resistance to stolen verifier attack. From Table 3, it can be seen that the improved scheme can meet the basic functionality and security requirements. In terms of functionality, our scheme can guarantee mutual authentication, session-key security, message integrity, perfect forward secrecy, smart meters' anonymity and untraceability. In terms of security, our scheme can resist replay attacks, man-in-the-middle attacks, impersonation attacks, de-synchronization attacks, insider attacks and stolen verifier attacks. In addition, some protocols do not consider insider attackers [19,21,22]. Some schemes [19,20,22] do not provide smart meters' anonymity, while some [19][20][21][27] cannot resist de-synchronization attacks. To summarize, our improved protocol has advantages in security and functionality.

Computation Overhead Analysis
Only the authentication and agreement phase is compared when analyzing the computation cost, since this phase is the main part of the scheme. The executions of the concatenating operation and OR operation are not considered, because the time of these executions is negligible. Let $T_h$ denote the computation time for the one-way hash function, $T_e$ denote the computation time for symmetric encryption operation, $T_d$ denote the computation time for a symmetric decryption operation, $T_{HMAC}$ denote the computation time for the hash-based message authentication code (HMAC) operation, $T_a$ denote the computation time for point addition of elliptic curve and $T_m$ denote the computation time for the point multiplication of the elliptic curve. According to the literature of Abbasinezhad-Mood et al. [39], we have that $T_h$ takes 0.0023 ms, $T_e$ takes 0.0046 ms, $T_d$ takes 0.0046 ms, $T_{HMAC}$ takes 0.0046 ms, $T_a$ takes 0.0288 ms and $T_m$ takes 2.226 ms. Let $C_1$ denote the computation cost in the smart meter, $C_2$ denote the computation overhead in the service provider phase and $C_3$ denote the total costs. Table 4 shows the computational cost including the improved protocol and other ones. It can be seen from Table 4 that the computation cost of the improved protocol at the smart meter is $C_1 = 7T_h + 1T_d$, i.e., the smart meter needs to execute seven one-way hash function operations and an encryption operation. In addition, the service provider's computation overhead is which is less computation resources than the protocols using the elliptic curve [19][20][21][27]. The new protocol has the same computation efficiency as the original protocol [22]. Both of them are 0.0552 ms. Since these two protocols have a great improvement in computation cost compared with the known protocols [19][20][21][27], our proposed protocol is still lightweight in terms of computational overhead level.
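The cost accounting in this subsection can be checked mechanically. The following Python sketch is an added example, not code from the paper: it parses cost expressions written in the section's notation and evaluates them with the timings quoted from [39]. Treating 0.0552 ms as the total cost of the protocol is an assumption, and all function names are hypothetical.

```python
import re

# Per-operation timings in milliseconds, as quoted in this section from [39].
TIMINGS_MS = {"h": 0.0023, "e": 0.0046, "d": 0.0046,
              "HMAC": 0.0046, "a": 0.0288, "m": 2.226}

# One term of a cost expression: optional count, then T_<op> (also "T <op>").
_TERM = re.compile(r"^(\d*)\s*T_?\s*(HMAC|[a-z])$")

def parse_cost(expr):
    """Parse e.g. '7T_h + 1T_d' into operation counts {'h': 7, 'd': 1}."""
    counts = {}
    for raw in expr.split("+"):
        m = _TERM.match(raw.strip())
        if not m:
            raise ValueError(f"cannot parse term: {raw!r}")
        coeff, op = m.groups()
        if op not in TIMINGS_MS:
            raise ValueError(f"no timing known for T_{op}")
        counts[op] = counts.get(op, 0) + (int(coeff) if coeff else 1)
    return counts

def cost_ms(expr):
    """Total time in ms for a cost expression."""
    return sum(n * TIMINGS_MS[op] for op, n in parse_cost(expr).items())

def remaining_ms(total_ms, expr):
    """Time left for the other party once one side's cost is subtracted."""
    return total_ms - cost_ms(expr)

def dominant_operation(expr):
    """Return (operation, share of total time) for the costliest operation."""
    counts = parse_cost(expr)
    op = max(counts, key=lambda o: counts[o] * TIMINGS_MS[o])
    return op, counts[op] * TIMINGS_MS[op] / cost_ms(expr)

if __name__ == "__main__":
    sm = "7T_h + 1T_d"        # smart meter cost stated in this section
    total = 0.0552            # ms; assumed here to be the total cost
    print(f"smart meter: {cost_ms(sm):.4f} ms")
    print(f"left for service provider: {remaining_ms(total, sm):.4f} ms")
    print(f"dominant operation: T_{dominant_operation(sm)[0]}")
    # One elliptic-curve point multiplication versus the whole protocol.
    print(f"T_m / total: {TIMINGS_MS['m'] / total:.1f}x")
```

Under these timings, a single point multiplication costs roughly 40 times the entire hash-and-symmetric-cipher exchange, which is the gap the comparison with the elliptic-curve protocols rests on.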

Communication Overhead Analysis
This subsection discusses the communication cost of the improved protocol. Suppose the hash function used in the improved protocol is SHA1 and the symmetric encryption algorithm is AES-128. The output of the hash function is 20 bytes (160 bits), the output length of AES-128 depends on the length of the plaintext input, and the random number is 128 bits long. Similarly, a point of the elliptic curve is assumed to be 40 bytes (320 bits).
Let $C_4$ denote the communication cost in the authentication and key agreement phase. Table 5 shows the communication cost including the improved protocol and others.
Table 5 shows that the communication costs of these protocols are relatively close, ranging from 200 bytes to 300 bytes. The new protocol has a communication cost of 236 bytes, which is a little higher than the original protocol [22]. However, it is still less than the communication cost of protocols [19][20][21][27]. In other words, this communication cost is acceptable in smart grids.
To sum up, the improved protocol obtains the strongest security against both the outsider attacker and the insider attacker, and is the only one obtaining all security properties. In terms of the computation efficiency and the communication efficiency, the improved protocol has low computational cost and communication cost compared with the lightweight schemes, and is thus very suitable for the smart grid with limited computing resources.

Conclusions
In this paper, we analyzed the security of Zhang et al.'s protocol [22] and showed that their protocol is not secure enough to prevent an impersonation attack by an insider attacker, since different SMs hold the same confidential information. To address the flaws, we proposed an improved protocol which allows SMs and SPs to authenticate each other and establish a session key securely. Moreover, we verified the security of the improved protocol using the ROR model. By conducting an informal security analysis, we demonstrated that the new protocol is secure against various attacks from both outsider and insider attackers. In terms of the computation cost and communication cost, the improved protocol has almost the same efficiency as Zhang et al.'s protocol, while providing enhanced security. Furthermore, the proposed protocol has a significantly lower computational cost compared to the other protocols, which is well suited to smart grid environments where smart meters are resource-constrained. The limitation of our protocol is that it is not suitable in general communication models, except wireless ones. In addition, our protocol has no significant advantage over existing schemes in terms of communication cost. We will consider these two limitations in our future work.