Lightweight Hash-Based Authentication Protocol for Smart Grids

Smart grids integrate information and communications technology into the processes of electricity production, transportation, and consumption, thereby enabling interactions between power suppliers and consumers to increase the efficiency of the power grid. To achieve this, smart meters (SMs) are installed in households or buildings to measure electricity usage and allow power suppliers or consumers to monitor and manage it in real time. However, SMs require a secure service to address malicious attacks during memory protection and communication processes and a lightweight communication protocol suitable for devices with computational and communication constraints. This paper proposes an authentication protocol based on a one-way hash function to address these issues. This protocol includes message authentication functions to address message tampering and uses a changing encryption key for secure communication during each transmission. The security and performance analysis of this protocol shows that it can address existing attacks and provides 105,281.67% better computational efficiency than previous methods.


Introduction
A smart grid (SG) is an advanced power-grid system that integrates information and communications technologies to enhance the efficiency and reliability of electricity production, transportation, and consumption [1].These systems enable intelligent demand management, the linkage of new and renewable energies, and electric vehicle charging through real-time information exchange between suppliers and consumers [2].As the sales of electric vehicles and power consumption increase significantly every year, SGs and related security issues have become more important [3].One of the key components of the SG is the deployment of smart meters (SMs) in households and buildings [4][5][6][7][8][9][10], which enable the real-time monitoring and management of electricity usage by both power suppliers and consumers.
Information monitored in real time is important for security [11].For example, if electricity usage is leaked outside, an attacker can determine whether a house is empty, and by analyzing this information, they can also determine the living patterns of the individual.This is an important personal privacy issue, as individuals may become involved in crimes or undesirable events against their will.In another example, problems may occur if electricity usage is falsified.Attackers may attempt to make financial gains by reducing their own usage; conversely, attackers may increase their usage and cause inconvenience to neighbors with whom they do not get along.
However, the security of SMs and their communication protocols is of paramount importance for preventing malicious attacks and ensuring the integrity and confidentiality of data.To address these security concerns, this paper introduces a hash-based lightweight authentication scheme specifically designed for SG environments.The proposed authentication scheme aims to provide a secure and efficient method for authenticating communication between SMs and power suppliers while considering the computational and communication constraints of these devices.
The primary objective of the authentication scheme is to ensure the following: • Secure memory protection: The scheme addresses the need for secure memory protection in SMs to safeguard against the unauthorized access and tampering of sensitive data stored within the devices.

•
Robust communication security: By employing a lightweight communication protocol, the scheme ensures secure communication between SMs and power suppliers, protecting against eavesdropping, message tampering, and replay attacks.• Efficient computational requirements: Recognizing the resource limitations of SMs, the proposed scheme aims to minimize the computational overhead, ensuring efficient authentication without compromising security.
We propose a scheme that satisfies these requirements.Our scheme is designed to provide secure memory protection and has been verified to satisfy ten security requirements, ensuring robust communication security.Our scheme is based on a one-way hash function and utilizes message authentication functions and changing encryption keys to satisfy efficient computational requirements.Through a comprehensive security and performance analysis, the proposed scheme demonstrates its effectiveness in addressing existing attacks and achieving better computational efficiency than previous studies.
The remainder of this paper is organized as follows: In Section 3, we present the hash functions of the system and attack models.The target scheme is introduced in Section 4. Section 5 describes the limitations of the proposed scheme.The proposed scheme is presented in Section 6.In Section 7, we provide formal and informal security analyses.In Section 8, we present a performance analysis of the proposed scheme, and in Section 9, we discuss the results.Finally, we conclude this paper in Section 10.

Related Work
In the field of SG security, several studies have proposed lightweight authentication schemes that address the unique challenges and requirements of SG environments.
In 2018, Mahomood et al. [4] proposed an authentication scheme based on elliptic curve cryptography (ECC) to satisfy the complex security requirements of SGs.In 2021, Sadhukhan et al. [6] introduced an ECC-based SG communication authentication scheme comprising a trusted authority, an SM, and a service provider.Sadhukhan et al. [6]'s scheme defends against impersonation attacks, which Mahomood et al. [4]'s scheme fails to protect against, and additionally satisfies, SM anonymity and data confidentiality.In 2021, Sureshkumar et al. [7] designed a scheme for the communication between service providers and SMs.However, Sureshkumar's method is vulnerable because it does not use a one-time pad key.Furthermore, in 2023, Hu et al. [5] pointed out that Mahomood et al. [4]'s scheme does not ensure user anonymity and is vulnerable to ephemeral secret leakage attacks, and hence proposed an authentication and key agreement scheme for SGs with enhanced security based on ECC.
Recently, several authentication schemes for SG environments that do not use ECC have been proposed.In 2020, Kaveh and Mosavi [8] introduced an authentication scheme for SG environments using a physically unclonable function to counteract attacks involving physical replication or damage.Recently, Tanveer and Alasmary [9] proposed an authentication scheme for SG environments using the new hash function "Esch256".In 2021, Aghapour et al. [10] proposed a fully lightweight two-way communication scheme for SG environments.Aghapour et al. [10] utilized only one-way hash functions and XOR operations for authentication between the participants, making their scheme the most lightweight one.However, in this study, we identified a critical vulnerability in Aghapour et al. [10]'s scheme.Their scheme enables the extraction of keys when data reports are inferred, and messages can be recovered based on the extracted key.

Preliminaries
In this section, the hash function, system model, and attack model are described.The details are as follows:

Hash Function
In this study, we adopt a hash function as an algorithm for verifying messages or for generating keys [12][13][14].Hash functions are widely known to have the following four main characteristics:

•
Compute a hash function efficiently: The calculation of the hash value by the hash function must be fast, regardless of the size of the input data.

•
Preimage resistance: For the hash function h(•), given y = h(x), it should be computationally infeasible to find x.

•
Second preimage resistance: For the hash function h(•), given x, it should be computationally infeasible to find another Collision resistance: For the hash function h(•), it should be computationally infeasible to find x 1 and x 2 , where Furthermore, recent studies have shown that widely used hash functions, such as MD4, MD5, SHA1, RIPEMD-160, SHA2-256, and SHA-512, are prone to issues, such as collision resistance, second preimage resistance, and no length extension, owing to advances in computational speed [15].Therefore, we assume that the hash function used in our scheme is the most recently developed and has yet to be found to be vulnerable: SHA3-256.

System Model
We proposed a scheme for communication between SMs and power supplier servers in an SG environment [16,17].The two nodes that participate in the communication possess a hierarchical communication model as illustrated in Figure 1.Smart grids provide bidirectional services; thus, automated communication occurs over public channels.If certain nodes provide incorrect status and situational information, the microgrid controlled by these nodes is at risk of being compromised [18].Furthermore, while current smart grids are easily deployable and modifiable, they must be carefully designed due to the various existing cyber threats they face [19].
Smart grids have long been subject to attacks worldwide.In 2009, a senior analyst at the US CID reported that Russian and Chinese cyber spies had penetrated the US power grid [20].In December 2016, Russia attacked Ukraine's energy grid, which resulted in opening the circuit breakers of Ukraine's energy grid and caused a power outage for about an hour [21].
Attacks on smart grids typically originate from the information sent from endpoint devices to common nodes such as neighborhood gateways.Attackers who infiltrate the smart grid network through these devices can then exploit vulnerabilities in the central control system to take over the smart grid.Subsequently, attackers may attempt attacks such as power shutdowns and personal data breaches through the control system, causing damage.To defend against such attacks, the FERC uses emergency orders and sanctions related to the cyber security of the power infrastructure [22], while NIST sets standards to ensure all systems in the smart grid are interoperable [23].
The details regarding the participating smart meters (SMs) and neighborhood gateways (NG) are as follows: • Smart meter (SM): An electronic device that measures the consumption of utilities, such as electricity, gas, and water, collecting data in real time.It communicates with the neighborhood gateway to transmit data reports.Users utilize SMs to monitor their energy usage.

•
Neighborhood gateway (NG): A neighborhood gateway is configured within a neighborhood area network and communicates regularly with dozens to hundreds of smart meters.For example, it could be installed in a commercial building's technical room, where it serves the role of transmitting data to a central energy management system, or it might be placed within a home to monitor the household's energy consumption.In the case of a residential gateway, it could be connected via Bluetooth, Zigbee, or Wi-Fi, and typically supports a capacity of 128 MB or more [24,25].At a minimum, the gateway must store the information from the smart meter until it can be sent to the cloud or the company.The neighborhood gateway enables smart meters to exchange information with the cloud or the company.It requests data from each SM and collects their data.The neighborhood gateway checks the confidentiality and integrity of the data collected from the SMs.

Attack Model
We propose a scheme based on the threat model suggested by Dolev-Yao [26,27].The main characteristics of the Dolev-Yao model [26] are as follows: • The attacker eavesdrops on all the transmission packets used in the public channel.

•
The attacker attempts to decrypt the eavesdropped transmission packets to obtain the values (data report, message, etc.) intended for transmission through communication.

•
The attacker attempts to alter the messages used in communication by performing a man-in-the-middle attack.

•
The attacker attempts a replay attack.
In this paper, we propose a scheme that defends against these attacks and demonstrate its resistance to them.

Review of Aghapour et al.'s Scheme [10]
In this section, we introduce the target scheme suggested by Aghapour et al. [10].Their scheme consists of an initialization phase and a secure communication phase.

Initialization Phase
In Aghapour et al. [10]'s scheme, at this stage, each j-th SM j registers its identity ID j with a neighborhood gateway (NG).NG then transmits an initial secret key value K j 0 to each SM over a secure channel.Subsequently, NG stores the pair of the SM identity and secret key (ID j , K j 0 ) in its database, and each SM SM j stores the initial secret key value K 0 j in its memory.

Secure Communication Phase
In the stage proposed by Aghapour et al. [10] , message authentication between the j-th SM SM j and NG occurs over a public channel.The details are as follows.

First Authentication 1.
NG generates the random number r j i for SM j .NG computes , where m j i is the i-th message for SM j , T NG is a timestamp of NG, and H(•) is a one-way hash function.NG sends a message SM j receives the message M 1 = {A j i , V j i , T NG , ID j } from NG, and computes (m If it fails to verify the message, SM j stops the protocol.If its verification succeeds, the authenticity of NG is verified by SM j , and the first authentication phase ends. , where D j i is the data report from the corresponding SM, and h(•) is a different hash function with H(•).SM j creates the new key , where T j is a timestamp of SM j .It replaces the old key K j i with K j i+1 .SM j makes the verification V NG receives the message M 2 = {E j i , V ′ j i , T j } from SM j and computes (h(r ), and if its verification succeeds, NG compares D j i with the existing format and stores K j i+1 in its database.

Limitations of Aghapour et al.'s Scheme [10]
We identified a critical vulnerability in the scheme proposed by Aghapour et al. [10] as previously described.In this section, we discuss the vulnerabilities identified in Aghapour et al. [10]'s scheme.The details are as follows:

Inferrability of the Data Report
We assume that the data report D j i can be inferred because it has a similar format.This is likely because the data report D j i , such as electricity usage, tends to be within a certain range of the actual values.

Inferrability of the Message
We can obtain the values of A j i and E j i using the values in M 1 and M 2 transmitted over the public channel.Using the obtained A j i and E j i values, we derive the following equation: = ((m Here, we assume that we can estimate D j i according to Section 5.1; thus, we obtain the value of r j i .In addition, we obtain h(r j i ) using r j i .Finally, we can derive the message m j i using the previously obtained r j i , h(r j i ), and D j i .

Extraction of the Secret Key
In Section 5.2, we obtained r j i , m j i , and D j i .Using these variables, we derived the secret key value K j i using A j i .This is derived as follows: (5)

Proposed Scheme
In this section, we propose enhanced hash-based authentication in SGs to address the vulnerabilities identified in Section 5.The notations used in this paper are explained in Table 1.The details are as follows: Timestamp for NG and SM j

Initialization Phase
In this phase, NG verifies the identity of each SM and assigns an initial secret key individually.The details are shown in Figure 2.

𝑁𝐺 𝑆𝑀 𝑗
The phase of registering the identity ID j of the smart meter SM j with the neighborhood gateway NG proposed in this study.

1.
We denote the j-th SM as SM j .At this time, SM j selects its own identity information.When the identity chosen by SM j is denoted as ID j , SM j transmits the ID j information to NG through a secure channel.

2.
NG receives the identity information of each SM through a secure channel.Assuming that it receives the identity ID j of the j-th SM, NG generates an initial secret key K j 0 for communication with SM j .NG then stores the pair ID j , K j 0 in its database.NG transmits the generated K j 0 to SM j through a secret channel, and SM j receives and stores the secret key K j 0 .

First Secure Communication Phase
In this phase, NG sends information to the j-th SM SM j through a public channel, protecting it from external leakage using hashing and concatenation operations.SM j checks the message received from NG and verifies its integrity.The details are presented in Figure 3.

1.
To securely send a message to SM j , NG generates a random number r j i and a timestamp T NG .To protect the message m j i from external leakage, NG performs the following operations: Upon receiving M 1 = {A j i , V j i , T NG , ID j } from NG, SM j checks if the timestamp T NG is within an appropriate range and performs the following operations to verify the message: (m to verify the integrity of the message.If the verification fails, the protocol is immediately halted.If the verification succeeds, the next phase proceeds.

Second Secure Communication Phase
In this phase, SM j protects and transmits its data report via a public channel to prevent external leakage.NG verifies the data report received from SM j and checks its integrity.The details are presented in Figure 4.

1.
To securely send the data report D j i to NG, SM j generates a timestamp T j and performs the following operations:

2.
Upon receiving i , T j } from SM j , NG checks if the timestamp T j is within an appropriate range and performs the following operations for verification NG compares D j i with existing reports, and if it matches the established format, it is accepted.

Security Analysis of the Proposed Scheme
In this section, we describe the formal and informal security analyses of the proposed scheme.The formal security analysis is conducted using ProVerif 2.05 [28], whereas the informal security analysis includes ten different analyses, including providing mutual authentication and resisting replay attacks.

Formal Security Analysis
In this section, we discuss the results of a formal analysis of our scheme conducted using ProVerif.The analysis using ProVerif demonstrates the results of verifying and analyzing the security of the proposed scheme as in several recent studies [29][30][31][32].
We define two types of channels: privateChannel and publicChannel.The reason for setting the publicChannel as private is discussed later when explaining the SM j and NG processes.The constants are set with the SM j ID and the NG unique value as N. Functions define XOR, concatenate, and two hash operations, and events for SM j and NG are defined for both the first and second authentication phases.The detailed information is provided in Table 2.
The initial and authentication phases of SM j and NG are listed in Tables 3 and 4. The initial phases of SM j and NG are transmitted through the privateChannel.Subsequently, the first authentication begins.However, the process of omitting the part where r is concatenated cannot be implemented using ProVerif.Therefore, to modify it such that NG sends r to SM j , the publicChannel is set to private to verify the formality.
We verify the results in Table 5 using the queries listed in Table 6.The results are as follows: • Query inj-event(EVENT) ==> inj-event(EVENT) is true.

•
Query not attacker(K) is true.

Informal Security Analysis
In this section, we present an informal verification of the proposed scheme.Table 7 shows a comparison with previous studies [5,7,10,33].We conducted ten informal verifications, and the details are as follows.

Provide Mutual Authentication
The proposed scheme verifies the integrity of the message received by SM j from NG during the first authentication phase and the integrity of the message received by NG from SM j during the second authentication phase.Therefore, the proposed scheme provides mutual authentication.

Resist Replay Attack
In the proposed scheme, the decision to proceed with the subsequent operations is based on verifying the timestamps T NG and T j transmitted during the first and second authentication phases, respectively.Therefore, the proposed scheme is resistant to replay attacks.

Resist Smart Meter Impersonation Attack
For an attacker to impersonate SM j , they must be able to deceive NG into passing the V ′ j i verification during the second authentication phase.To do this, the attacker must obtain the information necessary to generate V ′ j i , which includes m j i , r j i , and K j i+1 .The information required to generate K j i+1 includes r j i and K j i .As the attacker cannot calculate these values from the information A j i and V j i available through the public channel, the attacker cannot impersonate SM j .

Resist Extraction of the Secret Key
The only way for an attacker to obtain K j i is by already knowing m j i and r j i , and then performing the operation ((m or by intercepting it from the private channel.Assuming that interception from the private channel is not possible and because m j i and r j i are neither directly disclosed nor calculated, an attacker cannot obtain K j i in our scheme.

Resist Inferrability of the Message
The message m j i is extracted by performing an XOR operation between A j i and K j i .However, as there is no way for an attacker to obtain K j i , messages cannot be inferred in our scheme.

Resist Message Altering
In our scheme, message m j i and data report D j i are included in the information contained in A j i and E j i , respectively.To verify the integrity of each message m j i and data report D j i , ensuring they have not been altered, V j i and V ′ j i are used for verification.Therefore, if an attacker arbitrarily changes the message to create A j i and E j i and attempts to extract the message, it will not pass the verification.Each message and data report can only be verified with the encryption key K j i ; however, as K j i cannot be extracted by the attacker, the attacker cannot verify the message and data report.Therefore, the proposed scheme resists message alterations.

Resist Injection Attack
In the authentication phases, as message m j i and data report D j i to be transmitted contain the verification variables V j i and V ′ j i , it is impossible to perform a data injection attack on the original message and data report.This prevents SQL injections, cross-site scripting, code injections, and other related attacks from becoming feasible.

Provide forward Secrecy
Our scheme employs a method for hashing values that include K ), which makes it impossible to deduce the value of K j i because of the one-way nature of the hash function.Thus, the proposed scheme provides forward secrecy.7.2.9.Provide One-Time Pad Key Our scheme employs a method for hashing values that include K j i to generate the new key K j i+1 .Thus, the proposed scheme provides a one-time pad key.

Resist Man-in-the-Middle Attack
In the scenario where an attacker accesses the public channel used during the first and second authentication phases of our scheme to carry out a man-in-the-middle attack, the only information they can obtain are These values include the smart meter's identity information and timestamps T NG and T j , but among the i values are hashed and therefore unusable.Even if the attacker can see the A j i or E j i values, without knowing the session key, which changes with each session, they cannot recreate these values.Therefore, a man-in-the-middle attack is not feasible.

Performance Analysis of the Proposed Scheme
In this section, we compare the performance of our paper with related studies.Performance analysis was conducted in the environment of Table 8.The time taken for a hash algorithm was measured as 0.012 ms for symmetric key encryption, decryption was 0.19 ms, and for scalar multiplication in the field, it was 28.03 ms.The computational overhead of the authentication phases for our scheme and related studies [5,7,10,33] is presented in Table 9.We compute the performance of our scheme in the environment of Table 8 using five hash functions, resulting in a total computational load of 5T h for the neighborhood gateway and 5T h for the smart meter, totaling 10T h = 0.12 ms.According to our find-ings, Hu et al. [5]'s scheme requires the neighborhood gateway to perform four field multiplications (4T m ) and use 5T h .The smart meter operates at 4T m + 5T h , totaling 8T m + 10T h = 224.36ms.In Garg et al. [33]'s scheme, the neighborhood gateway performs three field multiplications (T m ), four hash function operations (T h ), and one symmetric key encryption (T e ).Additionally, Garg et al.'s smart meter computes at 3T m + 4T h + 1T e , totaling 6T m + 8T h + 2T e = 168.656ms.Similarly, Sureshkumar et al. [7]'s scheme calculates the neighborhood gateway at 3T m + 6T h , and the smart meter at 1T m + 4T h , totaling 4T m + 10T h = 112.24ms.Furthermore, we confirmed that the vulnerable scheme by Aghapour et al. [10] involves 4T h for both the neighborhood gateway and the smart meter, resulting in a total of 8T h = 0.096 ms.

Discussion of Performance
Based on Section 8, we quantify and compare how much better our performance is.The formula we use is as follows: (t 1 − t 2 )/t 2 (6) According to Formula (6), our scheme demonstrates superior performance by 186,966.67%,140,546.67%,93,533.33%and 80.00% compared to Hu et al. [5]'s, Garg et al. [33]'s scheme, Sureshkumar et al. [7]'s scheme and Aghapour et al. [10] scheme.In contrast to other studies [5,7,10,33] which primarily utilize public key or symmetric key cryptography, our scheme mainly uses hash operations to construct lightweight protocols.
According to Table 7, which compares the security aspects of our scheme against others, we found that our scheme performs about 20% worse than Aghapour et al. [10]'s scheme in terms of efficiency.However, our scheme is significantly safer than the proposal by Aghapour et al. [10].We have developed a scheme that provides a one-time pad key, which Sureshkumar et al. [7]'s scheme failed to do.Moreover, our scheme outperforms the average of the four schemes, including those by Garg et al. [33] and Hu et al. [5], by approximately 105,281.67%.

Conclusions
In this paper, we proposed a lightweight authentication scheme for SG environments.Our scheme minimizes computational requirements by using only hash functions and XOR operations, and provides security against ten protocol vulnerabilities that previous studies failed to defend, including the extraction of secret keys and the inferrability of the message.We demonstrate that our scheme satisfies the security requirements using ProVerif, a formal verification tool.Moreover, in terms of performance, our scheme shows a superior computational speed of 105,281.67%compared with other schemes.

Figure 1 .
Figure 1.A system model where the smart meter and neighborhood gateway communicate with other neighborhoods' edge nodes over the internet.

Table 1 .
Notations used in this paper.
the verification is successful, K The second authentication phase between smart meter SM j and neighborhood gateway NG proposed in this study.

Table 7 .
Comparison of security features.