An Anonymous Authentication and Key Establish Scheme for Smart Grid : FAuth

The smart meters in electricity grids enable fine-grained consumption monitoring. Thus, suppliers could adjust their tariffs. However, as smart meters are deployed within the smart grid field, authentication and key establishment between smart grid parties (smart meters, aggregators, and servers) become an urgency. Besides, as privacy is becoming a big concern for smart meters, smart grid parties are reluctant to leak their real identities during the authentication phase. In this paper, we analyze the recent authentication schemes in smart grids and other applied fields, and propose an anonymous authentication and key establishment scheme between smart grid parties: FAuth. The proposed scheme is based on bilinear maps and the computational Diffie–Hellman problem. We changed the way the smart meter parties registered at Key Generation Center, making the proposed scheme robust against various potential attacks that could be launched by the Key Generation Center, as the scheme could avoid the private key of the smart meter parties from leaking to the Key Generation Center. Besides, the proposed scheme reduced the computational load, both at the smart meter side and at the aggregator side, which make it perfectly suitable for computation-constrained devices. Security proof results show the proposed scheme is secure under the BAN logic and random oracle model.


Introduction
The internet of things is now applied into many parts of our daily life.Smart meters are one of these.The European Commission has formulated the goal to provide 80% of all households with smart electricity meters by the year 2020 [1].As a smart meter can report its measurements periodically to the utility supplier instantaneously, the utility supplier can dynamically change the supplement according to the reported data.With more and more smart meters applied, authentication and key establishment have become an important issue in the smart grid area.According to Sanjab et al. (2016) [2], "a robust authentication protocol is needed while communicating between smart grid parties."According to the Report on Workshop on Security & Privacy in IoT of Europe (2016) [3], "identification and authentication of end-devices, gateways and servers as very first requirement."is considered to help manage scalability, evolutivity and risk assessment of the overall IoT system.Authentication enables the parties in the smart grid to authenticate each other and establish a shared key.But as privacy becomes a concern, people start trying to find ways that smart grid parties could authenticate each other without leaking their identity to adversaries.
First, as a smart meter is installed beside the house of inhabitants, as stated in [4], "this malicious attacker might be able to forge sensed data such as the amount of electricity usage at this house before sending these forged data back to the corresponding service server."Passive attacks are easily launched by an attacker, such as eavesdrop attack, and some other attacks launched by the attackers.Authentication and encryption methods should be applied in this scenario.
Second, electricity usage naturally includes personal information of the inhabitants, according to the electricity consumption, it is easy to judge if inhabitants are at home or not, and with fine-grained electricity consumption reporting instantly, privacy-sensitive information, regarding which appliances are active, can be obtained.Also, by data mining or static methods, according to the electricity consumption, the status and income of the inhabitants may be revealed, so anonymous authentication is needed; in FAuth, the identity of the smart meter is encrypted before sending.
Third, as smart meters have constrained computability compared to aggregators, it is necessary to try to lower the computation cost at the smart meter side; in FAuth, the computation cost at the smart meter side is the lowest compared to other schemes.
So, in this paper, we proposed an anonymous authentication scheme based on bilinear maps and the computational Diffie-Hellman problem: FAuth, which totally meets the above three requirements as stated.The contributions of this paper include the following three points: 1.
We changed the way smart meter parties register at the Key Generation Center, detailed in Section 6.3, and prevent the Key Generation Center from knowing the private key of the smart grid parties.Thus, some security problems are prevented, detailed in Section 8.

2.
Based on the methods of Tsai-Lo [4] and Odelu [5], we proposed FAuth, and the comparison results show that the proposed scheme greatly reduced the computation costs of smart grid parties at the authentication phase.

3.
Security analyses of BAN logic and random oracle model are conducted to show that the proposed scheme is safe.
This paper is organized as follows: We discuss the related works in Section 2. Some preliminary knowledge is described in Section 3. A review of Odelu's scheme is presented in Section 4. The security limitations of Odelu's scheme are discussed at Section 5.The scheme: FAuth is proposed in Section 6.We conduct two separate security analyses using BAN logic and random oracle model in Sections 7 and 8.We provide a comparison with the related schemes in Section 9. A brief introduction of the I3RES Project is given in Section 10.We conclude the paper with a summary of the contributions in Section 11.

Related Work
Tsai-Lo and Nai-Wei Lo proposed an authentication scheme based on bilinear map, and the computational Diffie-Hellman problem [4].The advantage of their scheme is that a smart meter can be quickly authenticated without involving the trust anchor because of the two identity based cryptosystems.Odelu et al. (2016) provide a scheme with security functionalities, including strong credentials' privacy and SK-security under the CK-adversary model [5].Their scheme provided a variety of security functionalities, and reduced computational costs for both the smart meter and service provider.Xia and Wang proposed a key distribution scheme for smart grid network [6].They used a trusted third party which can conduct key revocation, and the third party can be easily duplicated in case power outages occur.Jo et al. (2016) proposed efficient and privacy-preserving protocols for a smart grid in [7].The proposed protocols were shown to be robust against attacks of data collection unit (DCU) compromise attacks.Further, in their protocol, the response of messages were more efficient by the adoption of the distributed verification method.Zhang et al. (2017) proposed a new, efficient, certificate-less, generalized signcryption (CLGSC) scheme, and a lightweight and robust security-aware (LRSA) D2D-assist data transmission protocol that was proposed based on CLGSC [8].Their security analysis demonstrated that the LRSA protocol can achieve data confidentiality and integrity, mutual authentication, contextual privacy, anonymity, and so on.Their experimental results show that the LRSA protocol outperforms the existing schemes in terms Energies 2017, 10, 1354 3 of 23 of computational and communication overhead.Liu et al. (2014) proposed a certificate-less signature scheme based on bilinear pairings [9].And based on this scheme, they proposed two certificate-less remote anonymous schemes for wireless body area networks.A client could anonymously be authenticated and establish a key with the application provider.He et al. (2016) provided an improved scheme where the application provider does not have to store any information for the authenticating users [10].Li et al. (2013) also proposed an authentication scheme based on bilinear pairings [11].Tsai-Lo and Lo proposed a new anonymous authentication scheme based on nonce and bilinear pairing [12], which supports mutual authentication, key exchange, user anonymity, and user untraceability.It is claimed that their scheme withstands all major security threats and meets general security requirements.In addition, no verification table is required to be implemented at service providers or the trusted SCG service.He et al. (2017) proposed a data aggregation scheme [13] that can thwart internal attacks for the smart grid environment.They claimed their scheme is provably secure and can meet the security requirements, and incurs lower communication costs.
H. Xiong briefly described the work of [9] in [14], and according to their opinion, certificate managements, scalability, and forward security are the three parts that can be improved in the scheme of the work of [9].In his scheme, only registered users can authenticate each other and build a shared key, besides, this shared key is only known by the two registered users and the network manager would not know this shared key.Also, according to the public information transmitted between the two users, an adversary is unable to learn this shared key.However, in this scheme, the server does not check the validity of incoming users.Li and J. Hong proposed a modified BDCPS scheme [15], which is an efficient certificate-less access control for wireless body area networks.In this scheme, every user first generates a public key pair (x U , y U = g x U ), and then registers at a key generating center (KGC), to get a partial private key D U = 1 H 2 (y U ,ID U )+S P.After the user gets this partial private key, he can generate his public key pair (y U , h U , T U ).As only registered user could generate this public key pair, this public key pair can be used as a measure to test if a user is legal or not, as only the public key is transferred, so the identity of the user is hidden.Liu et al. (2016) proposed an authentication scheme [16] which could well protect the identity and privacy of the user, while the scheme is very cost-effective compared to [9].Islam and Khan proposed a partial public key method [17], where a user registers at the server several times in order to get more than one authentication keys, then the user uses different keys for authentication to achieve anonymity.He et al. (2015) applied the partial key concept to the vehicular ad hoc networks, and proposed an efficient identity-based privacy preserving authentication scheme, and their scheme enables batch verification of multiple messages [18].Further, they applied a similar method into public auditing in cloud-based body area networks in [19], by D. He, S. Zeadally, and L. Wu.
Porambage et al. (2014) proposed a pervasive authentication protocol and key establishment scheme [20], their scheme is also based on a partial public key method.But in their scheme, Cert U is a fixed value, so the user in this scheme could be tracked by Cert U .The registration phase of FAuth is similar to those of [13,20].Zhang et al. (2014) proposed a scheme based on ECC public key infrastructure [21], but they do not take into account the anonymity of the user, as the user names are sent directly.In [22], Tu et al. (2015) improved the scheme [21], but the username is sent without processing, too.Odelu et al. (2015) [23] proposed an authentication scheme between two users, with the help of a server node, the scheme is also based on a partial public key by elliptic curve cryptography (ECC).They also proposed a similar authentication scheme between two users, but their scheme does not need there to be a trusted server to help the two users to finish the authentication process, as the scheme uses the ECC based El-Gammal type signature [24].
The scheme in [25] is the first one that defines a formal model to capture the feature of user untraceability, and that highlights the damaging threat of de-synchronization attacks on privacy-preserving two-factor authentication schemes.The schemes in [26][27][28][29], and [30] use elliptic curve cryptography (ECC) to generate a shared key with the server.The scheme in [30] suffers from impersonation attacks in the registration phase, offline password guessing attacks in the login phase, and offline password guessing attacks in the password change phase.The schemes in [31,32] provide a lightweight scheme based on ECC, but they do not protect the privacy of the user, since the user names are sent transparently.Huang et al. (2015) provides an ECC-based authentication scheme between user and server [33], while their scheme is found to be vulnerable to inner side impersonate attacks by [34] by Chaudhry et al. (2016).Li et al. (2015) [35] provide an authentication between user and cloud server, as they use a symmetric key as a way of authentication, and an asymmetric key to establish the shared key, but the U ID i of a user is transferred transparently, so a user could be tracked.The method in [11] is similar to [35], only their shared key is based on a symmetric key, and the scheme in [11] suffers from inner side user attacks, as they shared a same key.Jiang et al. (2016) built their scheme based on the knowledge of chaotic maps [27].
The proposed scheme: FAuth is an improvement of the schemes of [4,5,36], which specially focused on the smart meter authentication problem.The second scheme of [36] could not provide smart meter anonymity at the authentication phase, and suffers from "unknown key share attacks" according to [4].According to [5], scheme [4] fails to protect the smart secret credentials if the ephemeral secret is revealed as an adversary.The registration manner of smart meters and aggregators in the proposed scheme are changed to provide better security endurance, compared to [5]; besides, a detailed computation of computation and communication costs were conducted, and all the results show the proposed scheme is more suitable for smart grid environments.

Preliminary
In this section, an introduction to basic knowledge bilinear maps and the computational Diffie-Hellman problem is introduced.

Bilinear Map
Central to pairing-based cryptosystems is a bilinear nondegenerate map, originally given as e : G 1 × G 1 → G 2 , where G 1 , G 2 are both cyclic groups of prime order q, and the discrete log problem is hard in G 1 .G 1 is a cyclic additive group, and G 2 is a cyclic multiplicative group.Bilinear maps have the following properties:

Review of Odelu's Scheme
In this section, the authentication scheme proposed by Vanga Odelu, Ashok Kumar Das, Mohammad Wazid, and Mauro Conti for smart grids is evaluated.Some notions used in their scheme are listed in Table 1.Private and public key pair of KGC; R x = k x •P (S j , Id j ) jth service provider and its identity (k j , K j ) The public key pair of S j : ith smart meter and its identity x is randomly picked from a set X || String connection symbol

Setup Phase of Odelu's Scheme
In this phase, KGC, which is a trust key generation center, sets up the parameters using the following steps: Step 1 KGC chooses bilinear map groups (G 1 , G 2 ) with a prime order, q, and generators P ∈ G 1 , and g = e(P, P) ∈ G 2 , where e : Step 2 KGC chooses the cryptographic one way hash functions q , and H 5 : {0, 1} * × G 2 → Z * q , where m = n + w, and w is a constant and it is also fixed during the setup phase as in [37], which is based on the input length of an encryption algorithm used in our authentication and key agreement phase.Note that in their proposed scheme, w is calculated such that n + w = 2|q| + |G 1 | bits, where |X| denotes the bit length of string X.
Step 3 KGC then chooses its master private key k x ← R X * q and computes the corresponding public key R x = k x •P ∈ G 1 .

Smart Meter Registration of Their Scheme
First, we have to make it clear that the registration phase is under a secure channel.Suppose a smart meter M i wants to register with the KGC.M i sends its identity, Id i , to KGC via secure channel.After receiving the identity Id i , KGC conducts the following steps: 1.
Selects a random number Computes When smart meter M i receives (k i , R m ), it stores them in the tamper-proof module.The whole process is depicted in Table 2.When smart meter gets the data { , }, will do the following steps to authenticate this message.

6.
computes the shared key using its private key :

Smart Meter
Aggregator ( , ) ( , ) Energies 2017, 10, 1354 10 of 21 When aggregator receives the data { , , , } from a smart meter, , will conduct the following steps to authenticate the meter : 1. Checks the freshness of the , if is not fresh, abandons the message.
6. Chooses a random number ← * .When smart meter gets the data { , }, will do the following steps to authenticate this message.

6.
computes the shared key using its private key : , accepts the key .Now the smart meter , and aggregator , have authenticated each other and build a shared key.The whole process is depicted in Table 8.

Service Provider Registration of Their Scheme
When a service provider S j wants to join the system, it has to first register at KGC. S j sends its identity, Id j , to KGC.After receiving the identity Id j , KGC calculates the private key K j = 1 k x + H 1 ( Id j ) •P, and sends K j to S j .When smart meter S j receives K j , it computes k j = H 5 Id j , K j , and stores k j , K j into the tamper-proof module.The whole process is depicted in Table 3.
Table 3. Registration phase of service provider in Odelu's scheme.
Service Provider S j KGC Sends Id j to TA Id j 6. computes the shared key using its private key :

Smart Meter
Aggregator ( , ) ( , ) Both agree on session key each other and build a shared key.The whole process is depicted in Table 8.
Table 8.Request and authentication phase of the proposed scheme.

Smart Meter Aggregator
random numbers Both agree on session key

Authentication and Key Establishment Phase of Their Scheme
In the authentication phase of their scheme, smart meter M i and service provider S j could authenticate each other without the help of KGC.

1.
M i chooses two random numbers x 1 , n 1 ← R Z * q , and then computes

2.
Upon receiving the message {T 1 , C 1 , A 1 } from M i , S j derives g 1 = e(T 1 , K j ), using its own private key K j .Then, it computes ; if it does not hold, S j terminates the session, otherwise, S j chooses a random number x 2 ← R X * q and computes g 2 = e((x 2 + k j )P, ) and A 2 = H 3 (sk||g 2 ||Id j ||Id i ||n 1 ||g 1 ), and S j then sends Message2 = {g 2 , A 2 } to M i .

3.
After receiving {g 2 , A 2 } from S j , M i computes the session key sk = H 4 (g . If it does not hold, M i terminates the session.Otherwise, M i authenticates S j as a valid target server, and sets sk as the session key.M i then computes It this does not hold, S j terminates the session.Otherwise, S j confirms that M i is a legitimate registered smart meter, and agrees with the session key sk.
Now both S j and M i agree on the shared key, sk, and the information flow is depicted in the following Table 4.

Smart Meter
Aggregator ( , ) ( , ) When smart meter gets the data { , }, will do the following steps to authenticate this message.

6.
computes the shared key using its private key :

Both agree on session key
Both agree on session key sk

Security Limitations of Odelu's Scheme
In the registration phase of Odelu's scheme, the private key of the smart meter which is generated by KGC, so KGC knows this private key of the smart meter M i .It is the same with the private key of the service provider S j .So as KGC knows the private keys of the smart meter parties, although KGC is trust worthy, a curious KGC can launch various attacks.

Impersonate Attack by KGC
It is obviously that with the private key of smart meters or service provider S j , KGC could easily impersonate as a smart meter M i or a service provider S j .

Tracked by KGC
Besides, the private key of the smart meter M i and the service provider S j are all known by KGC.This means in the authentication phase, the smart meter M i could be tracked by KGC.For a smart meter, it would send {T 1 , C 1 , A 1 } to a service provider S j , and KGC has the private key of S j , so KGC could decrypt C 1 to get the identity of M i , which is Id i .In this way, smart meter M i could tracked by KGC.

The Proposed Authentication Protocol for Smart Grid
In this section, an introduction of the structure of the system was given, and then we propose FAuth.A detailed description of the registration phase and the authentication phase is given in this section.

Structure of the Scheme
The model is depicted in Figure 1.The structure is divided into three layers, the first layer is the server layer, the second layer is the aggregator layer, and the third layer is the smart meter layer, the smart meters report their reading to the aggregator, the aggregator adds all the smart meters' reading in its range and reports that to the server.
tracked by .

The Proposed Authentication Protocol for Smart Grid
In this section, an introduction of the structure of the system was given, and then we propose FAuth.A detailed description of the registration phase and the authentication phase is given in this section.

Structure of the Scheme
The model is depicted in Figure 1.The structure is divided into three layers, the first layer is the server layer, the second layer is the aggregator layer, and the third layer is the smart meter layer, the smart meters report their reading to the aggregator, the aggregator adds all the smart meters' reading in its range and reports that to the server.In order for the smart meters and aggregators to authenticate each other, we introduce a Key Generation Center, which works like the Trusted Anchor in [5], which is in charge of the registration of the smart meter and the aggregators.
The abstract structure is depicted in Figure 2. The Key Generation Center is in charge of the key generation for the smart meter parties, the smart meters, and the aggregators, and the server has to register to the KGC before they enter the network.

1.
All the members of the scheme, i.e., server, smart meter, and aggregator, have to register at KGC to get their public key pairs.2.
The aggregator and smart meters have to authenticate each other and build a shared key for the smart meters to report their reading to the aggregator.The same process happens between the aggregator and the server.In this paper, we only analyze the first part, because the mutual authentication process between the aggregator and the server is the same.
Energies 2017, 10, 1354 8 of 21 In order for the smart meters and aggregators to authenticate each other, we introduce a Key Generation Center, which works like the Trusted Anchor in [5], which is in charge of the registration of the smart meter and the aggregators.
The abstract structure is depicted in Figure 2. The Key Generation Center is in charge of the key generation for the smart meter parties, the smart meters, and the aggregators, and the server has to register to the KGC before they enter the network.
1.All the members of the scheme, i.e., server, smart meter, and aggregator, have to register at KGC to get their public key pairs.2. The aggregator and smart meters have to authenticate each other and build a shared key for the smart meters to report their reading to the aggregator.The same process happens between the aggregator and the server.In this paper, we only analyze the first part, because the mutual authentication process between the aggregator and the server is the same.The proposed scheme is an anonymous mutual authentication scheme between the smart meter and the aggregator, or the aggregator and the server, and by the proposed scheme, the two parties could build a shared key for farther communication.

Setup of the Scheme
The setup phase in the proposed scheme is the same as that in [5], as we have discussed in 4.1.generates its public key pair ( , ) and sends these parameters to all the members of the scheme.The symbols we will use in the next section are summarized in Table 5.

Symbols Description Key Generation Center
The jth aggregator The proposed scheme is an anonymous mutual authentication scheme between the smart meter and the aggregator, or the aggregator and the server, and by the proposed scheme, the two parties could build a shared key for farther communication.

Setup of the Scheme
The setup phase in the proposed scheme is the same as that in [5], as we have discussed in 4.1.KGC generates its public key pair (k x , R x ) and sends these parameters to all the members of the scheme.The symbols we will use in the next section are summarized in Table 5.

Key Generation Center AG j
The jth aggregator M i The ith smart meter Id x KGC's identity Id i The ith smart meter's identity Id j The jth aggregator's identity (k x , R x ) The private key and public key of KGC (k j , R j ) The private key and public key of Aggregator (k i , R i ) The private key and public key of Smart meter Hash function || String connection symbol

Registration Phase of Smart Meter
The registration phase of M i in the proposed scheme is similar to that of the scheme [20], as depicts in Table 6.When a smart meter wants to join, it has to register first.A smart meter with identity Id i first generates a random number k u ← R X * q , R u = k u •P.Then, M i sends the registration request {Id i , R u } to KGC, and KGC generates a random number, k n ← R X * q , and calculates Then, KGC sends {e i , s i , R n } back to the smart meter.The smart meter calculates its own private Now the registration phase of the smart meter is finished, and the private key of the smart meter is only known by the smart meter itself.

Smart Meter M i KGC
Energies 2017, 10, 1354 10 of 21 When aggregator receives the data { , , , } from a smart meter, , will conduct the following steps to authenticate the meter : 1. Checks the freshness of the , if is not fresh, abandons the message.

Checks if = ( || || ||
); if they are not equal, aborts here.When smart meter gets the data { , }, will do the following steps to authenticate this message.

6.
computes the shared key using its private key :

Smart Meter
Aggregator ( , ) ( , ) When smart meter gets the data { , }, will do the following steps to authenticate this message.

6.
computes the shared key using its private key :

Registration Phase of Aggregator
The registration phase of an aggregator, AG j , is the same as with the smart meter M i , the process is depicts in Table 7. Finally, an aggregator will get a public key pair: private key k j = s j + e j •k c = e j •k m + e j •k c + k x , and public key R j = e j •R jm + R x .

Both agree on session key
Both agree on session key Stores k j , R jm , R j

Request and Authentication Phase
Smart meter, M i , with identity, Id i , first has to perform the following steps to be anonymously authenticated by an aggregator.Only after mutual authentication, can the smart meter then report its reading to the aggregator.

1.
Smart meter, M i , with identity, Id i , chooses a random number x 1 ← R X * q , and calculates

2.
Using the hashed value of g 1 to encrypt its identity, Id i , and R in : Gets the timestamp TS 1 .
When aggregator AG j receives the data {T 1 , C 1 , A 1 , TS 1 } from a smart meter, M i , AG j will conduct the following steps to authenticate the meter M i : 1.
Checks the freshness of the TS 1 , if TS 1 is not fresh, AG j abandons the message.

3.
Decrypts if they are not equal, aborts here.

5.
Calculates the public key of M i : Chooses a random number x 2 ← R X * q .7. Calculates Calculates When smart meter M i gets the data {T 3 , A 2 }, M i will do the following steps to authenticate this message.

6.
M i computes the shared key using its private key Sends Message 3 = {A 3 } to AG j .
When aggregator AG j gets the data {A 3 }, AG j will check if A 3 = H 3 sk||Id i ||g 1 ||T 3 ||Id j ; if they are equal, AG j , accepts the key sk.Now the smart meter M i , and aggregator AG j , have authenticated each other and build a shared key.The whole process is depicted in Table 8.
Table 8.Request and authentication phase of the proposed scheme.

Smart Meter M i
Aggregator AG j When smart meter gets the data { , }, will do the following steps to authenticate this message.

6.
computes the shared key using its private key :

Smart Meter
Aggregator ( , ) ( , ) Both agree on session key When smart meter gets the data { , }, will do the following steps to authenticate this message.

6.
computes the shared key using its private key :

Both agree on session key
Energies 2017, 10, 1354 10 of 21 When aggregator receives the data { , , , } from a smart meter, , will conduct the following steps to authenticate the meter : 1. Checks the freshness of the , if is not fresh, abandons the message.

Calculates
= ( , ) / using its private key .When smart meter gets the data { , }, will do the following steps to authenticate this message.

6.
computes the shared key using its private key : , accepts the key .Now the smart meter , and aggregator , have authenticated each other and build a shared key.The whole process is depicted in Table 8.

Both agree on session key
Both agree on session key sk

Security Analysis Using BAN Logic
A security analysis of the proposed scheme by using Burrows-Abadi-Needham logic (BAN logic) [38] was conducted.With the help of BAN logic, we can determine whether the exchanged information is trustworthy, and secured against eavesdropping.Now we are going to give a brief overview of the BAN logic.First some symbols used in the BAN logic are described in the Table 9, and some primary BAN logic postulates are given in Table 10.We suppose there are only two entities, smart meter M i , and aggregator AG j , in the scheme.

Symbol Meaning
P|≡X P believes X P X P sees/receives X P|∼X P once said X (or P sent X) P|⇒X P controls X #(X) X is fresh the message X is encrypted by private key K

|∼ introduction rule
Jurisdiction or control rule

Elimination of multipart messages rule
Freshness rule

The Goal of the Proposed Scheme
The goals of the proposed scheme in BAN logic are depicted in the following, and these goals could ensure M i and AG j agree on the shared key, sk, between them.

. Idealization of the Message
The messages of the proposed scheme, in idealized form in terms of the messages exchanged, is given in Table 11.
Table 11.The idealized form of the messages.

Message Flow
Idealization Form
In order to prove Theorem 1, we introduce four games, G i , and the first game represents the real attack, Succ i is the event that in Game G i the adversary correctly guesses the result of the Test (ζ).
Game G 0 : This game simulates the real scheme under random oracle, according to sematic security, and it is clear that: This game simulates all the oracles, L H stores all the answers to hash queries, if the hash query is asked by adersary, then the answer is sotred in L A , and L P stores the transcripts of all the messages, all oracles are demonstrated in in Tables 12 and 13, and an adversary is unable to distinguish between the two games: Table 12.Simulation of send queries.

Simulation of Send Queries
For a Send (M i , init) query, the simulator does the following steps:

and Calculates
Returns M1 ={ T 1 , C 1 , A 1 , TS 1 } as the answer For a Send (M i , AG j , M1) query, the simulator does the following steps: Computes g 1 = e(T 1 , P) 1/k j , and check if A 1 = H 3 (T 1 ||Id i ||R in ||TS 1 ), if they are not equal, terminates here.

as the answer
For a Send (AG j , M i , M2) query, the simulator does the following steps: Returns M3 ={ A 3 } as the answer For a Send (M i , AG j , M3) query, the simulator does the following steps: AG j will check if A 3 = H 3 (sk||Id i ||g 1 ||T 3 ||Id j ), if they are equal, then the two parties built the shared key.
Table 13.Simulation of other queries.

Simulation of Other Queries
For a Hash(i, s, ω) query, which i = 1, 2, 3, 4, 5, if the record (i, s, ω) is found in L H , return ω as result.Otherwise, chooses a random string from {0, 1} l and add the record (i, s, ω) to L H .If this query is asked by adversary, A, then the record is added to L A .
For a Execute(AG j , M i ) query, it proceeds with the Send queries successively, and outputs the matching transcripts.
For a Corrupt (ζ) query, the simulator returns private key owned by entity ζ.
For a RevealSession (ζ) query, the simulator returns session state information For a RevealSK (ζ) query, the simulator returns session key sk, if ζ has formed an session key and the instance ζ has not been aksed by a Test query, otherwise, null is returned.
For a Test (ζ) query, first obtains the shared key from a RevealSK (ζ) query, and then flips a coin b, if b = 1, returns the shared key, otherwise returns an random string from {0, 1} l .
The difference lemma was imported from [39,40] for the formal security proof.
Game G 2 : This game simulates all the oracles in Game G 1 , but two kinds of collisions are trying to be avoided here, and the results are obtained by the birthday paradox: 1.
Random numbers of x 1 and x 2 should be different in different sessions, and the probability is bounded by: O((q s +q e ) 2 ) 2(q−1) .

2.
The probability of a hash result collision is bounded by , where l is the length of a result of a hash function.
These two kinds of collisions should be avoided, so the two games differ by: Game G 3 : This game simulates the situation where an adversary may guess the result of a hash function A 1 , A 2 and A 3 without asking the random oracle.
For a Send (M i , AG j , M1) query, AG j has to check if M1 belongs to the transcripts, and check if A 1 ∈ L A ; if either of them fails, AG j terminates the session, the probability is bounded by O(q s ) 2 l ; for the checking of if H 2 (g 1 ) ∈ L A , and the probability is bounded by O(q h ) 2 l , so for a Send (M i , AG j , M1) query, the probability is bounded by . For a Send (AG j , M i , M2) or Send (M i , AG j , M3) query, the probability is bounded by , too.This game and the previous one are indistinguishable unless the smart meter and aggregator reject valid authentication information: Game G 4 : The CDH problem is brought in this game.In order to win the game, A should ask the query H 4 and broke the CDH problem; the adversary's goal is to compute the session key by asking Execute (AG j , M i ) query and the corresponding hash query, and the adversary can also get the transcripts.The proposed scheme fits the SK-security [5] in the following four cases.Case 1 RevealSession (M i ) and RevealSession (AG j ): Adversary can get the session state information x 1 , g 1 Case 2 RevealSession (M i ) and Corrupt (AG j ): Adversary can get the session state information x 1 , g 1 = g (x 1 +k i ) , T 1 = (x 1 + k i )•a•P of M i , the private key k j for the matching instance AG j without session information.Case 3 Corrupt (M i ) and RevealSession (AG j ): Adversary can get the private key {k i } of M i , but could not get the session information of M i , and can get x 2 , T 3 = x 2 + k j •b•P for the matching instance AG j .Case 4 Corrupt (M i ) and Corrupt (AG j ): Adversary can get the private key {k i } of M i , but could not get the session information, and can get the private key k j for the matching instance AG j without session information, too.
However, in all the above four cases, adversary A is unable to solve the CDH problem given the information it gets in the four cases.The shared key sk can be gotten with the probability 1 q h in the list of L A , t = O(t + (q h + q h )•T m ) be the running time in all, then it is not hard to get: Until now, through the games and using the lemma 1, theorem 1 is proven.

Computational Performance Analysis
In this section, we compared the computation cost of the proposed scheme with [4,5], and the second scheme in [36], and we use the following symbols to stand for different time costs.In order for comparison, we use the experimental results from [41], the same as in Odelu's scheme, and the results are shown in Table 14.We also "omit the modular multiplication T m .as it requires very low execution time than that for execution time of a modular exponentiation operation" [41].We also ignore the point addition and XOR operations, as the time consumption is marginal, at the same time, we "assume T h ≈ T s ".The final results are shown in Tables 15 and 16.

1.
T exp the execution time of a modular exponentiation operation in G 2 2.
T mul the execution time of a scalar multiplication operation in G 1 3.
T bp the execution time of bilinear map pairing e : T s the execution time of a symmetric encryption/decryption 5.
T H the execution time of map to point 6.
T h the execution time of general one-way hash function Aggregator * The smart meters are divided into different aggregation areas in the smart grid, the role of service provider in schemes of [4,5,36] are similar to the role of the aggregator in our scheme in an aggregation area.

Communication Performance Analysis
In this section, we compared the proposed scheme's computation cost with Tsai-Lo's scheme [4], Odelu's scheme [5], and Y. Wang et al. [36].According to Odelu et al., "the random number/nonce is 128 bits, the identity and hash output of all hash functions H 1 , H 3 , H 4 and H 5 (except the hash function H 2 ) are 160 bits each, the elements in group G 1 and G 2 are 320 bits and 512 bits, respectively, and the timestamp is 32 bits" [5].We get the following computation cost in Table 17, and for C 1 , its length is calculated as the length of (Id i , R in ), which is 480 bits.Compare * mean compare with the proposed scheme.M1 for message 1. M2 for message 2, M3 for message 3, M4 for message 4 only in [36].

Comparison of the Schemes
In this part, we compare the security features with the other schemes [4,5,36].As we discussed in Section 5, Odelu's scheme [5] suffers from KGC impersonate attacks and KGC track attacks; in Tsai-Lo's scheme [4], the private key of the smart meter and service provider is also known by KGC, so their scheme suffers from these two attacks, too.Besides, as KGC knows the private key, KGC could find out the shared key, so KGC could launch an eavesdrop attack.The second scheme of [36] does not have a KGC, but instead, a card maker, and the card maker knows the private key of the card owner.Besides, according to [4], the second scheme of [36] "does not support anonymity as it uses (smart meter) identity through its authentication process" and suffers from "unknown key share attack".
According to [5], Tsai-Lo scheme in [4] "fails to protect the smart secret credentials when the ephemeral secret is revealed to A (adversary)."We name this attack "session exposure attacks when ephemeral secrets leaked".We get Table 18 based on the security analysis in Section 5, Tables 15 and 16.

I3RES Project
Our work is part of the I3RES project (ICT-based intelligent management of integrated RES for the optimal operation of smart grid), which manages the grid capabilities, supports the deployment of services, and eases the development of user applications.The computational view of the I3RES is defined by the development of an open platform based on standardized and commercial off-the-shelf technologies, supporting the deployment of new services and decision-making mechanisms (1) to support tasks associated to monitoring in the context of the medium and low voltage network; (2) to manage the distribution of RES production in the distribution network associated to the stakeholders; and (3) to manage and control generation-consumption balance from the consumer point of view (DSM).
Our research group proposed a common middleware architecture for smart grids [42], which contributed to the standardization of designing and implementation of semantic middle architecture.It has been proven that sematic middleware architecture is a key element to create business models where new actors can join a new scenario, and where energy access and trade are democratized and more distributed than before.The general structure is depicted in Figure 3.The security component is a key part of the middleware, since it provides the required security mechanisms for the different application domains.The proposal presented in this paper was embedded within this security component, offering the security mechanisms needed for a smart grid application in an efficient way.Thus, it was feasible to deploy the security component in the different devices in smart grid.

Conclusions
In this paper, we introduced an anonymous authentication scheme based on bilinear pairing and the computational Diffie-Hellman problem.First, we improved the registration phase, so that a smart meter's private key will not be leaked to the Key Generation Center.Thus, the proposed scheme is immune to various potential attacks launched by the Key Generation Center.Besides, we greatly improved the efficiency of the scheme, the computation cost at both the smart meter side and

Conclusions
In this paper, we introduced an anonymous authentication scheme based on bilinear pairing and the computational Diffie-Hellman problem.First, we improved the registration phase, so that a smart meter's private key will not be leaked to the Key Generation Center.Thus, the proposed scheme is immune to various potential attacks launched by the Key Generation Center.Besides, we greatly improved the efficiency of the scheme, the computation cost at both the smart meter side and aggregator side is much lower compared to the existing schemes.We also use the BAN logic and random oracle model to prove that the proposed scheme is secure.As data privacy of the smart meter is becoming an urgency, in future, we want to focus on data aggregation methods in smart grids to protect the privacy of the smart meter consumption.Finally, the proposal was fitted into the security component of a common middleware architecture, in order to provide the required security mechanisms for a smart grid application.

Figure 1 .
Figure 1.The structure of the model.Figure 1.The structure of the model.

Figure 1 .
Figure 1.The structure of the model.Figure 1.The structure of the model.

Figure 2 .
Figure 2. The abstract structure of the model.

Figure 2 .
Figure 2. The abstract structure of the model.

4 .
The Proof of the Proposed Scheme 7.4.1.Analysis of Message 1 1.According to Message 1, we get:

Energies 2017 ,
10, 1354 19 of 21 application domains.The proposal presented in this paper was embedded within this security component, offering the security mechanisms needed for a smart grid application in an efficient way.Thus, it was feasible to deploy the security component in the different devices in smart grid.

Table 2 .
Registration phase of smart meter in Odelu's scheme.

Table 8 .
The whole process is depicted in Table8.Request and authentication phase of the proposed scheme.

Table 8 .
Request and authentication phase of the proposed scheme.

Table 8 .
build a shared key.The whole process is depicted in Table8.Request and authentication phase of the proposed scheme.

Table 8 .
A 1 } build a shared key.The whole process is depicted in Table8.Request and authentication phase of the proposed scheme.

Table 8 .
A 2 } build a shared key.The whole process is depicted in Table8.Request and authentication phase of the proposed scheme.

Table 8 .
build a shared key.The whole process is depicted in Table8.Request and authentication phase of the proposed scheme.

Table 5 .
Symbols used in the proposed scheme.

Table 5 .
Symbols used in the proposed scheme.

Table 6 .
Registration phase of the smart meter.

Table 8 .
build a shared key.The whole process is depicted in Table8.Request and authentication phase of the proposed scheme.

Table 8 .
Request and authentication phase of the proposed scheme.

Table 7 .
Registration phase of the aggregator.build a shared key.The whole process is depicted in Table8.

Table 8 .
Request and authentication phase of the proposed scheme.

Table 8 .
Request and authentication phase of the proposed scheme.

Table 8 .
Request and authentication phase of the proposed scheme.

Table 8 .
Request and authentication phase of the proposed scheme.

Table 9 .
Symbols of BAN logic.

Table 10 .
Some primary BAN logic postulates.

Table 14 .
Time comparison of various cryptographic operations.

Table 15 .
Computation cost of different types of calculations at the authentication phase.

Table 16 .
Computation cost at the authentication phase.
Compare * mean compare with the proposed scheme.

Table 18 .
System comparison.KGC impersonate attack, F2-KGC track attack, F3-KGC eavesdrop attack, F4-session exposure attacks if ephemeral secrets are unexpectedly revealed under the CK-adversary, F5-comparison of communication cost, F6-comparison of computation cost at smart meter side (s), F7-comparison of computation cost at aggregator side (ms).