# Efficient and Provably Secure Key Agreement for Modern Smart Metering Communications

^{1}

^{2}

^{*}

^{†}

## Abstract

**:**

## 1. Introduction

#### 1.1. Related Work

#### 1.2. Contributions

#### 1.3. Outline

## 2. Preliminaries

#### 2.1. Bilinear Pairings

- Bilinear: Given ${P}_{1},{P}_{2},Q,{Q}_{2}\in {G}_{1}$, then $e({P}_{1}+{P}_{2},{Q}_{1})=e({P}_{1},{Q}_{1})e({P}_{2},{Q}_{1})$, $e({P}_{1},{Q}_{1}+{Q}_{2})=e({P}_{1},{Q}_{1})e({P}_{1},{Q}_{2})$ and $e(a{P}_{1},b{Q}_{1})=e(ab{P}_{1},{Q}_{1})=e({P}_{1},ab{Q}_{1})=e(b{P}_{1},a{Q}_{1})=e{({P}_{1},{Q}_{1})}^{ab}$ for any $a,b\in {Z}_{q}^{*}$.
- Nondegenerate: There exist $P,Q\in {G}_{1}$, such that $e(P,Q)\ne 1$, with 1 the identity element of ${G}_{2}$.
- Computable: For any $P,Q\in {G}_{1}$, the value $e(P,Q)$ is efficiently computed.

- The Elliptic Curve Discrete Logarithm Problem (ECDLP). This problem states that given two points R and Q of an additive group G, generated by an elliptic curve (EC) of order q, it is computationally hard for any polynomial-time bounded algorithm to determine a parameter $x\in {Z}_{q}^{*}$, such that $Q=xR$.
- The Elliptic Curve Diffie Hellman Problem (ECDHP). Given two points $R=xP,Q=yP$ of an additive group G, generated by an EC of order q with two unknown parameters $x,y\in {Z}_{q}^{*}$, it is computationally hard for any polynomial-time bounded algorithm to determine the EC point $xyP$.

#### 2.2. Smart Metering Network Model

#### 2.3. Thread Model

#### 2.4. ECQV Certificates

## 3. Security Analysis of Authentication Schemes Recently Proposed in Literature

#### 3.1. Review of Odelu et al.

**Description of the scheme [10]:**

**Weaknesses in [10]:**Now we discuss the weaknesses of Odelu et al.’s scheme, as follows.

- (A)
- Security in CK model: In the CK security model, a secure session reveal on the SM and SP, i.e., SSReveal(SM) and SSReveal(SP), is possible.We can assume the leakage of ${r}_{1}+{d}_{A}$ as it represents a local session state at the side of the SM. It is a local variable needed to be stored in order to be reused after reception of $MS{G}_{2}$. Similarly, we can assume ${r}_{2}+h{d}_{B}$ as a local session state at the side of the SP. Again, this variable needs to be stored as it is used two times in the calculations of the SP. Since, $SK={H}_{4}\left({g}^{({r}_{1}+{d}_{A})({r}_{2}+h{d}_{B})}\right)$, thus only depends on these two local session states, the session key can be retrieved and the scheme turns out to be vulnerable under the CK security model.
- (B)
- Practical issues with registration phase: The generation of key material for both the SM and the SP from the TTP is not resistant against an honest but curious TTP, as the TTP derives the key material completely on its own and pushes it to the SM and SP. Consequently, the TTP can follow all the operations, and is able to track the SMs and SPs communications, and can collect the information.Moreover, in the registration phase, a secure channel is required between the SM, SP and TTP. Secure channels are often difficult to establish, especially in the case of SMs, where they are mostly in practice established through physical contact. Therefore, secure channels are not always practical.Finally, we also mention the weakness already noted by [11] regarding the key escrow problem. Once the private key of the TTP is revealed, all private keys of the SPs and SMs are easily derived. Once these private keys are revealed, impersonation attacks and many more attacks can start.
- (C)
- Late detection of MITM: Lead to DoS: The scheme behaves very weak with regard to MITM attacks that may lead to DoS attacks on the server side. Assume that an attacker (Tom) acts as MITM. Tom can capture $MS{G}_{1}$ and sends it ($MS{G}_{{1}_{Tom}}$) to the SP. Note that the SP can only decide about the validity of a request ($MS{G}_{{1}_{Tom}}$) after completing the whole process, i.e., after receiving the message $MS{G}_{3}$. As a consequence, each request opens a buffer, where first several compute intensive pairings need to be computed, followed by the submission of a response. This buffer needs to be kept open until a response of the SM is received. Consequently, the memory can easily overflow by sending a huge number of invalid requests, where valid and invalid requests cannot be distinguished due to the late detection of forged messages.

#### 3.2. Review of Chen et al.

**Description of the scheme [11]:**

**Weaknesses in [11]:**Now we discuss the weaknesses of Chen et al.’s scheme, as follows.

- (A)
- Security in CK model: A similar type of attack as in [10] is possible. In the CK security model, a secure session reveal on the SM and SP, i.e., SSReveal(SM) and SSReveal(SP), is possible.As a result, the local states ${r}_{1}+{d}_{A}$ from SM and ${r}_{2}+{d}_{B}$ from SP are leaked. Since, $SK={H}_{4}\left(({r}_{1}+{d}_{A})({r}_{2}+{d}_{B})P\right)$, the security of the session key is broken.
- (B)
- Late detection of MITM: Lead to DoS: The same issue regarding the late detection of a MITM attack also holds in this scheme. After receiving $MS{G}_{1}$, the SP is unable to check if this request is coming from a registered SM. Only after receiving the last message $MS{G}_{3}$ and verifying the hash value ${A}_{3}$, the SP can decide if the key negotiation has been successfully executed. As a result, this weakness could lead to DoS threat.

#### 3.3. Review of Abbasinezhad et al.

**Description of the scheme [12]:**

**Weaknesses in [12]:**Now we discuss the weaknesses of Abbasinezhad et al.’s scheme, as follows.

- (A)
- Security in CK model: The scheme is not resistant in the CK security model if the private keys ${d}_{A}$ and ${d}_{B}$ of the SM and SP respectively are leaked. This follows from the fact that ${C}_{A}={C}_{B}={d}_{B}{A}_{A}$ and ${D}_{A}={D}_{B}={d}_{A}{B}_{B}$. As a result, the adversary is able to compute $SK=H(I{D}_{A}\parallel I{D}_{B}\parallel {C}_{A}\parallel {D}_{A})$ and the security of the session key is broken.
- (B)
- Late detection of MITM: Lead to DoS: The same issue regarding the late detection of a MITM attack also holds in this scheme. After receiving $MS{G}_{1}$, the SP is unable to check if this request is coming from a registered SM. Only after receiving the last message $MS{G}_{3}$ and verifying the hash value ${V}_{3}$, the SP can decide if the key negotiation has been successfully executed. As a result, this weakness could lead to a DoS threat.

#### 3.4. Lessons Learned

- Resistance in CK model: Any possible definition of the SK should consist of a combination of both the local state variable and the private key of at least one entity. For instance, in [10,11], the SK can be written in a form only consisting of local state variables of the two entities and in [12], the SK is derivable to a form only consisting of the private keys of the two entities.
- Resistance to DoS attacks: In [10,11,12], the SP only retrieves the identity of the SMs after receiving a second message and is not able to detect malicious behaviour. Therefore, to avoid the SP keeping open a huge amount of (potential malicious) sessions, it is better to let the request initiated by the SP. The SM is less vulnerable since it can react when too many requests are sent as they are coming from only one entity, i.e., the SP.

## 4. Proposed Scheme

#### 4.1. Setup Phase

#### 4.2. Registration Phase

#### 4.3. Key Agreement Phase

**SP broadcast**: Every fixed period, the SP broadcasts the EC point ${M}_{0}=\left\{{R}_{2}\right\}$. This point is computed by randomly choosing a variable ${r}_{2}$ and ${R}_{2}={r}_{2}P$.

**SM response**: For each SM that wants to do a key update or start a key negotiation process, the following steps are executed. First, the SM chooses a random value ${r}_{1}$ and computes the EC point ${R}_{1}=({r}_{1}+{d}_{A})P$. Next, the SM derives the symmetric shared key with the SP by $K={H}_{1}\left(({r}_{1}+{d}_{A}){P}_{B}\right)$. This key is used to encrypt the identity information of the SM, $C={E}_{K}(I{D}_{A}\parallel cer{t}_{A})$. Also the SK is computed by $SK={H}_{3}\left((({r}_{1}+{d}_{A}){h}_{1}+{d}_{A})({h}_{2}{R}_{2}+{P}_{B})\right)$, with ${h}_{1}={H}_{2}(I{D}_{A}\parallel I{D}_{B}\parallel {R}_{1}\parallel {R}_{2}\parallel {P}_{A}\parallel {P}_{B})$ and ${h}_{2}={H}_{2}(I{D}_{B}\parallel I{D}_{A}\parallel {R}_{2}\parallel {R}_{1}\parallel {P}_{B}\parallel {P}_{A})$. Finally, a hash value is computed, ${S}_{1}={H}_{4}({R}_{1}\parallel C\parallel {P}_{A}\parallel SK)$. The message ${M}_{1}=\{{R}_{1},{C}_{,}{S}_{1}\}$ is sent to the SP.

**SP response**: Upon arrival of this message, the SP first computes the key, $K={H}_{1}\left({d}_{B}{R}_{1}\right)$ in order to decrypt ${C}_{1}$ and to derive $I{D}_{A},cer{t}_{A}$. Using these values, the public key ${P}_{A}$ of the SM can be computed (Equation (1)), ${P}_{A}={H}_{0}(cer{t}_{A}\parallel I{D}_{A})cer{t}_{A}+{P}_{pub}$. At this point, the SK can be computed by the SP as $SK={H}_{3}\left(({r}_{2}{h}_{2}+{d}_{B})({h}_{1}{R}_{1}+{P}_{A})\right)$, with again ${h}_{1}={H}_{2}(I{D}_{A}\parallel I{D}_{B}\parallel {R}_{1}\parallel {R}_{2}\parallel {P}_{A}\parallel {P}_{B})$ and ${h}_{2}={H}_{2}(I{D}_{B}\parallel I{D}_{A}\parallel {R}_{2}\parallel {R}_{1}\parallel {P}_{B}\parallel {P}_{A})$. Finally, using the received values ${R}_{1},C$ and the computed values ${P}_{A},SK$, the hash function ${H}_{4}({R}_{1}\parallel C\parallel {P}_{A}\parallel SK)$ is computed and verified if it corresponds with the actual received ${S}_{1}$ value.

**SP confirmation**: If the verification of the SP is positive, a key confirmation is sent by the SP. Therefore, the hash ${S}_{2}={H}_{5}(I{D}_{A}\parallel I{D}_{B}\parallel {R}_{1}\parallel {R}_{2}\parallel {P}_{A}\parallel {P}_{B}\parallel SK)$ is computed and ${M}_{2}=\left\{{S}_{2}\right\}$ is sent to the SM.

## 5. Security Analysis

#### 5.1. Formal Security Analysis

- Hash queries ${H}_{i}\left(m\right)$ with $i\in \{0,1,2,3,4,5\}$. If m already exists in the list ${L}_{{H}_{i}}$, the value ${H}_{i}\left(m\right)$ will be returned. Otherwise, a random value will be generated, added to the list ${L}_{{H}_{i}}$, and returned.
- Send queries. These queries simulate active attacks, in which the adversary is able to modify the transmitted messages. As a result, a corresponding reply will be generated. Since there are three communication passes, four different Send queries need to be defined.
- –
- Send(0,SP). A random value ${r}_{2}$ is chosen to compute ${R}_{2}={r}_{2}P$. The output of the query is ${M}_{0}=\left\{{R}_{2}\right\}$.
- –
- Send(${M}_{0}$,SM). A random value ${r}_{1}$ is chosen to compute ${R}_{1}=({r}_{1}+{d}_{A})P$. Next, $K={H}_{1}\left(({r}_{1}+{d}_{A}){P}_{B}\right)$ is determined, together with $C={E}_{K}(I{D}_{A}\parallel cer{t}_{A})$. Then, ${h}_{1}={H}_{2}(I{D}_{A}\parallel I{D}_{B}\parallel {R}_{1}$ $\parallel {R}_{2}\parallel {P}_{A}\parallel {P}_{B})$ and ${h}_{2}={H}_{2}(I{D}_{B}\parallel I{D}_{A}\parallel {R}_{2}\parallel {R}_{1}\parallel {P}_{B}\parallel {P}_{A})$ are computed to derive $SK={H}_{3}\left(\right(($${r}_{1}+{d}_{A}){h}_{1}+{d}_{A}\left)\right({h}_{2}{R}_{2}$ $+{P}_{B}\left)\right)$. Finally, ${S}_{1}={H}_{4}({R}_{1}\parallel $ $C\parallel {P}_{A}\parallel SK)$ is computed. The message ${M}_{1}=\{{R}_{1},$ $C,{S}_{1}\}$ is returned.
- –
- Send(${M}_{1}$,SP). First, $K={H}_{1}\left({d}_{B}{R}_{1}\right)$ is determined, leading to $I{D}_{A}\parallel cer{t}_{A}={D}_{K}\left(C\right)$. Then, ${P}_{A}={H}_{0}(cer{t}_{A}\parallel I{D}_{A})cer{t}_{A}+{P}_{TTP}$ is derived. Next, ${h}_{1}={H}_{2}(I{D}_{A}\parallel I{D}_{B}\parallel {R}_{1}\parallel {R}_{2}\parallel {P}_{A}\parallel {P}_{B})$ and ${h}_{2}={H}_{2}(I{D}_{B}\parallel I{D}_{A}\parallel {R}_{2}\parallel {R}_{1}\parallel {P}_{B}\parallel {P}_{A})$ are computed, to find $SK={H}_{3}\left(({r}_{2}{h}_{2}+{d}_{B})({h}_{1}{R}_{1}+{P}_{A})\right)$ and check ${H}_{4}({R}_{1}\parallel C\parallel {P}_{A}\parallel SK)$ against ${S}_{1}$. If the verification is unsuccessful, the session can stop, otherwise ${S}_{2}={H}_{5}(I{D}_{A}\parallel I{D}_{B}\parallel {R}_{1}\parallel {R}_{2}\parallel {P}_{A}\parallel {P}_{B}\parallel SK)$ is computed and ${M}_{2}=\left\{{S}_{2}\right\}$ is the output of the query.
- –
- Send(${M}_{2}$,SP). If ${S}_{2}={H}_{5}(I{D}_{A}\parallel I{D}_{B}\parallel {R}_{1}\parallel {R}_{2}\parallel {P}_{A}\parallel {P}_{B}\parallel SK)$ is not valid, then the session is terminated. Otherwise, both SP and SM have successfully negotiated a common secret key SK.

- Execute queries. These queries simulate the passive attacks, in which the adversary can only eavesdrop onto the channel and is able to collect the transmitted messages. We can distinguish three different execute queries resulting from the first three Send queries, as defined above.
- Session specific state reveal queries (SSReveal). According to the CK adversary model, the attacker is able to retrieve session specific state information, derived by the SM and the SP, respectively. Note that no long-term private keys are revealed in this query.
- –
- SSReveal(SM). The output of this query results in ${r}_{1}+{d}_{A},{h}_{1},{h}_{2},{R}_{1},C,{S}_{1}$.
- –
- SSReveal(SP). The output of this query results in ${r}_{2},{R}_{2},{h}_{1},{h}_{2},{S}_{2}$.

- Corrupt queries. These queries give the private key of the entity as result. Note that only Corrupt(SM) and Corrupt(SP) exist and no corrupt queries with regards to the TTP, which is considered a completely trusted entity. They are included to prove the perfect forward security of the scheme.
- Session key reveal query (SKReveal). In this query, the established symmetric SK between SP and SM is returned in case it has been successfully generated.
- Test query. In this query, either the established SK or a random value is returned, dependent on the output $c=1$ or $c=0$, respectively of a flipped coin c. Note that the test query cannot be issued when the SKReveal query, the SSReveal(SM) and Corrupt(SM), or SSReveal(SP) and Corrupt(SP), have been executed.

- The SP and SM are partners if they are exchanging messages directly and are the only entities able to successfully derive an authenticated common shared SK.
- The established shared secret key is said to be fresh if the SK has been established without SKReveal query by the adversary or Corrupt query of SM and SP.

**Lemma**

**1.**

**Theorem**

**1.**

**Proof.**

- Game GM0. This is the real game, as defined in the semantic security framework. From the definition, we have that$$\begin{array}{c}\hfill Adv\left(\mathcal{A}\right)=|2Pr\left[suc{c}_{0}\right]-1|.\end{array}$$
- Game GM1. In this game, the oracles for the different queries are simulated and the resulting outputs of the queries are stored in the lists. In the random oracle model, it holds that$$\begin{array}{c}\hfill Pr\left[suc{c}_{1}\right]=Pr\left[suc{c}_{0}\right].\end{array}$$
- Game GM2. In this game, also all oracles are simulated, but collisions are avoided in the output of the hash functions and the selection of the random values ${r}_{1},{r}_{2}$ among the different sessions. Due to the birthday paradox, the probability that these two events appear is bounded by $\frac{O{({q}_{s}+{q}_{e})}^{2}}{2q}$ and $\frac{O{\left({q}_{h}\right)}^{2}}{2q}$ respectively. Consequently, it holds$$\begin{array}{c}\hfill |Pr\left[Suc{c}_{2}\right]-Pr\left[Suc{c}_{1}\right]|\le \frac{O{({q}_{s}+{q}_{e})}^{2}}{2q}+\frac{O{\left({q}_{h}\right)}^{2}}{2q}.\end{array}$$
- Game GM3. In this game, the adversary $\mathcal{A}$ is able to find the hash values ${S}_{1},{S}_{2}$ without input of the random oracle Send queries. In this case, the scheme is simply terminated. Consequently, GM3 and GM2 are indistinguishable, if and only if the SM rejects ${S}_{2}$ or the SP rejects ${S}_{1}$. Rejection only appears when the requested message belongs to the list of stored transcripts and when the hash value is also present in the list of stored record, kept by the adversary $\mathcal{A}$. As a consequence, due to the difference lemma, we have that$$\begin{array}{c}\hfill |Pr\left[Suc{c}_{3}\right]-Pr\left[Suc{c}_{2}\right]|\le \frac{O{\left({q}_{s}\right)}^{2}}{{2}^{l}}.\end{array}$$
- Game GM4. In this game, we consider the CK adversary model and assume that either the session state variables or the long-term secret variables are revealed at each of the involved participants. The goal of the adversary is to find the SK by performing Execute and Hash queries, with four possible combinations of SSReveal and Corrupt queries. In each of the four scenarios, we show that for successfully deriving the SK, one should be able to both solve the ECDHP and to perform a successful hash query of ${H}_{1}$.
- –
- SSReveal(SM) and SSReveal(SP). As a result of these queries, the adversary $\mathcal{A}$ possesses ${r}_{1}+{d}_{A},{h}_{1},{h}_{2},{R}_{1},C,{S}_{1}$ and ${r}_{2},{R}_{2},{h}_{1},{h}_{2},{S}_{2}$, respectively. In order to compute the session key,$$\begin{array}{ccc}\hfill SK& =& {H}_{3}\left((({r}_{1}+{d}_{A}){h}_{1}+{d}_{A})({h}_{2}{R}_{2}+{P}_{B})\right)\hfill \\ & =& {H}_{3}\left(({r}_{2}{h}_{2}+{d}_{B})({h}_{1}{R}_{1}+{P}_{A})\right)\hfill \end{array}$$
- –
- SSReveal(SM) and Corrupt(SP). Here, the adversary $\mathcal{A}$ receives the information ${r}_{1}+{d}_{A},{h}_{1},{h}_{2},{R}_{1},C,{S}_{1}$ and ${d}_{B}$, respectively. For the derivation of the SK, cf. Equation (6), also ${r}_{2}$ or ${d}_{A}$ is required.
- –
- Corrupt(SM) and SSReveal(SP). After performing these queries, the adversary $\mathcal{A}$ learns the information ${d}_{A}$ and ${r}_{2},{R}_{2},{h}_{1},{h}_{2},{S}_{2}$, respectively. However, for the derivation of the SK, cf. Equation (6), also ${r}_{1}$ or ${d}_{B}$ is required.
- –
- Corrupt(SM) and Corrupt(SP). In this case, as a result of these queries, the adversary $\mathcal{A}$ possesses the information ${d}_{A}$ and ${d}_{B}$, respectively. However, for the derivation of the SK, cf. Equation (6), also ${r}_{1}$ or ${r}_{2}$ is required.

#### 5.2. Security Simulation Using AVISPA Tool [16]

#### 5.3. Informal Security Analysis

- Resistance against replay attacks. There are two options, either ${M}_{1}$ is replayed in the same period of ${R}_{2}$ usage or it is replayed when a new ${R}_{2}$ is determined by the SP. In the first case, the same key as before is derived. However by capturing ${M}_{2}$, which is a hash value containing the SK, no additional information can be derived by the attacker. If the server keeps track of the parameters ${R}_{1}$ sent during the period in which ${R}_{2}$ remains constant, further action of the SP can be avoided.In the second case, a new session key is generated by the SP. However, when checking the hash value ${S}_{1}$ a contraction is found by the SP as the SK is different. The session is then stopped immediately.
- Resistance against impersonation attacks. There are again two options, impersonation of messages ${M}_{0}$ and ${M}_{1}$. First, it is impossible to impersonate the message ${M}_{0}$ as it is used to construct the SK by both the SM and the SP. Even if the SM is using ${R}_{2}$, sent from a malicious entity, the corresponding SK computed by the SM will not correspond with the SK computed by the SP and at the point where ${S}_{1}$ is validated. At that moment, the session will be terminated.Also impersonation of the message ${M}_{1}$ sent by the SM is impossible. This follows from the fact that ${M}_{1}$ consists of the parameter ${R}_{1}$. Only the SP is able to derive from ${R}_{1}$ the common shared key K with the SM in order to decrypt the ciphertext C for finding the identity and certificate of the SM. From these two parameters and the strength of the ECQV certificate mechanism, the SP can construct the corresponding public key ${P}_{A}$ of the SM. The construction of the SK by the SP exploits the usage of this public key ${P}_{A}$ and its own private key ${d}_{B}$, which is also derivable by the SM who is in possession of the correct corresponding private key ${d}_{A}$ and the public key ${P}_{B}$ of the SP. Consequently, it is impossible for an attacker to impersonate ${M}_{1}$ without knowledge of a valid private-public key pair of a SM or to impersonate ${M}_{2}$ without knowledge of the private key ${d}_{B}$ of the SP.
- Resistance against MITM attacks. For the same reasons as explained in the replay and impersonation attacks, it is impossible to execute a MITM attack. Note that this resistance also strongly relies from the authentication feature established through the ECQV certificate mechanism.
- Anonymity. From the messages ${M}_{0},{M}_{1},{M}_{2}$ sent in the protocol, no information on the identity of the SM can be derived. The only identity related information is hidden in the message C, which is encrypted using a key only derivable by the SP.
- Resistance against DoS attacks. First of all, we here consider DoS attacks from the side of the server as resistance from the SM is easier to obtain by just blocking the amount of sent requests. Compared to the previous schemes in literature [10,11,12,14], our scheme is initiated by the SP with one single and common message to all interested SMs. Consequently, no separated buffers from received messages of different unknown SMs need to be saved by the SP. Upon arrival of a message ${M}_{1}$ from a particular SM, the SP can immediately check the validity and integrity of it in one single phase. If the check is not successful, it can drop the request and go to the next received message.

#### 5.4. Comparison of Security Features

## 6. Performance Analysis

#### 6.1. Computation Costs

#### 6.2. Communication Costs

#### 6.3. Other Simulations

## 7. Conclusions

## Author Contributions

## Funding

## Conflicts of Interest

## References

- Ferrag, M.A.; Maglaras, L.A.; Janicke, H.; Jiang, J. A survey on privacy-preserving schemes for smart grid communications. arXiv, 2016; arXiv:1611.07722. [Google Scholar]
- Liang, G.; Weller, S.R.; Zhao, J.; Luo, F.; Dong, Z.Y. The 2015 ukraine blackout: Implications for false data injection attacks. IEEE Trans. Power Syst.
**2017**, 32, 3317–3318. [Google Scholar] [CrossRef] - Canetti, R.; Krawczyk, H. Analysis of key-exchange protocols and their use for building secure channels. In Advances in Cryptology EUROCRYPT 2001; Springer: Berlin, Germany, 2001; pp. 453–474. [Google Scholar]
- Boyd, C.; Mao, W.; Paterson, K. Key agreement using statistically keyed authenticators. In Proceedings of the Second International Conference on Applied Cryptography and Network Security, St. Petersburg, Russia, 21–23 May 2011; Springer: Berlin, Germany, 2021; Volume 3089, pp. 248–474. [Google Scholar]
- Wu, D.; Zhou, C. Fault-tolerant and scalable key management for smart grid. IEEE Trans. Smart Grid
**2011**, 2, 375–381. [Google Scholar] [CrossRef] - Xia, J.; Wang, Y. Secure key distribution for the smart grid. IEEE Trans. Smart Grid
**2012**, 3, 1437–1443. [Google Scholar] [CrossRef] - Mahmood, K.; Chaudry, S.A.N.; Naqvi, H.; Shon, H.-T.; Ahmad, H.F. A lightweight message authentication scheme for Smart Grid Communications in power sector. Comput. Electr. Eng.
**2016**, 52, 114–124. [Google Scholar] [CrossRef] - Mohammadali, A.; Haghighi, M.S.; Tadayon, M.H.; Nodooshan, A.M. A novel identity-based key establishment method for advanced metering infrastructure in smart grid. IEEE Trans. Smart Grid
**2016**, 9, 2834–2842. [Google Scholar] [CrossRef] - Tsai, J.-L.; Lo, N.-W. Secure anonymous key distribution scheme for smart grid. IEEE Trans. Smart Grid
**2016**, 7, 906–914. [Google Scholar] [CrossRef] - Odelu, V.; Kumar, A.; Wazid, M.; Conti, M. Provably Secure Authenticated Key Agreement Scheme for Smart Grid. IEEE Trans. Smart Grid.
**2018**, 9, 1900–1910. [Google Scholar] [CrossRef] - Chen, Y.; Martinez, J.G.; Catellejo, P.; Lopez, L. An Anonymous Authentication and Key Establish Scheme for Smart Grid: FAuth. Energies
**2018**, 10, 1345. [Google Scholar] [CrossRef] - Abbasinezhad-Mood, D.; Nikoohgadam, M. Anonymous ECC-Based Self-Certified Key Distribution Scheme for Smart Grid. IEEE Trans. Ind. Electron.
**2018**, 65, 8. [Google Scholar] [CrossRef] - Li, X.; Ma, J.; Moon, S. On the Security of the Canetti-Krawczyk Model. In Proceedings of the Computational Intelligence and Security, Xi’an, China, 15–19 December 2005; Springer: Berlin, Germany, 2005; Volume 3802, pp. 356–363. [Google Scholar]
- Gope, P.; Sikdar, B. Privacy-Aware Authenticated Key Agreement Scheme for Secure Smart Grid Communication. IEEE Trans. Smart Grid
**2018**. [Google Scholar] [CrossRef] - Yasunag, K.; Yuzawa, K. On the Limitations of Computational Fuzzy Extractors. ePrint Arch.
**2014**, 3, 7–9. [Google Scholar] - Luca, V. Automated security protocol analysis with the AVISPA tool. Electron. Notes Theor. Comput. Sci.
**2006**, 155, 61–86. [Google Scholar] - Braeken, A.; Kumar, P.; Martin, A. Efficient and Privacy-Preserving Data Aggregation and Dynamic Billing in Smart Grid Metering Networks. Energies
**2018**, 11, 2085. [Google Scholar] [CrossRef] - Kumar, P.; Gurtov, A.; Sain, M.; Martin, A.; Ha, P. Lightweight Authentication and Key Agreement for Smart Metering in Smart Energy Networks. IEEE Trans. Smart Grid
**2018**. [Google Scholar] [CrossRef] - Qu, M.; Vanstone, S.A. Implicit Certificate Scheme. US Patent 6,792,530, 14 September 2004. [Google Scholar]
- Brown, D.R.L.; Scott, R.-G.; Vanstone, A. Provably Secure Implicit Certificate Schemes. In Proceedings of the 5th International Conferenc on International Conference on Financial Cryptography, Grand Cayman, Cayman Islands, 19–22 February 2001; Volume 2339, pp. 156–165. [Google Scholar]
- Bellare, M.; Rogaway, P. The security of triple encryption and a framework for code-based game-playing proofs. In Proceedings of the 25th Eurocrypt Conference on Advances in Cryptology Eurocrypt 2006, St. Petersburg, Russia, 28 May–1 June 2006; Springer: Berlin, Germany, 2006; Volume 4004, pp. 409–426. [Google Scholar]
- Pointcheval, D.; Zimmer, S. Multi-factor authenticated key exchange. In Proceedings of the 6th International Conference Applied Cryptography and Network Security, New York, NY, USA, 3–6 June 2008; Springer: Berlin, Germany, 2008; pp. 77–95. [Google Scholar]
- Shoup, V. Sequences of Games: A Tool for Taming Complexity in Security Proofs. 2004. Available online: http://eprint.iacr.org/2004/332/ (accessed on 28 August 2018).
- Dolev, D.; Yao, A. On the security of public key protocols. IEEE Trans. Inf. Theory
**1983**, 29, 198–208. [Google Scholar] [CrossRef][Green Version] - He, D.; Zeadally, S.; Wang, H.; Liu, Q. Lightweight Data Aggregation Scheme against Internal Attackers in Smart Grid Using Elliptic Curve Cryptography. Wirel. Commun. Mob. Comput.
**2017**, 2017, 3194845. [Google Scholar] [CrossRef] - Herder, C.; Yu, M.D.; Koushanfar, F.; Devadas, S. Physical Unclonable Functions and Applications: A Tutorial. Proc. IEEE
**2014**, 102, 1126–1141. [Google Scholar] [CrossRef] - Dodis, Y.; Ostrovsky, R.; Reyzin, L.; Smith, A. Fuzzy extractors: How to generate strong keys from biometrics and other noise data. SIAM J. Compt.
**2008**, 38, 97–139. [Google Scholar] [CrossRef]

**Figure 2.**Steps and computations in the key agreement phase of [10].

**Figure 3.**Review of key agreement phase of Chen et al.’s scheme [11].

**Figure 4.**Steps and computations in the key agreement phase of Abbasinezhad et al.’s scheme [12].

Security Services | Safe From |
---|---|

Confidentiality | MITM attack |

Authentication | Replay attack |

2011 [5] | 2012 [6] | 2016 [7] | 2016 [8] | 2016 [9] | 2018 [10] | 2018 [11] | 2018 [12] | 2018 [14] | Ours | |
---|---|---|---|---|---|---|---|---|---|---|

R1 | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |

R2 | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |

R3 | No | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |

R4 | No | No | No | No | Yes | Yes | Yes | Yes | Yes | Yes |

R5 | No | No | Yes | No | No | No | No | No | Yes | Yes |

R6 | No | No | No | No | No | No | Yes | Yes | No | Yes |

R7 | No | No | No | No | No | No | No | No | No | Yes |

Scheme | Cost at SM | ms | Cost at SP | $\mathsf{\mu}$s |
---|---|---|---|---|

[9] | $4{T}_{mp}+4{T}_{ap}+{T}_{e}+5{T}_{h}$ | ≈31.59 | $3{T}_{mp}+2{T}_{ap}+2{T}_{b}+{T}_{e}+5{T}_{h}$ | ≈38.27 |

[10] | $3{T}_{mp}+{T}_{ap}+{T}_{e}+6{T}_{h}$ | ≈25.72 | $2{T}_{mp}+{T}_{ap}+2{T}_{b}+{T}_{e}+6{T}_{h}$ | ≈37.28 |

[11] | $2{T}_{mp}+{T}_{e}+5{T}_{h}$ | ≈19.79 | $3{T}_{mp}+{T}_{b}+{T}_{e}+5{T}_{h}$ | ≈21.26 |

[12] | $4{T}_{mp}+{T}_{ap}+5{T}_{h}$ | ≈23.80 | $4{T}_{mp}+{T}_{ap}+5{T}_{h}$ | ≈3.98 |

[14] | $5{T}_{h}+{T}_{PUF}+{T}_{FE.Rec}$ | ≈ 3.53 | $6{T}_{h}+{T}_{RE.Gen}$ | ≈1170 |

Ours | $4{T}_{mp}+{T}_{ap}+{T}_{s}+5{T}_{h}$ | ≈23.81 | $4{T}_{mp}+2{T}_{ap}+{T}_{s}+5{T}_{h}$ | ≈3.99 |

© 2018 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Braeken, A.; Kumar, P.; Martin, A. Efficient and Provably Secure Key Agreement for Modern Smart Metering Communications. *Energies* **2018**, *11*, 2662.
https://doi.org/10.3390/en11102662

**AMA Style**

Braeken A, Kumar P, Martin A. Efficient and Provably Secure Key Agreement for Modern Smart Metering Communications. *Energies*. 2018; 11(10):2662.
https://doi.org/10.3390/en11102662

**Chicago/Turabian Style**

Braeken, An, Pardeep Kumar, and Andrew Martin. 2018. "Efficient and Provably Secure Key Agreement for Modern Smart Metering Communications" *Energies* 11, no. 10: 2662.
https://doi.org/10.3390/en11102662