Quantum-Resistant Cryptography for Smart Metering in Smart Grid Systems

Abstract

The article proposes a cryptographic system with absolute security features for use in authenticating access to resources in smart grid systems, taking into account prosumer solutions to ensure a high level of security of transactions on the energy market that meet the requirements established in the Directive of the European Parliament of 14 December 2022 no. 2555 NIS2, requiring “dynamic authentication” prior to the release of transaction data for key services, covers energy market operators as a key service and is particularly important for ensuring security. The article presents an innovative cryptographic system that, according to the authors’ knowledge, is the only one in the world that meets the NIS2 requirements in the field of “dynamic authentication” and the Quantum-Resistant requirements intended for distributed systems and smart grids. The proposed solution eliminates vulnerabilities related to digital identity theft and its reuse, i.e., practically eliminates the possibility of impersonation.

1. Introduction

Smart Energy and Prosumer Systems are key elements of the modern energy transformation that support the development of sustainable energy systems. Prosumer Systems and Smart Energy jointly support the sustainable energy transformation, increasing the share of renewable energy sources (RES) and energy efficiency at every stage, from production to consumption. Smart Energy is a modern approach to energy management that uses digital technologies to optimize the production, distribution and consumption of energy. A prosumer is a person or entity that not only consumes energy but also produces it, most often from renewable energy sources, such as photovoltaic panels or wind turbines. The benefits of implementing Smart Energy are primarily greater efficiency and the possibility of balancing and reducing energy losses. “Smart Energy” is an increasingly popular concept of integrated energy systems that use modern and intelligent technologies to monitor, control and optimize the production, distribution and consumption of energy. The aim of “Smart Energy” is to improve energy efficiency and reduce the costs of energy production and distribution. Given the environmentally friendly energy production, reducing greenhouse gas emissions by eliminating fossil fuels from the process of generating electricity, so-called individual “prosumers” are connected to the power grid and are both consumers and producers of electricity from the sun or wind. Currently, a large-scale “Smart Grid” is distributed, consisting of millions of networked solar and wind systems, smart meters, controllers, monitoring computers, data servers, gateways, network management systems and electric vehicle charging stations. Managing such a network involves monitoring and controlling the flow of energy throughout the extensive network infrastructure. Communication between network management systems and devices that produce or store energy (e.g., photovoltaic panels, wind turbines, batteries) and consumers (e.g., electric vehicle charging stations) requires intelligent and secure management of prosumers’ access to resources. In the face of growing threats of hacker attacks, the increasing challenge facing “Smart Energy” is to ensure Cybersecurity without drastically increasing implementation costs [1]. Dynamic authentication, access control (AAA, Authentication, Authorization, Accounting; authentication, authorization and access control to devices), as well as data credibility, are the basic attributes of information security also for Industry 4.0. The attributes of information security are confidentiality, integrity, non-repudiation and availability of data and services offered by IT (Information Technology) systems [2,3]. Most of the attributes of information security are provided by cryptography and cryptographic systems, and one of the basic principles of cryptography presented in 1883 by Kerckhoffs states that the security of crypto-systems should rely on the secrecy of the key and not on the secrecy of the algorithm. Based on these sources [4,5,6] covering the theoretical and practical foundations of cryptology, breaking cryptographic security can be defined as follows:

Definition 1.

Breaking a cryptographic system is any action that allows one to obtain unauthorized access to information, cryptographic keys, or allows the execution of a cryptographic operation assumed to be impossible to perform in time and with resources smaller than those assumed by the system’s security, using analytical, computational or practical techniques.

In order to determine the vulnerability of a cryptographic system to breaking, the level of computational security expressed as a power of two or in bits is determined because the security level often corresponds to the length of the cryptographic key [4,5]. However, in practice, the bit size of the key is not synonymous with the security level of the cryptosystem because different cryptographic systems offer different levels of computational security, often independent of the key size [7]. It is assumed that the security level k means that decryption without knowledge of the decryption key requires performing 2^k decryption operations. A person who knows the decryption key assumes k = 0, so they will perform only one decryption operation. It can be assumed that the security level determines the minimum effort to recover the decryption key or to recover the message by an unauthorized user who does not know the decryption key in relation to the effort to decrypt the message by an authorized user who knows the value of the decryption key.

Definition 2.

The computational security level of a cryptosystem is a number of bits expressing the ratio of the number of calculations performed without knowing the decryption key to the number of calculations performed for decryption with knowledge of the key.

It is important to note that in 1949, Claude Shannon, based on the use of three rules, proved the following:

• The key for encrypting the message is longer than or equal to the encrypted message;
• The encryption key is generated randomly (not pseudo-randomly);
• A given key is used to encrypt no more than one message.

Referred to as one-time pad rules (OTP), it is possible to construct an unconditionally secure cryptographic system [8].

The security of a cryptosystem may decrease with progress in the number theory used in cryptanalysis and new, more efficient algorithms, as well as the increase in the computing power of computers. Considering the possible scenarios of the development of cryptanalysis methods and the rapid development of quantum computers, it is recommended to search for cryptographic algorithms and methods that provide resistance to cryptanalysis using quantum computers (Quantum-Resistant) or using known methods and unlimited computing resources, referred to as absolute security. In particular, Commission Recommendation (EU) 2024/1101 of 11 April 2024 assumes support for the use of “PostQuantum” cryptography in the implementation of Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 (NIS2) concerning measures for a high common level of security across the Union [9,10]. It is worth noting that NIS2 also refers to energy systems, including Smart Energy. Particular attention is paid to the security of authentication services and electronic transactions covered by Regulation (EU) 2014/910—eIDAS. In particular, as a manifestation of concern for a high level of security and elimination of vulnerabilities related to unauthorized access to resources, including access to critical infrastructure, “minimum technical specifications” for authentication systems have been defined in Regulation (EU) 2015/1502, where a high level of trust requires the use of “dynamic authentication” defined in [11] based on one-time pad cryptography generated on the trusted side, eliminating most of the known vulnerabilities, in accordance with the definition below.

Definition 3.

Dynamic authentication means an electronic process using cryptography or other techniques to provide a means of creating on demand an electronic proof that the subject is in control or in possession of the identification data and which changes with each authentication between the subject and the system verifying the subject’s identity.

However, no practical solution or technology implementing the definitional “dynamic authentication” has been developed so far. In particular, for accountability and security in “Smart Energy”, it is necessary to develop safe and effective authentication methods operating in the environment of low-power devices, such as smart meters and sensors, which may have limited computing power, preventing the implementation of the currently recommended by FIPS Quantum-Resists cryptography based on lattice theory. Ensuring unconditional security in an environment with limited resources requires searching for cryptographic algorithms that can be effectively used and implemented in an environment with limited resources, and one-time pad cryptography in authentication may be an effective and safe alternative to currently used solutions.

In this paper, a new implementation of hybrid cryptography is proposed, and a new concept of asymmetric cryptography with one-time keys for authentication purposes (RSA with OTP) is presented. The new concept of hybrid cryptography uses the RSA algorithm with a hidden shared component of the encryption and decryption keys. A new key exchange protocol has also been proposed, replacing the previously known ones. The new RSA cryptography with OTP meets the requirements of “dynamic authentication” [11], and the key exchange protocol meets the assumptions of Quantum-Resists.

The solutions used so far for authentication systems are presented in the second section. In Section 3, a new cryptographic system for dynamic authentication and a key exchange protocol for RSA with OTP is proposed, along with a demonstrative example. This section also includes a discussion of the obtained results. The last section presents conclusions and possibilities for using the introduced solution.

2. Overview of Authentication Solutions and Systems

Experience from recent decades has shown that weak, easy-to-guess, or hard-coded passwords are a growing cyber threat [12,13]. The 2017 NIST guidelines for authentication and digital identity lifecycle management recommend the use of Password-Based Key Derivation Functions 1 and 2 (PBKDF1 and PBKDF2). PBKDF2 features the derivation of encryption keys with a sliding computational cost to reduce the vulnerability of recovering a “password” using brute-force attacks [14]. In essence, PBKDF2 is a summary of the capabilities and achievements of fixed-key asymmetric cryptography for shared secret authentication and transmitting credentials over an insecure channel in a manner similar to that presented in Algorithm 1.

Algorithm 1. Simple authentication, cryptogram ${\mathit{c}}_{\mathit{i}}$ shared secret Pass

Input: ks ← (65,537, n), kd ← (d,n), Pass ← Pass,

Output: Verify ← “Yes/No”

“User” generates a password cryptogram using (1), c ← Pass65,537 mod n, “User” sends a couple {idA,c} to “Verifier” as WEBAplAuth ← {idA,c}, “Verifier” confirms for idA’s ← Pass. “Verifier” performs decryption using (2), Pass’ ← cd mod n. “Verifier” authenticates: 5.1 Verify ← Yes if Pass’ = Pass 5.2 Verify ← No if Pass’ ≠ Pass.

Previous reference authentication methods such as RFC7519 JSON (JavaScript Object Notation) Web Token [15] or PBKDF2 [14] but also SCRAM [16] using a shared secret such as “password” and asymmetric cryptography and hashing used an authentication scheme similar to the diagram shown in Figure 1 in a manner similar to that described by Algorithm 1. The shared secret “Pass” was stored as secured with the MD5 or SHA256 hash function, and additional security elements called “salt” and “pepper” or time stamps made it difficult to guess the “password” [17]. The use of asymmetric RSA or ECC cryptography in encapsulating credentials is vulnerable to “replay” attacks and the use of quantum computers in cryptanalysis. The new FIPS 203 standard published in 2024 [18], key-encapsulation mechanism (KEM) using “lattice theory” can be used by two parties to establish a shared secret key over a public channel. KEM can then be used with symmetric-key cryptographic algorithms to perform basic tasks in secure communications, such as encryption and authentication [18]. Since KEM also uses a fixed key, it does little to address vulnerabilities associated with absolutely secure authentication.

In order to defend against unauthorized access to systems, relying on username and password combinations does not provide sufficient protection against replay attacks and does not eliminate the vulnerability of spoofing, e.g., stolen credentials [1,12,13]. Using two-factor or multi-factor authentication methods increases security by adding a layer of verification, but these solutions are still not effective enough and are not resistant to known threats. Paper [19] presents the implementation of blockchain technology as a form of 2FA. The obtained results suggest that blockchain-based 2FA methods can strengthen digital security compared to conventional 2FA methods. Paper [20] proposed a new privacy-protected authenticated key agreement scheme for secure communication between smart meters and energy suppliers. The experiments carried out showed that the proposed authentication scheme outperforms others in terms of computational costs and resistance to various types of attacks [12,13]. In particular, it is better than the security scheme based on symmetric key encryption and public key encryption combined with elliptic curve cryptography [21]. However, as Cloude Shanon [8] showed, meeting the requirements of absolute security and Quantum-Resists is only achievable by using OTP cryptography, which also provides sufficient protection against replay attacks and other known methods of breaking cryptographic systems.

The problem of distributing one-time keys is indicated as the basic problem of using OTP cryptography in authentication. Article [22] presents the first use of the quantum key distribution (QKD) protocol in authenticating communication for a smart power grid. It shows the feasibility of using QKD to improve the security of critical infrastructure, indicating its use in future distributed energy resources (DER), such as energy storage. Smart Energy management, distribution and billing systems, in particular, require secure authentication. QKD authentication in DER has a significant additional advantage because it requires fewer random bits from QKD than full data encryption; however, quantum technologies are still too expensive to use on a large scale in IoT or smart grid systems.

It is obvious that smart grid technology brings users significant benefits in terms of efficiency and savings; however, various types of attacks can destabilize the operation of smart grids and falsify electricity consumption data. Even data transmitted between smart meters and the energy distribution server can generate not only incorrect energy invoices and other inconveniences but can also disrupt the proper operation of the energy system, even leading to a blackout in the energy sector.

3. Materials and Methods

For authentication, the RSA algorithm and modular exponentiation can be used directly, with encryption described by Equation (1) and decryption described by Equation (2):

$$c_i=m_i^s \mathrm{m}\mathrm{o}\mathrm{d} n$$

(1)

$$m_i=c_i^d \mathrm{m}\mathrm{o}\mathrm{d} n$$

(2)

where n = p ∙ q—product of the prime numbers p and q, s—encryption exponent, d—decryption exponent.

Assuming notations as in (1) and (2), the encryption key is the pair {s, n} and the decryption key is the pair {d, n}. The encryption key k_s = {s, n} and the decryption key k_d = {d, n} are related by the relation (3), which allows us to determine the values of the exponents based on the following equation:

$$s·d\equiv 1 \mathrm{m}\mathrm{o}\mathrm{d} \phi \left(n\right) \mathrm{when} d\equiv e^{-1} \mathrm{m}\mathrm{o}\mathrm{d} \phi \left(n\right)$$

(3)

where $\phi \left(n\right)$= $\phi \left(pq\right)=\left(p-1\right)·\left(q-1\right)$ is the number of coprime numbers of n, otherwise known as Euler’s totient.

Knowledge of the value of φ(n) is crucial for correctly determining the values of the exponents s and d. The correct operation of the RSA algorithm requires that the greatest common divisor GCD(s,φ(n)) = 1.

The traditional use of the RSA algorithm assumes that the encryption key {s, n} is shared as a public key and the decryption key {d, n} is a secret key protected from disclosure. The key commutative principle in RSA allows the use of the RSA algorithm in authentication. Assuming that the private secret key is k_s = {s, n} and the public key is k_d = {d, n}, it is possible to use RSA to authenticate the message m_i, assuming that m_i = “Pass” is the shared secret “Pass”. Since, knowing the value of {s, n}, one can prepare the ciphertext $c_i=m_i^s\mathrm{mod}n$ from which, after decrypting $m_i=c_i^d\mathrm{mod}n$ using the public key {d, n}, the value m_i, which is the shared authentication secret “Pass”, will be recovered. It is worth emphasizing that only someone who knows the values {s, n} is able to prepare a ciphertext c_i, from which, after decrypting with the public key {d, n}, the expected value m_i of the shared secret “Pass” will be decrypted.

Regardless of whether the RSA algorithm is used to hide the shared secret “Pass” in the model with the public encryption key {s, n} as in Figure 1 or in the model with the secret encryption key {s, n}, the security of the RSA algorithm is based on the difficulty of determining the value of one of the secret keys: encryption or decryption. Determination of the secret key leads to breaking the security and compromising the cryptographic system. The assumption that finding the secret exponent of modular exponentiation in RSA requires solving the Discrete Logarithm Problem (DLP), which is the high level of security of the RSA algorithm, turned out to be incorrect.

In order to break the RSA cryptosystem, it is enough to find the factorization of n into prime factors p and q and determine $\phi \left(n\right)=\left(p-1\right)·(q-1)$ and then use Equation (3) to determine the exponent of the secret key $d\equiv s^{-1}\mathrm{m}\mathrm{o}\mathrm{d}\phi \left(n\right)$ or $s\equiv d^{-1}\mathrm{m}\mathrm{o}\mathrm{d}\phi \left(n\right)$. Using GNFS (General Number Field Sieve) or using a quantum computer and Shor’s algorithm, cryptanalysis of the RSA algorithm is possible and efficient enough that the use of quantum computing (QC) would threaten the security of RSA and other known cryptosystems.

3.1. Proposed Cryptographic System for Authentication

Considering the susceptibility of the RSA public-key algorithm to cryptanalysis using GNFS or Shor’s algorithm and quantum computers, it is possible to propose absolutely secure authentication by hiding the cryptanalysis-susceptible value of the product n = p ∙ q and changing it after each use. Furthermore, one can assume that the decryption exponent d will not change d = const. Assuming that n₀ can adopt any value of the shared secret established during the first contact with any distribution as a product of powers of prime numbers, then each subsequent module of cryptographic keys $k_{s_i}=\{s_i,n_{i+1}\}$ and $k_{d_i}=\{d_i,n_{i+1}\}$ must satisfy RSA assumptions.

Therefore, each of the modules n_i+1 = p_i+1 ∙ q_i+1 will be the product of two prime numbers and will constitute a shared secret that will change its value after each use according to Definition 3. If, in addition, d = 65,537, then the determination of the ciphertext c_i of the message m_i is described by Equation (4) and the decryption by Equation (5):

$$c_i=m_i^{s_i}\mathrm{m}\mathrm{o}\mathrm{d}{n}_{i+1}$$

(4)

$$m_i=c_i^d\mathrm{m}\mathrm{o}\mathrm{d}{n}_{i+1}=c_i^{\mathrm{65,537}}\mathrm{mod}{n}_{i+1}$$

(5)

In the proposed cryptosystem for m_i = const and decryption exponent d = 65,537, each time the value of n_i+1 changes based on (3), the value of the secret encryption key will also change $k_{s_i}=\{s_i,n_{i+1}\}$ and only knowing the values of p_i+1 and q_i+1 is it possible to determine the new exponent s_i from (3). Moreover, not knowing the proper value of each subsequent module n_i+1 being a component of the encryption and decryption key, it is possible to decrypt many different values l_i ≠ l_j from any ciphertext c_i, and only knowing the proper value of n_i+1 will correctly decrypt the value m_i from the ciphertext c_i.

Demonstration Example

For the purposes of demonstration, it is possible to assume that p_i+1 and q_i+1 are 5-bit prime numbers.

Table 1. Possible products n_i+1 = p_i+1 ∙ q_i+1 when p_i+1 ≠ q_i+1 of 5-bit size.

${\mathit{n}}_{i+1}={\mathit{p}}_{i+1}·{\mathit{q}}_{i+1}$	17	19	23	29	31
17	-	323	391	493	527
19	-	-	437	551	589
23	-	-	-	667	713
29	-	-	-	-	899
31	-	-	-	-	-

shows all possible products n_i+1 = p_i+1 ∙ q_i+1 satisfying the RSA assumptions.

The number of products n_i+1, which is the cardinality of the set |n_i|, can be determined as the number of two-element combinations without repetitions using the binomial symbol. Assuming the cardinality of the factor set as the main element ${\left|p_{i+1},q_{i+1}\right|}_5$ for prime numbers of 5-bit size (p_i+1, q_i+1) = {17, 19, 23, 29, 31}, therefore the cardinality of the set ${\left|p_{i+1},q_{i+1}\right|}_5=5$. It is possible to assume that for 5-bit factors, the products n_i+1 will be 10-bit in size and ${\left|n_i\right|}_{10}=>\left({\displaystyle \genfrac{}{}{0pt}{}{\left|p_{i,},q_i\right|}{2}}\right)=\left({\displaystyle \genfrac{}{}{0pt}{}{5}{2}}\right)={\displaystyle \frac{5!}{\left(5-2\right)!\ast 2!}}=10$, and these will be the modules n_i+1 ε {323, 391, 437, 493, 527, 551, 589, 667, 713, 899} of values from Table 1 arranged in ascending order. It should be noticed that for the assumed p_i+1, q_i+1 of the 5-bit size ${\left|n_i\right|}_{10}=10$, which, with a constant value of the decryption exponent, assumed for the purposes of the example as d = 67, meeting the RSA requirements, allows for decryption from one ciphertext, e.g., with the value c_i = 321, based on (5) ${\left|n_i\right|}_{10}=10$| different values of messages l_i, and only one of them will be the message m_i. Correct decryption of the value m_i, therefore, requires knowledge of n_i+1 used for its encryption. An example of decrypting 10 different values from one ciphertext is presented in

Table 2. Decrypted values m_i from ciphertext c_i = 321 for different n_i+1.

i+1	ni	d	ci	? li = mi	si	Φ(ni+1)
1	323	67	321	111	43	288
2	391	67	321	298	331	352
3	437	67	321	206	331	396
4	493	67	321	366	107	448
5	527	67	321	230	43	480
6	551	67	321	453	331	504
7	589	67	321	168	403	540
8	667	67	321	482	331	616
9	713	67	321	137	463	660
10	899	67	321	540	163	840

. There are as many different decrypted numerical messages l_i as |n_i|, and for a person who does not know n_i+1, all values l_i ε {111, 298, 206, 366, 230, 453, 168, 482, 137, 540} are equally probable messages m_i (marked in the Table 2 by ? l_i = m_i). Therefore, a person who does not know n_i+1 used for encryption must guess which of the values l_i is the message m_i.

In the general case, the approximation (6) can be used to determine |p_i, q_i|:

$$\pi \left(x\right)\cong {\displaystyle \frac{x}{\mathrm{l}\mathrm{n}\left(x\right)}}$$

(6)

where x represents the maximum value of p_i and q_i.

Determining the cardinality of a set of products ${\left|n_i\right|}_{256}=|p_i·q_i|$, for (p_i+1, q_i+1) of 128-bit size can be based on the determination of ${\left|p_i,q_i\right|}_{128}$ based on (6) by determining the approximate number of primes of 128-bit size and subtracting the primes of 127-bit size, as in Equation (7):

$${\left|p_i,q_i\right|}_{128}\cong \pi \left(2^{128}\right)-\pi \left(2^{127}\right)={\displaystyle \frac{2^{128}}{ln\left(2^{128}\right)}}-{\displaystyle \frac{2^{127}}{ln\left(2^{127}\right)}}\cong 2^{121}-2^{120}=2^{120}$$

(7)

Based on the estimated value of ${\left|p_i,q_i\right|}_{128}\cong 2^{120}$ one can, from (8), determine the cardinality of n_i+1 as follows:

$${\left|n_i\right|}_{256}=\left({\displaystyle \genfrac{}{}{0pt}{}{{\left|p_i,q_i\right|}_{128}}{2}}\right)=\left({\displaystyle \genfrac{}{}{0pt}{}{2^{120}}{2}}\right)={\displaystyle \frac{2^{120}!}{\left(2^{120}-2\right)!\ast 2!}}={\displaystyle \frac{\left(2^{120}-1\right)\ast 2^{120}}{2}}\cong 2^{239}$$

(8)

It should be noted that for the purposes of this paper, it was assumed that the value of n_i+1 is not disclosed because the modulus n_i+1 is a secret shared by the relying and trusted parties. This eliminates the vulnerability to attacks based on factoring n. The previous use of asymmetric cryptography and RSA, in accordance with Figure 1, assumed that n was a component of the shared public key k_s = {s, n} and the private secret decryption key k_d = {d, n}. With the proposed assumption of secrecy n_i+1, to maintain the required RSA security levels, the factors (p_i+1, q_i+1) of the product n_i+1 do not have to be carefully chosen large prime numbers of over 1024 bits, in accordance with the rules for selecting secure RSA keys. In the proposed RSA with OTP, to ensure the required security level of, e.g., 239, it is enough to guarantee that the assumption of dependence (3) is met, which comes down to checking whether the Euler totient φ(n_i+1) is relatively prime to the value of the secret encryption exponent s_i of the encryption key $k_{s_i}=\{s_i,n_{i+1}\}$.

Checking $GCD\left(s_i,\phi \left(n_{i+1}\right)\right)\ne 1$ requires much less computational effort than testing primality. Therefore, 128-bit factors can be easily implemented in real time on limited resource devices in Smart Energy grids. However, the problem of securely transferring the value n_i+1 to the other party remains to be solved, i.e., how to solve the one-time “Key Distribution Problem” between the encrypting and decrypting parties, because correct decryption of m_i without knowledge of the next n_i+1 will not be possible.

3.2. Proposed Key Exchange Protocol for RSA with OTP

Considering the vulnerability of the RSA algorithm to attacks aimed at decomposing n into prime factors (p, q) in order to determine $\phi \left(n\right)=\left(p-1\right)·\left(q-1\right)$ and then determining the exponent d of the decryption key k_d from the relation (3) and compromising the system, it was assumed that n is a secret shared between the “User” and “Verifier” parties, which changes with each use assuming n_i+1 ≠ n_i. Such an assumption, as shown in the further part of the paper, allows the use of the assumptions of cryptography with OTP keys in order to increase the level of security to the level of absolute security [8]. However, this requires the development and proposal of an absolutely secure key exchange protocol based on the secure determination of n_i+1 value between the “User” party being the “encrypting” party and the “Verifier” party being the “decrypting” party, i.e., the development of an absolutely secure protocol for exchanging n_i+1 value between the encryption participants. Based on the incremental FPGA reconfiguration protocol using a differential stream [23,24], it is possible to propose a key exchange protocol using the incremental structure not of “bitstreams” reconfiguring the FPGA but related to the difference (9) of numerical values described by Equation (9):

$$\mathsf{\Delta }{n}_i=n_{i+1}-n_i$$

(9)

Based on (9) and (2), the proposed OTP cryptographic system would use a key exchange protocol in which “User” as the encrypting participant according to (4), transmits the ciphertext to the decrypting participant “Verifier” according to (5) the ciphertext $c_i=m_i^{s_i}\mathrm{m}\mathrm{o}\mathrm{d}{n}_{i+1}$ and the value Δn_i used to reconstruct the current values of the module $n_{i+1}=n_i+\mathsf{\Delta }{n}_i$, which is used as the decryption key k_d = {65,537, n_i+1} to decrypt the message m_i. The proposed scheme for the incremental key exchange protocol in RSA authentication with OTP is presented in Algorithm 2.

Algorithm 2. Differential authentication with cryptogram ${\mathit{c}}_{\mathit{i}}$ shared secret ${\mathit{m}}_{\mathit{i}}$

Input: d ← 65,537, ni ← ni, mi ← mi,

Output: Verify ← “Yes/No”

“User” generates ni+1 ← new(pi+1 ∗ qi+1) “User” calculate Si ← 65,537−1 mod[(pi+1−1) ∗ (qi+1 − 1)] “User” encrypt (4) ci ← miSi mod(ni+1) “User” generates $\mathsf{\Delta }{n}_i\leftarrow n_{i+1}-n_i$, “user” sends WEBApplAuth ← $\{id{,c}_i,\mathsf{\Delta }{n}_i\}$ to “Verifier”, “Verifier” for id Get(ni, mi) 6.1 “Verifier” generate ni+1 ← ni + Δni 6.2 “Verifier” decrypts (5) $m_i^{\prime }\leftarrow c_i^{\mathrm{65,537}}\mathrm{mod}\left(n_{i+1}\right)$ “Verifier” authenticates: 7.1 Verify ← Yes if mi’ = mi, 7.2 Verify ← No if mi’ ≠ mi.

The diagram in Figure 2 shows the authentication process using incremental key exchange (9) and a protocol consistent with Algorithm 2.

According to the example described in Table 2, for one ciphertext value c_i, different messages l are decrypted, and only using the correct value n_i+1 allows the recovery of the message m_i. Therefore, an authentication protocol using one-time n_i+1 ≠ n_i will be secure if it is not possible to uniquely recover the value n_i+1 based on Δn_i.

3.2.1. Demonstration Example

Using the example of 5-bit factors |p_i, q_i|₅ =>{17, 19, 23, 29, 31} products satisfying the RSA requirements according to Table 1, it is |n_i| = 10, while the possible differences (9) are shown in

Table 3. Possible differences Δn_i = n_i+1—n_i for 5-bit p_i+1, q_i+1.

ni+1—ni	323	391	437	493	527	551	589	667	713	899
323	0	68	114	170	204	228	266	344	390	576
391	−68	0	46	102	136	160	198	276	322	508
437	−114	−46	0	56	90	114	152	230	276	462
493	−170	−102	−56	0	34	58	96	174	220	406
527	−204	−136	−90	−34	0	24	62	140	186	372
551	−228	−160	−114	−58	−24	0	38	116	162	348
589	−266	−198	−152	−96	−62	−38	0	78	124	310
667	−344	−276	−230	−174	−140	−116	−78	0	46	232
713	−390	−322	−276	−220	−186	−162	−124	−46	0	186
899	−576	−508	−462	−406	−372	−348	−310	−232	−186	0

.

In Table 3, the repeated values Δn_i = {46, 114, 186, 276} are marked in colors (46—blue, 114—red, 186—green, 276—brown). This means that if Δn_i = 46, then the values n_i+1 = n_i + Δn_i can be the numbers 437 = 391 + 46 or 713 = 667 + 46. Therefore, based on Table 2, from one ciphertext with the value of, for example, c_i = 316, two different values l can be decrypted, where one is l₁ = 206 for n_i+1 = 437 and the value l₂ = 137 for n_i+1 = 713, and each of these values l_i ε (206, 137) with probability equal to ½ can be the encrypted message m_i. A similar situation occurs for the remaining repeated values Δn_i. So, even knowing the value of Δn_i, there is no certainty what value of n_i+1 was used, and the probability that the decrypted message is m_i forΔn_i = {46, 114, 186, 276} is ½.

In the example for 5-bit values (p_i+1, q_i+1), not all Δn_i values are repeated, so we are not sure that for arbitrarily chosen n_i+1 and n_i, the Δn_i values will belong to the set {46, 114, 186, 276}, repeating values for which the probability that the decrypted value is m_i is ½, however, for repeating Δn_i, the general probability relation is described by (10):

$$p_{m_i={\displaystyle \raisebox{1ex}{$1$}\!\left/ \!\raisebox{-1ex}{$\left|{∆n}_i\right|$}\right.}}$$

(10)

where |Δn_i| is the cardinality of the set of difference repetitions n_i+1—n_i.

In the general case, the cardinality Δn_i can be determined from the binomial symbol of the cardinality of the set of possible products |n_i+1|_r, where r is the bit size of ${r=log}_2{n}_{i+1}$. Assuming that the products n_i are of size r = 256 bits, it is possible to assume from (8) that the cardinalities n_i+1 = |n_i|₂₅₆ ≅ 2²³⁹, then the cardinality Δn_i for n_i+1 of 256-bit size is as follows:

$${\left|{∆n}_i\right|}_{256}=\left({\displaystyle \genfrac{}{}{0pt}{}{{\left|n_i\right|}_{256}}{2}}\right)=\left({\displaystyle \genfrac{}{}{0pt}{}{2^{239}}{2}}\right)={\displaystyle \frac{2^{239}!}{\left(2^{239}-2\right)!\ast 2!}}={\displaystyle \frac{\left(2^{239}-1\right)\ast 2^{239}}{2}}\cong 2^{477}$$

(11)

It should be noted that for n_i+1 of 256-bit size, the cardinality of |Δn_i| is close to 2⁴⁷⁷, where the Δn_i values are even values of size at most 256 bits since |Δn|₂₅₆ is approximately equal to 2⁴⁷⁷; therefore, the assumed Δn_i values of 256-bit size must repeat, similarly as the selected values Δn_i ={46, 114, 186, 276} repeat in the example for p_i+1 and q_i+1 of 5-bit size. Assuming that the distribution of Δn_i values is uniform, then the average value of the repetitions of the Δn_i values expressed in the cardinality of the set of repetitions of the values |Δn_i|₂₅₆ will be as follows:

$${\left|{∆n}_i\right|}_{256}={\displaystyle \frac{{|∆n|}_{256}}{2^{256}}}={\displaystyle \frac{2^{477}}{2^{256}}}=2^{477-256}=2^{219}.$$

(12)

Thus, based on (10) for 256-bit n_i and the proposed RSA with OTP, knowledge of Δn_i and the ciphertext c_i allows us to determine m_i with the probability determined based on (10) of $p_{m_i}\cong {\displaystyle \frac{1}{2^{219}}}$ equivalent to the probability of guessing the value n_i+1. It is worth noticing that the use of quantum computers and, for example, the “Shor” or “Grover” algorithm to break the proposed key exchange protocol would first require “guessing” which of the 2²¹⁹ possible values of n_i+1 was used; at present, even quantum computers do not have the ability to “guess”.

3.2.2. Efficiency of RSA Authentication with OTP

The proposed authentication protocol, consistent with Figure 2, with RSA encryption with variable modules n_i+1 determining one-time values of the secret–private encryption exponent $k_{s_i}$ was implemented and launched as a service process called “gen” simulating activities performed on the trusted side “User” generating values n_i+1 and Δn_i, as well as preparing the ciphertext c_i. Moreover, authentication was implemented as the “auth” process of authentication with values generated by “gen”, assuming that m_i is the current time read from the system.

The implementation platform was the http server “flask” on RaspberryPi 4 ver. B with 4 GB of memory [25]. The average value of response times takes into account the Transport Control Protocol/Internet Protocol (TCP/IP). Two methods were implemented in Python 3.11.2on Raspberry Pi: “gen” run on TCP/IP port number 6000 and “auth” run on TCP/IP port number 5000. The “gen” method realizes the algorithm 2 steps “User” from 1 to 5, and the “auth” method realizes the algorithm 2 steps 6 and 7. In addition, two client programs written in Python were implemented on the PC computer in the Jupyter Notebook 3.9.5 environment. One sending data (idA, c_i, ${\mathsf{\Delta }n}_i$) via the “Post” method to the “flask” server IP port 5000 to the “auth” method, waiting for a “Yes/No” response. The second program on the PC in the Jupyter Notebook environment in Python ran the “gen” method for the “User” of idA, expecting data (idA, ci, Δn_i) in response. The programs running in the PC environment measured the time between sending the query to the “gen” and “auth” methods, as connection delays for http when performing 10 attempts for each bit size: 256, 512, 1024, 2048 and n_i ≠ n_j, are presented in

Table 4. Process times of “gen” and “auth” for different bit sizes n_i+1.

ni+1 [bits]	“gen” [ms]	“auth” [ms]
256	46	26
512	102	26
1024	511	24
2048	5788	26

.

3.3. Discussion of the Obtained Results

The key exchange protocol proposed in the paper for authentication using the proposed RSA with OTP uses n_i+1 of 256-bit size and the well-known RSA algorithm. The use of n_i+1 ≠ n_i changing with each authentication makes the proposed authentication resistant to replay attacks and fully compliant with the recommendations for “dynamic authentication”, and the key exchange protocol meets the requirements of Quantum-Resists. Moreover, subsequent values n_i+1 = p_i+1 ∙ q_i+1 are generated on the trusted side and are never disclosed, so n_i+1 does not have to meet the requirements of strong cryptographic security.

It should be noted that already for n_i of size 10 bits, for selected known and repeated values Δn_i, $p_{m_i}=1/2$, i.e., indicating the correct value of mi requires guessing. With the increase in the size n_i, the probability of indicating the correct value $p_{m_i}$ decreases, and for n_i of size 256 bits, it is $p_{m_i}=$1/2²¹⁹, and the computation time is less than 50 ms. In the implementation, the “Verifier” side should check whether Δn_i ≠ 0, as Δn_i = 0 may indicate a replay attack attempt. On the “User” side, it is necessary to verify that the values of p_i+1 or q_i+1 are not the largest possible prime numbers of the given size.

The proposed solution can be modified by replacing n_i ← n_i+1 in Algorithm 2 on the “User” and “Verifier” side after each successful authentication transaction; then, even a n_i leak is not dangerous because it loses its validity after each authentication.

It is worth noting that the algorithms based on “lattice-cryptography” still implement the traditional asymmetric cryptography model with keys of a few kilobits, while the proposed solution meets the Quantum-Resists requirements with n_i size of 256 bits and easily cooperates with hashing algorithms such as SHA256 [17]. FIPS 203 proposes a key encapsulation protocol; however, it requires careful selection of key values 10 times larger and still does not meet the probability requirement $p_{m_i}\le 1/2$.

4. Conclusions and Future Applications

Both of these areas, Prosumer Systems and Smart Energy, are changing the way we approach energy production and consumption. The phenomenon of energy decentralization, the increase in the number of prosumers, and the development of Smart Energy technologies are changing the traditional energy model to a more sustainable, flexible and technology-based one. In the future, it is expected that technologies such as the Internet of Things (IoT), 5G and smart power grids will continue to develop, supporting Prosumer Systems and Smart Energy

In relation to other solutions, this is the first hybrid cryptographic system in the full sense of the word, in which two different keys, $k_{s_i}\ne k_d$ and a “secret” shared component n_i+1, are used, the component that changes with each use of the cryptosystem. Additionally, an absolutely secure “one-time key agreement protocol” has been proposed as a key exchange protocol. The proposed RSA cryptography solution with OTP is the only one in the world that meets the requirements of “dynamic authentication” and can successfully replace QKD. The proposed dynamic authentication technology can replace existing authentication systems based on asymmetric cryptography without major changes and supplement, for example, RFC 7519 JSON WEB Token [15] with a version with one-time keys. The results from Table 4 indicate that the proposed solution performs the “gen” and “auth” operations practically in real time. The proposed solution eliminates vulnerabilities related to digital identity theft and its reuse, i.e., practically eliminates the possibility of impersonation. Already for 256 bits, it meets the requirements of Quantum-Resists and is the first in the world to meet Definition 3 for “dynamic authentication” and eIDAS for NIS2.

In further research, the authors also plan to introduce the possibility of incremental change in the decryption exponent, i.e., use variable values d_i+1 instead of the constant d = 65,537.