Privacy-Preserving Lightweight Authentication Protocol for Demand Response Management in Smart Grid Environment

: With the development in wireless communication and low-power device, users can receive various useful services such as electric vehicle (EV) charging, smart building, and smart home services at anytime and anywhere in smart grid (SG) environments. The SG devices send demand of electricity to the remote control center and utility center (UC) to use energy services, and UCs handle it for distributing electricity efﬁciently. However, in SG environments, the transmitted messages are vulnerable to various attacks because information related to electricity is transmitted over an insecure channel. Thus, secure authentication and key agreement are essential to provide secure energy services for legitimate users. In 2019, Kumar et al. presented a secure authentication protocol for demand response management in the SG system. However, we demonstrate that their protocol is insecure against masquerade, the SG device stolen, and session key disclosure attacks and does not ensure secure mutual authentication. Thus, we propose a privacy-preserving lightweight authentication protocol for demand response management in the SG environments to address the security shortcomings of Kumar et al.’s protocol. The proposed protocol withstands various attacks and ensures secure mutual authentication and anonymity. We also evaluated the security features of the proposed scheme using informal security analysis and proved the session key security of proposed scheme using the ROR model. Furthermore, we showed that the proposed protocol achieves secure mutual authentication between the SG devices and the UC using Burrows–Abadi–Needham (BAN) logic analysis. We also demonstrated that our authentication protocol prevents man-in-the-middle and replay attacks utilizing AVISPA simulation tool and compared the performance analysis with other existing protocols. Therefore, the proposed scheme provides superior safety and efﬁciency other than existing related protocols and can be suitable for practical SG environments.


Introduction
In the past few years, with the advances of information and communication technologies, users can easily access any service provided in various smart grid (SG) environments, including smart home, smart building, vehicle-to-grid (V2G) and advanced metering infrastructure (AMI) [1][2][3][4]. In particular, smart grid using smart device has attracted growing attention from the academia, industries, and researchers. The SG device (sensing device, smart meter, etc.) is one of the core components, which collects various information (electricity consumption, payment, address, etc.) and transfers it to utility centers (power provider, power distributor, etc.) to provide secure, reliable, and efficient power distribution. According to the report of the U.S. Department of Energy (DoE), since 1988, electricity demand has risen by almost 30%. However, the transmission capacity of electricity has only increased by 15% [5]. Therefore, demand-response management has become an important issue to ensure reliable supply of electricity.
In SG environments, the SG devices are deployed in industries, smart buildings, smart homes, etc. and collect many data in real-time, transferring electricity demands to energy generators. However, energy generators cannot efficiently handle these demands because the data collected by SG devices is very large and is difficult to handle it. To address these problems and maintain the efficient stability of supply, utility centers (UCs) analyze the data collected by SG devices and control fault detection, dynamic pricing, load balancing, leakage power, and demand-response [6]. However, the data transmitted between the UC and the SG devices can be tampered, injected, deleted, and forged by a malicious adversary because they are transmitted over an insecure channel [7]. The result of these situations can generate energy imbalances and gaps between energy demand and response. Therefore, authentication and key agreement mechanisms have become essential security requirements for smooth functioning of the SG operations with respect to demand response and data analytics. The security requirements for the SG system are summarized as follows: • Secure and efficient authentication and key agreement protocols are essential to ensure secure communication and privacy.

•
The proposed authentication and key agreement protocol must withstand various attacks such as replay, masquerade, and off-line identity guessing attacks.

•
Authentication and key agreement protocol should consider SG device limitations with respect to power consumption, communication bandwidth, and memory.
In general, for power consumption feedback purposes, a SG relies heavily on the usage of a smart metering infrastructure. For instance, the data of SG device is useful for load forecasting, demand response management, and real-time pricing. However, the recording and transmission of power consumption data may cause serious privacy issues. If fine-grained power consumption data of the SG device is exposed, it can reveal the private information of consumers related to their daily routines or the appliances in the house. In addition, the computation and communication resources at the consumer's side in the SG environments are usually very limited. Therefore, secure and efficient authentication mechanisms for preserving user privacy with low computational costs are essential in resource-constrained SG environments.
In 2019, Kumar et al. [6] proposed an elliptic curve cryptography (ECC)-based authentication protocol for demand response management in SG system. Kumar et al. claimed that their scheme can prevent various attacks. However, this paper shows that their scheme cannot withstand various attacks, including SG device stolen, session key disclosure, and masquerade attacks and cannot ensure secure mutual authentication. Furthermore, their scheme [6] is not suitable for resource-limited smart devices because it uses ECC with high computation and communication overheads. Therefore, we propose a privacy-preserving lightweight authentication scheme for demand response management in SG environments, considering an efficiency of SG devices and improving security level.

Adversary Model
We adopted the widely known Dolev-Yao (DY) threat model [8] to evaluate the safety of proposed protocol. According to the DY model, a malicious attacker can intercept, delete, modify, and insert the transmitted data over insecure channel. In addition to the capabilities of these attackers, the specific assumptions of the threat model are as follows: • A malicious adversary can steal or obtain the SG device of a legal user and can extract secret parameters stored in the SG device utilizing power-analysis [9,10]. We also assume that a malicious adversary is able to capture as many SG device as possible.

•
Trusted authority (TA) and UCs are assumed to be fully trusted and semi-trusted entities, respectively, and cannot be compromised by a malicious adversary.

Contributions
The detailed contributions in this paper are summarized as follows: • We demonstrate that Kumar et al.'s protocol cannot withstand various attacks such as masquerade, SG devices stolen, and session key disclosure attacks. We also show that their protocol does not ensure secure mutual authentication.

•
We present a privacy-preserving lightweight authentication protocol for the SG system using pseudo-identity and secret parameter to enhance the security weaknesses of Kumar et al.'s protocol. The proposed protocol can withstand against masquerade, session key disclosure, replay, and MITM attacks, as well as achieve secure mutual authentication and anonymity. Thus, the proposed protocol is more secure and efficient than Kumar et al.'s protocol because it utilizes only hash and XOR operations.

•
We performed the widely known Burrows-Abadi-Needham (BAN) logic analysis [13] to prove that the proposed scheme provides secure mutual authentication. We utilized informal security analysis to prove the safety of the proposed protocol against potential attacks and also proved the session key security of proposed scheme utilizing ROR model [14].

•
We performed formal security analysis utilizing the widely adopted Automated Validation of Internet Security Protocols and Applications (AVISPA) tool to evaluate that the proposed scheme is secure against replay and MITM attacks. Moreover, we present the performance analysis of the proposed protocol with existing protocols.

Organization
The rest of the article is organized as follows. Section 2 presents related works that discuss the SG environments and then Section 3 presents system model for the SG environments. In Sections 4 and 5, we review of Kumar et al.'s scheme and analyze its security problems. In Section 6, we present a privacy-preserving lightweight authentication protocol for demand response management in SG environments to address the security shortcomings of Kumar et al.'s scheme and enhance efficiency. In Section 7, we perform the security analysis of the proposed scheme utilizing informal and formal analysis. Section 8 evaluates the security and performance features of the proposed scheme compared with existing schemes. Finally, we summarize the conclusion in Section 9.
This section introduces the demand response management for the SG network model. This network model comprises two entities: a SG device and an UC, as shown in Figure 1. A SG device collects electricity data and provides efficient power management services. An UC manages monitoring data, including electricity consumption, load forecasting, demand response, real-time pricing, etc. The UC collects these data and estimates a total electricity capacity of a SG device in the power grid. However, as SG devices are deployed within the SG fields, the recording and transmission of power consumption data may cause serious privacy issues. A SG device usually sends sensitive power consumption reports via communication channel in the SG environments. A malicious adversary can intercept such reports to invade the privacy of users. For instance, it is easy to notice that inhabitants are at home or not by checking the power usage. In addition, privacy-sensitive data, such as usage of appliances, can be released to adversaries [26,27]. Consequently, privacy of users could be violated and sensitive data of users could be used for criminal purposes. Therefore, privacy-preserving authentication protocol in the SG environments should be supported.  Figure 2 introduces the authentication process of the proposed scheme in the SG environments to provide user privacy, including daily routines and electricity consumption habits. The proposed scheme comprises three parties: trust authority (TA), SG device, and UC. The SG device and the UC first register their identities to TA, and then TA issues credential information for the SG device and the UC. After that, the SG device and the UC perform mutual authentication. After authentication, the SG device and the UC use the session key to exchange power consumption reports and feedbacks, and so on. Consequently, they can communicate safely through the secure channel established by the session key. The meaning of the communication session involves identifying devices in the network and authorizing what each device should carry out in the network. The maintenance of communication session in the proposed scheme may change monthly or yearly, depending on security requirements.

Review of Kumar et al.'s Protocol
This section reviews Kumar et al.'s authentication protocol for SG system. Kumar et al.'s scheme is comprised of five phases: SG device registration, UC registration, authentication, dynamic SG device addition, and dynamic UC additions. Table 1 summarizes the notation used in the protocol.

TA
Trusted authority Utility center or remote control center ID j UC's identity The public key for SD i and UC j x TA's secret key K s TA's master key SK ij Session key h(·) Hash function ⊕ XOR operation || Concatenation operation

Smart Grid Device Registration Process
The SG device is called SD i (i = 1, 2, . . . n), where n is the number of UC to be deployed initially in SG system. The SD i must register with TA to receive any services, where n is the number of the SG devices. A trusted authority TA chooses a ID i and calculates RID i = h(ID i ||x) and TC i = h(x||RTS i ), where RTS i is the registration timestamp of the SG device. After that, the TA pre-loads the data {TC i , RID i , h(), E p (a, b), G} into memory before deployment in SG system. Figure 3 describes the SG device registration process of Kumar et al.'s protocol.

Smart grid (SD i )
Trusted authority (TA) Chooses a unique identity ID i Computes

Utility Center Registration Process
The utility center UC j must register with TA to deploy the SG environments. The UC j is called UC j (j = 1, 2, . . . , k), where k is the number of UC to be deployed initially in SG system. TA chooses an identity ID j and calculates RID j = h(ID j ||x) and TC j = h(x||RTS j ), where RTS j is the registration timestamp of the UC. Finally, the TA pre-loads the data {RID j , TC j , h(), E p (a, b), G, RID i |i = 1, 2, . . . , n} into memory before deployment in SG system. Figure 4 describes the UC registration process of Kumar et al.'s protocol.

Utility center (UC j )
Trusted authority (TA) Chooses a unique identity ID j Computes

Authentication Process
The main goal of this process is to negotiate a session key between SD i and UC j . Therefore, the SD i and UC j must authenticate each other. Figure 5 describes the authentication process of Kumar et al.'s protocol. The detailed process is described below.
Step 1: SD i chooses a random number u ∈ Z * p and generates a current timestamp T 1 . After that, SD i computes U i = u.G and C i = h(TC i ||T 1 ) ⊕ h(RID i ||U i ||T 1 ) and sends authentication request message {U i , C i , T 1 } to the UC j over insecure channel.
Step 2: After receiving the message, UC j checks |T 1 − T * 1 | ≤ ∆T, where ∆T is maximum transmission delay bound and T 1 is current timestamp. If the condition is valid, UC j computes D j = C i ⊕ h(RID i ||U i ||T 1 ) utilizing the corresponding RID i of SD i stored in the database.
Step 3: UC j then generates timestamp T 2 and a random number v ∈ Z * p , and calculates V j = v.G, . After that, UC j sends the authentication message {V j , Z j , SKV ij , T 2 } to the SD i over insecure channel.
Step 4: After receiving the message, Step 5: After receiving the message, UC j checks the condition |T 3 − T * 3 | ≤ ∆T. If the condition is valid, If the condition is valid, SD i and UC j store the common session key SK ij (= SK ij ).
Generates a random number u ∈ Z * p Selects a current timestamp T 1 Computes

Dynamic Smart Grid Device Addition Process
The main goal of this process is adding a new SG device SD new i to provide flexibility in the system and the detailed processes are shown below.
Step 1: Trusted authority (TA) selects an identity ID new i and calculates RID new Step 2: After that, the TA pre-loads the data {RID new i , TC new i , h(), E p (a, b), G} in the memory before it is deployed.
Step 3: TA sends data RID new i for SD new i to all UC j over secure channel. The TA needs to broadcast messages to the deployed UC j regarding deployment of the SD new i so that SD new i and deployed UC j can establish a common session key after mutual authentication.

Dynamic Utility Center Addition Process
The main goal of this process is same as the one in Section 4.4 from the point of view of UC and the detailed processes are shown below.
Step 1: The TA selects a identity ID new j and calculates RID new Step 2: TA then pre-loads the data {RID new j , TC new j , RID i |i = 1, 2, . . . , n, h(), E p (a, b), G} in the memory before it is deployed. After finishing this process, TA broadcasts a completion statement to all entities and UC new j is successfully registered in SG environments.

Cryptanalysis of Kumar et al.'s Protocol
This section demonstrates the security drawbacks of Kumar et al.'s protocol, including SG device stolen, masquerade, and session key disclosure attacks, as well as mutual authentication.

Masquerade Attack
We assume that a malicious adversary U ma can obtain the SG device of legal user SD i and intercept information transmitted in open channel, and then may attempt to masquerade SD i . According to Section 1.1, U ma can extract secret information {RID i , TC i , h(), E p (a, b), G} using power analysis attack. Finally, U ma performs the masquerade attack as below: Step 1: U ma generates a random number u ma ∈ Z * p and calculates Step 2: After receiving the message from U ma , UC j checks |T 1 − T * 1 | ≤ ∆T. If the condition is valid, UC j calculates D j = C ma ⊕ h(RID i ||U ima ||T 1 ) and generates a timestamp T 2 . UC j then selects a random number v ∈ Z * p and computes Step 3: After receiving the message from UC j , U ma checks condition .G, and SK ma = h(W ma ||h(TC i ||T 1 )||E i ). Then, U ma generates a timestamp T 3ma and computes SKV ma = h(SK ma ||RID i ||T 2 ). After that, U ma sends message {SKV * ma , T 3 } to UC j over insecure channel.
Step 4: After receiving the message from U ma , If the condition is valid, U ma and UC j store session key SK ma (= SK ma ).
Therefore, U ma can successfully generate a session key between U ma and UC j and send a legitimate authentication request message. Consequently, we show that Kumar et al.'s protocol does not withstand masquerade attack.

Smart Grid Device Stolen Attack
Kumar et al. claimed that their scheme could withstand SG device stolen attack because a malicious attacker U ma cannot calculate the correct RID i = h(ID i ||x) and TC i = h(x||RTS i ) without knowing secret key x of the TA. However, according to Section 5.1, we demonstrate that U ma successfully impersonates legitimate user and calculates the session key. Therefore, Kumar et al.'s protocol is insecure against SG device stolen attack.

Session Key Disclosure Attack
In Kumar et al.'s scheme, they claimed that their scheme was secure against session key disclosure attack, although the secret numbers u and v are compromised to U ma . According to the Kumar et al's scheme, U ma cannot obtain session key SK ij because U ma does not know parameters RID i and TC i . However, in Section 5.1, we demonstrate that U ma can successfully generate session key SK ij using parameters obtained from SG devices of a legitimate user. Therefore, once a SG device is compromised, all its previous communications will be breached. Furthermore, since the malicious attacker U ma can capture as many SG devices as possible, the U ma can obtain the session key SK ij of other SG devices. As a result, Kumar et al.'s protocol cannot defend against session key disclosure attack.

Mutual Authentication
Kumar et al. showed that their scheme could achieve secure mutual authentication between SD i and UC j . However, according to Section 5.1, U ma can successfully compute authentication request message . Consequently, Kumar et al.'s scheme does not achieve secure mutual authentication.

Proposed Scheme
This section proposes a privacy-preserving lightweight authentication scheme for demand response management in the SG environment to overcome various security drawbacks of Kumar et al.'s protocol [6]. In our scheme, the general data flow of the SG system model in public channel is the same as Kumar et al.'s scheme [6]. The proposed scheme is composed of seven process: pre-deployment, SG registration, UC registration, authentication, dynamic SG device addition, and dynamic UC addition.

Pre-Deployment Process
In this section, the SG devices SD i and UC j must register with TA before its deployment in SG environments. TA firstly selects unique identities ID i and ID j of SD i and UC j , respectively. Then, TA stores the credential information {ID i } in the memory of SD i and stores the credential information {ID j } in the database of UC j prior to its deployment in the SG environments.

Smart Grid Device Registration Process
The SD i must register with trusted authority TA to receive the power management services. Figure 6 describes the SG device registration process of proposed scheme and the steps of this process are given below.
Step 1: TA generates a random number x i , a i for SD i . After that, TA computes RID i = h(ID i ||a i ), Step 2: After receiving the message, SD i computes C i = h(ID i ||B i ) ⊕ a i and stores {A i , B i , C i } in the memory.

Smart grid device (SD i ) Trusted authority (TA)
Generates a random number x i , a i for SD i Computes Figure 6. Smart grid device registration process of the proposed scheme.

Utility Center Registration Process
The UC j must register with TA in order to provide power management services. Figure 7 describes the UC registration process of proposed scheme and the steps of this process are given below.

Utility center (UC j )
Trusted authority (TA) Step 1: TA computes RID j = h(ID j ||K s ) and retrieves {RID i , x i } in secure database. Then, TA computes Step 2: After receiving the message, UC j computes V i = X i ⊕ ID j and stores {RID j , (RID i |i = 1, 2 . . . , l), V i } in the database.

Authentication Process
In authentication process, the proposed scheme provides the user's privacy by using pseudo-identity and secret parameters in the SG environments. Before the starting session, SD i request an authentication request to UC j in order to ensure secure communication and establish the session key SK ij . Figure 8 describes the authentication process of proposed scheme and the steps of this process are given below.

Smart grid device (SD i )
Utility center (UC j ) Step 1: After that, SD i sends authentication request message {M 1 , M 2 , M 3 } to UC j over insecure channel.
Step 2: After receiving the message from SD i , UC j retrieves {V i } in database and calculates  = M 6 is correct, the SD i and UC j achieve mutual authentication successfully.

Dynamic Smart Grid Device Addition Process
When new SG device SD i wants to register with the SG environments, the following steps must be performed and detailed steps are as follows. The main goal of this process is adding a new SG device to provide flexibility in SG environments. The detailed steps of this process are given below.

Dynamic Utility Center Addition Process
The following steps are required to deploy new UC new j and the detailed steps are given below.

Security Analysis
In this phase, we demonstrate that the proposed scheme has the ability to resist various attacks using informal security analysis and the formal security verification tool Automated Validation of Internet Security Protocols and Applications (AVISAP). We also analyze that our proposed scheme provides session key security and secure mutual authentication using Real-or-Random (ROR) model [14] and Burrows-Abadi-Needham (BAN) logic [13]. ROR model, BAN logic, and AVISPA analysis techniques are also widely accepted to evaluate the security of protocol.

Informal Security Analysis
We performed informal security analysis to demonstrate the safety of the proposed scheme. Our protocol can defend against various attacks such as session key disclosure, SG device stolen, masquerade, and replay attacks, as well as ensure secure mutual authentication and anonymity.

Masquerade Attack
According to Section 1.1, a malicious adversary U ma can obtain SG device of legitimate user and can intercept transmitted data over insecure channel. If U ma tries impersonate a legitimate user, U ma must correctly generate an authentication request and response messages. However, U ma cannot generate the authentication request message {M 1 , M 2 , M 3 } and authentication message {M 4 , M 5 , M 6 } without the correct random nonces R SD and R UC . Furthermore, U ma cannot generate a session key SK ij = h(R SD ||R UC ) because secret parameter X i is not available to U ma . Therefore, the proposed scheme is secure against masquerade attack.

Smart Grid Device Stolen Attack
We assume that a malicious adversary U ma obtains SG device of a legitimate user and extracts secret information {A i , B i , C i } stored in the memory using power analysis attack [9]. However, U ma cannot obtain sensitive information of a legitimate user because all information stored in the memory is masked by XOR operation and hash function. Therefore, our protocol prevents SG device stolen attack because U ma cannot know the user's real identity ID i , a i , and secret parameter X i .

Replay Attack
Our protocol withstands replay attack because all transmitted messages are changed in every session. Assuming that U ma tries to impersonate legal user by resending information transmitted in a previous authentication process, U ma cannot use the previous messages because SD i and UC j check whether = M 6 , respectively. Thus, our protocol is secure against replay attack.

Session key disclosure attack
In the proposed scheme, U ma cannot calculate SK ij = h(R SD ||R UC ) because U ma cannot compute authentication request message {M 1 , M 2 , M 3 } without knowing random nonce R SD and secret parameter X i . Therefore, our protocol can withstand session key disclosure attack.

Insider attack
This type of attack happens when the administrator of authentication server exploits data stored in the database to legalize his authentication process on behalf of the user. Even if it is assumed that a malicious adversary U ma can obtain RID i , RID j , V i stored in memory of UC j , U ma cannot obtain sensitive information such as user's real identity ID i and X i without knowing random nonce R SD and ID j . Thus, our protocol is secure against insider attack. = M 6 , and then SD i authenticates UC j . Therefore, our protocol ensures secure mutual authentication between SD i and UC j because U ma cannot generate correct authentication messages.

Anonymity
U ma does not obtain a legitimate user's real identity ID i because it is masked by one-way hash function and XOR operation such as RID i = h(ID i ||a i ). Therefore, our protocol ensures anonymity because U ma cannot know the user's real identity without random nonce a i and R SD .

Security Features
In Table 2, we evaluate the security features of the proposed scheme with existing schemes [6,20,21,28]. The schemes in [20,28] cannot withstand session key disclosure attack and those in [20,21,28] provide dynamic node addition phase. The scheme in [6] cannot withstand various types of attacks and cannot ensure secure mutual authentication and anonymity. Consequently, the proposed scheme ensures better security functionality than all previous schemes.

Formal Security Analysis Using BAN Logic
We performed BAN logic [13] analysis to verify that our protocol provides secure mutual authentication. Table 3 shows the notation used for BAN logic analysis and we then defines the goals, idealized forms, and assumptions before performing BAN logic analysis.

Notation Description
Session key used in the current authentication session Q K ↔ W Q and W communicate utilizing K as the shared key

BAN Logic Rule
The rules of BAN logic are as follows.

Goals
The goals for BAN logic analysis are as follows.

Idealized Forms
The idealized forms are formulated as follows:

Assumptions
We define initial assumptions to perform the BAN logic analysis.

Proof Using BAN Logic
We performed the BAN logic analysis for our protocol and the detailed proofs are below.
Step 1: According to Msg 1 , we obtain Step 2: Using the message meaning rule with S 1 and A 3 , we can obtain Step 3: Using the freshness rule with A 1 , we can obtain Step 4: From the nonce verification rule with S 2 and S 3 , we can obtain Step 5: Using the belief rule with S 4 , we can obtain Step 6: Because of SK = h(R SD ||R UC ), from the S 5 and A 2 we can obtain Step 7: From the jurisdiction rule with S 6 and A 7 we can obtain Step 8: According to Msg 2 , we can obtain Step 9: Using the message meaning rule with S 8 and A 4 , we can obtain Step 10: Using the freshness rule with A 2 , we can obtain Step 11: Using the nonce verification rule with S 9 and S 10 , we can obtain Step 12: Using the belief rule with S 11 , we can obtain Step 13: Because of SK = h(R SD ||R UC ), from the S 12 and A 1 we can obtain Step 14: Using the jurisdiction rule with S 13 and A 8 we can obtain Based on Goals 1-4, we proved that proposed protocol ensures secure mutual authentication between SD i and UC j .

Formal Security Analysis Using ROR Model
ROR model [14] is the formal security analysis to verify session key (SK) security of protocol from active/passive attacker U A . We first discuss the ROR model before performing the proof of SK security for the proposed protocol.
In our protocol, there are two participants SG device P t 1 SD i and UC P t 2 UC j , where P t 1 SD i and P t 2 UC j are instances t th 1 of SD i and t th 2 of UC j , respectively. Table 4 defines queries for ROR model to perform security analysis, including Execute, CorruptSD, Reveal, Send, and Test queries. Hash is also a random oracle, which is a collision-resistant hash function. We uses Zipf's law [29] to prove SK security of the proposed protocol, which has been widely applied to verify recent authentication schemes [30,31]. Table 4. Queries of ROR model.

Query Description
Execute(P t 1 SD i , P t 2 UC j ) This query denotes that U A can eavesdrop transmitted messages between SD and UC over insecure channel. This query is modeled as an eavesdropping attack.
CorruptSD(P t 1 SD i ) This corrupt SG device query means that U A can extract sensitive information stored in the SG device utilizing power-analysis attack. This query is modeled as an active attack.

Send(P t , M)
This query denotes that U A can transmit message M to P t and can also receive the corresponding message from P t . This query is modeled as an active attack.

Test(P t )
This query means that an unbiased coin c is first flipped before the experiment begins and its output is used as a decider. U A execute this query and if session key SK ij between SD and UC is fresh, P t returns SK ij if c = 1 or a random number when c = 0. Otherwise, it returns the null value ⊥.

Reveal(P t )
The query means that U A can compromise SK ij between P t and its partner in the current session.

Theorem 1.
If Adv U A denotes the advantage function of a malicious attacker U A in violating SK security of the proposed authentication scheme, then where Hash, q send and q h are the number of Hash query, the number of Send query, and the range space of the hash function h(.), respectively, and s and C are the Zipf's parameters [29].
Proof. Similarly, we adopt the proof as presented in [32,33]. A sequence of four games is denoted by GM i , where i ∈ [0, 3] are defined for demonstrating the SK security of the proposed authentication scheme. We denote that Succ i is the probability a malicious attacker U A wins the game GM i . The detailed descriptions of these four games are shown in Game 0-3.
• Game GM 0 : This game is the initial game in which U A selects the random bit c. In addition, this game denotes actual attack of U A for the protocol and c is guessed at the beginning of G 0 . According to this game, we can get, It is computationally infeasible for U A to derive identity ID i of SD i correctly via the Send queries without TA's master key K s and secret parameter X i . As a result, GM 2 and GM 3 are indistinguishable if identity guessing attack is not implemented. Consequently, utilizing Zipf's law [29], we can get the result as below: As all the games are executed, U A can only guess the exact bit c. Thus, we can get as below: Using Equations (1), (2), and (5), we can get the result as below: Using Equations (4)-(6), we obtain the result utilizing the triangular inequality as below: Finally, we obtain the required result by multiplying both sides of Equation (7) by a factor of 2.
Adv U A ≤ q 2 h |Hash| + 2max{C · q s send } 7.5. Formal Security Analysis Using AVISPA AVISPA is a widely used simulation tool for checking whether authentication protocol is secure against replay and MITM attacks. To perform AVISPA simulation, the session and environment of security protocol must be defined using the High-Level Protocol Specification Language (HLPSL). We define three basic roles in HLPSL implementation for the proposed protocol: the SG device SD, the utility server UC, and the trusted authority TA. The session and environments are shown in Figure 9.

Detailed Specification of Roles
First, SD receives the initial messages and makes a state value from 0 to 1. SD generates a random number a i , calculates RID i , and then SD sends a registration request message {RID i , a i } to TA over secure channel and changes the state value from 1 to 2. In transition 2, SD receives the secret parameters {A i , B i } from TA over secure channel. In login and authentication process, SD generates a random number R SD and computes an authentication request message {M 1 , M 2 , M 3 }. Then, SD sends {M 1 , M 2 , M 3 } to utility center UC and updates the state value from 2 to 3. In the last transition, SD receives a authentication message {M 4 , M 5 , M 6 } from the UC, computes the session key SK ij , and declares a request function request(SD, UC, uc_sd_ruc, Ruc ), which means that uc_sd_ruc denotes a strong authentication factor. As a result, SD authenticates UC successfully. The specification of a SG device (SD) is shown in Figure 10. In Figures 11 and 12, the role specifications of UC and TA are similarly defined with SD.

Results of AVISPA Analysis
We utilized CL-based Attack Searcher (CL-AtSe) and On-the-fly-Model-Checker (OFMC) back-ends to the verify security of our protocol. The HLPSL code was translated into intermediate format, and then converted to output format using the back-ends. Figure 13 shows the results of simulation using two back-ends. The result of CL-AtSe back-end shows that two states were analyzed and the translation time was 0.10 s. The result of OFMC back-end shows it visited node 1040 nodes with nine plies depth. According to the results of simulation, the proposed protocol is secure against replay and MITM attacks.

Performance Analysis
This section compares performances and security feature of proposed scheme with existing schemes [6,20,21,28].

Computation Overhead
We compared the computation costs of the proposed scheme with existing schemes [6,20,21,28]. We define the parameters based on the work of Kumar et al.'s scheme [6]. T cert_ver , T cert , T h T s , T e , T m , T eca , T ecm , and T b denote public key certificate verification, public key certificate generation, one-way hash function, symmetric encryption/decryption, modular exponentiation, multiplication, ECC point addition, ECC point multiplication, and bilinear pairing, respectively. Based on the works in [21,34], we present the execution time for various cryptographic operations in Table 5 and assume {T s ≈ T h , T m ≈ T e } is negligible because it requires very low execution time. We also assume T eca T e and T eca ≈ T h .  [21,34], the total computational overheads of our scheme is 0.011 s and 0.05 ms, which is implemented on HiPerSmart card and Pentium IV platform, respectively. Therefore, we provide better efficiency than existing schemes because our protocol utilizes only hash function and XOR operation. Table 6 shows the analysis result of computation overhead compared to existing schemes. Table 6. A comparative summary: computation overheads.

Communication Overhead
We first define that timestamp, identity, hash, random number, and ECC cryptosystem are 32, 160, 160, 160, and 320 bits, respectively. In our protocol, transmitted messages {M 1 , M 2 , M 3 } and {M 4 , M 5 , M 6 } require (160 + 160 + 160 =) 480 and (160 + 160 + 160 =) 480 bits, respectively. As a result, the proposed scheme has more efficient than related schemes [6,20,21,28] because the total communication overhead of proposed protocol is very low compared with the others. Table 7 shows the analysis result of communication overhead compared to existing schemes.

Storage Overhead
We first define that identity, hash, timestamp, random number, and public key cryptosystem are 20, 20, 4, 20, and 40 bytes, respectively. In our protocol, stored messages {A i , B i , C i } and {RID i , RID j , X i } require (20 + 20 + 20 =) 60 and (20 + 20 + 20 =) 60 bytes, respectively. Although the proposed scheme storage overhead of somewhat higher than Kumar et al.'s scheme, it provides better efficiency and security than the other related schemes [6,20,21,28]. Table 8 shows the analysis result of storage overhead compared to existing schemes.

Conclusions
This study demonstrated that Kumar et al.'s scheme cannot defend against various potential attacks such as masquerade, SG device stolen, and session key disclosure attacks. We also showed that Kumar et al.'s scheme does not ensure mutual authentication. To overcome these security shortcomings of Kumar et al.'s scheme, we present a privacy-preserving lightweight authentication protocol for demand response management in the SG environments. Our protocol prevents against various attacks, including masquerade, replay, SG device stolen, and session key disclosure attacks and achieves secure mutual authentication and anonymity. We proved that our protocol ensures secure mutual authentication between SD i and UC j using BAN logic, and then we showed that the proposed protocol withstands various potential attacks using informal security analysis and ROR model. We also demonstrated that our scheme was secure against replay and MITM attacks using AVISPA simulation tool. Furthermore, we compared communication overheads, computation overheads, and storage overheads with existing schemes. Therefore, our protocol is applicable for practical SG environments because it is more secure and efficient than other existing schemes.

Conflicts of Interest:
The authors declare no conflict of interest.