A Novel and Efficient ECC-Based Authenticated Key Agreement Scheme for Smart Metering in the Smart Grid

With the gradual maturity of the smart grid (SG), security challenges have become one of the important issues that need to be addressed urgently. In SG, the identity authentication and key agreement protocol between a smart meter (SM) and an aggregator (AG) is a prerequisite for both parties to establish secure communication. Some of the existing solutions require high communication cost, and some have key escrow problems and security defects. The elliptic curve cryptosystem (ECC) has a low key requirement and high security, which makes it more suitable for securing the communications in SG. In this paper, we propose a mutual anonymous authentication with an ECC-based key agreement scheme to secure the communications in SG. In addition, we compare our scheme with other existing schemes by the number of encryption operations, the computation delay, and the communication cost. The results indicate that our scheme is more efficient without the loss of safety properties.


Introduction
The traditional power grid can no longer meet people's demand for electricity, and it relies on fossil fuels, so it has an impact on the environment and energy. As a result, the smart grid (SG) was proposed at the beginning of the 21st century and developed rapidly. It uses advanced and modern technology to transmit the power efficiently and reliably, to control more effectively the cost and manage the power resources [1]. SG as the next generation of the power grid has received much attention for its efficiency, reliability, and sustainability.
SG can promote the rapid development of a country and provide convenience for people's lives, having cost-effective and reliable characteristics. However, in SG, there could be many security risks between an aggregator (AG) and a smart meter (SM), if the communication between them has not been well protected. Security issues such as software vulnerabilities have always been the key issues with its development. With the vulnerabilities, hackers can easily launch attacks to cause power supply failures, power grid overload, and energy theft. In addition, the uncoordinated planning, design, and development speed can also bring more serious security challenges [2]. Therefore, in SG, the identity authentication and key agreement protocol between an and a is a prerequisite for both parties to establish a secure communication.

Mutual authentication between an and an is the first critical step in the design of security countermeasures. Over the last few years, various researchers have made many efforts in the design of authenticated key distribution schemes in SG [3,4]. By Gope's scheme [5], before communication, an has to check the validity of the ,

Motivation
Due to the requirements for high reliability and security for the communications in SG, each needs to be authenticated by an before entering the SG. The main design goal in SG is to provide robust quality data transmission to meet the requirements of QoS, such as reliability, throughput, latency, and security [28]. In fact, power information generated by is often transmitted over public insecure channels, which definitely gives the attackers an opportunity to break into the SG system. Secure identity mutual authentication is a critical first step in deterring attackers. Although there are many researchers working on authentication schemes, they all have their own problems, such as not providing anonymity of in [14,15,26], having a key escrow problem in [20,21,24,26], being vulnerable to active attacks in [15,25], lacking the ability to resist man-in-the-middle attacks in [15,24], lacking session key security in [25], and requiring a high computation cost in [23-26]. Therefore, to provide thoroughly the desired security functions for the communications in SG, particularly with the ability against key compromise attacks, we put forward an efficient and anonymous self-authentication scheme between the and the based on the ECC in SG. The scheme adopts fewer bilinear mapping and multiplication operations to reduce the computational costs without sacrificing security function.

Contributions
To solve the above existing problems, we present our contributions as follows:
(1) We propose an ECC-based authentication and key agreement scheme (EAKA) for SG. The and AG are registered with a trusted third party and conduct two-way identity authentication to provide anonymity protection for the .
(2) The proposed EAKA scheme can achieve a strong voucher privacy evaluated by the CK adversary model. It is shown to be safe under the random oracle model. Theoretical safety analysis indicates that the proposed EAKA scheme can resist some classic attacks such as replay attacks and MITM attacks.
(3) The proposed EAKA scheme has more advantages on network performance. According to the number of encryption operations, the computation delay, and communication cost, we compare the proposed EAKA scheme with other schemes to demonstrate that it is effective in terms of security and computational cost in the authentication process.

Paper Organization
The rest of the paper is arranged as follows: In the second part, we present the mathematical background and the encryption concepts involved in the proposed scheme. In addition, we also introduce the system model and the threat model. In the third part, we describe the process of identity authentication of the proposed EAKA scheme in detail. In the fourth part, we perform a safety analysis of the proposed EAKA scheme using the CK adversary model and qualitative safety analysis. In the fifth part, we evaluate the performance of the proposed EAKA scheme through simulation experiments. Finally, we summarize the paper and propose the future work.

Preliminaries
In this section, we first describe the relevant content about the cryptography of the ECC. We then introduce the system model of the communication networks in SG. Finally, we discuss the threat model used in the security analysis. (1) [29,30]: Given the discrete log problem of fixed points ∈ , and ∈ , , it is very hard to calculate ∈ * .

As shown in Equation
Lemma 2. (Elliptic Curve Diffie-Hellman problem (ECDHP)) [29,30]: The security of the ECDHP key exchange system works based on the security of the ECDLP. Given , , ∈ , , it is very difficult to calculate ∈ , .
We choose a random number ∈ * , the random number on the elliptic curve which meets its scalar point multiplication is defined as . . . . Let and be cyclic groups of prime order q, where is an additive cyclic group and is a multiplicative cyclic group. The map : → is proved to be an admissible bilinear map if it meets the following conditions.

System Model
As demonstrated in Figure 1, a communication network in SG consists of three traditional networks including a Home Area Network, a Local Area Network, and a Wide Area Network [31]. Based on the aspects of the public utilities, the Home Area Network is a group of household appliances, entertainment systems, lighting systems, energy storage, and power generation. In the Home Area Network, the is a home gateway that can gather energy depletion readings, which then transmits the collected readings to the service provider through the and performs the control command obtained from the service provider. The Local Area Network supports communication between the and the . Data concentrators and can be concentrated in the surrounding residential areas. We set up a wireless mesh network between metering gateways and the , through which the can periodically collect all the required data, and then transmit them to the utilities via fixed-line communication. The Local Area Network usually communicates through the powerline communication.
Wireless mesh networks have been widely used, where each collects its information and becomes a router for other to send consumption usage information to the data concentrator. The Wide Area Network provides connections between multiple data concentrators and the utility control centers, which is called the advanced network. In addition, the Wide Area Network can transmit and receive large amounts of smart metering infrastructure data, control commands, and signals, so it is also considered as a core network. The and the should be mutually authenticated to obtain a session key agreement. Before the authentication, and should register with the registration authority (RA) located near the utility service provider in the Wide Area Network. If the two-way communication between the and the is exposed to the public, attackers may launch malicious attacks to threaten the security of communications. If sensitive data is leaked, customer privacy will be compromised. In addition, the delay of real-time communication also affects the efficiency of the communication. Therefore, a more secure and strict authentication scheme should be adopted to protect the privacy of users.

Threat Model
This paper employs the widely-accepted and well-known Canetti and Krawczyk (CK) adversary model [27]. By the CK adversary model, a probabilistic polynomial-time adversary can control the communication channel to achieve the function of listening, modification, and free interception. In addition, the secret information can be obtained by attackers and the session key also can be further damaged to create security threats during the communication process.
can launch the following queries to interact with the protocol participant , where represents the or in this paper.
, AG : can only initiate a passive attack which is to eavesdrop information on the communication channel and will return the messages that participants exchange while executing this query.
, : Send query is defined on the basis of modification attacks, replay attacks, simulation attacks, etc. can use this query to send a message m to and and will receive a response message by .
ℎ : By this query, performs a hash query on the message m and receives a random number as the hash value of m.
Test : When obtaining a Test query, returns its session key or the same random value of the participating session key. An unbiased coin ∈ {0,1} is flipped; if a is 1, the real session key is returned. Otherwise, returns an arbitrary value with the same bit length as the session key.
Corrupt : By this query, A can obtain the static privacy of to capture the concept of forward secrecy.
ESReveal : With this query, can get the brief secret held by .
: can get the session key of through this query.
Expire : In this query, the completed session key held by is removed.
There are the following definitions found in terms for this model:

Definition 1. If and in the receiving state can authenticate each other and establish a session key, they can be called partners.

Definition 2. If the and Corrupt queries are made before the Expire query, the session s would be locally exposed. Conversely, if the session is not disclosed, it can be considered as having freshness.

Definition 3. The security of authenticated key agreement (AKA) is modeled by the game , in which can send out many queries to . The purpose of is to correctly guess the hidden bit ∈ {0,1} through the Test query. It is assumed that Succ indicates the event where wins and Pr indicates the probability of winning the game , . Therefore, as shown in Equation (2), the advantage of the disruption AKA is defined as: If there exists 0 satisfying , then we argue that our scheme is safe for the CK adversarial model.

The Proposed EAKA Scheme
As depicted in Figure 2, we describe the proposed EAKA scheme in detail. The whole process includes three stages: "system initialization", "registration", and "authentication and key agreement". Table 1 presents the notations applied in this paper.

Notations
Description The ith smart meter The jth service provider , Private and public keys of RA Trusted authority , The identity of and , Private and public keys of , Private and public keys of The base point Shared session key ∥ The concatenation operator ⊕ The exclusive-or operator

System Initialization
In this stage, selects and publishes the system parameters. The steps of this phase are as follows.
(1) chooses a large prime on the non-singular elliptic curve , , and a point ∈ , as the base point or generator, also chooses a cyclic additive group and a multiplicative group → , then it calculates a bilinear mapping : → , , .

Registration
After completing the registration stage, and calculate their private keys separately by the returned values from the .
(1) first sends its own to via a secure channel. Similarly, the same process is performed for the registration of . computes ℎ , and sends to through a secure channel. also gets its private key and public key as ， . Figure 3 and Algorithm 1, Figure 4 and Algorithm 2, illustrate the and registration processes respectively.

Authentication and Key Agreement
As demonstrated in Figure 5, Algorithm 3 and Algorithm 4, AG j and SM i authenticate each other and generate a session key, and the two parties then communicate through the session key.
(1) At first, generates a random number ∈ * , and then computes ,  (4) and (5), where is 's private key. Then checks whether ℎ || || and are the same to verify the authenticity of . If false, breaks this procedure. Otherwise generates the session key ℎ || || . SM and AG complete the verification for both parties to obtain a common session key agreement. ,

Security Analysis
In this section, we evaluate our proposed EAKA scheme under the CK adversary model. By this model, an attacker can perform a series of operations to achieve the effect of controlling communication. Besides, can also interact with or .

Formal Evaluation by Random Oracle Model
By the random oracle model, all entities can interact with each other. Furthermore, they can also make oracle queries defined in Section Ⅱ-C, whose questions are answered by a function uniformly selected among all possible functions. If any adversary has only a negligible probability of success with given abilities, the scheme is described as an ideal system.

Theorem 1. The model supposes that can fight the semantic security of the protocol and issue
Execute query , Send query , and Hash query . As shown in (3), the advantages of are defined in Equation (6): where is the length of hash value.
Proof. The stochastic model defines the game sequence (i=0, 1, 2, 3, 4) to prove the semantic security of the protocol. indicates a real attack, while represents a game where lacks the superiority. represents the incident where speculates the correct random number in the Test query.

Game G0: This game is a simulation of a real attack by under a random model. We can obtain Equation (7):

Game G1: In this game, the query simulates a real attack. The simulation of the game which stores the results in the corresponding list is basically the same as the actual situation. If the result of the query is in the list, then we return it directly. If not, we output an arbitrary value of the same length as a result of the query and add it to the list. Thus, we have Equation (8):

Game G2: The game is identical to the previous game simulation but is terminated if the value of the query conflicts with the list. Therefore, we can derive from the birthday paradox, the probability of hash collision is at most 2 , and the collision probability of transcription to the list is at most 2 . So, we can obtain Equation (9):

Game G3: If does not use the hash query, but can also accurately speculate the validation value and , then the game will be suspended. Therefore, we can obtain Equation (10):

Game G4: By this game, an analysis on the security of the session key can be made. queries to to the random oracle ℎ in the test-session but it cannot implement the session key unless showing one of , or , to . Therefore, uses the query to calculate the session key with the following four scenarios: ( According to , the condition for to obtain the session key is that A must know both the brief secret and static private key of . However, for the above four cases, the session key SK cannot be calculated by without obtaining ℎ or solving the ECDHP and ECDLP assumptions. If the ECDHP and ECDLP assumptions hold, the distinction between G3 and G4 is negligible [29]. So, we can get Equation (11):

Otherwise, in the game G4, the guess bit α is random and independent which is in the Test query. And there is no advantage to distinguish between real sessions and random keys for a query with incorrect input. Therefore, we have Equation (12):

Finally, combining the above Equations (7)-(12), we can conclude that Equation (6) holds. So there exists 2 , 0 satisfying , then we conclude that our proposed EAKA scheme is safe for the CK adversarial model. □

Informal Security Analysis
In this subsection, we qualitatively analyze the security features of the EAKA scheme as follows: (
(2) Key agreement: As we can see in Figure 5, after successful mutual authentication, both participants can get the same session key ℎ || || ℎ || || ℎ || || . Under the premise that the assumptions of the ECDH problem [30] are established, the session key cannot be obtained by A.
(3) 's identity anonymity: In the authentication phase, the which is encrypted by || ⨁ℎ || is sent to on the open channel. The random number is randomly generated and constantly changed in each session, is dynamic so that it is different in each session. Therefore, can maintain the anonymity of the identity.
(4) Perfect forward secrecy: According to and ℎ || || , needs to know the random number and private key of to get the session key. However, it is very hard for to get or which are generated by or and guess the session key. Even if the static private key and of and can be obtained by , and are different values generated randomly in each session, so any previously established session keys cannot be derived by . Due to the difficulty of the ECDHP and ECDLP assumptions, the session key cannot be cracked without knowing the random number. Therefore, our proposed EAKA scheme provides perfect forward secrecy.
(5) Man-in-the-middle attack: By this type of attack, A tries to establish a connection with AG j and SM i individually to make AG j and SM i mistakenly believe that both parties are connected. If A wants to establish connections with SM i , it needs to obtain the random number and private key of AG j to get the session key, but A cannot access the private key . By the partial session key or , A is unable to calculate the session key. Therefore, the analysis shows that our proposed EAKA scheme is able to resist man-in-the-middle attack.
(6) Replay attack: Replay attack is launched for spoofing hosts by sending previous data. A timestamp and random number mechanism is introduced in our scheme to cope with replay attack. generates a timestamp , then verifies the freshness of the timestamp. If * ∆ , will discard this replay elimination. The replay attack fails, even if * is modified by the adversary because the original timestamp is embedded in ℎ || , and the integrity of the time can be ensured by ℎ . Similarly, verifies the freshness of the timestamp which is sent by . and validate the timestamps sent by each other to ensure the freshness of the information in each data interaction. Therefore, our proposed EAKA scheme is considered feasible and effective against replay attack.
(7) Key leakage attack: Even if can obtain respectively the private key of and private key of during the communication, cannot succeed in getting the session key. According to formula or , should know or to get the shared key besides the private key. Therefore, our proposed EAKA scheme can defend against key leakage attack.
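The timestamp and random number check described in item (6), written out as an added example that is not the authors' code. HMAC-SHA256 stands in for the scheme's hash, and the shared secret, the 5 s value for ΔT, the field names and the identity string are all assumptions made for the illustration.

```python
import hashlib
import hmac
import os

DELTA_T = 5  # assumed freshness window ΔT in seconds; the page gives no value


def _tag(secret: bytes, sender_id: bytes, nonce: bytes, ts: int) -> bytes:
    # HMAC-SHA256 stands in for the scheme's hash over (... || T). The key is an
    # assumed secret that only the two authenticated parties can compute.
    data = len(sender_id).to_bytes(2, "big") + sender_id + nonce + ts.to_bytes(4, "big")
    return hmac.new(secret, data, hashlib.sha256).digest()


def make_message(secret: bytes, sender_id: bytes, now: int) -> dict:
    """Sender: fresh random number and 32-bit timestamp, both bound by the tag."""
    nonce = os.urandom(16)
    return {"id": sender_id, "nonce": nonce, "ts": now,
            "tag": _tag(secret, sender_id, nonce, now)}


class Receiver:
    def __init__(self, secret: bytes, delta_t: int = DELTA_T):
        self.secret = secret
        self.delta_t = delta_t
        self.seen = {}  # nonce -> timestamp, kept only while its window is open

    def verify(self, msg: dict, now: int) -> str:
        # 1. Freshness: drop the message when |T* - T| exceeds ΔT.
        if abs(now - msg["ts"]) > self.delta_t:
            return "stale"
        # 2. Integrity: the timestamp is inside the tag, so rewriting it to
        #    pass step 1 makes the recomputed tag differ.
        expected = _tag(self.secret, msg["id"], msg["nonce"], msg["ts"])
        if not hmac.compare_digest(expected, msg["tag"]):
            return "bad-tag"
        # 3. Random number: a replay inside the window reuses a nonce already seen.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.delta_t}
        if msg["nonce"] in self.seen:
            return "replayed"
        self.seen[msg["nonce"]] = msg["ts"]
        return "ok"


def demo() -> list:
    secret = bytes(range(32))        # constructed stand-in for the agreed secret
    t0 = 1_700_000_000               # constructed clock value in seconds
    rx = Receiver(secret)
    msg = make_message(secret, b"SM-0001", t0)   # constructed identity
    forged = dict(msg, ts=t0 + 60)   # captured message with the timestamp rewritten
    return [
        rx.verify(msg, t0),          # first delivery
        rx.verify(msg, t0 + 2),      # replay inside the window
        rx.verify(msg, t0 + 60),     # replay after the window has closed
        rx.verify(forged, t0 + 60),  # replay with a "fresh" timestamp
    ]


if __name__ == "__main__":
    print(demo())
```

The freshness window alone does not stop a replay that arrives within ΔT; the nonce cache covers that case, and it only has to remember nonces for as long as their timestamps remain acceptable.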

Comparison of Security Features
According to the security features, we compare our proposed EAKA scheme with the recently proposed solutions including the BAKA in [24], the TPPA in [25], and the SPAK in [26] schemes. As depicted in Table 2, the TPPA scheme lacks the session key security under the CK adversary model and it is unable to resist DoS attacks. In addition, the BAKA scheme has high computational and communication cost. The SPAK scheme cannot provide strong SM anonymity. Since the private key of our scheme is computed by itself in the registration phase, there is no key escrow issue. Therefore, our proposed EAKA scheme has better security properties with low computation and communication cost.

Performance Analysis
In this section, we evaluate the performance of the proposed EAKA scheme in terms of the number of cryptographic operations, computation delay, and communication cost. In addition, we also compare our EAKA scheme with other existing related solutions including the BAKA, the TPPA, and the SPAK schemes.

Number of Cryptographic Operations
We divide the cryptographic operations into five categories: PAD, HAS, EXP, BPA, and MUL, representing point addition, hash operation, modular exponent, bilinear pairing, and scalar multiplication, respectively. The hardware of an SM as a user will use a Raspberry Pi 3B+ with 1 GB LPDDR2 SDRAM and a BCM2837B0 system on chip with 1.4 GHz frequency. The hardware of an as a server will use a computer with 4 GB RAM and an Intel(R) Celeron(R) J1900 CPU. We adopt the encryption algorithm in [32-34] to simulate the time required to perform each of the cryptographic operations, which are shown in Table 3. From Table 3, the BPA operation spends the most time for users and the MUL operation also consumes a lot of time. So, in our scheme, highly time-consuming encryption elements should be avoided as much as possible to reduce the total authentication latency without sacrificing the security features. From Table 4, each scheme uses different numbers of the encryption operations. We compare our scheme with the other four and find that they use more cryptographic operations, which increases their authentication delays. However, our scheme avoids the most time-consuming cryptographic operations to reduce the authentication delays.

Computation Delay
According to the data in Tables 3 and 4, we can simply calculate the time spent by each scheme for its cryptographic operations. The total number of cryptographic operations of the BAKA scheme is 24 with the time taken as 131.986 ms, shown in Equation (14). The total number of cryptographic operations of the TPPA scheme is 29 with the time consumed as 95.702 ms, shown in Equation (15). The total number of cryptographic operations of the SPAK scheme is 26 with the time consumed as 102.358 ms, shown in Equation (16). The total number of cryptographic operations performed by the proposed EAKA scheme is 18 with the time consumed as 74.792 ms, shown in Equation (13), which is 43% lower than that of the BAKA scheme, 22% lower than that of the TPPA scheme, and 27% lower than that of the SPAK scheme. The three schemes use more encryption components, which may increase their authentication delays.
In addition, Figure 6 details the computation delay of the SM and the AG by each scheme. On the SM side, the authentication delay by the BAKA scheme is the largest, reaching 120.106 ms. The delays of the TPPA scheme and the SPAK scheme are 87.042 ms and 92.714 ms, respectively, while the delay of the EAKA scheme is minimal.
On the AG side, the delay by the BAKA scheme is the maximum at 11.88 ms, and the delays by the TPPA scheme and the SPAK scheme are 8.66 ms and 9.644 ms, respectively. The delay by our scheme is slightly higher at 11.233 ms. The result shows that our scheme meets the low time-consuming requirements of the SG.
C++ code is used to simulate the attack environment for security validation. Since there are some new types of malicious attacks which are unpredictable, and the authentication process of the four schemes may be interrupted by those unknown attacks, we simulate the attack environment by constantly changing the proportion of unknown attacks. Those attacks that can be resisted through security analysis are known as known attacks. The emergence of some new malicious attacks is unpredictable, and all these potential attacks are called unknown attacks. Assume the unknown attacks can interrupt the authentication process of these four methods. The computation delay is fixed for each type of the scheme under a known attack, while it could be uncertain under an unknown attack. We compare the computation delay in different scenarios and perform a total of 10,000 validation procedures for these four schemes by constantly varying the proportion of attack types to analyze the performance and validation delays of the different schemes.
Figure 7 shows the results of the simulations for each scheme as the relationship between the different ratios of unknown attacks and the average computation delay by each scheme. The abscissa indicates the ratio of unknown attacks and the ordinate denotes the authentication time consumption by each of the four schemes. The ratio of unknown attacks increases from 0.1 to 0.9. Figure 7 shows that when the ratios of unknown attacks keep getting larger, the average authentication delay of each scheme also keeps increasing. The proposed EAKA scheme always has the lowest computation delay when the unknown attacks ratio is increasing. When the ratio of unknown attacks is the same, the computation delay of the proposed EAKA scheme is the lowest. Therefore, the proposed EAKA scheme has efficiency advantages even under different unknown attacks.
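A sketch of the kind of simulation described above, added here as an example and not the authors' C++ code. The page does not say how an unknown attack changes the delay, so the interruption model (each attempt is hit with probability equal to the ratio, is cut off at a uniformly random point, and is then restarted) is an assumption, as are the function names and the seed; the base delays and the 10,000 runs are the page's figures.

```python
import random

# Total computation delay of one uninterrupted run in ms, as reported on the page.
BASE_DELAY_MS = {"EAKA": 74.792, "BAKA": 131.986, "TPPA": 95.702, "SPAK": 102.358}
RUNS = 10_000                            # validation procedures per data point
RATIOS = [r / 10 for r in range(1, 10)]  # unknown-attack ratio 0.1 .. 0.9


def simulate(base_ms: float, ratio: float, runs: int = RUNS, seed: int = 2021) -> float:
    """Average delay per completed authentication under the assumed model."""
    rng = random.Random(seed)            # fixed seed so the sweep is repeatable
    total = 0.0
    for _ in range(runs):
        # Assumed model: while an unknown attack hits the attempt, the work done
        # up to a uniformly random point is wasted and the run starts again.
        while rng.random() < ratio:
            total += base_ms * rng.random()
        total += base_ms                 # the attempt that finally completes
    return total / runs


def expected(base_ms: float, ratio: float) -> float:
    """Closed form for the same model: ratio/(1-ratio) interruptions on average,
    each wasting half a run."""
    return base_ms * (1 + 0.5 * ratio / (1 - ratio))


def sweep() -> dict:
    """One delay curve per scheme over the nine attack ratios."""
    return {name: [simulate(base, r) for r in RATIOS]
            for name, base in BASE_DELAY_MS.items()}


if __name__ == "__main__":
    for name, curve in sweep().items():
        print(name, " ".join(f"{d:8.2f}" for d in curve))
```

Under this model the average delay is the base delay times a factor that depends only on the attack ratio, so the ranking of the schemes at every ratio is fixed by their uninterrupted delays.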

Communication Cost
The communication cost is also one of the important measures to evaluate the quality of a solution. We assume that the identity and the bit length of EXP are 64 b, the time stamp is 32 b, 160 b for random number verification and hash function, the operation for each point on the elliptic curve is 161 b, and an element in the multiplication group is 512 b. The statistical results of the proposed EAKA, the BAKA, the TPPA, and the SPAK schemes are respectively 706 b, 1027 b, 966 b, and 962 b, as depicted in Figure 8. The proposed EAKA scheme has a 31% lower communication cost than the BAKA scheme and 27% lower than the TPPA scheme and the SPAK scheme. Thus, the results indicate that the EAKA scheme has certain superiorities in terms of communication cost.

Conclusions
In this paper, we proposed a two-way anonymous authentication scheme based on ECC for the communications for smart metering in SG. The scheme adopts a self-authentication method to resist simulated attacks and provides the maximum protection in the authentication process. For the safety of the proposed EAKA scheme, we conducted a qualitative analysis. The proposed EAKA scheme can provide session key agreement, perfect forward secrecy, and privacy protection of . In addition, we evaluated the performance of the EAKA scheme by comparing it to other existing solutions to conclude that the proposed EAKA scheme can not only incur a low computation delay but also realize all the security functions provided by other schemes. In future research, we will introduce a trust-based weighted assessment pseudonymous to realize the secure storage control of distributed trust data, and we will design a comprehensive trust model approach to better study this part of identity authentication.

Conflicts of Interest:
The authors declare no conflict of interest.