A Privacy-Preserving Authentication Scheme for a Blockchain-Based Energy Trading System

Abstract

The adoption of renewable energies such as solar power, heat pumps, and wind power is on the rise, and individuals have started generating energy using their own solar panels. In recent years, many blockchain-based energy trading schemes have been proposed. However, existing schemes cannot fully address privacy issues and dependency on energy brokers during energy trading. In this paper, we propose a privacy-preserving authentication scheme for blockchain-based energy traders. An energy user encrypts a request message through lightweight attribute-based encryption, and only energy sellers who have proper attribute keys can decrypt and conduct further processes with the energy user. We analyze the proposed scheme using both informal and formal methods, such as the BAN logic, AVISPA simulation tool, and RoR model. Furthermore, we compare the computational and communication costs of our scheme with related schemes and show that the proposed scheme has competitive performance.

1. Introduction

With the increasing interest in energy efficiency, smart grid and renewable energies are drawing considerable attention. A smart grid combines information and communication technology as well as power system operation to overcome the disadvantages of the traditional power grid system [1,2]. In traditional power grid systems, the power supply is unidirectional, and it is designed to produce more electricity than required to prepare for higher-than-expected power consumption. Therefore, it is not that efficient and inevitably generates wasted power. Conversely, in smart grid systems, distributed power based on renewable energies is available, and it is bidirectional in power supply. Furthermore, it can monitor energy consumption information to determine energy production and prevent global warming by reducing the use of fossil fuels. Renewable energies include solar power, micro-wind power, heat pumps, and so on [3,4]. These energies can be generated by individuals through solar panels and wind turbines installed in their houses, and they can use the energy by themselves or sell it to others. The realization of energy trading between individuals can reduce the costs associated with time and location-dependent power supply, and energy efficiency can be considerably improved.

The concept of decentralized energy production and peer-to-peer energy trading emerged about years ago [5], yet specific methods and solutions for peer-to-peer energy trading were not discussed much due to technical issues until a few years ago. As the use of smart thermostats, rooftop photovoltaic arrays, and battery energy storage systems grows and individuals’ needs to reduce energy costs increase, discussions are underway to realize energy trading. Representatively, with the recent commercialization of electric vehicles, various solutions are being proposed for secure communication between vehicles and charging stations [6,7]. A charging station performs a similar role to a roadside unit in VANETs or an access point in mobile networks. However, P2P energy trading is more complicated because it involves communication between untrusted entities, and transparency, scalability, and reliability must be guaranteed for secure energy trading. Additionally, during the energy trading process, individual privacy must be guaranteed and protected from insider and impersonation attacks.

To resolve the problems, many blockchain-based peer-to-peer energy trading systems have been proposed during the past few years [8,9,10,11]. Blockchain technology is a suitable solution for realizing energy trading because it can guarantee the transparency and integrity of stored data [12,13,14,15,16,17]. However, public blockchains that use proof-of-work or proof-of-stake consensus algorithms have a scalability problem. The existing research solves the scalability problem of blockchain by designing energy brokers to maintain the consortium blockchain. Moreover, energy brokers perform various roles such as identity verification [18,19,20], matching [21,22], and issuing authentication tokens [23,24] for energy traders. However, existing schemes have the issue that energy traders are highly dependent on energy brokers. The energy broker is an essential entity to facilitate energy trading, but an energy broker can be an individual and can not be considered fully trusted [25]. Therefore, if energy brokers are fully aware of information about energy tradings, such as the location and status of energy users, then privacy issues can arise. To resolve these problems, it is necessary to design a mutual authentication scheme between energy traders, and it is important to consider how an energy trader initiates energy trading with the other party when energy brokers do not match energy users and sellers.

Therefore, we proposed a novel privacy-preserving authentication scheme for a blockchain-based energy trading system. We focused on preserving the privacy of energy users from energy brokers. To achieve this, we applied attribute-based encryption (ABE) to match an energy user and seller. Traditional pairing-based ABE [26] requires lots of computational cost and is difficult to make compatible with blockchain that is based on the Elliptic Curve Cryptosystem (ECC). Therefore, we adopted ECC-based lightweight ABE for the proposed scheme [27]. Compared to traditional ABE, ECC-based ABE does not perform operations that require a high amount of computation, such as bilinear pairing. Individuals have lower computation power than servers and utilizing lightweight ABE enables smooth communication. Furthermore, in the energy trading environment, energy purchasers can encrypt their request messages using ABE and disclose the message only to appropriate sellers. In the proposed scheme, when an energy user sends an energy trading request encrypted with attributes to an energy broker, the energy broker verifies the signature and then transmits the encrypted message to energy sellers. Then, an energy seller who has the proper attributes can decrypt the message and check the requested information. After that, the energy seller sends a response message to the energy user, they authenticate each other, and they can trade energy. The main contributions of this paper are as follows:

• We proposed a new blockchain-based energy trading scheme. We assumed that the energy broker is not a fully trusted entity. Therefore, energy brokers manage the blockchain and act as a middleman between energy traders but do not perform functions such as issuing an authentication token or matching energy traders.
• We adopted lightweight ABE-based access control for energy users. An energy request message of an energy user is encrypted and transmitted to the energy broker, and only energy sellers with the appropriate attributes can confirm the transaction details and respond to the energy buyer. The proposed model adopts ECC-based ABE, which has lower computational costs than pairing-based ABE and is more compatible with blockchain.
• We designed a mutual authentication scheme between energy purchasers and sellers. We analyzed the proposed scheme using informal methods and formal methods, such as the Burrows–Abadi–Needham (BAN) logic [28], the “Automated Validation of Internet Security Protocols and Applications (AVISPA)” tool [29], and the Real-or-Random (RoR) model [30] and proved that the proposed scheme is correct, has resistance to replay attacks, and guarantees semantic security.

Paper Organization

In Section 2 and Section 3, we provide related works and explain the preliminaries, respectively. In Section 4, we demonstrate the proposed system model and provide explanations of entities. In Section 5, we propose a secure authentication protocol for the blockchain-based energy trading system with access control. In Section 6, we informally and formally analyze our scheme, and, in Section 7, we compare the performance of our scheme with other schemes. We conclude this study in Section 8.

2. Related Works

In this section, we introduce recent studies conducted on blockchain-based energy trading systems and key agreement protocols in smart grids.

2.1. Blockchain-Based Energy Trading Systems

In this section, we introduce recent studies conducted on blockchain-based energy trading systems. In 2017, Li et al. [31] proposed blockchain-based energy trading for the industrial Internet of Things (IIoT) environment. They were the first to propose a secure energy trading solution using consortium blockchain, and many subsequent studies have been conducted based on this study. In their scheme, an energy purchaser sends a request to an energy broker. Next, the energy broker verifies the identity of the energy purchaser (EP), generates an authentication token, and sends the token to the EP. Then, the EP can trade the energy with an energy seller using the token. Their method does not guarantee the anonymity of energy purchasers and relies on energy brokers for the authentication process between energy traders. Gai et al. [32] highlighted that Li et al.’s scheme [31] cannot preserve the privacy of EPs. Their scheme mainly focuses on protecting privacy and ensuring the untraceability of EPs by configuring the account generation algorithm and black box operations. However, their scheme still has the problem that energy traders need to authenticate tokens issued by an energy broker to verify the legitimacy of the other party. Li et al. [33] proposed blockchain-enabled energy trading in IIoT environments. In their scheme [33], anonymous authentication was used for the users’ privacy protection. Further, attribute-based encryption was used to guarantee fine-grained access control, and a timed commitment-based mechanism was designed for the verifiable fairness of energy trading. However, their scheme [33] has a traceability problem because the public keys of users are transmitted during energy trading. Guan et al. [34] proposed privacy-preserving energy trading using blockchain and ABE. In their scheme [34], Ciphertext-Policy Attribute-Based Encryption (CP-ABE) was used for access control to protect the privacy of transaction initiators, and a credibility-based consensus algorithm was included. However, their scheme [34] does not describe which attribute value is used for encryption or decryption. It cannot guarantee the practicality of the proposed scheme.

The existing schemes [31,32,33,34] did not give much thought to mutual authentication and access control during energy trading. In this study, we design a secure authentication scheme for the blockchain-based energy trading system with access control.

2.2. Authentications in Smart Grids

In 2018, Li et al. [35] proposed an anonymous authentication scheme between the home area network gateway and the building area network gateway for smart grids. Li et al. [35] formally verified their protocol using ProVerif and asserted that their scheme was secure against various attacks. However, Li et al. did not formally prove the security of their protocol. Wu et al. [36] highlighted that the scheme in [35] could not resist impersonation attacks and was inefficient. Wu et al. proposed an efficient and anonymous scheme using ECC. They asserted that their scheme was more efficient than the other schemes in smart grids. Mahmood et al. [37] proposed an elliptic curve-based authentication scheme for smart grid communication. They claimed that their scheme was efficient and secure against various attacks. However, Abbasinezhad and Nikoogadam [38] proved that the scheme proposed by Mahmood et al. [37] could not prevent known session-specific temporary information attacks and could not guarantee perfect forward secrecy, and they proposed an enhanced scheme in the same environment. Although Abbasinezhad and Nikoogadam asserted that their enhanced scheme was secure, Chen et al. [39] showed that Abbasinezhad and Nikoogadam’s scheme could not defend against replay attacks because an adversary could make an entity inaccessible to the network. Chen et al. [39] proposed a pairing-based authentication scheme with improved security. In 2021, Wu et al. [40] found that Chen et al.’s scheme was also vulnerable to known session-specific temporary information and impersonation attacks. Wu et al. proposed a bilinear pairing-based authentication protocol considering various attacks. However, in their scheme [40], the real identity of each entity was transmitted via a public channel, and anonymity and traceability could not be guaranteed.

The existing schemes [35,36,37,38,39,40] have security issues to adopt in energy trading systems. In this study, we improved these schemes and designed a robust protocol for the energy trading system.

3. Preliminary

In this section, we provide the preliminaries of our scheme.

3.1. Access Tree

We use the access tree defined in [26] as the access structure in our scheme. Let $\Gamma$ be an access tree; then, the leaf nodes of $\Gamma$ are attributes, and the non-leaf nodes of $\Gamma$ are threshold gates. $\Gamma$ contains the following notations when x is a node of $\Gamma$:$(\gamma ,t(x),p(x),att(x),i(x),c(x\left)\right)$. $\gamma$ is the root node of $\Gamma$, $t\left(x\right)$ is a threshold value, $p\left(x\right)$ is a parent node, $att\left(x\right)$ is an attribute, $i\left(x\right)$ is an index, and $c\left(x\right)$ are child nodes of x. For example, let x be a non-leaf node. Then, if $t\left(x\right)=1$, then x is an OR gate, and, if $t\left(x\right)=c\left(x\right)$, then x is an AND gate. A user must satisfy the access tree to decrypt the ciphertext encrypted with $\Gamma$, and, when the user satisfies $\Gamma$, it means that the user has attribute keys that can pass the threshold gate of $\gamma$.

3.2. Blockchain

Blockchain can be classified into three types: public, private, and consortium blockchain [41]. Public blockchain includes Ethereum and Bitcoin, which need the consensus of all the network participants to upload transactions to the blockchain. It is completely decentralized, yet it can be difficult to ensure real-time energy tradings. A private blockchain is controlled by a single authority. Compared to a public blockchain, it has better network scalability and efficiency. However, it is centralized and cannot provide transparency because network entities do not participate in the consensus. Consortium blockchains are managed by a number of entities. Compared to the private blockchain, it is decentralized, and, compared to the public blockchain, it can provide network scalability and has better efficiency. Energy trading occurs in a decentralized manner, and a centralized network structure is not suitable. Furthermore, many users will perform energy tradings, and network capacity must be guaranteed. Therefore, we utilize consortium blockchain for secure energy trading in our scheme. In our scheme, the blockchain is managed by energy brokers and records energy trading results.

3.3. Adversary Model

We adopted the Dolev–Yao (DY) adversary model [42] which is widely accepted [43,44,45] for analyzing the security of an authentication protocol. Under the DY model, an adversary A has the following capabilities.

• A can obtain the messages transmitted through public channels. A can attempt to eavesdrop, modify, or forge the messages.
• A can obtain the smart card of a network user and can extract the stored value via power analysis attacks [46,47].
• A can guess the identity and password to log into the obtained smart card. We assume that A can try to guess the identity and password simultaneously.
• A can attempt diverse attacks such as impersonation, session key disclosure, replay, and Man-in-the-Middle (MITM) attacks.

We also apply the Canetti and Krawczyk (CK) adversary model [48] to analyze the proposed protocol. The CK model considers additional attacks such as ephemeral session random numbers or long-term keys leakage attacks.

4. System Model

We describe the proposed system model. The model comprises four entities: the trusted authority (TA), energy broker (EB), energy user (EU), and energy seller (ES). Figure 1 shows the system model and a detailed description of each entity is provided as follows:

Figure 1. The proposed blockchain-based energy trading model.

• TA: TA initializes the system, registers EBs and EUs, and issues attribute keys for ESs.
• EB: An EB acts as an intermediary between energy buyers and sellers and may be an individual or an institution [25]. An EB is not a fully trusted entity. After an EB receives an encrypted message from an EU, the EB verifies the signature of the message and then broadcasts the message to nearby ESs. When an ES receives a confirmation message, the EB verifies the message and uploads the transaction record to the blockchain.
• EU: EUs register with the TA to participate in the network. An EU generates an energy request message, which includes wallet address, energy type, demanding amount, price, location, and so on. After that, the encrypted message and the signature for the encrypted message are sent to the EB. The EB can only verify the signature without knowing the detailed information of the request message. Then, the EU mutually authenticates with an ES who has proper attribute keys and conducts energy trading with the ES.
• ES: ESs are issued attribute keys when registered with the TA. An ES receives an encrypted energy request message from the nearby EB and can decrypt the message if the ES has the proper attribute keys. After that, the ES conducts mutual authentication with the EU and transmits energy and receives payment. Then, the ES sends a confirmation message, including the EU and ES’s signatures, to the EB.

5. Proposed Scheme

The proposed scheme comprises six phases: setup, registration, login, requesting, responding, and confirmation. In the setup phase, the TA generates and publishes system parameters. In the registration phase, the TA registers the EBs, EUs and ESs, generates public keys, creates wallet addresses, and issues smart cards for the EUs and ESs. In the login phase, an EU logs into the network using the smart card issued in the registration phase. In the requesting phase, an EU generates an energy request message, encrypts it using attributes, and sends the message to a nearby EB. Next, the EB verifies the message and broadcasts it to nearby ESs. Then, an ES who has corresponding attribute keys can decrypt the message and can send a response message to the EU. Then, the EU generates a smart contract for energy trading, the ES verifies the contract, and the trading is initiated. A detailed explanation of each step is below, and Table 1 shows the notations of our scheme.

Table 1. Notations and meanings.

Notation	Meaning
$E{U}_j$	j-th energy user
$E{S}_k$	k-th energy seller
$E{B}_i$	i-th energy broker
$I{D}_j,P{W}_j$	identity and password of $E{U}_j$
$S{C}_j$	smart card of $E{U}_j$
$C_j$	encrypted message of $E{U}_j$
${\left\{s_{j,x}\right\}}_{x=1}^K$	$E{U}_j$’s K wallet addresses
${\left\{M\right\}}_k$	M is encrypted/decrypted with symmetric key k
$Re{q}_j$	request message of $E{U}_j$
${\left[M\right]}_s$	M is signed using key s with ECDSA

5.1. Setup

$TA$ inputs security parameter $\lambda$; then, an elliptic curve $(q,a,b,G,p)$ is generated. After that, $TA$ selects cryptographic hash function $h(.)$, chooses $s_{TA}\in Z_q^{*}$, selects attribute universe $\mathbb{A}=\{A_1,...,A_n\}$, and generates corresponding secret keys $s_1,s_2,...,s_n\in Z_q^{*}$. In addition, $TA$ generates $P\in G$ and computes $P_{TA}=s_{TA}.P$ and $P_m=s_m.P$ for all $m\in \{1,2,...,n\}$. The network public parameters are $\{G,P,P_{TA},P_m,q,h(.)\}$, and the secret parameters are $\{s_{TA},s_m\}$.

5.2. Registration

In the registration phase, $TA$ registers $E{B}_i$, $E{U}_j$, and $E{S}_k$. The registration phase is conducted through a secure channel.

• EB registration: $E{B}_i$ chooses a unique identity $I{D}_i$ and sends $\left(I{D}_i\right)$ to $TA$. After $TA$ receives the message, $TA$ checks whether $I{D}_i$ is registered, and, if not, $TA$ generates a random number $s_i$, computes $P_i=s_i.P$, publishes $(I{D}_i,P_i)$, and sends $s_i$ to $E{B}_i$. Then, $E{B}_i$ keeps $s_i$ secure and also writes permission for the blockchain.
• EU registration: For $E{U}_j$ registration, $E{U}_j$ chooses $I{D}_j$ and $P{W}_j$ and sends $I{D}_j$ to $TA$. Then, $TA$ checks whether $I{D}_j$ is registered, and, if not, $TA$ generates a fuzzy verifier $2^5\le l_j\le 2^{10}$ and random numbers ${\left\{s_{j,x}\right\}}_{x=1}^K$ and stores $({\left\{s_{j,x}\right\}}_{x=1}^K,l_j)$ in smart card $S{C}_j$. After that, $TA$ computes $P_{j,x}=s_{j,x}.P$ for all x, which are wallet addresses of $E{U}_j$, and sends $S{C}_j$ to $TA$. After $E{U}_j$ receives $S{C}_j$, $E{U}_j$ generates $r_j\in Z_q^{*}$ and computes $HP{W}_j=h(I{D}_j\left|\right|P{W}_j\left|\right|r_j)$, $X_j=r_j\oplus h(I{D}_j\left|\right|P{W}_j)$, $Y_j={\left\{s_{j,x}\right\}}_{x=1}^K\oplus HP{W}_j$, and $Aut{h}_j=h(HP{W}_j\left|\right|{\left\{s_{j,x}\right\}}_{x=1}^K)$ $(mod$ $l_j)$. Then, $E{U}_j$ stores $(X_j,Y_j,Aut{h}_j)$ in $S{C}_j$ and deletes ${\left\{s_{j,x}\right\}}_{x=1}^K$ from $S{C}_j$. $E{U}_j$ can guarantee anonymity for $E{B}_i$ by using multiple wallet addresses.
• ES key generation: $E{S}_k$ chooses $I{D}_k$, $P{W}_k$, and an access tree ${\Gamma }_k$ and sends $(I{D}_k,{\Gamma }_k)$ to $TA$. Then, for root node ${\gamma }_k$ of ${\Gamma }_k$, $TA$ generates a unique polynomial $q_{{\gamma }_k}\left(x\right)$ with order $t\left({\gamma }_k\right)-1$. $TA$ sets $q_{{\gamma }_k}\left(0\right)=s_{{\gamma }_k}$ and chooses other points of $q_{{\gamma }_k}\left(x\right)$ randomly. After that, $TA$ defines other polynomials for other non-leaf nodes z with $q_z\left(0\right)=q_{p\left(z\right)}\left(i\left(z\right)\right)$. Next, for leaf nodes l of ${\Gamma }_k$, $TA$ computes $D_l=q_l\left(0\right)/s_{att\left(l\right)}$. Then, the attribute keys for $E{S}_k$ are $D_k=(D_l=q_l\left(0\right)/s_{att\left(l\right)},$ and $\forall l$ are leaf nodes of ${\Gamma }_k$). This process is only executed the first time when generating attribute keys for ${\Gamma }_k$. After that, $TA$ randomly generates $s_k\in Z_q^{*}$ and $2^5\le l_k\le 2^{10}$ and computes $P_k=s_k.P$, which is a wallet address of $E{S}_k$. Furthermore, $TA$ stores $D_k$ and $l_k$ in $S{C}_k$ and sends $S{C}_k$ to $E{S}_k$. $E{S}_k$ generates $r_k\in Z_q^{*}$ and computes $HP{W}_k=h(I{D}_k\left|\right|P{W}_k\left|\right|r_k)$, $A_k=(r_k\left|\right|s_k)\oplus h(I{D}_k\left|\right|P{W}_k)$, $B_k=D_k\oplus HP{W}_j$, and $Aut{h}_k=h(HP{W}_k\left|\right|D_k\left|\right|s_k)$ $(mod$ $l_k)$. $E{S}_k$ deletes $D_k$ and stores $(A_k,B_k,Aut{h}_k)$ in $S{C}_k$. After the ES key generation phase, $P_{{\gamma }_k}=s_{{\gamma }_k}.P$ is published, and ${\Gamma }_k$ maps to $P_k$, which is a wallet address of $E{S}_k$.

5.3. Login

In the login phase, $E{U}_j$ inputs $I{D}_j$ and $P{W}_j$ to $S{C}_j$. Then, $S{C}_j$ computes $r_j=X_j\oplus h(I{D}_j\left|\right|P{W}_j)$, $HP{W}_j=h(I{D}_j\left|\right|P{W}_j\left|\right|r_j)$, and ${\left\{s_{j,x}\right\}}_{x=1}^K=Y_j\oplus HP{W}_j$ and checks $Aut{h}_j\stackrel{?}{=}h(HP{W}_j\left|\right|{\left\{s_{j,x}\right\}}_{x=1}^K)$ $(mod$ $l_j)$. If it is equal, $E{U}_j$ is logged in. $E{S}_k$ can also be logged in the network in a similar way.

5.4. Requesting

$E{U}_j$ chooses $s_j$ from ${\left\{s_{j,x}\right\}}_{x=1}^K$, computes $P_j=s_j.P$, and generates a current timestamp $T_1$ and request message $Re{q}_j=(P_j,deman{d}_j,pric{e}_j,typ{e}_j,loc{a}_j)$. These mean wallet address, demanding amount, price, charging type, and current location, respectively. Then, $E{U}_j$ generates $a_j\in Z_q^{*}$, chooses attribute sets ${\Omega }_j$, and computes $A_j=a_j.P$ and $A_{ij}=a_j.P_i$. After that, $E{U}_j$ encrypts $Re{q}_j$ with ${\Omega }_j$ using the ECC-based attribute-based encryption [27].

• Step 1: $E{U}_j$ randomly chooses $u_j\in Z_q^{*}$ and computes $u_j.P_{{\gamma }_k}=(U_x,U_y)$. If $u_j.P_{{\gamma }_k}=O$, $E{U}_j$ chooses another $u_j$ and repeats the process. Then, $U_x$ is used as a symmetric key, and $U_y$ is used to generate message authentication code (MAC).
• Step 2: $E{U}_j$ computes $C_{Re{q}_j}={\left\{Re{q}_j\right\}}_{U_x}$ and $MA{C}_{Re{q}_j}=HMAC(Re{q}_j,U_y)$. Furthermore, $E{U}_j$ computes $C_{\omega }=u.P_{\omega }$ for each $\omega \in {\Omega }_j$.
• Step 3: The encrypted message is $C_j=({\Omega }_j,C_{Re{q}_j},MA{C}_{Re{q}_j},C_{\omega })$. $E{U}_j$ computes $M_1=(C_j,P_j)\oplus h\left(A_{ij}\right)$, generates a signature $Si{g}_j={[A_j,C_j,T_1]}_{s_j}$, and transmits $(A_j,M_1,Si{g}_j,T_1)$ to $E{B}_i$.

After receiving the message, $E{B}_i$ checks the validity of $T_1$, computes $A_{ij}=s_i.A_j$ and $(C_j,P_j)=h\left(A_{ij}\right)\oplus M_1$, and checks that $Si{g}_j$ is valid. If it is, $E{B}_i$ generates a unique request number $r{n}_j$, and a random number $r_i$. Then, $E{B}_i$ computes $R_i=r_i.P$, $R_{ij}=r_i.P_j$, $M_i=r{n}_j\oplus h(A_{ij}\left|\right|R_{ij})$, and $H_i=h(r{n}_j\left|\right|R_{ij}\left|\right|A_{ij}\left|\right|T_2)$; transmits $(R_i,M_i,H_i,T_2)$ to $E{U}_j$; and broadcasts $(C_j,r{n}_j)$ to energy sellers. $E{U}_j$ receives the message; checks the validity of $T_2$, computes $R_{ij}=s_j.R_j$ and $r{n}_j=M_i\oplus \left(h\right(A_{ij}\left|\right|R_{ij}\left)\right)$; and checks that $H_i\stackrel{?}{=}h(r{n}_j\left|\right|R_{ij}\left|\right|A_{ij})$. If it is equal, $E{U}_j$ keeps $r{n}_j$ securely.

5.5. Responding

If $E{S}_k$ has the proper attribute keys, $E{S}_k$ can decrypt $C_j$ according to the following procedure.

• Step 1: For each leaf node l of ${\Gamma }_k$ and $\omega =att\left(l\right)$, $E{S}_k$ computes

  $$\begin{array}{cc}\hfill D(C_j,D_k,l)& =D_l.C_{\omega }\hfill \\ \hfill & =q_l\left(0\right).s_{att\left(l\right)}^{-1}.u.P_{att\left(l\right)}\hfill \\ \hfill & =q_l\left(0\right).s_{att\left(l\right)}^{-1}.u.s_{att\left(l\right)}.P\hfill \\ \hfill & =q_l\left(0\right).u.P\hfill \end{array}$$
• Step 2: For each non-leaf node z, let $c\left(z\right)$ be a set of child nodes of z, $c^{{}^{\prime }}\left(z\right)$ be an arbitrary subset of $c\left(z\right)$ with $t\left(z\right)$ nodes, and $c^{{}^{″}}\left(z\right)$ be a set of indexes $\forall o\in c^{{}^{\prime }}\left(z\right)$. Then, $E{S}_k$ computes

  $$\begin{array}{cc}\hfill D(C_j,D_k,z)& =\sum _{o\in c^{{}^{\prime }}\left(z\right)}{\Delta }_{i\left(o\right),c^{{}^{″}}\left(z\right)}\left(0\right).D(C_j,D_k,v)\hfill \\ \hfill & =\sum _{o\in c^{{}^{\prime }}\left(z\right)}{\Delta }_{i\left(o\right),c^{{}^{″}}\left(z\right)}\left(0\right).q_o\left(0\right).k.G\hfill \\ \hfill & =\sum _{o\in c^{{}^{\prime }}\left(z\right)}{\Delta }_{i\left(o\right),c^{{}^{″}}\left(z\right)}\left(0\right).q_z\left(i\left(o\right)\right).k.G\hfill \\ \hfill & =q_z\left(0\right).k.G\hfill \end{array}$$

$E{S}_k$ recursively repeats these processes and can finally obtain $D(C_j,D_k,{\gamma }_k)=q_{{\gamma }_k}\left(0\right).u_j.$ $P=(U_x,U_y)$. Then, $E{S}_k$ can obtain $Re{q}_j={\left\{C_{Re{q}_j}\right\}}_{U_x}$ and can check the integrity of the message using $MA{C}_{Re{q}_j}$. After that, $E{S}_k$ generates $a_k\in Z_q^{*}$ and a timestamp $T_1$; computes $a_k.P=A_k$, $a_k.P_j=A_{kj}$, $M_2=h(A_{kj}\left|\right|Re{q}_j)$, and $M_3=a_k+M_2.s_k$; and transmits $(A_k,M_3,T_1)$. $E{U}_j$ receives the message and checks the validity of $T_1$; computes $A_{kj}=A_k.s_j$, $M_2=h(A_{kj}\left|\right|Re{q}_j)$, and $P_k=M_2^{-1}(M_3.P-A_k)$; checks $M_3.P\stackrel{?}{=}{A}_k+M_2.P_k$; and retrieves $P_k$ from the blockchain. After that, $E{U}_j$ generates timestamp $T_2$ and $k_j\in Z_q^{*}$; computes $K_j=k_j.P$, $K_{jk}=k_j.P_k$, $D_{jk}=s_j.P_k$, $M_4=h(K_{jk}\left|\right|Re{q}_j\left|\right|D_{jk})$, $M_5=k_j+M_4.s_j$, $H_1=h(r{n}_j\left|\right|s_i.P_j)$, $M_6=k_j+H_1.s_j$, and $SK=h\left(K_{jk}\right|\left|D_{jk}\right)$; and sends $(K_j,M_5,T_2)$ to $E{S}_k$. $E{S}_k$ receives the message; checks the validity of $T_2$; computes $K_{jk}=a_k.K_j$, $D_{jk}=s_k.P_j$, and $M_4=h(K_{jk}\left|\right|Re{q}_j\left|\right|D_{jk})$; checks $M_5.P\stackrel{?}{=}{K}_j+M_4.P_j$; and computes $SK=h\left(K_{jk}\right|\left|D_{jk}\right)$. Then, $SK$ can be used for further communication, and $E{U}_j$ and $E{S}_k$ trade energy. When the energy trading finishes, $E{U}_j$ transmits $M_6$ to $E{S}_k$ encrypting it using $SK$. The mutual authentication in the responding phase is summarized in Figure 2.

Figure 2. Mutual authentication between $E{S}_k$ and $E{U}_j$.

5.6. Confirmation

For the trading confirmation, $E{S}_k$ generates $T_5$, $x_k\in Z_q^{*}$, and a verification message $Ve{r}_k$; computes $X_k=x_k.P$, $E_k=X_k+K_j$, $M_7=M_6+x_k+H_2.s_k$, $H_2=h(s_k.P_i\left|\right|r{n}_j\left|\right|T_5)$, and $M_8=M_6+x_k+H_2.s_k$; and transmits $(E_k,M_7,M_8,r{n}_j,T_5)$ to $E{B}_i$. $Ve{r}_k$ includes $P_k$ and the trading results. Then, $E{B}_i$ retrieves $P_j$ using $r{n}_j$ and computes $H_1=h(r{n}_j\left|\right|s_i.P_j)$, $H_2=h(s_i.P_k\left|\right|r{n}_j\left|\right|T_5)$, and $M_7.P\stackrel{?}{=}{E}_k+H_2.P_k+H_1.P_j$. If they are equal, $E{B}_i$ considers that the trading is finished successfully because the signatures of both $E{U}_j$ and $E{S}_k$ are verified, and $Ve{r}_k$ is uploaded to the blockchain. Then, energy users can check the transaction records of $E{s}_k$ in the later energy trading process.

6. Security Analysis

We provide an informal analysis of the proposed scheme under the DY and CY model and a formal analysis using the BAN logic, RoR model, and the AVISPA simulation tool.

6.1. Informal Analysis

In this subsection, we show that the proposed scheme has resistance to various attacks. We assume that an adversary A tries security attacks based on the assumptions we described in Section 3.3.

6.1.1. Smart Card Stolen Attack

A can steal $S{C}_j$ and can extract the stored values through a side-channel attack. Then, A can obtain $(X_j,Y_j,Aut{h}_j)$. However, these values are masked using $I{D}_j$ and $P{W}_j$. Therefore, A cannot know any information about $E{U}_j$ and cannot generate any messages using these values. Therefore, the proposed scheme is secure even if $S{C}_j$ is stolen.

6.1.2. Offline Guessing Attack

A can steal a smart card of $E{U}_j$ and can try to find $I{D}_j$ and $P{W}_j$. Let $I{D}_j^A$ and $P{W}_j^A$ be guessed values by A that are input to $S{C}_j$. Then, $S{C}_j$ computes $r_j^A=X_j\oplus h(I{D}_j^A\left|\right|P{W}_j^A)$, $HP{W}_A=h(I{D}_j^A\left|\right|P{W}_j^A\left|\right|r_j^A)$, and ${\left\{s_{j,k}^A\right\}}_{k=1}^K=Y_j\oplus HP{W}_j^A$. After that, $S{C}_j$ checks $Aut{h}_j\stackrel{?}{=}h(HP{W}_j^A\left|\right|{\left\{s_{j,k}^A\right\}}_{k=1}^K)$ $(mod$ $l)$, and, if it is equal, $S{C}_j$ generates a request message and sends it to $E{B}_i$. In this case, it can be equal even if $I{D}_j^A$ and $P{W}_j^A$ are not equal to $I{D}_j$ and $P{W}_j$ because $Aut{h}_j$ is masked with a fuzzy verifier $l_j$. When the bit lengths of $I{D}_j$ and $P{W}_j$ are set to 128 bits, the total guessed bit length is 256 bits. Therefore, even if A successfully logs into $S{C}_j$, the probability that $I{D}_j^A$ and $P{W}_j^A$ are correct is $\frac{2^{10}}{2^{256}}$, which is negligible.

6.1.3. Impersonation Attack

A fails to guess $I{D}_j$ and $P{W}_j$ but still can try to impersonate $E{U}_j$ or $E{S}_k$ and send a request message. However, A cannot generate a legitimate signature $Si{g}_j$ in the requesting phase or $M_3$ in the responding phase because A cannot obtain the secret key of $E{U}_j$ or $E{S}_k$ without knowing the identity and password of network participants. If the signature is not correct, the message would be considered illegitimate by the other party, and A cannot perform further communication.

6.1.4. Mutual Authentication

The mutual authentication is performed in the responding phase between $E{S}_k$ and $E{U}_j$. In the first message, $E{S}_k$ sends $(A_k,M_3,T_1)$ to $E{U}_j$. Then, $E{U}_j$ computes $A_{kj}$ using a secret key, computes $P_k=M_2^{-1}(M_3.P-A_k)$, and checks $M_3.P\stackrel{?}{=}{A}_k+M_2.P_k$. Then, $E{U}_j$ can authenticate $E{S}_k$. After that, $E{U}_j$ sends $(C_j,M_5,M_6,T_2)$ to $E{S}_k$. Similarly, $E{S}_k$ checks $M_5.P\stackrel{?}{=}{C}_j+M_4.P_j$ and can authenticate $E{U}_j$.

6.1.5. Anonymity and Untraceability

In the proposed scheme, transmitted messages through a public channel do not include a public key or the identity of $E{U}_j$. Furthermore, A has no way to track $E{U}_j$ through values obtained from transmitted messages without knowing a secret value such as a secret key or an identity. Therefore, the proposed scheme can provide anonymity and untraceability of $E{U}_j$.

6.1.6. Denial of Services (DoS) Attack

A can attempt to paralyze the network by transmitting messages indiscriminately. A can generate a request message, response message, or confirmation message. In our scheme, every message includes a timestamp and message digest value using the timestamp, and, therefore, A cannot reuse messages to paralyze the network. Furthermore, A cannot generate a legitimate message arbitrarily because the messages are masked with the secret key of the message sender. Therefore, the proposed scheme has resistance to DoS attacks.

6.1.7. Perfect Forward Secrecy

When the network is compromised or A succeeds in obtaining the long-term keys of the network, A can try to calculate the session keys of previous sessions. In the attack scenario, A can obtain $s_j$ and $s_k$, which are the secret keys of $E{U}_j$ and $E{S}_k$, respectively. In our scheme, the session key is $SK=h\left(C_{jk}\right|\left|D_{jk}\right)$. However, A can not calculate $C_{jk}$ without knowing $c_j$ and $a_k$, and these values are temporal keys used only once in each session. Therefore, the proposed scheme can guarantee perfect forward secrecy.

6.1.8. Ephemeral Session Random Number Leakage Attack

In this attack scenario, we assume that A has obtained the session random numbers $c_j$ and $a_k$ and try to calculate $SK=h\left(C_{jk}\right|\left|D_{jK}\right)$. A can obtain $C_{jk}=c_j.A_k$. However, A cannot know $s_j$ or $s_k$, which are the long-term secret keys of $E{U}_j$ and $E{S}_k$, respectively. Therefore, A cannot succeed in calculating $SK$, and the proposed scheme has resistance to ephemeral session random number leakage attacks.

6.1.9. Privileged Insider Attack

If A is a privileged insider in the network, A can obtain the message of $E{U}_j$ from the registration phase and try logging into other networks impersonating $E{U}_j$. However, in the proposed scheme, $E{U}_j$ only transmits $I{D}_j$ and does not send a password-related value. This means that A fails to log into other networks disguising themselves as $E{U}_j$. Therefore, the proposed scheme is secure against the privileged insider attack.

6.1.10. Access Control

The proposed scheme adopted lightweight ECC-based ABE to provide access control for $E{U}_j$. Each $E{U}_j$ encrypts its request message using attribute keys, and only $E{S}_k$, who has the proper attribute sets, can decrypt the message and send a response message to $E{U}_j$. Therefore, $E{U}_j$ can preserve its privacy from $E{B}_i$ and can present its message only to a valid $E{S}_k$.

6.2. Formal Proof Using BAN-Logic Analysis

We conduct BAN-logic analysis [28], which is a widely accepted verification method [49,50,51] of an authentication protocol. Then, we set goals and assumptions, describe idealized forms, and perform implementation of the BAN logic analysis. First, we demonstrate the basic rules of the BAN logic. If the above condition holds, the below condition is true. Table 2 presents the notations used in our scheme.

Table 2. Notations of BAN-logic.

Notation	Description
${\eta }_1,{\eta }_2$	two principals
${\kappa }_1,{\kappa }_2$	two statements
${\eta }_1|$≡${\kappa }_1$	${\eta }_1$ believes ${\kappa }_1$
${\eta }_1|$∼${\kappa }_1$	${\eta }_1$ once said ${\kappa }_1$
${\eta }_1$⇒${\kappa }_1$	${\eta }_1$ controls ${\kappa }_1$
${\eta }_1$⊲${\kappa }_1$	${\eta }_1$ receives ${\kappa }_1$
$\#{\kappa }_1$	${\kappa }_1$ is fresh
${\left\{{\kappa }_1\right\}}_K$	${\kappa }_1$ is encrypted with K
${\eta }_1\stackrel{K}{\leftrightarrow }{\eta }_2$	${\eta }_1$ and ${\eta }_2$ have shared key K

• Message meaning rule (MMR):

  $$\frac{{\eta }_1|\equiv {\eta }_1\stackrel{K}{\leftrightarrow }{\eta }_2,{\eta }_1⊲{\left\{{\kappa }_1\right\}}_K}{{\eta }_1|\equiv {\eta }_2|\sim K}$$
• Nonce verification rule (NVR):

  $$\frac{{\eta }_1|\equiv \#\left({\kappa }_1\right),{\eta }_1|\equiv {\eta }_2|\sim {\kappa }_1}{{\eta }_1|\equiv {\eta }_2|\equiv {\kappa }_1}$$
• Jurisdiction rule (JR):

  $$\frac{{\eta }_1|\equiv {\eta }_2|⟹{\kappa }_1,{\eta }_1|\equiv {\eta }_2|\equiv {\kappa }_1}{{\eta }_1|\equiv {\kappa }_1}$$
• Belief rule (BR):

  $$\frac{{\eta }_1|\equiv ({\kappa }_1,{\kappa }_2)}{{\eta }_1|\equiv {\kappa }_1}$$
• Freshness rule (FR):

  $$\frac{{\eta }_1|\equiv \#\left({\kappa }_1\right)}{{\eta }_1|\equiv \#({\kappa }_1,{\kappa }_2)}$$

6.2.1. Goals

The following goals have to be achieved to prove the correctness of the proposed scheme.

Goal 1: 

$E{U}_j|\equiv E{S}_k\stackrel{SK}{\leftrightarrow }E{S}_k$

Goal 2: 

$E{U}_j|\equiv E{S}_k|\equiv E{U}_j\stackrel{SK}{\leftrightarrow }E{S}_k$

Goal 3: 

$E{S}_k|\equiv E{U}_j\stackrel{SK}{\leftrightarrow }E{S}_k$

Goal 4: 

$E{S}_k|\equiv E{U}_j|\equiv E{U}_j\stackrel{SK}{\leftrightarrow }E{S}_k$

6.2.2. Assumptions

The assumptions of our scheme are as follows.

$A_1$:

$E{U}_j|\equiv \#\left(T_3\right)$

$A_2$:

$E{S}_k|\equiv \#\left(T_4\right)$

$A_3$:

$E{U}_j|\equiv E{S}_k\Rightarrow \left(E{U}_j\stackrel{A_{kj}}{\leftrightarrow }E{S}_k\right)$

$A_4$:

$E{S}_k|\equiv E{U}_j\Rightarrow \left(E{U}_j\stackrel{C_{jk}}{\leftrightarrow }E{S}_k\right)$

$A_5$:

$E{U}_j|\equiv \left(E{U}_j\stackrel{A_{kj}}{\leftrightarrow }E{S}_k\right)$

$A_6$:

$E{S}_k|\equiv \left(E{U}_j\stackrel{C_{jk}}{\leftrightarrow }E{S}_k\right)$

6.2.3. Idealized Forms

The idealized forms of our scheme are as follows.

$Ms{g}_1$:

$E{S}_k\to E{U}_j:{\{P_k,M_2,T_3\}}_{A_{kj}}$

$Ms{g}_2$:

$E{U}_j\to E{S}_k:{\{C_j,M_4,T_4\}}_{C_{jk}}$

6.2.4. BAN Logic Implementation

We implement the BAN logic of the proposed scheme as follows. We show that the proposed scheme is correct through Steps 11 and 12.

Step 1: 

$E{U}_j$ receives $Ms{g}_1$.

$$S_1:E{U}_j⊲{\{P_k,M_2,T_3\}}_{A_{kj}}$$

Step 2: 

We can obtain $S_2$ by applying the MMR using $S_1$ and $A_5$.

$$S_2:E{U}_j|\equiv E{S}_k|\sim (P_k,M_2,T_3)$$

Step 3: 

We can obtain $S_3$ by applying the FR using $A_1$ and $S_2$.

$$S_3:E{U}_j|\equiv \#(P_k,M_2,T_3)$$

Step 4: 

We can obtain $S_4$ by applying the NVR using $S_2$ and $S_3$.

$$S_4:E{U}_j|\equiv E{S}_k|\equiv (P_k,M_2,T_3)$$

Step 5: 

We can obtain $S_5$ by applying the BR to $S_4$.

$$S_5:E{U}_j|\equiv E{S}_k|\equiv P_k$$

Step 6: 

$E{S}_k$ receives $Ms{g}_2$.

$$S_6:E{S}_k⊲{\{C_j,M_4,T_4\}}_{C_{jk}}$$

Step 7: 

We can obtain $S_7$ by applying the MMR using $S_6$ and $A_6$.

$$S_7:E{S}_k|\equiv E{U}_j|\sim (C_j,M_4,T_4)$$

Step 8: 

We can obtain $S_8$ by applying the FR to $A_2$.

$$S_8:E{S}_k|\equiv \#(C_j,M_4,T_4)$$

Step 9: 

We can obtain $S_9$ by applying the NVR using $S_7$ and $S_8$.

$$S_9:E{S}_k|\equiv E{U}_j|\equiv (C_j,M_4,T_4)$$

Step 10: 

We can obtain $S_{10}$ by applying the BR to $S_9$.

$$S_{10}:E{S}_k|\equiv E{U}_j|\equiv C_j$$

Step 11: 

$E{P}_j$ can compute $SK=h\left(C_{jk}\right||s_j.P_k)$, and $E{S}_k$ can compute $SK=h\left(C_{jk}\right||s_k.P_j)$ using the obtained values. Therefore, we obtain $S_{11}$ and $S_{12}$.

$$S_{11}:E{U}_j|\equiv E{S}_k|\equiv \left(E{U}_j\stackrel{SK}{\leftrightarrow }E{S}_k\right)(\mathrm{Goal}2)$$

and

$$S_{12}:E{S}_k|\equiv E{U}_j|\equiv \left(E{U}_j\stackrel{SK}{\leftrightarrow }E{S}_k\right)(\mathrm{Goal}4)$$

Step 12: 

We obtain $S_{13}$ and $S_{14}$ by applying the JR using $S_{11}$ and $A_3$, and $S_{12}$ and $A_4$, respectively. Then, the BAN logic’s implementation is complete.

$$S_{13}:E{U}_j|\equiv \left(E{U}_j\stackrel{SK}{\leftrightarrow }E{S}_k\right)(\mathrm{Goal}1)$$

and,

$$S_{14}:E{S}_k|\equiv \left(E{U}_j\stackrel{SK}{\leftrightarrow }E{S}_k\right)(\mathrm{Goal}3)$$

6.3. RoR Model

We perform the Real-or-Random model [30] to prove the session key security of the proposed scheme. Table 3 summarizes the queries and their descriptions of the RoR model.

Table 3. Queries and their descriptions.

Query	Description
$Execute(p_i,p_j)$	This query represents an eavesdropping attack carried out by A. A can obtain messages transmitted between $p_i$ and $p_j$ during execution of the mutual authentication protocol.
$Corrcut\left(p_i\right)$	This query represents A stealing the smart card of a legitimate user and extracting the stored value using a power analysis attack.
$Send(p,M)$	This query represents active attacks, in which A can modify eavesdropped messages, send a message M to an instance p, and can receive a response message.
$Hash$	This query represents A conducting a one-way hash operation using the eavesdropped or modified messages.
$Test\left(p\right)$	We assume that there is an unbiased coin c. When A executes the $Test$ query, c is flipped, and, if the result is the tail, then a random number is given to A. If the result is the head, then the session key is given to A. A guesses whether the given value is the session key or a random number. If the probability that A answers correctly is significantly higher than $\frac{1}{2}$, the session key cannot guarantee the semantic security.

Let $Adv\left(A\right)$ be an advantage function of A in which A succeeds in distinguishing the session key and a random number. Then, we can show that the proposed scheme can guarantee the semantic security of the session key by proving the following equation:

$$\begin{array}{c}\hfill Adv\left(A\right)\le \frac{q_h^2}{\left|H\right|}+\frac{2q_s}{2^{246}}\end{array}$$

(1)

where $q_h$, $q_s$, $\left|H\right|$ are, respectively, the number of executed $Hash$ queries, the number of executed $Send$ queries, and the range space of a hash output. A plays the game $G_0$, $G_1$, $G_2$, and $G_3$. The number of queries that A can execute increases as the game progresses. At the end of each game, A performs the $Test$ query, and we calculate the advantage function that A passes the $Test$ query.

• $G_0$: In $G_0$, we assume that A cannot perform any query. Let $P\left[A_{G_0}^{Succ}\right]$ be a probability that A succeeds in guessing correctly when $Gam{e}_0$ ends. Then, the advantage function can be defined as the following:

  $$\begin{array}{c}\hfill Adv\left(A\right)=|2P\left[A_{G_0}^{Succ}\right]-1|\end{array}$$

  (2)

• $G_1$: A performs the $Execute$ query in $G_1$. In the proposed scheme, A can obtain $(A_k,M_3,T_3)$ and $(K_j,M_5,T_4)$ from a public channel. Then, A cannot guess any information about $SK$ because the obtained values from the public channel are not used to calculate $SK$. Therefore, the probability that A guesses correctly when $G_1$ is not changed is as follows:

  $$\begin{array}{c}\hfill P\left[A_{G_1}^{Succ}\right]=P\left[A_{G_0}^{Succ}\right]\end{array}$$

  (3)

• $G_2$: A can execute the $Send$ and $Hash$ queries to guess $SK$. A can arbitrarily generate a message or re-use it. However, each message contains a timestamp and the message digest, and A cannot generate a legitimate message. In order for A to win the game, A has the only way to find a hash collision to compromise $SK$, and the following equation is induced:

  $$\begin{array}{c}\hfill |P\left[A_{G_2}^{Succ}\right]-P\left[A_{G_1}^{Succ}\right]|\le \frac{q_h^2}{2\left|H\right|}\end{array}$$

  (4)
• $G_3$: A can execute the $Corrupt$ query and extracts the stored values of $S{C}_j$. In this scenario, A must guess the correct $I{D}_j$ and $P{W}_j$ to generate a legitimate message disguising itself as $E{U}_j$. Even if A succeeds in logging into $S{C}_j$, the probability that the guessed identity and password are correct is $\frac{2^{10}}{2^{256}}=\frac{1}{2^{246}}$. If the generated message is not correct, $E{B}_i$ revokes $S{C}_j$ from the network. Next, A must succeed to guess $I{D}_j$ and $P{W}_j$ within $q_h$ attempts. Then, the following equation can be induced:

  $$\begin{array}{c}\hfill |P\left[A_{G_3}^{Succ}\right]-P\left[A_{G_2}^{Succ}\right]|\le \frac{q_s}{2^{246}}\end{array}$$

  (5)

Based on the above equations, we can obtain the following equation using the triangle inequality:

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill \frac{1}{2}Adv\left(A\right)& =|P\left[A_{G_0}^{Succ}\right]]-\frac{1}{2}|\hfill \\ \hfill & =|P\left[A_{G_0}^{Succ}\right]-P\left[A_{G_3}^{Succ}\right]|\hfill \\ \hfill & \le P\left[A_{G_0}^{Succ}\right]-P\left[A_{G_1}^{Succ}\right]|\hfill \\ \hfill & +|P\left[A_{G_1}^{Succ}\right]-P\left[A_{G_2}^{Succ}\right]|\hfill \\ \hfill & +|P\left[A_{G_2}^{Succ}\right]-P\left[A_{G_3}^{Succ}\right]|\hfill \\ \hfill & \le \frac{q_h^2}{2\left|H\right|}+\frac{q_s}{2^{246}}\hfill \end{array}\end{array}$$

(6)

Finally, the proof is completed, and the advantage of A to win the game is negligible.

6.4. AVISPA Simulation

We simulated the proposed scheme using the AVISPA simulation tool [29]. The AVISPA simulation tool can verify resistance to replay attacks or Man-in-the-Middle (MITM) attacks of an authentication protocol by checking the freshness and secrecy of transmitted messages during the authentication process. We wrote the proposed method in the HLPSL language [52] and simulated it with the “On-the-Fly Model Checker (OFMC) [53]” and “Constraint Logic-based Attack Searcher (CL-AtSe)” [54] models. The execution results are shown in Figure 3, and the proposed scheme is safe under the two models. Therefore, we formally verify that our scheme has resistance to replay and MITM attacks.

Figure 3. Simulation results of the proposed scheme under OFMC and CL-AtSe models.

7. Performance Analysis

We compare the proposed authentication protocol with the existing protocols suggested in smart grid environments. We show that the proposed protocol has comparable performances compared to the existing schemes in this section.

7.1. Computational Cost

We compared the computational costs generated during the mutual authentication of the proposed scheme with existing schemes [35,36,37,38,39,40]. For the comparison, we referred [55], which measured various operations used in authentication protocols. The notation of each operation and the time cost are as follows:

• $T_{bp}$: Execution time for a bilinear pairing operation ≅ 5.811;
• $T_{mul}$: Execution time for a point scalar multiplication operation ≅ 2.226 ms;
• $T_{add}$: Execution time for a point addition operation ≅ 0.0288 ms;
• $T_{mtp}$: Execution time for a map-to-point hash function ≅ 12.418 ms;
• $T_{exp}$: Execution time for a modular exponentiation ≅ 3.85 ms.

The computational cost comparison of the proposed scheme and the existing schemes are summarized in Table 4. The proposed scheme has higher costs than [35,37,38] and lower costs than [36,39,40]. Comprehensively, the proposed protocol is competitive compared to existing protocols. However, as demonstrated in Section 7.3, the proposed scheme can provide superior security to existing schemes.

Table 4. Computational cost comparison.

Scheme	Operations	Total Execution Time (ms)
Li et al. [35]	$8T_{exp}+2T_{mul}$	35.252
Wu et al. [36]	$9T_{exp}+2T_{mul}+T_{add}$	39.1308
Mahmood et al. [37]	$10T_{mul}+4T_{add}$	22.3752
Abbasinezhad et al. [38]	$8T_{mul}+4T_{add}$	17.9232
Chen et al. [39]	$2T_{bp}+7T_{mul}+2T_{mtp}+2T_{add}$	52.0976
Wu et al. [40]	$2T_{bp}+11T_{mul}+2T_{mtp}+2T_{add}$	61.0016
Proposed scheme	$17T_{mul}+6T_{add}$	38.0148

7.2. Communication Cost

We compared the communication cost of the proposed scheme and the existing schemes [35,36,37,38,39,40]. We assume that $M_1$ and $M_2$ are transmitted messages, a hash output is 256 bits, a point on the elliptic curve is 320 bits, the identity is 128 bits, and the timestamp is 32 bits. In the scheme of [35], $M_1$ is $(C_1,C_2,C_3,t_i)$, and $M_2$ is $(C_4,C_5,C_6,t_j)$. These messages include three ECC points, three hash outputs, and two timestamps. The total communication cost is 960 + 768 + 64 = 1792 bits. In the scheme of [36], $M_1$ is $(A,C,t_i)$, and $M_2$ is $(B,D,t_j)$. These messages include two ECC points, two hash outputs, an identity, and two timestamps. The total communication cost is 640 + 512 + 128 + 64 = 1344 bits. In the scheme of [37], $M_1$ is $(X_i,Y_i,K_{ip},I{D}_i,t_i)$ and $M_2$ is $(X_j,Y_j,K_{jp},I{D}_j,t_j)$. These messages include six ECC points, two identities, and two timestamps. The total communication cost is 1920 + 256 + 64 = 2240 bits. In the scheme of [38], $M_1$ is $(i{d}_A,R_A,W{T}_A)$, $M_2$ is $(i{d}_B,R_B,V_B,W{T}_B)$, and $M_3$ is $(i{d}_A,V_A)$. These messages include two ECC points, three hash outputs, three identities, and two timestamps. The total communication cost is 960 + 768 + 384 + 64 = 2176 bits. In the scheme of [39], $M_1$ is $(i{d}_i,R_{in},R_{i1},R_{si},T_1)$, and $M_2$ is $(i{d}_j,R_{jn},R_{j1},h_j)$. These messages include five ECC points, a hash output, two identities, and a timestamp. The total communication cost is 1680 + 256 + 256 + 32 = 2224 bits. In the proposed scheme, the first message is $(A_k,M_3,T_1)$, and the second message is $(C_j,M_5,M_6,T_2)$. These messages include two ECC points, three hash outputs, and two timestamps. Therefore, the total communication cost is 640 + 768 + 64 = 1472 bits. Table 5 shows a comparison of the communication costs. The proposed scheme has the lowest communication cost as compared to other schemes.

Table 5. Communication cost comparison.

Scheme	Total Communication Cost
Li et al. [35]	1792 bits
Wu et al. [36]	1344 bits
Mahmood et al. [37]	2240 bits
Abbasinezhad et al. [38]	2176 bits
Chen et al. [39]	2224 bits
Wu et al. [40]	2880 bits
Proposed	1472 bits

7.3. Security Features

We compare the security features of the proposed scheme with the existing schemes introduced in Section 2.2. We consider the following security features: A1—“resistance to offline guessing attack”, A2—“resistance to impersonation attack”, A3—“providing mutual authentication”, A4—“preservation of user anonymity”, A5—“preservation of user untraceability”, A6—“resistance to DoS attack”, A7—“preservation of perfect forward secrecy”, A8—“resistance to ephemeral session random number leakage attack”, and A9—“consideration of access control”. The proposed scheme can provide these security features, as demonstrated in Section 6.1. However, the existing schemes [35,36,37,38,39,40] do not consider or cannot satisfy some of the features. Table 6 shows that the proposed scheme is more robust than existing schemes.

Table 6. Security features comparison.

Features	[35]	[36]	[37]	[38]	[39]	[40]	Proposed
A1	O	O	O	O	O	O	O
A2	X	O	O	O	X	O	O
A3	X	O	O	O	X	O	O
A4	O	O	X	X	X	X	O
A5	O	O	X	X	X	X	O
A6	O	O	O	O	O	O	O
A7	−	O	X	O	O	O	O
A8	O	X	X	X	O	O	O
A9	−	−	−	−	−	−	O

X: Insecure. O: Secure. −: Not considered.

8. Conclusions

In this paper, we designed a privacy-preserving mutual authentication scheme between energy traders in a blockchain-based energy trading system. We adopted lightweight ABE to provide access control of energy request messages for energy users and proposed a key agreement scheme between energy traders without the participation of an energy broker. The proposed scheme reduces the dependency on energy brokers, realizes a decentralized energy trading model, and preserves the privacy of energy users. We analyzed the proposed scheme using informal and formal methods and demonstrated that the proposed scheme has resistance to various security attacks, guarantees the correctness of authentication, and provides session key security. We compared the computational and communication costs and security features of the proposed scheme with related schemes, and we showed that our scheme has competitive performance and superior security to related schemes. Overall, the proposed scheme is better than existing schemes and can be suitable for real energy trading environments. In future work, we plan to implement the proposed scheme through experiments to verify the practicality of our scheme.