A Provably Secure Anonymous Authentication Protocol for Consumer and Service Provider Information Transmissions in Smart Grids

: Smart grids integrate information technology, decision support systems, communication networks, and sensing technologies. All these components cooperate to facilitate dynamic power adjustments based on received client consumption reports. Although this brings forth energy efficiency, the transmission of sensitive data over the public internet exposes these networks to numerous attacks. To this end, numerous security solutions have been presented recently. Most of these techniques deploy conventional cryptographic systems such as public key infrastructure, blockchains, and physically unclonable functions that have either performance or security issues. In this paper, a fairly efficient authentication scheme is developed and analyzed. Its formal security analysis is carried out using the Burrows–Abadi–Needham (BAN) logic, which shows that the session key negotiated is provably secure. We also execute a semantic security analysis of this protocol to demonstrate that it can resist typical smart grid attacks such as privileged insider, guessing, eavesdropping, and ephemeral secret leakages. Moreover, it has the lowest amount of computation costs and relatively lower communication overheads as well as storage costs.


Introduction
Smart grid (SG) networks incorporate information technology and energy grid so as to manage energy consumptions efficiently.This is normally accomplished by offering bi-directional communication for data exchanges between consumers and power producers [1].In addition, an SG integrates intelligent sensing, contemporary communication networks, and novel systems that support decision making in conventional grid systems.These technologies enable the effectual distribution of power from the generating stations to the consumer terminals.As explained in [2], SG bi-directional communication is achieved through Advanced Metering Infrastructure (AMI).A typical AMI comprises concentrators, smart meters, and measurement data management systems.On the other hand, a typical SG is made up of control, sensing, and communication systems and actuators [3].Whereas smart meters (SMs) perform sensing and communication, actuation and control are executed by service providers (SPs).Therefore, SMs are located at consumer premises, where they accurately measure power consumption and transmit these data over to the SP servers.Through effective real-time processing and analyses of consumer data, the generation and distribution of power is dynamically fine-tuned in accordance with user demands.This helps in enhancing the reliability of the power grid system [4].
In spite of the benefits discussed above, the public internet is utilized for the data exchange between the SMs and the SPs [5].As such, the SG is exposed to security and privacy threats such as eavesdropping, forgery, denial of service (DoS), tampering, and ephemeral secret leakage (EPSL) [6,7].In addition, the misuse of consumer power consumption reports can lead to privacy leaks.By sending forged and inaccurate data, the SG network can incur additional loads [8].All these challenges can disrupt the communication process, leading to the degradation of the SG system's performance [9].As such, security violations and privacy leakages are major issues during smart grid design [10].This can be attained by perfect data encryption, mutual authentication, as well as session key establishment.In addition, Authenticated Key Exchange (AKE) is crucial for the protection of transmitted data against tampering and interception [6].
The above concerns necessitate the designing of robust, privacy-preserving, secure, and lightweight protocols to safeguard the data exchanged among legitimate SG participants.Since an SG comprises numerous SMs, each SM must be authenticated prior to information exchange.This will help curb threats exampled by impersonation, SM capture, Man-in-the-Middle (MitM), packet replays, de-synchronization, and privileged insider [7].Upon an effectual mutual authentication process, a common session key should be created between the SM and the SPs to encipher the exchanged data.In addition, data integrity should be upheld, while preventing non-repudiation and side-channeling through a power analysis [11].Another major concern in an SG network is the limited capabilities of smart meters in terms of communication, energy, and computation.This puts some limitations on the implementation of conventional cryptographic techniques in SG networks.Therefore, ideal SG security approaches should strive to be lightweight in addition to fulfilling numerous security requirements.

Motivation
It has been shown that a myriad of protocols have been introduced in the smart grid network to preserve its security posture.However, these solutions are based on conventional cryptographic systems such blockchain, public key infrastructure, PUF, and bilinear pairings.All these techniques have many security, performance, or privacy issues and, hence, are not suitable for resource-incapacitated SG devices such as SMs.Attacks such as de-synchronization, impersonation, privacy leaks, replays, and DoS must be prevented, as they adversely interfere with the reliability of smart grids.As such, there is a need for an effective, efficient, and robust security scheme for SGs.

Threat Model
In this section, we model attacks against our scheme using the most popular Dolev-Yao (DY) and Canetti-Krawczyk models.In these threat models, attacker Ä is capable of the following actions, compromising the private keys belonging to smart meters and service providers:

•
Modifying and deleting the contents of intercepted messages; Intercepting derived session keys and other session state parameters.

Security Requirements
In the face of numerous security threats and privacy leaks, an ideal authentication scheme for smart grid networks should fulfill the following requirements: Mutual authentication: The identities of all the communicating parties should be reciprocally verified prior to exchanging any network data.
Key agreement: To preserve confidentiality and the integrity of the communication process, a session key should be set up to encrypt all exchanged messages.
• We deploy shared keys and pseudo-identities to encipher the communication channel so as to enhance security and privacy preservation.• To protect against MitM and replay attacks, each entity computes the session keys for traffic protection.• We deploy BAN logic for the revelation of the probably secure nature of the negotiated session key.
An extensive comparative analysis shows that our protocol withstands the largest number of attacks.In addition, it incurs the lowest computation overheads and relatively lower storage and communication overheads.
The rest of this work is structured as follows: Section 2 discusses the related works in this domain, while our scheme is described in Section 3. On the other hand, Section 4 discusses the security analysis of this protocol, while Section 5 describes its evaluation in terms of performance.Finally, Section 6 presents the conclusions and gives some future research scopes.

Related Work
Smart grid security, privacy, and performance have attracted a lot of attention, leading to the introduction of many schemes.For instance, researchers in [10] have presented an identity-based technique, while the authors in [12,13] have developed elliptic curve cryptography (ECC)-based schemes.However, extensive ECC multiplication operations render the schemes in [12,13] inefficient [14].Therefore, they are not ideal for deployment in computation-limited smart grid components.On the other hand, PUF-based schemes are developed in [15][16][17][18].Although the protocol in [15] withstands modeling attacks, protocols based on PUF have stability issues [19].In addition, the scheme in [18] offers smart meter physical security but is still vulnerable to EPSL attacks and cannot provide backward key secrecy [17].To offer smart meter anonymity, a secure scheme is presented in [20].However, this scheme fails to mutually authenticate the network entities and is prone to DoS attacks [21].Although the scheme in [22] is anonymity-preserving, it cannot withstand ephemeral secret and session key leakage attacks [23].In addition, its bilinear pairing operations result in extensive computation overheads [24], similar to the protocols in [23,25].
To reduce the computation overheads associated with bilinear pairings, a scheme based on elliptic curve cryptography is developed in [26].However, this technique cannot offer anonymity [1] and is defenseless against ephemeral secret leakage attacks [27].Additionally, it incurs high computation overheads during the generation of security tokens at the Trusted Authority (TA) [1].On the same breadth, the technique introduced in [28] fails to offer untraceability and identity protection [29].To deal with these challenges, an anonymous authentication protocol is introduced in [30].Although identity protection is assured, this technique incurs high computation costs [6].To offer efficiency in smart grids, lightweight authentication schemes are developed in [1,6,29,[31][32][33][34].However, the schemes in [6,31,32] have not been evaluated against de-synchronization attacks.Similarly, the protocol in [29] has not been evaluated against spoofing and guessing attacks.Although the schemes in [1,33] are resilient against de-synchronization attacks, they have not been evaluated against spoofing attacks.On the other hand, the scheme in [34] cannot withstand desynchronization attacks [29].
To address the anonymity issues in some of the protocols above, a password-based security technique is introduced in [35].However, this protocol has incorrect login and authentication phases [36].Although the scheme in [37,38] overcomes this challenge, it is defenseless against de-synchronization threats.In addition, it fails to provide formal security verification and revocability.On the other hand, the usage of some fixed messages in each session in [39,40] renders said session vulnerable to traceability attacks.The protocol in [41] solves this issue by updating this message for each session.However, the service provider needs to buffer previous data for each SM so as to withstand desynchronization attacks.Consequently, it incurs heavy storage costs especially in networks with massive SMs.
To enhance security in wireless networks, quantum computing technology has been adopted.For instance, based on quantum information engineering, a technique for local energy distribution to numerous remote nodes is presented in [42], while a verification scheme applicable in a quantum channel is developed in [43].On the other hand, a blind quantum-based protocol is presented in [44], while a zero-knowledge proof is developed in [45].However, comparative performance analyses have not been carried out in [42][43][44][45].As explained in [46], blockchain technology can ensure privacy and security devoid of an authorized third party.As such, a blockchain-based protocol is presented in [47].Although blockchain technology provides traceability, improved security, and immutability, it raises serious issues regarding transparency and privacy [48].In addition, the blockchain-based protocol in [47] lacks evaluation against threats such as privileged insider and physical capture.To avert the misuse and malicious manipulation of battery equipment and data, a robust security scheme is presented in [49].Although this technique protects against counterfeiting and possible software backdoors, its comparative security and performance evaluations are missing.
Based on the above discussions, it is clear that many schemes have been developed to address security and privacy issues in the smart grid environment.However, most of them still have challenges in terms of privacy, performance, or security.There is, therefore, a need for the development of novel protocols that can help alleviate these challenges.

The Proposed Protocol
The network model of our protocol comprises a utility service provider (USP), a trusted control server (TC), and a smart meter (SM), as evidenced in Figure 1.The TCS executes system initialization and generates the secret values for the SM and the USP during the registration phase.
The SM measures electricity usage on the client end and transmits power consumption reports to the USP over public channels.At the USP, these reports are processed and analyzed to facilitate decision making, which may include dynamic power adjustments.Table 1 describes the symbols used throughout this paper.The SM measures electricity usage on the client end and transmits power consumption reports to the USP over public channels.At the USP, these reports are processed and analyzed to facilitate decision making, which may include dynamic power adjustments.Table 1 describes the symbols used throughout this paper.Our scheme executes five major steps, which encompass system setup, entity registration, mutual authentication, key negotiation, and parameter refresh phases.Algorithm 1 summarizes this protocol, and the sub-sections that follow give the details of these phases.Our scheme executes five major steps, which encompass system setup, entity registration, mutual authentication, key negotiation, and parameter refresh phases.Algorithm 1 summarizes this protocol, and the sub-sections that follow give the details of these phases.(13) Terminate session (14) Else:

System Setup
In this phase, the TCS selects its master key as K TCS .This is followed by the generation of its unique identity ID TCS , the smart meter's unique identity ID SM , as well as the private key of the smart meter, K SM , as shown in Figure 2.

Registration
In this particular phase, the smart meters are registered at the TCS before they are deployed in the actual field.In addition, the USP is also registered at the TCS prior to exchanging data with the smart meters.The following sub-sections describe this phase in more detail.

Smart Meter Registration
The subsequent three procedures are executed to register the smart meter SMi to the TCS.To accomplish this, secure communication channels are deployed.
Step 1: The SMi chooses a random nonce R1 to derive its pseudo-identity PIDSM = h (IDSM||R1).It then composes registration message Reg-1 = {PIDSM, R1} that is forwarded to the TCS over secure communication media, as shown in Figure 2.

Utility Service Provider Registration
To register to the TCS, the USP needs to execute the following three procedures.

Registration
In this particular phase, the smart meters are registered at the TCS before they are deployed in the actual field.In addition, the USP is also registered at the TCS prior to exchanging data with the smart meters.The following sub-sections describe this phase in more detail.

Smart Meter Registration
The subsequent three procedures are executed to register the smart meter SM i to the TCS.To accomplish this, secure communication channels are deployed.
Step 1: The SM i chooses a random nonce R 1 to derive its pseudo-identity PID SM = h (ID SM ||R 1 ).It then composes registration message Reg-1 = {PID SM , R 1 } that is forwarded to the TCS over secure communication media, as shown in Figure 2.
Step 2: When it receives message Reg-1, the TCS selects a random nonce R 2 that is deployed to compute the shared key K TSM = h (PID SM ||R 1 ||R 2 ).Next, the TCS stores {PID SM , K TSM , R 1 } in its repository.Next, registration message Reg-2 = {K TSM } is constructed and forwarded to the SM i , as evidenced in Figure 2. Afterwards, the TCS publishes PID SM .
Step 3: Upon receiving the message Reg-2, the smart meter SM i derives A 1 = R 1 ⊕h (ID SM ||K SM ) and A 2 = K TSM ⊕h (R 1 ||K SM ).Thereafter, it stores {A 1 , A 2 , PID SM } in its memory.

Utility Service Provider Registration
To register to the TCS, the USP needs to execute the following three procedures.
Step 1: The USP chooses its real identity ID USP and secret key K USP .Next, it generates a random nonce R 3 that is used to calculate its pseudo-identity PID USP = h (ID USP ||R 3 ).Thereafter, it constructs registration message Reg-3 = {PID USP }, which is transmitted to the TCS, as depicted in Figure 2.
Step 2: After receiving registration message Reg-3, the TCS calculates shared key K UT = h (PID USP ||K TCS ||R 2 ) and A 3 = h (PID USP ||K UT ).Next, it stores {PID USP , A 3 , K UT } in its database.Finally, registration message Reg-4 = {K UT , A 3 } is composed and sent to the USP.
Step 3: Upon receiving message Reg-4, the USP derives

Authentication and Key Setup
To securely exchange power consumption reports and adjustment commands, the USP and SM i must first mutually validate one another.This is followed by the establishment of a session key for message protection over the public internet.The subsequent nine steps are utilized to accomplish these two processes.
Step 1: The USP operator supplies parameter set {ID USP , K USP }, after which values in a manner such that the communication session is aborted if these two parameters are not identical.Otherwise, the USP randomly generates nonce R 4 , which is used to derive = C 1 such that the communication session is halted when this check flops.If not, the TCS fetches K TSM and R 1 corresponding to PID SM .
Step 3: The TCS randomly generates number R 5 , which is used to calculate is composed and passed over to the SM i .

TCS USP
Input {IDUSP, KUSP}  = D 5 such that it terminates the session when this validation fails.Otherwise, it deletes parameter set {PID USP , A 3 } from its database.

Parameter Update
In this phase, the USP's private key KUSP is updated using the following two steps.
Step 1: The operator supplies their unique identity ID USP as well old secret key K USP Old .This is followed by the derivation of parameter = B 1 such that this authentication is halted when this check fails.Otherwise, the operator is prompted to input the new secret key K USP New .

Security Analysis
In most of the authentication protocols, both formal and informal security analyses are carried out.As such, we present these analyses in this section and provide further details in the sub-sections that follow.

Formal Security Analysis
To accomplish this analysis, BAN logic is deployed to show that USP and SM i authenticate each other based on fresh and reliable data.Essentially, this involves the verification of the origin, freshness, and legitimacy of the exchanged messages.The notations in Table 2 are used throughout this formal analysis.

Notation Details
The BAN logic postulates are described using a number of rules that are detailed in Table 3 below.

Freshness rule (FR)
Next, we lay bare that our protocol offers protected mutual validation between the SM i and the USP.In our protocol, four messages are exchanged during the processes of entity verification and session key setup.These particular messages are idealized as follows: Auth- )) K UT Using the BAN logic analytic procedures, our scheme should uphold the four security goals (GLs) below.
To ensure that the BAN logic analysis of our scheme is successfully executed, a number of initial state assumptions (AS i ) are made as follows.
AS 1 : TCS| ≡ (USP AS 5 : TCS| ≡ (TCS AS 7 : USP| ≡ (USP The effectual attainment of all the formulated security objectives implies that the USP, TCS, and SM have executed secure mutual authentication and can now proceed to exchange data.

Informal Security Analysis
In this sub-section, both the Dolev-Yao (DY) and Canetti-Krawczyk (CK) threat models are deployed to show the robustness of our protocol against typical smart grid attacks.Essentially, we make some assumptions about the attacker's capabilities and then show how our protocol counters the attacker's capabilities in both the DY and CK models.These attack capabilities are well articulated in [50].The goal is to obtain the real identities of the USP, TCS, and SM i that can facilitate the tracking of these entities.Evidently, these identities are encapsulated in other parameters (such as nonces R 1 , R 4 , R 5 , and R 6 ) before being hashed.Towards the end of each session, secret parameter PID USP is updated as PID USP * = h (PID USP ||R 4 ).As such, all the messages are dynamic for each session.□ Theorem 2. Spoofing and impersonation attacks are thwarted.
Proof.The main objective of these attacks is to spoof exchanged messages so as to masquerade oneself as a legitimate network entity.The following three cases demonstrate the resilience of our scheme against these threats.□ It is clear that all these messages incorporate random nonces such as R 1 , R 4 , R 5 , and R 6 .In addition, any successful modification of these messages requires knowledge of identities (ID USP , ID TCS , ID SM ) and shared keys (K UT , K TSM ), all of which are unavailable to Ä. □ Theorem 7. Privileged insider attacks are effectively prevented.
Proof.Let us assume that some privileged insider Ä has accessed USP's pseudo-identity (PID USP ) during the registration phase.In addition, Ä has access to {A 5 , B 1 , B 2 , B 3 } stored in the USP's database.With all these parameters, Ä makes some attempts in deriving session key SK SU = h (h (ID USP ||R 4 )||h (ID TCS ||R 5 )||h (ID SM ||R 6 ).However, Ä does not know real identities (ID USP , ID TCS , ID SM ) and random nonces (R 4 , R 5 , R 6 ).Therefore, this attack will fail.□ Theorem 8.The proposed scheme can resist de-synchronization and backdoor-based DoS attacks.
Proof.The objective of these threats is to alter and block exchanged messages so as to interfere with future mutual verification processes among the USP, TCS, and SM i .This can be occasioned by some SG and SM firmware-containing backdoors.Suppose that Ä wants to de-synchronize the next authentication session by modifying Auth-1, Auth-2, and Auth-3.However, Theorem 6 demonstrates the difficulty in modifying these messages devoid of random nonces, real identities, and shared keys.Let us assume that Ä wants to block all the transmitted messages so as to interfere with the synchronization procedures among the USP, TCS, and SM i .To achieve this, USP's pseudo-identity PID USP , incorporated in all four authentication messages, is utilized.However, in Step 7 above, our scheme refreshes this parameter as PID USP * = h (PID USP ||R 4 ) and includes it in parameters

Proof.
The assumption made in these attacks is that Ä is able to obtain {A 5 , B 1 , B 2 , B 3 } from the USP's database.Here, , and B 3 = K UT ⊕h (A 3 ||A 4 ).It is clear that these messages are encapsulated with random nonce, ID USP , and K USP .In accordance with Theorem 5, Ä cannot easily ascertain identity ID USP and random nonces.Since K USP is the USP's private key, it is not available to Ä and cannot be eavesdropped over public channels.□ Theorem 10.Our scheme is robust against KSSTI and ephemeral secret leakage attacks.
Proof.The purpose of this attack is to enable adversary Ä to access session-specific tokens such as nonces R 1 , R 2 , R 3 , R 4 , R 5 , and R 6 .Thereafter, Ä attempts some KSSTI under the CK-adversarial model.This might include an attempt to derive the session key SK SU = h (h (ID USP ||R 4 )||h (ID TCS ||R 5 )||h (ID SM ||R 6 ).However, even with these ephemerals, Ä cannot derive SK SU .This is because the real identities of the SM i , TCS, and USP (ID USP , ID TCS , ID SM ) are required.Based on Theorem 5, Ä cannot easily ascertain these identities, and, hence, this attack flops.□ Theorem 11.The proposed protocol can withstand physical attacks.

Proof.
The assumption made here is that adversary Ä has physically obtained the SM i upon which the stored values {A 1 , A 2 , PID SM } in its memory are extracted via a power analysis.Here, A 1 = R 1 ⊕h (ID SM ||K SM ), A 2 = K TSM ⊕h (R 1 ||K SM ), and PID SM = h (ID SM ||R 1 ).The next objective is to ascertain SM i 's identity (ID SM ), shared key (K TSM ), and SM's private key (K SM ).However, these values are masked with random nonces before being hashed.Since reversing the one-way hashing function is computationally cumbersome, our scheme is robust against physical attacks.□

Performance Evaluations
Storage, computation, supported security, and privacy features, as well as communication complexities are most often utilized as metrics to evaluate authentication protocols.As such, we deploy such metrics in our comparative performance evaluations as detailed below.

Computation Overheads
During the mutual verification and key setup phase, our scheme executes only oneway hashing (T H ) operations.Specifically, 7T H and 16T H operations are executed on the smart meter and utility service provider sides, respectively.The time complexities of the diverse cryptographic functions in the smart meter are computed on a 1 GB RAM, 1.2 GHz CPU, Quad-core Raspberry Pi-3, while the USP cryptographic primitives are computed on an 8 GB RAM, Core i7-6700 laptop equipped with a 3.40 GHz CPU.Under these two environments, the execution durations are presented in Table 4. Using the execution durations in Table 4 as a basis, the total computation complexity of our scheme is 2.805 ms.Table 5 details the derivation and comparison of the computation complexities of other peer approaches.As demonstrated in Figure 4, the technique in [22] has the longest execution time of 237.381 ms.This can be explained by the computationally extensive bilinear pairings in [22].This is followed by the protocols in [6], [31], [32], [1], [13], [47], [10], [29], and [33] respectively.Conversely, our protocol incurs the least computation complexities.Even though the approach in [33] has a relatively lower execution time, it cannot withstand guessing, KSSTI, eavesdropping, ephemeral secret leakage, spoofing, and physical capture attacks.In the SG environment, the majority of components does not have a high computation power; hence, our protocol is the most suitable for deployment.

Communication Overheads
In our scheme, messages Auth-1, Auth-2, Auth-3, and Auth-4 are exchanged during the verification and key setup phase.The specific details of these messages are as follows.

Communication Overheads
In our scheme, messages Auth-1, Auth-2, Auth-3, and Auth-4 are exchanged during the verification and key setup phase.The specific details of these messages are as follows.

Storage Overheads
In our scheme, value sets {A5, B1, B2, B3} and {A1, A2, PIDSM} are stored in the USP In addition, it cannot offer entity untraceability and anonymity.Finally, the scheme [31] is not robust against spoofing, de-synchronization, DoS, privileged insider, guessing, eavesdropping, ESPL, and forgery attacks.Evidently, our protocol provides a good balance between security and communication complexity.

Storage Overheads
In our scheme, value sets {A 5 , B 1 , B 2 , B 3 } and {A 1 , A 2 , PID SM } are stored in the USP database and smart meter memory, respectively.Here, A 5 = B 1 = B 2 = B 3 = A 1 = A 2 = PID SM = 160 bits.Consequently, the cumulative storage complexity in our scheme is 1120 bits, or 140 bytes.Table 7 shows the derivation of the storage complexities of our scheme as well as those ones of its peers.The specific details of the various parameters stored in the related schemes are described in Table 8.
Feature supported; × Feature not supported or not considered.

Supported Functionalities
The protocol developed in this paper offers a wide range of salient security and privacy features and is robust against several attacks.Table 9 provides a comparative evaluation of the security characteristics of our scheme as well as its resilience to attacks.
As revealed in Table 9, the scheme in [6] supports only six features and, hence, is the least secure.This is followed by the protocol in [47], which supports seven features.In contrast, the schemes in [10,13,22] support eight features and, hence, have been rated third.This is followed by the protocols in [32], [31], [1], [33], and [29], which offer support for 9, 10, 11, 11, and 15 characteristics, correspondingly.
Conversely, our scheme supports all 18 security and privacy features.Using the 15 features provided in [29] as a basis, our scheme offers a 20% improvement in smart grid networks' security posture.

Conclusions
The consumer consumption report and power adjustments data exchanged between SMs and SPs are exposed to many privacy and security threats.This is due to the utilization of insecure communication channels for the message communication procedures.Such attacks include ephemeral secret leakage, denial of service, eavesdropping, tampering, and forgery.To address this challenge, many security solutions have been developed recently.Nevertheless, the majority of these solutions has been shown to be inefficient or have some susceptibilities that render them inappropriate for smart meters.In this paper, a security protocol that is provably secure has been developed.It has also been demonstrated to be resilient against attacks such as privileged insider, de-synchronization, DoS, guessing, KSSTI, eavesdropping, EPSL, spoofing, physical capture, impersonation, replay, MitM, and forgery.In addition, it provides security functionalities such as anonymity, strong authentication, session key agreement, session key security, and untraceability.In terms of performance, it incurs the least computational costs and relatively lower storage and communication costs.Future work will feature the development of novel approaches that can further reduce the incurred storage and communication overheads.

Theorem 9 .
D 3 = h (A 3 ||R 4 )⊕(h (ID TCS ||R 5 )||h (ID SM ||R 6 )||PID USP *) and D 4 = h (PID USP ||R 4 ||h (ID TCS ||R 5 )||h (ID SM ||R 6 )||PID USP *||K UT ).Thereafter, authentication message Auth-4 = {D 3 , D 4 } is relayed to the USP.Provided that PID USP *is valid, it then passes the D 4 * ?= D 4 check.Otherwise message Auth-4 is rejected at the USP.Upon the successful verification of PID USP *, the USP derives and sends D 5 = h (SK SU ||PID USP *) to the TCS for further validation through the D 5 * ?= D 5 check.It is only after the successful verification of PID USP * that TCS deletes parameter set {PID USP , A 3 } from its database.Otherwise, the TCS continues to store these two values to stay in sync with the USP.□ Offline guessing attacks are resisted.

Table 8 .
Details of stored parameters.SM sj , SMpr j , S M SM's private keys R M , SM's public key R 2 Keying parameter based on smart meter's public key x C , K j USP's private keys H 1 , H 2 , H, H (..), h (.), H 1 , H 2 , H 3 , H 4 One-way hash functions n, E, P Elliptic curve E and a point P of order n F P Finite field x j , y j , X i , LS SMi , σ j , ST j , A i , A j , SID i , B i , y M, y AHE , g Derived intermediary parameters SM IDj , ID i , SMID j SM's unique identity idST j Unique identifier for SM SID j USP's unique identity M k Master key N 1 , a i , a j , RN r , r M , r AHE Random numbers S i SM's unique identification stored in the table PIDi, Pidst j , TID SMi , RID i Pseudo-identities for SM PCUID j , RID j Pseudo-identities for USP TC i SM's temporal credential TC j USP's temporal credential E(a, b), G, E p (a, b) Elliptic curve with base point G.
P, G 1 , G 2 Generator of G 1 , cyclic additive group, and cyclic multiplicative group, respectively q Prime order of G 1 and G 2 e Pairing operation Ppub Public key of the trust anchor CH SMi Registration authority (RA) challenge parameter HD Helper data Cryptography 2024, 8, x FOR PEER REVIEW 21 of 24