A lightweight authentication scheme with privacy protection for smart grid communications Source: Future Generation Computer Systems Volume 100, November 2019, Pages 770-778 Authors: Liping Zhang, Lanchao Zhao, Shuijun Yin, Chi-Hung Chi, Ran Liu, Yixin Zhang Speaker: Yao-Zhu Zheng Date: 2019/08/15

Outline Introduction Proposed scheme Experimental results Conclusions

Introduction The grid

Introduction Smart grid Smart meter

Proposed scheme Registration phase Authentication and key agreement phase

Proposed scheme - Notations Description SMi i th smart meter of the smart grid SPj j th service provider of the smart grid IDi Identity of SMi IDj Identity of SPj s Master key of SPj r1, r2, r3 High entropy random numbers h() Collision-resistant hash function ⊕ Exclusive-or operation || Concatenation operation Qi Unique identifier of SMi k Symmetric encryption key Ek()/Dk() Secure symmetric encryption/decryption algorithm with secret key k

Proposed scheme - Registration Smart Meter SMi Selects a random number r1 Service Provider SPj {IDi, r1}

Proposed scheme - Registration Smart Meter SMi Stores Mi, IDi, r1 Service Provider SPj Mi = Es((IDi⊕h(IDj || s)) || (r1⊕IDi)) Qi = h((IDi || IDj)⊕s⊕r1) Stores Qi into database {Mi}

Proposed scheme - Authentication and key agreement Smart Meter SMi Selects a random number r2 Xi = r2⊕h(IDi || r1) Service Provider SPj {Mi, Xi}

Proposed scheme - Authentication and key agreement Smart Meter SMi Service Provider SPj Ds(Mi) = (IDi⊕h(IDj || s)) || (r1⊕IDi) IDi* = IDi⊕h(IDj || s))⊕h(IDj || s) r1* = (r1⊕IDi)⊕IDi* Qi* = h((IDi* || IDj)⊕s⊕r1*) Searches Qi * in Qi dynamic string

Proposed scheme - Authentication and key agreement Smart Meter SMi Service Provider SPj r2* = Xi⊕h(IDi* || r1*) Mi’ = Es((IDi*⊕h(IDj || s)) || (r2*⊕ IDi*) Selects a random number r3 k = h(IDi*⊕r1*⊕r2*)

Proposed scheme - Authentication and key agreement Smart Meter SMi Service Provider SPj Authji = Ek((h((IDi*⊕r2*) || r1*)⊕r3) || h(IDi* || r1* || r2*) || Mi’) SKSP = h(IDi* || r1* || r2* || r3) {Authji}

Proposed scheme - Authentication and key agreement Smart Meter SMi k’ = h(IDi⊕r1⊕r2) Dk’(Authji) = (h((IDi*⊕r2*) || r1*)⊕r3) || h(IDi* || r1* || r2*) || Mi’ Checks h(IDi || r1 || r2) ?= h(IDi* || r1* || r2*) Service Provider SPj

Proposed scheme - Authentication and key agreement Smart Meter SMi r3* = (h((IDi*⊕r2*) || r1*)⊕r3)⊕ h((IDi⊕r2) || r1) SKSM = h(IDi || r1 || r2 || r3*) Authij = h(SKSM || r3*) Service Provider SPj {Authij}

Proposed scheme - Authentication and key agreement Smart Meter SMi Service Provider SPj Checks Authij ?= h(SKSP || r3) Qinew = h((IDi* || IDj)⊕s⊕r2*) Replaces (Qi, Qio) with (Qinew, Qi) Ackji = h(r2*⊕r3 || r1*) {Ackji}

Proposed scheme - Authentication and key agreement Smart Meter SMi Checks Ackji ?= h(r2⊕r3* || r1) Replaces (r1 , Mi) with (r2 , Mi’) Service Provider SPj

Experimental results - Security comparison Security property [9] [12] [16] [21] Proposed scheme Replay attack O Man-in-meddle attack Impersonation attack X Perfect forward secrecy Known-key security Session-key security Mutual authentication Smart meter anonymity - Smart meter untraceability De-synchronization attack Stolen verifier attack

Experimental results - Performance comparison Schemes Smart meter Service provider Total cost [9] 3Th + 1Td 3Th 6Th + 1Td [12] 3Th + 2Tm 4Th + 3Tm 7Th + 5Tm [16] 2Th + 3Tm+ 1Ta 5Th + 5Tm+ 1Ta [21] 3Th + 1Te +1Td + 2Tm+ 2Thmac 4Th + 1Te +1Td + 3Tm+ 2Thmac 7Th + 2Te +2Td + 5Tm+ 4Thmac Proposed scheme 7Th + 1Td 9Th + 1Td+ 2Te 16Th + 2Td+ 2Te Th : Time for the execution of a one-way hash function. Te / Td : Time for the execution of a symmetric encryption/ decryption operation. Tm : Time for the execution of a point multiplication operation of elliptic curve. Ta : Time for the execution of a point addition operation of elliptic curve. Thmac : Time for the execution of a Hash-based Message Authentication Code (HMAC) operation.

Experimental results - Performance comparison Schemes Smart meter Service provider Total cost [9] 0.047 ms 0.005 ms 0.052 ms [12] 14.868 ms 0.825 ms 15.693 ms [16] 15.014 ms 0.851 ms 15.965 ms [21] 16.346 ms 0.976 ms 17.306 ms Proposed scheme 0.245 ms 0.102 ms 0.347 ms Th : Time for the execution of a one-way hash function. Te / Td : Time for the execution of a symmetric encryption/ decryption operation. Tm : Time for the execution of a point multiplication operation of elliptic curve. Ta : Time for the execution of a point addition operation of elliptic curve. Thmac : Time for the execution of a Hash-based Message Authentication Code (HMAC) operation.

Experimental results - Performance comparison Operation BCM2836 Intel Pentium G850 SHA1 (16 Bytes) 7821 ns 1599 ns Xor (16 Bytes) 2561 ns 475 ns AES-128 encryption (16 Bytes) 17614 ns 3910 ns AES-128 decryption (16 Bytes) 23135 ns 4367 ns EC point multiplication (40 Bytes) 7396729 ns 270016 ns EC point addition (40 Bytes) 215588 ns 13670 ns EC point-to-hash (40 Bytes) 29229 ns 2806 ns

Experimental results - Communication cost comparison Schemes [9] [12] [16] [21] Proposed scheme Length(Bytes) 108 248 298 254 204 [9] Xia J., Wang Y. Secure key distribution for the smart grid IEEE Trans. Smart Grid, 3 (3) (2012), pp. 1437-1443 [12] Mohammadali A., Haghighi M., Tadayon M., Nodooshan A. A novel identity-based key establishment method for advanced metering infrastructure in smart grid IEEE Trans. Smart Grid, 9 (4) (2018), pp. 2834-2842 [16] Mahmood K., Chaudhry S.A., Naqvi H., Kumari S., Li X., Sangaiah A.K. An elliptic curve cryptography based lightweight authentication scheme for smart grid communication Future Gener. Comput. Syst., 81 (2018), pp. 557-565 [21] Kumar P., Gurtov A., Sain M., Martin A., Ha P. Lightweight authentication and key agreement for smart metering in smart energy networks IEEE Trans. Smart Grid (2018), pp. 1-11

Conclusions Anonymity and untraceability can be achieved with low computational cost. The proposed scheme is actually implemented on the Raspberry Pi and PC to show its feasibility and practicability.