
Blockchain assisted signature and certificate based protocol for efficient data protection and transaction management in smart grids

  • Keyan Abdul-Aziz Mutlaq,

    Roles Methodology, Writing – original draft, Writing – review & editing

    Affiliations School of Computer Sciences, Universiti Sains Malaysia, USM, Gelugor, Penang, Malaysia, IT and Communications Center, University of Basrah, Basrah, Iraq

  • Vincent Omollo Nyangaresi,

    Roles Formal analysis, Resources, Visualization

    Affiliations Department of Computer Science and Software Engineering, Jaramogi Oginga Odinga University of Science & Technology, Bondo, Kenya, Department of Applied Electronics, Saveetha School of Engineering, SIMATS, Chennai, Tamil Nadu, India

  • Mohd Adib Omar,

    Roles Project administration, Supervision, Validation

    adib@usm.my (MAO); majunchao@sztu.edu.cn (JM)

    Affiliation School of Computer Sciences, Universiti Sains Malaysia, USM, Gelugor, Penang, Malaysia

  • Zaid Ameen Abduljabbar,

    Roles Formal analysis, Investigation, Methodology

    Affiliations Department of Computer Science, College of Education for Pure Sciences, University of Basrah, Basrah, Iraq, College of Big Data and Internet, Shenzhen Technology University, Shenzhen, China, Shenzhen Institute, Huazhong University of Science and Technology, Shenzhen, China, Department of Business Management, Al-Imam University College, Balad, Iraq

  • Junchao Ma,

    Roles Resources, Supervision, Visualization, Writing – original draft

    Affiliation College of Big Data and Internet, Shenzhen Technology University, Shenzhen, China

  • Mustafa A. Al Sibahee,

    Roles Methodology, Project administration, Writing – original draft, Writing – review & editing

    Affiliations Department of Management and Marketing, College of Industrial Management for Oil and Gas, Basrah University for Oil and Gas, Basrah, Iraq, National Engineering Laboratory for Big Data System Computing Technology, Shenzhen University, Shenzhen, China

  • Abdulla J. Y. Aldarwish,

    Roles Formal analysis, Resources, Software

    Affiliation Department of Computer Science, College of Education for Pure Sciences, University of Basrah, Basrah, Iraq

  • Ali Hasan Ali

    Roles Conceptualization, Data curation, Formal analysis, Validation, Visualization

    Affiliations Department of Mathematics, College of Education for Pure Sciences, University of Basrah, Basrah, Iraq, Technical Engineering College, Al-Ayen University, Dhi Qar, Iraq

Abstract

Smart grids collect real-time power consumption reports that are then forwarded to the utility service providers over the public communication channels. Compared with the traditional power grids, smart grids integrate information and communication technologies, cyber physical systems, power generation and distribution domains to enhance flexibility, efficiency, transparency and reliability of the electric power systems. However, this integration of numerous heterogeneous technologies and devices increases the attack surface. Therefore, a myriad of security techniques have been introduced based on technologies such as public key cryptosystems, blockchain, bilinear pairing and elliptic curve cryptography. However, the majority of these protocols have security challenges while the others incur high complexities. Therefore, they are not ideal for some of the smart grid components such as smart meters which are resource-constrained. In this paper, a protocol that leverages digital certificates, signatures, elliptic curve cryptography and blockchain is developed. The formal verification using Real-Or-Random (ROR) model shows that the derived session keys are secure. In addition, semantic security analysis shows that it is robust against typical smart grid attacks such as replays, forgery, privileged insider, side-channeling and impersonations. Moreover, the performance evaluation shows that our protocol achieves a 17.19% reduction in the computation complexity and a 46.15% improvement in the supported security and privacy features.

1. Introduction

The traditional power grid network faces numerous challenges regarding flexibility, energy utilization efficiency, safety and environmental protection [1]. This has led to the development of Smart Grids (SGs) which have advanced computing and sensing abilities using a number of sensors and actuators that generate and transmit real-time power related information in a bidirectional manner. In SGs, Information and communication Technologies (ICTs) are deployed to facilitate data exchange between Utility Service Providers (USPs) and the clients. This helps in the control, adjustments and optimization of power consumption based on real-time client needs as reported by the smart meters [1]. As explained in [2], SGs offer seamless integration of ICTs, distribution domains, cyber physical systems as well as power generation domains. Therefore, a typical smart grid comprises of automation technologies, power generation, distribution, transmission as well as advanced sensing and control components. These technologies help boost efficiency, reliability, transparency and flexibility of the electric power systems [3,4]. In addition, the advanced metering infrastructure, self-healing and demand response of the SGs result in optimum utilization of power stations as well as better control of consumer costs. The Smart Meter (SM) is the main component in the SGs and can generate real-time power consumption reports which are then periodically transmitted to the USPs. This normally happens after every 15 minutes. The analysis of these reports at the USPs facilitates the prediction of power demands as well as the adjustments in its generation and distribution. In so doing, the SGs reduce costs and energy consumptions while facilitating the integration of renewable energy sources [5].

Although the smart grid brings forth numerous merits in the face of increasing demand for electricity, these systems are vulnerable to numerous attacks. This situation is worsened by the many connected devices in a typical smart grid. Therefore, data confidentiality, integrity and authentication challenges are common in SGs. Authors in [6] attribute this to the heterogeneous connectivity in smart grid networks in which numerous Internet of Things (IoT) devices are incorporated to generate, distribute and transmit data in various systems such as smart meters and Supervisory Control And Data Acquisition (SCADA). In addition, the integration of ICTs in power systems has been noted in [7] to render the grid vulnerable to attacks such as impersonation, replay and Man-in-the-Middle (MitM). As explained in [2], Demand Response Management (DRM) is crucial for improved reliability and efficiency of the smart grid ecosystem. This is normally enabled by the frequent data transfer between the USPs and smart meters. Unfortunately, these data transfers are prone to many threats such as tampering. This is made worse by the transmission of the data over insecure public channels [8,9]. Therefore, adversaries can intercept the communication process and recover the consumer’s secret information. Consequently, the balancing of security, privacy, functionality and efficiency is one of the greatest challenges facing the SGs [10]. Authors in [6] explain that if data and device security are not handled properly, they can lead to grid failure.

In addition to security, user privacy leakage is another serious issue that must be solved in SGs. In this context, the adversaries can intercept electricity consumption data and try to associate it with particular users [11]. For instance, the tracking of power consumption patterns by various appliances may help attackers monitor consumer behavior, hobbies, future plans, and lifestyle as well as establish the status of the home. This helps the attackers determine when to break in and commit crimes [12]. It is evident that the large number of heterogeneous devices in the SGs exposes them to a myriad of security and privacy risks [13,14]. To counter these challenges, robust authentication must be executed to ensure that only authorized entities get access to system resources [15]. In addition, session keys must be established to facilitate secure message exchanges among the authenticated entities and uphold their privacy. Unfortunately, the majority of the conventional authentication protocols are computationally intensive and hence not suitable for resource-limited smart grid networks [5].

1.1 Contributions

The major contributions of this paper include the following:

  • We deploy digital signatures to preserve data integrity by preventing malicious tampering of the transmitted data. Since these signatures are verified at the receiver terminals, forgery and repudiation are thwarted.
  • To preserve user privacy, the real identities of the users are never sent over the public channels. In addition, all exchanged messages are enciphered using the negotiated session keys to prevent attackers from eavesdropping the communication channel and obtain user sensitive information such as real-time power consumption reports.
  • During transactions management, we validate all blocks before their addition to the blockchain. This makes it difficult for attackers to modify or corrupt the smart grid transactions.
  • The performance evaluation is executed to show that the proposed scheme has the least computation complexity and relatively low communication costs. As such, our protocol is able to offer user privacy and real-time power consumption reports protection at improved efficiencies.
  • Extensive security analysis is carried out to show that our scheme is provably secure. In addition, it is shown to support mutual authentication, key agreement, key secrecy, anonymity and untraceability. Moreover, it is demonstrated to be robust against typical smart grid attacks such as ephemeral secret leakage, eavesdropping, key escrow, session hijacking, KSSTI, replays, forgery, MitM, privileged insider, physical, side-channeling and impersonations.

The rest of this paper is structured as follows: Section 2 discusses the related works while Section 3 describes the proposed protocol. On the other hand, Section 4 presents the security analysis of the proposed protocol while Section 5 discusses its performance evaluation. Towards the end of this paper, Section 6 describes the conclusions and future works.

1.2 Motivation

The reliance on public channels for data exchanges in smart grids exposes these networks to numerous attacks such as replay, impersonation, forgery and MitM. In addition, the incorporation of ICTs has been shown to introduce numerous security threats to the SGs which can be exploited by adversaries. This might lead to the compromise of terminals such as smart meters which can then transmit falsified information to the grid, resulting in misleading data analytics, forecasting models and adjustments related to DRM. In addition, normal operations of the grid can be interfered with, or wrong power grid operations status can be fed to user terminals. Any successful interruptions on the access from smart meters to the metering system can render the control center unable to obtain real-time consumer load status, leading to power supply interruptions and grid collapse. It is also possible for attackers to monitor consumer load and correlate the time dimensions of diverse household appliances. This results in the determination of user behavioral patterns, personal preferences and activities, thereby infringing on personal privacy. Although many protocols have been developed to tackle these challenges, many of them are either vulnerable to security and privacy attacks or incur high computation [16] and communication overheads. Due to the hardware, storage capacity and computing power limitations of the smart grid components, they cannot execute highly complex cryptographic operations such as bilinear pairings. There is therefore a need to develop an efficient protocol that will help address some of these performance and security issues.

1.3 Adversarial model

We deploy the widely accepted Canetti–Krawczyk (CK) threat model, in which an adversary is thought to have a range of capabilities that can compromise the smart grid communication process. The assumption in this model is that insecure public communication channels are utilized for message exchanges, and the Registration Authority (RA) is sufficiently protected. Therefore, the adversary can eavesdrop on the channel and intercept, alter, replay and delete the transmitted data, but cannot compromise the RA. In addition, the adversary can physically capture smart grid components such as smart meters and use power analysis attacks to retrieve memory-resident secrets. Moreover, session states and keys can be accessed by the adversary.

1.4 Key design principles

Smart grid faces numerous security, performance and privacy challenges that must be addressed. Therefore, many protocols have been developed over the recent past. For instance, to preserve privacy and integrity, aggregate signature based schemes have been presented. However, signature verification in these schemes incurs high computation complexities [11]. As explained in [17], majority of the current protocols fail to support flexible key management and conditional anonymity. In addition, most of the current authentication algorithms utilize the Rivest Shamir and Adleman (RSA) for asymmetric encryption of the digital signatures.

  • Due to advances in large integer factorization, the required RSA algorithm key length has increased. Therefore, the encryption and decryption speeds have been reducing, making its hardware implementation difficult [14]. Fortunately, the Elliptic Curve Encryption (ECC) algorithm attains the same enciphering strength as RSA but at shorter key lengths. Therefore, it can solve the challenges in the RSA algorithm. ECC security is basically hinged on the problem of the Elliptic Curve Discrete Logarithm (ECDL) over the Galois fields. Mathematically, there is no sub-exponential algorithm for the ECDL problem. Since the chips in most of the smart grid devices have limited RAM size and processing power, the digital signatures must be implemented using a public key cryptography algorithm with low computation overheads but strong encryption. As explained in [14], a 160-bit ECC algorithm offers the same level of security as the 1024-bit RSA algorithm, while a 210-bit ECC algorithm’s security level is equivalent to a 2048-bit RSA algorithm. Therefore, we adopt ECC in the proposed protocol.
  • To protect the smart grid terminals, their identities and communication channels security are taken into consideration. We authenticate all terminals using digital certificates to uphold their legitimacy. On the other hand, confidentiality and integrity of the transmitted data in appendix A is protected via the negotiated session keys that are used to encipher the communication channel.
  • The smart meters collect real-time data and upload it to the USPs to facilitate DRM, which is critical for the maintenance of smart grid demand and supply stability. Therefore, assigning the USPs an additional responsibility of transactions management increases their data processing pressure, communication load and system response latencies. Therefore, we reduce pressure at the USPs by incorporating the cloud servers and blockchain centers to manage the smart meter transactions. This is due to their distributed nature, high storage capacity, computing power and low latencies.

1.5 Security and performance requirements

Mutual authentication: All the network entities must validate their identities before sharing their data.

Session key agreement: Upon successful mutual authentication, the communicating parties should negotiate session keys to encipher the exchanged data.

Key secrecy: An adversary in possession of the current session key should be unable to derive the keys for the previous as well as subsequent communication session.

Anonymity and untraceability: Attackers should be unable to discern the real identities of the smart grid entities upon eavesdropping the channel. In addition, it should be difficult to associate the captured data to any smart grid device or user.

Formal verification: The derived session keys for data enciphering should be mathematically secure.

Attacks resilience: To offer enhanced security and privacy protection, the proposed protocol should thwart conventional smart grid attacks such as ephemeral secret leakage, eavesdropping, key escrow, session hijacking, KSSTI, replays, forgery, MitM, privileged insider, physical, side-channeling and impersonations.

Low complexities: The smart grid supports high number of smart meters whose real-time power consumption data must be processed and responded to. Therefore, the proposed protocol must be lightweight to facilitate efficient processing of the massive smart meter data. This will ensure low network and processing latencies for delay-sensitive smart grid applications.

2. Related work

Efficient, reliable and secure communication procedures are crucial for the smart grid networks [18]. Therefore, many schemes have been put forward over the recent past. For instance, certificate based authentication protocols are presented in [2,19]. In addition, a certificate-based data aggregation technique is introduced in [20]. However, the demand response management scheme in [2] has high computation costs due to numerous elliptic curve point multiplications and has not been analyzed against attacks such as session hijacking, privileged insider and ephemeral secret leakage. Similarly, the security mechanisms in [19,20] have not been evaluated against attacks such as privileged insider and side-channeling. On its part, the scheme in [21] does not support untraceability and protection against attacks such as side-channeling. To offer enhanced security, blockchain-based schemes are developed in [5,22–26]. However, security analyses in [5,24] fail to include attacks such as privileged insider and ephemeral secret leakage. Similarly, security analysis of the scheme in [25] is missing while the privacy preserving technique in [22] is not evaluated against side-channeling and forgery attacks. On the other hand, the protocol in [23] is never analyzed against many attacks such as forgery while the scheme in [26] lacks formal security evaluation.

To support user privacy and data integrity, conventional blind signature based schemes have been developed in [27–29] while ring signature based protocol is introduced in [11]. Similarly, identity-based blind signature protocols are presented in [30–33] while signature and encryption technique is developed in [34]. In addition, group signature-based scheme is introduced in [35] while the protocol in [36] combines blind and group signatures to offer privacy protection. Moreover, certificate-less blind signature technique is developed in [1] while a certificate-based blind signature mechanism is presented in [37]. Although these signature-based schemes solve user data integrity issues, they are susceptible to quantum attacks [33]. In addition, most of these signature schemes have numerous security issues and some of them are inefficient due to bilinear pairing operations [1,38]. For instance, the scheme in [11] cannot offer key secrecy, untraceability and lacks formal verification. As explained in [11], group signature is facilitated by group administrator and hence may trace the identity of the group members. On its part, the scheme in [33] lacks semantic security analysis while the protocol in [1] has not been evaluated against attacks such as privileged insider, side-channeling and MitM. On the other hand, the protocol in [32] fails to offer support for trust measurement. Due to its requirement for the maintenance of the certificate revocation list, this approach incurs extra overheads. Although the scheme in [39] can address this problem, it relies on a third party for secure session establishment between smart grid devices.

To protect against various insider and outside attacks, an ECC-based scheme is developed in [40]. However, this scheme incurs extensive communication and computation overheads. To preserve privacy during data sharing, secure aggregation techniques are presented in [41–43]. Although the scheme in [41] does not depend on trusted third parties and can prevent collusion attacks, its fault tolerance is low [10] and the computation costs [44] at the smart meter side are high [3]. Similarly, the protocol in [42] can prevent collusion attacks but at high communication overheads and complicated key management procedures [10]. Although the Chebyshev chaotic maps based scheme in [45] addresses this problem, it lacks evaluation against forgery and session hijacking attacks. On its part, the protocol in [43] offers privacy protection and flexible user management at high computation costs due to frequent key updates for each time slot [3]. To preserve anonymity during the authentication process, bilinear pairing based security techniques are introduced in [46,47]. Although the technique in [46] thwarts smart meter private key leakages, it only achieves one-way authentication which might expose intelligent terminals to malicious control and operation by adversaries. On its part, the protocol in [47] is susceptible to impersonation and ephemeral secret leakage attacks [48]. Due to the pairing operations, these two protocols have high computation costs [49]. This problem can be solved by the lightweight scheme in [50]. However, its versatility and communication complexity are increased due to the requirement that the USPs assign random nonces to the smart meters prior to each data collection. Although the protocol in [51] potentially solves this inefficiency issue, its formal security verification has not been done. To prevent cloning attacks, physically unclonable function (PUF) based protocols are presented in [52–54]. However, PUF-based schemes have stability challenges. On the other hand, the schemes in [55,56] incur extensive computation overheads due to bilinear and scalar multiplications, respectively. Although the protocol in [57] is relatively lightweight, it is not evaluated against threats such as session hijacking and ephemeral secret leakage. Table 1 presents a summary of these current security solutions.

It is evident that many protocols have been developed for security enhancement in smart grids. However, a number of security, performance and privacy issues still lurk in these schemes. The proposed protocol is shown to be efficient, privacy preserving and thwarts most of the attacks inherent in the above schemes.

3. The proposed scheme

The Smart Meter (SM), Service Provider (SP), the Registration Authority (RA) and the Cloud Servers (CSs) are the main components of the proposed protocol as shown in Fig 1. Here, the smart meter collects and forwards power consumption reports to the utility service provider.

However, all the smart meters and service provider must first register at the registration authority so that they are assigned the security tokens to use in the later phases. As already explained, we deploy cloud servers to offload the transaction management tasks from the service providers. Table 2 presents the symbols used throughout this paper.

Basically, our protocol comprises 5 major phases: system setup, registration, mutual authentication and key negotiation, key management, and transactions management. The sub-sections below describe these phases in greater detail.

3.1 System setup

The goal of this phase is to have the RA generate security parameters for all the network entities. These parameters are then deployed in the subsequent phases of the proposed protocol. For signature generation and verification, we deploy the Elliptic Curve Digital Signature Algorithm (ECDSA). For consensus, the Practical Byzantine Fault Tolerance (PBFT) algorithm is utilized. Here, a non-singular elliptic curve (NS-EC) and Galois field (GF) are utilized as described in the following steps.

Step 1: The RA generates IDRA as its unique identity before selecting some large prime number q and NS-EC over the GF(q). Considering some two constants a and b, where a, b, then the condition 4a³ + 27b² ≠ 0 (mod q) must be satisfied. Here, NS-EC is of the form Eq (a,b): y² = x³ + ax + b (mod q).

Step 2: The RA picks G as the base point, whose order is g, which is as large as q. Next, it chooses h(.) as some collision-resistant one way hashing function. It also chooses Esig and Ever as ECDSA signature generation and verification algorithms respectively. Moreover, PBFT is chosen as the consensus algorithm.

Step 3: The RA selects MKRA as its secret master key before using this key to derive its corresponding public key PKRA =  G. MKRA. At the end, the RA secretly stores MKRA before publishing parameter set {G, PKRA, PBFT, h(.), Eq(a, b), Esig, Ever} as shown in Fig 2.

3.2 Registration phase

The aim of this phase is to register the cloud server, smart meters and the utility service providers. This registration is carried out with the help of the RA and is one-time process which is described in the sub-sections below.

3.2.1 Cloud server registration.

The following 3 steps are executed to register cloud server CSi to the RA.

Step 1: The RA generates CSi unique identity IDCS and some symmetric n-degree bivariate polynomial f (c, d) over finite field GF(q). Here, where p (c, d) =  p (d, c) and. The RA determines the current timestamp T1 and derives CSi pseudo-identity PIDCS =  h(IDCS||MKRA||T1).

Step 2: The RA generates random secret key η1 that is used to compute its corresponding public key PCS =  G.η1. Next, RA creates CSi certificate as ℂCS =  η1 +  h(PIDCS||IDRA||PCS||PKRA) * MKRA (mod q). It then publishes PCS before constructing registration message R1 =  {IDRA, ℂCS, PIDCS, f (PIDCS, d)} that is forwarded to CSi over secure channels. Finally, the RA deletes random secret key η1 as shown in Fig 2.

Step 3: Upon receiving registration message R1 from RA, CSi proceeds to generate its secret key SKCS and computes its corresponding public key PKCS = G.SKCS. Finally, CSi stores parameter set {IDRA, ℂCS, PIDCS, f(PIDCS, d), (SKCS, PKCS)}.

3.2.2 Smart meter registration.

The following 4 steps are carried out during the registration of smart meter SMj to the RA.

Step 1: The RA determines the current timestamp T2 and generates smart meter unique identity IDSM that is used to derive its pseudo-identity PIDSM =  h(IDSM||MKRA||T2). Next, it generates its random transient identity TIDSM.

Step 2: RA chooses some random private key η2 and derives its corresponding public key PSM =  G.η2. This is followed by the generation of SMj certificate ℂSM =  η2 +  h(PIDSM||IDRA||PSM||PKRA) * MKRA (mod q).

Step 3: The RA generates secret key SKSM together with its corresponding public key PKSM = G.SKSM. Next, it composes registration message R2 = {(TIDSM, PIDSM), ℂSM, f (PIDSM, d), IDRA, (SKSM, PKSM)} that is forwarded to the SMj for safe storage of this parameter set as shown in Fig 2.

Step 4: RA composes registration message R3 =  {TIDSM, PIDSM} that is forwarded to CSi over secure channels. Finally, the RA erases random secret key η2.

3.2.3 Utility service provider.

The following 3 steps are involved during the registration of utility service provider SPj.

Step 1: The RA determines current timestamp T3 and selects some unique identity IDSP for SPj that is used to compute its pseudo-identity PIDSP =  h (IDSP||MKRA||T3). Next, it chooses random transient identity TIDSP for SPj.

Step 2: The RA generates secret key SKSP and equivalent public key PKSP =  G.SKSP. This is followed by the publishing of PKSP.

Step 3: RA securely stores parameter set {(TIDSP, PIDSP), (SKSP, PKSP)}. Next, it constructs registration message R4 = {TIDSP, PIDSP} that is sent to the associated SPj over secure channels as shown in Fig 2.

3.3 Mutual authentication and key negotiation

During the mutual authentication between SPj and SMj, steps 1–6 are executed. Fig 3 presents a summary of the message exchanges during these procedures.

Step 1: The SPj generates random nonce ℝ1 and determines the current timestamp T4. Next, it derives A1 = G.h (ℝ1||TIDSP||PIDSP||SKSP||T4) as well as signature ℤ1 = h (ℝ1||TIDSP||SKSP||) + h(PKSP||PKSM||PKCS||T4) * SKSP (mod q). Finally, it composes authentication message AM1 = {TIDSP, A1, ℤ1, T4} that is sent to SMj over public channels as shown in Fig 3.

Step 2: Upon receiving authentication message AM1, SMj determines current timestamp T5 and checks if | T5- T4 | < ∆ T. Basically, the session is aborted when this verification fails. Otherwise, SMj validates signature ℤ1 by confirming whether ℤ1.G ≟  A1 +  h(PKSP||PKSM||PKCS||T4) * PKSP. Provided that this confirmation is valid, SMj determines the current timestamp T6 and generates random nonce ℝ2.

Step 3: The SMj derives A2 =  G.h (ℝ2||TIDSM||PIDSM||SKSM||T6) and A3 =  A1.h (ℝ2||TIDSM||PIDSM||SKSM||T6) as well as session key ɸSM =  h (A3||ℤ1||T4||T6). Next, it computes the signature on ℝ2 and ɸSM as ℤ2 =  h (ℝ2||TIDSM||PIDSM||SKSM||T6) + h(ɸSM||PKSP||PKCS||T6) * SKSM (mod q).

Step 4: SMj generates a new transient identity TIDSPNew for SPj. Next, it computes TIDSP * =  TIDSPNew ⊕ h (TIDSP||ɸSM||ℤ2||T6). Finally, it composes authentication message AM2 =  {TIDSP * , A2, ℤ2, T6} that is transmitted over to the SPj through public channels as shown in Fig 3.

Step 5: On receiving authentication message AM2 at timestamp T7, the SPj checks if | T7- T6 | < ∆ T. Provided that this verification fails, the session is terminated. Otherwise, it computes A4 =  A2.h (ℝ1||TIDSP||PIDSP||SKSP||T4) and session key ɸSP =  h (A4||ℤ1||T4||T6).

Step 6: The SPj validates signature ℤ2 by confirming if ℤ2.G ≟  A2 +  h(ɸSP||PKSP||PKCS||T6). PKSM. Provided that this validation succeeds, the SPj computes TIDSPNew =  TIDSP * ⊕ h (TIDSP||ɸSP||ℤ2||T6). Finally, it substitutes TIDSP with its updated version TIDSPNew in its repository.
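The exchange in steps 1–6 above, as an added Python example (not the authors' code). It assumes secp256k1 in place of the unnamed curve, SHA-256 for h(.), integer timestamps with a 5-second ∆T, and that the first term of ℤ1 is the same hash that defines A1, which is what the check ℤ1.G ≟ A1 + h(...) * PKSP requires; `register`, `check_sig` and the message field names are illustrative.

```python
import hashlib
import secrets

# Assumption: secp256k1 stands in for the paper's E_q(a, b); the paper names no curve.
P = 2**256 - 2**32 - 977                      # field prime q
A, B = 0, 7                                   # y^2 = x^3 + ax + b (mod q)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # order of G
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
DELTA_T = 5                                   # assumed freshness window, in seconds
assert (4 * A**3 + 27 * B**2) % P != 0        # non-singularity condition, setup Step 1

def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Scalar multiplication k.pt by double-and-add (not constant time)."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def h(*parts):
    """h(x1||x2||...) as a scalar mod N; the repr-based encoding is constructed."""
    data = "|".join(repr(p) for p in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def register(tid, pid):
    """Stand-in for RA registration: transient/pseudo identity plus a key pair."""
    sk = secrets.randbelow(N - 1) + 1
    return {"tid": tid, "pid": pid, "sk": sk, "pk": mul(sk, G)}

def check_sig(z, commit, e, pk):
    """The check applied to Z1 and Z2: z.G == commit + e.PK."""
    return mul(z, G) == add(commit, mul(e, pk))

def sp_start(sp, pk_sm, pk_cs, t4):
    """Step 1 (SP): build AM1 = {TID_SP, A1, Z1, T4}; k1 stays with the SP."""
    k1 = h(secrets.randbits(128), sp["tid"], sp["pid"], sp["sk"], t4)
    z1 = (k1 + h(sp["pk"], pk_sm, pk_cs, t4) * sp["sk"]) % N
    return k1, {"tid": sp["tid"], "A1": mul(k1, G), "Z1": z1, "T4": t4}

def sm_respond(sm, pk_sp, pk_cs, am1, now):
    """Steps 2-4 (SM): verify AM1, derive the session key, build AM2."""
    if abs(now - am1["T4"]) >= DELTA_T:
        raise ValueError("AM1 is stale")
    e1 = h(pk_sp, sm["pk"], pk_cs, am1["T4"])
    if not check_sig(am1["Z1"], am1["A1"], e1, pk_sp):
        raise ValueError("Z1 does not verify")
    t6 = now
    k2 = h(secrets.randbits(128), sm["tid"], sm["pid"], sm["sk"], t6)
    a2, a3 = mul(k2, G), mul(k2, am1["A1"])
    key = h(a3, am1["Z1"], am1["T4"], t6)
    z2 = (k2 + h(key, pk_sp, pk_cs, t6) * sm["sk"]) % N
    tid_new = secrets.randbits(128)
    tid_star = tid_new ^ h(am1["tid"], key, z2, t6)   # masks the new transient identity
    return key, tid_new, {"tid_star": tid_star, "A2": a2, "Z2": z2, "T6": t6}

def sp_finish(sp, pk_sm, pk_cs, k1, am1, am2, now):
    """Steps 5-6 (SP): verify AM2, derive the same key, recover the new TID."""
    if abs(now - am2["T6"]) >= DELTA_T:
        raise ValueError("AM2 is stale")
    key = h(mul(k1, am2["A2"]), am1["Z1"], am1["T4"], am2["T6"])
    e2 = h(key, sp["pk"], pk_cs, am2["T6"])
    if not check_sig(am2["Z2"], am2["A2"], e2, pk_sm):
        raise ValueError("Z2 does not verify")
    return key, am2["tid_star"] ^ h(sp["tid"], key, am2["Z2"], am2["T6"])

if __name__ == "__main__":
    # Constructed identities; real values come from the registration phase.
    sp, sm = register("TID-SP-1", "PID-SP-1"), register("TID-SM-1", "PID-SM-1")
    pk_cs = register("TID-CS-1", "PID-CS-1")["pk"]
    k1, am1 = sp_start(sp, sm["pk"], pk_cs, t4=1000)
    key_sm, tid_new, am2 = sm_respond(sm, sp["pk"], pk_cs, am1, now=1001)
    key_sp, tid_sp = sp_finish(sp, sm["pk"], pk_cs, k1, am1, am2, now=1002)
    print("keys match:", key_sm == key_sp, "| TID updated:", tid_sp == tid_new)
```

Because ℤ2 is checked against a hash that includes the session key, a modified A2 makes the SP derive a different key and the signature check fails, so key confirmation and message integrity are tested in the same step.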

3.4 Key management

The goal of this phase is to secure the transactions transmitted to the cloud servers from any of the smart grid device. For a given utility service area USA (SA = 1,2,3,….N), steps 1–6 are carried out to setup the session keys between the cloud server CSi and any smart device such as SMj.

Step 1: The CSi generates random nonce ℝ3 and determines the current timestamp T8. Next, it derives B1 = G.h (ℝ3||SKCS||PIDCS||T8), PIDCS * = PIDCS ⊕ h (PIDSM||IDRA||T8) and ℤ3 = h (ℝ3||SKCS||PIDCS||T8) + h (PKCS||ℂCS||PIDCS*||TIDSM) * SKCS (mod q). Finally, it constructs key management message KM1 = {TIDSM, B1, ℂCS, ℤ3, PIDCS * , T8} that is forwarded towards SMj over public channels as shown in Fig 4.

Step 2: Upon receiving message KM1 at timestamp T9, SMj confirms whether | T9- T8 | < ∆ T. On condition that this verification is successful, SMj derives PIDCS = PIDCS * ⊕ h (PIDSM||IDRA||T8). Next, it validates the received certificate ℂCS, signature ℤ3 and TIDSM by checking if ℂCS.G ≟ PCS + h(PIDCS||IDRA||PCS||PKRA) * PKRA and ℤ3.G ≟ B1 + h (PKCS||ℂCS||PIDCS*||TIDSM) * PKCS. Provided that these conditions do not hold, the session is aborted. Otherwise, SMj generates random nonce ℝ4 and determines the current timestamp T10.

Step 3: The SMj derives B2 = G.h (ℝ4||SKSM||PIDSM||T10), B3 = B1. h (ℝ4||SKSM||PIDSM||T10), ɸSC = h (B3|| f (PIDSM, PIDCS)||ℂSM||ℂCS) and ℤ4 = h (ℝ4||SKSM||PIDSM||T10) + h (PKSM||ℂSM||IDRA||ɸSC) * SKSM (mod q).

Step 4: The SMj generates TIDSMNew and computes TIDSM * =  TIDSMNew ⊕ h (TIDSM|| f (PIDSM, PIDCS)||ɸSC||T10). It then composes key management message KM2 =  {TIDSM * , ℂSM, B2, ℤ4, T10} that is transmitted over to CSi via public channels. Finally, SMj substitutes TIDSM with its updated version TIDSMNew.

Step 5: On receiving message KM2 at timestamp T11, the CSi checks if | T11- T10 | < ∆ T and aborts the session if this validation fails. Otherwise, it validates the received certificate ℂSM by confirming whether ℂSM.G ≟ PSM + h(PIDSM||IDRA||PSM||PKRA) * PKRA. Provided that this verification is unsuccessful, the session is terminated. Otherwise, it derives B4 = B2. h (ℝ3||SKCS||PIDCS||T8) and session key ɸCM = h (B4||f (PIDCS, PIDSM)||ℂSM ||ℂCS).

Step 6: CSi validates signature ℤ4 by checking if ℤ4.G ≟ B2 + h (PKSM||ℂSM||IDRA||ɸCM) * PKSM. If this verification is successful, it derives TIDSMNew = TIDSM * ⊕ h (TIDSM|| f (PIDCS, PIDSM)||ɸCM||T10). Next, both the CSi and SMj set their respective session keys for payload enciphering, and the CSi substitutes TIDSM with its updated version TIDSMNew in its repository.
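The six key-management steps above, run end to end as an added example (this is not the authors' code). Assumptions: secp256k1 as the curve, SHA-256 as h(.), a stand-in symmetric polynomial for f, and the relations P_X = η.G and PK = SK.G, which are inferred from the verification equations; all identities and timestamps are constructed.

```python
import hashlib, secrets

# Assumptions: secp256k1 and SHA-256 (the page names neither curve nor hash).
P = 2**256 - 2**32 - 977
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
DELTA_T = 5  # assumed freshness window, in seconds

def add(p1, p2):  # affine point addition; None is the point at infinity
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt):  # double-and-add; not constant time, illustration only
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def on_curve(pt):
    return pt is not None and (pt[1] ** 2 - pt[0] ** 3 - 7) % P == 0

def h(*parts):  # h(.): SHA-256 over length-prefixed fields, reduced mod q
    d = hashlib.sha256()
    for part in parts:
        b = repr(part).encode()
        d.update(len(b).to_bytes(4, "big") + b)
    return int.from_bytes(d.digest(), "big") % Q

def f(x, y):  # stand-in symmetric polynomial with constructed coefficients
    return (11 + 22 * (x + y) + 33 * x * y) % Q

def register(ra, mk, pid):  # RA side (inferred): P_X = eta.G, C_X = eta + h(...)*MK_RA
    eta, sk = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
    pub = mul(eta, G)
    cert = (eta + h(pid, ra["id"], pub, ra["pk"]) * mk) % Q
    return dict(pid=pid, tid=secrets.randbits(64), P=pub, cert=cert, sk=sk, pk=mul(sk, G))

def check(ok, why):
    if not ok:
        raise ValueError(why)
def cert_ok(cert, pid, pub, ra):  # C.G == P + h(PID||ID_RA||P||PK_RA).PK_RA
    return mul(cert, G) == add(pub, mul(h(pid, ra["id"], pub, ra["pk"]), ra["pk"]))
def sig_ok(z, commit, e, pk):  # Z.G == commit + e.PK, with commit on the curve
    return on_curve(commit) and mul(z, G) == add(commit, mul(e, pk))

def cs_km1(cs, sm_rec, ra, t8):  # Step 1 (CS_i)
    k3 = h(secrets.randbelow(Q), cs["sk"], cs["pid"], t8)  # h(nonce||SK_CS||PID_CS||T8)
    pid_star = cs["pid"] ^ h(sm_rec["pid"], ra["id"], t8)
    z3 = (k3 + h(cs["pk"], cs["cert"], pid_star, sm_rec["tid"]) * cs["sk"]) % Q
    return k3, {"TID": sm_rec["tid"], "B1": mul(k3, G), "C": cs["cert"],
                "Z3": z3, "PID*": pid_star, "T8": t8}

def sm_km2(sm, km1, cs_pub, ra, now):  # Steps 2-4 (SM_j); now serves as T9 and T10
    check(abs(now - km1["T8"]) < DELTA_T, "stale KM1")
    pid_cs = km1["PID*"] ^ h(sm["pid"], ra["id"], km1["T8"])
    check(cert_ok(km1["C"], pid_cs, cs_pub["P"], ra), "bad CS certificate")
    e3 = h(cs_pub["pk"], km1["C"], km1["PID*"], km1["TID"])
    check(km1["TID"] == sm["tid"], "unknown TID")
    check(sig_ok(km1["Z3"], km1["B1"], e3, cs_pub["pk"]), "bad Z3")
    k4 = h(secrets.randbelow(Q), sm["sk"], sm["pid"], now)  # h(nonce||SK_SM||PID_SM||T10)
    fv = f(sm["pid"], pid_cs)
    key = h(mul(k4, km1["B1"]), fv, sm["cert"], km1["C"])  # phi_SC, from B3
    z4 = (k4 + h(sm["pk"], sm["cert"], ra["id"], key) * sm["sk"]) % Q
    tid_new = secrets.randbits(64)
    km2 = {"TID*": tid_new ^ h(sm["tid"], fv, key, now), "C": sm["cert"],
           "B2": mul(k4, G), "Z4": z4, "T10": now}
    return key, tid_new, km2

def cs_finish(cs, k3, km2, sm_rec, ra, now):  # Steps 5-6 (CS_i)
    check(abs(now - km2["T10"]) < DELTA_T, "stale KM2")
    check(cert_ok(km2["C"], sm_rec["pid"], sm_rec["P"], ra), "bad SM certificate")
    check(on_curve(km2["B2"]), "B2 not on curve")
    fv = f(cs["pid"], sm_rec["pid"])
    key = h(mul(k3, km2["B2"]), fv, km2["C"], cs["cert"])  # phi_CM, from B4
    e4 = h(sm_rec["pk"], km2["C"], ra["id"], key)
    check(sig_ok(km2["Z4"], km2["B2"], e4, sm_rec["pk"]), "bad Z4")  # doubles as key confirmation
    return key, km2["TID*"] ^ h(sm_rec["tid"], fv, key, km2["T10"])

def run_exchange(t8=1000, t9=1001, t11=1002):  # constructed identities and times
    mk = secrets.randbelow(Q - 1) + 1
    ra = {"id": 7, "pk": mul(mk, G)}
    cs, sm = register(ra, mk, 0xC5), register(ra, mk, 0x5A)
    pub = lambda e: {k: e[k] for k in ("pid", "tid", "P", "pk")}
    k3, km1 = cs_km1(cs, pub(sm), ra, t8)
    key_sm, tid_sm, km2 = sm_km2(sm, km1, pub(cs), ra, t9)
    key_cs, tid_cs = cs_finish(cs, k3, km2, pub(sm), ra, t11)
    return key_sm, key_cs, tid_sm, tid_cs
```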

3.5 Transactions management

Data such as those in Appendix A, collected by the smart devices in the smart grid system, are regarded as being private and confidential. As such, the data from all the utility service provider coverage areas are maintained in the private blockchain. In the proposed protocol, transactions are maintained in the form of a connected chain of blocks stored in the cloud servers. At each particular moment, the voting based consensus algorithm is deployed to ensure that each cloud server holds a similar copy of blockchain BC. Since most of the smart devices in the smart grid system are limited in terms of computation power, they cannot be charged with the creation of transactions for the blockchain. Therefore, the cloud servers are assigned this task since they have superior computational and storage resources. The four major phases in the PBFT consensus algorithm are depicted in Fig 5 below.

Using this consensus algorithm, the four steps below describe the process of block addition and verification.

Step 1: The smart meters and cloud servers deploy session keys ɸCM and ɸSC already negotiated in Section 3.4 above to exchange all the collected data of appendix A. Thereafter, for a given block βn, CSi makes κτ transactions (Ψ1, Ψ2, Ψ3, …, Ψκτ). Next, CSi enciphers these transactions using PKCS as {.

Step 2: CSi uses its secret key SKCS to create a digital signature of the κτ transactions as . Next, it constructs transaction management message TM =  {(),} that basically uses to forward these enciphered κτ transactions to the blockchain center as shown in Fig 6.

Step 3: Upon receiving message TM, the CB creates block βn. Basically βn contains details such as the previous block hash ℍP, the current block hash ℍC, signature , enciphered transactions κτ, Merkle tree root on κτ, as well the public key PKCS for CSi. The detailed structure of βn is depicted in Fig 7 below.

Step 4: Upon the formation of βn at the , the leader selection algorithm is invoked to choose the leader. Next, consensus is built for block verification and addition to the blockchain as detailed in Algorithm 1.

During consensus building, each of the blockchain centers is characterized by a public-secret key pair {}. Here, is the secret key while = G. is its corresponding public key. Basically, of all blockchain centers are known to each other. As shown in Algorithm 1, the inputs to the consensus process include number of faulty nodes ΧF in the , βn and {}. Here, the leader is denoted by CBL and one of its responsibilities is to generate voting requests Vrs. Therefore, it initially generates numerous enciphered voting requests VRS utilizing the public keys of the receiver , denoted as CBR. In addition, it maintains some valid vote counter CL for the received votes. Thereafter, CBL signs these VRS before forwarding them to the respective followers CBRs together with βn. Upon receiving the signed VRS, the CBR verifies the signature in this request, deciphers it using its and validates the timestamp in VRS, as well as ℍP.

Provided that these validations are successful, CBR forwards its signature, voting response Vr along with the status of this verification VS to the CBL. Here, Vr is encrypted using the public key of CBL.

Algorithm 1. Consensus for βn verification and addition.

https://doi.org/10.1371/journal.pone.0318182.t011

After getting this response, CBL validates the CBR’s signature before counting the votes maintained by CL. This happens only when both Vr is valid and βn validation is successful. Upon receiving all the responses, CBL checks whether . Provided that this condition holds, CBL sends a commit block command CBC to all CBRs. Consequently, βn is appended to the distributed ledgers of all the peer nodes.

3.6 Secure addition of new smart grid devices

In this phase, we detail how additional smart devices such as SDk may be incorporated into the existing smart grid network. This is a 4-step process as described below and summarized in Fig 8.

Step 1: The RA chooses some unique real identity for SDk. Next, it determines current timestamp T12 and derives the pseudo-identity for SDk as = h (||MKRA||T12) as shown in Fig 8.

Step 2: RA generates random transient identity . This is followed by the derivation of its secret key . Next, it computes its corresponding public key as .

Step 3: The RA makes public before securely storing parameter set {,} in its repository.

Step 4: RA constructs smart device registration message MSDR =  {,} that is forwarded to the smart device SDk.

4. Security analysis

In this section, the formal and informal security analyses of the proposed protocol are presented. The sub-sections below describe these processes in greater detail.

4.1 Formal security analysis

In this section, we deploy the oracle model Real-Or-Random (ROR) to demonstrate the provably secure nature of the derived session keys. In our scheme, session keys are derived between utility service provider SPj and smart meter SMj, as well as between cloud server CSi and any smart device within the smart grid, such as smart meter SMj. We denote the adversary as , which is capable of launching Execute (), Corrupt (), Reveal () and Test () queries. Taking OT as an arbitrary outcome of a flipped fair coin ε, these queries are described in more detail in Table 3. In addition to these queries, h (.) is modeled as random oracle Hash which is available to as well as all other network entities SMj, SPj and CSi. We denote the ith, jth and kth instances (random oracles) of SMj, SPj and CSi as and . Suppose that instance receives the final legitimate exchanged message. In this case, is regarded as being in an accepted state. In addition, we denote the sequential ordering of all the exchanged messages in a given communication session as . Basically, becomes the session identifier of for this particular communication session. When random oracles and are mutual associates of each other, share the same for mutual authentication and both are in accepted states, then they become associates to each other.

Suppose that SPj and SMj share session key ɸSP = ɸSM between them. Then, random oracle or is regarded as being fresh if this session key is unknown to even after executing the Reveal () query. Similarly, random oracle or is fresh if session key ɸCM = ɸSC remains unknown to even after executing the Reveal () query. We let pt denote polynomial time and λCSB as the proposed certificate, signature and blockchain (CSB) based protocol. In this scenario, the advantage that (running in pt) has of breaking λCSB’s semantic security is represented as . This basically involves the compromise of session key ɸSP = ɸSM established between SMj and SPj, as well as ɸCM = ɸSC negotiated between SMj and CSi during a given session. Taking ε and ε* as valid and guessed bits respectively, then,

(1)

Suppose that the Elliptic Curve Decisional Diffie-Hellman Problem (ECDDHP), volume of Hash () queries and range space of h (.) are represented by ω, |μ| and Hn respectively. Using these notations, the advantage that adversary (running in pt) has in breaking ω is denoted as .

With the above notations, the following hypothesis can be stated.

Hypothesis 1: Suppose that is running in polynomial time pt and wants to derive session key ɸSP =  ɸSM negotiated between SPj and SMj, as well as session key ɸCM =  ɸSC established between SMj and CSi during a certain communication session. Therefore,

(2)

Proof: We deploy three games (denoted by Ġmk, where k = 0, 1, 2) to prove the above stated hypothesis. Suppose that denotes an incident of winning Ġmk via the guessing of valid bit ε. Therefore, the advantage or success probability of winning Ġmk becomes

(3)

Thereafter, the following three adversarial games are played by in an effort to break the negotiated session keys.

Ġm0: In this game, adversary carries out the actual attack against the proposed protocol . Initially, chooses some random bit ε. Based on equation (1),

| (4)

Ġm1: The aim of this game is for to eavesdrop the communication channel. To accomplish this objective, carries out the Execute () query to intercept messages AM1 = {TIDSP, A1, ℤ1, T4}, AM2 = {TIDSP * , A2, ℤ2, T6}, KM1 = {TIDSM, B1, ℂCS, ℤ3, PIDCS * , T8} and KM2 = {TIDSM * , ℂSM, B2, ℤ4, T10}. Next, performs Reveal () and Test () queries with the aim of establishing whether the derived session keys are valid or just some stochastic parameters. However, the derivation of these keys requires a combination of long term as well as short term security tokens. Due to the difficulties of compromising these tokens using the eavesdropped messages AM1, AM2, KM1 and KM2, the probability that has in successfully winning Ġm1 remains the same as that of Ġm0. Therefore,

(5)

Ġm2: The ultimate goal of this game is to perform some active attack on λCSB. To attain this goal, three queries and an attempt to solve ω are carried out. The executed queries include Corrupt (SPj), Hash () and Corrupt (SMj). The assumption made is that has already eavesdropped all the exchanged messages, including AM1, AM2, KM1 and KM2. At the start, tries to compute ɸSM = h (A3||ℤ1||T4||T6) and ɸSC = h (B3|| f (PIDSM, PIDCS)||ℂSM||ℂCS). However, this requires that correctly derives A1 = G.h (ℝ1||TIDSP||PIDSP||SKSP||T4), A2 = G.h (ℝ2||TIDSM||PIDSM||SKSM||T6), B1 = G.h (ℝ3||SKCS||PIDCS||T8) and B2 = G.h (ℝ4||SKSM||PIDSM||T10) among other tokens. Evidently, each of these parameters is protected by the collision-resistant one-way hashing function h (.) and hence attacker needs to solve ω in polynomial time pt. As already demonstrated, the success probability of in solving ω in polynomial time pt is . It is also clear that these parameters incorporate timestamps, short term secrets (such as random nonces) and long term secrets (such as private keys). To check for collisions in the message digests incorporated in the eavesdropped messages (AM1, AM2, KM1 and KM2), adversary executes the Hash () query. However, since the chosen h (.) is collision-resistant, the success of this query is negligible. As such, the exclusion of these four queries renders Ġm2 and Ġm1 indistinguishable. To find the hash collision, the birthday paradox is applied, yielding the following:

(6)

Upon adversarial execution of all these three games, finally attempts to guess the correct bit ε so as to win the game. Therefore,

(7)

Based on the semantic security definition of the proposed protocol in equation (4),

| (8)

Using the triangular inequality, equations (5), (6) and (7) on equation (8) yields the following:

(9)

Multiplying the left hand side (LHS) and right hand side (RHS) by 2 yields the following:

(10)

Since both and are both infinitesimal, it follows that is also infinitesimal in polynomial time pt. This effectively completes the proof of Hypothesis 1.

4.2 Informal security analysis

In this sub-section, we formulate and prove a number of theorems with the aim of demonstrating that our protocol is secure under all the adversarial capabilities in the Canetti–Krawczyk threat model.

Theorem 1: Ephemeral secret leakage attacks are prevented

Proof: During the mutual authentication between SMj and SPj, the SMj derives the session key as ɸSM = h (A3||ℤ1||T4||T6) that it shares with SPj. Here, A3 = A1.h (ℝ2||TIDSM||PIDSM||SKSM||T6) and ℤ1 = h (ℝ1||TIDSP||SKSP||) + h(PKSP||PKSM||PKCS||T4) * SKSP (mod q). Similarly, SPj computes the session key as ɸSP = h (A4||ℤ1||T4||T6), where A4 = A2.h (ℝ1||TIDSP||PIDSP||SKSP||T4) and ℤ1 = h (ℝ1||TIDSP||SKSP||) + h(PKSP||PKSM||PKCS||T4) * SKSP (mod q). The derivation of both A3 and A4 incorporates short term secrets such as random nonces ℝ2 and ℝ1 respectively. In addition, long term secrets such as private keys (SKSM and SKSP) for SMj and SPj are incorporated. As such, the adversary can only derive valid session keys when in possession of both long term and short term secrets (ephemerals) of SMj and SPj. Since authentication messages AM1 = {TIDSP, A1, ℤ1, T4} and AM2 = {TIDSP * , A2, ℤ2, T6} exchanged during mutual authentication do not contain these parameters in plaintext, cannot access them. As such, adversarial derivation of valid session keys flops.

Theorem 2: Backward and forward key secrecy is preserved

Proof: In the proposed protocol, four session keys are derived. During SMj ↔ SPj authentication, SMj derives the session key as ɸSM = h (A3||ℤ1||T4||T6) while SPj computes the session key as ɸSP = h (A4||ℤ1||T4||T6). Similarly, during CSi ↔ SMj, the CSi derives session key ɸSC = h (B3|| f (PIDSM, PIDCS)||ℂSM||ℂCS) while the SMj calculates session key ɸCM = h (B4||f (PIDCS, PIDSM)||ℂSM ||ℂCS). Here, A3 = A1.h (ℝ2||TIDSM||PIDSM||SKSM||T6), A1 = G.h (ℝ1||TIDSP||PIDSP||SKSP||T4), ℤ1 = h (ℝ1||TIDSP||SKSP||) + h(PKSP||PKSM||PKCS||T4) * SKSP (mod q), A4 = A2.h (ℝ1||TIDSP||PIDSP||SKSP||T4), A2 = G.h (ℝ2||TIDSM||PIDSM||SKSM||T6), B3 = B1. h (ℝ4||SKSM||PIDSM||T10), ℂSM = η2 + h(PIDSM||IDRA||PSM||PKRA) * MKRA (mod q), ℂCS = η1 + h(PIDCS||IDRA||PCS||PKRA) * MKRA (mod q) and B4 = B2. h (ℝ3||SKCS||PIDCS||T8). Evidently, all these session keys incorporate random nonces. These random nonces are independently derived by each of the communication entities and are never shared in plaintext over public channels. As such, even if captures the current session keys, adversarial derivation of session keys for past and subsequent communication sessions based on these keys will fail.

Theorem 3: Eavesdropping and session hijacking attacks are thwarted

Proof: Suppose that is interested in hijacking the communication session so as to convince unsuspecting network entities that they are communicating with legitimate entity. Therefore, an attempt is made to eavesdrop the communication channel for ephemerals that may facilitate the derivation of valid session keys. During SMj ↔ SPj authentication, messages AM1 = {TIDSP, A1, ℤ1, T4} and AM2 = {TIDSP * , A2, ℤ2, T6} are exchanged. Here, A1 = G.h (ℝ1||TIDSP||PIDSP||SKSP||T4), ℤ1 = h (ℝ1||TIDSP||SKSP||) + h(PKSP||PKSM||PKCS||T4) * SKSP (mod q), A2 = G.h (ℝ2||TIDSM||PIDSM||SKSM||T6) and ℤ2 = h (ℝ2||TIDSM||PIDSM||SKSM||T6) + h(ɸSM||PKSP||PKCS||T6) * SKSM (mod q). Next, adversarial derivation of ɸSM = h (A3||ℤ1||T4||T6) and ɸSP = h (A4||ℤ1||T4||T6) is attempted. Although timestamp T4 and T6 as well as signature ℤ1 may be obtained from the eavesdropped messages, the attacker still needs parameters A3 and A4 to successfully derive the much needed session keys ɸSM and ɸSP. While A3 is independently calculated at the SMj, A4 is independently derived at the SPj. Since these two values are never transmitted in messages AM1 and AM2 and hence cannot be eavesdropped, these attacks fail. Similarly, messages KM1 = {TIDSM, B1, ℂCS, ℤ3, PIDCS * , T8} and KM2 = {TIDSM * , ℂSM, B2, ℤ4, T10} are exchanged during CSi ↔ SMj authentication. Here, B1 = G.h (ℝ3||SKCS||PIDCS||T8), ℂCS = η1 + h(PIDCS||IDRA||PCS||PKRA) * MKRA (mod q), ℤ3 = h (ℝ3||SKCS||PIDCS||T8) + h (PKCS||ℂCS||PIDCS*||TIDSM) * SKCS (mod q), PIDCS * = PIDCS ⊕ h (PIDSM||IDRA||T8), ℂSM = η2 + h(PIDSM||IDRA||PSM||PKRA) * MKRA (mod q), B2 = G.h (ℝ4||SKSM||PIDSM||T10) and ℤ4 = h (ℝ4||SKSM||PIDSM||T10) + h (PKSM||ℂSM||IDRA||ɸSC) * SKSM (mod q). To derive session keys ɸCM = h (B4||f (PIDCS, PIDSM)||ℂSM ||ℂCS) and ɸSC = h (B3|| f (PIDSM, PIDCS)||ℂSM||ℂCS), still needs B4, PIDSM and B3. Whereas B4 is derived at the CSi, PIDSM is generated at the RA while B3 is calculated at the SMj. Once again, these two attacks fail since these parameters cannot be eavesdropped from the exchanged messages.

Theorem 4: Our scheme offers anonymity and untraceability

Proof: The aim of the adversary here is to listen to the communication channel with the aim of associating the communication sessions to particular network entities. As already demonstrated, messages AM1, AM2, KM1 and KM2 are exchanged over the public channels. Here, AM1 = {TIDSP, A1, ℤ1, T4}, AM2 = {TIDSP * , A2, ℤ2, T6}, KM1 = {TIDSM, B1, ℂCS, ℤ3, PIDCS * , T8} and KM2 = {TIDSM * , ℂSM, B2, ℤ4, T10}. Evidently, real identities of the communicating entities are not included in these messages. As such, only transient identities for SPj (TIDSP) and SMj (TIDSM) as well as the pseudo-identity of CSi (PIDCS*) can be deciphered. Therefore, these messages cannot be linked to any communicating entities. Random nonces are incorporated in all these messages since A1 = G.h (ℝ1||TIDSP||PIDSP||SKSP||T4), ℤ1 = h (ℝ1||TIDSP||SKSP||) + h(PKSP||PKSM||PKCS||T4) * SKSP (mod q), A2 = G.h (ℝ2||TIDSM||PIDSM||SKSM||T6), ℤ2 = h (ℝ2||TIDSM||PIDSM||SKSM||T6) + h(ɸSM||PKSP||PKCS||T6) * SKSM (mod q), B1 = G.h (ℝ3||SKCS||PIDCS||T8) and B2 = G.h (ℝ4||SKSM||PIDSM||T10). In addition, timestamps are also part of all the exchanged messages. As such, all the exchanged messages are always unique for each session and hence cannot be easily associated to the communicating parties.

Theorem 5: Known session-specific temporary information (KSSTI) attacks are prevented

Proof: In our scheme, the session keys are computed using a number of short term and long term keys. These session keys include ɸSM = h (A3||ℤ1||T4||T6), ɸSP = h (A4||ℤ1||T4||T6), ɸCM = h (B4||f (PIDCS, PIDSM)||ℂSM ||ℂCS) and ɸSC = h (B3|| f (PIDSM, PIDCS)||ℂSM||ℂCS). Here, A3 = A1.h (ℝ2||TIDSM||PIDSM||SKSM||T6), A1 = G.h (ℝ1||TIDSP||PIDSP||SKSP||T4), ℤ1 = h (ℝ1||TIDSP||SKSP||) + h(PKSP||PKSM||PKCS||T4) * SKSP (mod q), A4 = A2.h (ℝ1||TIDSP||PIDSP||SKSP||T4), A2 = G.h (ℝ2||TIDSM||PIDSM||SKSM||T6), B3 = B1.h (ℝ4||SKSM||PIDSM||T10), ℂSM = η2 + h(PIDSM||IDRA||PSM||PKRA) * MKRA (mod q), ℂCS = η1 + h(PIDCS||IDRA||PCS||PKRA) * MKRA (mod q) and B4 = B2.h (ℝ3||SKCS||PIDCS||T8). The short term keys are exemplified by random nonces such as ℝ1, ℝ2, ℝ3 and ℝ4. On the other hand, long term keys include secret keys such as SKSM, SKSP, PKSP, PKSM, PKCS, PKRA and MKRA. As such, the loss of session specific ephemerals such as short term keys does not enable the attacker to compromise the session keys.

Theorem 6: Our protocol is resilient against message replay attacks

Proof: To prevent this attack, timestamps and random nonces are incorporated in all the exchanged messages during the mutual authentication phase. For instance, messages AM1 = {TIDSP, A1, ℤ1, T4}, AM2 = {TIDSP * , A2, ℤ2, T6}, KM1 = {TIDSM, B1, ℂCS, ℤ3, PIDCS * , T8} and KM2 = {TIDSM * , ℂSM, B2, ℤ4, T10} all contain timestamps. On the other hand, ephemerals A1 = G.h (ℝ1||TIDSP||PIDSP||SKSP||T4), ℤ1 = h (ℝ1||TIDSP||SKSP||) + h(PKSP||PKSM||PKCS||T4) * SKSP (mod q), A2 = G.h (ℝ2||TIDSM||PIDSM||SKSM||T6), ℤ2 = h (ℝ2||TIDSM||PIDSM||SKSM||T6) + h(ɸSM||PKSP||PKCS||T6) * SKSM (mod q), B1 = G.h (ℝ3||SKCS||PIDCS||T8) and B2 = G.h (ℝ4||SKSM||PIDSM||T10) all incorporate random nonces in their derivations. Any replays of old messages will be easily detected by the timestamp checks and the sessions will only continue provided that | T5- T4 | < ∆ T, | T7- T6 | < ∆ T, | T9- T8 | < ∆ T and | T11- T10 | < ∆ T. Otherwise, the sessions will be aborted in all the instances.

Theorem 7: Strong mutual authentication is achieved

Proof: In our scheme, all the exchanged messages after the registration phase are mutually verified by the receivers. For instance, on receiving AM1 = {TIDSP, A1, ℤ1, T4}, SMj validates it by checking if | T5- T4 | < ∆ T and ℤ1.G ≟ A1 + h(PKSP||PKSM||PKCS||T4) * PKSP. On the other hand, upon receiving message AM2 = {TIDSP * , A2, ℤ2, T6}, the SPj checks if | T7- T6 | < ∆ T and ℤ2.G ≟ A2 + h(ɸSP||PKSP||PKCS||T6). Similarly, after getting message KM1 = {TIDSM, B1, ℂCS, ℤ3, PIDCS * , T8}, SMj confirms whether | T9- T8 | < ∆ T, ℂCS.G ≟ PCS + h(PIDCS||IDRA||PCS||PKRA) * PKRA and ℤ3.G ≟ B1 + h (PKCS||ℂCS||PIDCS*||TIDSM) * PKCS. On the other hand, upon receiving message KM2 = {TIDSM * , ℂSM, B2, ℤ4, T10}, the CSi checks if | T11- T10 | < ∆ T, ℂSM.G ≟ PSM + h(PIDSM||IDRA||PSM||PKRA) * PKRA and ℤ4.G ≟ B2 + h (PKSM||ℂSM||IDRA||ɸCM) * PKSM. In all these verification instances, the sessions are terminated upon checks failure.

Theorem 8: Session keys are negotiated

Proof: Immediately after successful mutual authentication, all the interacting parties derive the shared session keys for traffic protection. For instance, after authenticating SPj, the SMj derives session key as ɸSM =  h (A3||ℤ1||T4||T6). On the other hand, after verifying SMj, the SPj computes the session keys as ɸSP =  h (A4||ℤ1||T4||T6). Similarly, session key ɸSC =  h (B3|| f (PIDSM, PIDCS)||ℂSM||ℂCS) is calculated by SMj upon validation of the CSi. In the same manner, session key ɸCM =  h (B4||f (PIDCS, PIDSM)||ℂSM ||ℂCS) is derived by the CSi upon verification of SMj.

Theorem 9: All the blocks are validated before addition to the blockchain

Proof: In the proposed protocol, three-level validation is executed on all the blocks before their addition to the blockchain. Suppose that a verifier is interested in verifying block βn stored in a given blockchain. To accomplish this, derives ℜ * on all enciphered transactions in βn. In addition, it computes the ℍC * on βn. Thereafter, it verifies whether ℜ*≟ ℜ as well as ℍC*≟ ℍC. Basically, block βn is rejected when these two validations flop. However, if the verifications are successful, proceeds to validate signature on these transactions using Ever. Since βn incorporates ℍP (hash value of the preceding block), it is infeasible for to modify or corrupt the information stored in βn.

Theorem 10: Forgery and MitM attacks are prevented

Proof: The aim of these attacks is for to intercept exchanged messages and modify them to fool other network entities. Suppose that has captured authentication message AM1 = {TIDSP, A1, ℤ1, T4} and wants to generate bogus message AM1. Here, A1 = G.h (ℝ1||TIDSP||PIDSP||SKSP||T4), ℤ1 = h (ℝ1||TIDSP||SKSP||) + h(PKSP||PKSM||PKCS||T4) * SKSP (mod q). Evidently, requires private tokens such as SKSP and PIDSP as well as timestamp T4 to derive parameters A1 and ℤ1. Suppose that is interested in the derivation of message AM2 = {TIDSP * , A2, ℤ2, T6}, where A2 = G.h (ℝ2||TIDSM||PIDSM||SKSM||T6) and ℤ2 = h (ℝ2||TIDSM||PIDSM||SKSM||T6) + h(ɸSM||PKSP||PKCS||T6) * SKSM (mod q). Clearly, this requires timestamp T6 and secret tokens SKSM and PIDSM. Similarly, KM1 = {TIDSM, B1, ℂCS, ℤ3, PIDCS * , T8} and KM2 = {TIDSM * , ℂSM, B2, ℤ4, T10} derivation requires secrets SKCS, PIDCS, SKSM, PIDSM as well as timestamps T8 and T10. This is because B1 = G.h (ℝ3||SKCS||PIDCS||T8), ℂCS = η1 + h(PIDCS||IDRA||PCS||PKRA) * MKRA (mod q), ℤ3 = h (ℝ3||SKCS||PIDCS||T8) + h (PKCS||ℂCS||PIDCS*||TIDSM) * SKCS (mod q), PIDCS * = PIDCS ⊕ h (PIDSM||IDRA||T8), ℂSM = η2 + h(PIDSM||IDRA||PSM||PKRA) * MKRA (mod q), B2 = G.h (ℝ4||SKSM||PIDSM||T10) and ℤ4 = h (ℝ4||SKSM||PIDSM||T10) + h (PKSM||ℂSM||IDRA||ɸSC) * SKSM (mod q). As such, forgery and MitM attacks are thwarted.

Theorem 11: This protocol is robust against privileged insider attacks

Proof: Suppose that the RA wants to obtain secret values for the SMj, SPj and CSi. However, none of these devices generate and submit their secret parameters to the RA. On the contrary, it is the RA that creates these security tokens including secret keys. However, the RA erases these secret keys upon sending registration messages to the recipients. For instance, after sending registration message R1 =  {IDRA, ℂCS, PIDCS, f (PIDCS, d)} to CSi over secure channels, RA erases random secret key η1 used to derive some of these parameters. Similarly, after sending registration message R2 =  {TIDSM, PIDSM} to CSi over secure channels, the RA erases random secret key η2. Therefore, privileged insiders at the RA are unable to access these secret values that may enable them derive ephemerals for the network entities.

Theorem 12: Physical and side-channeling attacks are prevented

Proof: The assumption made in this attack is that can physically capture SMj as well as any other smart device within the smart grid system. In our protocol, the SMj stores parameter set {(TIDSM, PIDSM), ℂSM, f (PIDSM, d), IDRA, (SKSM, PKSM)} during the registration phase. Therefore, may opt to use power analysis to retrieve these parameters. Next, an attempt is made to utilize these parameters to derive session keys ɸSM = h (A3||ℤ1||T4||T6) and ɸSC = h (B3|| f (PIDSM, PIDCS)||ℂSM||ℂCS). Here, A3 = A1.h (ℝ2||TIDSM||PIDSM||SKSM||T6), ℤ1 = h (ℝ1||TIDSP||SKSP||) + h(PKSP||PKSM||PKCS||T4) * SKSP (mod q), B3 = B1.h (ℝ4||SKSM||PIDSM||T10), ℂSM = η2 + h(PIDSM||IDRA||PSM||PKRA) * MKRA (mod q), ℂCS = η1 + h(PIDCS||IDRA||PCS||PKRA) * MKRA (mod q). Evidently, still requires random nonces ℝ1, ℝ2 and ℝ4, timestamps T4, T6, and T10, certificate ℂCS, identity IDRA, long term key MKRA and ephemerals such as TIDSP, SKSP, B1, η1 and η2. Therefore, the communication process is still secure in the face of these two attacks.

Theorem 13: This protocol can withstand impersonation attacks

Proof: Suppose that adversary is interested in masquerading as legitimate SPj with the intention of generating authentication message AM1 = {TIDSP, A1, ℤ1, T4}. Here, A1 = G.h (ℝ1||TIDSP||PIDSP||SKSP||T4) and ℤ1 = h (ℝ1||TIDSP||SKSP||) + h(PKSP||PKSM||PKCS||T4) * SKSP (mod q). Let us assume that has generated bogus timestamp T4 * and random secret ℝ1 * and hence wants to compute legitimate A1 * and signature ℤ1 * . However, devoid of valid secret parameters SKSP and PIDSP, it is infeasible for to succeed in these derivations. Therefore, the construction of message AM1 = {TIDSP, A1, ℤ1, T4} flops. Suppose that wants to masquerade as smart meter SMj by attempting to generate message AM2 = {TIDSP * , A2, ℤ2, T6}. Here, A2 = G.h (ℝ2||TIDSM||PIDSM||SKSM||T6) and ℤ2 = h (ℝ2||TIDSM||PIDSM||SKSM||T6) + h(ɸSM||PKSP||PKCS||T6) * SKSM (mod q). Once again, this impersonation will flop if cannot access secret parameters PIDSM and SKSM.

Theorem 14: This protocol eliminates key escrow issues

Proof: During the registration phase, the SMj stores parameter set {(TIDSM, PIDSM), ℂSM, f (PIDSM, d), IDRA, (SKSM, PKSM)}. On the other hand, the RA secretly stores MKRA as well as parameter set {(TIDSP, PIDSP), (SKSP, PKSP)}. Similarly, CSi stores parameter set {IDRA, ℂCS, PIDCS, f(PIDCS, d), (SKCS, PKCS)}. During key management, mutual authentication and key negotiation phases, our scheme does not need any verifier tables. Instead, all the required parameters are independently derived and validated by the SMj, CSi and SPj.

5. Performance evaluation

In authentication protocols, computation costs, supported security features and communication costs are the most widely deployed performance metrics during their performance evaluations. Therefore, these three metrics are deployed in this section to appraise the proposed protocol. In addition, we describe the blockchain implementation of our protocol. Moreover, comparative evaluations of this scheme are provided against other related protocols as described in the sub-sections below.

5.1 Computation complexities

In this sub-section, the computation overheads are derived for both SPj and SMj authentication. The SPj and CSi experimentations are executed on a machine running Windows 10 Pro 64 bit operating system on Intel(R) Core i5-2310M processor, installed with 2 GB of RAM, and with 3 GHz Clock frequency. On the other hand, the SMj experimentations are run on Raspberry Pi-3 quad-core, installed with a 1.2 GHz CPU and 1GB of RAM. To execute the various cryptographic primitives, the MIRACL Cryptographic library is deployed. Under these specifications, the notations and execution durations for the various cryptographic primitives are presented in Table 4.

Table 4. Execution time for various cryptographic operations.

https://doi.org/10.1371/journal.pone.0318182.t004

During the SMj ↔ SPj authentication, 11TH, 8TECM and 2TECA operations are executed. Here, the SMj executes 5 TH + 3TECM + TECA while the SPj executes 6 TH + 5TECM + TECA operations. On the other hand, using the cryptographic run-times in Table 4 above, the computation complexity of the proposed protocol is detailed in Table 5. In addition, the computation complexities of other related schemes are also elaborated.

As shown in Fig 9, the protocol in [47] incurs the highest computation complexity of 269.8931ms. These high complexities can be explained by the high number of bilinear pairing operations and point multiplications that are executed in this scheme.

This is followed by the schemes in [19,40,55–57] with computation complexities of 87.0449 ms, 51.3061 ms, 42.8543 ms, 39.2284 ms and 36.7354 ms respectively. On the other hand, the proposed protocol incurs the least computation complexity of only 30.4217 ms. This is because our protocol majorly executes one-way hashing operations and a few point multiplication operations.

5.2 Communication complexities

In this section, the number and size of the messages exchanged during the mutual authentication phase, as well as the key management phase are taken into consideration. For mutual authentication, messages AM1 = {TIDSP, A1, ℤ1, T4} and AM2 = {TIDSP * , A2, ℤ2, T6} are exchanged. Here, A1 = G.h (ℝ1||TIDSP||PIDSP||SKSP||T4), ℤ1 = h (ℝ1||TIDSP||SKSP||) + h(PKSP||PKSM||PKCS||T4) * SKSP (mod q), A2 = G.h (ℝ2||TIDSM||PIDSM||SKSM||T6) and ℤ2 = h (ℝ2||TIDSM||PIDSM||SKSM||T6) + h(ɸSM||PKSP||PKCS||T6) * SKSM (mod q). Using the values in [6], Table 6 presents the sizes of the various parameters used in the proposed protocol as well as in other related schemes.

Using the values in Table 6 above, the derivation of the communication complexities of our protocol is detailed in Table 7 below.

Based on the derivations in Table 7 above, the communication complexity of the proposed protocol is 1344 bits. Table 8 presents the communication complexities of other related schemes.

As shown in Fig 10, the protocol in [21] incurs the highest communication complexity of 3424 bits. This is followed by the schemes in [40,55–57], the proposed protocol and [47] with communication complexities of 3136 bits, 2627 bits, 1920 bits, 1632 bits, 1344 bits and 1340 bits respectively.

Although the protocol in [47] incurs the lowest communication costs, it has not been evaluated against threats such as side-channeling, physical, eavesdropping and session hijacking.

5.3 Supported security features

In this section, the attacks prevented and other features supported by the proposed protocol are compared with the ones offered by other related schemes. Table 9 presents these comparisons.

As shown in Fig 11, the protocols in [21,55] support only 9 security features while the schemes in [40,56] support 11 features each. On the other hand, the schemes in [47,57] support 12 features and 13 features respectively. It is also evident that the proposed protocol offers support for all the 19 security features.

Using the scheme in [57] as the baseline, our scheme posts a 46.15% improvement in the supported security and privacy characteristics. Similarly, using the protocol in [57] as the baseline, our scheme posts a 17.19% reduction in the computation complexity. Considering smart grid components such as smart gas meters which are resource-limited, the proposed protocol is the most ideal for deployment in this environment.

5.4 Blockchain creation

To simulate the proposed protocol, we let κτ denote the transaction number threshold. When the number of transactions is equal to κτ, the cloud servers within the network have to vote to select a new CBL amongst themselves in a round-robin manner. This new CBL is now in control of block βn creation, validation and addition to BC in accordance with Algorithm 1. Node.js was deployed as the scripting environment and the sizes of the various are presented in Table 10 below.

Each generated transaction is enciphered with the help of ECC and hence its output consists of two EC points. Consequently, each enciphered is 640 bits in length and hence the total length of βn is 1184 + 640κτ bits. During the PBFT based consensus algorithm voting process, the crash fault tolerance and Byzantine tolerance were 33% while βn verification lasted between 60–70 transactions/ms. Taking m as the number of peer to peer nodes in the cloud servers, then m² messages are exchanged in each round of the four main phases of Algorithm 1. As such, the message complexity of this consensus algorithm is O(m²) and hence the cumulative volume of messages exchanged in this algorithm is given as 4m² = O(m²). On the other hand, the computation complexity during the verification of βn is 12TECM + 6TH + 6TECA, which is 21.927 ms. Similarly, the key management between any smart grid device and cloud server CSi is 14TH + 12TECM + 4TECA + 2TPL, which is 22.6288 ms.
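The following added example (not the authors' simulation code, and not Algorithm 1 itself) models the round-robin CBL rotation at threshold κτ together with the block length 1184 + 640κτ bits and the 4m² consensus message volume stated above. The function names, the server identifiers, the choice of the first server as the first CBL and the standard PBFT bound m ≥ 3f + 1 are assumptions.

```javascript
'use strict';
// Added example: CBL rotation and per-block cost model (constructed inputs).
const BLOCK_FIXED_BITS = 1184; // from the text: fixed part of block βn
const ENC_TX_BITS = 640;       // from the text: one ECC-enciphered transaction
const PBFT_PHASES = 4;         // from the text: four main phases, m^2 messages each

const blockBits = (kTau) => BLOCK_FIXED_BITS + ENC_TX_BITS * kTau;
const pbftMessages = (m) => PBFT_PHASES * m * m;
// Standard PBFT bound (assumption, not stated on the page): m >= 3f + 1.
const maxFaulty = (m) => Math.floor((m - 1) / 3);

// servers: ordered cloud server ids; kTau: transaction threshold;
// totalTx: number of submitted transactions.
// Assumption: the first rotation selects servers[0] as CBL.
function simulate(servers, kTau, totalTx) {
  const m = servers.length;
  if (m < 4) throw new RangeError('PBFT needs at least 4 nodes to tolerate one fault');
  if (!Number.isInteger(kTau) || kTau < 1) throw new RangeError('kTau must be a positive integer');
  if (!Number.isInteger(totalTx) || totalTx < 0) throw new RangeError('totalTx must be a non-negative integer');
  const blocks = [];
  let pending = 0;
  for (let tx = 0; tx < totalTx; tx++) {
    pending += 1;
    if (pending < kTau) continue;
    // Threshold reached: the next server in round-robin order becomes CBL
    // and is charged with one block plus one full consensus round.
    const leader = servers[blocks.length % m];
    blocks.push({
      height: blocks.length + 1,
      leader,
      txCount: kTau,
      bits: blockBits(kTau),
      messages: pbftMessages(m),
    });
    pending = 0;
  }
  return {
    blocks,
    pending, // transactions still waiting for the threshold
    nextLeader: servers[blocks.length % m],
    toleratedFaults: maxFaulty(m),
    totalBits: blocks.reduce((sum, b) => sum + b.bits, 0),
    totalMessages: blocks.reduce((sum, b) => sum + b.messages, 0),
  };
}

// Constructed sample run: 4 cloud servers, kTau = 10, 95 transactions.
const demo = simulate(['CS1', 'CS2', 'CS3', 'CS4'], 10, 95);
console.log(demo.blocks.map((b) => `${b.height}:${b.leader}`).join(' '));
console.log(demo.totalBits, demo.totalMessages, demo.pending, demo.nextLeader);
// Message volume per block grows quadratically with the node count m.
console.log([4, 8, 16].map((m) => [m, pbftMessages(m)]));
```

Doubling the number of cloud servers quadruples the consensus traffic per block, while raising κτ only adds 640 bits per transaction to the block itself.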

We then investigate the effect of increasing the number of mined blocks βns on the computation complexity of the consensus algorithm. In this simulation, the number of transactions κτ per is kept constant. The results obtained are shown in Fig 12 below.

As shown in Fig 12, there is a general increase in computation complexities upon increase in the number of mined. Next, we investigate the effect of increasing the number of transactions κτ per on the computation complexity of the consensus procedures. Here, we keep the number of mined βns constant for each chain. The results obtained are presented in Fig 13 below.

Fig 13. Effect of number of transactions on computation time.

https://doi.org/10.1371/journal.pone.0318182.g013

It is evident from Fig 13 that as transactions κτ in surge, there is a corresponding increase in the computation complexities of the consensus procedures. Finally, we vary the number of nodes as the number of and κτ are kept constant. Fig 14 shows the results obtained.

Based on the graph in Fig 14, it is clear that there is an exponential increase in computation complexity of the consensus procedures when the number of nodes is incremented. The increase in computation costs in all three instances is attributed to the surging processing that must be accomplished during block generation, verification and addition to the blockchain.

6. Conclusion

Security and privacy issues in smart grids are serious challenges, owing to numerous vulnerabilities and threats that lurk in this environment. This has seen the development of numerous schemes to offer protection during message exchange between the smart meters and utility service providers. The majority of these security techniques are based on bilinear pairing operations and public key cryptography that are shown to incur heavy computation overheads. The frequent transmission of power consumption reports exposes these reports to security threats and results in high communication complexities. Therefore, an ideal authentication protocol has been developed in this paper to tackle these issues. Extensive security analysis has shown that it is provably secure under the ROR model. In addition, it has been shown to offer salient security and privacy features such as key agreement, mutual authentication, key secrecy, anonymity and untraceability. Moreover, it is resilient against eavesdropping, ephemeral secret leakage, key escrow, session hijacking, KSSTI, replays, forgery, MitM, privileged insider, physical, side-channeling and impersonation attacks. Therefore, it is demonstrated to be robust under all the adversarial capabilities in the Canetti–Krawczyk model. In terms of performance, it requires only 30.4217 ms computation costs, which is the lowest. Since it supports the highest number of security and privacy features, it is the most secure among its peers. Specifically, our protocol achieves a 17.19% reduction in the computation complexity and a 46.15% improvement in the supported security and privacy features. Future work lies in further reduction of the incurred communication complexities so that its efficiency can be improved further.

References

  1. Liu S, Zhu Y, Wang R. Pairing-free certificateless blind signature scheme for smart grid. J King Saud Univ - Comput Inf Sci. 2022;34(10):10145–56.
  2. Chaudhry SA, Alhakami H, Baz A, Al-Turjman F. Securing demand response management: a certificate-based access control in smart grid edge computing infrastructure. IEEE Access. 2020;8:101235–43.
  3. Wang H, Gong Y, Ding Y, Tang S, Wang Y. Privacy-preserving data aggregation with dynamic billing in fog-based smart grid. Appl Sci. 2023;13(2):748.
  4. Nyangaresi VO, Abd‐Elnaby M, Eid MMA, Nabih Zaki Rashed A. Trusted authority based session key agreement and authentication algorithm for smart grid networks. Trans Emerging Tel Tech. 2022;33(9).
  5. Verma N, Purohit S, Narwal B. BASB-SG: a biohashing-based authentication scheme for secure blockchain-enabled smart grids. 2023 5th International Conference on Energy, Power and Environment: Towards Flexible Green Energy Technologies (ICEPE). IEEE; 2023. p. 1–5. https://doi.org/10.1109/ICEPE57949.2023.10201498
  6. Sharma G, Joshi AM, Mohanty SP. Fortified-grid: fortifying smart grids through the integration of the trusted platform module in internet of things devices. Information. 2023;14(9):491.
  7. Saxena N, Grijalva S. Dynamic secrets and secret keys based scheme for securing last mile smart grid wireless communication. IEEE Trans Ind Inf. 2017;13(3):1482–91.
  8. Gupta R, Tanwar S, Al-Turjman F, Italiya P, Nauman A, Kim SW. Smart contract privacy protection using AI in cyber-physical systems: tools, techniques and challenges. IEEE Access. 2020;8:24746–72.
  9. Nyangaresi VO. Provably secure authentication protocol for traffic exchanges in unmanned aerial vehicles. High-Confid Comput. 2023;3(4):100154.
  10. Li H, Li X, Cheng Q. A fine-grained privacy protection data aggregation scheme for outsourcing smart grid. Front Comput Sci. 2022;17(3).
  11. Wang H, Wang L, Wen M, Chen K, Luo Y. A lightweight certificateless aggregate ring signature scheme for privacy protection in smart grids. Wireless Pers Commun. 2022;126(2):1577–99.
  12. Sultan S. Privacy-preserving metering in smart grid for billing, operational metering, and incentive-based schemes: a survey. Comput Secur. 2019;84:148–65.
  13. Lu M, Zhang Y, Xie Q, Cai X. Vector control of brushless double fed generator based on control winding orientation on smooth switch from standalone mode to grid-tied mode. Trait du Signal. 2018;35(1):85–95.
  14. Wu K, Cheng R, Cui W, Li W. A lightweight SM2-based security authentication scheme for smart grids. Alex Eng J. 2021;60(1):435–46.
  15. Nyangaresi VO. Privacy preserving three-factor authentication protocol for secure message forwarding in wireless body area networks. Ad Hoc Networks. 2023;142:103117.
  16. Al Sibahee MA, Lu S, Abduljabbar ZA, Liu X, Abdalla HB, Hussain MA, et al. Lightweight secure message delivery for E2E S2S communication in the IoT-cloud system. IEEE Access. 2020;8:218331–47.
  17. Wang J, Wu L, Choo K-KR, He D. Blockchain-based anonymous authentication with key management for smart grid edge computing infrastructure. IEEE Trans Ind Inf. 2020;16(3):1984–92.
  18. Sharma R, Joshi AM, Sahu C, Sharma G, Akindeji KT, Sharma S. Semi supervised cyber attack detection system for smart grid. 2022 30th Southern African Universities Power Engineering Conference (SAUPEC). IEEE; 2022. p. 1–5. https://doi.org/10.1109/SAUPEC55179.2022.9730715
  19. Abbasinezhad-Mood D, Nikooghadam M. An anonymous ECC-based self-certified key distribution scheme for the smart grid. IEEE Trans Ind Electron. 2018;65(10):7996–8004.
  20. Verma G, Gope P, Saxena N, Kumar N. CB-DA: lightweight and escrow-free certificate-based data aggregation for smart grid. IEEE Trans Depend Secure Comput. 2022:1–1.
  21. Tsai J-L, Lo N-W. Secure anonymous key distribution scheme for smart grid. IEEE Trans Smart Grid. 2015:1–1.
  22. Umran SM, Lu S, Abduljabbar ZA, Lu Z, Feng B, Zheng L. Secure and privacy-preserving data-sharing framework based on blockchain technology for Al-Najaf/Iraq oil refinery. 2022 IEEE Smartworld, Ubiquitous Intelligence & Computing, Scalable Computing & Communications, Digital Twin, Privacy Computing, Metaverse, Autonomous & Trusted Vehicles (SmartWorld/UIC/ScalCom/DigitalTwin/PriComp/Meta). IEEE; 2022. p. 2284–92. Available from: https://doi.org/10.1109/SmartWorld-UIC-ATC-ScalCom-DigitalTwin-PriComp-Metaverse56740.2022.00325
  23. Wang W, Huang H, Zhang L, Su C. Secure and efficient mutual authentication protocol for smart grid under blockchain. Peer-to-Peer Netw Appl. 2020;14(5):2681–93.
  24. M. Umran S, Lu S, Ameen Abduljabbar Z, Tang X. A Blockchain-based architecture for securing industrial IoTs data in electric smart grid. Comput Mater Contin. 2023;74(3):5389–416.
  25. Zhou Y, Guan Y, Zhang Z, Li F. A blockchain-based access control scheme for smart grids. 2019 International Conference on Networking and Network Applications (NaNA). IEEE; 2019. p. 368–73. https://doi.org/10.1109/NaNA.2019.00070
  26. Umran SM, Lu S, Abduljabbar ZA, Zhu J, Wu J. Secure data of industrial internet of things in a cement factory based on a blockchain technology. Appl Sci. 2021;11(14):6376.
  27. Yi X, Lam KY. A new blind ECDSA scheme for bitcoin transaction anonymity. Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security; 2019. p. 613–20. https://doi.org/10.1145/3321705.3329816
  28. Zhang W, Lin C, Lyu Z, Cen C, Luo M. An efficient blind signature scheme with untraceability for data privacy in smart grid. Security, Privacy, and Anonymity in Computation, Communication, and Storage: SpaCCS 2020 International Workshops; Nanjing, China; 2020 Dec 18-20, Proceedings 13. Springer International Publishing; 2021. p. 586–97. https://doi.org/10.1007/978-3-030-63176-2_47
  29. Huang H, Liu ZY, Tso R. Partially blind ECDSA scheme and its application to bitcoin. 2021 IEEE Conference on Dependable and Secure Computing (DSC). IEEE; 2021 Jan. p. 1–8. https://doi.org/10.1109/DSC49826.2021.9346233
  30. Kumar M, Chand S. A pairing-less identity-based blind signature with message recovery scheme for cloud-assisted services. Information Security and Cryptology: 15th International Conference, Inscrypt 2019; Nanjing, China; 2019 Dec 6–8, Revised Selected Papers 15. Springer International Publishing; 2020. p. 419–34. https://doi.org/10.1007/978-3-030-42921-8_24
  31. Jiang Y, Deng L, Ning B. Identity-based partially blind signature scheme: cryptanalysis and construction. IEEE Access. 2021;9:78017–24.
  32. Xu L, Guo Q, Yang T, Sun H. Robust routing optimization for smart grids considering cyber-physical interdependence. IEEE Trans Smart Grid. 2019;10(5):5620–9.
  33. Zhu L, Jiang F, Luo M, Li Q. An efficient identity-based signature protocol over lattices for the smart grid. High-Confid Comput. 2023;3(4):100147.
  34. Yu H, Wang Z. Certificateless blind signcryption with low complexity. IEEE Access. 2019;7:115181–91.
  35. Gai K, Wu Y, Zhu L, Xu L, Zhang Y. Permissioned blockchain and edge computing empowered privacy-preserving smart grid networks. IEEE Internet Things J. 2019;6(5):7992–8004.
  36. Kong W, Shen J, Vijayakumar P, Cho Y, Chang V. A practical group blind signature scheme for privacy protection in smart grid. J Parallel Distrib Comput. 2020;136:29–39.
  37. Verma GK, Singh BB, Singh H. Provably secure certificate-based proxy blind signature scheme from pairings. Inf Sci. 2018;468:1–13.
  38. Nyangaresi VO. Lightweight anonymous authentication protocol for resource-constrained smart home devices based on elliptic curve cryptography. J Syst Architect. 2022;133:102763.
  39. Chaudhry SA, Shon T, Al-Turjman F, Alsharif MH. Correcting design flaws: an improved and cloud assisted key agreement scheme in cyber physical systems. Comput Commun. 2020;153:527–37.
  40. Saxena N, Choi BJ, Lu R. Authentication and authorization scheme for various user roles and devices in smart grid. IEEE Trans Inform Forensic Secur. 2016;11(5):907–21.
  41. Zuo X, Li L, Peng H, Luo S, Yang Y. Privacy-preserving multidimensional data aggregation scheme without trusted authority in smart grid. IEEE Syst J. 2021;15(1):395–406.
  42. Mohammadali A, Haghighi MS. A privacy-preserving homomorphic scheme with multiple dimensions and fault tolerance for metering data aggregation in smart grid. IEEE Trans Smart Grid. 2021;12(6):5212–20.
  43. Xue K, Zhu B, Yang Q, Wei DSL, Guizani M. An efficient and robust data aggregation scheme without a trusted authority for smart grid. IEEE Internet Things J. 2020;7(3):1949–59.
  44. Nyangaresi VO, Ibrahim A, Abduljabbar ZA, Hussain MA, Al Sibahee MA, Hussien ZA, et al. Provably secure session key agreement protocol for unmanned aerial vehicles packet exchanges. 2021 International Conference on Electrical, Computer and Energy Technologies (ICECET). IEEE; 2021 Dec. p. 1–6. https://doi.org/10.1109/ICECET52533.2021.9698744
  45. Abduljabbar ZA, Omollo Nyangaresi V, Al Sibahee MA, Ghrabat MJJ, Ma J, Qays Abduljaleel I, et al. Session-dependent token-based payload enciphering scheme for integrity enhancements in wireless networks. JSAN. 2022;11(3):55.
  46. Chen Y, Martínez J-F, Castillejo P, López L. An anonymous authentication and key establish scheme for smart grid: FAuth. Energies. 2017;10(9):1354.
  47. Mahmood K, Li X, Chaudhry SA, Naqvi H, Kumari S, Sangaiah AK, et al. Pairing based anonymous and secure key agreement protocol for smart grid edge computing infrastructure. Future Gener Comput Syst. 2018;88:491–500.
  48. Liang XC, Wu TY, Lee YQ, Chen CM, Yeh JH. Cryptanalysis of a pairing-based anonymous key agreement scheme for smart grid. Advances in Intelligent Information Hiding and Multimedia Signal Processing: Proceedings of the 15th International Conference on IIH-MSP in Conjunction with the 12th International Conference on FITAT, Volume 1; Jilin, China; Jul 18–20. Springer Singapore; 2020. p. 125–131. https://doi.org/10.1007/978-981-13-9714-1_14
  49. Nyangaresi VO. Terminal independent security token derivation scheme for ultra-dense IoT networks. Array. 2022;15:100210.
  50. Gope P, Sikdar B. Lightweight and privacy-friendly spatial data aggregation for secure power supply and demand management in smart grids. IEEE Trans Inform Forensic Secur. 2019;14(6):1554–66.
  51. Hussien ZA, Abdulmalik HA, Hussain MA, Nyangaresi VO, Ma J, Abduljabbar ZA, et al. Lightweight integrity preserving scheme for secure data exchange in cloud-based IoT systems. Appl Sci. 2023;13(2):691.
  52. Zahoor A, Mahmood K, Saleem MA, Badar HMS, Le T-V, Das AK. Lightweight authenticated key agreement protocol for smart power grid systems using PUF. IEEE Open J Commun Soc. 2024;5:3568–80.
  53. Zahoor A, Mahmood K, Shamshad S, Saleem MA, Ayub MF, Conti M, et al. An access control scheme in IoT-enabled Smart-Grid systems using blockchain and PUF. Internet Things. 2023;22:100708.
  54. Ayub MF, Li X, Mahmood K, Shamshad S, Saleem MA, Omar M. Secure consumer-centric demand response management in resilient smart grid as industry 5.0 application with blockchain-based authentication. IEEE Trans Consum Electron. 2023.
  55. Odelu V, Das AK, Wazid M, Conti M. Provably secure authenticated key agreement scheme for smart grid. IEEE Trans Smart Grid. 2016:1–1.
  56. He D, Wang H, Khan MK, Wang L. Lightweight anonymous key distribution scheme for smart grid using elliptic curve cryptography. IET Commun. 2016;10(14):1795–802.
  57. Chaudhry SA. Correcting “PALK: password-based anonymous lightweight key agreement framework for smart grid”. Int J Electr Power Energy Syst. 2021;125:106529.