Lightweight authentication protocol in edge-based smart grid environment

A smart grid (SG) is an advanced power grid system deployed in a cloud center and smart meters (at the consumer end) that provides higher reliability, better data protection, improved power efficiency, automatic monitoring, and effective management of power consumption. However, an SG also poses certain challenges that need to be addressed. For example, data provided by a smart meter are time-sensitive and cannot handle high latency in an SG. Moreover, a smart meter depends on memory, energy, and other factors. Besides, the security between a cloud center and a smart meter is a critical issue that needs to be resolved. Edge computing, an extension of cloud computing deployed in an edge network between a cloud center and the end devices, is an efficient solution to the aforementioned issues. Therefore, in this study, we propose a secure mutual authentication protocol based on edge computing for use in an SG.

data in a cloud computing data center. However, with an increasing number of IoT (end-user) devices, an SG based on cloud computing cannot meet such requirements.
On the other hand, in 2012, Cisco specified certain disadvantages of cloud computing, including a high latency, low mobility support, and low location awareness. As a result, the company proposed the concept of fog computing [8], which is a type of edge computing as previously mentioned, as an extension of cloud computing [9][10][11]. An edge layer is employed between the end devices and the cloud center; in addition, each end device is directly connected to the edge nodes, and the edge nodes are interconnected, each linked to the cloud [12]. The edge nodes in edge computing consist of certain devices with limited computation power, such as switches, routers, mobile devices, and idle servers. The main role of an edge node is to collect and process the data from the end devices, issue control commands to the actuators, locally filter the data, and send the remaining data to the cloud center [13,14]. Edge computing has the following characteristics [15]. First, with the rapid development of mobile devices, it is important for the edge nodes to directly communicate with these devices, such as mobile phones, mobile sensors, and moving cars. Second, the batch process used in cloud computing cannot facilitate real-time interactions; however, with large numbers of edge nodes deployed in distributed locations, edge computing can provide real-time interactions. Third, the edge nodes used in edge computing are distributed in different places. Although the computational abilities of the edge nodes are limited, use of a large number of nodes can solve this problem, for example, by using an SG or a smart vehicle network. Finally, in edge computing, the edge nodes are deployed in different places closer to the end-users. Cloud computing applies a centralized architecture, in sharp contrast to the distributed edge architecture. As previously mentioned, edge computing is an extension of cloud computing, which provides numerous advantages over the cloud computing infrastructure. 
In recent years, many researchers have attempted to extend the edge computing infrastructure for applications based on cloud computing [1][16][17][18][19]. In this study, we extended the infrastructure of edge computing to an SG, which is different from the case of a traditional SG. The advantages of an edge-computing-based SG over a traditional SG include minimum latency, providing services to resource-constrained devices, reduced stress on the cloud center, and preprocessing of unimportant data.
It is necessary to extend edge computing to an SG; however, the deployment of an SM is unsafe, and the meter needs to be protected by a physical lock to avoid a possible attack by an adversary. An adversary can obtain the data stored in an SM and pose as an SG to communicate with the SPs or consumers. Therefore, secure communication between the SG and SP is extremely important. A key agreement and mutual authentication protocol is an efficient solution to this problem. Several studies have also proposed protocols related to SGs [20][21][22][23][24]. However, a mutual authentication protocol for an SG based on the use of edge computing has yet to be proposed. An SG requires real-time data transmission. The addition of edge nodes to an SG can guarantee a low latency and real-time data response. We, therefore, propose a protocol based on edge computing for use in such a grid.

Contributions
The contribution of this paper is listed as follows.
1. We propose a secure and lightweight key exchange and mutual authentication protocol for an edge-based SG environment. Our design uses one-way hash functions, XOR computations, and an elliptic curve cryptosystem (ECC) instead of other heavy cryptographic functions.
2. We provide a formal proof to demonstrate the security of the proposed protocol. Besides, we use Burrows-Abadi-Needham (BAN) logic to guarantee the security of our design. Furthermore, we show that the proposed protocol is secure against various kinds of attacks.
3. We present a performance evaluation/comparison of our protocol.

Organization
The remainder of this paper is organized as follows. Section 2 briefly presents the recent studies related to the security of an SG. In Sect. 3, we present an adversary model. The details of the proposed protocol are presented in Sect. 4. To establish the security of the proposed protocol, a security analysis is presented in Sect. 5, concluding with a formal security analysis using formal proof and BAN logic. Section 7 further discusses how the proposed protocol is secure against various kinds of attacks. A comparison and performance analysis is provided in Sect. 7. Finally, some concluding remarks are presented in Sect. 8.

Related literature
With the emergence of an SG in 2001, numerous researchers have worked on ensuring security in an SG. Hassan et al. [25] encountered several problems with the use of an SG. For instance, owing to uncertainties in system planning and maintenance, it is challenging to predict real-time system controls. Besides, communication between system operators in a CC is another problem that needs to be considered. Moreover, the lack of predictive control signals for operating the devices and lack of energy storage devices also affect the deployment of SMs. In 2010, Ericsson [26] pointed out that the essential aspects of an SG infrastructure are cybersecurity and power system communication (PSC). Also, information security has become increasingly important because the deployment occurs in an exoteric and integrated energy management system instead of through isolated automation as previously applied. Moreover, with the development of the Internet, attackers can steal data from an SM and a cloud center.
To ensure the information security of an SG, researchers have proposed several security mechanisms. Kim et al. [27] proposed a security mechanism based on an SG according to the security requirements of remote meters using power-line communication (PLC), including authentication and key sharing between devices, as well as revocation management of the remaining devices. However, the SM server used in this mechanism demands authentication of all nodes, which may cause heavy stress on the SM server. When numerous devices are added to an SG environment, the mechanism will become overburdened. For the purpose of efficient resource management and information security, some researchers have begun adding edge computing to an SG; for instance, Zahoor et al. [1] introduced a new SG model based on edge computing for resource management. The proposed model is based on an edge-cloud hierarchical infrastructure to separate the role of the cloud, providing different types of services to consumers. Compared with a traditional SG model, the proposed approach can improve the response time for effective resource utilization and reduce the latency. In 2016, Nazmudeen et al. [28] proposed a distributed data aggregation method based on an edge-computing architecture, limiting the amount of data sent to the centralized storage space, thereby improving the capacity of the PLC without affecting its functionality.
Although edge computing solves the problems inherent to cloud computing, information security, i.e., the security of a transmitted message through an insecure channel, is vital in an SG. A mutual authentication protocol can guarantee the security of intercommunication. In recent years, some mutual authentication protocols have been proposed to ensure the security between parties [29][30][31][32].
Zhang et al. [23] designed an authentication protocol based on elliptic curve cryptography for an SG, which can provide privacy protection. The authors claimed that the protocol has the advantages of identity protection, mutual authentication, and key agreement. However, after analyzing the protocol, we found that it cannot resist an impersonation attack on an SM or SP or a replay attack. Tsai et al. [22] proposed a new anonymous key distribution scheme in an SG environment using identity-based signature schemes and identity-based encryption schemes. The advantages of the scheme include a trusted authority separate from the authentication phases and direct access of an SM to the SP without a trusted authority, which can lower the computation time.
However, the proposed protocol is still vulnerable, cannot withstand a privileged insider attack, and provides imperfect forward secrecy.

Method
In this section, we first introduce the infrastructure of a smart grid based on edge computing. Then, we describe the adversary model used in this paper.

Edge computing infrastructure for smart grid
In this study, we proposed a protocol based on edge computing for an SG. Our SG infrastructure based on edge computing is shown in Fig. 2. An edge layer is used to join the infrastructure, acting as an SP in an SG. The cloud is separated to handle data from the edge layer and transmit them to the CC. This infrastructure uses different SPs from the macro-grids, which can reduce the burden on the cloud, and integrates the main capacities of the cloud to communicate with the CC and management control.
In our protocol, edge nodes act as SPs that can quickly process the data and authenticate an SM. Because of the limited computations of the edge nodes and SM, the proposed protocol only uses an ECC and a one-way hash function for encrypting the parameters. Our protocol comprises the following phases.

Adversary model
Before introducing our proposed protocol, it is important to describe the adversary model applied. A polynomial-time adversary Adv has full control over the insecure network traffic and desires to break the security of the proposed scheme. Adv may control some or all of the messages transmitted over an insecure channel, for example by intercepting, modifying, and deleting the transmitted messages. Adv can extract the security parameters stored in a smart card using a power analysis technique. Adv can try to obtain sensitive information (e.g., passwords) using off-line password guessing attacks. The goal of Adv is to achieve one of the following.
• Compute the session key after a successful run of the authentication scheme.
• Compute the long-term secret key of the server.
• Have the server falsely accept an authentication scheme when they are not communicating with a legitimate entity.

Proposed protocol
Herein, we describe the proposed protocol, which consists of three phases, an edge node registration phase, an SM registration phase, and a login and authentication phase. Table 1 summarizes the notations used in our proposed protocol.

Edge node registration phase
If an edge node $ES_j$ wants to join the system, the edge node registration phase is applied. This phase is shown in Fig. 4 and is described as follows:
(i) $ES_j$ first selects an identity $SID_j$ and transmits $\{SID_j\}$ to TA through a secure channel.
(ii) After receiving the above messages, TA checks the validity of $ES_j$. Then, TA computes $RSID_j = H(SID_j \| s)$, stores $\{SID_j, RSID_j\}$ in the database of TA, and transmits $\{RSID_j\}$ back to $ES_j$ through a secure channel.
(iii) $ES_j$ stores $\{RSID_j\}$ in its database.

Smart meter registration phase
The SM registration phase (Fig. 3) is executed if an SM registers with TA. We assume that an SM, whose identity is $ID_i$, wants to join this system, and there are $n$ edge nodes,

Login and authentication phase
When a legal SM wants to log in and communicate with $ES_j$, the SM needs to authenticate $ES_j$ and establish a session key with $ES_j$ using the following steps.
(i) The SM first enters its identity $ID_i$ and $r_i$, and then computes $DAu_j = SID_j \oplus BAu_j \oplus DAu_j^*$ and $C_j = DAu_j \oplus H(ID_i \| r_i)$. Next, SM generates the current timestamp $T_i$ and calculates $E_i = ID_i \oplus H(C_j \| T_i)$. In addition, SM then generates a random number $n_i$, computing $N_i = n_i P$, , and then checks the validity of $M_1$ to verify if SM is legal. If so, $ES_j$ generates a random number $n_j$ and current timestamp $T_j$, and then computes $N_j = n_j P$, The SM login and authentication phase is illustrated in Fig. 5.

Security analysis of the proposed protocol
In this section, we first provide a formal proof of the proposed protocol. Then, we further evaluate the security of the proposed protocol with BAN logic.

Formal proof
Here, we prove the security of the proposed protocol under the Real-Or-Random (ROR) model. In the introduction section, we have defined the capabilities of the adversary [2]. Assume that $I^x_{SM}$, $I^y_{ES}$, and $I^z_{TA}$, respectively, represent the x-th instance of SM s , the y-th instance of $ES_j$, and the z-th instance of TA. The adversary A can initiate the following queries.

Definition 1 (Elliptic Curve Discrete Logarithm Problem (ECDLP))
Assuming that E is an elliptic curve generation group. Given points P and aP, where P belongs to E and a belongs to $F_p$, it is computationally infeasible to obtain a. In polynomial time $\xi$, the probability of an adversary A solving this problem is defined as: $Adv^{ECDLP}_A(\xi) = \Pr[A(P, aP) = a : a \in F_p, P \in E]$. For a sufficiently small $\eta$, we have: $Adv^{ECDLP}_A(\xi) < \eta$.
Theorem: Under the ROR model, if A attempts to initiate some queries in polynomial time, then the advantage that it can break the proposed protocol P is: $Adv^P_A(\xi) \le (q_{send} + q_{exe})^2/p + q_{hash}^2/2^{l-1} + q_{send}/2^{l-1} + 2Adv^{ECDLP}_A(\xi)$, where $q_{send}$ represents the number of Send query executed, $q_{exe}$ represents the number of Execute query executed, $q_{hash}$ represents the number of Hash query executed, and $l$ represents the bits of the hash operation.

Proof
We use the game sequence $GM_0$ to $GM_5$ to verify the above theorem. $Succ^{GM_n}_A(\xi)$ is the probability that A succeeds in the game $GM_n$. The specific description is as follows.
$GM_0$: $GM_0$ represents a real attack, and A will not initiate any query at this time. Therefore, in $GM_0$, the probability of A breaking P is: A (ξ)] − $\Pr[Succ^{GM_2}_A(\xi)]| \le q_{send}/2^l$.
$GM_3$: $GM_3$ adds Hash query based on $GM_2$. According to the birthday paradox, we can get that the maximum probability of a hash collision is $q_{hash}^2/2^{l+1}$; the maximum probability of a conflict occurring in the transmitted text is $(q_{send} + q_{exe})^2/2p$ [4,5]. Therefore, we have: In this game, we consider the security of the session key. Here, we divide the discussion into two situations. The first is to obtain a long-term private key to verify perfect forward security; the second is temporary information leakage to verify whether can resist ephemeral secret leakage attack. ) to try to obtain temporary information from one party.
In both cases, the ECDLP needs to be solved to compute the session key are calculated by s, the random number $n_j$ is unknown. And through $Corrupt(I^x_{SM})$ or $Corrupt(I^y_{ES})$ to get $\{SID_j, BAu_j, DAu_j\}$ or $\{RSID_j\}$, A cannot get any value in session key; in the second case, even if $n_j N_i$ is calculated by $n_j$, but the long-term private key s is unknown. Similarly, for the second formula $SK_i = h(ID_i \| A_j \| n_i N_j)$ is also true. Therefore, we have:
$GM_5$: The purpose of this game is to verify the impersonation attack. The difference between $GM_5$ and $GM_4$ is that the game is terminated if A issues $h(ID_i \| A_j \| n_j N_i)$ query. At this point, the probability of A guessing the session key is |Pr[Succ Since $GM_5$ is equally successful and unsuccessful, we have: Pr[Succ In summary, we can get the following conclusion: we have $Adv^P_A(\xi) = (q_{send} + q_{exe})^2/n + q_{hash}^2/2^{l-1} + q_{send}/2^{l-1} + 2Adv^{ECDLP}_A(\xi)$.

Security analysis using BAN logic
In this subsection, we demonstrate the security of our solution during the authentication phase through the BAN logic. BAN logic was proposed by Burrows, Abadi, and Needham in 1989 and is a modal logic based on belief and knowledge. BAN logic has become the most well-known and widely used tool for analyzing the security of authenticated and key agreement protocols [33][34][35].
In this study, the user (SM) and the edge node $ES_j$ authenticate each other and calculate a session key. Below are some of the symbols and rules defined when using the BAN logic.

Notations used in BAN logic
• $P \mid\equiv X$: The principal P believes X, or is entitled to do so. In particular, P may act as though X is true. This construct is central to the logic.
• $P \triangleleft X$: P sees X. Someone sends a message containing X to P, who can read and repeat X (possibly after a decryption).
• $P \mid\sim X$: P once stated X. At some point of time, P sent a message including statement X. It is unknown whether the message was sent long ago or during the current run of the protocol, but it is known that P believed X at that time.
• $P \mid\Rightarrow X$: P has jurisdiction over X. The principal P is an authority on X and should be trusted in this matter. For example, a server is often trusted to properly generate encryption keys. This may be expressed based on the assumption that the principals believe that the server has jurisdiction over statements regarding the quality of these keys.
• $\sharp(X)$: The formula X is fresh; that is, X has not been sent in a message at any time before the current run of the protocol. This is typically true for a nonce, that is, an expression invented for the purpose of being fresh. A nonce commonly includes a timestamp or number that is used only once.
• $P \stackrel{K}{\longleftrightarrow} Q$: P and Q may use a shared key K to communicate. Key K is safe in that it will never be discovered by any principal except P or Q, or by a principal trusted by either P or Q.
• $P \stackrel{X}{\rightleftharpoons} Q$: Formula X is a secret known only to P and Q and possibly to principals trusted by them. Only P and Q may use X to prove their identities to one another. An example of a secret is a password.
• $\{X\}_K$: Formula X is encrypted under key K.
• $\langle X \rangle_Y$: Formula X is combined with formula Y.

BAN logic rules
(i) The message-meaning rule for shared keys is $\frac{P \mid\equiv P \stackrel{K}{\longleftrightarrow} Q,\ P \triangleleft \{X\}_K}{P \mid\equiv Q \mid\sim X}$. This indicates that if P believes that K is a key shared with Q and if P sees X encrypted under K, then P believes that Q once stated X. . This means that if P believes that Y is a secret known only to P and Q and P sees X under Y, then P believes that Q once stated X.
(iii) The nonce-verification rule is $\frac{P \mid\equiv \sharp(X),\ P \mid\equiv Q \mid\sim X}{P \mid\equiv Q \mid\equiv X}$. This means that if P believes that X is fresh and Q once stated X, then P believes that Q believes X.
(iv) The jurisdiction rule is $\frac{P \mid\equiv Q \mid\Rightarrow X,\ P \mid\equiv Q \mid\equiv X}{P \mid\equiv X}$. This means that if P believes that Q has jurisdiction over X and believes that Q believes X, then P believes X.
(v) The session key rule is $\frac{P \mid\equiv \sharp(X),\ P \mid\equiv Q \mid\equiv X}{P \mid\equiv P \stackrel{K}{\longleftrightarrow} Q}$. This means that if P trusts that statement formula X is fresh and P trusts that Q trusts X, which is an essential component of the session key, then P trusts that he or she shares the session key K with Q.
(vi) The freshness rule is $\frac{P \mid\equiv \sharp(X)}{P \mid\equiv \sharp(X, Y)}$. This means that if P believes that X is fresh, then he or she believes the freshness of (X, Y).
(vii) The belief rule is $\frac{P \mid\equiv X,\ P \mid\equiv Y}{P \mid\equiv (X, Y)}$. This means that if P believes X and Y, then P believes (X, Y).

Main proofs using BAN rules and assumptions
Based on the BAN logic rules, we demonstrate that the proposed key exchange protocol can use the initial state assumptions to achieve the defined goals. Below are the steps used to prove the BAN logic.
For G1, according to the message Meg2 and using the seeing rule, we obtain S1: $SM \triangleleft \{M_2 : \langle A_j, N_j, T_j \rangle_{C_j};\ K_j, T_j\}$. Using A3, S1, and the message-meaning rule, we obtain S2: $SM \mid\equiv ES_j \mid\sim (A_j, N_j, T_j)$. Using A3 and S2, and applying the freshness and nonce-verification rules, S3: $SM \mid\equiv ES_j \mid\equiv (A_j, N_j, T_j)$ is obtained. Applying the belief rule for each component, we obtain S4: $SM \mid\equiv ES_j \mid\equiv N_i$. Using A4, S4, and the jurisdiction rule, S5: $SM \mid\equiv N_j$ is obtained. Because $SK = H(ID_i \| A_j \| n_i N_j)$, we obtain S6: $SM \mid\equiv SM \stackrel{SK}{\longleftrightarrow} ES_j$.
For G2, according to the message Meg1 and using the seeing rule, we obtain S7: Using the seeing rule for each component, we obtain S8, i.e., $ES_j \triangleleft \{\langle ID_i \rangle_{H(C_j \| T_i)}\}$, and S9, i.e., $ES_j \triangleleft \{\langle F_i, N_i, T_i \rangle_{ID_i}\}$. Using A5, S8, and the message-meaning rule, we obtain S10: $ES_j \mid\equiv SM \mid\sim ID_i$. Using A6 and S10 and applying the nonce-verification rule, S11: $ES_j \mid\equiv SM \mid\equiv ID_i$ is obtained. Using A7, S11, and the jurisdiction rule, we obtain S12: $ES_j \mid\equiv ID_i$. Using A6, S11, and the session key rule, we obtain S13: $ES_j \mid\equiv SM \stackrel{ID_i}{\rightleftharpoons} ES_j$. Using S9, S13, and the message-meaning rule, we obtain S14: $ES_j \mid\equiv SM \mid\sim (F_i, N_i, T_i)$. According to A9 and S15 and using the freshness and nonce-verification rules, S15: Based on the belief rule, we obtain S16: $ES_j \mid\equiv SM \mid\equiv N_i$. Using A10, S16, and the jurisdiction rule, we obtain S17: $SM \mid\equiv N_i$. Because $A_j = H(ID_i \| RSID_j)$ and $SK = H(ID_i \| A_j \| n_j N_i)$, we obtain S18: $ES_j \mid\equiv SM \stackrel{SK}{\longleftrightarrow} ES_j$.
For G3, according to S6, A1, and the session key rule, we obtain S19: $SM \mid\equiv ES_j \mid\equiv SM \stackrel{SK}{\longleftrightarrow} ES_j$.
For G4, according to S18, A2, and the session key rule, we obtain S20:

Discussion
Numerous authenticated and key agreement protocols have been proven insecure against the following kinds of attacks [36][37][38][39][40]. In this section, we further discuss how our protocol can resist such attacks. First, we assume that the adversary is represented as Adv.

Replay attack
A replay attack resends the messages intercepted by Adv, which can obtain the messages $\{E_i, G_i, M_1, T_i\}$ and $\{M_2, K_j, T_j\}$. Every transmitted message carries a timestamp, which guarantees the freshness of the messages; timestamps $T_i$ and $T_j$ are both used in a later authentication parameter to check the validity of each other. Therefore, a faked timestamp cannot pass the verification stage. As a result, an adversary cannot replay the messages, and our protocol effectively resists a replay attack.
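The timestamp binding described above can be exercised directly. The following Python code is an added example, not the authors' implementation: it uses the page's $E_i = ID_i \oplus H(C_j \| T_i)$ and assumes SHA-256 for H, a 5-second window `DELTA_T`, and an edge node that already holds $C_j$ and a set of registered identities as a stand-in for the $M_1$ check, whose formula the page does not give.

```python
import hashlib

DELTA_T = 5  # seconds; assumed freshness window (the page gives no value)


def H(*parts):
    """H(a || b || ...); SHA-256 is an assumed stand-in for the page's hash."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor_bytes(a, b):
    """XOR two byte strings; the result has the length of the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def encode_ts(t):
    """Fixed-width encoding so the timestamp is unambiguous inside H()."""
    return int(t).to_bytes(8, "big")


def build_login(id_i, c_j, t_i):
    """SM side: E_i = ID_i XOR H(C_j || T_i), sent together with T_i."""
    return {"E_i": xor_bytes(id_i, H(c_j, encode_ts(t_i))), "T_i": t_i}


def check_login(msg, c_j, registered_ids, now):
    """Edge-node side (assumed check). Returns (accepted, reason)."""
    # 1. Freshness: reject anything outside the acceptance window.
    if abs(now - msg["T_i"]) > DELTA_T:
        return False, "stale timestamp"
    # 2. Binding: unmask the identity with the timestamp that was received.
    #    A rewritten T_i yields a different mask, so the identity is garbage.
    id_i = xor_bytes(msg["E_i"], H(c_j, encode_ts(msg["T_i"])))
    if id_i not in registered_ids:
        return False, "identity check failed"
    return True, "accepted"


def replay_outcomes():
    """Constructed scenario: one genuine login, then three replay attempts."""
    c_j = H(b"constructed C_j")
    id_i = b"SM-0001-constructed-id"  # constructed identity, 22 bytes
    registered = {id_i}
    msg = build_login(id_i, c_j, 1_000)
    rewritten = dict(msg, T_i=1_600)  # captured E_i with a rewritten timestamp
    return {
        "genuine": check_login(msg, c_j, registered, now=1_002),
        "replayed_later": check_login(msg, c_j, registered, now=1_600),
        "rewritten_timestamp": check_login(rewritten, c_j, registered, now=1_600),
        "replayed_in_window": check_login(msg, c_j, registered, now=1_004),
    }
```

The last case is accepted: a timestamp check alone does not stop a replay that arrives inside the window, and the page does not describe a cache of already-seen messages.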

SMs and edge node impersonation attack
Suppose adversary Adv wants to create a login message $\{E_a, G_a, M_{1a}, T_{ai}\}$ or $\{M_{2a}, K_a, T_{aj}\}$ to pose as a legal SM or a legal $ES_j$. We take the SM as an example; the case of $ES_j$ is similar. If Adv wants to log into $ES_j$, he or she first needs the parameters of $C_j$ to calculate $ID_i$; however, without the knowledge of $SID_j$ and $RSID_j$, Adv cannot obtain $C_j$ without $ID_i$, and Adv cannot calculate $F_i$ and $N_i$. Therefore, it is impossible for Adv to create a legal login message, and hence, our protocol can resist attacks on SMs and edge node impersonation attacks.

Man-in-the-middle attack
As mentioned previously, Adv cannot obtain the messages of both $\{E_a, G_a, M_{1a}, T_{ai}\}$ and $\{M_{2a}, K_a, T_{aj}\}$, and thus Adv cannot forge legal SMs or an edge node. Thus, our proposed protocol is resilient against a man-in-the-middle attack.

Perfect forward secrecy
In perfect forward secrecy, the long-term key s is indeterminable for Adv, and the messages over an insecure channel and the parameters from the memory of the SMs are revealed to Adv; however, even with these parameters, Adv still cannot expose the session key between SMs and edge nodes. In our proposed protocol, if Adv wants to calculate a session key $SK_{ij} = H(ID_i \| A_j \| n_i N'_j)$, Adv needs to know the parameters $ID_i$ and $A_j$ and the random parameters $n_i N_j$ or $n_j N_i$, whereas $ID_i$, $A_j$, $n_i N_j$, and $n_j N_i$ are independent of the long-term key and cannot be calculated based on messages from an insecure channel; therefore Adv cannot obtain the parameters used to compute the session key. Hence, our protocol can guarantee perfect forward secrecy.

Ephemeral secret leakage attack
As mentioned above, if Adv wants to obtain a session key, he or she needs to first obtain the ephemeral secrets $n_i$, $n_j$. In an ephemeral secret leakage attack, Adv can obtain the random parameters $n_i$ and $n_j$; however, if Adv wants to obtain the session key, Adv needs another two parameters $ID_i$ and $A_j$, which cannot be obtained from an insecure channel or the memory of the SMs. This proves that our proposed protocol is resilient against an ephemeral secret attack.
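The session-key construction discussed under perfect forward secrecy and ephemeral secret leakage can be run end to end. The following Python code is an added example, not the authors' implementation: it assumes SHA-256 for H and the secp256k1 curve (the page names neither), uses constructed identities and a constructed master secret s, and shows that both parties derive the same $SK = H(ID_i \| A_j \| n_i N_j)$ and that the key changes when $A_j$ is wrong even if $n_i$ is known.

```python
import hashlib
import secrets

# Assumption: secp256k1 parameters; the page does not name a curve.
FIELD_P = 2**256 - 2**32 - 977
ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
BASE_POINT = (
    0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
    0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8,
)


def H(*parts):
    """H(a || b || ...); SHA-256 is an assumed stand-in for the page's hash."""
    return hashlib.sha256(b"".join(parts)).digest()


def point_add(p1, p2):
    """Add two affine points on y^2 = x^3 + 7; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % FIELD_P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1 % FIELD_P, FIELD_P - 2, FIELD_P)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % FIELD_P, FIELD_P - 2, FIELD_P)
    lam %= FIELD_P
    x3 = (lam * lam - x1 - x2) % FIELD_P
    return x3, (lam * (x1 - x3) - y1) % FIELD_P


def scalar_mult(k, point):
    """Double-and-add k*point. Not constant time; for illustration only."""
    result = None
    while k:
        if k & 1:
            result = point_add(result, point)
        point = point_add(point, point)
        k >>= 1
    return result


def point_bytes(point):
    """Fixed-width encoding of an affine point for hashing."""
    return point[0].to_bytes(32, "big") + point[1].to_bytes(32, "big")


def register_edge_node(sid_j, s):
    """TA side of edge node registration: RSID_j = H(SID_j || s)."""
    return H(sid_j, s)


def session_key(id_i, a_j, shared_point):
    """SK = H(ID_i || A_j || n_i N_j), where n_i N_j = n_j N_i."""
    return H(id_i, a_j, point_bytes(shared_point))


def run_session(id_i, sid_j, s):
    """One run. Returns (SK at the SM, SK at ES_j, state of this session)."""
    a_j = H(id_i, register_edge_node(sid_j, s))   # A_j = H(ID_i || RSID_j)
    n_i = secrets.randbelow(ORDER - 1) + 1        # SM ephemeral secret
    n_j = secrets.randbelow(ORDER - 1) + 1        # ES_j ephemeral secret
    big_n_i = scalar_mult(n_i, BASE_POINT)        # N_i = n_i P, sent by the SM
    big_n_j = scalar_mult(n_j, BASE_POINT)        # N_j = n_j P, sent by ES_j
    sk_sm = session_key(id_i, a_j, scalar_mult(n_i, big_n_j))
    sk_es = session_key(id_i, a_j, scalar_mult(n_j, big_n_i))
    return sk_sm, sk_es, {"n_i": n_i, "N_i": big_n_i, "N_j": big_n_j, "A_j": a_j}


def key_with_leaked_ephemeral(state, id_guess, a_j_guess):
    """Key computable from a leaked n_i plus guessed values of ID_i and A_j."""
    shared = scalar_mult(state["n_i"], state["N_j"])
    return session_key(id_guess, a_j_guess, shared)
```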

SM anonymity and untraceability attack
In our protocol, the random numbers $n_i$ and $n_j$ and timestamps $T_i$, $T_j$ are used in the login and authentication phase. Different sessions have different messages; thus, Adv cannot trace the message to focus on specific SMs, and the proposed protocol is secure against an SM anonymity attack. In addition, the identities of the SMs and edge nodes are masked by a random number and timestamp, which also differ. Hence our protocol can resist an untraceability attack.

Experimental result and comparison
In this section, some protocols related to an SG that do not employ edge computing are listed and compared with our proposed protocol to prove the higher performance of the latter. To objectively analyze the protocols, we used an iPhone 7 for accurately determining the computational costs. In the evaluation based on experimental data, to evaluate the proposed protocol, we use $T_h$, $T_d$, $T_{pa}$, $T_{pm}$, $T_{ae}$, $T_{ad}$, $T_{exp}$, and $TG_e$ to represent the time required for performing a one-way hash function, a symmetric decryption/encryption operation, an ECC point addition, a point multiplication, asymmetric public key encryption, asymmetric public key decryption, modular exponentiation, and a bilinear pairing operation. The time required for a bitwise XOR computation is negligible, and therefore, we do not consider the XOR computation time. Table 2 lists the computation time for these operations.
The computation times for the related SG protocols and the proposed protocol are presented in Table 3. A bar chart of the computation times is shown in Fig. 6. From the bar chart, it can be concluded that the proposed protocol involves the minimum computation time in all stages of entities. Although the computation time of Zhang et al.'s protocol was approximately 110.77 ms, which is similar to that of the proposed protocol, Zhang et al.'s protocol cannot resist a privileged insider attack or provide perfect forward secrecy. Therefore, taking all requirements into account, our proposed protocol can provide easy computations and security against various attacks.

Conclusion
In this study, we proposed using edge computing to solve the current security issues encountered in SGs. We designed a secure key exchange and mutual authentication protocol based on edge computing for such grids. To verify our proposed protocol's security, we analyzed the protocol using the automatic tool ProVerif and BAN logic to prove that it can resist various types of attacks. We also compared our proposed protocol with other protocols used in SGs without an edge computing infrastructure. We concluded that the computation time of our proposed protocol is lower than that of other protocols and that the proposed protocol is more secure and lightweight.