A provable secure and lightweight ECC-based authenticated key agreement scheme for edge computing infrastructure in smart grid

With the gradual maturity of Smart Grid (SG), security challenges become the most important issues that need to be addressed urgently. In recent years, many schemes adopt mutual authentication and key agreement to ensure secure communication in SG. However, most existing methods have their own shortcomings in either security or efficiency which make them difficult to satisfy the security requirements of SG. In this paper, we propose a provable secure and lightweight authenticated key agreement scheme based on the Elliptic Curve Cryptosystem (ECC) for the cloud-edge-end collaboration SG communication network. The proposed scheme can guarantee the security of the communication and provide anonymity for both the edge server and the smart meters. The anonymity of the smart meters can be provided by a pseudonym mechanism. By rigorous security analysis, the proposed scheme can resist to the typical attacks including replay attacks and identity forgery attacks. The security properties are also evaluated by using the Canetti and Krawczyk (CK) adversary model. The performance simulation results denotes that the proposed scheme not only owns stronger security functions but also improves computation efficiency by 24.5% on average than other four schemes. By simulation results, the proposed scheme has been shown to hold high efficiency.


Introduction
The power system is one of the most important physical infrastructures in human society [1].The Smart Grid (SG) is defined as the electric power network characterized by an efficient and reliable infrastructure with the use of sophisticated and modern control [2], which is built on the base of an integrated, high-speed two-way communication network.By the application of various system technologies such as advanced control methods, the SG becomes much more economical, efficient, and safe to use.Edge computing is an effective way to provide cloud services to the edge devices and further improving the quality of service to endusers by reducing the computing intensity of the end-users.The SG applies edge computing for data processing for the power equipment to migrate computing resources to the equipment side and reduces the overhead and delay caused by the data transmission.
The communication networks in the SG face various kinds of security risks including malicious attacks from the outside and data loading due to excessive amounts of information [3].Mutual identity authentication can effectively prevent two types of attacks from the outside and verify the identities of the participants in the communication to secure the communication [4] in the SG.It is very important to guarantee secure communication between an Edge Server (ES) and a Smart Meter (SM) because there could be many risks to impair the communication.Therefore, some security measures should be taken to protect communications in the SG.
Secure mutual authentication is the first critical step in deterring attackers.In the past decade, many solutions for authentication and key agreement schemes for the communications in the SG have been proposed.Some schemes in [5][6][7] introduced a trusted third party (TTP) or a trust anchor to participate in the mutual authentication process.However, two of them don't provide a pseudonym mechanism for SMs and ESs, which is likely to cause ID leakage risk.Some schemes suffer from malicious attacks such as Man-In-The-Middle (MITM) attacks in [8], time synchronization attack in [9], and lack of providing session key security in [3].Schemes in [10,11] require high storage and computation costs, it will reduce the robustness of the SG.Schemes in [12,13] proposed a lightweight authentication process, but these schemes can't keep session key security under the Canetti and Krawczyk (CK) adversary model.
Due to the requirements for high reliability and security for the communications in the SG, each SM needs to be authenticated by an ES before entering the communication network in the SG.Each ES will also negotiate a session key with all SMs.If a mutual authentication is not performed between the SM and the ES, there will be a risk of paralysis of the communications in the SG.Most existing authentication schemes for the communications in the SG have some drawbacks in terms of efficiency and security, which are not feasible for frequent interactions between the SM and the ES.Therefore, a secure mutual authentication process with a shared session key negotiated in advance to provide secure communications between the SM and the ES will be particularly critical.1 3 A provable secure and lightweight ECC-based authenticated… So the contribution of the paper is as follows: (1) We propose a Provable Secure and Lightweight Authenticated key agreement scheme called PSLA which is based on the Elliptic Curve Cryptosystem (ECC) for the cloud-edge-end collaboration SG communication network.The proposed PSLA scheme can guarantee the security of the secret key by the elliptical encryption and the anonymity at the ESs and the SMs by introducing a pseudonym mechanism.Our unique contributions are that our PSLA scheme has better performance without sacrificing any safety features.(2) The CK adversary model is used to analyze the security of the PSLA scheme which is secure under the random oracle model.And by informal security analysis.the PSLA scheme can resist to the typical attacks including replay attacks, MITM attacks, and identity forgery attacks.(3) Performance evaluation shows that the computation authentication delay and the communication cost of the PSLA scheme are much more lower than other solutions.
The rest of the paper is organized as follows.In Sect.2, we introduce the related works.In Sect.3, we introduce the system model.Then in Sect. 4 we explain the authentication process of the proposed PSLA scheme in details.In Sect.5, we conduct security analysis to prove that our PSLA scheme can resist various attacks under an ideal circumstance.The performance evaluation on the PSLA scheme is presented in Sect.6.Finally, we summarize our research work in Sect.7.

Related work
Due to limited resources of the devices in the communication networks in the SG, traditional public key infrastructure-based schemes are obviously not applicable for the communications in the SG.Mutual authentication is important to prevent attackers getting effective resources, and ensure the security of SG systems [14] [15].Recently, numerous interesting authentication schemes for secure communications in the SG have been presented.Yang et al. have proposed a lightweight anonymous mobile user authentication scheme for the SG in [16].However, Yang's solution needs too many redundant steps in the registration phase causing a lot of time consumption and data loading.Vanga Odelu et al.Have proposed a provably secure authenticated key agreement scheme for the SG in [17], which can greatly reduce the complexity of the registration, while the time consumption at the SM is still huge which is closed to 500 ms.Kuljeet Kaur et al. have proposed a secure lightweight and privacy preserving authentication scheme for V2G communications in the SG in [18], which separates the mutual authentication process from the key agreement process.If an attacker launches a distributed attack on the server, it can cause other devices failure to establish a connection with the server.Abbasinezhad Mood et al. have designed a scheme for isolated SMs in [19] that does not require the intervention of a service provider in the SG in the key agreement process.But, this scheme uses many scalar multiplication operations to lead its computation delay very high.Chen et al. have proposed a self-authenticated key allocation scheme for the SG in [20].However, Chen's scheme could be subject to a DoS attack with a failure to secure the session key under the CK adversary model [21].
To overcome the security vulnerabilities in the SG's communication, Fouda et al. have proposed a lightweight message authentication scheme for the SG communication in [22], by which communication parties can reduce the total communication delay by avoiding using high communication cryptographic operations and reducing unnecessary signaling messages.But, the scheme could not resist to the DoS attacks.Abdallah has proposed a scheme to utilize the lattice-based homomorphic cryptosystem in [23], while the lattice-based encryption system can incur immense computing overload and communication cost.By the Gope's scheme in [24], before receiving messages, the ES has to check the validity of the SM, which increases the computational complexity linearly with the number of SMs [25].Kumar et al. have proposed a lightweight authentication and key agreement scheme in [9] that enables trust, anonymity, integrity and adequate security in the domain of smart energy networks.But, it cannot resist ephemeral secret leakage and suffers from synchronization attacks.Tsai et al. have proposed a secure anonymous key distribution scheme for the SG by combining the advantages of identity-based signature and identity encryption in [26], but it could not resist to the MITM attacks without the ability to provide the session-key security and credentials' privacy.Braeken et al. have proposed a provably secure key agreement model for the communications in the SG in [27] which can hardly work against malicious insider attackers [28].Physical uncloneable functions (PUFs) have gained popularity as a primitive against physical attacks [29,30].But they are susceptible to the modeling attacks.PUF is a non-destructible method for protecting the security of integrated circuit chips, but it is vulnerable to modeling attacks based on machine learning [31,32].
Compared with other cryptographic operations, the ECC can reduce the computational load effectively, which can also be used in the design of the security schemes for the SG.Sureshkumar et al. improved mutual authentication and key agreement mechanism based on ECC [33], but introduced a third party into the key agreement phase may still be threatened by tracking attacks.In order to solve the security risks caused by tracking attacks, Baghestani et al. [34] and Chaudhry et al. [35] don't let the third party participate in the key agreement process.However, both schemes can not resist impersonation attack.Mahmood's scheme in [36] can achieve the mutual authentication with a low computation and communication cost with its weakness against both perfect forward insecurity and private keys leakage [30].Mohammadali et al. have proposed an identity-based key establishment protocol in [13], which employs elliptic curves for the Advanced Metering Infrastructure in the SG.But, it cannot provide users' anonymity.Wazid et al. have proposed a three factor user authentication scheme in [37] for a renewable energy based SG environment, by employing lightweight cryptographic computations such as one-way hash functions, XOR operations and ECC.Biometrics is used for the identity authentication elements, which leads to a low adaptability and scalability.Badra et al. have proposed a privacy preserving data aggregation scheme in [38], which employs a blind factor to resist the attacks from the internal members.To improve efficiency, it has adopted a very simple authentication process, 1 3 A provable secure and lightweight ECC-based authenticated… but it often leads to be less secure in fact, vulnerable to replay attacks.Jo et al. have proposed an anonymous signature-based authentication with a key exchange for an IoT-enabled SG environment in [39].However, it is unable to defend the MITM and the impersonation attacks.In addition, it does not render the anonymity feature of the SMs.Khan et al. have designed a password-based lightweight key agreement framework (PALK) by using the ECC for the SG in [6].Chaudhry has analyzed the PALK scheme to disclose that the PALK protocol is incorrect at the login and authentication phase due to the ECC operations in [35].Chaudhry has proposed an improved scheme in the same domain.But, the new scheme is not free from the PKI challenges with a high computation cost.Khan et al. have proposed a key agreement and lightweight authentication mechanism for the communications in the SG in [40].However, by the scheme, the communication goes among the user, the trusted third party and the server, that could incur security concerns due to the third party application.To mitigate the issues, a modified mutual authentication and key agreement mechanism by using the ECC has been proposed for the SG in [33], by which the system is secure under the CK adversary model with an additional security scheme required for the control center to organize and initialize the real-time information.Some other schemes in [10][11][12] can cause a significant drain on communication and computation resources due to their high computation complexity.Dariush et al. have proposed an solution named as Anonymous ECC-Based Self-certified Key distribution scheme (AESK) for the SG in [10].However, it relies on tamper-proof security modules to implement certain security functions such as perfect confidentiality.Qi et al. have proposed a scheme named as Two-pass Privacy Preserving Authenticated key agreement (TPPA) for the SG based on the elliptic curve Qu-Vanstone implicit certificates with a trusted third-party participation in the SG in [12].But, under the CK adversary model [34], the TPPA cannot guarantee the security of the session key.Jia, X. et al. have proposed a solution named as Provably Identity-based Anonymous Authentication scheme (PIAA) for mobile edge computing in [11].But, the PIAA adopts too many scalar multiplication in the certification process, which cannot meet the current low-time consumption requirements for the SG.Xiang et al. in [7] proposed a Secure Privacy-preservation Authentication Key agreement scheme (SPAK) in SG communications without providing anonymity of SMs.Thus, how to provide a better privacy-preservation and efficient authentication process deserves further study.

System model and preliminary
In this section, we discuss the details of the system model and security model under the study with the mathematical background.

System model
The architecture of the cloud-edge-end collaboration communication network in the SG is a three-layer network as shown in Fig. 1 including a Home Area Network (HAN) as the end layer, an Edge Mesh Network (EMN) as the edge computing layer and a Wide Area Network (WAN) as the cloud layer [9].Within the HAN, a SM acts as a home gateway that collects energy consumption reading from devices such charging station through Zigbee connection, sends collected readings to the edge sever acting as the aggregator or utility controller through WLAN connection.The EMN supports the communication between the ESs and the SMs.Multiple EMNs can be connected into the WAN via a wireless mesh network.Given the wireless mesh network between metering gateways and/or SMs, the ES could gather all of the required data in periodic intervals and then send them to the data concentrator (DC) through LTE connection.Finally, the DC forwards all the data to the Registration Authority (RA) located near the utility service provider in the WAN, which typically communicates over the powerline communication (PLC).
The ES and the SM should get mutual authenticated for a session key agreement.Before the authentication, the ES and the SM should register with the RA.The communication between the SM and devices such as charging station, the ES and the DC is the connection of Zigbee and LTE respectively, whose communication security has been guaranteed by mature mechanisms.The connection between the DC and the RA is wired.Since the two-way communication between ESs and SMs is a type of wireless communication, it is easy to be exposed to public, attackers may launch some malicious attacks, such as MITM attacks, replay attacks, and DoS attacks, etc.

Security model
A widely known and commonly accepted adversarial model known as the CK threat model [21] has been adopted in this work.The security model is a game played between resister D and opponent A .The game is modeled by a probabilistic polyno- mial-time (P.P. T.) turing machine.Let Π lΩ represents an instance of participant A provable secure and lightweight ECC-based authenticated… Ω , where Ω represents a SMi or an ESj.In the hypothetical model, A can perform a series of operations.In order to reduce the attack difficulty of A , D must reply in accordance with the following regulations.
Hash(m): A performs a hash query on message m.D checks whether message m has been asked before.If yes, the corresponding h(m) is returned.If not, a random number r is returned.Then this record (m,r) is stored in the list.
Execute(SMi,ESj): Execute query is defined on the basis of an passive eavesdropping attack which returns a copy of the information passed between the participants in the system.A may get the session key by collecting the information passed by both parties.
Extract(ID): This query modelsA 's ability of corrupting a legal entity and obtaining the private key of it.When A queries this oracle with identity ID, the oracle returns the private key corresponding to ID.
Send(P,m): Send query is defined on the basis of a modification attacks, replay attacks, simulation attacks, etc.By Send query,A sends message m to P and will receive a response message by P.
Test(SMi,ESj): A can submit this query for only once.When P receives a Test query, an unbiased coin c is flipped.If c = 1, the actual session key is returned.Otherwise, a random value with the same length is returned toA.

Definition 1 The scheme introduces an arbitrary polynomial function P(n). If the equation
Definition 2 Calculating Diffie-Hellman (CDH) problem.Suppose that given three elements,P,xP,yP ∈ G, which are used to calculate the value of (xy)P ∈ G. Due to x,y ∈ Z, any P.P.T. attacker cannot know these elements in a special way.

Definition 3
The AKA-Authenticated Key Agreement-Security.If the advantages Adv A ∑ (E AKA ) provided to any P.P.T. attacker A are negligible, then it can prove that the scheme is AKA safe in the mobile internet environment.

Definition 4
The Mutual Authenticated-Security.If the advantages Adv A ∑(E MA ) pro- vided to any P.P.T. attacker A are negligible, it can prove that the scheme is MA- Security in the mobile internet environment.

Elliptic curve cryptosystem and bilinear pairings
A large prime number q will be chosen.And the elliptic curved Eq(a,b) is defined by the equation E:y 2 = x 3 + ax + b(modq) where a,b,x,y ∈ Z, 4a 3 +27b 2 (modq) ≠ 0. Choosing a point P ∈ Ep as the generator of G. Scalar multiplication has been defined as nP = P + P + P + ••• + P(n times), where n ∈ Z.Let GT be a multiplicative cyclic group of the same order q.The map e: G × G → GT is proved to be an admissible bilinear map, if the following conditions could be resolved.

The proposed PSLA scheme
In this section, we illustrate the proposed PSLA scheme in details.The primitive notations pertaining to the PSLA scheme are demonstrated in Table 1.

Overview
The proposed PSLA scheme consist of five phases: system initialization, edge sever ESj registration, smart meter SMi registration, mutual authentication and key agreement between the ESj and the SMi, as shown in Fig. 2. The system initialization is issued by the RA for generation of all the required system parameters.All the users in the system can receive the system parameters.When one new ESj joins the system, the ESj firstly registers with the RA through the DC to get its pseudonym.Similarity, when one new SMi joins the system, the RA registers with the RA through the ESj and the data concentrator DC to get its pseudonym.At this phase, the ESj and the DC only forward the message between the RA and the SMi.After the registration of the SMi, the authentication phase between the ESj and the SMi is triggered.Once the ESj and the SMi get mutual authentication, at the key agreement phase a A provable secure and lightweight ECC-based authenticated… session key can be generated for further secure communication between the ESj and the SMi.

System initialization phase
In the initialization phase, the RA initializes all the required system parameters for the proposed PSLA scheme as follows: (1) On the non-singular elliptic curve, the RA chooses a large prime q, a cyclic additive group G, a multiplicative group G × G → GT, a key generator P as the generator of G and GT.The RA calculates a bilinear mapping e: G × G → GT,g = e(P,P), which is bilinear, non-degenerate and computable.(2) RA selects a random number s ∈ Z*q as its private key, and then calculates its own public key Ppub = sP.(3) RA selects four secure hash functions H0: Fig. 2 The flow chart of the proposed PSLA scheme (4) RA issues a set of system parameters (G,GT,q,P,Ppub,H0,H1,H2,H3).H0 and H1 are used to calculate the pseudonym of the SM and the ES, H2 is used to encrypt the information in the mutual authentication process.And H3 is used to calculate a session key.

Edge server registration phase
(1) Edge Server ESj selects its own real user IDj and sends a registration request to the RA through the DC.
(2) To ensure that the mutual anonymous identity authentication between SMi and ESj needs the RA to generate a pseudonym before the authentication.And the RA calculates pseudonym SIDj = P s+H 1 (ID j ) for the ESj.(3) RA sends SIDj to ESj.The process of ESj registration is shown in Fig. 3 and Algorithm 1.

Smart meter registration phase
1) Smart meter SMi selects its own real user ID and sends the IDi with a registration request to the RA through the ESj and the DC.
Fig. 3 The process of ESj registration 1 3 A provable secure and lightweight ECC-based authenticated… 2) After receiving the SMi's registration request, the RA generates a random number Ri ∈ Z*q, and generates a pseudonym SIDi = Ri + sH0(IDi),Ru = RiP for SMi.And Ru will be used for subsequent mutual authentication with the ESj.
3)RA sends back (SIDi,Ru) to the SMi through the ESj and the DC.The process of ESj registration is shown in Fig. 4 and Algorithm 2.  2) When ESj receives a session request from SMi, ESj first checks the freshness of the timestamp Tsm.Then it calculates g n x ⊕ N .g n x = g x proved as (1).Then, |T sm and verifies whether L is equal to σP as shown in (2).If it is wrong, ESj will reject the authentication request and terminate the session.Otherwise, ESj will choose a random number y ∈ Z and calculate Y = yP.ESj sets up session keys SKS − SM = H3(yX ∥ Ts), S = H1(SKS − SM), uses current time as TS and sends (S, Y, Ts) back to SMi.
3) After SMi receives the response from ESj, SMi will first check the freshness of the timestamp TS.It then sets the session key SKSM − S = H3 (xY || T s ).SMi will check whether H1(SKSM − S) is equal to S. If they are equal, the authentication with ESj is completed, and the agreement of the session key is ensured.In this phase, ESj and SMi will perform mutual authentication and negotiate a public session key SK for subsequent communications as shown in Fig. 5.The authentication details are shown in Algorithm 3 and 4. (1)

Session key agreement phase
x = e M, SID j = e x P pub + H 1 ID j P , (2) A provable secure and lightweight ECC-based authenticated… 2) After ESj receives the session key agreement information A sent by SMi, ESj needs to use the session key SKs − u to decrypt A, and then determines whether the content in A is a timestamp Tnow and checks the freshness of it.If so, ESj can guarantee that SMi holds the same session key.Until now, the agreement of session key is over.

Security analysis
In Sect.5.1, we provide probabilistic analysis to prove that the proposed scheme is MA-Security and AKA-Security under the condition of providing advantages for attackers by the CK adversary model.In Sect.5.2, we prove that our scheme has sufficient security by theoretical analysis.

3
A provable secure and lightweight ECC-based authenticated…

Provable security
Theorem 1: If the attacker A forges the pseudonym of SMi, SIDi or the pseudonym of ESj, SIDj and completes the mutual authentication process, it means that the attacker A can initiate an impersonation attack at the both sides to break the security of MA.Assuming that A knows the authentication process of the proposed scheme given a certain probability δ.After A obtains the ID of ES or SM, A will use this identity to join the network, thereby obtaining the authentication information to break the MA.The advantage of A breaking scheme ∑ is defined as As long as A breaks the two-way authentication at either side, it can be regarded as breaking the MA-secure to the protocol.Under the premise of Adv A ∑(E MA ) , the probability of A successfully destroying the MA-secure is calculated as (3): where p1, p2 represent the probability of destroying the MA-secure on the ESj side and the SMi side respectively.Where qHash, qSend, q, qe, qh, qm, qa, qb respectively represents the limit of Hash(m) queries, Send(P,m) queries, random number generation, modular exponentiation, hash function (Hash), multiplication (Multiplication), addition (Add) and bilinear pairing (BPA) operations of A.
Proof: We define the following events: (1) EExtract: A obtains the correct pseudonym of an instance.
(2) Eam: A cracks the encrypted information required in the two-way authentication process.(3) Esm-es: A successfully destroys the authentication of the smart meter to the edge server.(4) Ees-sm: A successfully destroys the authentication of the edge server to the smart meter.(5) Eam: A destroys the MA-secure in mutual authentication.
If A wants to destroy the MA on ESj, A needs to crack the encrypted information in the mutual authentication process under the premise of obtaining the pseudonym of ESj, and successfully destroys the authentication of on the ES side.The probability p1 of A destroying the MA on ESj is calculated as (4): To analyze the process of destroying MA on ESj, define the following event: 1) Eps-es: A obtains the correct pseudonym of ESj successfully. (3) 2) Egx: A uses the generated pseudonym to obtain encrypted information gx by a bilinear pairing operation.
3) ESend: When gx generated by A goes through the Send(gx) query, the resister sends back Y.The probability p1 of A destroys the MA at the ES side is also calculated as ( 5): (1) A obtains the real IDj of ESj in the network, and disguises his identity as ESj"Sf".SMi registered at RA tries to perform two-way authentication with the impersonation"ES".(2) When SMi first generates the random number x ∈ Z, and produces the authentication request message as follows:gx where Ru is sent back by the RA in the registration phase.After the calculation, SMi will send (M, N, σ) to ESj"Sf" to negotiate a session key.(3) After A intercepts the authentication information sent by SMi, A needs to crack it.
The most effective way to crack it is to calculate gn x = e(M, SID j ), H 2 gn x ⊕ N , and get IDn i ∥ R n u ∥ Xn ∥ T sm = H 2 gn x ⊕ N by forging the pseudonym SIDj of ESj.In order to improve the advantage of the attacker, we default that A only needs to crack H 2 gn x launching an impersonation attack.p1 is calculated as (6): a. First, A has to challenge the private key s of RA and random number Ri.Because of s, Ri ∈ Z*q, the probability of A generates random number s and Ri is 1 q 2 .SIDj consists of three operations: hash operation, point addition and linear multiplication twice.So the probability of cracking SIDj is 1 .b.A needs to use the generated SIDj to calculate the bilinear pairing operation, which needs to be performed with the total number of times qb power.c.Then A needs to launch Hash(gx) query to determine whether the generated gx is correct.The probability of initiating the Hash operation successfully and passing the test correctly is qHash power.
If A wants to destroy the MA at SMi, A needs to crack the random number Ri under the premise of obtaining the SIDi.So, the probability p2 of A destroying the MA at SMi is calculated as (7): A provable secure and lightweight ECC-based authenticated… We further define the following event: (1) Eps-sm: A successfully obtains the correct SIDi.
(2) Er: A cracks the random number Ri on SMi generated by RA.
(3) ESend: A launches Send(SMi, Start) query with SMi = SM i * .The probability of p2 can be calculated as ( 8): 1) A can launch an impersonation attack on SMi with the two conditions of obtaining SIDi and the random number Ri.
2) After A holds the conditions to forge SIDi, A launches Erode(SMi, Ri) query.When the resister D sends back the registered information, A has all the conditions to be able to initiate the impersonation attack on SMi.
3) A only needs to send the correct pseudonym SIDi and Ri to the resister D. So p2 is calculated as (9): a. SIDi consists of three operations: hash operation, linear multiplication, and linear addition.In addition, A wants to generate a random number Ri ∈ Z*q.So the probability of forging SIDi and Ri ∈ Z*q by A is is ) b.After A completes the generation of SIDi, there is a probability of 1 q s to send the information successfully during the postback process.c.A needs to check the correctness of generating SIDi and Ri, A needs to launch Send(SMi, Start) query to resister D. The probability of initiating Send operation with SMi = SM i * is qSend power.So we can conclude the Eq. ( 3).Since the operations in (3) are large enough, even if the attacker A has such an advantage Adv A ∑ (E MA ) , the probability of A suc- cessfully destroys the MA is still negligible.
Theorem 2: If A completes the generation of σ or S, A can destroy the AKA secure.Let EAKA represent the event A successfully wins the game and ∑ represent an identity authentication scheme.A has an probability ξ that could directly destroy the MA on the public channel.The advantage of A breaking scheme ∑ is defined as . Under the premise of Adv A ∑ (E MA ) , the probability of A successfully destroys the AKA secure is calculated as ( 10): q Send (10) where p3,p4 respectively represent the probability of A destroys AKA secure on ESj and SMi.Where qSend, q, qe, qh, qm, qa, qb respectively represents the limit of Send(P,m) queries, random number generate, modular exponentiation, hash function (Hash), multiplication (Multiplication), addition (Add) and bilinear pairing (BPA) operations of A. Proof: We define the following events: 1) Ema:A successfully destroys the MA-secure of the protocol.
3) Eaka-es: A successfully breaks the SMi to ESj authentication.4) Eaka-sm: A successfully breaks the ESj to SMi authentication.
To analyze the process of destroys AKA security on the edge server side with Adv ES ∑ (E AKA ) , we further define the these event: 1) EExecute(L): A obtains the authentication information L sent by the smart meter.
2) ESend: A successfully forges a legal login message L'.
The probability p3 of A destroys AKA security on ESj is calculated as (11): Because A has an advantage Adv ES ∑ (E AKA ) , in order to destroy the consistency of the session key, A only needs to crack the random number x in the session key.A verifies the correctness of x by verifying the correctness of Ln = P so that A could destroy the AKA security by forging session key.So p3 is calculated as in (12): a.A generates a random number x, Ru with probability ( 1 q 2 ) , and the part of ).b.A needs to connect them by linear addition, and the probability of linear addition is( 1 q a ) .A needs to launch Send(ESj,L') query to resister D to check the correctness of L'.The probability of initiating Send operation with L'= σP is qSend power.
To analyze the process of A destroys AKA security on SMi with Adv SM ∑ (E AKA ) , we further define the following event: 1) EExecute(S): A obtains the authentication information S sent by ESj.
2) ESend: A successfully forges a legal login message.
Due to A has an advantage of Adv SM ∑ (E AKA ) , in order to destroy the AKA secure, A only needs to crack the key generation process.But to judge the correctness of the key, A needs to forge the correct S and verify the correctness of S. If S is correct, it means that A has obtained the session key for communication between the two parties.So p4 is calculated as in ( 13): q Send 1 3 A provable secure and lightweight ECC-based authenticated… a.A generates the part of xY || Tms with probability ( 1 q 2 ).b.A generates the part of SK with probability ( 1 q 2 ).c.A generates the part of S with probability ( 1 q h ).
After generating S', A checks the correctness of S' = S and the probability of this part is qequ power.A needs to launch Send(SMi, S') query to resister D. The probability of initiating Send operation with S' = S is qSend power.
So we conclude the Eq.(10).Since these operations in (10) are large enough, even if A has such an advantage Adv A ∑ (E AKA ) , the probability of destroying AKA secure is still negligible.

Informal security analysis
In this subsection, we will conduct informal security analysis.The proposed PSLA scheme holds the following security properties.
1)Mutual authentication: The SM will authenticate the target ES by checking the correctness of H1(SKSM − S) = S. ES will verify the correctness of L = σP to confirm the identity of the SM.So the both sides of ES and the SM have completed a mutual authentication.
2) Session key agreement: SM and ES can maintain a good consistency with the negotiated session key SK = SKS − SM = H3(yX ||TS) = SKSM − S = H3 (xY || TS) = H3(xyP || TS).Due to the existence of the CDH problem, it can be determined that the session key will not be obtained by any other participant or adversary.
3)Perfect forward secrecy: Assuming that if the session key negotiated between SM and ES has been leaked, the attacker A intercepts all the authentication information (M, N, σ, Tsm) and (S,Y,TS) on the channel including SIDi and Y.If the attacker wants to obtain the session key SK = SKS − SM = H3(yX || TS) = SKSM − S = H3(xY || TS) = H3(xyP || TS), he/she has to know the random number x or y.Due to the difficulty of cracking in the CDH assumption, the session key cannot be compromised without knowing the random number x or y.It is easy to conclude that the PSLA scheme can provide the perfect forward secrecy.
4)Confidentiality of RA: By the PSLA scheme, the RA does not participate the MA between ES and SM.Its major responsibility is to design a pseudonym for ES and SM in the registration over a secure channel, so it is impossible for an attacker to intercept the pseudonym information in this process.
5)Edge server privacy information protection: After receiving an authentication request, the ES extracts the user identity and calculates the session key.
During the authentication process, both parties use a pseudonym generated by the RA.The pseudonym cannot be easily disclosed because it is hidden as the encrypted data.At the same time, the process of generating pseudonyms by the RA is carried out on a secure channel, which provides an effective protection for ( 13) q Send the security and privacy of pseudonyms.Furthermore, the proposed scheme can resist against the following attacks.1)Identity forgery attacks on SM: If attacker A wants to forge SMi, it must generate a legal authentication message (M, N, σ, Tsm).Among them, σ is actually the authentication information signed by the SM.Since the attacker cannot forge the pseudonym of the SM, the attacker cannot generate the correct encrypted information σ.Even if the attacker sends the encrypted information σ to the ES, the subsequent authentication will be interrupted due to L ≠ σP.
2) Identity forgery attacks on ES: In the authentication message (M, N, σ, Tsm), SMi uses the identity of the ES to encrypt (IDi, Ru, X).Without knowing the pseudonym of the ES, the attacker A cannot extract (IDi, Ru, X) from the authentication message.Since the attacker cannot achieve the forgery of the pseudonym of the ESj, the correct authentication information S cannot be generated and sent back to the SM.Therefore, the attacker cannot impersonate the ES.
3)MITM attacks: By the PSLA scheme, an ES can verify the true identity of a SM by checking the correctness of σP = L = (Ru + Ppub H0(IDi)) + X'H2(ID'i || R'u || X' || Tsm).The SM can authenticate the ES by checking correctness of H1(SKSM-S) = S. Without knowing the pseudonym SIDj of the ES and the pseudonym SIDi of the SM, the adversary cannot generate a valid message.Therefore, the proposed PSLA scheme can resist MITM attacks.
4)Replay attacks: By a replay attack, an attacker sends data that has been received by a destination with the aim to deceive the system.Since a time stamp and random number pseudonym have been introduced in the PSLA scheme, freshness of the information in each data interaction can be ensured.Even if the attacker has tampered with the timestamp and sends the data packet, in the subsequent authentication process, the replay attack can be resisted by the random number used.

Performance evaluation
In this section, we comprehensively evaluate the performance of the proposed PSLA scheme and compare it with that of other four related schemes including the TPPA [12], the AESK [10], the PIAA [11] and the SPAK [7] schemes in terms of number of the cryptography operations, computation delay and communication cost.We A provable secure and lightweight ECC-based authenticated… assume that the bit length of EXP and timestamp is 64 bits, the bit length for random number authentication and Hash function is 160 bits, the operation for each point on the elliptic curve is 161 bits, and the operation for each element in the multiplicative group is 512 bits.

Number of cryptography operations
We divide the encryption operations into five categories.Among them, PAD, HAS, EXP, BPA and MUL represents point addition, hash operation, modular exponentiation, bilinear pairing and scalar multiplication, respectively.Without any attack, the number of specific encryption operations on the SM and the ES by five schemes is shown in Table 2.
It is clear to see in Table 2 that the proposed PSLA scheme uses fewer MULs and more EXPs.It is worth noting that the EXP can effectively cut down computation delay, while the MUL takes much more time than other operations.It is obvious that the proposed PSLA scheme can guarantee the security of the authentication while incurring a low time delay to meet the efficiency requirements.

Computation delay
Due to the large difference on computing power between the SM and the ES, timeconsuming statistics has been conducted over different platforms for each party.The ES is simulated on the cloud platform provided by Alibaba,Intel(R) Xeon(R) CPU E5-26,300 @ 2.30 GHz, 1 GB RAM and Ubuntu 14.04 for 64bit operating system.The SM has been simulated over a 2 GHz ARM CPU Emulated on Google Nexus One smartphone with armeabi-v7a, 300 MB RAM and Android 4.4.2operating system.We include the statistics time of the cryptography operations in Table 3 [41,42].
The proposed PSLA scheme is compared with the TPPA, AESK, PIAA and SPAK schemes, those are much time-consuming on certification.According to the information in Tables 2 and 3, the number of specific encryption operations by the TPPA scheme is 29, which needs 95.968 ms.The number of specific encryption operations by the AESK scheme is 24, which needs 113.732 ms.The specific number of encryption operations by the PIAA scheme is 25, which needs 98.655 ms.The specific number of encryption operations by the SPAK scheme is 25, which needs 98.655 ms.The specific number of encryption operations by the SPAK scheme is 26, which needs 102.358 ms.The delay by the specific operations can be calculated by Eq. (14-18).The minimum calculation delay of the PSLA scheme is 77.329 ms, which is 19% lower than that of the TPPA scheme, 32% lower than that of the AESK scheme, 22% lower than that of the PIAA scheme, and 25% lower than that of the SPAK scheme. ( T TPPA = 4T  A provable secure and lightweight ECC-based authenticated… Figure 6 shows the computation delay comparison of the five schemes in the form of a histogram.The computation delay at the smart metre side by our proposed PSLA, the TPPA, the AESK, the PIAA and the SPAK schemes is 63.766 ms, 87.338 ms, 103.486 ms, 83.449 ms and 102.358 ms respectively.And the computation delay on the server side at the PSLA, the TPPA, the AESK, the PIAA and the SPAK schemes is 13.563 ms, 8.63 ms, 10.246 ms 15.206 ms and 9.664 ms respectively.It is clear that the computation delay by our proposed PSLA scheme is the shortest on the smart metre side.
Since the our proposed PSLA solution can resist some typical attacks, which have been verified by the security analysis and named as known attacks, the mutual authentication could not be interrupted by those known attacks.However, the authentication process can be interrupted by some new types of malicious attacks.Since the emergence of new malicious attacks is unpredictable, these potential attacks are considered as unknown attacks.Assume that during an authentication process, the mutual authentication process can be interrupted by unknown attacks.In general, if an authentication process is attacked by the known attacks, the computation delay to complete a mutual authentication is fixed.But, if the authentication process is attacked by the unknown attacks, the delay to complete the mutual authentication will be uncertain.We simulate the authentication process under the 2 different types of the attacks by using C++ coding.At each stage of an mutual authentication process, the authentication process by five authentication schemes could be interrupted due to unknown attacks.

Fig. 7 Average authentication delay under different attack ratio
In the simulation experiments, we constantly change the ratio of unknown attacks and compare the computational delay by the five different schemes.Each authentication process has been simulated to run a total of number of 10,000 times by the five authentication schemes to analyze their performance in terms of authentication delay by constantly changing the ratio of attack types.In the simulation, when the ratio of unknown attacks to known attacks changes, the computation delay are measured for each scheme.The parameter that measures performance is the average successful authentication delay defined as in (19): where timesunknown = ratiounknown•timesALL-ATTACK The specific simulation results are shown in Fig. 7, in which the abscissa represents the ratio of unknown attacks, and the ordinate represents the average authentication incurred by the five schemes.According to the results in Fig. 7, the proposed PSLA scheme can have the lowest delay when the ratio of unknown attacks increase from 0 to 0.7.The average authentication delay during the authentication process can also remain relatively stable as the ratio of the unknown attacks increases.Therefore, the proposed PSLA scheme has its efficiency advantages even under different unknown attacks.

Communication cost
There are two parts for the communication cost including transmission delay and propagation delay.For the transmission delay Ttran, as the communication between SM and ES uses WLAN connection, the experienced data rate of downlink and uplink in the urban area is 100 Mbps.For the propagation delay Tprop, the wave propagation speed is approximately equal to 3•10 8 m/s in wireless communication.It is assumed that the radius of a cell is 150 m, and the signal sent by the SMi will travel 150 m at the speed of 3•10 8 m/s to arrive at a ESj.So, the propagation delay from the SMi to the ESj is 0.5 µs.And the propagation delay from the ESj to the SMi is also 0.5 µs.The theoretical communication overhead of the proposed PSLA, the TPPA, the AESK, the PIAA and the SPAK schemes  A provable secure and lightweight ECC-based authenticated… are respectively 868 bits, 966 bits, 801 bits, 1092 bits, 1156 bits and 962 bits.The theoretical communication cost is compared in Table 4.
From the Table 4, we can conclude that the total communication cost of the proposed PSLA scheme is 12.2% lower than that of the TPPA scheme, 3.0% lower than that of the AESK scheme, 15.0% lower than that of the PIAA scheme, and 21.6% lower than that of the SPAK scheme.In summary, the proposed PSLA scheme still has a good advantage in terms of communication cost.

Conclusion
In this paper, we have proposed a mutual anonymous authentication scheme for the communications in the SG with a key management function based on the ECC.The proposed PSLA scheme applies a pseudonym to ensure the greatest degree of protection against impersonation attacks in the authentication process for secure communications.The security of the PSLA scheme has been qualitatively analyzed to show its advantages.The proposed PSLA scheme can provide session key agreement, confidentiality of the RA, perfect forward secrecy and the ES privacy protection.The performance of the proposed PSLA scheme has been evaluated and compared with other existing solutions to conclude that the proposed PSLA scheme cannot only incur a low computation delay but also can realize all the security functions provided by other schemes.In future research, we will introduce a weighted evaluation pseudonym based on trust to realize the secure storage control of distributed trust data, and design a comprehensive trust model.
Funding Open Access funding provided by the Qatar National Library.

Declarations
Conflict of interest The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made.The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material.If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.To view a copy of this licence, visit http:// creat iveco mmons.org/ licen ses/ by/4.0/.

Fig. 1
Fig. 1 Architecture of communication system in SG

Fig. 4
Fig.4The process of SMi registration

1 )
In order to ensure the agreement of the negotiated session key, if SMi authenticates ESj successfully, SMi needs to send back a verification message encrypted by the session key to ESj.SMi sends the session key agreement information A = E(Tnow, SKu − s), where Tnow is the current time, back to ES.

Fig. 6
Fig. 6 Computation delay in authentication process

( 19 )
delay AVG = delay unknown * times unknown + delay known * times known times known

Table 1
i , x, y Random numbers in Z * q SK Session key T sm Timestamp of smart meter (64-bits) T s Timestamp of edge server (64-bits) 1 3

Table 3
Execution time of basic operations (ms)

Table 4
Communication Cost for Different Schemes