LACP-SG: Lightweight Authentication Protocol for Smart Grids

Abstract

Smart grid (SG) recently acquired considerable attention due to their utilization in sustaining demand response management in power systems. Smart meters (SMs) deployed in SG systems collect and transmit data to the server. Since all communications between SM and the server occur through a public communication channel, the transmitted data are exposed to adversary attacks. Therefore, security and privacy are essential requirements in the SG system for ensuring reliable communication. Additionally, an AuthentiCation (AC) protocol designed for secure communication should be lightweight so it can be applied in a resource-constrained environment. In this article, we devise a lightweight AC protocol for SG named LACP-SG. LACP-SG employs the hash function, “Esch256”, and “authenticated encryption” to accomplish the AC phase. The proposed LACP-SG assures secure data exchange between SM and server by validating the authenticity of SM. For encrypted communication, LACP-SG enables SM and the server to establish a session key (SEK). We use the random oracle model to substantiate the security of the established SEK. Moreover, we ascertain that LACP-SG is guarded against different security vulnerabilities through Scyther-based security validation and informal security analysis. Furthermore, comparing LACP-SG with other related AC protocols demonstrates that LACP-SG is less resource-intensive while rendering better security characteristics.

1. Introduction

The Industrial Internet of Things (IIoTs) promises to elevate many communication paradigm innovations, focusing on industrial applications. Particularly, IIoT-based smart grid (SG) technology is envisioned to be a vital part of the next-generation power grid system. An SG mainly comprises four elements: sensing, control, actuation, and communication systems. The sensing and communication processes are performed by smart meters (SMs), which are the significant components of an SG, while service providers perform actuation and communication (SPs) [1].

The rapid utilization of SMs has recently been witnessed in smart homes under the SG environment to observe energy utilization in real time. To this end, the SMs communicate with SP on public communication channels. The communication between SMs and SP mandates security and privacy, as the channel used for this communication is prone to various security risks. For instance, an adversary can modify, eavesdrop, and disrupt the communication with consequent degradation in the performance of the SG system [2]. These concerns necessitate the designing of a secure, lightweight, and robust authentication (AC) protocol to guarantee information communication among the honest participants in the SG system while preserving the privacy of the entities.

1.1. Security Requirements in SG Systems

An SM transmits electricity usage information periodically to SP via the public internet. Therefore, the following security requirements are imperative for the smooth working of the SG system [3,4].

1.1.1. Security

Firstly, the SG system contains a large number of SMs. Thus, an SP must check the authenticity of the SM before commencing the information exchange process. It is worth noticing that, by authentication, the authenticity of the deployed SMs in the SG system can be verified. Therefore, the authentication protocol should be able to resist various security attacks, such as denial-of-service (DoS), SM capture, ephemeral secret leakage (EPSL), device impersonation (DIMP), man-in-the-middle (MIDM), de-synchronization (DeS), privilege-insider (PrI), replay, and SP impersonation (SPI) attacks [5]. After accomplishing the authentication process, SM and SP need to create a common session key (SEK) to protect the communicated information. Secondly, the authentication protocol needs to guarantee the authenticity of the SM and SP, verify the data’s integrity, and ensure non-repudiation. Thirdly, by capturing an SM by an adversary, the procured sensitive information from the memory of the captured SM should not breach the security of the communication between other SMs and SP [6,7].

1.1.2. Efficiency

In general, an SP has sufficient computational resources and can process a specific volume of information. However, many SMs communicate with SP concurrently in the SG system, requiring significant computational resources. Moreover, SMs are resource-limited devices with limited computational, communication, and energy resources. Thus, it is imperative to devise a resource-efficient authentication protocol that requires the least computational resources of SP and SM during the authentication process [4,8].

2. Related Work

Security and privacy are the critical parameters of concern for the SG systems. Various security schemes have been proposed to cope with the security challenges in the SG system [9,10]. Li et al. [4] proposed an AC mechanism, which is in-efficacious in thwarting replay, MIDM, and EPSL attacks. In addition, the proposed scheme is incapable of rendering MA and anonymity features. Kumar et al. [11] proposed an AC mechanism for the SG environment employing elliptic curve cryptography (ECC) and SHA. However, the scheme of Kumar et al. is incapable of restraining MIDM device impersonation. DIMP and EPSL attacks are unable to ensure mutual authentication (MA) and the security of SEK. An authentication protocol for the SG environment is presented in [12], using PUF and SHA. Similarly, a secure communication protocol for the SG environment is presented in [13], which is unable to withstand DoS and EPSL attacks. An ECC, XOR, and SHA-based lightweight AC protocol for the SG environment is presented in [14], which cannot withstand various security attacks. An authentication and SEK establishment scheme is propounded in [15], utilizing ECC, XOR, and SHA. The authors in [16] propounded a reliable AC protocol using ECC for the SG infrastructure that can hinder different security threats. In this paper, we propose a physical unclonable function (PUF)-based AC mechanism for the SG system. Li et al. [4] devised a pairing-based message AC protocol for the SG environment, unable to withstand the MIDM, DoS, EPSL, and impersonation attacks and incapable of providing security for SEK. Chen et al. [3] propounded a BP-based AC protocol for SG environments, incapable of resisting EPSL and impersonation attacks and incapable of ensuring the security of SEK. The security framework proposed in [17] cannot resist the DeS attack. An AE-based security framework is presented in [18], and its security is proved through the AVISPA. A detailed summary of various AC protocols or schemes propounded for the SG environment is presented in

Table 1. Summary of various AC protocols.

AC/AKE Protocol	Shortcomings/Security Vulnerabilities
Wu et al. [19]	Unable to thwart MIDM and EPSL attacks. Incapable of rendering anonymity and PFS features.
Mahmood et al. [20]	In-efficacious in preventing DoS, impersonation, PrI, replay, MIDM, and EPSL attacks.
Dariush et al. [21]	In-efficacious in resisting DoS attack. Incapable of rendering SM’s anonymity and SEK security.
Banerjee et al. [22]	Unable to render identity protection and traceability.
Wazid et al. [23]	Exposed to DeS attack. Incapable of rendering revocability and formal validation.
Odelu et al. [24]	In-efficacious in preventing DoS, MIDM, and impersonation attacks. Unable to assure SM’s anonymity.
Xie et al. [25]	In-efficacious in resisting replay and impersonation attacks. Incapable of rendering forward secrecy.
Li et al. [4]	In-efficacious in thwarting replay, MIDM, EPSL attacks. Incapable of rendering MA and anonymity features.
LACP-SG	Specialized hardware is required to accomplish the PUF-based AC process. In the future, we will use the AEAD schemes for designing the blockchain-enabled authentication frameworks.

Authenticated encryption with associative data (AEAD), lightweight cryptography (LWC), advance encryption standard (AES), mutual authentication (MA), perfect forward secrecy (PFS), exclusive-OR (XOR), bi-linear paring (BP), elliptic curve cryptography (ECC), authentication and key exchange (AKE), physical unclonable function (PUF), secure hash algorithm (SHA).

.

2.1. Motivation

Most of the AC protocols in the existing literature are devised using standardized symmetric encryption, such as AES, and public-key cryptography, such as ECC. These standardized cryptographic primitives are computationally expensive for resource-limited devices [14,26]. Moreover, most AC protocols are susceptible to various security risks, including DeS, replay, impersonation attacks, etc., as summarized in Section 2. Therefore, it is imperative to devise a secure and lightweight AC protocol for the SG systems.

Various AEAD schemes are devised to enable encryption and decryption services in resource-limited IoT devices. The main features of AEAD schemes are given to clarify why adopting the LWC primitives is essential when devising an AC protocol. This property of AEAD schemes makes them efficacious in reducing the encryption/decryption operations required to perform the AC process. (i) LWC-based AEAD schemes achieve message authenticity, integrity, and confidentiality simultaneously with a single encryption/decryption operation. (ii) AEAD schemes demand less computational and energy resources with reduced message overhead. (iii) The LWC-based hash function (Esch256) demands fewer computational resources than the existing hash functions while proffering the same security level.

Figure 1 presents the high-level working of an AEAD scheme, which is the base mechanism of the proposed AC protocol. Here, the AEAD scheme at the source node accepts the key along with associative data ($AD$), initialization vector/nonce, and plaintext as inputs to return output in the form of ciphertext ($CT$) and authentication parameters ($AP$). Moreover, the source generates a message with credentials $\{AD,CT,AP\}$ and sends this message to the destination to accomplish MA. In the proposed protocol, $AD$ comprises the temporary identity of the source node, i.e., $AD=\{temporaryidentity,IPheader,etc.\}$. SP uses the temporary identity to find the record associated with the source from its memory. $CT$ is obtained after encrypting the random numbers and other parameters used in the construction of SEK. At the destination, decryption is performed by using the AEAD scheme. The AEAD scheme generates the $PT$ and $A{P}_d$ after taking the same input parameters as taken at the source node. To authenticate the validity of the obtained message, the destination node checks the condition $AP=A{P}_d$. If it holds, the received message is valid. We adopt the same methodology to propose a secure and lightweight AC protocol for the SG environment.

2.2. Research Contributions

The paper comprises the subsequent contributions.

• This paper proffers a new lightweight AC protocol for SGs, called LACP-SG, which utilizes “Counter Mode Encryption with authentication Tag” (COMET) [27] along with a lightweight hash function “Esch256”. LACP-SG enables SP to check the authenticity of SM installed in the SG system before commencing the information exchange process. In addition, LACP-SG enables both the SM and SP to generate a shared SEK for future indecipherable communications.
• The random oracle model (ROM) is utilized to corroborate the security of the established shared SEK. Moreover, security analysis utilizing the Scyther tool is executed to demonstrate that LACP-SG is resilient against MIDM, DeS, and replay attacks. Informal security is performed to illustrate that LACP-SG is resistant to SM capture and impersonation attacks. Moreover, LACP-SG allows the sensitive credentials associated with SM to be stored in ciphertext form in the database of SP, thereby restraining the PrI attack.
• The meticulous comparative analysis is conducted to illustrate that LACP-SG renders enhanced security features while requiring low communication, storage, and computational overheads, respectively, than the related eminent AC protocols.

The subsequent paper is formed as follows. The system models, such as the network and attack model for LACP-SG, are illustrated in Section 3. Section 4 explicates the preliminary knowledge used in designing LACP-SG. The propounded LACP-SG is explicated in Section 5. The resiliency of LACP-SG against various attacks is furnished in Section 6. The significance of the LACP-SG is studied in Section 7. The paper concludes with concluding statements in Section 8.

3. System Model

3.1. Network Model

For the authentication process, we contemplate the SG network model as depicted in Figure 2, which constitutes registration authority (RA), smart meter ($S{M}_i|i=1,2,\cdots ,n$), where “n” symbolizes the installed SMs and $\left(S{P}_k\right|k=1,2,\cdots ,N)$, where “N” symbolizes the number of SPs installed by RA. RA is liable for the registration of $S{P}_k$. $S{P}_k$ stores the data or information sent by $S{M}_i$. $S{P}_k$ pre-loads the confidential credentials into $S{M}_i^{\prime }s$ memory before its deployment in the SG environment. $S{M}_i$ collects the sensitive information and transmits the accumulated information to $S{P}_k$ via an openly available wireless channel, which is imperiled by different security vulnerabilities. Thus, ensuring the transmitted information’s integrity and confidentiality is inevitable. In the subsequent sections, the propounded secure AC protocol is elaborated, which validates the authenticity of the deployed $S{M}_i$. For encrypted communications, it sets up a secret key between $S{P}_k$ and $S{M}_i$.

3.2. Threat Model

We are considering the broadly utilized Dolev–Yao (DY) model for the proposed LACP-SG for the SG system [16,28]. The adversary $\mathcal{A}$ is able to alter and remove the content of the captured message. Furthermore, after updating the content of the captured message with malicious code, $\mathcal{A}$ can generate a malicious message. Network entities such as $S{M}_i$ can be physically compromised by $\mathcal{A}$. Moreover, $\mathcal{A}$ can obtain sensitive data loaded in the memory of $S{M}_i$. In addition to this, $\mathcal{A}$ can use the procured information to carry out various attacks. In addition, $S{P}_k$ is contemplated as the trusted entity of the SG system. As in the DY model, in the CK-adversary model, $\mathcal{A}$ can not only intercept communications in the SG environment, but the secret parameters, such as session keys and state and private keys, can also be compromised by $\mathcal{A}$.

4. Preliminaries

4.1. COMET

We use CHAM-based block cipher COMET-128 as the encryption/decryption scheme in the proposed LACP-SG. COMET is an AEAD scheme [27]. We express the encryption and decryption of COMET by ($CTx$, $A{P}_{tag}$) = ${\mathcal{E}}_K$$\left\{\right(N,AD),PTx\}$ and ($PTx$, $A{P}_{tag}^{{}^{\prime }}$) = ${\mathcal{D}}_K$$\left\{\right(N,AD),CTx\}$, respectively, where K, N, $AD$, $CTx$, $A{P}_{tag}$, and $PTx$ signifies “secret key”, “nonce”, “associative data”, “ciphertext”, “authentication parameter”, and “plaintext”, respectively. COMET decryption process will retrieve the plaintext if the condition $A{P}_{tag}^{}=A{P}_{tag}^{\prime }$ holds.

4.2. Esch256

We use the hash function “Esch256” in designing LACP-SG, which is faster than SHA-160/256 and requires fewer computational resources. In addition, Esch256 renders the same functionality as provided by SHA-160/256 with an output size of 256 bits. Moreover, Esch256 renders enhanced security features.

4.3. Physical Unclonable Function

(PUF) is a one-way function. PUF produces a unique output (response) after taking the challenge as the input parameter. The operation of PUF can be represented as $R=PUF\left(CH\right)$.

4.4. Fuzzy Extractor

(FE) comprises two algorithms, namely, Generator $Gen(·)$ and Reproducer $Rep(·)$. The probabilistic algorithm $Gen(·)$ produces key $K_{S{M}_i}$ and Helper Data $\left(HD\right)$ by taking bio-metric R of user, i.e., $(K_{S{M}_i},HD)=Gen\left(R\right)$. $Rep(·)$ is a deterministic algorithm that reproduce $K_{SM}$ by considering the inputs R and $HD$, if the condition $HM(R,R^{{}^{\prime }})\le et$ holds, where $HM$ is the hamming distance between R and $R^{\prime }$ and $et$ is the error tolerance.

5. The Proposed LACP-SG Protocol

The proposed LACP-SG protocol comprises four phases: (1) SM deployment phase; (2) SP Deployment Phase; (3) AC Phase; and (4) New SM Deployment. The subsequent subsections explain the details of the designed LACP-SG protocol. It is assumed that all the participants in the SG environment are time-synchronized to cope with replay attacks.

Table 2. Notations used in LACP-SG.

Notation	Description
$S{M}_i$, $S{P}_k$	Smart meter (SM) and Service Provider (SP), respectively
$PUF$, $CH$, R	Physically unclonable function, challenge, and response, respectively
$C{P}_{S{P}_k}$	Common parameter of SP, which is known only to SP
$TI{D}_{S{M}_i}$	Temporary-Identity of smart meter (SM)
$I{D}_{S{M}_i}$, $I{D}_{S{P}_k}$, $K_{S{P}_k}$	Real-Identity SM, SP, and secret key of SP
$CT$ and $A{P}_{tag}$	Ciphertext and authentication parameter ($Tag$)
$PT$ and $A{P}_{tag}^{\prime }$	Plaintext and authentication parameter ($Tag$)
$T{S}_1$, $T{S}_2$	Timestamps in LACP-SG’s AC phase
$T_{mrc}$, $T_{dly}$	Received and maximum delay time of a message
$A{D}_1$, $A{D}_2$	designates the associative data
$N_1$, $N_2$, $N_3$	Signifies the nonce or initialization vector
${\mathcal{E}}_{\mathcal{K}}\left(msge\right)$, ${\mathcal{D}}_{\mathcal{K}}\left(msge\right)$	designates COMET based encryption/decryption of message $“msge”$ employing secret $key$
$Gen(·)$, $HD$, $Rep(·)$	Signifies $FE$ based key production, helper data, and key re-production function, respectively
$R{N}_1$, $R{N}_2$, $R{N}_3$	designates the random numbers
$\mathcal{A}$, ‖, $H(.)$, $\oplus$,	Signifies attacker/adversary, concatenation, hash-function, and XOR, respectively
$Adv$, $INT-CTXT$	“Advantage of $\mathcal{A}$ and ciphertext integrity”
$OPRP-CPA$	“Online pseudo-random permutation chosen-plaintext attack”

lists the notations utilized in devising LACP-SG.

5.1. SP Deployment Phase

The SP deployment phase is accomplished by RA to deploy $S{P}_k$. For this, RA picks a unique identity $I{D}_{S{P}_k}$ and computes the secret key for the $S{P}_k$ deployed in SG environment as $K_{S{P}_k}=H(K_{RA}\Vert I{D}_{S{P}_k})$, where $K_{RA}$ is the private key of RA. In addition, RA stores the list of credentials {$I{D}_{S{P}_k}$, $K_{S{P}_k}$} in the temper-resistance database of $S{P}_k$. RA also stores the credentials {$I{D}_{S{P}_k}$, $K_{S{P}_k}$} in its own database.

5.2. SM Deployment Phase

$S{M}_i$ deployment phase (SDP) is executed by RA. RA stores the secret credentials before $S{M}_i$ deployment in the SG environment by performing the trailing necessary steps.

5.2.1. Step SDP-1

$S{M}_i$ picks a real identity $I{D}_{S{M}_i}$ of size 128 bits and a random number $R{N}_r$ of size 128 bits. $S{M}_i$ fabricates a message with parameters {$I{D}_{S{M}_i}$, $R{N}_r$} and sends it to RA through a secure channel. RA picks a challenge parameter $C{H}_{S{M}_i}$ and computes temporary identity $TI{D}_{S{M}_i}$ = $(I{D}_{S{M}_i}$‖$R{N}_{S{M}_i})$$\oplus$$C{P}_{S{P}_k}$, where $C{P}_{S{P}_k}$ = $H(I{D}_{S{P}_k}$‖$K_{S{P}_k})$. In addition to this, RA computes $U=H\left(I{D}_{S{M}_i}\right)$ and determines $SI{D}_i$ = $(U_1$$\oplus$$U_2)$, where $U_1$ and $U_2$ are derived by splitting U into two same-sized chunks, each with the size of 128 bits. RA sends the credentials {$C{H}_{S{M}_i}$, $TI{D}_{S{M}_i}$} to $S{M}_i$ via the secure channel.

5.2.2. Step SDP-2

After receiving the parameters {$C{H}_{S{M}_i}$, $TI{D}_{S{M}_i}$} from RA, $S{M}_i$ generates a response by using $PUF$ function as $R_i$ = $PUF\left(C{H}_{S{M}_i}\right)$. In addition, $S{M}_i$ by using $FE$ computes $(K_{S{M}_i}$, $HD)$ = $Gen\left(R_i\right)$ and sends $K_{S{M}_i}$ to $S{P}_k$ through a protected channel. Finally, $S{M}_i$ keeps the credentials {$TI{D}_{S{M}_i}$, $C{H}_{S{M}_i}$, $R{N}_r$, $HD$} in its own memory.

5.2.3. Step SDP-3

Upon obtaining $K_{S{M}_i}$ from $S{M}_i$, RA computes $B_i$ = ($K_{S{M}_i}$‖$R{N}_r$) $\oplus$$C{P}_{S{P}_k}$. Finally, RA stores the parameters {$SI{D}_i$, $B_i$} in the database of $S{P}_k$.

5.3. AC Phase

In AC phase (ACP), $S{M}_i$ achieves MA with $S{P}_k$. Moreover, $S{M}_i$ establishes a secret SEK with $S{P}_k$ to achieve encrypted communication. The trailing steps provide a detailed explanation of the AC phase.

5.3.1. Step ACP-1

$S{M}_i$ retrieves $C{H}_{S{M}_i}$ from its memory, stored in the $S{M}_i$ memory during its deployment phase and computes $R_i=PUF\left(C{H}_{S{M}_i}\right)$. $S{M}_i$ regenerates $K_{S{M}_i}$ by using $FE$ as $K_{S{M}_i}$ = $Rep(R_i,HD)$, where the size of $K_{S{M}_i}$ is 128 bits. In addition, $S{M}_i$ selects the current timestamps $T{S}_1$ with size 32 bits, the random number $R{N}_1$ with size 128 bits, and computes $A_{}=H(T{S}_1\Vert R{N}_r)$ and nonce $N_1=A_1\oplus A_2$, where $A_1$ and $A_2$ are procured by splitting A into two same-sized chunks, each with the size of 128 bits. In addition, $S{M}_i$ computes the associative data $A{D}_1=X_1\oplus X_2$, where $X_1$ and $X_2$ are two equal parts of $TI{D}_{S{M}_i}$. The size of $N_1$ and $A{D}_1$ is 128 bits. $S{M}_i$ by using COMET computes ($C{T}_1,A{P}_{tag1}$) = ${\mathcal{E}}_{K_{S{M}_i}}$$\{(N_1,A{D}_1)$, $R{N}_1\}$, where $C{T}_1$, $A{P}_{tag1}$, and $R{N}_1$ denote ciphertext, authentication parameter (Tag), and plaintext, respectively. Finally, $S{M}_i$ constructs a message $M_1$: {$T{S}_1$, $TI{D}_{S{M}_i}$, $C{T}_1$, $A{P}_{tag1}$} and sends $M_1$ to $S{P}_k$ through a public communication channel.

5.3.2. Step ACP-2

Upon procuring $M_1$ form $S{M}_i$, $S{P}_k$ checks the condition $T_{dly}\ge |T_{mrc}-T{S}_1|$ to validate the $M_1$ freshness, where $T_{dly}$ is the allowed time delay, $T_{mr}$ is the $M_1$ received time, and $T{S}_1$ designates the $M_1$ generation time. If the condition holds, $S{P}_k$ considers $M_1$ as the authentic message and proceeds with the AC process. Otherwise, $S{P}_k$ discards $M_1$ and obstructs the AC process. $S{P}_k$ determines the common parameter $C{P}_{S{P}_k}$ as $C{P}_{S{P}_k}$ = $H(I{D}_{S{P}_k}$‖$K_{S{P}_k})$. Moreover, $S{P}_k$ retrieves $I{D}_{S{M}_i}$ and $R{N}_{S{M}_i}$ by computing $TI{D}_{S{M}_i}$$\oplus$$C{P}_{S{P}_k}$ = ($I{D}_{S{M}_i}$‖$R{N}_{S{M}_i}$), where $TI{D}_{S{M}_i}$ is received with $M_1$ and $C{P}_{S{P}_k}$ is computed at $S{P}_k$. Additionally, $S{P}_k$ picks the retrieved $I{D}_{S{M}_i}$ and computes $Q_{}=H\left(I{D}_{S{M}_i}\right)$ and $SI{D}_i=Q_1\oplus Q_2$, where $Q_1$ and $Q_2$ are two chunks of $Q_{}$ each of 128 bits. In addition, $S{P}_k$ checks if $SI{D}_i$ is located in its database (memory). If $SI{D}_i$ is found, $S{P}_k$ retrieves the credential {$B_i$} corresponding to $SI{D}_i$, stored in the database (memory) of $S{P}_k$. In addition to this, $S{P}_k$ computes $C{P}_{S{P}_k}$$\oplus$$B_i$ = $(R{N}_r$‖$K_{S{M}_i})$. Additionally, $S{P}_k$ determines $A{A}_{}$ = $H(T{S}_1$‖$R{N}_r)$ and nonce $N_2$ = $A{A}_1\oplus A{A}_2$, where $A{A}_1$ and $A{A}_2$ are procured by splitting $AA$ into two same-sized chunks, each with the size of 128 bits. Furthermore, $S{M}_i$ computes $A{D}_2$ = $X_1^a$$\oplus$$X_2^a$, where $X_1^a$ and $X_2^a$ are two equal parts of $TI{D}_{S{M}_i}$. Finally, $S{P}_k$ by using COMET computes ($R{N}_1$, $A{P}_{tag2}$) = ${\mathcal{D}}_{K_{S{M}_i}}$$\{(N_2,A{D}_2)$, $C{T}_1\}$, where $A{D}_2$, $N_2$, $C{T}_1$, $A{P}_{tag2}$, and $R{N}_1$ denote associative data, nonce, ciphertext, authentication parameter (Tag), and plaintext, respectively. To validate the authenticity of $M_1$, $S{P}_k$ checks the condition $A{P}_{tag1}=A{P}_{tag2}$. If it holds, $S{P}_k$ considers $M_1$ as the authentic message, which is received from a valid $S{M}_i$. Otherwise, $S{P}_k$ discards $M_1$ and aborts the AC process.

5.3.3. Step ACP-3

After substantiating the authenticity of $M_1$, $S{P}_k$ picks timestamp $T{S}_2$, $R{N}_2$, $R{N}_{S{M}_i}^n$, and computes the new temporary identity $TI{D}_{S{M}_i}^{new}$ as ($I{D}_{S{M}_i}$‖$R{N}_{S{M}_i}^n$) $\oplus$$C{P}_{S{P}_k}$ = $TI{D}_{S{M}_i}^{new}$, where $I{D}_{S{M}_i}$ is real identity of $S{M}_i$ and $R{N}_{S{M}_i}^n$ is a new random number. Moreover, $S{P}_k$ computes $K_{S{M}_i}^1$ = ($K_{S{M}_i}$$\oplus$$R{N}_1$), which is used in the encryption process. For encrypted communication in future, $S{P}_k$ computes SEK as $S{K}_{S{P}_k}$ = $H(TI{D}_{S{M}_i}$‖$R{N}_1$‖$R{N}_2$$\oplus$$I{D}_{S{M}_i}$‖$T{S}_2$‖$TI{D}_{S{M}_i}^{new})$ and calculates $S{K}_{v1}$ = $S{K}_{S{P}_k}^a$$\oplus$$S{K}_{S{P}_k}^b$. Furthermore, $S{P}_k$ determines $N_3=(R{N}_r\oplus R{N}_1)$, and $P{T}_1=(TI{D}_{S{M}_i}^{new}\Vert (R{N}_2\oplus I{D}_{S{M}_i})\Vert S{K}_{v1})$. In addition to this, by using COMET, $S{P}_k$ computes ($C{T}_2$, $A{P}_{tag3}$) = ${\mathcal{E}}_{K_{S{M}_i}^1}$$\{(N_3,A{D}_2)$, $P{T}_1\}$, where $A{D}_2$, $N_3$, $C{T}_2$, $A{P}_{tag3}$, and $P{T}_1$ denote associative data, nonce, ciphertext, authentication parameter, and plaintext, respectively. Finally, $S{P}_k$ contrives a message $M_2$: {$T{S}_2$, $C{T}_2$, $A{P}_{tag3}$} and dispatches $M_2$ to $S{M}_i$ via an open/wireless channel.

5.3.4. Step ACP-4

After acquiring $M_2$ from $S{P}_k$, $S{M}_i$ checks the condition $T_{dly}\ge |T_{mrc}-T{S}_2|$ to validate the freshness of $M_2$. If $M_2$ is fresh, $S{M}_i$ determines $N_4=(R{N}_r\oplus R{N}_1)$, $K_{S{M}_i}^2$ = $(K_{S{M}_i}\oplus R{N}_1)$, and by using COMET computes ($P{T}_1$, $A{P}_{tag4}$)= ${\mathcal{D}}_{K_{S{M}_i}^2}$$\{(N_4,A{D}_1)$, $C{T}_2\}$, where $A{D}_1$, $N_4$, $C{T}_2$, and $A{P}_{tag4}$ denote associative data, nonce, ciphertext, authentication parameter (Tag), and plaintext, respectively. Moreover, $S{M}_i$ checks the condition $A{P}_{tag3}=A{P}_{tag4}$. If it holds, $S{M}_i$ procures the plaintext $P{T}_1=(TI{D}_{S{M}_i}^{new}\Vert (R{N}_2\oplus I{D}_{S{M}_i})\Vert S{K}_{v1})$ from the decryption process. For indecipherable communication, $S{M}_i$ computes the SEK as $S{K}_{S{M}_i}$ = $H(TI{D}_{S{M}_i}$‖$R{N}_1$‖$R{N}_2$$\oplus$$I{D}_{S{M}_i}$‖$T{S}_2$‖$TI{D}_{S{M}_i}^{new})$. In addition to this, $S{M}_i$ calculates $S{K}_{v2}$ = $S{K}_{S{M}_i}^a$$\oplus$$S{K}_{S{M}_i}^b$ and checks the condition $S{K}_{v1}=S{K}_{v2}$. If it holds, both $S{K}_{S{M}_i}^{}$ and $S{K}_{S{P}_k}^{}$ are equal. Otherwise, it terminates the AC process. Finally, $S{M}_i$ updates $TI{D}_{S{M}_i}$ with $TI{D}_{S{M}_i}^{new}$ in its own memory. Figure 3 summarizes the LACP-SG AC phase.

5.4. New SM Deployment Phase

RA performs the subsequent steps to deploy a new $S{M}_i^n$.

5.4.1. Step SDP-1

$S{M}_i^n$ picks a real identity $I{D}_{S{M}_i}^n$ and $R{N}_r^n$ and sends {$I{D}_{S{M}_i}^n$, $R{N}_r^n$} to RA through a protected channel. RA picks a new challenge $C{H}_{S{M}_i}^n$ and computes the new temporary identity $TI{D}_{S{M}_i}^n$ = $(I{D}_{S{M}_i}^n$‖$R{N}_{S{M}_i}^n)$$\oplus$$C{P}_{S{P}_k}$. Moreover, RA computes $U^n=H\left(I{D}_{S{M}_i}^n\right)$ and derives $SI{D}_i^n=(U_1^n\oplus U_2^n)$, where $U_1^n$ and $U_2^n$ are derived by splitting $U^n$ into two same-sized chunks, each with the size 128 bits. RA sends the credentials {$C{H}_{S{M}_i}^n$, $TI{D}_{S{M}_i}^n$} to $S{M}_i^n$ via a secure channel.

5.4.2. Step SDP-2

After receiving a challenge $C{H}_{S{M}_i}^n$ from RA, $S{M}_i^n$ generates a response by using the PUF function as $R_i^n=PUF\left(C{H}_{S{M}_i}^n\right)$. In addition, $S{M}_i^n$ by using $FE$ computes $(K_{S{M}_i}^n$, $H{D}^n)$ = $Gen\left(R_i^n\right)$ and sends $K_{S{M}_i}^n$ to RA via secure channel. Furthermore, $S{M}_i$ stores {$TI{D}_{S{M}_i}^n$, $C{H}_{S{M}_i}^n$, $R{N}_r^n$} in its own memory. Upon receiving $K_{S{M}_i}^n$ from $S{M}_i^n$, RA computes. In addition, $S{P}_k$ computes $B_i^n$ = ($K_{S{M}_i}^n$‖$R{N}_r^n$) $\oplus$$C{P}_{S{P}_k}$. Finally, RA stores the parameters {$SI{D}_i^n$, $B_i^n$} in the $S{P}_k$ database.

6. Security Analysis

6.1. Informal Security Analysis

6.1.1. Anonymity and Untraceability

Assume $\mathcal{A}$ eavesdrops the communicated messages, such as $M_1$: {$T{S}_1$, $TI{D}_{S{M}_i}$, $C{T}_1$, $A{P}_{tag1}$} and $M_2$: {$T{S}_2$, $C{T}_2$, $A{P}_{tag3}$}, which are exchanged during the AC phase of the proposed LACP-SG. $\mathcal{A}$ cannot determine the real identity of SM of SP, which are $I{D}_{S{M}_i}$ and $I{D}_{S{P}_k}$, respectively, from the captured $M_1$ and $M_2$. $\mathcal{A}$ by capturing $M_1$ and $M_2$ cannot procure the real identities of SM and SP.

6.1.2. Replay Attack

$\mathcal{A}$ after expropriating all the messages, such as $M_1$: {$T{S}_1$, $TI{D}_{S{M}_i}$, $C{T}_1$, $A{P}_{tag1}$} and $M_2$: {$T{S}_2$, $C{T}_2$, $A{P}_{tag3}$} tries to regenerate the captured messages to obtain helpful information from the participants of the AC phase. However, we assume the system is time-synchronized, and each message bears the newest timestamp and random numbers. $\mathcal{A}$ cannot frame the replay attack because the entities $S{M}_i$ and $S{P}_k$ verify the newness/oldness of the obtained message by confirming the condition $T_{dly}\ge |T_{mrc}-T{S}_1|$ and $T_{dly}\ge |T_{mrc}-T{S}_2|$, respectively. If the obtained transmission is delayed, the entity of the receiving will dump the obtained message. In this way, the proposed LACP-SG detects the replayed messages and discards such received messages. Hence, LACP-SG is protected against replay attacks.

6.1.3. DeS Attack

The proposed LACP-SG renders resistance against DeS attack. For anonymous communication, $S{M}_i$ uses $TI{D}_{S{M}_i}$, which is updated by $S{P}_k$ during the accomplishment of every new AC session. $S{P}_k$ constructs $TI{D}_{S{M}_i}$ by concatenating $I{D}_{S{M}_i}$ and a fresh random number $R{N}_{S{M}_i}$, i.e., $(I{D}_{S{M}_i}\Vert R{N}_{S{M}_i})\oplus C{P}_{S{P}_k}$, where $I{D}_{S{M}_i}$ remains constant and $R{N}_{S{M}_i}$ is updated to $R{N}_{S{M}_i}^n$. Suppose $\mathcal{A}$ drops $M_2$ during the execution of the AC phase. This action of $\mathcal{A}$ cannot affect the execution of the new AC session because $I{D}_{S{M}_i}$ is constant, which is extracted by $S{P}_k$ to compute the $SI{D}_i$. $SI{D}_i$ is used to find the record at $S{P}_k$ related to $S{M}_i$. So, LACP-SG is capable of resisting the DeS attack.

6.1.4. Privilege Insider Attack

To accomplish the authentication phase in the proposed LACP-SG scheme, $S{P}_k$ stores the parameters {$SI{D}_i$, $B_i$} in the database. Thus, to fabricate a valid messages, such as $M_1$: {$T{S}_1$, $TI{D}_{S{M}_i}$, $C{T}_1$, $A{P}_{tag1}$} and $M_2$: {$T{S}_2$, $C{T}_2$, $A{P}_{tag3}$}, it is imperative for $\mathcal{A}$ to compute $C{P}_{S{P}_k}$$\oplus$$B_i$ = $(R{N}_r$‖$K_{S{M}_i})$. However, without knowing the secret key of $S{P}_k$, it is hard for $\mathcal{A}$ to extract $R{N}_r$ and $K_{S{M}_i}$, which are required to construct $M_1$ and $M_2$. Hence, LACP-SG can resist the PrI attack.

6.1.5. MIDM Attack

Assume that $\mathcal{A}$ expropriates all the exchanged messages $M_1$ and $M_2$ between the entities during the AC phase over the wireless/open communication channel. Now, $\mathcal{A}$ may attempt to reconstruct the seized messages to make the participants of the system believe that the received messages are generated by licit entities. To simulate a licit message $M_1$ on behalf of $S{M}_i$, $\mathcal{A}$ requires to have all the confidential/secret credentials of $S{M}_i$, i.e., {$I{D}_{S{M}_i}$, $C{H}_i$, $K_{S{M}_i}$}. Similarly, $\mathcal{A}$ needs to extricate all the secret/confidential parameters of $S{P}_k$ to construct a valid response message on behalf of $S{P}_k$. However, without having all the confidential credentials of $S{M}_i$ and $S{P}_k$, it is impractical for $\mathcal{A}$ to construct a valid message. Therefore, LACP-SG can restrain MIDM attacks.

6.1.6. Impersonation/Modification/Injection Attack

To impersonate as $S{P}_k$, A has to regenerate the message $M_2$ on behalf of $S{P}_k$ to make $S{M}_i$ believe that the message is licit and obtained from an honest $S{P}_k$. Now, suppose $\mathcal{A}$ attempts to generate $M_1$ with valid credentials. However, to generate $M_2$, $\mathcal{A}$ requires knowing the confidential credentials of $S{P}_k$. However, $\mathcal{A}$ cannot produce a valid message $M_2$ in polynomial time without knowing the secret credentials to emulate as legitimate $S{P}_k$. Similarly, $\mathcal{A}$ requires knowing the confidential credentials of $S{M}_i$. Therefore, LACP-SG is protected against $S{M}_i$ and $S{P}_k$ impersonation attacks.

6.1.7. Key Compromise Impersonation Attack

In this attack, $\mathcal{A}$ tries to impersonate as a valid $S{M}_i$ by compromising the long-term secret key of $S{P}_k$. However, to construct a valid message $M_1$: {$T{S}_1$, $TI{D}_{S{M}_i}$, $C{T}_1$, $A{P}_{tag1}$}, it is necessary for $\mathcal{A}$ to obtain the secret parameters, such as $R{N}_r$ and $K_{S{M}_i}$. Thus, without having these confidential parameters, it is hard for $\mathcal{A}$ to impersonate a valid $S{M}_i$. Similarly, without having the confidential parameters of $S{P}_k$, $\mathcal{A}$ cannot impersonate a licit $S{P}_k$. In this way, LACP-SG can resist key compromise impersonation attacks.

6.1.8. Known Session-Specific Temporary Information Leakage/EPSL Attack

According to the CK-adversary model, $\mathcal{A}$ can compromise the secret credentials (Long Term Secrets (LTS), Ephemeral Secrets (ES)), and session states aside from all the actions allowed under the DY model. In LACP-SG, the session key is created using both LTS and ES, i.e., $S{K}_{S{M}_i}(=S{K}_{S{P}_k})$ = $H(TI{D}_{S{M}_i}\Vert R{N}_1\Vert (R{N}_2\oplus I{D}_{S{M}_i})\Vert T{S}_2\Vert TI{D}_{S{M}_i}^{new})$. Therefore, it is imperative for $\mathcal{A}$ to guess that both LTS and ES construct the session key.

6.1.9. SM Capture/Memory Modification Attack

According to the DY threat model, $\mathcal{A}$ can seize some of the SMs from in the SG environment. $\mathcal{A}$ can extricate the secret credentials by using a power analysis attack kept in the memory of SM. However, the parameters $C{H}_i$, $R{N}_r$, and $TI{D}_{S{M}_i}$ are unlike for all SMs installed in the SG environment. Therefore, by capturing some of the installed SMs, $\mathcal{A}$ cannot compromise the security of the whole SG environment. Hence, LACP-SG is resilient against SM capture attacks.

6.2. ROM-Based Formal Security Analysis

This section provides a ROM-based analysis of the SEK security between $S{M}_i$ and $S{P}_k$ during the execution of the AC phase of LACP-SG. The subsequent components are described in the ROM model.

Participants: Suppose that ${\mathsf{\Psi }}_{RA}^{t1}$, ${\mathsf{\Psi }}_{S{M}_i}^{t2}$, and ${\mathsf{\Psi }}_{S{P}_k}^{t3}$ represent instances $t1$, $t2$, and $t3$ of the participants RA, $S{M}_i$, and $S{P}_k$, denoted as oracles.

Accepted state: When an instance ${\mathsf{\Psi }}^t$ acquires the last message, it will be in the accepted state. The session identification (Sid) of ${\mathsf{\Psi }}^t$ for the current session prescribes the ordered sequence of all exchanged messages (i.e., messages sent/received by ${\mathsf{\Psi }}^t$).

Partnering: Two instances ${\mathsf{\Psi }}^{t2}$ and ${\mathsf{\Psi }}^{t2}$ are partners only if both are in an acceptable state and share similar session keys.

Freshness:$\mathcal{A}$ is unable to obtain the SEK established between $S{M}_i$ and $S{P}_k$ by running the $Reveal$ query presented in

Table 3. ROM-based queries.

Query	Purpose
$Execute({\mathsf{\Psi }}_{S{M}_i}^{t2},{\mathsf{\Psi }}_{S{P}_k}^{t3})$	Perpetration of this query enables $\mathcal{A}$ to seize all the transmitted messages between $S{M}_i$ and $S{P}_k$.
$Send({\mathsf{\Psi }}^t,Msg)$	Perpetration of this query enables $\mathcal{A}$ to yield an active attack by dispatching a message $Msg$ to ${\mathsf{\Psi }}^{t2}$ and ${\mathsf{\Psi }}^{t1}$ also respond to $Msg$ accordingly.
$Reveal\left({\mathsf{\Psi }}^t\right)$	Perpetration of this query enables $\mathcal{A}$ to get the shared SEK, utilized to guarantee the secure transmission between ${\mathsf{\Psi }}^{t1}$ and its interrelated entity.
$CorruptSM\left({\mathsf{\Psi }}_{S{M}_i}^{t2}\right)$	Perpetration of this query helps $\mathcal{A}$ to acquire the secret/private parameters loaded in the storage of $S{M}_i$ by operating PA attack.
$Test\left({\mathsf{\Psi }}^t\right)$	Perpetration of this query enables $\mathcal{A}$ to ascertain whether the guessed SEK is licit or random output, just like the outcome of a flipped coin, say C.

.

Adversary:$\mathcal{A}$ can fully control and seize all the messages and alter, falsify, and infiltrate messages by employing the queries expressed in Table 3. $\mathcal{A}$ can execute the hash function $H(.)$, referred to as random oracle $ESHah$.

Definition 1.

Online chosen ciphertext attack (OCCA3) advantage of $\mathcal{A}$, which is executing against an AEAD scheme in polynomial-time $\left(pt\right)$, can be defined as follows.

$$\begin{array}{c}\hfill Ad{v}_{\phi }^{OCCA3}\left(\mathcal{A}\right)\le Ad{v}_{\phi }^{OPRP-CPA}(que,len,pt)\\ \hfill +Ad{v}_{\phi }^{INT-CTXT}(que,len,pt),\end{array}$$

(1)

Theorem 1.

Let $\mathcal{A}$ run against LACP-SG in $pt$ to derive the established SEK between $S{M}_i$ and $S{P}_k$ during the AC phase. Let $H_{que}$ signify Esch256 queries, $\left|ESHah\right|$ designates the range space of Esch256 output, $H_{puf}$ represents PUF quires, $\left|PUF\right|$ designates the range space of PUF output, and $Ad{v}_{COMET,\mathcal{A}}^{OCCA3}(que,len,pt)$ is the advantage in compromising the security of an online AEAD scheme (COMET) (Definition 1). The maximum advantage of $\mathcal{A}$ for compromising the security of SEK, established between $S{M}_i$ and $S{P}_k$, can be described as follows:

$$\begin{array}{c}\hfill Ad{v}_{\mathcal{A}}^{LACP-SG}\left(pt\right)\le \frac{H_{que}^2}{\left|ESHah\right|}+\frac{H_{puf}^2}{\left|PUF\right|}\\ \hfill +2.Ad{v}_{COMET,\mathcal{A}}^{OCCA3}(que,len,pt).\end{array}$$

(2)

Proof. 

The succeeding five games $\left(G{M}_z\right|z=0,1,2,3,4)$ are executed to prove Theorem 1. We heed the identical means to establish the proof of Theorem 1 as followed in [29,30,31,32,33]. In addition to this, we characterize the $\mathcal{A}$ advantage in compromising the security of SEK by $Ad{v}_{\mathcal{A}}^{LACP-SG}\left(pt\right)$ = $|2·Pr[SuS]-1|$, where $“Pr\left[SuS\right]”$ indicates the possibility of a circumstance where $\mathcal{A}$ can achieve/win the game. LACP-SG is defended if $Ad{v}_{\mathcal{A}}^{LACP-SG}$$\left(pt\right)$ is insignificant.

$GA{M}_0$: In this game, $\mathcal{A}$ performs an active attack against LACP-SG under ROM. $\mathcal{A}$ at the commencement of $G{M}_0$ guesses the bit $C^{\prime }$ randomly. Then, trailing can be achieved

$$Ad{v}_{\mathcal{A}}^{LACP-SG}\left(pt\right)=|2.Pr\left[SuS0\right]-1|.$$

(3)

$GA{M}_1$: In $GA{M}_1$, $\mathcal{A}$ makes the $execute$ query to effectuate the eavesdrop attack. By effectuating eavesdrop attack during the execution of AC phase, $\mathcal{A}$ can intercept all the exchanged messages, such as $M_1$: {$T{S}_1$, $TI{D}_{S{M}_i}$, $C{T}_1$, $A{P}_{tag1}$} and $M_2$: {$T{S}_2$, $C{T}_2$, $A{P}_{tag3}$}. $\mathcal{A}$ effectuates $Test$ at the end of this game and validates whether the outcome of the $Test$ query is a random number or a real session key, i.e., $S{K}_{S{M}_i}(=S{K}_{S{P}_k})$ = $H(TI{D}_{S{M}_i}\Vert R{N}_1\Vert (R{N}_2\oplus I{D}_{S{M}_i})\Vert T{S}_2\Vert TI{D}_{S{M}_i}^{new})$, where $TI{D}_{S{M}_i}^{new}=(I{D}_{S{M}_i}\Vert RN)\oplus C{P}_{S{P}_k}$. The session key is produced in the proposed LACP-SG using the LTS and ES. Therefore, to reveal the session key established between $S{M}_i$ and $S{P}_k$, it is imperative for $\mathcal{A}$ to guess both the ES and LTS simultaneously. However, it is impractical for $\mathcal{A}$ to procure all the secret parameters by capturing $M_1$ and $M_2$. So, the winning chance of this game for $\mathcal{A}$ will not increase by effectuating the eavesdrop attack:

$$Pr\left[SuS0\right]=Pr\left[SuS1\right].$$

(4)

$GA{M}_2$: In this game, the aim of $\mathcal{A}$ is to deceive an entity to receive a mutated message. $\mathcal{A}$ is authorized to make various $ESHah$ queries to check the presence of the hash collisions. All the exchanged messages, such as $M_1$: {$T{S}_1$, $TI{D}_{S{M}_i}$, $C{T}_1$, $A{P}_{tag1}$} and $M_2$: {$T{S}_2$, $C{T}_2$, $A{P}_{tag3}$} during the AC phase indirectly include the associative data and nonce, and temporary identities, which are protected by the collision-resistant Esch256 hash function. Therefore, there will be no collision when $\mathcal{A}$ performs $Send$ queries. The consequences of the birthday paradox confer

$$|Pr\left[SuS1\right]-Pr\left[SuS2\right]|\le \frac{H_{que}^2}{2\left|ESHah\right|}.$$

(5)

$GA{M}_3$: This game is considered a continuation of $GA{M}_2$ that simulates PUF queries. According to $GA{M}_2$, it follows that

$$|Pr\left[SuS3\right]-Pr\left[SuS2\right]|\le \frac{H_{puf}^2}{2\left|PUF\right|}.$$

(6)

$GA{M}_4$: In this game, $\mathcal{A}$ attempts to construct the session key by capturing $M_1$ and $M_2$, which are protected by AEAD scheme. In LACP-SG the session key in constructed as $S{K}_{S{M}_i}(=S{K}_{S{P}_k})$ = $H(TI{D}_{S{M}_i}\Vert R{N}_1\Vert (R{N}_2\oplus I{D}_{S{M}_i})\Vert T{S}_2\Vert TI{D}_{S{M}_i}^{new})$. Therefore, $\mathcal{A}$ has to procure $R{N}_1$ and $R{N}_2$, which are encrypted using AEAD scheme (COMET). Moreover, the associative data and the initialization vector used in the encryption process are random. In addition, secret keys are required to decrypt $C{T}_1$ and $C{T}_2$. It is computationally impractical to perform the decryption process in polynomial time. Due to OCCA3 property (Definition 1), it then follows that

$$\begin{array}{c}\hfill |Pr\left[SuS3\right]-Pr\left[SuS4\right]|\le Ad{v}_{COMET,\mathcal{A}}^{OCCA3}(que,len,pt).\end{array}$$

(7)

As all the queries are performed, $\mathcal{A}$ executes the $Test$ queries to presume bit $C^{\prime }$ for winning the game. Thus, we obtain

$$Pr\left[SuS4\right]=1/2.$$

(8)

From (3) and (4), we obtain

$$Ad{v}_{\mathcal{A}}^{LACP-SG}\left(pt\right)=|2.Pr\left[SuS0\right]-\frac{1}{2}|.$$

(9)

From (9), we obtain

$$\frac{1}{2}.Ad{v}_{\mathcal{A}}^{LACP-SG}\left(pt\right)=|Pr\left[SuS0\right]-\frac{1}{2}|.$$

(10)

By using (8) and (10), we obtain

$$\frac{1}{2}.Ad{v}_{\mathcal{A}}^{LACP-SG}\left(pt\right)=|Pr\left[SuS1\right]-Pr\left[SuS4\right]|$$

(11)

Through triangular inequality, we obtain

$$\begin{array}{c}\hfill \left|Pr\right[SuS1]-Pr[SuS4\left]\right|\le \left|Pr\right[SuS1]-Pr[SuS2\left]\right|\\ \hfill +\left|Pr\right[SuS2]-Pr[SuS4\left]\right|\\ \hfill \le \left|Pr\right[SuS1]-Pr[SuS2\left]\right|+\left|Pr\right[SuS2]-Pr[SuS3\left]\right|\\ \hfill +\left|Pr\right[SuS3]-Pr[SuS4\left]\right|.\end{array}$$

(12)

By utilizing (5), (6), (7) and (12), we obtain

$$\begin{array}{c}\hfill Ad{v}_{\mathcal{A}}^{LACP-SG}\left(pt\right)\le \frac{H_{que}^2}{\left|ESHah\right|}+\frac{H_{puf}^2}{\left|PUF\right|}\\ \hfill +2.Ad{v}_{COMET,\mathcal{A}}^{OCCA3}(que,len,pt).\end{array}$$

(13)

□

6.3. Scyther Based Formal Security Verification

We investigated the formal security of LACP-SG by utilizing the widely adopted validation tools, i.e., Scyther. Scyther is a Python-based software designed to formally analyze the security of the authentication schemes, their security claims, and potential vulnerabilities. Scyther employs the Security Protocol Description Language (SPDL) for describing a devised security scheme and is also utilized to determine the weaknesses of a security scheme by demonstrating any potential threats or risks. In the proposed LACP-SG, two roles are defined, such as $S{M}_i$ and $S{P}_k$. There are two manually specified claims, such as $claim(SM,Secret,SK)$ and $claim(SP,Secret,SK)$, which are validated by Scyther, as shown in Figure 4. In addition, Scyther also generates the claims, such as $claim(SM,Alive)$, $claim(SM,Nisynch)$, and $claim(SM,Niagree)$, which are validated as demonstrated in Figure 4.

7. Performance Evaluation

LACP-SG is contrasted with other protocols, such as in Bera et al. [29], Chaudhry et al. [30], Bera et al. [34], Kumar et al. [11], Chaudhry et al. [35], and Mehmood et al. [20]. We use the Python-based library “PyCrypto” along with COMET code to acquire the time complexity of cryptographic primitives and COMET.

Table 4. Time complexity of different cryptographic operations.

Notations	Operation	Time on R-Pi3	Time on ${\mathit{SP}}_{\mathit{k}}$
$T_{ecc}$	ECC-based point multiplication	2.70 ms	0.705 ms
$T_{en}$	Symmetric key encryption	0.41 ms	0.015 ms
$T_{eca}$	ECC-based point addition	0.134 ms	0.007 ms
$T_H$	One-way hash function (16 bytes)	0.345 ms	0.039 ms
$T_{HE}$	Esch256 one-way hash function (32 bytes)	0.330 ms	0.032 ms
$T_{pu}$	Physical-unclonable-function	0.49 $\mathsf{\mu }$s	-
$T_{CO}$	COMET	0.349 ms	0.041 ms
$T_{rep}\approx T_{ecc}$	Bio-metric key generation and reproduction	2.70 ms	0.705 ms

Time complexities are computed on Quad-core Raspberry Pi-3 (R-Pi3) with CPU @1.2 GHz, and 1GB of RAM″ and “Core(TM) i7-6700 system with CPU @3.40 GHz, and RAM 8 GB” to simulate $S{M}_i$ $S{P}_k$, respectively.

depicts the time complexities of different cryptographic operations.

7.1. Security Comparison

A comparison of the security properties of LACP-SG and other related AC schemes is demonstrated in

Table 5. Security comparison.

Features	Chaudhry et al. [30]	Bera et al. [29]	Bera et al. [34]	Mehmood et al. [20]	Kumar et al. [11]	Chaudhry et al. [35]	LACP-SG
PrI	✓	✓	✓	×	✓	✓	✓
DIMP	×	✓	✓	✓	×	×	✓
SPI	✓	✓	✓	✓	✓	×	✓
DCA	×	✓	✓	✓	✓	×	✓
MIDM	✓	✓	✓	×	×	✓	✓
DeS	✓	×	×	✓	✓	✓	✓
DoS	✓	✓	✓	×	✓	✓	✓
RA	✓	✓	✓	×	✓	✓	✓
SEKS	✓	✓	✓	×	×	×	✓
EPSL	✓	✓	×	×	×	✓	✓
ROM	✓	✓	✓	×	✓	✓	✓
MA	✓	✓	✓	✓	×	✓	✓
SCER	×	✓	✓	✓	✓	×	-

SCER: secure certificate computation; DCA: device capture attack; ✓: indicates the supported functionality; ×: represents the functionality is not available.

. That of Bera et al. [29] cannot restrain the DeS attack, that of Bera et al. [34] is unprotected against the DeS attack, and that of Mehmood et al. [20] is insecure against the DoS, MIDM, PrI, EPSL, RA attacks and does not provide the SEK security. The scheme of Kumar et al. [11] is against DIMP, MIDM, and EPSL attacks and does not provide SEK security. In addition to this, the scheme of Chaudhry et al. [35] is incapable of resisting EPSL, SIMP, DIMP, device capture, and SEK disclosure attacks. Moreover, Chaudhry et al. [30] provide insecure certificate computation, which causes various attacks, such as device capture and DIMP attacks. However, the proposed LACP-SG is secure and protected against various pernicious attacks, such as MIDM and DeS attacks.

7.2. Communication Overhead Comparison

For analyzing the communication overhead that occurred during the AC phase, we suppose that the length of the ECC point, identity, hash function output, initialization vector/random number/nonce, and timestamp are 320, 128, 256, 128, and 32 bits, respectively. There are two messages required to accomplish the AC phase of LACP-SG, i.e., $M_1$: {$T{S}_1$, $TI{D}_{S{M}_i}$, $C{T}_1$, $A{P}_{tag1}$}, $M_2$: {$T{S}_2$, $C{T}_2$, $A{P}_{tag3}$}. The sizes of $M_1$ and $M_2$ are {32 + 256 + 128 + 128} = 544 bits and {32 + 512 + 128} = 662 bits. Hence, the communication cost of LACP-SG is {662 + 544} = 1206 bits, which is 56.68%, 10.27%, 49.07%, 12.35%, 27.52%, and 10.27% lesser than the scheme of Bera et al. [29], Chaudhry et al. [30], Bera et al. [34], Kumar et al. [11], Chaudhry et al. [35], and Mehmood et al. [20], respectively. The comparison between LACP-SG and the related AC protocol communication overhead is given in

Table 6. Communication overhead comparison.

AC Protocol	Disseminated Messages During AC Phase	Total (Bits)
Bera et al. [29]	$S{M}_i\stackrel{1120}{\to }S{P}_k/GS\stackrel{1376}{\to }{D}_k/S{M}_i\stackrel{288}{\to }S{P}_k$	2784
Chaudhry et al. [30]	$S{M}_i\stackrel{832}{\to }S{P}_k\stackrel{512}{\to }S{M}_i$	1344
Bera et al. [34]	$D_k/S{M}_i\stackrel{864}{\to }S{P}_k/GS\stackrel{1216}{\to }{D}_k/S{M}_i\stackrel{288}{\to }S{P}_k$	2368
Kumar et al. [11]	$S{M}_i\stackrel{512}{\to }S{P}_k\stackrel{672}{\to }S{M}_i\stackrel{192}{\to }S{P}_k$	1376
Chaudhry et al. [35]	$S{M}_i\stackrel{832}{\to }S{P}_k\stackrel{832}{\to }S{M}_i$	1664
Mehmood et al. [20]	$S{M}_i\stackrel{672}{\to }S{P}_k\stackrel{672}{\to }S{M}_i$	1344
LACP-SG	$S{M}_i\stackrel{544}{\to }S{P}_k\stackrel{662}{\to }S{M}_i$	1206

and Figure 5.

7.3. Computational Overhead Comparison

We employ the time complexity of different cryptographic operations, shown in Table 4, to estimate the computational overhead of LACP-SG and relevant AC protocol. LACP-SG requires the computational overhead of $7T_{HE}+4T_{co}+T_{rep}+T_{pu}\approx 4.34$ ms in the AC phase. The schemes of Bera et al. [29], Chaudhry et al. [30], Bera et al. [34], Mehmood et al. [20], Kumar et al. [11], and Chaudhry et al. [35] require $22T_H+8T_{ecc}+2T_{eca}\approx 17.82$ ms, $8T_H+9T_{ecc}+2T_{eca}\approx 17.93$ ms, $18T_H+4T_{en}+4T_{ecc}+2T_{eca}\approx 11.12$ ms, $12T_H+4T_{ecc}\approx 14.42$ ms, $8T_H+10T_{ecc}+4T_{eca}\approx 18.79$ ms, and $8T_H+9T_{ecc}+5T_{eca}\approx 18.18$ ms, respectively, which are 75.14%, 75.29%, 60.16%, 69.28%, 76.42%, and 75.63% higher than the proposed LACP-SG, respectively, as shown in

Table 7. Computational overhead comparison.

Protocol/Scheme	${\mathit{SM}}_{\mathit{i}}$ Side	${\mathit{SP}}_{\mathit{k}}$ Side	Total Time
Bera et al. [29]	$11T_H+4T_{ecc}+T_{eca}$	$11T_H+4T_{ecc}+T_{eca}$	$22T_H+8T_{ecc}+2T_{eca}\approx 17.82$ ms
Chaudhry et al. [30]	$4T_H+5T_{ecc}+T_{eca}$	$4T_H+4T_{ecc}+T_{eca}$	$8T_H+9T_{ecc}+2T_{eca}\approx 17.93$ ms
Bera et al. [34]	$9T_H+2T_{en}+2T_{ecc}+T_{eca}$	$9T_H+2T_{en}+2T_{ecc}+T_{eca}$	$18T_H+4T_{en}+4T_{ecc}+2T_{eca}\approx 11.12$ ms
Kumar et al. [11]	$6T_H+2T_{ecc}$	$6T_H+2T_{ecc}$	$12T_H+4T_{ecc}\approx 14.42$ ms
Chaudhry et al. [35]	$4T_H+5T_{ecc}+2T_{eca}$	$4T_H+5T_{ecc}+3T_{eca}$	$8T_H+9T_{ecc}+5T_{eca}\approx 18.79$ ms
Mehmood et al. [20]	$4T_H+5T_{ecc}+2T_{eca}$	$4T_H+5T_{ecc}+2T_{eca}$	$8T_H+10T_{ecc}+4T_{eca}\approx 18.18$ ms
LACP-SG	$2T_{HE}+2T_{co}+T_{rep}+T_{pu}$	$5T_{HE}+2T_{co}$	$7T_{HE}+4T_{co}+T_{rep}+T_{pu}\approx 4.34$ ms

. Moreover, the computational cost needed at the $S{P}_k$ and $S{M}_i$ side is shown in Figure 6, where it is obvious that LACP-SG incurs lesser computational cost than the related AC protocols. Furthermore, Figure 7 illustrates the comparison of the computational cost at $S{P}_k$ with increasing the authentication requests, which are generated by $S{M}_i$ in the SG environment.

7.4. Storage Overhead Comparison

In LACP-SG, the smart meter $S{M}_i$ and $S{P}_k$ requires storing {$C{H}_{S{M}_i}$, $TI{D}_{S{M}_i}$, $R{N}_r$, $HD$} and {$SI{D}_i$, $B_i$, $R{N}_r$} size of { 256 + 256 + 160} = 672 bits and {128 + 256 } = 384 bits. To execute the AC phase, the aggregated storage overhead of LACP-SG is {672 + 384} = 1056 bits. The schemes of Bera et al. [29], Chaudhry et al. [30], Bera et al. [34], Mehmood et al. [20], Kumar et al. [11], and Chaudhry et al. [35] require storing 3008 bits, 1280 bits, 2752 bits, 1120 bits, 1240 bits, and 2400 bits, respectively, which are 64.89%, 17.5%, 61.63%, 5.71%, 14.84%, 56%, 37.26% higher than the proposed LACP-SG, respectively. The comparison of LACP-SG and the related AC protocols’ storage overhead is given in Figure 8.

8. Conclusions

This paper presents an AC protocol called LACP-SG, which enables secure communication in the resource-constrained SG environment. To this end, LACP-SG validates the authenticity of the deployed SM and establishes a SEK between the SM and server to accomplish secure communications. The security of the established SEK is validated through ROM-based analysis. Moreover, through Scyther-based analysis, LACP-SG is found to be secure against MIDM and replay attacks. Informal security analysis reveals that the protocol is protected against de-synchronization and SM capture attacks. Finally, a rigorous comparative analysis shows that LACP-SG renders superior security and requires lower computational, storage, and communication cost than the related AC protocols, thereby advocating the feasibility of LACP-SG for SG applications.