OPEN ACCESS
Smart grid is a great revolution in communications that has succeeded in overcoming traditional network problems. However, smart grid components may face many security challenges that make the smart grid vulnerable to many attacks such as impersonation and replay attacks and user privacy disclosure. To cope with these challenging problems, we propose a lightweight authenticated key establishment scheme depending on data aggregation by using elliptic curve cryptography to create shared keys between smart meter and data aggregator, and between data aggregator and service provider. The data aggregator reduces the burden on smart meters and transfers consumption data safely as it is the mediator between the smart meter and the service provider. The proposed scheme can provide mutual authentication, anonymity and untraceability of smart meter, and can resist impersonation and replay attacks. In addition, the proposed scheme reduces the overall computation costs compared to other recent related schemes.
smart grid, key establishment, authentication, anonymity, untraceability
Nowadays, the most prominent defects that affect the traditional network are that it is oneway communication, blackouts resulting from human error that is due to damage in electric transmission lines, and other defects such as the increased demand for electricity. Hence, the trend towards the socalled smart grid begins.
Smart grid is the next generation of the electric power system that uses computer technology to improve communication between different components and increase the use of digital information to improve the reliability and security of the grid. Smart grids progress the most efficient electric grid operations based on the received client data via twoway communications between the different entities in the grid. Customers can choose the most appropriate way to use the energy facilities based on the dynamic price data obtained from the smart grid in every period [1].
Smart grids consist of many components, with three most distinct and main components: Smart meters, aggregators, and service providers. The smart meter is a solidstate programmable device that is responsible for recording the amount of energy consumed and provide the electricity price information for the customers [2]. Usually, smart meters record power frequently and report daily at least. Data aggregator is responsible for collecting data from different smart meters and forwards them to the service provider [3]. Then it directs the data coming from the service provider to the smart meters. Service provider is responsible for giving each user the required amount of power according to the message received from the smart meters through the aggregator [4].
Smart meters are usually placed outside of the home and protected with a box [5]. Therefore, the attacker could penetrate the box and get the data from the smart meter, in addition to the information exchange between the smart meter and the other components communicate with each other is via the wireless communication channel [1]. Due to the nature of the wireless connection, the smart grid is exposed to many security issues. These issues might allow attackers to threaten network security. Some of the most important of these types are: a) Impersonation attack: an attack in which the opponent tries to impersonate one of the legitimate components of the network, and b) Replay attack: it is a shape of network attack that occurs when an attacker tries to eavesdrop on messages that are exchanged between network components, intercept them, and then resend them again or delay them.
To protect the security of data transmission and maintain the network's privacy, several security services must be met. The most prominent of these services are that:
 Mutual authentication: it is a process in which both components authenticate each other. Usually, the authentication process takes place between the smart meter and the data collector, or between the data collector and the service provider.
 Anonymity of smart meter: this service prevents the attacker from knowing the identity of the smart meter that sent the metering data in the network.
 Untraceability of smart meter: this service prevents the attacker from monitoring the amount of power consumed by the smart meter that is collected and sent in the network. The anonymity and untraceability can protect the privacy of consumers.
 Forward secrecy: this service prevents any attacker from breaking into session keys even if the private key of the entity is compromised.
1.1 Related work
Many researchers have sought to provide many different schemes to achieve security services and get rid of different types of attacks. A secure Key distribution scheme [6] has been proposed between smart meter and service provider for the smart grid. The proposed scheme has succeeded to prevent replay attack; however, it has not only failed to achieve perfect secrecy, mutual authentication, anonymity, untractability, but also the authors claimed that their scheme could prevent impersonation attack; however, this was found to be incorrect. A faulttolerant and scalable key management scheme [7] has been proposed; the proposed scheme combines symmetric key technique and elliptic curve public key technique. Although, it has failed to provide mutual authentication, anonymity, forward secrecy and intractability, but it has succeeded in preventing replay and impersonation attack.
Maier et al. [8] proposed a message authentication based on hash message authentication code and DiffieHellman key agreement protocol. The proposed scheme has achieved mutual authentication, but has not achieved anonymity and untractability, in addition to very high communication cost because of RSA. Mahmood et al. [9] achieved forward secrecy, mutual authentication between home area network gateways and building area network gateways using hybrid DiffieHellman key agreement protocol, and the authentication of message based on hash message authentication code by proposing a lightweight message authentication scheme. Although the proposed scheme has failed to achieve anonymity and untraceability, it has succeeded in reducing the communication cost compared to Maier et al.'s scheme [8]. Aziz et al. [10] applied a lightweight scheme to achieve the authentication between the smart breaker and the control center and preventing several types of attacks in the smart grid. Although this scheme has succeeded in reducing the communication cost compared to Mahmood et al's scheme [9]. Despite that, the authors claimed to achieve anonymity, which is not true.
A new anonymous metering scheme [3] has been proposed based on direct anonymous attestation and identitybased signatures. The proposed scheme has succeeded in achieving the mutual authentication, anonymity and untraceability; however, the scheme has failed to resist replay attack and impersonation attack and has failed to achieve forward secrecy. An authentication scheme based on the Merkle hash tree technique [11] has been implemented to achieve the authentication and resist of replay attacks. This scheme is more efficient of the schemes depended on RSA. This scheme also has failed to achieve anonymity and untraceability. The authentication between smart meters and the neighborhood gate way based on a lightweight authentication scheme and Lagrange interpolation formula [12]. The communication cost for this scheme is much better than the previous schemes. It also has succeeded in getting rid of replay attack.
An identitybased key establishment scheme [13] has been proposed to provide mutual authentication and forward secrecy in addition to preventing the replay attacks and impersonation attacks. However, it has failed to achieve anonymity and untraceability. Also, an anonymous key distribution scheme based on utilized identitybased encryption and signature [14] has been proposed to achieve the mutual authentication between the smart meter and service provider. Moreover, it can provide smart meters' anonymity and perfect forward secrecy. However, this scheme has failed to achieve the strong credentials’ privacy of the smart meter and failed to resist against replay attack, impersonation attack, and the ephemeral secret leakage attack.
A new secure authenticated shared key establishment scheme [15] has been proposed to beat the security weaknesses of the pervious scheme, also it has succeeded in reducing the communication cost compared to the previous scheme. However, the authors claimed that their scheme has achieved untraceability of the smart meter and has prevented the impersonation attack, which has proved to be incorrect. Later, an anonymous authentication and key establish scheme has been proposed [16] to avoid the disadvantages of the previous scheme [15], but the computational cost of this scheme is very high where it depends on bilinear maps and the computational Difﬁe–Hellman problem.
A lightweight anonymous key distribution scheme [17] has been implemented based on Elliptic Curve Cryptography (ECC); the proposed scheme has achieved the mutual authentication between smart meter and service provider and also has achieved smart meter anonymity. Moreover, the scheme also has succeeded in preventing the replay attacks and impersonation attacks and provided less communication cost compared to scheme [14, 15]. Despite all the accomplishments of this scheme, it has failed to achieve untraceability of smart meter. Kumar et al. [5] proposed a different scheme of lightweight authentication and key agreement for smart metering in smart energy network. They have utilized hybrid cryptography (the ECC and symmetric encryption) to achieve the mutual authentication, anonymity, perfect forward secrecy, preventing the several types of attacks, and has provided less communication cost compared to the schemes [14, 15, 17]. Despite all the advantages and security services achieved by Kumar et al.'s scheme [5], it has failed to achieve untraceability of smart meter.
Zhang et al. [18] have applied ECCbased authentication with identity protection; their scheme is secure against replay attacks and impersonation attacks. Moreover, the scheme has achieved the mutual authentication between smart meter and control center, and anonymity. However, this scheme has failed to achieve forward secrecy. The proposed ECCbased lightweight authentication scheme [19] has succeeded in achieving several security services and provided less communication cost compared to the schemes [8, 18], but it failed to achieve anonymity.
Farhadi et al. [20] have approached a lightweight key management protocol for secure communication in smart grids based on time constraints for two sensitive protocols (GOOSE, SV) in communication between substations and a data center. This scheme has provided the mutual authentication and forward secrecy. Other features have been provided by this scheme such as anonymity, thwarting replay and impersonation attacks; however, it has failed to achieve the untraceability. Moreover, the authors claimed that their scheme has provided less communication cost compared to the schemes [8, 14, 1719], which is untrue.
Abbasinezhadmood [21] proposed an anonymous key distribution scheme based on ECC which counteracts against replay and impersonation attacks, and has provided mutual authentication, forward secrecy and anonymity, and reduced the communication cost compared to schemes [8, 14, 15, 17]; but it has failed to achieve untraceability. Garg et al. [22] proposed a lightweight authentication scheme which has provided less communication cost compared to Abbasinezhadmood's scheme [21]. This scheme was also able to solve the problems of the pervious scheme, but it has failed to achieve untraceability of smart meter.
An EECbased privacy preserving data aggregation scheme has been proposed [23]; the proposed scheme has succeeded in achieving privacy preserving and authentication, but it has failed to achieve anonymity and untraceability of smart meter, and forward secrecy. In addition, it could not resist against replay and impersonation attack. Kong et al. [24] proposed a group blind signature scheme for privacy protection in smart grid based on RSA; the proposed scheme relays on data aggregator to achieve anonymity and untraceability; the scheme could also provide mutual authentication, but it has failed to achieve forward secrecy and failed also in preventing replay attack and impersonation attack. Wu et al. [25] introduced a different approach to preserve privacy with identity traceable property; the scheme can provide less communication cost compared to Kong et al.'s scheme [24]. However, both schemes have failed to achieve untraceability and forward secrecy.
A Dynamic Membership Data Aggregation (DMDA) protocol [26] has been proposed based on the homomorphic encryption and IDbased signature; the proposed scheme has provided mutual authentication, privacy and forward secrecy, but it has failed to prevent replay and impersonation attacks and failed to achieve anonymity, untraceability. Tahir et al. [27] introduced a new scheme depending on data aggregation; the scheme has succeeded in preventing the replay attacks and impersonation attacks, but it has failed to achieve anonymity, untraceability and forward secrecy. Boudia et al. [28] implemented an ECCbased multidimensional aggregation scheme; the idea of the proposed scheme is based on determining the type of data and collecting readings from all smart meters. After that, the data aggregator sends data of all smart meters to the service provider. The proposed scheme has been proved to be more efficient compared to Tahir et al.'s scheme [27]. However, Boudia et al. [28] has failed to achieve anonymity, untraceability and forward secrecy.
A privacypreserving scheme for data collection in smart grid has been proposed [29]; the proposed scheme is depending on the blind signature and the key distribution to achieve mutual authentication and forward secrecy and preventing the replay attacks, but it has failed to achieve anonymity, untraceability and could not prevent impersonation attack. Zhang and Shen [30] proposed an efficient privacypreserving multidimensional data aggregation scheme; the performance evaluations of this scheme have showed that it is more efﬁcient and low computational cost for no maptopoint hash and bilinear pairing operations are used. However, it has failed to achieve anonymity, untraceability and forward secrecy.
1.2 Contributions
The proposed scheme in this paper succeeds in offering the following significant contributions in the field of smart grid communications.
 We utilized the elliptic curve cryptography to design a lightweight authenticated key establishment scheme depending on data aggregation.
 Our proposed scheme provides the required security services for smart grid communications and resists against impersonation attack and replay attack.
 The performance of the proposed scheme is also better than existing schemes that depend on data aggregation idea.
In this section, we will state the required preliminaries and describe the communication model.
2.1 Preliminaries
Elliptic Curve Cryptography (ECC) is used to achieve security for smart network entities and not only that, but also reduces the computational cost compared to other methods as the key size used in the cryptographic curve is much less than the size of the keys used in other techniques, such as RSA, digital signature algorithm and Diffie Hellman. ECC is applied to many different tasks, the most prominent of these tasks is encryption and the key agreement.
The equation of the elliptic curve $E_{p}(a, b): y^{2}=x^{3}+$ $a x+b \bmod p$ is used to define the mathematical operations, where $a, b \in Z_{p}$ and $4 a^{3}+27 b^{2}$ mod $p \neq 0$ such that $p$ is a large prime number. The values $a$ and $b$ are used to specify the elliptic curve while the points $(x, y)$ inclusive a point at infinity depend on the elliptic curve if it satisfies the last given statement.
2.2 Communication model
In this paper, the communication model consists of a group of communities where each community has a number of smart meters; the model also has a group of aggregators, a group of service providers, and finally one TTP as shown in Figure 1.
Figure 1. Communication model
In the following, we explain in detail every entity in this model.
First, the required notations and their descriptions throughout the paper are listed in Table 1. The proposed scheme is consisted of three stages: initialization stage, registration stage, mutual authentication and key establishment stage which are explained as follows:
3.1 Initialization
In this stage, the TTP chooses an elliptic curve over a finite field E(F_{P} ), a random generator (G), a secret key (S), and oneway hash functions. The TTP computes its public key as:
PK= SG (1)
And subsequently, the TTP broadcasts the parameters {PK,G,E(F_{P}),H(.)}.
3.2 Registration
In this stage, service providers, data aggregators, and smart meters are registered in the system.
3.2.1 SP registration
A service provider SP_{k} chooses its identity ID_{k} and computes IDS_{k} according to Eq. (2), where TSP defines the entity type as service provider. Then it sends its IDS_{k }to TTP in a secure channel.
$\mathrm{IDS}_{\mathrm{k}}=\mathrm{TSP} \ \mathrm{ID}_{\mathrm{k}}$ (2)
The $T T P$ chooses a nonce value $a_{S P_{k}} \in Z_{p}$ and computes the public and private keys of $S P_{k}$ according to Eq. (3) and $\mathrm{Eq}$. (4). Then, the $T T P$ sends the private key $\left(S K_{S P_{k}}\right)$ in a secure channel to $S P_{k},$ and broadcasts the public key $\left(P K_{S P_{k}}\right)$ of $S P_{k}$.
$\mathrm{PK}_{\mathrm{SP}_{\mathrm{k}}}=\mathrm{a}_{\mathrm{SP}_{\mathrm{k}}} \mathrm{G}$ (3)
$\mathrm{SK}_{\mathrm{SP}_{\mathrm{k}}}=\mathrm{a}_{\mathrm{SP}_{\mathrm{k}}}+\mathrm{S.H}\left(\mathrm{IDS}_{\mathrm{k}}, \mathrm{PK}_{\mathrm{SP}_{\mathrm{k}}}\right)$ (4)
Table 1. Table of notations
Icons 
Descriptions 
F_{P} 
A finite field that is decided by prime p 
Z_{P} 
Multiplicative group of integers modulo p 
G 
Random generator of E(F_{P}) 
E(F_{P}) 
An elliptic curve its equation y^{2}=x^{3}+ax+b mod p 
TTP 
Trusted Third Party 
Pk,S 
Public key &Private key of the TTP 
H(.) 
Oneway hash functions 
SM_{i} & ID_{i} 
ith smart meter and its identity 
DA_{j} & ID_{j} 
jth data aggregator and its identity 
SP_{k} & ID_{k} 
kth service provider and its identity 
A data aggregator DA_{j} chooses its identity ID_{j} and computes IDA_{j} according to Eq. (5), where TDA defines the entity type as data aggregator. Then, it sends IDA_{j} to TTP in a secure channel.
$\mathrm{IDA}_{\mathrm{j}}=\mathrm{TDA} \ \mathrm{ID}_{\mathrm{j}}$ (5)
The TTP chooses a nonce value $a_{D A_{j}} \in Z_{p}$ and computes the public and private keys of DA_{j} as.
$\mathrm{PK}_{\mathrm{DA}_{\mathrm{j}}}=\mathrm{a}_{\mathrm{DA}_{\mathrm{j}}} \mathrm{G}$ (6)
$\mathrm{SK}_{\mathrm{DA}_{\mathrm{j}}}=\mathrm{a}_{\mathrm{DA}_{\mathrm{i}}}+\mathrm{S.H}\left(\mathrm{IDA}_{\mathrm{j}}, \mathrm{PK}_{\mathrm{DA}_{\mathrm{j}}}\right)$ (7)
Then, the TTP sends the private key (SK_{DAj}) in a secure channel to DA_{j}, and broadcasts the public key (PK_{DAj}) of DA_{j} and its certificate.
3.2.3 SM registration
A smart meter SM_{i} chooses its identity ID_{i}and computes $I D S M_{i}$ according to Eq. (8), where TSM defines the entity type as smart meter, and sends it to TTP in a secure channel.
$\mathrm{IDSM}_{\mathrm{i}}=\mathrm{TSM} \ \mathrm{ID}_{\mathrm{i}}$ (8)
The TTP chooses a nonce value $a_{S M_{i}} \in Z_{p}$ and computes the public and private keys for SM_{i} according to Eq. (9) and Eq. (10).
$\mathrm{PK}_{\mathrm{SM}_{\mathrm{i}}}=\mathrm{a}_{\mathrm{SM}_{\mathrm{i}}} \mathrm{G}$ (9)
$\mathrm{SK}_{\mathrm{SM}_{\mathrm{i}}}=\mathrm{a}_{\mathrm{SM}_{\mathrm{i}}}+\mathrm{S} \cdot \mathrm{H}\left(\mathrm{IDSM}_{\mathrm{i}} \ \mathrm{PK}_{\mathrm{SM}_{\mathrm{i}}}\right)$ (10)
Then, the $T T P$ sends the private key $\left(S K_{S M_{i}}\right)$ in a secure channel to $S M_{i},$ and encrypts and sends the identity and the public $\quad \mathrm{key} \quad\left(P K_{S M_{i}}\right)$of$E_{S}\left(\operatorname{IDSM}_{i} \ P K_{S M_{i}}\right) \ H\left(\operatorname{IDSM}_{i} \ P K_{S M_{i}}\right)$ to $D A_{j}$.
DA_{j} verifies the identity and public key of each smart meter SM_{i} in its community and stores the verified identities and public keys in its data base.
3.3 Authentication and key agreement
In this stage, an authenticated session key will be established between SM_{i} and DA_{j} (Figure 2 describes the steps of this stage), and another authenticated session key will be established between DA_{j} and SP_{k} (Figure 3 describes the steps of this stage).
3.3.1 Mutual authentication between SM_{i}and DA_{j}
Firstly, SM_{i} chooses a nonce value $w \in Z_{p}$ and computes
A_{1}, A_{2}, A_{3}, and C_{1} as:
$A_{1}=w G$ (11)
$A_{2}=H\left(w P K_{D A_{j}}+w H\left(I D A_{j} \ P K_{D A_{j}}\right) P K\right)\oplus I D S M_{i}$ (12)
Smart Meter $S M_{i}$ 

Data Aggregator $D A_{j}$ 
Choose $w \in Z_{p}$ $A_{1}=w G$ $A_{2}=H\left(w P K_{D A_{j}}+w H\left(I D A_{j} \ P K_{D A_{j}}\right) P K\right) \oplus$ $I D S M_{i}$ $A_{3}=H\left(A_{1}\left\P K_{S M_{i}}\right\ P K_{D A_{j}}\left\I D S M_{i}\right\ I D A_{j} \ t_{1}\right)$ $C_{1}=E_{a_{S M_{i}}}\left(A_{3}\right)$ 



$\stackrel{\left\{A_{1}, A_{2}, C_{1}, t_{1}\right\}}{\rightarrow}$ 



$t_{1}t_{2} \leq \Delta t,$ revokes if not fresh. Else, $I D S M_{i}=A_{2} \oplus H\left(S K_{D A_{j}}, A_{1}\right)$ Computes $A_{3}^{*}=D_{P K_{S M_{i}}}\left(C_{1}\right)$ $A_{3}^{*} \stackrel{?}{=} H\left(A_{1}\left\P K_{S M_{i}}\right\ P K_{D A_{j}}\left\I D S M_{i}\right\ I D A_{j} \ t_{1}\right)$ Chooses $x \in Z_{p}$ $A_{4}=x G$ $S K_{j i}=H\left(A_{1}\left\A_{4}\right\ x A_{1}\right)$ $A_{5}=H\left(x P K_{S M_{i}}+x H\left(I D S M_{i} \ P K_{S M_{i}}\right) P K\right)$ $\oplus I D A_{j}$ $A_{6}=H\left(\operatorname{IDSM}_{i}\left\I D A_{j}\right\ A_{1}\left\A_{4}\right\ S K_{j i} \ t_{2}\right)$ $C_{2}=E_{a_{D A_{i}}}\left(A_{6}\right)$ 

$\stackrel{\left\{A_{4}, A_{5}, C_{2}, t_{2}\right\}}{\leftarrow}$ 

$t_{2}t_{3} \leq \Delta t,$ revokes if not fresh. Else $I D A_{j}=A_{5} \oplus H\left(S K_{S M_{i}}, A_{4}\right)$ $S K_{i j}=H\left(A_{1}\left\A_{4}\right\ w A_{4}\right)$ $A_{6}^{*}=D_{P K_{D A j}}\left(C_{2}\right)$ $A_{6}^{*} \stackrel{?}{=} H\left(\operatorname{IDSM}_{i}\left\\operatorname{IDA}_{j}\right\ A_{1}\left\A_{4}\right\ S K_{i j} \ t_{2}\right)$ 


$A_{3}=H\left(A_{1}\left\P K_{S M_{i}}\right\ P K_{D A_{j}}\left\I D S M_{i}\right\ I D A_{j} \ t_{1}\right)$ (13)
$C_{1}=E_{a_{S M_{i}}}\left(A_{3}\right)$ (14)
Then, $S M_{i}$ sends $\left\{A_{1}, A_{2}, C_{1}, t_{1}\right\}$ to $D A_{j}$.
Secondly, when $D A_{j}$ receives the message from $S M_{i},$ it starts off checking $t_{1}t_{2} \leq \Delta t,$ it rejects the message if not fresh; otherwise, it extracts the identity of $S M_{i}$ and gets the public key of $S M_{i}$ from its data base to extract $A_{3}{ }^{*}$ as:
$I D S M_{i}=A_{2} \oplus H\left(S K_{D A j}, A_{1}\right)$ (15)
$A_{3}^{*}=D_{P K_{S M_{i}}}\left(C_{1}\right)$ (16)
Then, $\quad$ it $\quad$ checks $\quad D_{P K_{S M_{i}}}\left(C_{1}\right) \stackrel{\text { ? }}{=}H\left(A_{1}\left\P K_{S M_{i}}\right\ P K_{D A_{j}}\left\I D S M_{i}\right\ I D A_{j} \ t_{1}\right) ;$ if true, $D A_{j}$ chooses a nonce value $x \in Z_{p}$ and computes $A_{4}, S K_{j i}, A_{5}, A_{6},$ and $C_{2}$ as:
$A_{4}=x G$ (17)
$S K_{i i}=H\left(A_{1}\left\A_{4}\right\ x A_{1}\right)$ (18)
$A_{5}=H\left(x P K_{S M_{i}}+x H\left(I D_{i} \ P K_{S M_{i}}\right) P K\right) \oplus I D A_{j}$ (19)
$A_{6}=H\left(I D S M_{i}\left\I D A_{j}\right\ A_{1}\left\A_{4}\right\ S K_{D A_{j}}\right)$ (20)
$C_{2}=E_{a_{D A_{i}}}\left(A_{6}\right)$ (21)
Then, it sends $\left\{A_{4}, A_{5}, C_{2}, t_{2}\right\}$ to $S M_{i}$.
Finally, when $S M_{i}$ receives the message from $D A_{j},$ it starts off checking $t_{2}t_{3} \leq \Delta t,$ it rejects the message if not fresh; otherwise, extracts the identity of $D A_{j}$ and extracts $A_{6}^*$ as:
$I D A_{j}=A_{5} \oplus H\left(S K_{S M_{i}}, A_{4}\right)$ (22)
$A_{6}^{*}=D_{P K_{D A_{j}}}\left(C_{2}\right)$ (23)
Then, it checks if ${A_{6}}^* \stackrel{?}{=} \underline{H}\left(\operatorname{IDSM}_{i}\left\I D A_{j}\right\ A_{1}\left\A_{4}\right\ S K_{S M_{i}}\right)$ if true, $S M_{i}$ computes:
$S K_{i j}=H\left(A_{1}\left\A_{4}\right\ w A_{4}\right)$ (24)
This shared key will be used to encrypt the messages and to provide secure communication between $S M_{i}$ and $D A_{j}$.
3.3.2 Mutual authentication between $D A_{j}$ and $S P_{k}$
Firstly, $D A_{j}$ chooses a nonce value $b_{1} \in Z_{p}$ and computes $B_{1}$ and $R_{1}$ according to Eq. (25)$\&$ Eq. $(26) .$ Then, it sends $\left\{B_{1}, R_{1}, I D A_{j}, P K_{D A_{j}}, t_{3}\right\}$ to $S P_{k}$.
$B_{1}=b_{1} G$ (25)
$R_{1}=b_{1}+S K_{D A_{j}} \cdot H\left(I D S_{k}, B_{1}, t_{3}\right)$ (26)
Data Aggregator $D A_{j}$ 

Service Provider $\boldsymbol{S P}_{\boldsymbol{k}}$ 
Chooses $b_{1} \in Z_{p}$ $B_{1}=b_{1} G$ $R_{1}=b_{1}+S K_{D A_{j}} . H\left(I D S_{k}, B_{1}, t_{3}\right)$ 



$\stackrel{\left\{B_{1}, R_{1}, I D A_{j}, P K_{D A_{j}}, t_{3}\right\}}{\rightarrow}$ 



$t_{3}t_{4} \leq \Delta t,$ revokes if not fresh. Else, checks $\quad R_{1} \cdot G \stackrel{?}{=}\left(B_{1}+P K_{D A_{j}}+\right.\left.H\left(I D A_{j}, P K_{D A_{j}}\right) P K\right) \cdot\left(H\left(I D S_{k}, B_{1}, t_{3}\right)\right)$ Chooses $b_{2} \in Z_{p}$ $B_{2}=b_{2} G$ $R_{2}=b_{2}+S K_{S P_{k}} \cdot H\left(I D A_{j}, B_{2}, t_{4}\right)$ $S K_{j k}=H\left(b_{2} \cdot B_{1}\right)$ 

$\stackrel{\left\{B_{2}, R_{2}, I D S_{k}, P K_{S P_{k}}, t_{4}\right\}}{\leftarrow}$ 

$t_{4}t_{5} \leq \Delta t,$ revokes if not fresh. Else, checks $R_{2} \cdot G \stackrel{2}{=}\left(B_{2}+P K_{S P_{k}}+\right.\left.H\left(I D S_{k}, P K_{S P_{k}}\right) P K\right) \cdot\left(H\left(I D A_{j}, B_{2}, t_{4}\right)\right)$ $S K_{k j}=H\left(b_{1} \cdot B_{2}\right)$ 


$B_{2}=b_{2} G$ (27)
$R_{2}=b_{2}+S K_{S P_{k}} \cdot H\left(I D A_{j}, B_{2}, t_{4}\right)$ (28)
$S K_{j k}=H\left(b_{2} \cdot B_{1}\right)$ (29)
Then, it sends $\left\{B_{2}, R_{2}, I D S_{k}, P K_{S P_{k}}, t_{4}\right\}$ to $D A_{j}$.
Finally, when DA receives the message from $S P_{k}$, it starts ff checking $\mathrm{t}_{4}\mathrm{t}_{5} \leq \Delta \mathrm{t},$ it rejects the message if not fresh; therwise, $\quad$ it $\quad$ checks $\quad R_{2} . G \stackrel{?}{=}\left(B_{2}+P K_{S P_{k}}+\right.\left.H\left(I D S_{k}, P K_{S P_{k}}\right) P K\right) \cdot\left(H\left(I D A_{j}, B_{2}, t_{4}\right)\right) .$ Then, it computes $S K_{k j}$ as:
$S K_{k j}=H\left(b_{1} \cdot B_{2}\right)$ (30)
This shared key will be used to encrypt the messages and to provide secure communication between $S P_{k}$ and $D A_{j}$.
This section analyzes the security of the proposed authenticated key establishment scheme.
4.1 Mutual authentication
Between $S M_{i}$ and $D A_{j}:$ In the proposed scheme, $D A$ authenticates $S M_{i}$ by computing $A_{3}^{*}=D_{P K_{S M_{i}}}\left(C_{1}\right)$ and the verifying $A_{3}^{*} \stackrel{?}{=} H\left(A_{1}\left\P K_{S M_{i}}\right\ P K_{D A_{j}}\left\I D S M_{i}\right\ I D A_{j} \ t_{1}\right)$ the attack cannot compute $C_{1}$ as the encryption depends on th secret nonce $a_{S M_{i}}$ of $S M_{i},$ and using the public key of $S M_{i}$ t decrypt $C_{1}$ ensures that the message is from the authorize $S M_{i} .$ Likewise, $S M_{i}$ authenticates $D A_{j}$ by computing $A_{6}^{*} =D_{P K_{D A j}}\left(C_{2}\right)$ and $\quad$ then $\quad$ verifying $\quad A_{6}^{*} \stackrel{?}=H\left(I D S M_{i}\left\I D A_{j}\right\ A_{1}\left\A_{4}\right\ S K_{i j} \ t_{2}\right)$ as the attack canno compute $C_{2}$ as the encryption depends on the secret nonce $a_{D A_{j}}$ of $D A_{j},$ and using the public key $P K_{D A_{j}}$ of $D A_{j}$ te decrypt $C_{2}$ ensures that the message is from the authorized $D A_{j} .$ Hence, the proposed scheme can provide the mutua authentication between $S M_{i}$ and $D A_{j}$
Between $D A_{j}$ and $S P_{k}:$ In the proposed scheme, $D A_{j}$ compute $B_{1}=b_{1} G$ and $R_{1}=b_{1}+S K_{D A j} \cdot H\left(I D S_{k}, B_{1}, t_{3}\right)$and sends $\left\{B_{1}, R_{1}, I D A_{j}, P K_{D A_{j}}, t_{3}\right\}$ to $S P_{k} \quad, \quad$ then $S P_{k}$ authenticates $D A_{j}$ by verifying $R_{1} . G \stackrel{?}{=}\left(B_{1}+P K_{D A_{j}}+\right.$ $\left.H\left(I D A_{j}, P K_{D A_{j}}\right) p k\right) \cdot\left(H\left(I D S_{k}, B_{1}, t_{3}\right)\right)$ as the computation of $R_{1}$ includes the private key $S K_{D A j}$ of $D A_{j}$ which is difficult for the attack to know; therefore, the attack cannot compute a valid $R_{1} .$ Likewise, $S P_{k}$ computes $B_{2}=b_{2} G$ and $R_{2}=b_{2}+$ $S K_{S P_{k}} \cdot H\left(I D A_{j}, B_{2}, t_{4}\right)$ and sends $\left\{B_{2}, R_{2}, I D S_{k}, P K_{S P_{k}}, t_{4}\right\}$ to $D A_{j},$ then $D A_{j}$ authenticates $S P_{k}$ by verifying $R_{2} . G \stackrel{?}{=}\left(B_{2}+\right.$ $\left.P K_{S P_{k}}+H\left(I D S_{k}, P K_{S P_{k}}\right) P K\right) \cdot\left(H\left(I D A_{j}, B_{2}, t_{4}\right)\right) \quad$ as $\quad$ the computation of $R_{2}$ includes the private key $S K_{S P_{k}}$ of $S P_{k}$ which it is difficult for the attack to know; therefore, the attack cannot compute a valid $R_{2} .$ Hence, the proposed scheme can provide the mutual authentication between $D A_{i}$ and $S P_{k}$.
4.2 Anonymity of $S M_{i}$
The identity of smart meter $\mathrm{i}\left(\mathrm{IDSM}_{i}\right)$ is hidden by using xor operation and secure hash function which is expressed as $H\left(w P K_{D A j}+w H\left(I D A_{j} \ P K_{D A_{j}}\right) P K\right) \oplus I D S M_{i} .$ Moreover the extraction of IDSM $_{\mathrm{i}}$ requires the secret key of $D A_{j}$ as $I D S M_{i}=A_{2} \oplus H\left(S K_{D A_{j}}, A_{1}\right) ;$ therefore, the identity of $S M_{i}$ is protected.
4.3 Untraceability of $\boldsymbol{S M}_{\boldsymbol{i}}$
During every session, a new nonce $w$ is generated by $S M_{i}$ hence, the message $\left\{A_{1}, A_{2}, C_{1}, t_{1}\right\}$ that is sent through the channel will be changed in each new session as the w is used to $\quad$ calculate $\quad A_{1}=w G, \quad$ and $\quad A_{2}=H\left(w P K_{D A_{j}}+\right.$ $\left.w H\left(I D A_{j} \ P K_{D A_{j}}\right) P K\right) \oplus I D S M_{i} .$ Finally, $C_{1}=E_{a_{S M_{i}}}\left(A_{3}\right)$ will be also changed every session as $A_{3}$ includes $A_{1}$ which depends on the new $w$. Thus, the attack cannot trace the messages sent by the same $S M_{i}$.
4.4 Forward secrecy
An authentication scheme satisfies the forward secrecy when the security of the shared keys created in preceding sessions is not affected due to disclosure of the private keys of the participant entities.
Between $S M_{i}$ and $D A_{j}:$ Suppose the attack knows all the secret keys of $S M_{i}$ and $D A_{j},$ it is not easy for an attacker to calculate an agreed shared key $S K_{j i}=H\left(A_{1}\left\A_{4}\right\ x A_{1}\right)$ or $S K_{i j}=H\left(A_{1}\left\A_{4}\right\ w A_{4}\right)$ because the attack cannot obtain $w$ from $A_{1}=w G$ nor $x$ from $A_{4}=x G$ due to ECDLP. The random numbers $w$ and $x$ are created by $S M_{i}$ and $D A_{j}$ respectively. Therefore, it is hard for the attack to disclose the previously created shared keys without having multiple session parameters.
Between $D A_{j}$ and $S P_{k}:$ Suppose the attack knows all the secret keys of $D A_{j}$ and $S P_{k},$ the attack cannot compute $S K_{j k}=$ $H\left(b_{2} . B_{1}\right)$ because the attack cannot obtain $b_{1}$ from $B_{1}=b_{1} G$ due to ECDLP. Alternately, the attack cannot compute $S K_{k j}=$ $H\left(b_{1} \cdot B_{2}\right)$ because the attack cannot obtain $b_{2}$ from $B_{2}=b_{2} G$ also due to ECDLP. Every time both the participants use new random numbers, so it is hard for the attack to guess previous shared keys.
4.5 Impersonation attack
Between $S M_{i}$ and $D A_{j}:$ Suppose that the attack tries to impersonate as a legal $S M_{i}$ to $D A_{j} ;$ to do that, the attack generates nonce number $w$ ' and computes $A_{1}^{\prime}=w^{\prime} G, A_{2}^{\prime}=$ $H\left(w^{\prime} P K_{D A_{j}}+w^{\prime} H\left(I D A_{j} \ P K_{D A_{j}}\right) P K\right) \oplus I D S M_{i}^{\prime}$, and $A_{3}^{\prime}=H\left(A_{1}^{\prime}\left\{P K_{S M_{i}}}^{\prime}\right\ P K_{D A_{j}}\left\{I D S M_{i}}^{\prime}\right\ I D A_{j} \ t_{1}^{\prime}\right),$ fabricates a fallse $C_{1}^{\prime}$, and sends $\left\{A_{1}^{\prime}, A_{2}^{\prime} ; {C_{1}}^{\prime}\right.$,$\left., t_{1}\right\}$ to $D A_{j}$. The $D A_{j}$ extracts $I D S M_{i}^{\prime}=A_{2}^{\prime} \oplus H\left(S K_{D A_{j}}, A_{1}^{\prime}\right)$ and obtains $S M_{i}^{\prime} s$ corresponding public key to decrypt $C_{1}$, and checks if $D_{P K_{S M_{i}}}\left(C_{1}^{\prime}\right) \stackrel{?}{=} H\left(A_{1}^{\prime}\left\P K_{S M_{i}}^{\prime}\right\ P K_{D A_{j}}\left\I D S M_{i}^{\prime}\right\ I D A_{j} \ t_{1}^{\prime}\right)$ It is obvious that the equality will not be valid as it is difficult for the attack to know the secret parameter $a_{S M_{i}}$ of $S M_{i}$ that is used to encrypt $C_{1}$ where $C_{1}=E_{a_{S M_{i}}}\left(A_{3}\right)$ even if the attack knew the identity and public key of the $S M_{i} .$ Also, suppose that the attack tries to impersonate as a legal $D A_{j}$ to $S M_{i} ;$ to do that, the attack generates a nonce number x’ and $\quad$ computes $\quad A_{4}{ }^{\prime}=x^{\prime} G \quad, \quad \mathrm{A}_{5}=\mathrm{H}\left(\mathrm{x}^{\prime} \mathrm{PK}_{\mathrm{SM}_{\mathrm{i}}}+\right.$$\left.\mathrm{x}^{\prime} \mathrm{H}\left(\mathrm{IDSM}_{\mathrm{i}} \ \mathrm{PK}_{\mathrm{SM}_{\mathrm{i}}}\right) \mathrm{PK}\right) \oplus \mathrm{IDA}_{\mathrm{j}}^{\prime}$,$A_{6}^{\prime}=\mathrm{H}\left(\mathrm{IDSM}_{\mathrm{i}}\left\\mathrm{IDA}_{\mathrm{j}}^{\prime}\right\ \mathrm{A}_{1}\left\\mathrm{A}_{4}^{\prime}\right\ \mathrm{SK}_{\mathrm{ji}}^{\prime} \ \mathrm{t}_{2}^{\prime}\right),$ fabricates a false $C_{2}^{\prime}$ and sends $\left\{A_{4}^{\prime} ; A_{5}^{\prime}, C_{2}^{\prime} ; t_{2}^{\prime}\right\}$ to $S M_{i} .$ The $S M_{i}$ decrypts $C_{2}^{\prime}$ using the public key of $D A_{j}$ and checks if $D_{P K_{D A j}}\left(C_{2}^{\prime}\right) \stackrel{?}{=} H\left(I D S M_{i}\left\I D A_{j}^{\prime}\right\ A_{1}\left\A_{4}^{\prime}\right\ S K_{j i}^{\prime} \ t_{2}^{\prime}\right)$. It is obvious that the equality will not be valid as it is difficult for the attack to know the secret parameter $a_{S M_{i}}$ of $S M_{i}$ that is used to encrypt $C_{2}$ where $C_{2}=E_{a_{D A_{j}}}\left(A_{6}\right)$.
Between $D A_{j}$ and $S P_{k}:$ Suppose the attack tries to impersonate as a $D A_{j}$ to $S P_{k} ;$ to do that, the attack generates a nonce number $b_{1}^{\prime}$, computes $B_{1}^{\prime}=b_{1}^{\prime} G,$ fabricates a false $R_{1}^{\prime}=b_{1}^{\prime}+S K_{D A_{j}} \cdot H\left(I D S_{k}, B_{1}^{\prime}, t_{3}^{\prime}\right)$ and sends $\left\{B_{1}^{\prime}, R_{1}^{\prime}, I D A_{j}, P K_{D A_{j}}, t_{3}^{\prime}\right\}$ to $S P_{k} .$ The $S P_{k}$ checks if $R_{1}^{\prime} \cdot G\stackrel{?}{=} \left(B_{1}+P K_{D A_{j}} H\left(I D A_{j}, P K_{D A_{j}}\right) P K\right) \cdot\left(H\left(I D S_{k}, B_{1}, t_{3}\right)\right)$; however, it is obvious that the equality will not be valid due to the fabricated $R_{1}$ as it is difficult for the attack to know the private key of the $D A_{j}$.
Also, suppose the attack tries to impersonate as $S P_{k}$ to $D A_{j}$; to do that, the attack generates a nonce number $b_{2}$ ', computes $B_{2}^{\prime}=b_{2}^{\prime} G \quad$ fabricates $\quad$ a $\quad$ false $\quad R_{2}^{\prime}=b_{2}^{\prime}+S K_{S P_{k}^{\prime}}: H\left(I D A_{j}^{\prime}, B_{2}^{\prime} , t_{4}^{\prime}\right)$ sends $\left\{B_{2}^{\prime}, R_{2}^{\prime}, I D S_{k^{\prime}}, P K_{S P_{k}}^{\prime}, t_{4}^{\prime}\right\}$ to $D A_{j} .$ The $D A_{j}$ checks if $R_{2}^{\prime} \cdot G \stackrel{?}{=}\left(B_{2}+P K_{S P_{k}}+\right.\left.H\left(I D S_{k}, P K_{S P_{k}}\right) S . G\right) \cdot\left(H\left(I D A_{j}, B_{2}, t_{4}\right)\right)$; however, it is obvious that the equality will not be valid due to the fabricated $R_{2}'$ as it is difficult for the attack to know the private key of $S P_{k}$ .
4.6 Replay attack
Between $S M_{i}$ and $D A_{j}:$ when the request message $\left\{A_{1}, A_{2}, A_{3}, C_{1}, t_{1}\right\}$ is received and it is clear that $A_{3}=$ $H\left(A_{1}\left\P K_{S M_{i}}\right\ P K_{D A_{j}}\left\I D S M_{i}\right\ I D A_{j} \ t_{1}\right)$ includes the time stamp $t_{1}, D A_{j}$ starts checking the freshness of the timestamp by using $t_{1}t_{2} \leq \Delta t .$ If the replay attack initiates at time $\left(t^{\prime}\right)$ the attack resends $\left\{A_{1}, A_{2}, A_{3}, C_{1}, t^{\prime}\right\}$ to $D A_{j},$ but this message will be rejected because of the verification of the time stamp,i.e., $t^{\prime}t_{2} \leq \Delta t .$ Moreover, the request will fail to verify $D_{P K_{S M_{i}}}\left(C_{1}\right) \stackrel{?}{=} H\left(A_{1}\left\P K_{S M_{i}}\right\ P K_{D A_{j}}\left\I D S M_{i}\right\ I D A_{j} \ t^{\prime}\right)$. Likewise, replay attack will be prevented due to the existence of $t_{2}$ in response message $\left\{A_{4}, A_{5}, A_{6}, t_{2}\right\}$ and is also hidden in $A_{6}=H\left(I D S M_{i}\left\I D A_{j}\right\ A_{1}\left\A_{5}\right\ S K_{D A_{j}} \ t_{2}\right) \quad$ and $\quad A_{6} \stackrel{?}{=}$ $H\left(I D S M_{i}\left\I D A_{j}\right\ A_{1}\left\A_{4}\right\ S K_{S M_{i}} \ t_{2}\right)$.
Between $D A_{j}$ and $S P_{k}:$ when the request message $\left\{B_{1}, R_{1}, I D A_{j}, P K_{D A, j}, t_{3}\right\}$ is received and it is clear that $R_{1}=$ $b_{1}+S K_{D A_{j}} . H\left(I D S_{k}, B_{1}, t_{3}\right)$ includes the time stamp $t_{3}, S P_{k}$ starts checking the freshness of the timestamp by using $t_{3}$ $t_{4} \leq \Delta t .$ If the replay attack initiates at time $\left(\mathrm{t}^{*}\right),$ the attack resends $\left\{B_{1}, R_{1}, I D A_{j}, P K_{D A_{j}}, t^{*}\right\}$ to $D A_{j},$ but this message will be rejected because of the verification of the time stamp, i.e., $t^{*}t_{4} \leq \Delta t .$ Moreover, the request will fail to verify $R_{1} \cdot G \stackrel{?}{=}\left(B_{1}+P K_{D A_{j}}+H\left(I D A_{j}, P K_{D A_{j}}\right) S . G\right) \cdot\left(\mathrm{H}\left(I D S_{k}, B_{1}\right.\right.$ $\left.t^{*}\right)$ ). Likewise, replay attack will be prevented due to the existence of $t_{4}$ in response message $\left\{B_{2}, R_{2}, I D S_{k}, P K_{S P_{k}}, t_{4}\right\}$ and is also hidden in $R_{2} . G \stackrel{?}{=}\left(B_{2}+P K_{S P_{k}}+\right.\left.H\left(I D S_{k}, P K_{S P_{k}}\right) S . G\right) \cdot\left(H\left(I D A_{j}, B_{2}, t_{4}\right)\right)$.
In this section, we analyze the performance of the proposed scheme and compare it with a number of recent considerable schemes in terms of security services and complexity.
5.1 Performance analysis
The important notations required for performance analysis of our proposed scheme and for the comparison with the recent related schemes and its execution time are given in Table 2.
Table 2. Required notations and execution time for all the cryptooperation
Notation 
Description 
Execution time (ms) 
$T_{S}$ 
Time of ECC Scalar multiplication. 
2.226 
$T_{P A}$ 
Time of point addition. 
0.0288 
$T_{h}$ 
Time of oneway hash function. 
0.0023 
$T_{A E D}$ 
Time of asymmetric key encryption/decryption. 
4.4808 
$T_{S E D}$ 
Time of symmetric key encryption/decryption. 
0.0046 
$T_{\mathrm{pr}}$ 
Time of a bilinear pairing operation. 
5.811 
$T_{m u l}$ 
Time of bilinear scalar multiplication. 
2.2260 
$T_{\mathrm{exp}}$ 
Time of a modular exponentiation. 
3.85 
$T_{\mathrm{hp}}$ 
Time of the maptopoint function. 
12.418 
$T_{\log }$ 
Time of Solving the DL operation mod p . 
190.189*10^{6} 
$T_{C}$ 
Time of Chebyshev map operation. 
1.113 
Table 3. Complexity of our proposed scheme
Stage 
TTP 
SM 
DA 
SP 
Initialization stage 
$\mathrm{T}_{\mathrm{s}}$ 
 
 
 
Registration stage 
$6 T_{S}+3 T_{P A}+4$ $T_{h}+T_{A E D}$ 
 
 
 
Authentication and key agreement stage 
 
$4 T_{s}+T_{P A}+6 T_{h}+2 T_{A E D}$ 
$9 T_{s}+4 T_{P A}+10 T_{h}+2 T_{A E D}$ 
$5 T_{s}+3 T_{P A}+4 T_{h}$ 
5.2 Security comparison
As the proposed authenticated key establishment scheme depends on the idea of data aggregation to reduce the burden on smart meters and transfers consumption data safely, we compare our proposed scheme with the schemes that depend on data aggregation [3, 28] in Table 4. From Table 4, it is obvious that our scheme and the other schemes support the authentication service. However, only our scheme and the anonymous metering scheme [3] can provide anonymity and untraceability of SM, while only our proposed scheme and Boudia et al.'s scheme [28] can resist against impersonation attack and replay attack. Finally, only our scheme can provide forward secrecy. From the previous comparison, we can conclude that our proposed scheme can provide more security services than other schemes [3, 28] that depend on using the same idea of data aggregation.
Table 4. Security comparison
Security service 
[3] 
[28] 
Ours 
Mutual Authentication 
√ 
√ 
√ 
Anonymity of SM 
√ 
x 
√ 
Untraceability of SM 
√ 
x 
√ 
Forward Secrecy 
x 
x 
√ 
Impersonation attack Resilience 
x 
√ 
√ 
Replay attack Resilience 
x 
√ 
√ 
In Table 5, we compare our scheme with the anonymous metering scheme [3] and multidimensional aggregation scheme [28]. In our proposed scheme, SM requires four ECC scalar multiplication operations, onepoint addition operation, six hash function operations, and two asymmetric key encryption/decryption operations. Hence the SM’s complexity is $\left(4 T_{s}+T_{P A}+6 T_{h}+2 T_{A E D}\right)$ which needs 17.9082 ms to be executed. For the anonymous metering scheme [3], SM requires one bilinear pairing operation, six bilinear scalar multiplication operations, one modular exponentiation operation, and three maptopoint function operations. Hence the SM’s complexity is $\left(1 T_{p r}+6 T_{m u l}+1 T_{e x p}+3 T_{h p}\right)$ which needs 60.271 ms to be executed. It is well known that bilinear pairing operation is very complex than any other computations. For the multidimensional aggregation scheme [28], SM requires (2n+2) ECC scalar multiplication operations where n is the number of data types. Hence the SM’s complexity is $(2 n+2) T_{S}$ which needs 4.452n+4.452 ms to be executed.
Secondly, the complexity of DA in each scheme is obtained. In our scheme, the DA requires nine ECC scalar multiplication operations, fourpoint addition operations, ten hash function operations, and two asymmetric key encryption/decryption operations. Hence, the DA’s complexity is $\left(9 T_{s}+4 T_{P A}+10 T_{h}+2 T_{A E D}\right)$ which will be executed in 29.1338 ms. In the anonymous metering scheme [3], the DA requires one bilinear pairing operation, six bilinear scalar multiplication operations, five modular exponentiation operation, and five maptopoint function operations. Hence, the DA’s complexity is $\left(1 T_{p r}+6 T_{m u l}+5 T_{e x p}+5 T_{h p}\right)$ which will be executed in 100.507 ms. In the multidimensional aggregation scheme [28], the DA requires (w+2) ECC scalar multiplication operations where w is the number of SMs. Hence the DA’s complexity is $(w+2) T_{s}$ which will be executed in 4.452w+4.452 ms.
Finally, the complexity at SP in each scheme is computed successively. In our scheme, SP requires five scalar multiplication operation in ECC, threepoint addition operation, and four hash function operations. Hence the SP’s complexity is $\left(5 T_{s}+3 T_{P A}+4 T_{h}\right)$ which will be executed in 11.2256ms. In the anonymous metering scheme [3], SP requires one bilinear pairing operation, one bilinear scalar multiplication operation, one modular exponentiation operation, and two maptopoint function operations. Hence the SP’s complexity is $\left(1 T_{p r}+1 T_{m u l}+1 T_{e x p}+2 T_{h p}\right)$ which will be executed in 36.723 ms. In the multidimensional aggregation scheme [28], SP requires (w+2) ECC scalar multiplication operations and n solving the DL operation mod p . Hence, the SP’s complexity is $(w+2) T_{s}+n T_{\log }$. Solving the DL operation needs too long time to be executed; however, parallel Pollard‟s Rho method can be used to speed up the computations. By implementing the algorithm on a cluster of 256 octacore computers having PFLOPs capacity, solving the ECDLP requires 190189.061 sec. Hence, the execution of Boudia et al.'s scheme [28] requires $4.4524 .452(w+2)+190189061$ ms.
The real time complexity of our proposed scheme, the anonymous metering scheme [3], and multidimensional aggregation scheme [28] are given in Table 6. The real time complexity of Boudia et al.'s scheme [28] at the SM is dependent on the number of data types n, and it will be equivalent to our scheme at n=3. However, the real time complexity of Boudia et al.'s scheme [28] at the DA is dependent on the number of SMs (w), and it will be equivalent to our scheme at w=6. Lastly, the time complexity of Boudia et al.'s scheme [28] at the SP is dependent on the number of data type, the number of SMs, and the complexity of solving the DL. However, the real time of solving the DL operation which too long compared to the real time complexity of our proposed scheme at the SP regardless of the number of data type or the number of SMs.
Table 5. Complexity comparison
Scheme 
SM 
DA 
SP 
[3] 
$\left(1 T_{p r}+6 T_{m u l}\right.\left.+1 T_{e x p}+3 T_{h p}\right)$ 
$\left(1 T_{p r}\right.+6 T_{m u l}+5 T_{e x p}\left.+5 T_{h p}\right)$ 
$\left(1 T_{p r}\right.+1 T_{m u l}+1 T_{e x p}\left.+2 T_{h p}\right)$ 
[28] 
$(2 n+2) T_{s}$ 
$(w+2) T_{s}$ 
$(w+2)T_{s}+n T_{\log }$ 
Ours 
$\left(4 T_{s}+T_{P A}+\right.\left.6 T_{h}+2 T_{A E D}\right)$ 
$\left(9 T_{S}+4 T_{P A}\right.+10 T_{h}\left.+2 T_{A E D}\right)$ 
$\left(5 T_{S}+3 T_{P A}\right.\left.+4 T_{h}\right)$ 
Scheme 
SM (ms) 
DA (ms) 
SP (ms) 
[3] 
60.271 
100.507 
36.723 
[28] 
4.452(n+1) 
4.452(w+1) 
4.452(w+1) + 190189061n 
Ours 
17.9082 
29.1338 
11.2256 
In this paper, we relied on the idea of data aggregator to maintain the user's privacy and reduce the burden on smart meters, which has made us proposing a scheme for establishing keys between the smart meter and the data aggregator, and also between the data aggregator and the service provider by using elliptic curve cryptography. The proposed scheme has managed to overcome all the safety problems that are exposed to the related schemes. The proposed scheme can achieve mutual authentication between the different entities in smart grid, anonymity and untraceability of SM, and get rid of replay attack and impersonation attack. We have analyzed the efficiency of the proposed scheme in term of complexity; the proposed scheme also has managed to reduce the complexity compared to related schemes at the meter side, data aggregator side, and service provider side. In conclusion, the results demonstrate that our proposed scheme is a suitable key establishment scheme considering both security and efﬁciency.
[1] Wu, F., Xu, L., Li, X., Kumari, S., Karuppiah M., Obaidat, S. (2019). A lightweight and provably secure key agreement system for a smart grid with elliptic curve cryptography. IEEE Systems Journal, 13(3): 28302838. https://doi.org/10.1109/JSYST.2018.2876226
[2] Zhang, H., Wang J., Ding, Y. (2019). Blockchainbased decentralized and secure keyless signature scheme for smart grid. International Journal of Energy, 180: 955967. https://doi.org/10.1016/j.energy.2019.05.127
[3] Xie, S., Zhang, F., Lin, H., Tian, Y. (2019). A new secure and anonymous metering scheme for smart grid communications. International Journal of Energies, 12(24): 116. https://doi.org/10.3390/en12244751
[4] Aloul, F., AlAli, A.R., AlDalky, R., AlMardini M., ElHajj. W. (2012). Smart grid security: threats, vulnerabilities and solutions. International Journal of Smart Grid Clean Energy, 1(1): 16. https://doi.org/10.12720/sgce.1.1.16
[5] Kumar, P., Gurtov, A., Sain, M., Martin, A., Ha, P.H. (2019). Lightweight authentication and key agreement for smart metering in smart energy networks. International Journal of IEEE Transactions on Smart Grid, 10(4): 43494359. https://doi.org/10.1109/TSG.2018.2857558
[6] Xia, J., Wang, Y. (2012). Secure key distribution for the smart grid. International Journal of IEEE Transactions on Smart Grid, 3(3): 14371443. https://doi.org/10.1109/TSG.2012.2199141
[7] Wu, D., Zhou, C. (2011). Faulttolerant and scalable key management for smart grid. International Journal of IEEE Transactions on Smart Grid, 2(2): 375381. https://doi.org/10.1109/TSG.2011.2120634
[8] Maier, M., Ghazisaidi, N., Maier, M., Ghazisaidi, N. (2012). A lightweight message authentication scheme for smart grid communications. International Journal of FiWi Access Networks, 2(4): 207217. https://doi.org/10.1016/j.compeleceng.2016.02.017
[9] Mahmood, K., Ashraf, S., Naqvi, H., Shon, T. (2016). A lightweight message authentication scheme for smart grid communications in power sector. International Journal of Computers and Electrical Engineering, 52: 114124. https://doi.org/10.1016/j.compeleceng.2016.02.017
[10] Aziz, I.T., Jin, H., Abdulqadder, I.H. (2018). A lightweight scheme to authenticate and secure the communication in smart grids. Applied Sciences, 8(9): 1508. https://doi.org/10.3390/app8091508
[11] Li, H., Lu, R., Zhou, L., Yang, B., Shen, X.S. (2014). An efficient Merkletreebased authentication scheme for smart grid. International Journal of IEEE System, 8(2): 655663. https://doi.org/10.1109/JSYST.2013.2271537
[12] Liu, Y., Cheng, C., Gu, T., Jiang, T., Member, S., Li, X. (2016). A lightweight authenticated communication scheme for smart grid. International Journal of IEEE Sensors, 16(3): 836842. https://doi.org/10.1109/JSEN.2015.2489258
[13] Mohammadali, A., Haghighi, M.S. (2016). A novel identitybased key establishment method for advanced metering infrastructure in smart grid. International Journal of IEEE Transactions on Smart Grid, 9(4): 28342842. https://doi.org/10.1109/TSG.2016.2620939
[14] Tsai, J., Lo, N. (2015). Secure anonymous key distribution scheme for smart grid. International Journal of IEEE Transactions on Smart Grid, 7(2): 906914. https://doi.org/10.1109/TSG.2015.2440658
[15] Odelu, V., Das, A.K., Wazid, M., Conti, M., Member, S. (2016). Provably secure authenticated key agreement scheme for smart grid. International Journal of IEEE Transactions on Smart Grid, 9(3): 19001910. https://doi.org/10.1109/TSG.2016.2602282
[16] Chen, Y., Castillejo, P. (2017). An anonymous authentication and key establish scheme for smart grid: FAuth. Energies, 10(9): 1354. https://doi.org/10.3390/en10091354
[17] He, D., Wang, H., Khan, M.K., Wang, L. (2016). Lightweight anonymous key distribution scheme for smart grid using elliptic curve cryptography. IET Communications, 10(14): 17951802. https://doi.org/10.1049/ietcom.2016.0091
[18] Zhang, L., Tang, S., Luo, H. (2016). Elliptic curve cryptographybased authentication with identity protection for smart grids. PLoS ONE, 11(3): 115. https://doi.org/10.1371/journal.pone.0151253
[19] Mahmood, K., Ashraf, S., Naqvi, H., Kumari, S. (2018). An elliptic curve cryptography based lightweight authentication scheme for smart grid communication. Future Generation Computer Systems, 81: 557https://doi.org/10.1016/j.future.2017.05.002
[20] Farhadi, M., Nikooghadam, M., Hossein, A. (2020). A lightweight key management protocol for secure communication in smart grids. Electric Power Systems Research, 178: 106024. https://doi.org/10.1016/j.epsr.2019.106024
[21] Abbasinezhadmood, D. (2018). An anonymous ECCbased selfcertified key distribution scheme for the smart grid. IEEE Transactions on Industrial Electronics, 65(10): 79968004. https://doi.org/10.1109/TIE.2018.2807383
[22] Garg, S., Kaur, K., Kaddoum, G., Rodrigues, J.J.P.C., Member, S., Guizani, M. (2020). Secure and lightweight authentication scheme for smart metering infrastructure in smart grid. IEEE Transactions on Industrial Informatics, 16(5): 35483557. https://doi.org/10.1109/TII.2019.2944880
[23] Vahedi, E., Bayat, M., Pakravan, M.R., Aref, M.R. (2017). A secure ECCbased privacy preserving data aggregation scheme for smart grids. International Journal of Computer Networks, 129: 2836. https://doi.org/10.1016/j.comnet.2017.08.025
[24] Kong, W., Shen, J., Vijayakumar, P., Cho, Y., Chang, V. (2020). A practical group blind signature scheme for privacy protection in smart grid. Journal of Parallel and Distributed Computing, 136: 2939. https://doi.org/10.1016/j.jpdc.2019.09.016
[25] Wu, F., Li, X., Xu, L., Kumari, S. (2020). A privacypreserving scheme with identity traceable property for smart grid. Computer Communications, 157: 3844. https://doi.org/10.1016/j.comcom.2020.03.047
[26] Song, J., Liu, Y., Shao J., Tang, C. (2020). A dynamic membership data aggregation (DMDA) protocol for smart grid. International Journal of IEEE System, 14(1): 900908. https://doi.org/10.1109/JSYST.2019.2912415
[27] Tahir, M., Khan, A., Hameed, A., Alam, M., Khan, M.K., Jabeen, F. (2017). Towards a set aggregationbased data integrity scheme for smart grids. Annals of Telecommunications, 72: 551561. https://doi.org/10.1007/s1224301706027
[28] Merad Boudia, O.R., Senouci, S.M., Feham, M. (2017). Elliptic curvebased secure multidimensional aggregation for smart grid communications. IEEE Sensor Journal, 17(23): 77507757. https://doi.org/10.1109/JSEN.2017.2720458
[29] Chen, J., Shi, J., Zhang, Y. (2015). EPPDC: An efficient privacypreserving scheme for data collection in smart grid. International Journal of Distributed Sensor Networks, 11(5): 112. https://doi.org/10.1155/2015/656219
[30] Zhang, X., Shen, X. (2019). Efficient privacypreserving multidimensional data aggregation scheme in smart grid. IEEE Access, 7: 3290732921. https://doi.org/10.1109/ACCESS.2019.2903533