This article has been accepted for inclusion in a future issue of this journal.
Content is final as presented, with the exception of pagination.
IEEE TRANSACTIONS ON SMART GRID
Secure Anonymous Key Distribution
Scheme for Smart Grid
Jia-Lun Tsai and Nai-Wei Lo, Member, IEEE
Abstract—To fully support information management among
various stakeholders in smart grid domains, how to establish
secure communication sessions has become an important issue
for smart grid environments. In order to support secure com-
munications between smart meters and service providers, key
management for authentication becomes a crucial security topic.
Recently, several key distribution schemes have been proposed to
provide secure communications for smart grid. However, these
schemes do not support smart meter anonymity and possess
security weaknesses. This paper utilizes an identity-based signa-
ture scheme and an identity-based encryption scheme to propose
a new anonymous key distribution scheme for smart grid environ-
ments. In the proposed scheme, a smart meter can anonymously
access services provided by service providers using one private
key without the help of the trusted anchor during authentication.
In addition, the proposed scheme requires only a few of com-
putation operations at the smart meter side. Security analysis is
conducted to prove the proposed scheme is secure under random
oracle model.
Index Terms—Identity-based encryption, identity-based signa-
ture, key distribution, privacy, smart grid.
I. I NTRODUCTION
HE SMART grid is an advanced metering infrastruc-
T ture for automatically gathering and utilizing information
generated from different stakeholders in order to replace tradi-
tional electricity infrastructure [1], [2]. This new infrastructure
makes electricity grids more efficient, secure, and reliable
through bidirectional transmission flows of electric power and
data communication. A smart grid usually contains four com-
ponents: 1) sensing; 2) communication; 3) control; and 4) actu-
ation systems [3]. Usually, end user devices for smart grid
such as smart meter are composed of sensing and communica-
tion modules. Service systems from service providers contain
communication, control, and actuation modules. Nowadays,
thousands of smart meter are installed in homes to monitor
energy consumption in real time and to provide power pric-
ing information to consumers. A smart meter has a processing
chip and a small, nonvolatile memory space to perform crypto-
graphic operations on sensed data before sending the processed
Manuscript received October 2, 2014; revised January 7, 2015 and
April 20, 2015; accepted May 28, 2015. This work was supported in part
by the Taiwan Information Security Center, and in part by the National
Science Council of Taiwan under Grant MOST 103-2221-E-011-091-MY2.
Paper no. TSG-00977-2014. (Corresponding author: Jia-Lun Tsai.)
The authors are with the Department of Information Management, National
Taiwan University of Science and Technology, Taipei 106, Taiwan (e-mail:
crousekimo@yahoo.com.tw; nwlo@cs.ntust.edu.tw).
Digital Object Identifier 10.1109/TSG.2015.2440658
1949-3053 c 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
1
data to a designated receiving service server. As smart grid
brings huge and mutual benefits among utility companies, ser-
vice providers, and electricity consumers, information security
between smart meters and backend service servers has become
a very important and practical issue [4]–[11].
As a smart meter is usually installed at the front of a house
and only protected with a physical lock, it is relatively easy to
be attacked by malicious attackers in comparison with back-
end service servers. An intruder may break the physical lock
of a smart meter and then compromise and control this smart
meter. As a result, this malicious attacker might be able to
forge sensed data such as the amount of electricity usage at
this house before sending these forged data back to the cor-
responding service server. In addition, it is also possible for
an adversary to eavesdrop, modify, and interrupt data (or mes-
sages) transmitted from a smart meter, since insecure wireless
environment is usually adopted by smart meter to establish
communication sessions with designated services.
Privacy protection of citizens [12], [13] is another security
concern for smart grid. An adversary compromising a smart
meter of a citizen’s house can link personal information of
this citizen with the status or statistics of his/her electric-
ity usage. With data analysis tools and proper deduction, the
adversary can profile the daily life of the targeted citizen or
even predict when the citizen will be at home. Based on the
information, the adversary could break into the citizen’s house
when the citizen is absent. Thus, secure message/data trans-
mission with anonymity property between meters and backend
servers is the key factor for service providers to prevent
data leakage and protect user privacy. However, it is difficult to
design such scheme, since a smart meter cannot afford heavy
cryptographic operations due to the limitation of embedded
computing resources. One of the best ways to build a secure
anonymous communication session between a smart meter and
its designated service server is to utilize authenticated key
management scheme.
Key management schemes generally are divided into two
categories [8]: 1) public key infrastructure (PKI) [14] for
key management; and 2) symmetric key management. In
PKI, a trusted certificate authority (CA) is required to gen-
erate certificates for communicating parties; two commu-
nicating parties authenticate each other by verifying the
validity of received certificate sent from its peer. In sym-
metric key management, a secret key is shared between two
or more communicating parties. Usually, the secret key is
stored in a tamper-proof hardware at each communicating
party. Communicating parties use this shared secret key to
 This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.
2 IEEE TRANSACTIONS ON SMART GRID
encrypt/decrypt messages transmitted between them to achieve
secure communication.
PKI may be one of the promising solutions for smart
grid. It is feasible for service providers to provide smart
meter anonymity using PKI mechanism, since the service
server can decrypt received encrypted messages using its
master private key directly without the need of knowing cor-
responding smart meter identity in advance. Unfortunately,
PKI usually requires more computing resources for certificate
verification and management operation of certificate revoca-
tion list (CRL) [4], [14]. The ever-growing size of CRLs and
heavy certificate verification computation will become two
practical challenges for smart grid to adopt PKI-based key
management schemes. Symmetric key management is usually
efficient. However, it is dangerous if all smart meters share
the same key for secure communication. If an adversary has
found a way to learn the shared key, communication secu-
rity between each smart meter and backend servers will be
in danger. To overcome this weakness, it is better to intro-
duce a trusted third party to distribute distinct private key to
every smart meter, respectively. However, this approach often
requires this trusted third party participating in online mutual
authentication process, so it offers an opportunity for an adver-
sary to attack the trusted third party via network to learn smart
meters’ keys. In addition, it is troublesome for symmetric key
management scheme to support smart meter anonymity with-
out spending extra computing resources for key search and
identification. In order to overcome those identified perfor-
mance and security issues, a new anonymous key distribution
scheme based on identity-based public key cryptosystems is
developed in this paper.
The concept of identity-based public key cryptosystem was
first introduced by Shamir [15]. The main idea of identity-
based cryptosystem is to use user identities as their public
keys such that certificate management can be simplified. In
identity-based cryptosystems, a trusted third party is required.
This trusted third party utilizes a user identity and the chosen
master secret key to generate a corresponding private key for
this user, where the user identity is also his/her public key.
In recent years, elliptic curve cryptosystem (ECC) [16], [17]
has become one of the most popular public key cryptosys-
tems. Compared with other public key cryptosystems based
on RSA and discrete logarithm problem (DLP), ECC achieves
the same level of security strength with smaller key size and
less computational cost [18]. Therefore, ECC is more suitable
for devices with limited computing resources such as smart
meters. Unfortunately, ECC can only be used to construct
identity-based signature schemes. Boneh and Franklin [19]
first used bilinear pairings to construct an identity-based
encryption scheme, where bilinear pairing is a mathemati-
cal function on elliptic curve. The proposed key distribution
scheme utilizes identity-based cryptosystems to fulfill anony-
mous secure communication between two communicating
parties.
A. Related Works
A new key management scheme for smart grid was pro-
posed by Wu and Zhou [20]. A public key cryptosystem and
a symmetric key cryptosystem are used in their scheme to sim-
plify key management. The symmetric key cryptosystem used
in their scheme is based on the Needham–Schroeder authenti-
cation protocol and the public key cryptosystem used in their
scheme is based on ECC. The key management scheme of
Wu and Zhou [20] supports strong security, scalability, fault-
tolerance, accessibility, and efficiency. Since both PKI and
a trusted anchor are used in their scheme, their scheme requires
at least two distinct servers. In addition, certificate verifica-
tion from PKI usually consumes heavy computing resources
in which a smart meter might not be affordable.
Xia and Wang [21] found the scheme of Wu and Zhou [20]
is vulnerable to man-in-the-middle attacks. They then pro-
posed a new key distribution scheme for smart grid. In the
scheme of Xia and Wang [21], a lightweight directory access
protocol (LDAP) server is used as the trusted third party. The
advantage of this scheme is that the operation cost is less than
others since the LDAP server is cheaper. In addition, multi-
ple LDAP servers can be deployed to prevent single point of
failure on the LDAP server. However, Park et al. [22] showed
that the scheme of Xia and Wang [21] is vulnerable to imper-
sonation attack and unknown key share (UKS) attack. The
scheme of Xia and Wang [21] does not support smart meter
anonymity and perfect forward secrecy of smart meters and
service servers. Hence, if an adversary can get the private key
of a smart meter, the adversary can learn the session keys
constructed in previous communicating sessions of this smart
meter (or this service server). In addition, this paper discovers
that all these schemes reveal that the trusted anchor has to
participate in each authentication process between two com-
municating parties. The trusted anchor involving in online
session authentication may raise security risk of the whole
system. If the trusted anchor was compromised, an adversary
can easily learn the master key and then generate the same
private keys assigned to all communicating parties. This secu-
rity risk can be reduced by removing the trusted anchor from
online session authentication.
In recent years, several identity-based authenticated key
agreement protocols [23], [24] have been proposed. These
protocols allow two parties to authenticate each other and share
a session key after authentication. However, they are unsuit-
able for smart grid, since they do not consider parties with
limited computing resources such as smart meters, and do not
support user (smart meter) anonymity. Wang [25] proposed
four new authentication schemes using smart card. The first
one is a symmetric key-based scheme. The second and fourth
ones are based on identity-based key authenticated agreement
protocol. The third one is based on HMQV protocol [26].
However, all of them do not support user (smart meter)
anonymity.
B. Our Contributions
This paper proposes a new anonymous key distribution
scheme for smart grid. The proposed scheme adopts identity-
based encryption scheme [27] and identity-based signature
scheme [28] such that a smart meter can anonymously access
services provided by service providers using one private key
 This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.
TSAI AND LO: SECURE ANONYMOUS KEY DISTRIBUTION SCHEME FOR SMART GRID
without the help of the trusted anchor. In addition, this scheme
does not require heavy computing resources at smart meter
side, while achieving mutual authentication and smart meter
anonymity at the same time. With security analysis, we also
show that the proposed scheme is secure under random ora-
cle model. Comparisons on security and efficiency among the
proposed scheme and other existing ones indicate that the
proposed scheme is secure without sacrificing performance
efficiency.
II. P RELIMINARIES
We briefly introduce fundamental cryptography used for our
proposed scheme including properties of bilinear pairings and
mathematical problems as follows.
A. Bilinear Pairings
The properties of bilinear pairings are defined as follows.
Let G1 be an additive cyclic group, G2 be a multiplicative
cyclic group, and P be a generator of G1 , where G1 and G2
have the prime order q. The bilinear pairing equation e :
G1 × G1 → G2 satisfies the following properties [27]–[30].
1) Bilinear: Given P1 , P2 , Q1 , Q2 ∈ G1 , e(P1 +
P2 , Q1 ) = e(P1 , Q1 )e(P2 , Q1 ), and e(P1 , Q1 + Q2 ) =
e(P1 , Q1 )e(P1 , Q2 ).
Besides, given a, b ∈ Zq , e(aP, bQ) = e(abP, Q) =
e(P, abQ) = e(P, Q)ab = e(bP, aQ).
2) Nondegenerate: There exists P ∈ G1 and Q ∈ G1 such
that e(P, Q) = 1, where 1 is the identity element of G2 .
3) Computable: For any P, Q ∈ G1 , the value e(P, Q) is
efficiently computed.
B. Mathematical Problems
Let G1 be a cyclic additive group, let G2 be a cyclic mul-
tiplicative group and let e : G1 × G1 → G2 be a bilinear map
function, where G1 and G2 have the same prime order q and P
is the generator of G1 . The mathematical problems used in this
paper are introduced as follows [27]–[30].
Definition 1 Collusion Attack Algorithm With k-Traitors
(k-CAA Problem): Given P ∈ G1 , sP ∈ G1 , {e1 , e2 , . . . ,
ek ∈ Zq∗ } and {(1/s + e1 )P, (1/s + e2 )P, . . . , (1/s + ek )P} for
an integer k and s ∈ Zq∗ , P ∈ G1 , it is infeasible to compute
(s + e)−1 P, where e ∈ / {e1 , e2 , . . . , ek }.
Definition 2 Computational Diffie-Hellman Problem (CDH
problem): Given P, xP, yP, ∈ G1 for x, y ∈ Zq∗ , it is infeasible
to compute xyP.
Definition 3 Modified Bilinear Inverse Diffie-Hellman With
k Values (k-mBIDH) Problem: Given P, sP, tP ∈ G1 ,
h, h1 , h2 , . . . , hk ∈ Zq∗ , (1/s + h1 )P, (1/s + h2 )P, . . . , and
−1
(1/s + hk )P, it is infeasible to compute e(P, P)(s+h) t .
III. S YSTEM C OMPONENTS AND THE P ROPOSED S CHEME
We present the proposed anonymous key distribution
scheme in this section. In Section III-A, we describe the sys-
tem components of the proposed scheme. Then, we introduce
the proposed scheme in Section III-B.
3
TABLE I
S YMBOL N OTATIONS
A. System Components
This paper focuses on secure communication between smart
meters and service providers in a smart grid. Hence, there
are three roles in our scheme: 1) a trust anchor; 2) multi-
ple service providers SP = {SPj | j = 1, . . . , m}; and 3) a set
of remote smart meters SM = {SMi |i = 1, . . . , n}. A smart
meter is responsible for collecting the data from sensors
installed in a household, and then sends the collected data to
its corresponding service provider. A service provider is the
data aggregator in our proposed scheme, so it is responsi-
ble for monitoring the electric flows and sending real-time
electric information to a user or a smart meter. The trusted
anchor is a trusted third party in our scheme; it is responsible
for distributing the private keys of smart meters and service
providers during registration. When a smart meter or a service
provider learns a private key from the trusted anchor, it stores
the learned private key into its tamper-proof module.
B. Proposed Scheme
We present the proposed scheme in this section. Our
scheme is divided into three phases: 1) system setup;
2) extraction; and 3) mutual authentication phases. Details of
each phase are described as follows. The notations are defined
in Table I.
1) System Setup: Let G1 be a cyclic additive group, P be the
generator of G1 , and let G2 be a cyclic multiplicative group,
where G1 and G2 have the same prime order q. First of all, the
trust anchor chooses a bilinear map e : G1 ×G1 → G2 and five
one-way hash functions H : {0, 1}∗ → G1 , H1 : {0, 1}∗ → Zq∗ ,
H2 : {0, 1}∗ → Zq∗ , H3 : {0, 1}∗ → Zq∗ , H4 : {0, 1}∗ → Zq∗ ,
and H5 : {0, 1}∗ → Zq∗ . Next, the trust anchor chooses a ran-
dom number s as its master private key and then computes
g = e(P, P) and Ppub = sP, where Ppub is the mas-
ter public key of the trust anchor. Next, the trust anchor
publishes {G1 , G2 , P, e, H, H1 , H2 , H3 , H4 , q, Ppub , g} as the
public parameters and keeps s as its secret.
2) Extraction: In our scheme, smart meters and service
providers are required to register on the trust anchor in
advanced; therefore, the extraction phase includes smart meter
extraction process and service provider extraction process.
Details of each process are described as follows.
 This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.

4 IEEE TRANSACTIONS ON SMART GRID

Fig. 1. Mutual authentication of the proposed scheme.

3) Smart Meter Extraction: If a smart meter SMi wants to where ai and NC are two random numbers. SMi
register on the trust anchor, the smart meter SMi sends its iden- then sends (C1 , C2 ) to SPj .
tity IDi to the trust anchor via a secure channel. Upon receiving Step 2: Upon receiving (C1 , C2 ) from SMi , SPj retrieves
IDi from a smart meter SMi , the trust anchor computes the IDi by computing the following equations:
private key
 
1 1
Di = P (1) ki = e   P, C1 (5)
s + qi s + H1 SIDj
for the corresponding smart meter SMi , where qi = H1 (IDi )  
Vi = H2 ki , SIDj (6)
is the corresponding public key of the smart meter SMi .
Next, the trust anchor sends Di and {G1 , G2 , P, e, H, H1 , H2 , (IDi , NC ) = C2 ⊕ Vi . (7)
H3 , H4 , q, Ppub , g} to the smart meter SMi via a secure
channel. Upon receiving Di and {G1 , G2 , P, e, H, H1 , H2 , After retrieving (IDi , NC ) from C2 , SPj computes
H3 , H4 , q, Ppub , g} from the trust anchor, the smart meter SMi
stores them into its tamper-proof module. SK = bi C1 (8)
4) Service Provider Extraction: If a service provider SPj    
R1 = bi H1 SIDj P + Ppub (9)
joins the system, SPj also needs to send its identity SIDj to  
the trust anchor. The trust anchor uses the service provider’s R2 = H3 qi , qj , NC , IDi , SIDj , SK (10)
identity SIDj and the trust anchor’s master private key s to
compute the master private key of the service provider SPj and then sends (R1 , R2 ) back to SMi , where
1 bi is a random number. Notice that the value
Kj = P (2) H1 (SIDj )P + Ppub can be computed and stored in
s + hj
advance, so SPj does not have to compute the value
where hj = H1 (SIDj ) is the corresponding public key of every time within a mutual authentication session.
the service provider SPj . Next, the trust anchor sends K Step 3: Upon receiving (R1 , R2 ) from SPj , SMi computes
and {G1 , G2 , P, e, H, H1 , H2 , H3 , H4 , q, Ppub , g} to the ser-
vice provider SPj via a secure channel. Upon receiving Kj
SK = H5 (ai · R1 ) (11)
and {G1 , G2 , P, e, H, H1 , H2 , H3 , H4 , q, Ppub , g} from the trust  
anchor, the service provider SPj computes H1 (SIDj )P + Ppub , R2 = H3 qi , qj , NC , IDi , SIDj , SK (12)
and then stores {G1 , G2 , P, e, H, H1 , H2 , H3 , H4 , q, Ppub , g},
Kj , and H1 (SIDj )P + Ppub into its tamper-proof module. and then checks whether the computed R2 is equal
5) Mutual Authentication: The mutual authentication phase to the received R2 . If both values are equivalent,
of our scheme is depicted in Fig. 1. In this phase, a smart SPj is authenticated. Next, SMi computes
meter SMi and a service provider SPj authenticate each other
  
without the help of the trust anchor. The smart meter SMi and C3 = ai + H4 SIDj , SK, R2 , C1
the service provider SPj perform the following steps.  
1
Step 1: SMi computes × P (13)
    s + H1 (IDi )
C1 = ai · Ppub + H1 SIDj P (3)
 a 
C2 = H2 g , SIDj ⊕ (IDi , NC )
i (4) and then returns C3 to SPj .
 This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.
TSAI AND LO: SECURE ANONYMOUS KEY DISTRIBUTION SCHEME FOR SMART GRID
Step 4: Upon receiving C3 from SMi , SPj verifies the valid-
ity of the signature C3 by checking whether the
following equation holds:
  
e C3 , Ppub + H1 (IDi )P = ki · gH4 (SIDj ,SK,R2 ,C1 ) .
(14)
If (12) holds, SMi is authenticated.
IV. S ECURITY A NALYSIS
The security model and security analysis of the proposed
scheme are described as follows.
A. Security Model
This section defines the security model of ID-based mul-
tiservice provider authentication scheme in smart grids. The
proposed security model is based on the security model
of [31]–[33]. In the multiservice provider authentication
scheme, a participant is one of the following roles: 1) legal
smart meter SMi ; 2) service provider SPj ; and 3) the trust
anchor RC. For each P ∈ {SMi , SPj , RC}, where SMi is
the instance i of smart meter and SPj is the instance j of
service provider, the probabilistic polynomial time adver-
sary A knows the all public parameters and can invoke
queries that are defined as follows. Notice that, all hash lists
LH1 , LH2 , LH3 , LH4 , and LH5 are initially empty.
1) Extract (IDi ): This query operation is used to simulate
an ID attack. In this query, the adversary A sends a cho-
sen IDi to the oracle. The oracle checks whether the
value pair [IDi , H1 (IDi )] exists in the list LH1 . If the
oracle cannot find the value pair in LH1 , the oracle then
calculates H1 (IDi ) and returns the public key H1 (IDi )
of corresponding smart meter or corresponding service
provider according to the identity IDi .
2) Hi (M): When an adversary A invokes this query on
a message M, the oracle returns the hashed message to
the adversary A and then stores it into the hash list LHi .
3) Send(M, P): This query simulates an active attack, in
which the adversary A can modify the message transmit-
ted between a smart meter SMi and a service provider
SPj . When the adversary A sends a modified message M
to the oracle P through this query, the oracle P returns
a corresponding reply to the adversary A.
4) Execute(P, M): This query simulates passive attacks.
This query allows the adversary A to learn all commu-
nication messages between a smart meter and service
provider.
5) Reveal(P): This query allows the adversary A to learn
the session key held by the oracle P.
6) Corrupt(P): This query is used to evaluate the property
preservation of forward secrecy on the oracle P; it allows
the adversary A to compromise the long-term private key
of the oracle P.
7) Test(P): This query simulates semantic security of ses-
sion key. In this query, the oracle P flips a coin b. If
b = 1, the oracle P returns the real session key to the
adversary A. Otherwise, the adversary A learns a random
bits string from the oracle P.
5
Two definitions are introduced as follows.
Definition 4: An oracle SMi and an oracle SPj are partners if
they authenticate each other and then construct a session key.
Definition 5: An oracle SMi constructs a fresh session key
with an oracle SPj if the following conditions hold.
1) The session key SK(= NULL) is accepted by
SMi and SPj if neither SMi nor SPj has been operated
by the adversary A through reveal queries.
2) No corrupt query is invoked by the adversary A before
calling queries Send(M, SMi ) or Send(M, SPj ).
Pr[Succ] is defined as the probability that the adver-
sary A wins the game. Let SM2SP be an event which
will be generated when an adversary successfully compro-
mises smart meter-to-service provider authentication and let
SP2SM be an event which will be generated when an adver-
sary successfully compromises service provider-to-smart meter
authentication. The advantage of the multiservice provider
authentication scheme (MSAS) for the adversary A is defined
as AdvMSAS (A) = |2 · Pr [Succ] − 1|. An MSAS supports
mutual authentication, if both Pr[SM2SP] and Pr[SP2SM] are
negligible during an authentication session.
B. Security Analysis
This section shows that our scheme supports smart meter-
to-service provider authentication, service provider-to-smart
meter authentication, and key agreement under the random
oracle model as follows. Hash, extract, execute, reveal, send,
corrupt, and test queries are invoked based on different attack
patterns to simulate real attacks.
Theorem 1: Adversary A can break smart meter-to-service
provider authentication successfully if adversary B can utilize
adversary A for solving the k-CAA problem.
Proof: First of all, an instance {P, sP, {e1 , e2 , . . . , ek ∈ Zq∗ },
{(1/s + e1 )P, (1/s + e2 )P, . . . , (1/s + ek )P}} of the k-CAA
problem is given to adversary B. Adversary B then tries to
compute (1/s + e0 )P in order to solve the k-CAA problem.
To achieve this goal, adversary B simulates the attack envi-
ronment with adversary A. First, adversary B runs the system
setup algorithm to generate all the public parameters, and then
returns them to adversary A. Next, A can perform the following
queries with B.
1) H1 Hash Query: If A invokes an H1 query for IDi
(or SIDj ), B returns H1 (IDi ) (or H1 (SIDj )) to A if
H1 (IDi ) (or H1 (SIDj )) exists in LH1 . Otherwise, B calcu-
lates and returns H1 (IDi ) (or H1 (SIDj )) and then stores
{IDi , H1 (IDi )} (or {SIDj , H1 (SIDj )}) in LH1 .
2) H2 Hash Query, H3 Hash Query, H4 Hash Query, and
H5 Hash Query: If A invokes an Hk query on a mes-
sage m, B finds whether m exists in LHk , where k = 2−5.
If the message m is in LHk , B then returns hk to A; other-
wise, B calculates and returns hk and then stores a new
tuple (m, hk ) into LHk .
3) Extract: When an extract query on IDi (or SIDj ) is
invoked by A, B finds qi (or qj ) from LH1 according
to IDi (or SIDj ). Then, adversary B computes Di =
(1/s + H1 (IDi ))P (or Kj = (1/s + H1 (SIDj ))P) and then
sends it back to A.
 This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.
6 IEEE TRANSACTIONS ON SMART GRID
4) Send: Adversary A can invoke the following send queries
during smart meter-to-service provider authentication.
a) Send(“start,” SM i ): If A invokes a Send(“start,”
SMi ) query, B computes a login request (C1 , C2 )
and then returns it back to A.
b) Send((R1 , R2 ), SMi ): When adversary A calls
a Send((R1 , R2 ), SMi ) query, adversary B computes
SK and R2 , and checks whether the computed R2 is
equal to the received R2 . If both values are equivalent,
B computes C3 and then returns it to A. Otherwise,
adversary B returns a failure message to A.
5) Analysis: According to forking lemma [34], adversary
A outputs two valid signatures {C1 , C3 } and {C1 , C3 },
where H4 (SIDj , SK, R2 , C1 ) = H4 (SIDj , SK, R2 , C1 ).
Adversary B can compute
C1 − C1
   
H4 SIDj , SK, R2 , C1 − H4 SIDj , SK, R2 , C1
1
= P
s + q0
and then solves the k-CAA problem. The probability
that adversary B returns the correct values of h and h
is only (1/qH1 )2 . Thus, we prove that the probability
of breaking our scheme is equal to the probability of
solving the k-CAA problem. Notice that, we have shown
that the signature used in our scheme is secure under
random oracle as well.
Theorem 2: Adversary A can break service provider-to-smart
meter authentication successfully if adversary B is able to use
adversary A for solving the k-mBIDH problem.
Proof: Adversary B is given an instance of the
k-mBIDH problem. To solve the k-mBIDH problem, adver-
sary B runs adversary A and then simulates our authen-
tication scheme. Adversary B first runs the system setup
algorithm to generate all the public parameters {G1 , G2 , P, e,
H, H1 , H2 , H3 , H4 , q, Ppub , g} and then returns these public
parameters to adversary A. In order to break service provider-
to-smart meter authentication, adversary A needs to com-
pute R2 = H3 (hi , NC , IDi , SIDj , SK) to pass the verification
process.
1) H1 Hash Query: If A makes an H1 query for IDi (or SIDj ),
B sends qi (or qj ) back to A if qi (or qj ) exists in LH1 .
Otherwise, B computes qi (or qj ) and then stores {IDi , qi }
(or {SIDj , qj }) in LH1 . Next, B returns qi (or qj ) to A.
2) H2 Hash Query, H3 Hash Query, H4 Hash Query, and H5
Hash Query: If A invokes an Hk query on a message m,
B checks whether m exists in LHk , where k = 2 − 5.
If the message m is in LHk , B sends hk = Hk (m) back
to A. Otherwise, B computes hk and then sends it back
to A. Next, a new tuple (m, hk ) is stored in LHk by B.
3) Extract: If A invokes an extract query for IDi (or SIDj ),
B finds qi (or qj ) from the hash list LH1 according to
IDi (or SIDj ). Next, B computes Di = (1/s + H1 (IDi ))P
(or Kj = (1/s + H1 (SIDj ))P) and then returns it to A.
4) Send: Adversary A can invoke the following send queries
during service provider-to-smart meter authentication.
a) Send((C1 , C2 ), SPj ): If A invokes a Send((C1 , C2 ),
SPj ) query, B computes ki and Vi , and then retrieves
IDi and NC from the received C2 . Next, B com-
putes SK, R1, and R2 and then sends them back
to A.
b) Send((C3 ), SPj ): If A invokes a Send((C3 ), SPj )
query, B verifies the validity of the received C3 . If
C3 is valid, B accepts the login session. Otherwise,
B returns a failure message to A.
5) Corrupt: If A invokes a corrupt query for SIDj ,
B finds {IDi , H1 (IDi )} from the hash list LH1 accord-
ing to IDi . Next, B then sends (1/s + H1 (IDi ))P to
adversary A.
6) Reveal: Upon receiving a reveal query from A, B sends
a random number back to A.
7) Test: If A invokes a test query, B checks whether adver-
sary A asked in the lth session. If the condition does not
hold, B terminates the simulation. Otherwise, B selects
a bit b. If b = 1, B sends a session key back to A.
Otherwise, B returns a random bits string.
8) Analysis: Let qu be the number of instances of smart
meter invoked in the game, n be the size of the point,
k be the output size of the H4 query, ε be the prob-
ability of adversary A correctly guessing the value of
b when calling a test query and ε be the probabil-
ity that the adversary B solves the k-mBIDH problem.
We claim that adversary A can break smart meter-to-
service provider authentication if adversary A makes the
authentic message R2 = H3 (qi , qj , NC , IDi , SIDj , SK)
successfully. There are three scenarios for adversary A
to get correct R2 .
a) Adversary A correctly guesses R2 = H3 (qi , qj ,
NC , IDi , SIDj , SK) without asking H3 hash query
and knowing session key SK = ai R1 . The
probability for this situation to occur is less
than 1/k.
b) The tuple value (C1 , C2 , R1 , R2 , IDi , SIDj ) in the
current session is equal to the tuple value
(C1 , C2 , R1 , R2 , IDi , SIDj ) in a previous session.
The probability for this situation to occur is less
than (qu /l2 ).
c) Adversary A invokes test query in the
lth session to learn a secret value ki =
e((1/s + H1 (SIDj ))P, C1 ). The probability
that A invokes test query in the lth session is ε .
In summary, the probability for adversary B to solve the
k-mBIDH problem is ε ≥ ε − 1/k − (qu /l2 ).
Theorem 3: Adversary B can use adversary A to solve the
CDH problem if adversary A can correctly guess the value of
coin b tossed in a test query.
Proof: Let Pr[SM2SP] be the probability for an adversary
to break smart meter-to-service provider authentication and
SM2SP be the event that the smart meter-to-service provider
authentication scheme is under adversary attack. Based on our
previous analysis, adversary A must invoke H3 hash query
with the tuple (qi , qj , NC , IDi , SIDj , SK) to gain advantage
ε for correctly guessing the value of coin b when calling
a test query. Let Ask be the event that the query (bi C1 ) corre-
sponding to the test query has been asked to H5 ; then the
probability for the event Ask to occur is Pr [Ask ] ≥ ε/2.
 This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.
TSAI AND LO: SECURE ANONYMOUS KEY DISTRIBUTION SCHEME FOR SMART GRID
Thus, we have
  
Pr[Ask ∧ Test(SMi )] + Pr Ask ∧ Test SPj ∧ SM2SP
   ε
+ Pr Ask ∧ Test SPj ∧ ¬SM2SP ≥ .
2
The equation can be further derived as
  
Pr[Ask ∧ Test(SMi )] + Pr Ask ∧ Test SPj ∧ ¬SM2SP
ε
≥ − Pr [SM2SP].
2
Since event Test(SPj ) ∧ ¬SM2SP implies event Test(SMi ),
we have
ε
Pr[Ask ∧ Test(SMi )] ≥ − Pr [SM2SP].
2
The value of probability Pr[SM2SP] is negligible and advan-
tage ε is non-negligible based on Theorems 1 and 2; therefore,
the value (ε/2) − Pr [SM2SP] is also non-negligible. Thus, the
CDH problem can be solved if A can correctly guess the coin
b tossed in a test query.
V. C OMPARISONS
This section compares the proposed scheme with other
related schemes, including the scheme of Wu and Zhou [20],
the scheme of Xia and Wang [21], and the second scheme of
Wang [25]. Notice that, we select the second scheme in [25]
because this scheme is based on identity-based authenticated
key agreement protocol. The last (fourth) scheme of Wang [25]
is also based on identity-based cryptosystem, but it requires
a database at the server side to store all password validation
data. In addition, this scheme does not support smart meter
anonymity. The other two schemes in [25] are not quite suitable
for multiservice provider environment such as smart grid. Based
on the design of these two schemes, each smart meter requires
storing all public keys from different service providers in a smart
grid environment. It is difficult for smart meters to manage and
maintain these public keys. Therefore, we do not include the
first, third, and fourth schemes in [25] into our comparison.
The proposed scheme is based on an identity-based sig-
nature scheme and an identity-based encryption scheme such
that a smart meter and a service provider can authenticate
each other without the involvement of the trusted anchor. It
is also impossible for an adversary to masquerade as a smart
meter, a service provider (or a backend server) or the trusted
anchor in our scheme, since the adversary would need to break
these two identity-based cryptosystems that are secure against
known attacks under random oracle. Man-in-the-middle attack
and UKS attack also cannot succeed their assaults on our
scheme due to these identity-based cryptosystems. The pro-
posed scheme also supports smart meter anonymity as an
identity-based encryption scheme is adopted to protect smart
meter identities. Without knowledge of the service provider’s
private key, it is impossible for an adversary to retrieve the
identity of communicating smart meter from authentic mes-
sages. In addition, the Diffie–Hellman key agreement protocol
is applied in our scheme; therefore, the proposed scheme
supports perfect forward secrecy. As shown in Table II, the
proposed scheme achieves all required security properties. On
the contrary, Wu and Zhou’s scheme [20], Xia and Wang’s
7
TABLE II
C OMPARISON ON S ECURITY F EATURES
scheme [21], and the second scheme of Wang [25] have
a number of shortcomings.
1) They do not support perfect forward secrecy. The sec-
ond scheme of Wang [25] only supports weak perfect
forward secrecy.
2) Wu and Zhou’s scheme [20] and Xia and Wang’s
scheme [21] require the trusted anchor participates in
the authentication process. If the trusted anchor was
compromised, an adversary can easily learn the master
key and then generate the same private keys assigned
to all communicating parties. This security risk can be
reduced by removing the trusted anchor from online
session authentication as our proposed scheme does.
3) The scheme proposed of Wu and Zhou [20] is vulnera-
ble to man-in-the-middle attack.
4) The scheme of Xia and Wang [21] is vulnerable to an
impersonating service provider attack and a UKS attack.
5) In the scheme of Wu and Zhou [20], the certificate can
be used to find out who logs into the service provider;
therefore, the scheme does not support anonymity.
6) In the scheme of Xia and Wang [21], a smart meter iden-
tity is sent to the trusted anchor; therefore, this scheme
does not support anonymity, either. The second scheme
of Wang [25] also does not support anonymity as it user
uses (smart meter) identity through its authentication
process. Next, we give the efficiency comparison among
these three existing schemes and the proposed one in
terms of computation cost.
Let Tb be the time to perform one bilinear pairing operation,
Tmp be the time to perform one multiplication point operation,
Tm be the time to perform one multiplication operation, Te be
the time to perform one modular exponentiation operation, Ts
be the time to perform one symmetric encryption/decryption
operation, Tcert be the time to perform a certificate generation
operation, Tcert_ver be the time to perform a certificate verifi-
cation operation, TH be the time for performing a MapToPoint
operation, and Th be the time to perform one one-way
hash operation. Since execution time for the point addition
operation and time for XOR operation are much less than time
required by other operations; therefore, the computation time
consumed by these two operations is ignored. In our scheme,
 This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.
8 IEEE TRANSACTIONS ON SMART GRID
TABLE III
C OMPARISON ON C OMPUTATION C OSTS
a smart meter requires 3Tmp +Te +3Th and Tmp +2Th to authen-
ticate the corresponding service provider in steps 1 and 3 of the
mutual authentication phase, respectively. The service provider
requires 2Tb + 3Tmp + Te + 5Th to perform steps 2 and 4 of
the mutual authentication phase. The trusted anchor does not
consume any time, since it does not participate in the mutual
authentication phase. Table III illustrates the computation costs
for our scheme and the others. Based on [35], the computation
cost to perform one pairing operation is approximately equal
to the computation cost of computing three scalar multiplica-
tions. From Table III, Xia and Wang’s scheme [21] has the
best performance at smart meter side, followed by the pro-
posed scheme. However, all comparing schemes in Table III
are vulnerable to certain attacks and do not support smart
meter anonymity and perfect forward secrecy. Hence, the pro-
posed scheme is more practical and suitable for smart grid
than other related schemes.
VI. C ONCLUSION
This paper introduced a new secure key distribution scheme
for smart grid environments. The proposed scheme allows
a smart meter to anonymously access services from ser-
vice providers with one private key. The advantage of the
proposed scheme is that a smart meter can be quickly authen-
ticated by responding service providers without involving the
trusted anchor, because two identity-based cryptosystems are
adopted in our scheme. Unlike other existing schemes, the
proposed scheme supports mutual authentication and smart
meter anonymity. We also conduct security analysis to prove
the proposed scheme is secure under random oracle model.
R EFERENCES
[1] The Smart Grid: An Introduction, U.S. Dept. Energy, Washington, DC,
USA, 2008.
[2] National Institute of Standards and Technology Draft, NIST
Standard 1.0 SP 800-52, 2009.
[3] S. Amin, “For the good of the grid,” IEEE Power Energy Mag., vol. 6,
no. 6, pp. 48–59, Nov./Dec. 2008.
[4] P. McDaniel and S. McLaughlin, “Security and privacy challenges
in the smart grid,” IEEE Security Privacy, vol. 7, no. 3, pp. 75–77,
May/Jun. 2009.
[5] X. Wang and P. Yi, “Security framework for wireless communications
in smart distribution grid,” IEEE Trans. Smart Grid, vol. 2, no. 4,
pp. 809–818, 2011.
[6] T. Flick, “Hacking the smart grid,” in Proc. Black Hat, Las Vegas, NV,
USA, 2009, pp. 1–7.
[7] Guidelines for Smart Grid Cyber Security, NIST Standard IR 7628,
Aug. 2010.
[8] H. Khurana, M. Hadley, N. Lu, and D. A. Frincke, “Smart grid security
issues,” IEEE Security Privacy, vol. 8, no. 1, pp. 71–85, Jan./Feb. 2010.
[9] Nat. Inst. Stand. Technol. (Aug. 2010). Guidelines for Smart Grid Cyber
Security: Vol. 3 Supportive Analyses and References. [Online]. Available:
http://csrc.nist.gov/publications/nistir/ir7628/nistir-7628v ol3.pdf
[10] Y. Strengers, “Smart metering demand management programs:
Challenging the comfort and cleanliness habitus of households,” in
Proc. 20th Australasian Conf. Comput.-Human Interact. Design. Habitus
Habitat, vol. 8. Cairns, QLD, Australia, 2010, pp. 41–48.
[11] S. Finster, “Smart meter speed dating, short-term relationships for
improved privacy in smart metering,” in Proc. IEEE Int. Conf. Smart
Grid Commun. (SmartGridComm), Vancouver, BC, Canada, 2013,
pp. 426–431.
[12] J. L. Tsai, N. W. Lo, and T. C. Wu, “Novel anonymous authentication
scheme using smart cards,” IEEE Trans. Ind. Informat., vol. 9, no. 4,
pp. 2004–2013, Nov. 2013.
[13] J. L. Tsai, “An improved cross-layer privacy-preserving authentication
in WAVE-enabled VANETs,” IEEE Commun. Lett., vol. 18, no. 11,
pp. 1931–1934, Nov. 2014.
[14] M. Myers, R. Ankney, A. Malpani, S. Galperin, and C. Adams. (Jun. 1999).
X.509 Internet Public Key Infrastructure Online Certificate Status
Protocol—OCSP. [Online]. Available: http://www.ietf.org/rfc/rfc2560.txt
[15] A. Shamir, “Identity-based cryptosystems and signature schemes,”
in Proc. Adv. Cryptol. (CRYPTO), Santa Barbara, CA, USA, 1984,
pp. 47–53.
[16] N. Koblitz, “Elliptic curve cryptosystems,” Math. Comput., vol. 48,
no. 177, pp. 203–209, 1987.
[17] V. Miller, “Use of elliptic curves in cryptography,” in Proc. Adv.
Cryptol. (CRYPTO), Santa Barbara, CA, USA, 1985, pp. 417–426.
[18] Recommendation for Key Management, Part 1: General, NIST
Standard SP 800-57, 2007.
[19] D. Boneh and M. K. Franklin, “Identity-based encryption from the
Weil pairing,” in Proc. CRYPTO, Santa Barbara, CA, USA, 2001,
pp. 213–229.
[20] D. Wu and C. Zhou, “Fault-tolerant and scalable key management
for smart grid,” IEEE Trans. Smart Grid, vol. 2, no. 2, pp. 371–378,
Jun. 2011.
[21] J. Xia and Y. Wang, “Secure key distribution for the smart grid,” IEEE
Trans. Smart Grid, vol. 3, no. 3, pp. 1437–1443, Aug. 2012.
[22] J. H. Park, M. Kim, and D. Kwon, “Security weakness in the smart grid
key distribution proposed by Xia and Wang,” IEEE Trans. Smart Grid,
vol. 4, no. 3, pp. 1613–1614, Sep. 2013.
[23] Y. Wang. (2005). Efficient Identity-Based and Authenticated Key
Agreement Protocol. [Online]. Available: http://eprint.iacr.org/2005/108
[24] Y. Wang, “Efficient identity-based and authenticated key agreement
protocol,” in Transactions on Computational Science XVI. Berlin,
Germany: Springer-Verlag, 2013, pp. 172–197.
[25] Y. Wang, “Password protected smart card and memory stick authentication
against off-line dictionary attacks,” in Information Security and Privacy
Research. Berlin, Germany: Springer-Verlag, 2012, pp. 489–500.
[26] H. Krawczyk, “HMQV: A high-performance secure Diffie–Hellman pro-
tocol,” in Proc. CRYPTO, Santa Barbara, CA, USA, 2005, pp. 546–566.
[27] R. Sakai and M. Kasahara, “ID based cryptosystems with pairing on
elliptic curve,” Cryptol. ePrint Archive, Report 2003/054, 2003. [Online].
Available: http://eprint.iacr.org/2003/054.pdf
[28] P. S. L. M. Barreto, B. Libert, N. McCullagh, and J. J. Quisquater,
“Efficient and provably-secure identity-based signatures and signcryp-
tion from bilinear maps,” in Advances in Cryptology—ASIACRYPT.
Berlin, Germany: Springer-Verlag, 2005, pp. 515–532.
[29] H. J. Yoon, J. H. Cheon, and Y. D. Kim, “Batch verifications with
ID-based signatures,” in Information Security and Cryptology—ICISC.
Berlin, Germany: Springer-Verlag, 2005, pp. 233–248.
[30] K. A. Shim, “An ID-based aggregate signature scheme with constant pair-
ing computations,” J. Syst. Softw., vol. 83, no. 10, pp. 1873–1880, 2010.
[31] M. Bellare, D. Pointcheval, and P. Rogaway, “Authenticated key
agreement secure against dictionary attacks,” in Proc. Adv.
Cryptol. (EUROCRYPT), Bruges, Belgium, 2000, pp. 139–155.
[32] M. Jakobsson and D. Pointcheval, “Mutual authentication for low-power
mobile devices,” in Proc. Int. Conf. Financ. Cryptography (FC), 2001,
pp. 178–195.
[33] E. Bresson, O. Chevassut, and D. Pointcheval, “Security proofs for
an efficient password-based key exchange,” in Proc. 10th ACM Conf.
Comput. Commun. Security, Washington, DC, USA, 2003, pp. 241–250.
[34] D. Pointcheval and J. Stern, “Security arguments for digital signatures
and blind signatures,” J. Cryptol., vol. 13, no. 3, pp. 361–396, 2000.
[35] P. S. L. M. Barreto, H. Y. Kim, B. Lynn, and M. Scott, “Efficient algo-
rithms for pairing-based cryptosystems,” in Advances in Cryptology—
CRYPTO. Berlin, Germany: Springer-Verlag, 2002, pp. 354–369.
 This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.
TSAI AND LO: SECURE ANONYMOUS KEY DISTRIBUTION SCHEME FOR SMART GRID
Jia-Lun Tsai received the M.S. degree in e-learning
from National Chiao Tung University, Hsinchu,
Taiwan, in 2007, and the Ph.D. degree in infor-
mation management from the National Taiwan
University of Science and Technology (NTUST),
Taipei, Taiwan, in 2013.
He is currently with the Department of
Information Management and the Taiwan
Information Security Center, NTUST. His cur-
rent research interests include cryptography,
wireless security, and network security. He has
authored/co-authored over 20 papers in journals and at conferences.
9
Nai-Wei Lo (S’94–M’99) received the B.S. degree
in engineering science from National Cheng Kung
University, Tainan, Taiwan, in 1988, and the M.S.
and Ph.D. degrees in computer science and electrical
engineering from the State University of New York,
Stony Brook, NY, USA, in 1992 and 1998, respec-
tively.
He is currently an Associate Professor with the
Department of Information Management, National
Taiwan University of Science and Technology,
Taipei, Taiwan. His current research interests include
cryptography, radio-frequency identification applications and security, wireless
network routing and security, Web technology, and fault tolerance.