
Secure and Efficient Mutual Authentication Protocol for Smart Grid under
Blockchain

Article  in  Peer-to-Peer Networking and Applications · September 2021


DOI: 10.1007/s12083-020-01020-2



Peer-to-Peer Networking and Applications
https://doi.org/10.1007/s12083-020-01020-2

Secure and efficient mutual authentication protocol for smart grid under blockchain

Weizheng Wang¹ · Huakun Huang¹,² · Lejun Zhang³ · Chunhua Su¹,⁴

Received: 21 August 2020 / Accepted: 16 October 2020


© Springer Science+Business Media, LLC, part of Springer Nature 2020

Abstract
Smart grid has been acknowledged as the next-generation intelligent network that optimizes energy efficiency. Primarily
through a bidirectional communication channel, suppliers and users can dynamically adjust power transmission in real time.
Nonetheless, many security issues occur with the widespread deployment of smart grid, e.g., centralized register authority
and potential Distributed-Denial-of-Service (DDoS) attack. These existing problems threaten the availability of smart grid.
In this paper, we mainly focus on solving some identity authentication issues that remain in the smart grid. Combined with
blockchain, Elliptic Curve Cryptography (ECC), dynamic Join-and-Exit mechanism and batch verification, a reliable and
efficient authentication protocol is proposed for smart meters and utility centers. Simultaneously, the provable security of
this protocol is assured by the computational hard problem assumptions. Experiment results show that our protocol has
achieved security and performance improvement compared with the other ECC related schemes.

Keywords Smart grid · Authentication · Blockchain · Elliptic Curve Cryptography (ECC) · Security · Privacy

This article belongs to the Topical Collection: Special Issue on Blockchain for Peer-to-Peer Computing
Guest Editors: Keping Yu, Chunming Rong, Yang Cao, and Wenjuan Li

Huakun Huang, huanghuakun13@gmail.com
Chunhua Su, chsu@u-aizu.ac.jp
Weizheng Wang, m5232117@u-aizu.ac.jp
Lejun Zhang, zhanglejun@yzu.edu.cn

¹ School of Computer Science and Engineering, University of Aizu, Aizu-Wakamatsu, Fukushima, Japan
² School of Artificial Intelligence, Guilin University of Electronic Technology, Guilin-City, Guangxi, China
³ College of Information Engineering, Yangzhou University, Jiangsu, China
⁴ Cyberspace Security Research Center, Peng Cheng Laboratory, Shenzhen, 518055 China

1 Introduction

As the Internet of Things (IoT) proliferates [1], a large amount of electricity must be supplied sufficiently at the same time. In the traditional power grid, conventional resources (e.g., gas, oil, coal) are continuously used for power generation. The consumption of fossil energy resources brings many problems, such as unusually high cost, growing carbon dioxide (CO2) emissions and environmental pollution. Thus, renewable energy resources, such as wind energy, solar energy and tidal energy, become significant options to satisfy the increasing requirements of power consumption. Unfortunately, since the traditional power grid is a one-way interaction system, the power plant cannot obtain useful feedback from users to adjust the power supply strategy in time.

Recently, with the advent of the smart grid (SG), these long-standing problems of the electric power industry could be well solved. The intelligent SG can efficiently convert renewable energy and minimize the cost of power generation. A detailed comparison between the traditional power grid and the smart grid can be found in Fig. 1. The interaction in SG is bidirectional and adjustable. In the SG framework, the smart meter (SM) is an essential part. The SM records the electricity consumption data of the user, and the collected data is then transmitted to a utility center (UC). By analyzing the received information, the UC can make a power supply plan and notify power plants for reasonable power production, aiming to balance the electricity consumption during peak and off-peak periods [2].

Fig. 1 Comparison of the organizations of traditional power grid and smart grid

Although the two-way wireless communication channel brings many benefits, such as smart power management and lower power generation costs, the growth in data interaction also gives a potential adversary more opportunity to intrude into this channel. If the medium is hijacked, the messages transmitted between SM and UC could be interrupted, modified or eavesdropped. A widely known intrusion incident occurred in the Ukraine power grid in 2015 [3]. The hackers conducted cyberattacks on three power distributors, resulting in severe power outages. The lives of approximately 225,000 residents were affected for several hours. This catastrophic hack also incurred substantial economic losses in Ukraine. This serious security breach reminds us of the significance of communication security in SG systems.

A series of cryptography-based authentication methods have been proposed for reliable communication in SGs. Due to the lightweight and unbreakable features of Elliptic Curve Cryptography (ECC), ECC authentication methods are widely used among the related plans. ECC is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. Compared with other traditional cryptography, e.g., RSA and DSA, ECC can provide the same security level with a smaller key size (i.e., a 256-bit ECC key is equivalent to a 3,072-bit RSA key) [4]. At the same time, the discrete logarithm problem underlying ECC ensures that a polynomial-time adversary cannot crack this scheme. Although ECC is able to make SG authentication more lightweight and dependable, some security issues remain unsolved in the ECC-based authentication methods. We illustrate the current shortcomings in three points.

Firstly, the crucial register authority (RA) is centralized. If an adversary invades and takes full control of the RA, all the key pairs will be leaked. This adversary can then impersonate any SM or UC to intercept useful messages. The disclosure of SM data is quite dangerous. By analyzing power consumption data, the adversary could even learn the daily life of target users [5].

Secondly, most of the schemes do not consider concurrent authentication on the UC side. They only suggest a single authentication each time. With the speedy expansion of SG, millions of authentications will happen all around the world. Therefore, the UC model must be equipped with the batch verification technique. Otherwise, network delay is unavoidable.

Thirdly, in some schemes [2, 6, 7], neither SM nor UC can join and exit flexibly. Due to abnormal events, an SM may be passively disconnected from the UC. Nevertheless, this UC does not know that the SM is offline and continues to monitor the channel. Another possible case is that, although SM and UC have perceived malicious actions of the RA, neither can quit on its own initiative. Both conditions result in unnecessary energy costs and potential risks.

1.1 Our contributions

To solve the above-mentioned problems, we propose a blockchain-based secure and efficient authentication protocol for SG. At first, participants send their hashed ID and function requests to any RA node. Because the RAs constitute the blockchain, they can promptly deal with requests according to the response rules pre-defined in smart contracts. The smart contract issues a generated public key and a digital signature to the corresponding SG or UC. Subsequently, if the identity of an RA is suspected, SG and UC can switch to another RA to check whether the returned information is right. Finally, the SG and UC conduct mutual authentication. Furthermore, as SG becomes increasingly popular, rapid and large-scale authentication will be the future trend. Thus, the batch authentication technique inspired by the work in [8] is applied on the UC side. When the authentication is passed, the exchanged session key (SK) can secure follow-up communication. In addition, to increase the scalability and dynamism of our protocol, we introduce a novel Join-and-Exit mechanism. Both SM and UC are thereby able to freely participate in or break off the communication.

The major contributions of our study are summarized as follows:

1. We utilize decentralized blockchain technology to alleviate third-party RA problems that have not been well solved until now. Based on the existing authentication schemes for SG, a more lightweight authentication protocol is proposed in this work.
2. We implement the batch verification technique in the mutual authentication, which dramatically improves authentication speed and scale. After verification, the SK is computed for further reliable communications.
3. We thoroughly analyze the security and the performance of our scheme in terms of theory and experiments, respectively. The security of our scheme is assured by computational hard problems. At the same time, the performance of our scheme is greatly improved compared with the other existing ECC authentication schemes.

1.2 Organization of the paper

The rest of this article is organized as follows. Section 2 introduces the development of blockchain, smart contracts and authentication methods of SG. In Section 3, the system architecture and cryptographic primitives of the proposed protocol are presented. In Section 4, we illustrate each phase of our proposed protocol in detail. In Section 5, security analysis proves the reliability of our protocol. In Section 6, a multi-dimensional comparison of related protocols is given. Finally, Section 7 concludes this article and illustrates the future work.

2 Related work

In this section, we first summarize some basic knowledge of blockchain and smart contracts. The recent research related to authentication in SG is then introduced comprehensively.

2.1 Blockchain and smart contract

The initial conception of blockchain was proposed by Satoshi Nakamoto in his famous paper “Bitcoin: A peer-to-peer electronic cash system” [9]. Blockchain is a decentralized and distributed ledger made up of a time-stamped series of immutable records of data. No single entity can fully control the whole blockchain; instead, a cluster of distributed computers manages the generated data in the form of blocks. Furthermore, to strengthen blockchain security, cryptographic hash values link each block [10].

Another significant point is that there are two common categories of blockchain: permissioned blockchains and permissionless blockchains. The permissioned blockchain is built to allow an organization or a consortium of organizations to efficiently exchange information and record transactions. Because there are no incentives to motivate members to join and perform mining, typical crash fault-tolerant (CFT) or byzantine fault-tolerant (BFT) consensus protocols are often adopted. On the contrary, the incentive is the only impulse for every participant to maintain the permissionless blockchain. Therefore, the consensus mechanisms are always competitive schemes, such as PoW (Proof of Work), PoS (Proof of Stake) and PoA (Proof of Activity). No matter which one is selected, the consensus should guide all the nodes in the network to be as honest as possible [11–13].

Besides, blockchain as a distributed computing platform also enables users to execute self-defined programs, which are called smart contracts, for next-generation decentralized applications without a trusted third party [14]. The smart contract code is stored on the blockchain and executes automatically once transactions invoke predefined functions. The mainstream programming languages of smart contracts are Solidity and Serpent.

2.2 Authentication methods in SG

In order to solve the secure identity authentication problems in SG, countless authentication schemes have been submitted. For example, Tsai et al. [5] proposed

a secure anonymous key distribution scheme for smart grid. The SM and service provider utilized identity-based encryption to authenticate each other. After successful verification, an SK is generated for further communication. Although this scheme seems reliable and efficient, Odelu et al. [15] noticed that Tsai et al.’s method [5] cannot ensure the privacy of SM secret credentials and SK-security under the Canetti-Krawczyk adversary (CK-adversary) model [16]. Therefore, Odelu et al. [15] proposed an improved authentication scheme for the SG using an ECC-based ElGamal type signature technique. Odelu et al.’s method [15] has successfully solved the potential privacy breach that remained in Tsai et al.’s scheme [5]. Nevertheless, the bilinear pairing operation adopted in Odelu et al.’s scheme [15] adds some computation cost to the communication process.

When it comes to multifactor authentication, there are likewise several classical schemes. For example, Chan et al. [17] proposed a two-factor cyber-physical device authentication framework for SG. They incorporated the conventional authentication factor into the contextual factor, effectively defending against cyber-physical attacks in the SG environment. Closely following, Wazid et al. [18] suggested a secure three-factor (i.e., user’s mobile device, user’s password and biometrics) user authentication scheme for SG. The three factors combine fingerprint identification with password authentication, which brings high-level security assurance for SG infrastructure. Li et al. [19] also focus on the potential cyber-physical threats. They proposed a provably anonymous and secure message authentication scheme for SG. Unfortunately, Wu et al. [20] pointed out that Li et al.’s scheme [19] fails to prevent DDoS attacks and to provide reliable mutual authentication. Although multifactor authentication can bring stronger security assurance, the communication process is sophisticated.

Concerning this point, an increasing number of researchers turn to implementing their SG authentication protocols on lightweight ECC without bilinear pairing. For example, He et al. [6] presented a new key distribution and authentication protocol, which is completely dependent on ECC. Kumar et al. [21] suggested a novel ECC-based authentication protocol for protecting demand response in SG architecture. When the identities of the two parties are confirmed, the SG and UC can utilize the SK agreement for secure transmission. Garg et al. [4] designed another mutual authentication-based key agreement protocol, which leverages the hashed Menezes-Qu-Vanstone key exchange mechanism and ECC along with one-way hash functions. However, the interaction process of the aforementioned schemes is relatively complicated and needs at least two rounds.

The schemes mentioned above have well addressed most of the key distribution and authentication issues, but the centralized SG architecture is still an open problem. Most recently, Wang et al. [22] proposed a blockchain-based anonymous authentication with crucial management for SG. They take the initiative in combining SG authentication with blockchain, but we notice that the RA in their protocol is centralized. The half-decentralized scheme still cannot mitigate some potential attacks or a single point of failure. Thus, in this paper, we attempt to construct a fully decentralized blockchain-based SG authentication. Untrusted RAs are connected to build up a blockchain. Furthermore, the transaction from SG and UC with issued key pairs can trigger a smart contract to process function requests and record critical data automatically. Besides, two novel strategies support batch verification and dynamic participation.

3 Preliminaries

In this section, we first summarize the notations in Table 1. Then the system model is illustrated in Fig. 2. Two computational hard assumptions for the security proof are also introduced. Finally, the details of the Schnorr signature scheme are presented.

Table 1 Notations

| Notation | Description |
|---|---|
| $\mathbb{G}$ | A general cyclic group |
| $E(F_p)$ | An elliptic curve ($y^2 = x^3 + a \cdot x + b \bmod p$) |
| $G$ | A generator of $F_p$ with the order $q$ |
| $P_{pub}$ | The system master public key |
| $k$ | The system master private key |
| $h_1, h_2$ | Cryptographic hash functions |
| $HID_{SM_i}$, $HID_{UC_j}$ | Hashed ID of $SM_i$, $UC_j$ |
| $IP_{SM_i}$ | IP address of $SM_i$ |
| $Sig_{SM_i}$, $Sig_{UC_j}$ | Signature of $SM_i$, $UC_j$ |
| $\Delta t$ | Acceptable temporal threshold |

3.1 System model

1. $SM_i$ represents the $i$th smart meter in the smart grid, which first registers with the RA. After the correctness of the keys issued by the RA is verified, $SM_i$ uses them to pass $UC_j$’s authentication. Finally, $SM_i$ can utilize the exchanged SK to interact with $UC_j$ for further communication.
2. $UC_j$ represents the $j$th utility center in the smart grid, which also needs to register with the RA. Once the issued keys are confirmed, $UC_j$ proves its identity to $SM_i$ by

Fig. 2 System model

using the related data. At last, $UC_j$ can employ the SK to communicate with $SM_i$.
3. $RA_k$ represents the $k$th register authority in the smart grid, which relays the function requests of $SM_i$ and $UC_j$ to the smart contract. Once the access is permitted, $RA_k$ returns the corresponding public key and signature to the registrant. If $RA_k$ is suspected to be a malicious node, $SM_i$ and $UC_j$ can switch to another $RA_k$ for validation again.
4. SC represents the smart contract in this protocol. SC processes the requests from $RA_k$ and issues the public key and signature of $SM_i$ and $UC_j$. The initialized data of this system is also stored in the SC. Only an authorized user can retrieve private data. However, the signature verification function is public to anyone.
5. BC represents the blockchain in this protocol, which is maintained by $RA_k$.

3.2 Computational hard assumptions

In our protocol, we use two computational hard assumptions for scheme construction. The detailed definitions are presented as follows.

Elliptic Curve Discrete Logarithm (ECDL) assumption: Given an element $X \in \mathbb{G}$, it is not possible for any probabilistic polynomial time (P.P.T) adversary $\mathcal{A}$ to figure out $x$ such that $X = x \cdot G$, where $x \in \mathbb{Z}_p^*$.

Elliptic Curve Computational Diffie-Hellman (ECCDH) assumption: Given two elements $X = x \cdot G$, $Y = y \cdot G$, where $X, Y \in \mathbb{G}$, it is not possible for any probabilistic polynomial time (P.P.T) adversary $\mathcal{A}$ to figure out $x \cdot y \cdot G$.

3.3 Schnorr signature scheme

The Schnorr signature is considered the simplest digital signature that remains provably secure in the random oracle model. The detailed steps of this algorithm are illustrated as follows (suppose we have two users, Alice (sender) and Bob (receiver)):

3.3.1 Signature generation

1. Alice generates a nonce $r$ (an arbitrary number used only once in a cryptographic communication).
2. Alice obtains a public key $R$ by multiplying $r$ and $G$, where $R = r \cdot G$.

3. Alice sends message $m$, $R$ and her public key $P = k \cdot G$ to Bob, where $k$ is the private key selected by Alice.

3.3.2 Signature verification

1. Alice and Bob generate a common challenge $e$ by hashing the combination of the above transmitted data, where $e = H(R \| P \| m)$.
2. Then Alice figures out the signature $s = r + k \cdot e$.
3. Since Bob does not know the values of $r$ and $k$, he can only obtain $(r + k \cdot e) \cdot G = r \cdot G + (k \cdot G) \cdot e = R + P \cdot e$.
4. Finally, Bob sends the result of $R + P \cdot e$ to Alice for verification, which is $s \cdot G \stackrel{?}{=} R + P \cdot e$.

Our proposed authentication method is based on the algorithm mentioned above, but there are some modifications in our proposed scheme that readers should pay attention to.

4 Proposed protocol

4.1 Smart contract deployment process

In this process, the system parameters are incorporated into the smart contract. Apart from the initiator of the smart contract, no one can know the real values of the system. Afterward, the users can invoke functions pre-defined in the smart contract to query data. The comprehensive steps are presented as follows.

1. System Parameters Initialization: The initiator selects an elliptic curve $E(F_p)$ whose prime order is $p$ and whose generator is $G$. $E(F_p)$ is defined on the finite field $F_p$. Then the initiator chooses a random number $k \in \mathbb{Z}_p^*$ as the master private key; the corresponding master public key is $P_{pub} = k \cdot G$. Finally, two secure hash functions are picked by the initiator: $h_1 : \{0, 1\}^* \rightarrow \{0, 1\}^{2\kappa}$, where $\kappa = \log_2 q$ is the security parameter, and $h_2 : \{0, 1\}^* \times \mathbb{G} \rightarrow \mathbb{Z}_p^*$.
2. BC Initialization: There are two options available to the initiator. The hard one is to customize a blockchain, which requires the initiator to create a genesis file including the system parameters and the consensus mechanism, for example, Proof of Work (PoW), Proof of Stake (PoS), Delegated Proof-of-Stake (DPoS) or Proof-of-Authority (PoA). Otherwise, for simplicity, the initiator can utilize a mature blockchain technology (e.g., Ethereum, EOS or Hyperledger Fabric) to deploy smart contracts.
3. Smart Contract Deployment: In our proposal, there are four types of interaction requirements between RA and $SM_i$, $UC_j$. The first requirement is the parameters query for participants. The second requirement is user registration. The third requirement is signature verification. The last requirement is user logout.

The Initialization function is presented comprehensively in Algorithm 1.

4.2 SM/UC registration process

In this process, $SM_i$ and $UC_j$ register their hashed identities with $RA_k$. Then $RA_k$ issues the necessary communication keys to $SM_i$ and $UC_j$. The detailed process is described in the following.

1. $SM_i$ sends $HID_{SM_i} = h_1(ID_{SM_i})$ to $RA_k$ through a secure channel.
2. $RA_k$ first invokes the Registration function defined in the smart contract to register the state of $SM_i$. If a record of $SM_i$ exists in the blockchain, this request will be declined. Subsequently, $RA_k$ checks whether the local database has a record of $IP_{SM_i}$. If the record does not exist, RA writes $IP_{SM_i}$ and the current timestamp $t_{IP}$ into the database. Otherwise, $RA_k$ needs to compare the timestamp $t_{IP}'$ of the received $IP_{SM_i}$ with the related data in the local database. Once $t_{IP}' - t_{IP} \le \Delta t$, the current request is prohibited.
3. $RA_k$ invokes the Registration function. At first, the Registration function checks whether a record of $SM_i$ exists in the blockchain. If the data exists, this request

will be declined. Then this function selects a random number $r_{SM_i} \in \mathbb{Z}_q^*$ and computes $R_{SM_i} = r_{SM_i} \cdot G$, $e_{SM_i} = h_1(P_{pub} \| R_{SM_i} \| HID_{SM_i})$. The signature of $SM_i$, $Sig_{SM_i} = k + r_{SM_i} \cdot e_{SM_i}$, is generated by using Schnorr’s signature scheme. Finally, $Sig_{SM_i}$ and $R_{SM_i}$ are retrieved by $SM_i$ through the same $RA_k$ again.
4. If $SM_i$ or $UC_j$ observes abnormal activity of $RA_k$, it can change the connection to another $RA_k$ at any time.
5. Before formal authentication, $SM_i$ verifies the validity of its own signature: $Sig_{SM_i} \cdot G \stackrel{?}{=} P_{pub} + e_{SM_i} \cdot R_{SM_i}$.
6. The registration process of $UC_j$ is similar to that of $SM_i$. Therefore, the steps are omitted here.

Correctness: If the above parameters are not tampered with by $\mathcal{A}$, we can obtain the following equation:

$$\begin{aligned}
Sig_{SM_i} \cdot G &= (k + r_{SM_i} \cdot e_{SM_i}) \cdot G \\
&= k \cdot G + r_{SM_i} \cdot e_{SM_i} \cdot G \\
&= P_{pub} + e_{SM_i} \cdot R_{SM_i}. \qquad (1)
\end{aligned}$$

The details of the Register function can be found in Algorithm 2.

4.3 Collaborative authentication process

In this process, $SM_i$ and $UC_j$ conduct mutual authentication.

1. $SM_i$ first selects a random number $a \in \mathbb{Z}_p^*$ and computes $A = a \cdot G$, $V_1 = Sig_{SM_i} \cdot a$. Afterward, $SM_i$ sends $\{R_{SM_i}, A, t_1, HID_{SM_i}, V_1\}$ to $UC_j$, where $t_1$ is the current timestamp.
2. When the current timestamp $t_1'$ is fresh ($t_1' - t_1 \le \Delta t$), $UC_j$ invokes the SignatureVerify function to check the correctness of the received signature. Only if $Sig_{SM_i}$ is admitted by SC, SM begins to verify $V_1 \cdot G^2 \stackrel{?}{=} A \cdot (h_1(P_{pub} \| R_{SM_i} \| HID_{SM_i}) \cdot R_{SM_i} + P_{pub})$. If this equation does not hold, $UC_j$ terminates the authentication. Otherwise, $UC_j$ chooses a random number $b \in \mathbb{Z}_p^*$, then computes $B = b \cdot G$, $SK_{UC_j} = h_2(A \| B) \oplus Sig_{SM_i}$ and $V_2 = Sig_{UC_j} \cdot A \cdot B \oplus Sig_{SM_i}$. At last, $UC_j$ transmits $\{B, SK_{UC_j}, V_2, t_2\}$ to $SM_i$, where $t_2$ is the current timestamp.
3. Before $SM_i$ proves $V_1$, it needs to check ($t_2' - t_2 \le \Delta t$), where $t_2'$ is the current timestamp. If the time has not expired, just as in the aforementioned steps, the correctness of $Sig_{UC_j}$ should be identified by invoking the SignatureVerify function. Subsequently, $SM_i$ verifies $V_2 \stackrel{?}{=} a \cdot B \cdot (P_{pub} + h_1(P_{pub} \| R_{UC_j} \| HID_{UC_j}) \cdot R_{SM_i}) \oplus Sig_{SM_i}$. If verification is successful, $SM_i$ checks $SK_{UC_j} \oplus Sig_{SM_i} \stackrel{?}{=} h_2(A \| B)$. If session key agreement is achieved, $SK_{SM_i} = h_2(A \| B) \oplus Sig_{SM_i}$ and $SK_{UC_j}$ are marked as the further communication keys for $SM_i$ and $UC_j$, respectively.

Correctness: From the above equations, we can verify:

$$\begin{aligned}
V_1 \cdot G^2 &= A \cdot (h_1(P_{pub} \| R_{SM_i} \| HID_{SM_i}) \cdot R_{SM_i} + P_{pub}) \\
&= A \cdot (e_{SM_i} \cdot R_{SM_i} + P_{pub}) \\
&= a \cdot G \cdot (e_{SM_i} \cdot R_{SM_i} + P_{pub}) \\
&= a \cdot (e_{SM_i} \cdot r_{SM_i} + k) \cdot G^2 \\
&= Sig_{SM_i} \cdot a \cdot G^2. \qquad (2)
\end{aligned}$$

$$\begin{aligned}
V_2 &= a \cdot B \cdot (P_{pub} + h_1(P_{pub} \| R_{UC_j} \| HID_{UC_j}) \cdot R_{UC_j}) \oplus Sig_{SM_j} \\
&= a \cdot b \cdot G \cdot (P_{pub} + h_1(P_{pub} \| R_{UC_j} \| HID_{UC_j}) \cdot R_{UC_j}) \oplus Sig_{SM_j} \\
&= A \cdot b \cdot (P_{pub} + e_{UC_j} \cdot R_{UC_j}) \oplus Sig_{SM_j} \\
&= A \cdot b \cdot G \cdot (e_{UC_j} \cdot r_{UC_j} + k) \oplus Sig_{SM_j} \\
&= A \cdot B \cdot Sig_{UC_j} \oplus Sig_{SM_j}. \qquad (3)
\end{aligned}$$

The mechanism of the DataRetrieve function and the SignatureVerify function can be found in Algorithm 3 and Algorithm 4.

4.4 Dynamic join-and-exit mechanism

To increase the flexibility of our protocol, we introduce the Join-and-Exit Mechanism. The whole process is coordinated by the smart contract.

Join: If a new $SG_i$ or $UC_j$ wants to participate in our protocol, it can simply invoke the Join function defined in the smart contract. After identity verification, the new participant is authorized immediately. The detailed steps are given in the above-mentioned subsection 4.2 SM/UC Registration Process.

Exit: If an existing $SG_i$ or $UC_j$ requests to quit the protocol, then, as in the join process, it needs to construct a transaction to trigger the smart contract’s Exit function. All the related data in the blockchain will be removed soon.

The Dynamic Join-and-Exit Mechanism can be found in Algorithm 5 and Algorithm 6.

4.5 Batch verification

To meet the need for speedy batch verification, we use the small exponent test technology [8] to ensure the validity of signatures. A cluster of $SM_i$ send multiple messages $\{R_{SM_1}, A, t_{11}, HID_{SM_1}, V_1\}$, $\{R_{SM_2}, A, t_{12}, HID_{SM_2}, V_2\}$, ..., $\{R_{SM_n}, A, t_{1n}, HID_{SM_n}, V_n\}$ to $UC_j$, then $UC_j$ uses $\{A, P_{pub}, R_{SM_i}, HID_{SM_i}, R_{SM_i}, P_{pub}, G, h_1\}$ to verify the correctness of those messages in the following steps.

1. At first, $UC_j$ checks the freshness of $t_{1n}$, where $i = 1, 2, ..., n$. If any timestamp is not fresh, $UC_j$ rejects the message.
2. $UC_j$ selects a vector $v = [v_1, v_2, ..., v_n]$, where $v_1$ is a small random integer in $[1, 2^t]$ and $t$ is a small integer with low computation overhead. Finally, $UC_j$ checks whether the formula $\sum_{i=1}^{n} V_1 \cdot G^2 = \sum_{i=1}^{n} V_1 \cdot A \cdot e_{SM_i} \cdot R_{SM_i} + \sum_{i=1}^{n} P_{pub} \cdot G$ holds. If the equation holds, $UC_j$ passes these authentication requests. Otherwise, these visits are declined.
3. During batch verification, to prevent forgery attacks, $UC_j$ randomly chooses a few of the signatures to verify by calling the DataRetrieve function defined in the smart contract.

Correctness: From the above equations, we can verify:

$$\begin{aligned}
\sum_{i=1}^{n} V_1 \cdot G^2 &= \sum_{i=1}^{n} V_1 \cdot a \cdot (e_{SM_i} \cdot R_{SM_i} + P_{pub}) \cdot G \\
&= \sum_{i=1}^{n} V_1 \cdot a \cdot e_{SM_i} \cdot R_{SM_i} + \sum_{i=1}^{n} P_{pub} \cdot G \\
&= \sum_{i=1}^{n} V_1 \cdot A \cdot e_{SM_i} \cdot R_{SM_i} + \sum_{i=1}^{n} P_{pub} \cdot G. \qquad (4)
\end{aligned}$$
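The registration check of Eq. 1 and the small-exponent test of Section 4.5 can be exercised end to end. The Python below is an added example, not code from the paper: it assumes secp256k1 and SHA-256 (the paper fixes neither a curve nor the hash functions), uses constructed device IDs, and applies the random weights $v_i$ to the Eq. 1 check $Sig \cdot G = P_{pub} + e \cdot R$ rather than to Eq. 4.

```python
import hashlib
import secrets

# Assumption: secp256k1 domain parameters; the paper does not name a curve.
P = 2**256 - 2**32 - 977                      # field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # order of G
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def add(p1, p2):
    """Add two affine points; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def mul(k, pt):
    """Double-and-add k*pt. Not constant-time: fine for a demo, not for real keys."""
    acc, k = None, k % N
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def h1(p_pub, r_pt, hid):
    """e = h1(P_pub || R || HID) as a scalar; SHA-256 stands in for the paper's h1."""
    data = b"".join(c.to_bytes(32, "big") for c in (*p_pub, *r_pt)) + hid
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def register(k, p_pub, device_id):
    """Registration step 3: issue (HID, R, Sig) with Sig = k + r*e mod N."""
    hid = hashlib.sha256(device_id).digest()
    r = secrets.randbelow(N - 1) + 1
    r_pt = mul(r, G)
    return hid, r_pt, (k + r * h1(p_pub, r_pt, hid)) % N


def verify(p_pub, hid, r_pt, sig):
    """Registration step 5 (Eq. 1): accept iff Sig*G == P_pub + e*R."""
    return mul(sig, G) == add(p_pub, mul(h1(p_pub, r_pt, hid), r_pt))


def batch_verify(p_pub, creds, bits=32):
    """Small-exponent test over Eq. 1 with random weights v_i in [1, 2^bits]:
    (sum v_i*Sig_i)*G == (sum v_i)*P_pub + sum (v_i*e_i)*R_i.
    bits=0 forces every v_i to 1, i.e. an unweighted sum."""
    s_sum, v_sum, rhs = 0, 0, None
    for hid, r_pt, sig in creds:
        v = secrets.randbelow(2**bits) + 1
        s_sum = (s_sum + v * sig) % N
        v_sum += v
        rhs = add(rhs, mul(v * h1(p_pub, r_pt, hid), r_pt))
    return mul(s_sum, G) == add(rhs, mul(v_sum, p_pub))


def demo():
    k = secrets.randbelow(N - 1) + 1           # master private key
    p_pub = mul(k, G)                          # master public key P_pub = k*G
    # Constructed device IDs, for illustration only.
    creds = [register(k, p_pub, b"meter-%d" % i) for i in range(3)]
    # Two tampered signatures whose errors (+5, -5) cancel in an unweighted sum.
    c0, c1, c2 = creds
    bad = [(c0[0], c0[1], (c0[2] + 5) % N), (c1[0], c1[1], (c1[2] - 5) % N), c2]
    return {
        "single": [verify(p_pub, *c) for c in creds],
        "batch": batch_verify(p_pub, creds),
        "bad_single": [verify(p_pub, *c) for c in bad],
        "bad_unweighted": batch_verify(p_pub, bad, bits=0),
        "bad_weighted": batch_verify(p_pub, bad),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The unweighted sum accepts the tampered batch even though two of its signatures fail the individual check, while the weighted test rejects it; this is why the verifier must draw the weights $v_i$ at random after the messages arrive.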
5 Security analysis

In this section, we list several common security requirements for smart grid authentication. Based on the most recent research [23–27], we illustrate in detail how our proposed protocol satisfies the mentioned requirements.

– Decentralization: To prevent any party from taking full control of SG, we construct a decentralized authentication protocol with the aid of blockchain. According to the well-known 51% attack in the blockchain, if $\mathcal{A}$ tries to manipulate the system, he is required to seize computation power $\frac{H_{\mathcal{A}}}{H_t} \ge 51\%$, where $H_{\mathcal{A}}$ and $H_t$ denote $\mathcal{A}$’s computation power and the total computation power, respectively. Due to consensus mechanisms such as PoW and PoS in blockchain, it is extremely difficult for an adversary to own such enormous computation power to break our protocol.

– Mutual authentication: Firstly, for $SM_i$-to-$UC_j$ authentication, suppose that $\mathcal{A}$ can forge a valid authentication message $\{R_{SM_i}, A, t_1, HID_{SM_i}, V_1\}$. According to the forking lemma [28], adversary $\mathcal{A}$ runs the oracle model with the same input randomness again. The model returns different hash oracle answers. Subsequently, the corrupted $SM_i$ counterfeits $\{R_{SM_i}', A', t_1, HID_{SM_i}', V_1'\}$ to pass $UC_j$’s verification, i.e., $V_1' \cdot G^2 = A' \cdot (h_1(P_{pub} \| R_{SM_i}' \| HID_{SM_i}') \cdot R_{SM_i}' + P_{pub})$. Thus, we obtain the following:

$$\begin{aligned}
(V_1 - V_1') \cdot G &= a \cdot (e_{SM_i} \cdot R_{SM_i} + P_{pub}) - a' \cdot (e_{SM_i}' \cdot R_{SM_i}' + P_{pub}) \\
&= a \cdot e_{SM_i} \cdot R_{SM_i} + a \cdot P_{pub} - a' \cdot e_{SM_i}' \cdot R_{SM_i}' - a' \cdot P_{pub} \\
&= a \cdot e_{SM_i} \cdot R_{SM_i} - a' \cdot e_{SM_i}' \cdot R_{SM_i}' + P_{pub}(a - a'). \qquad (5)
\end{aligned}$$

Transforming Eq. 5, we can obtain

$$\begin{aligned}
(a - a') \cdot P_{pub} &= (V_1 - V_1') \cdot G + a' \cdot e_{SM_i}' \cdot R_{SM_i}' - a \cdot e_{SM_i} \cdot R_{SM_i} \\
&= ((V_1 - V_1') + a' \cdot e_{SM_i}' \cdot r_{SM_i}' - a \cdot e_{SM_i} \cdot r_{SM_i}) \cdot G. \qquad (6)
\end{aligned}$$

Moving $(a - a')$ to the right side of the equation, we get

$$P_{pub} = \frac{(V_1 - V_1') + a' \cdot e_{SM_i}' \cdot r_{SM_i}' - a \cdot e_{SM_i} \cdot r_{SM_i}}{a - a'} \cdot G. \qquad (7)$$

The value $\frac{(V_1 - V_1') + a' \cdot e_{SM_i}' \cdot r_{SM_i}' - a \cdot e_{SM_i} \cdot r_{SM_i}}{a - a'}$ is the answer to the instance. This situation violates the Elliptic Curve Discrete Logarithm (ECDL) Assumption we have defined before, hence it is not possible for any probabilistic polynomial time (P.P.T) adversary $\mathcal{A}$ to break this authentication. Similar steps apply for $SM_i$-to-$UC_j$ authentication. If $\mathcal{A}$ exists in the interaction process, we can find that the following equation holds.

$$\begin{aligned}
(V_2 - V_2') &= A \cdot b \cdot G \cdot (e_{UC_j} \cdot r_{UC_j} + k) \oplus Sig_{SM_j} - A \cdot b' \cdot G \cdot (e_{UC_j}' \cdot r_{UC_j}' + k) \oplus Sig_{SM_j} \\
&= (A \cdot b \cdot G \cdot e_{UC_j} \cdot r_{UC_j} - A \cdot b' \cdot G \cdot e_{UC_j}' \cdot r_{UC_j}' + A \cdot b \cdot G \cdot k - A \cdot b' \cdot G \cdot k) \oplus Sig_{SM_j} \\
&= (A \cdot B \cdot e_{UC_j} \cdot r_{UC_j} - A \cdot B' \cdot e_{UC_j}' \cdot r_{UC_j}' + A \cdot B \cdot G \cdot k - A \cdot B' \cdot G \cdot k) \oplus Sig_{SM_j} \\
&= A \cdot (B \cdot e_{UC_j} \cdot r_{UC_j} - B' \cdot e_{UC_j}' \cdot r_{UC_j}') + A \cdot k \cdot G \cdot (B - B') \oplus Sig_{SM_j}. \qquad (8)
\end{aligned}$$

Transforming Eq. 8, we can obtain

$$a \cdot k \cdot G = \frac{(V_2 - V_2') \oplus Sig_{SM_j} - A \cdot (B \cdot e_{UC_j} \cdot r_{UC_j} - B' \cdot e_{UC_j}' \cdot r_{UC_j}')}{(B - B') \cdot G}. \qquad (9)$$

It is obvious that this equation breaches the Elliptic Curve Computational Diffie-Hellman (ECCDH) Assumption. In conclusion, there are no potential attackers in the mutual authentication process.

– SK agreement: Owing to the successful mutual authentication, there are no potential adversaries who can impersonate either side. Thus, only the real $SM_i$ and $UC_j$ can get the fair results computed by Diffie-Hellman key exchange, $SK_{UC_j, SM_i} = h_2(A \| B) \oplus Sig_{SM_i}$.

– Fully anonymity: All the IDs of $SM_i$ and $UC_j$ are hashed, $HID_{SM_i/UC_j} = h_1(ID_{SM_i/UC_j})$. Besides, throughout the whole process, the computation reveals nothing about the real identity.

– Perfect forward secrecy: The exchanged $A$, $B$ is a one-time secret key, which gives assurances for previously transmitted messages. The SK will not be compromised even if the private keys of the SM and UC are compromised.

– DDoS Attack (Malicious Registration): Every $RA_k$ maintains a database of the IP and access time of the visitors. As soon as a DDoS attack happens, $RA_k$ can decline the malicious request at the first opportunity. Furthermore, whenever the registration function is invoked by any $RA_k$, the smart contract modifier function will check whether the same address exists
in the smart contract. A double defense strategy prevents the occurrence of DDoS attacks and malicious registration.
– Replay attack: According to the specification of the collaborative authentication phase, both sides will check the freshness of the message in every information exchange ($t_2' - t_2 \le \Delta t$). We can conclude that our BlockSLAP scheme can resist the replay attack.

6 Performance evaluation

In this section, we compare performance of our scheme with Tsai et al. [5], Odelu et al. [15], He et al. [6] from multi-perspective analysis.

6.1 Security and functionality performance comparison

In Table 2, we choose some common features to compare our proposed protocol with the related protocols Tsai et al. [5], Odelu et al. [15], He et al. [6]. The basic security needs such as Mutual Authentication, SK Communication, Anonymity, Forward Secrecy, and Replay Mitigation are met by most protocols, other than He et al. [6]. Most of the aforementioned researches overlooked the necessity of privacy protection: both SG and UC use the original ID for communication directly. This action could leak the user information indeliberately in the future. Subsequently, the Impersonation Attack Resistance and MITM Attack Defence are not supported by Tsai et al. [5], Odelu et al. [15]. Although Tsai et al. [5] and Odelu et al. [15] imported some advanced cryptographic and computational hard assumptions to construct feasible schemes, a malicious actor can still insert himself as a relay/proxy into a communication session between people or systems. Except for our protocol, all remaining protocols cannot provide the services of DDoS prevention, RA decentralization, Batch verification, and Dynamic Join-and-Exit. Our protocol includes nearly all the potential security and function demands from the user side. Thus, combined with multiple state-of-the-art techniques (e.g., blockchain, ECC, Schnorr Signature), a more secure and efficient mutual authentication protocol is proposed for SG.

Table 2 Security and functionality system features comparison

Metrics                           Ours   Tsai et al. [5]   Odelu et al. [15]   He et al. [6]
Mutual authentication             ✓      ✓                 ✓                   ✓
SK communication                  ✓      ✓                 ✓                   ✓
Anonymity                         ✓      ✓                 ✓                   ×
Forward secrecy                   ✓      ✓                 ✓                   ✓
Replay mitigation                 ✓      ✓                 ✓                   ✓
Impersonation attack resistance   ✓      ×                 ×                   ✓
MITM attack defence               ✓      ×                 ×                   ✓
DDoS prevention                   ✓      ×                 ×                   ×
RA decentralization               ✓      ×                 ×                   ×
Batch verification                ✓      ×                 ×                   ×
Dynamic join-and-exit             ✓      ×                 ×                   ×

✓: the protocol supports this feature. ×: the protocol does not support this feature

6.2 Computation overhead

In Jia et al.'s scheme [29], the mobile device is simulated on a Google Nexus One smart phone with 2 GHz ARM

CPU armeabi-v7a, 300 MiB RAM, and Android 4.4. The computation of current smart grid is close to this type of mobile device. Therefore, when evaluating the computation overhead of different plans, we refer to some cryptographic operations' time measured by Jia et al. [29]. Since most of the cost is produced during the authentication period, we omit the costs in the registration period. Table 3 shows that the computation overhead of Tsai et al. [5] and Odelu et al. [15] requires 7Tm + 2Te + 10Th + 2Tb + 2Ta and 5Tm + 2Te + 12Th + 2Tb + 6Ta in total, respectively. The heavy bilinear pairing operations used in their scheme are the primary cause. From Fig. 3, we can see that the execution time for Tsai et al. [5] and Odelu et al. [15] are 244.5 ms and 205.3 ms. Because He et al. [6] replaces bilinear pairing with ECC, the overall computation cost of their method is reduced to 10Tm + 11Th + 3Ta (200.5 ms). However, He et al.'s scheme [6] still cannot solve the centralized RA problems and requires two rounds of interaction. In our proposed protocol, not only is the interaction simplified to one round, but we also construct a RA-based decentralized authentication protocol. The experiment result also proves our proposed protocol is the most lightweight among all mentioned schemes: the computation cost is only 10Tm + 4Th + 2Ta (200.5 ms). The comprehensive system parameters are presented in Table 4.

Table 3 Computation overhead comparisons

Reference           SM                       UC                             Total computation cost
Tsai et al. [5]     4Tm + Te + 5Th + Ta      3Tm + Te + 5Th + 2Tb + Ta      7Tm + 2Te + 10Th + 2Tb + 2Ta
Odelu et al. [15]   3Tm + Te + 6Th + 3Ta     2Tm + Te + 6Th + 2Tb + 3Ta     5Tm + 2Te + 12Th + 2Tb + 6Ta
He et al. [6]       4Tm + 5Th + Ta           6Tm + 6Th + 2Ta                10Tm + 11Th + 3Ta
Our proposed        4Tm + 2Th + Ta           6Tm + 2Th + Ta                 10Tm + 4Th + 2Ta

Tm: ECC point multiplication; Te: exponentiation operation; Th: one-way hash function; Tb: bilinear pairing; Ta: group addition

Fig. 3 Comparative computation cost for authentication

Table 4 Execution time of different cryptographic operations

Operation   Tm          Te         Th         Tb          Ta
Time cost   19.919 ms   3.328 ms   0.089 ms   48.660 ms   0.118 ms

7 Conclusion and future work

In this paper, we have proposed a secure and efficient mutual authentication protocol for SG. With the aid of cutting-edge blockchain technology, the long-term centralized register authority problem has been well addressed. Then, to further meet security and speed requirements, batch verification and dynamic Join-and-Exit mechanisms are imported for SM authentication. Also, interaction rounds between SM and UC have been reduced to one round. The practical security of our protocol is testified comprehensively by in-depth analysis. Finally, comparative experiments based on real data have demonstrated the high performance of our proposed scheme. In future work, to strengthen the security in communication processes, we will attempt to further exploit cryptographic primitives of secure multi-party computation in our scheme.

Acknowledgements This work is partly supported by JSPS Kiban(B) 18H03240, JSPS Kiban(C) 18K11298, Natural Science Foundation of Heilongjiang Province of China under Grant No. LC2016024, Natural Science Foundation of the Jiangsu Higher Education Institutions under Grant No. 17KJB520044 and Six Talent Peaks Project in Jiangsu Province No.XYDXX-108, and the National Natural Science Foundation of China under Grant 62001126.

Compliance with Ethical Standards

Conflict of interest The authors declare that they have no conflict of interest.

References

1. Huang H, Ding S, Zhao L, Huang H, Chen L, Gao H, Ahmed SH (2020) Real-time fault detection for iiot facilities using gbrbm-based dnn. IEEE Internet Things J 7(7):5713–5722
2. Guan Z, Zhang Y, Zhu L, Wu L, Yu S (2019) Effect: an efficient flexible privacy-preserving data aggregation scheme with authentication in smart grid. Sci China Inf Sci 62(3):32103
3. Defense Use Case (2016) Analysis of the cyber attack on the Ukrainian power grid
4. Garg S, Kaur K, Kaddoum G, Rodrigues JJPC, Guizani M (2019) Secure and lightweight authentication scheme for smart metering infrastructure in smart grid. IEEE Trans Ind Inf 16(5):3548–3557. IEEE
5. Tsai J-L, Lo N-W (2015) Secure anonymous key distribution scheme for smart grid. IEEE Trans Smart Grid 7(2):906–914
6. He D, Wang H, Khan MK, Wang L (2016) Lightweight anonymous key distribution scheme for smart grid using elliptic curve cryptography. IET Commun 10(14):1795–1802
7. Song J, Zhong Q, Wang W, Su C, Tan Z, Liu Y (2020) FPDP: flexible privacy-preserving data publishing scheme for smart agriculture. IEEE Sens J. IEEE
8. He D, Zeadally S, Xu B, Huang X (2015) An efficient identity-based conditional privacy-preserving authentication scheme for
vehicular ad hoc networks. IEEE Trans Inf Forens Secur 10(12):2681–2691
9. Nakamoto S (2019) Bitcoin: a peer-to-peer electronic cash system. Technical report Manubot
10. Huang H, Zhou S, Lin J, Zhang K, Guo S (2020) Bridge the trustworthiness gap amongst multiple domains: a practical blockchain-based approach. In: Proceedings of the 11th IEEE international conference on communications (ICC), pp 1–6
11. Wang W, Su C (2020) Ccbrsn: a system with high embedding capacity for covert communication in bitcoin. In: IFIP international conference on ICT systems security and privacy protection. Springer, pp 324–337
12. Zhang L, Zhang Z, Wang W, Waqas R, Zhao C, Kim S, Chen H (2020) A covert communication method using special bitcoin addresses generated by vanitygen. CMC-Comput Mater Contin 65(1):597–616
13. Li Z, Yang Z, Xie S, Chen W, Liu K (2019) Credit-based payments for fast computing resource trading in edge-assisted internet of things. IEEE Internet Things J 6(4):6606–6617
14. Singh A, Parizi RM, Zhang Q, Choo K-KR, Dehghantanha A (2020) Blockchain smart contracts formalization: approaches and challenges to address vulnerabilities. Comput Secur 88:101654
15. Odelu V, Das AK, Wazid M, Conti M (2016) Provably secure authenticated key agreement scheme for smart grid. IEEE Trans Smart Grid 9(3):1900–1910
16. Canetti R, Krawczyk H (2001) Analysis of key-exchange protocols and their use for building secure channels. In: International conference on the theory and applications of cryptographic techniques. Springer, pp 453–474
17. Chan AC-F, Zhou J (2014) Cyber–physical device authentication for the smart grid electric vehicle ecosystem. IEEE J Sel Areas Commun 32(7):1509–1517
18. Wazid M, Das AK, Kumar N, Rodrigues JJPC (2017) Secure three-factor user authentication scheme for renewable-energy-based smart grid environment. IEEE Trans Ind Inf 13(6):3144–3153
19. Li X, Wu F, Kumari S, Xu L, Sangaiah AK, Choo K-KR (2019) A provably secure and anonymous message authentication scheme for smart grids. J Parallel Distrib Comput 132:242–249
20. Wu L, Wang J, Zeadally S, He D (2019) Anonymous and efficient message authentication scheme for smart grid. Secur Commun Netw, 2019. Hindawi
21. Kumar N, Aujla GS, Das AK, Conti M (2019) Eccauth: a secure authentication protocol for demand response management in a smart grid system. IEEE Trans Ind Inf 15(12):6572–6582
22. Wang J, Wu L, Choo K-KR, He D (2019) Blockchain based anonymous authentication with key management for smart grid edge computing infrastructure. IEEE Trans Ind Inf 16(3):1984–1992. IEEE
23. Lin C, He D, Huang X, Khan MK, Choo K-KR (2020) Dcap: a secure and efficient decentralized conditional anonymous payment system based on blockchain. IEEE Trans Inf Forens Secur 15:2440–2452
24. Ma S, Yi D, He D, Zhang J, Xie X (2020) An efficient nizk scheme for privacy-preserving transactions over account-model blockchain. IEEE Trans Dependable Secure Comput. https://doi.org/10.1109/TDSC.2020.2969418
25. Feng Q, He D, Zeadally S, Khan MK, Kumar N (2019) A survey on privacy protection in blockchain system. J Netw Comput Appl 126:45–58
26. Lu Z, Yeh K-H, Hancke G, Liu Zhe, Su C (2018) Security and privacy for the industrial internet of things: an overview of approaches to safeguarding endpoints. IEEE Signal Process Mag 35(5):76–87
27. Su C, Santoso B, Li Y, Deng RH, Huang X (2015) Universally composable rfid mutual authentication. IEEE Trans Depend Secure Comput 14(1):83–94
28. Pointcheval D, Stern J (2000) Security arguments for digital signatures and blind signatures. J Cryptol 13(3):361–396
29. Jia X, He D, Kumar N, Choo K-KR (2019) A provably secure and efficient identity-based anonymous authentication scheme for mobile edge computing. IEEE Syst J 14(1):560–571

Publisher's note Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Weizheng Wang received his B.S. degree in software engineering from Yangzhou University, Jiangsu, China, in 2019. He is currently pursuing the M.S. degree at the School of Computer Science and Engineering, the University of Aizu, Fukushima, Japan. His current research interests include applied cryptography, blockchain technology and IoT system.

Huakun Huang received the bachelor's degree from the Guangzhou University, Guangzhou, China, in 2014 and 2016, and Ph.D. degree in Computer Science and Engineering from the University of Aizu, Japan, in 2019. He is currently a research fellow with the University of Aizu. His research interests mainly include blockchain, Internet of Things (IoT), intelligent edge computing, signal processing, and machine learning.

Lejun Zhang received his M.S. degree in computer science and technology in Harbin Institute of Technology and the Ph.D. degrees in computer science and technology at Harbin Engineering University, now he is a professor at Yangzhou University. His research interests include computer network, social network analysis, dynamic network analysis and information security.
Chunhua Su received the B.S. degree from Beijing Electronic and Science Institute in 2003 and received his M.S. and PhD of computer science from Faculty of Engineering, Kyushu University in 2006 and 2009, respectively. He is currently working as a Senior Associate Professor in Division of Computer Science, University of Aizu. He has worked as a postdoctoral fellow in Singapore Management University from 2009–2011 and a research scientist in Cryptography & Security Department of the Institute for Infocomm Research, Singapore from 2011–2013. From 2013–2016, he has worked as an Assistant professor in School of Information Science, Japan Advanced Institute of Science and Technology. From 2016–2017, he worked as Assistant Professor in Graduate School of Engineering, Osaka University. His research interests include cryptanalysis, cryptographic protocols, privacy-preserving technologies in machine learning and IoT security & privacy. He has published more than 100 papers in international journals and conferences.
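
The double defence against malicious registration and the message freshness check described in the security analysis can be modelled as follows. This is an added example, not code from the paper: the class and function names, SHA-256 standing in for h1, the 10 s request interval and the 5 s freshness window are assumptions, and the request sequence is constructed.

```python
import hashlib

MIN_INTERVAL_S = 10.0  # assumed minimum gap between requests from one IP
DELTA_T_S = 5.0        # assumed freshness window (the delta-t of the replay check)

def hid(identity: str) -> str:
    """HID = h1(ID); SHA-256 stands in for h1 here (assumption)."""
    return hashlib.sha256(identity.encode()).hexdigest()

class RegistryContract:
    """Toy stand-in for the on-chain registry shared by all RAs."""
    def __init__(self):
        self.members = {}  # address -> hashed identity, never the raw ID
    def register(self, address: str, hashed_id: str) -> None:
        # Mirrors the contract modifier: refuse an address that already exists.
        if address in self.members:
            raise ValueError("address already registered")
        self.members[address] = hashed_id

class RegistrationAuthority:
    """One RA_k with its local database of visitor IPs and access times."""
    def __init__(self, contract: RegistryContract):
        self.contract = contract
        self.last_access = {}  # ip -> time of the most recent request
    def handle(self, ip: str, address: str, identity: str, now: float) -> str:
        previous = self.last_access.get(ip)
        self.last_access[ip] = now  # record every visit, declined or not
        if previous is not None and now - previous < MIN_INTERVAL_S:
            return "declined: request rate"       # first line of defence (RA)
        try:
            self.contract.register(address, hid(identity))
        except ValueError:
            return "declined: duplicate address"  # second line (contract)
        return "registered"

def is_fresh(sent_at: float, received_at: float) -> bool:
    """Accept only if t' - t <= delta-t; timestamps from the future also fail."""
    return 0 <= received_at - sent_at <= DELTA_T_S

def demo() -> list:
    """Constructed request sequence through two RAs sharing one contract."""
    chain = RegistryContract()
    ra1, ra2 = RegistrationAuthority(chain), RegistrationAuthority(chain)
    return [
        ra1.handle("192.0.2.10", "0xAAA1", "SM-001", now=0.0),
        ra1.handle("192.0.2.10", "0xAAA2", "SM-002", now=1.0),   # burst, same IP
        ra2.handle("192.0.2.99", "0xAAA1", "SM-001", now=2.0),   # same address, other RA
        ra1.handle("192.0.2.10", "0xAAA3", "SM-003", now=30.0),  # after the interval
    ]
```

The third request passes the second RA's local rate check and is stopped only by the shared contract state, which is why the duplicate-address check has to live on chain rather than in each RA's database.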
