A Lightweight Anonymous Device Authentication Scheme for Information-Centric Distribution Feeder Microgrid

: Distribution feeder microgrid (DFM) built based on existing distributed feeder (DF), is a promising solution for modern microgrid. DFM contains a large number of heterogeneous devices that generate heavy network traffice and require a low data delivery latency. The information-centric networking (ICN) paradigm has shown a great potential to address the communication requirements of smart grid. However, the integration of advanced information and communication technologies with DFM make it vulnerable to cyber attacks. Adequate authentication of grid devices is essential for preventing unauthorized accesses to the grid network and defending against cyber attacks. In this paper, we propose a new lightweight anonymous device authentication scheme for DFM supported by named data networking (NDN), a representative implementation of ICN. We perform a security analysis to show that the proposed scheme can provide security features such as mutual authentication, session key agreement, defending against various cyber attacks, anonymity, and resilience against device capture attack. The security of the proposed scheme is also formally verified using the popular AVISPA (Automated Validation of Internet Security Protocols and Applications) tool. The computational and communication costs of the proposed scheme are evaluated. Our results demonstrate that the proposed scheme achieves significantly lower computational, communication and energy costs than other state-of-the-art schemes.

a limited number of connection points to the utility grid such that it can operate in either gridconnected or islanded mode.
Distribution feeder microgrid (DFM) has been proposed as a solution of modern microgrid which is built based on existing distribution feeder (DF) [3,4]. DFM utilizes advanced communication, control, and protection technologies to increase the sustainability, reliability, and resiliency of the grid and support very high penetration of distributed energy resources (DERs) [3,5]. The architecture of DFM is illustrated in Fig. 1, which contains a variety of demand and load entities such as consumer appliances, generators, energy storage, electrical vehicles (EVs), DERs, smart meters, synchrophasor devices etc. The DFM gateway (DG) serves as the central control and management entity that connects the DFM to the utility grid. One of the major technical challenges faced by DFM is the communication demand of a large number of heterogeneous devices. A scalable networking and communication architecture is needed that can meet requirements such as low data delivery latency and heavy network traffic [6]. The information centric networking (ICN) paradigm has been explored recently to address the requirements of smart grid communication [6][7][8][9]. Unlike the host-centric IP-based networking architecture, ICN adopts a content-centric communication model with novel features like data caching in network edge, data provenance, inherent multicast support, etc. which make it suitable for smart grid applications. C-DAX (Cyber-secure Data and Control Cloud) is an ICN-based solution proposed for the monitoring and control of smart grids [8]. Tourani et al. [6] proposed an ICN-based smart grid networking architecture called iCenS, which was shown to be effective in serving various types of smart grid traffic. Yu et al. [9] proposed a Content-Centric Networking (CCN) based advanced metering system (CCN-AMI) for smart grids. The CCN-AMI system is comprised of several components such as smart meters, demand response management system (DRMS), which provides better traffic congestion control, mobility and cyber security. Ravikumar et al. [7] proposed an ICN-based smart grid architecture that consists of a three-level hierarchy for information flow including physical level, aggregation level, and computation level. The hierarchy specifies constituents and the interaction mechanism at each level. The proposed architecture adopts IEC 61850 as underlying communication stack for backward compatibility and adds the Information-Centric Network Protocol (ICNP) layer. Both work of [7,9] and have conducted a comprehensive performance analysis of the proposed ICN architectures and the results show a great potential of applying ICN for smart grids.
In this paper, we consider a named data networking (NDN) based architecture to address the communication demand of DFM. NDN is a representative ICN architecture which has been shown as a promising solution for not only smart grid communication [6,7] but also the communication needs of applications of smart cities [10], smart campus [11], smart home [12], and smart healthcare [13]. In addition to communication requirements, another key technical challenge faced by DFM is to ensure the security and privacy of the grid. The integration of advanced ICT technologies in DFM makes it vulnerable to a number of cyber attacks such as man-inthe-middle (MITM) attacks, reply attacks, impersonation attacks, etc. Adequate authentication is essential for preventing unauthorized access to the grid network and defending against cyber attacks. There are lots of authentication and key agreement protocols proposed for smart grids based on IP networking architecture. For example, Garg et al. [14] proposed an ECC (Elliptic Curve Cryptography) and FHMQV (Fully Hashed Menezes-Qu-Vanstone) based authentication scheme for smart metering infrastructure (SMI). Kumar et al. [15] proposed another ECC-based authentication scheme for smart grid device and utility center communication. Chen et al. [16] proposed an ECC and bilinear pairing-based authentication scheme for smart grid communication. Zhang et al. [17] proposed a lightweight authentication scheme using symmetric cryptography, hash, and other lightweight operations.
There are some works on authentication protocols designed for ICN-based networking architectures, mainly for supporting various IoT communication scenarios. Similar to IP-based networking architecture, authentication also brings significant security benefits to ICN-based networking architecture [18]. Compagno et al. [18] proposed a secure IoT device onboarding protocol for ICN called OnboardICNg based on symmetric-key cryptography. It was shown in [19] that OnboardICNg incurs significant lower time and energy overheads compared with the design based on asymmetric-key cryptography. LASeR, a secure IoT device authentication and routing scheme for NDN-based smart cities, was proposed in [20]. The device authentication of LASeR is based on the Pre-Shared Key Extensible Authentication Protocol (EAP-PSK). For ICN based DFM, the authentication scheme should provide various security features including mutual authentication, session key agreement, defending against various attacks, anonymity, and resilience against device capture attack [15]. In addition, majority of smart devices in DFM are resource-limited which requires the authentication scheme to have low computational, communication, and energy costs.
The contributions of this paper are: (1) we propose a lightweight anonymous device authentication scheme for NDN-based DFM; (2) we perform an analysis of security requirements satisfied by the proposed scheme and formally verify its security by using the popular AVISPA (Automated Validation of Internet Security Protocols and Applications) tool [21]; and (3) we conduct a performance comparison of the proposed scheme with existing schemes to demonstrate that the proposed scheme achieves lower computational, communication, and energy costs. The rest of this paper is organized as follows: Section 2 introduces system models and assumptions adopted in this paper. The proposed device authentication scheme for NDN-based DFM is presented in Section 3. In Section 4, we analyze security requirements satisfied by the proposed scheme followed by a formal security verification with the AVISPA tool. The performance of the proposed scheme in terms of computational, communication, and energy costs is evaluated and compared with other state-of-the-art schemes in Section 5. Finally, the conclusion of this paper is drawn in Section 6.

System Models and Assumptions
In this section, we introduce the network model of NDN based DFM, the threat model, and their assumptions after an overview of NDN.

NDN Overview
NDN is a new ICN paradigm proposed as a candidate for future internet architecture. NDN assigns a unique name to a trunk of data or a so-called content object. NDN has two types of packets: Interest and Data packets. The Interest packet is issued by a consumer to request the desired data content using the unique name. The network will forward the Interest packet to the provider of the data content. The provider will reply with a Data packet back to the consumer which contains the name and actual content of the data. Interest and Data packets can have other fields besides the name of the data content. In our scheme, we only consider the name field in the Interest packet, and the name, content, and signature fields in the Data packet.
Routing of NDN is done through three data structures maintained by each NDN router: a Pending Interest Table (PIT), a Forwarding Information Base (FIB), and a Content Store (CS). The CS serves as the data cache of an NDN router. When an Interest packet arrives, the router will check if the name of the requested data content matches any record in the CS and serves the data if there is a match. Otherwise, the router will check the PIT table to avoid forwarding duplicated Interest packet. If no PIT entry can be found, the router will use the FIB table to determine the appropriate interface to forward the Interest packet. In the meantime, the PIT table will also be updated to indicate that the Interest packet is forwarded. The routing of the corresponding Data packet will simply use the reverse path identified in the PIT.
In NDN, a Data packet usually contains the name of the corresponding Interest packet. This duplication will tremendously increase the size of a Data packet when a long name is used for the corresponding Interest packet. This causes a significant problem when transmitting an NDN packet over a low power wireless link such as an IEEE 802.15.4 link due to its limited maximum physical packet size. Solutions relying on fragmentation and reassembly [22] could result in a significant increase in memory storage, processing complexity, and traffic amount. In this paper, we adopt a solution proposed in [23] that replaces a long Interest name with a short 1-byte HopID. The solution extends the PIT table with two new columns: HID i and HID o . For an Interest packet, each hop generates a 1-byte HopID and includes it in the name. The HopID will be stored in the HID o column which should be unique within the local PIT table and has the same lifetime as the corresponding PIT entry. When an Interest packet arrives at a hop, the HopID will be extracted from the Interest name and stored in the HID i column of the corresponding PIT entry. A new HopID will then be generated by the hop and stored in the HID o column of the same PIT entry.
The new HopID will be included in the name of the outgoing Interest packet. This process will be performed in each intermediate hop until the Interest is served by the producer. The producer will extract HopID from the HID i column and use it as the name of the responded Data packet.
Intermediate hops that forward the Data packet will simply extract the HopID and lookup HID o column of the PIT table for a match. If a match is found, the hop will replace the HopID of the Data packet with the new HopID from the HID i column of the matched PIT entry before forwarding the Data packet.

Network Model and Assumptions
We consider that all entities of a DFM shown in Fig. 1 are wirelessly connected to form a mesh network topology. The load and demand entities with communication and control capabilities in a DFM are referred as smart devices. The majority of them have limited computational, memory, and energy resources. Each device has a unique and immutable real identity such as a Silicon-ID number [24]. The deployment of smart devices is done over time. The connection of a DFM to the utility grid is done through the DG, which is considered as resource un-constrained. A smart device in a DFM may connect to the DG through a multi-hop path with the help of other devices. We also assume that a Trust Authority (TA) is existed to serve DFMs of a utility service provider as shown in Fig. 1. The TA provides authentication and authorization services to bootstrap new smart devices into a DFM network.

Threat Model and Assumptions
The basic adversary model considered for the proposed scheme is the widely used Dolev-Yao (DY) model [25]. According to the model, all entities including smart devices and DG are not trustworthy. The messages between the entities are transferred through an open channel which can be eavesdropped, intercepted, and modified by an adversary. In addition, we assume that an adversary can compromise a session key and session states according to Canetti and Krawczyk (CK) adversary model [26]. The adversary can also physically capture a device to extract the stored secret credentials by using the sophisticated power analysis attacks [27]. Finally, we assume that the TA is a fully trusted entity and can't be compromised.
Based on the threat model and assumptions, the proposed scheme aims to satisfy security requirements including message integrity, mutual authentication and session key agreement, perfect forward secrecy, anonymity, and resistance to various attacks.

Proposed Scheme
The proposed scheme consists of two phases: (1) device registration phase; (2) network discovery and authentication phase. Note that the TA is only involved in the device registration phase. Tab. 1 lists the notations and their descriptions used in this paper.

Device Registration Phase
Before deployed in a DFM, a smart device S(SD S ) needs to be registered offline at the TA by the owner who brings the device to the TA's office to complete the registration through a secure channel [28]. During the registration process, SD S first sends its real identity ID S to TA. TA then generates a master secret k S and two random numbers r TA−DG , and r TA−SD S for SD S . The pseudo-identity of SD S is then computed as PID S = H(ID S ||k S ). TA also computes two secrets A S = H(ID G ||PID S ||r TA−DG ) and B S = H(ID S ||PID G ||r TA−SD S ). Note that ID G and PID G are the real identity and pseudo-identity of DG, respectively. Finally, TA sends PID S , A S , and r TA−SD S to SD S , and then sends PID S , B S , and r TA−DG to DG. The device registration phase is illustrated in Fig. 2. Pseudo-identity of entity X HopID X HopID generated by entity X k X Master secret for entity X r * Random number Session key between entities X and Y H ( ) One-way hash function Sign message M using key K || Message concatenation

Network Discovery and Authentication Phase
After the registration, SD S performs the network discovery and authentication phase to join the trusted network of a DFM. The procedure of this phase is illustrated in Fig. 3 and described as follows: • SD S generates a random number r SD s −DG and a HopID HopID S , and then computes C 1 = E A S (r SD S −DG ) and S 1 = S A S (PID S ||r SD S −DG ). After that, SD S generates an Interest with the name as /Discover/PID S /C 1 /S 1 /HopID S . A PIT entry will be created with name prefix /Discover/PID S /C 1 /S 1 and HopID S is stored in the HID o column of this entry. This Interest will then be broadcast to all neighbors of SD S .
• Upon receiving the broadcast Interest, a trusted neighbor device N(SD N ) can choose to help the network discovery and authentication process of SD S or not. If SD N wants to help the process, it will extract HopID S and S 1 from the received Interest. A PIT entry for the received Interest is created with name prefix /Discover/PID S /C 1 /S 1 and the HID i column as HopID S . SD N then generates a new HopID HopID N and stores it in the HID o column of the newly created PIT entry. A signature S 2 will be computed as When the new Interest is forwarded through the trusted network of the DFM to DG, the HopID part of the Interest name will be replaced by a new HopID generated at each hop. Supposing the hop before DG is a smart device M(SD M ) and its generated HopID is HopID M , the name of the Interest received by DG will be /Auth/PID G /PID S /C 1 /PID N /S 2 /HopID M . Without loss of generality, we assume that the Interest sent by SD N will be received by DG directly.
• When DG receives the Interest, a PIT entry with the name prefix /Auth/PID G /PID S /C 1 / PID N /S 2 will be created with the corresponding HID i set as HopID N . It extracts PID * S and C * 1 from the Interest name. Then A * S is computed as If not, the authentication process will be aborted. Otherwise, SD S is authenticated at DG which will then generate two random numbers r DG−SD S and r SD s −SD N . The two random numbers are used to generate the session key between SD S and SD N as SK SD S −SD N = H(A * S ||B S ||r SD s −DG * ||r SD s −SD N ) and the session key between SD S and DG as SK SD S −DG = H(A * S ||B S ||r SD s −DG * ||r DG−SD S ). DG will prepare the Data packet by computing C 2 = E SK SD N −DG (SK SD S −SD N ), C 3 = E B S (r DG−SD s ||r SD S −SD N ), and S 3 = S B S (r DG−SD S ||r SD S −SD N ||PID G ||PID N ), which are included as the content. DG will generate a signature for the Data packet as S 4 = S SK SD N −DG (C 3 ||S 3 ||SK SD S −SD N ). Then HopID N is retrieved from the HID i column of the corresponding PIT entry which will be used as the name of the Data packet. The Data packet will be sent back to SD N .
• When SD N receives the Data packet, it first extracts HopID N from the name and look up the HID i column of the matched PIT entry to find the next hop's HopID HopID S , which will be used as the name of the new Data packet sent back to SD S . Then SD N will extract C * 2 , C * 3 , S * 3 from the content of the received Data and obtain the session key SK SD S −SD N by decrypting C * 2 with SK SD N −DG . After that, it generates S * 4 = S SK SD N −DG (C * 3 ||S * 3 ||SK * SD S −SD N ) and verifies if S * 4 == S 4 . If not, the authentication process will be aborted. Otherwise, SD N sends a Data packet to SD S whose content includes PID G , PID N , and C 3 with the name as HopID S and the signature as S 3 .
• Upon receiving the Data packet from SD N , SD S first computes B * S = H(ID S ||PID * G ||r TA−SD S ) and obtains r * DG−SD S and r * SD S −SD N by decrypting C * 3 with B * S . Then SD S computes S * 3 = S B * S (r * DG−SD S ||r * SD S −SD N ||PID * G ||PID * N ) and verifies if S * 3 == S 3 . If not, the authentication process will be aborted. Otherwise, SD S authenticates DG as legitimate and computes the two session keys SK SD S −SD N = H(A S ||B * S ||r SD s −DG ||r * SD s −SD N ), and SK SD S −DG = H(A S ||B * S ||r SD s −DG ||r * DG−SD S ). Note that there could be multiple neighboring devices helping the authentication of SD S . For Interest packets received from different neighboring devices, DG will keep using the same r DG−SD S so that the session key between SD S and DG remains the same. DG will generate different r SD S −SD N for neighboring devices so that the session keys between SD S and neighboring devices are different.

Security Analysis
In this section, we perform an analysis of security requirements satisfied by the proposed scheme and formally verify its security by using the AVISPA tool.

Informal Security Analysis
Based on the threat model specified in Section 2.3, the proposed scheme can satisfy the following security requirements.

1) Message integrity:
The proposed scheme generates a message signature by using the AES-CMAC algorithm to ensure message integrity. Secrets A S , B S and secure session key SK SD SN −DG are used as keys for the AES-CMAC algorithm. Since an adversary can't obtain these cryptographic materials from intercepted messages, they can't forge a legitimate message signature after modifying a message.

2) Mutual authentication and session key agreement:
Mutual authentication is performed to verify the legitimacy of participating entities. In the proposed scheme, the mutual authentication between SD S and DG is achieved by using secrets A S and B S . DG authenticates SD S by verifying S * 2 with secret A S and session key SK SD SN −DG . Similarly, SD S authenticates DG by verifying S * 3 with secret B S .
In the proposed scheme, after performing mutual authentication for a session, a symmetric session key is established between SD S and DG as SK SD S −DG = H(A S ||B S ||r SD s −DG ||r DG−SD S ), which can be used to encrypt subsequent communication. Similarly, a symmetric session key between SD S and its neighbor SD N is established as SK SD S −SD N = H(A S ||B S ||r SD s −DG ||r SD S −SD N ), which can be used to support secure communication between neighboring devices.
3) Perfect forward secrecy: Perfect forward secrecy ensures that the compromising of longterm secret information of legitimate entities (smart devices and DG) by an adversary should not compromise the session keys established in previous sessions. The proposed scheme generates three random numbers r SD s −DG , r DG−SD S , and r SD S −SD N to compute the two session keys SK SD S −DG and SK SD S −SD N in each session. Without knowing the random numbers, the adversary can't obtain the session keys of previous sessions. Thus, perfect forward secrecy is held by the proposed scheme.

4) Anonymity:
Anonymity ensures that the real identity of an entity can't be revealed by an adversary through intercepted messages. The proposed scheme uses a pseudo-identity for each entity that is computed from the real identity and a master secret generated by the TA. It's infeasible for an adversary to compute the real identity without the knowledge of the master secret. Thus, anonymity is satisfied by the proposed scheme.

5) Resistance to impersonation attacks:
We consider three cases of impersonation attacks for the proposed scheme: • New device impersonation attack: To impersonate a legitimate new smart device SD S , an adversary needs to generate a valid Interest as the network discovery and authentication request broadcast to neighboring devices. However, the adversary doesn't have the knowledge of A S to compute C 1 and S 1 to generate a valid Interest. Thus, the proposed scheme can resist the new device impersonation attack. • Neighboring device impersonation attack: To impersonate a legitimate neighboring device, an adversary needs to generate a valid Interest sent to DG. However, the adversary doesn't have the knowledge of SK SD SN −DG to compute S 2 to generate a valid Interest. Thus, the proposed scheme can resist the neighboring device impersonation attack. • DG impersonation attack: To impersonate a legitimate DG, an adversary needs to interpret a received Interest and generate a valid Data as the response which is impossible since the adversary doesn't have the knowledge of A S and B S . Thus, it's infeasible for an adversary to launch the DG impersonation attack.

6) Resistance to replay attacks:
An adversary can intercept the transmitted messages and reply them back in a later time. In the proposed scheme, the adversary can't generate the session keys from the intercepted messages. To generate the session keys, the adversary needs to know A S and B S , and the three random numbers r SD s −DG , r DG−SD S , and r SD S −SD N which can't be obtained from the intercepted messages. Therefore, the proposed scheme can resist replay attacks.

7) Resistance of MITM attacks:
An adversary can launch MITM attacks by intercepting the transmitted messages and try to make two legitimate entities believe that they communicate with each other directly. To make this happen, the adversary has to know A S and B S , or SK SD N −DG which are infeasible to be obtained from the intercepted messages. Thus, the proposed scheme can resist MITM attacks.

8) Resilience against devices capture attack:
A smart device deployed in the wild could be physically captured by an adversary. Based on the threat model discussed in Section 2.3, the adversary can obtain the secret credentials for authentication such as PID S , A S , and B S from a stolen device by using the power analysis attacks [27]. Such side-channel attacks are difficult to defend unless the device is tamper-resistant [29]. However, the computation of the secret credentials such as A S and B S involves ID S , a unique and immutable identity, so that they are distinct for all smart devices in the DFM network. Thus, the adversary can't compute the session keys between DG and other non-compromising devices using the secret credentials of the captured device. Such security property is called unconditional security against device capture attack [15,24,[30][31][32]. Therefore, the proposed scheme is resilient against device capture attack.

Formal Security Verification
In this section, we formally verify the security of the proposed scheme by using the AVISPA tool, which is designed for the analysis of large-scale internet security-sensitive protocols [21].
In AVISPA, the protocol actions and security requirements are described with a language called the High-Level Protocol Specification Language (HLPSL). AVISPA generates an intermediate file (IF) from the input HLPSL file by using the HLPSL2IF translator and passes the intermediate file to an AVISPA backend. The backend will verify the protocol security and generates a security report. AVISPA has four different backends: On-the-fly Model-Checker (OFMC), CL-based Attack Searcher (CL-AtSe), SAT-based Model-Check (SATMC), and Tree Automata-based Protocol Analyzer (TA4SP). User can choose suitable backends for protocol security verification.
HLPSL is a role-based language that contains two types of roles: basic role and composition role. Figs. 4−6 describe the initial parameters, states, and transitions for the three basic roles (SD S , SD N , and DG) involved in the authentication process. The composition roles are specified in Fig. 7. The session role instantiates the parameters of the basic roles. The environment role contains the global variables and specifies the sessions of the protocol. Finally, the security goals of the proposed scheme are also specified in Fig. 7, which test the strength of session keys against various attacks and verify the establishment of mutual authentication. Fig. 8 shows the outputs of the OFMC and CL-AtSe backends, which prove the proposed scheme is safe against both backends.

Performance Analysis
In the following sections, we evaluate the communication, computation, and energy costs of the proposed scheme and compare them with those of OnboardICNg [18] and LASeR [20]. OnboardICNg and LASeR adopt similar system architectures as the proposed scheme. Tab. 2 shows the mapping of the entities of OnboardICNg and LASeR to those of the proposed scheme. Since DG is resource-unconstrained, our analysis concentrates on resource-limited smart devices. We assume that there are n neighbor devices helping the authentication process.

Communication Cost
In this section, we evaluate the communication cost of the proposed scheme during the network discovery and authentication phase in terms of the number of exchanged messages and the number of bytes sent and received by smart devices. We use IEEE 802.15.4 as the underlying link-layer which has a maximum frame size of 127 bytes.   Since the communication between SD S and SD N is untrusted during the authentication process, an 802.15.4 frame exchanged between SD S and SD N does not carry the signature which results in a size of 36 bytes for the header and footer. On the other hand, a frame exchanged within the trusted network of DFM requires the full 52-byte 802.15.4 header and footer. In addition, we consider the 1 + 0 encoding proposed for NDN packets [33]. Tab. 3 shows the fields and their corresponding sizes for NDN Interest and Data packets, where S T is the total size of name components TL (1B * number of name components), S N is the total size of the name values, and S C is the total size of the content. We assume that ID and PID are 4 bytes, a random number is 8 bytes, and outputs of electric signature, hash, and encryption operations are 16 bytes. Prefixes ( /Discover and /Auth) are encoded in 1 byte. Based on the above assumptions, we compare the communication cost of the proposed scheme with those of OnboardICNg and LASeR in Tab. 4. For the two reference schemes, we compute the number of bytes sent and received by smart devices with and without HopID implemented. It can be seen that HopID can significantly reduce the communication overheads of the reference schemes, especially for LASeR which also has long Interest names. Overall, the results show that the proposed scheme is significantly lightweight than the two reference schemes in terms of the number of exchanged messages and the number of bytes sent/received by smart devices.

Computational Cost
Tab. 5 compares the cryptographic operations performed by the proposed scheme with those of OnboardICNg and LASeR. In the table, 'T H ', 'T E ', 'T D ', 'T M ', and 'T HM ' represent execution times of operations of hash. AES-128 encryption and decryption, AES-CMAC, and HMAC, respectively. To measure the computation times of cryptographic operations, we used a Raspberry Pi 3 board as the smart device running OpenSSL C programming language libraries. The measured computation times of AES-128 encryption, AES-128 decryption, SHA-256, AES-CMAC, and HMAC are 4.36 µs, 4.47 µs, 2.69 µs, 5.54 µs, and 10.9 µs, respectively. We then compared the computation time of the proposed scheme with those of OnboardICNg and LASeR. As shown in Tab. 5, both the proposed scheme and LASeR are more computationally efficient than OnboardICNg. The new joining device of the proposed scheme has a lower computational time than that of LASeR when n is less than 18. Note that LASeR does not establish session keys between the new joining device and its neighbor devices.

Energy Cost
We estimated the computational energy cost by using the formula E = V * I * t, where V is the voltage of the input power, I is the current of the circuit, and t is the computation time. Both V and I were obtained from the Raspberry Pi data sheet [34,35]. We estimated the communication energy cost by using the energy cost of sending and receiving one bit on the Raspberry Pi, which was measured as 0.029 µJ and 0.033 µJ, respectively. Fig. 9 compares the energy costs of a new joining device of the three schemes under different number of neighbor devices. Note that the communication costs of OnboardICNg and LASeR in Fig. 9 were estimated with HopID implemented for a fair comparison. The results show that the proposed scheme is more energyfriendly than the two reference schemes.

Conclusion
In this paper, we propose a new lightweight anonymous device authentication scheme for NDN-based DFM. We perform an informal analysis of security requirements satisfied by the proposed scheme. Formal security verification of the proposed is also carried out by using the popular AVISPA tool. We conduct a performance evaluation to compare the computational, communication, and energy costs of the proposed scheme with those of other schemes. The results of our security analysis and performance evaluation reveal that the proposed scheme has lower computational and communication overheads than other state-of-the-art schemes. In future, we plan to develop an efficient group key agreement scheme for smart devices in information-centric DMF. We will also research how to perform secure and reliable access control of smart devices in information-centric DMF.
Funding Statement: This material is based upon work funded by the National Science Foundation EPSCoR Cooperative Agreement OIA-1757207.