A novel multi-stage distributed authentication scheme for smart meter communication

Smart meters have ensured effective end-user energy consumption data management and helping the power companies towards network operation efficiency. However, recent studies highlighted that cyber adversaries may launch attacks on smart meters that can cause data availability, integrity, and confidentiality issues both at the consumer side or at a network operator’s end. Therefore, research on smart meter data security has been attributed as one of the top priorities to ensure the safety and reliability of the critical energy system infrastructure. Authentication is one of the basic building blocks of any secure system. Numerous authentication schemes have been proposed for the smart grid, but most of these methods are applicable for two party communication. In this article, we propose a distributed, dynamic multistage authenticated key agreement scheme for smart meter communication. The proposed scheme provides secure authentication between smart meter, NAN gateway, and SCADA energy center in a distributed manner. Through rigorous cryptanalysis we have proved that the proposed scheme resist replay attack, insider attack, impersonation attack and man-in-the-middle attack. Also, it provides perfect forward secrecy, device anonymity and data confidentiality. The proposed scheme security is formally proved in the CK—model and, using BAN logic, it is proved that the scheme creates a secure session between the communication participants. The proposed scheme is simulated using the AVISPA tool and verified the safety against all active attacks. Further, efficiency analysis of the scheme has been made by considering its computation, communication, and functional costs. The computed results are compared with other related schemes. From these analysis results, it is proved that the proposed scheme is robust and secure when compared to other schemes.


INTRODUCTION
The smart grid is one of the critical infrastructures for any nation. The traditional energy system equipped with advanced sensing, communication and control technologies transforms the decades old power system into a smart grid. While the smart grid provides a wide range of utilities and help the end-users to improve their lifestyle and minimize the manner, which means the authentication of SM, NANG, and SCADA control server does not depending upon any third party. The proposed scheme achieves the authentication in a fully hierarchical manner which is suitable for smart grid smart meter communication architecture. The proposed security scheme is formally proved in the CK -model. The scheme is simulated using AVISPA tool to verify the security against all active attacks. The proposed scheme's efficiency analysis has been made, considering its computation, communication, and functional costs. The computed results are compared with the other related schemes.

Related work
Authentication is a fundamental security solution and it has been extensively studied in various application areas. In smart grid smart meter communication, several authentication schemes have been proposed by numerous researchers. Even after the schemes are developed for specific architecture or application, there may be some similarities observed in terms of authentication factors, cryptographic operation, and message communication (Abbasinezhad-Mood, Ostad-Sharif & Nikooghadam, 2019). In this article, we only reviewed recent and relevant literatures, for the most part, authentication which focuses on the network architecture which includes SM, NAN, and SCADA control server. Wu & Zhou (2011) proposed an anonymous key distribution scheme for the smart grid. This scheme mainly combines the symmetric key and elliptic curve public key techniques. In the scheme, the symmetric key was based on the Needham-Schroeder authentication protocol. Wu & Zhou (2011) claimed that the proposed scheme effectively resists the man-in-the-middle attack and the replay attack. Later, Xia & Wang (2012) analysed Wu & Zhou's (2011) scheme and identified the scheme is vulnerable to man-in-the-middle attack. To overcome the identified attack, Xia & Wang (2012) proposed a key distribution scheme. Here, the authors used a trusted third party to manage the key distribution for the smart meter and the service provider. Nicanfar et al. (2013) proposed an efficient mutual authentication scheme. This scheme was developed to authenticate the entities that present outside of the home area network. Nicanfar et al. (2013) assumed that the authenticating participants are a smart meter and authentication server. From this literature, Nicanfar et al. (2013) also proposed a key management protocol based on identity cryptography for secure smart grid communications using the public key infrastructure. Li et al. (2013) proposed a Merkle-Tree-Based authentication scheme for secure smart grid communication. This article is more focused on eliminating message injection, message analysis, message modification, and replay attacks during communication. Tsai & Lo (2015) reviewed Xia & Wang's (2012) authentication scheme and identified that Xia & Wang (2012) scheme does not support smart meter anonymity and perfect forward secrecy. To overcome the identified weaknesses, Tsai & Lo's (2015) proposed a key distribution scheme for smart grid environments. The scheme was proposed including properties of bilinear pairings. Importantly, Tsai & Lo's (2015) scheme needed a trusted third party to distribute the private keys for smart meters and smart grid during registration. Later, Odelu et al. (2016) reviewed Tsai & Lo's (2015) scheme and found that the scheme can reveal the smart meter's secret credentials when the secret key has been revealed. To overcome the identified security weakness, Odelu et al. (2016) proposed a new authenticated key agreement scheme based on bilinear pairings for the smart grid. Like Tsai & Lo (2015) scheme, Odelu et al. (2016) utilized trusted third party to handle the private keys.
Further, Mahmood et al. (2016) proposed a hybrid Diffie-Hellman based lightweight authentication scheme using AES and RSA cryptography. This scheme was focused on achieving authentication between building area networks (BAN) and smart meters. The objective of the scheme was to avoid replay attack during authentication. Wazid et al. (2017) proposed a three-factor user authentication scheme for a renewable energy-based smart grid environment. Here, the objective was to authenticate vehicle user who wants to charge his/her electric vehicle battery. In this scheme, even though there are multiple authorities involved, authentication can be possible only between user and smart meter. Also, Wazid et al.'s (2017) scheme is dependent on trusted authority for smart meter registration.
Mahmood et al. (2018) proposed a lightweight ECC-based authentication scheme for smart grid communication. The aim of the scheme is to authenticate two registered users communicating in the environment. In this scheme, the trusted third party was responsible to generate preliminary parameters like selecting elliptic curve, random base point, oneway hash functions, secret key, and so on. Mahmood et al.'s (2018) scheme was also aimed to eliminate the trade-off between performance and security in smart grid communication where the scheme should provide high security with high performance. Further Abbasinezhad-Mood & Nikooghadam (2018) analyzed Mahmood et al.'s (2018) scheme and identified that the scheme cannot provide the perfect forward secrecy. Also identified that the private key of users and shared session keys can be easily compromised with an adversary. To overcome the identified weaknesses, Abbasinezhad-Mood & Nikooghadam (2018) proposed elliptic curve cryptography based lightweight authentication scheme for smart grid communications. Mahmood et al.'s (2018) scheme was also reviewed by Chen et al. (2019) and identified that the scheme could not provide the perfect forward secrecy and private key privacy. Also, the authors analyzed Abbasinezhad-Mood & Nikooghadam's (2018) scheme and identified that the scheme is vulnerable to the replay attack. To withstand the identified weaknesses, Chen et al. (2019) proposed a bilinear map pairing-based authentication and key establishment scheme. Zhang et al. (2019) proposed a lightweight anonymous authentication and key agreement scheme for the smart grid. This scheme allows the smart meter and the service provider to authenticate each other. The authentication scheme does not follow any hierarchical network architecture which minimizes the system applicability. Ma et al. (2019) proposed the eye-movement and iris recognition based portable remote authentication for the smart grid. It was a biometrics-based remote operator authentication scheme that uses the record of eye-movement trajectory and randomly selected iris image for authentication.
Recently, Moghadam et al. (2020) proposed a lightweight key management protocol for secure communication between substation and data center in smart grids. The scheme was based on hash functions and private keys. Irshad et al. (2020) proposed a message authentication scheme for secure communications between HAN gateway and BAN gateway in smart grids. Aghapour et al. (2020) proposed a broadcast authentication scheme for smart grid communications which uses hash functions and private key. Here, the authentication was to be done between the NAN gateway and the smart meter. Sadhukhan et al. (2020) proposed a privacy-preserving authentication scheme for smart-grid communication using elliptic curve cryptography. Here, the scheme can authenticate HAN gateway and BAN gateway in smart grids. This scheme needs a trusted third party to generate credentials, keys, and hash functions. Wu et al. (2021) reviewed Chen et al.'s (2019 scheme and identified the known session-specific temporary information attack where adversary can get the information of random nonce which needed to compute the session key. Also, Wu et al. (2021) identified that Chen et al.'s (2019) scheme is vulnerable to impersonation attack. To overcome identified weaknesses, Wu et al. (2021) proposed an improved pairing-based authentication scheme. The proposed scheme, depended upon a trusted third party to generate secret keys, cyclic groups, and hash functions.
From the above literature study we can observe that (i) most of the authentication schemes have security flaws and their improvements are also show some possible attacks. (ii) Many schemes can perform authentication either between the smart meter and NAN gateway or gateway and SCADA center. (iii) Also, the authentication schemes that implemented to the hierarchical network are dependent upon a trusted third party. Therefore, It is vary much necessary to propose an authentication scheme that can mutually authenticate smart meter, NAN gateway, and SCADA center without involvement of any third party. Hence, we have proposed a novel multistage distributed authentication scheme for smart grid communication.
The rest of the article is assembled as follows. "System Model" presents the system model used to propose the authentication scheme. "Cryptographic Preliminaries" discusses the necessary cryptographic preliminaries to understand the scheme. "The Proposed Scheme" illustrates the proposed multi-stage authentication scheme for smart meter communication. This section includes a detailed explanation of the steps of authentication in each phase. Further, "Cryptanalysis of the Proposed Scheme" presents the cryptanalysis of the proposed scheme. Here, we proved the data confidentiality, sensitivity and the security provided in the proposed scheme. The formal security verification of the proposed scheme based on the CK adversary model is illustrated in "Formal Security Proof", followed by the results of formal security verification using AVISPA are presented in "Result of Formal Security Verification Using Avispa Tool". "Efficiency Analysis" discusses the proposed scheme's efficiency analysis by comparing result computation cost ("Computation Cost Analysis") and communication cost ("Communication Cost") of the proposed scheme with the other related schemes. This section also gives the comparison result of the essential functionalities ("Functional analysis") in smart meter communication. Finally, the article depicts the concluding remarks.

SYSTEM MODEL
In this section, we present the system model which involves key components towards a smart meter communication between the consumers and SCADA control centres. As discussed in the "Introduction", the system model described in the article is from the data communications point of view. The active participants are Smart Meter (SM), Home Area Network (HAN), Neighborhood Area Network Gateway (NANG) and SCADA control center/Server. These participants are well connected in a hierarchical manner. In the considered system architecture, HAN has been considered as the bottom layer. Within a HAN, home appliances are connected to a Smart Meter (SM). The purpose of SM is to collect the aggregated consumption (e.g., dishwasher, electric oven, etc) and generation (e.g., solar PV) profiles of the home devices. The collected data can be transferred to the SCADA control center/Server or smart grid (SG) for data storage and analysis. The communication happens via NANG that has been considered as the middle layer of the system. The complete system architecture is presented in Fig. 1.

CRYPTOGRAPHIC PRELIMINARIES
This section discusses the cryptographic preliminaries necessary to understand the proposed scheme. The necessary encryption/decryption operations are done using Elliptic Curve Cryptography (ECC). The security strength of ECC relies heavily on the hardness of solving the elliptic curve discrete logarithm problem (ECDLP). Compared to any other public-key cryptosystems, ECC can provide significant security strength to any communication system with less key size (Hancock, 2001). This property reduces the algorithmic computational cost and makes the protocol more lightweight.
Elliptic curve cryptography: The equation of the elliptic curve E p (a, b) over F p (p > 3 and is a large prime number) is defined as y 2 mod p = (x 3 + ax + b) mod p where (4a 3 + 27b 2 ) mod p = 0; x, y, a, b ∈ [0, p − 1]. Any points (x, y) ∈ E p (a, b) are denoted as E(F p ) = {(x, y) : x, y in F p satisfy y 2 ¼ ðx 3 þ ax þ bÞg [ O where O is a point at infinity. The point multiplication is computed by repeated addition as k.P = P + P + P + ….. + P K times (Koblitz, 1987).
Elliptic Curve Discrete Logarithm Problem(ECDLP): An elliptic curve E defined over a finite field GF(q) and two points P, Q ∈ E, it is hard to find an integer x ∈ Z p * such that Q = xP.
Elliptic Curve Diffie Hellman (ECDH): Elliptic Curve Diffie Hellman (ECDH) key exchange is the the classical Diffie-Hellman key exchange which exchanges secret information or secure keys between two parties. The keys are exchanged between A and B as follows.
System selects an elliptic curve E p over the prime finite field F p where p is a large prime number and select a point on elliptic curve P of order n. The algorithm is as follows.

1.
A generates a random number k A in the interval [1, n − 1] and performs a scalar multiplication Q A = k A × P Then, sends Q A to B 2. B also generates a random number k B and computes Q B = k B × P by scalar multiplication in the same way as described above and sends Q B to A.

4.
A and B shares K 1 and K 2 between them. Thus, two entities exchanges the keys securely.

THE PROPOSED SCHEME
This section presents the proposed novel distributed dynamic multistage authenticated key agreement scheme for the smart grid. The proposed scheme contains three phases (1) Initialization phase, (2) Registration phase and (3) Authentication phase. The notations used throughout the scheme are presented in Table 1.

Initialization phase
To fully describe the proposed scheme, the process of system initialization is explained first. The initialization has to be done while deploying the system. It includes selecting an elliptic curve, hash functions, public and private keys necessary to perform encryption/ decryption, and hashing operation throughout the entire scheme. SG i choose an elliptic curve E p over the finite field F p where p is a large prime number. SG i also selects an elliptic curve point P of order n and one way hash functions h 0 ð:Þ ! Z Ã ; h 1 ð:Þ ! Z Ã ; h 2 ð:Þ ! Z Ã . Further SG i picks the private key x and computes the public key P pub = x.P. Finally, SG i publishes the parameters {E p , P, F p , h 0 (.), h 1 (.), h 2 (.), P pub }.

Registration phase
The registration phase includes steps to register participants (e.g., SM i , NANG i , etc.), which take part in the system. This phase includes the registration of Neighborhood Area Network gateway NANG i and smart meter SM i . The details of NANG i and SM i registration have been presented below.

NAN gateway registration phase
In the proposed scheme, NANG i registration is done with a SCADA control center/server. The steps involved in the NANG i registration have been illustrated as follows: SG i receives the request message, generates the random number e and computes m i = h 0 (s ||e), V n = h 0 (m i ||A i ).P pub and H n = h 0 (V n || NID i ) Timestamps generated by SM i , NANG i , SG i SG i stores H n into the database and sends V n to the NANG i . NAN gateway receives V n and stores {NID i , b j , V n } into its database. The registration phase of NAN gateway has been presented in the Table 2.

Smart meter registration phase
The registration of the SM i is with NANG i . The registration of SM i has been presented below: The Smart meter registration phase has been presented in Table 3.

Authentication phase
The authentication phase is performed between SM i , NANG i , and SG i . Here, SM i and SG i mutually authenticate through NANG i . Table 4 presents the authentication phase of the proposed scheme. The steps involved in this phase are as follows: Smart meter SM i generates a random number w and computes Receives message and generates the random number e Stores H n into the database and sends V n to the NANG i NANG i receives the message M 1 sent by SM i and checks the validity. To verify the freshness of the received message, NANG i takes its current timestamp T 2 and checks that whether T 2 − T 1 ≤ δ T or not. Also, NANG i confirms that between the time (T 1 + δ T) and (T 1 − δ T) there were no other requests which contains same parameters of M 1 has not received. If these conditions are not true, then the system rejects the request message and drops the session. NANG i computes the following after receiving the login request message: SG i receives the request message sent by NAN gateway and checks its validity to make sure that the request is made recently. SG i takes its present timestamp T 3 and checks whether T 3 − T 2 ≤ δ T. If the condition does not satisfy, then SG i rejects the received message and drops the session. If not, SG i begins the authentication process.
Once the request message accepted by the sever, it starts authenticating it. To do that SG i computes the following: w.P pub = C nan 4 H n Stores H m into its database and sends V m to the SM i .
Receives the message sent and checks

Receives the request message and checks whether
Computes the following: Checks C 2 ? = C 2 If both are equal then.
Generates y and computes Receives M 2 and computes Server compares C 2 with received C 2 . If both are equal then the server completes the authentication of SM i and begins the mutual authentication.
To perform mutual authentication, server first generates the random number y and computes C s = y.P pub 4 h 2 (H n ) Smart meter receives mutual authentication message from NAN gateway and computes SM i Compares C 4 with received C 4 if both are equal smart meter, NAN gateway, and the server establishes the connection successfully. Further communications will be done through the shared session keys. The session keys are For smart meter, SK M = h 2 (y.P pub ||w.P pub ||b i ||b j ) For NAN gateway SK N = h 2 (y.P pub ||w.P pub ||b i ||b j ) For Server SK s = h 2 (y.P pub ||w.P pub ||b i ||b j ).
Smart meter session key NAN Gateway session key Server session key

CRYPTANALYSIS OF THE PROPOSED SCHEME
This section presents the cryptanalysis of the proposed multistage authentication scheme. This analysis helped us to prove the sensitivity of the obtained results where stored and communication parameters does not impact on the systems privacy and the security.

Resiliency against replay attack
Resiliency against replay attacks can be possible only when the server verifies the freshness of the login message before beginning the authentication. In the proposed scheme, a timestamp has been used to check the validity of the login request message. Suppose a participant receives the message contains timestamp T, then the participant takes its current timestamp T and checks the condition T′ -T ≤ δT. If this condition is satisfied, the next step would be to proceed else participant drops the session. Let us assume that adversary steals the previous successfully authenticated login request message {C sm , CID i , C 1 , T 1 } sent from SM i to NANG i and {CID i , C 2 , C nan , RID s , T 2 , T 1 } sent from NANG i to SG i . Attacker trying perform replay attack by resending stolen login request message. Here, both NANG i and SG i first verifies the message freshness by checking the validity of the time stamp. To verify the freshness, NANG i takes its current timestamp T 2 and checks whether T 2 − T 1 ≤ δ T or not. Also, NANG i confirms that there were no other requests with parameters have been received between the time (T 1 + δ T) and (T 1 − δ T). If the timestamp T 1 is not modified in the login request message, the condition T 2 − T 1 ≤ δ T will definitely fails and NANG i drops the session. This procedure also happens when SG i receives login request message from NANG i . Therefore, the proposed scheme resists the replay attack.

Resiliency against insider attack
The proposed distributed multistage authentication scheme does not store all the information in a single system/server. The registration of SM i is with NANG i and the registration of NANG i will be done by SG i . This process distributes the necessary credentials to SM i , NANG i and SG i . To perform any attack, insider must know parameters stored in other two participants SM i and NANG i . Hence the proposed scheme ensures resiliency against insider attack.

Resiliency against impersonation attack
When the communication has taken place in an open channel, the attacker can intercept the sent/received messages and perform an impersonation attack. Assume that an attacker A intercepts the login and authentication messages {C sm , CID i , C 1 , T 1 }, {CID i , C 2 , C nan , RID s , T 2 , T 1 }, {C 3 , C s , T 3 }, and {C s , T 3 , C 4 , C m , T 4 , RID m } to perform impersonation attack. In the proposed scheme, computation of the communication parameters are depending upon the random nonces w, y and the parameters {NID i , b j , V n } stored in SM i . Since the random nonce and stored parameters do not communicate in the open channel as plain text, attacker A cannot get the knowledge of it. Therefore A cannot modify the login request parameters to impersonate the user.

Resiliency against man-in-the-middle attack
A man-in-the-middle attack can be possible when the adversary successfully authenticates with the server or calculate the session key correctly by intercepting communication messages. In the proposed scheme, to mitigate this attack we have applied two types of mechanism. First and foremost the communication message parameters of the proposed scheme are computed depending upon the generated random nonces w, y. Usage of random nonce prevents the impersonation and preserves the secrecy of the session key. Secondly, a timestamp has been used to check the validity of the login request message in every session. As said in "Resiliency Against Replay Attack", checking the message freshness resists the replay attack. Hence, the attacker cannot authenticate himself by intercepting the communication messages.

Provides perfect forward secrecy
In the proposed scheme, session key calculated by SK = h 2 (y.P pub ||w.P pub ||b i ||b j ). An adversary A cannot compute SK by intercepting the mutual authentication messages {C 3 , C s , T 3 }, and {C s , T 3 , C 4 , C m , T 4 , RID m }. An attacker must have the knowledge of random nonces w, y, b i and b j to calculate SK. The proposed scheme cannot share random nonce as plain text over the public channel. Therefore to calculate SK, an adversary has to guess all random nonces at the same time, which is not possible. Hence the proposed scheme provides perfect forward secrecy.

Provides device anonymity
In the proposed scheme, device anonymity is preserved while login into the system. A dynamic identity CID i = h 1 (w.P pub ||T 1 ) 4 b i has been calculated every session. The computation of the CID i is depending on the random nonce w. Therefore the dynamic identity is different at every login attempt. Hence the proposed scheme provides reveal the device identity MID i .

Provides data confidentiality
In the proposed scheme, the confidentiality of the communicated messages has been preserved even after authentication. The secrecy of the message after authentication can be achieved by the session key. In the proposed scheme, if the attacker tries to steal any message communicated between SM i , NANG i and SG i cannot decrypt without SK. As explained in "Provides Perfect Forward Secrecy", the session key cannot be compromised with the adversary. Moreover, during authentication, after successful verification of the login request SM i , NANG i and SG i will mutually authenticate each other and compute the session key. This creates a secure channel over an insecure environment. So, the communicated message remains confidential between SM i , NANG i and SG i .
From the cryptanalysis result of the proposed scheme it can be proved that the data confidentiality, sensitivity and the security has been achieved by resisting the possible attacks on the network.

FORMAL SECURITY PROOF
This section presents the formal security analysis to prove that the proposed scheme is secure against the adversary modeled in Odelu et al. (2016) and Tsai & Lo (2015) proposed by Canetti & Krawczyk (2001). According to this mode, adversary A has full control over the transmission channel. Therefore A can eavesdrop, intercept, alter the communication messages, and knows all the public parameters. The adversary cannot access the secret parameter directly but can construct queries to capture the information leakage.

Participants
A participant in the entity takes part in the authentication process. In the proposed scheme, there are three participants are involved in performing the authentication, which is named as SM i , NANG i , and SG i , where SM i is a smart meter, NANG i for the Neighborhood Area Network gateway, and SG i is the SCADA control center/Server. Each participant have multiple instances to run the scheme parallelly. The instances are represented as SM i , NANG i , and SG i , where 'i' represents the i t h instance of the participants (Tsai & Lo, 2015).

Queries
In CK-model, adversary A can construct the queries to perform the attacks. The possible queries made by A, and the attacks committed with the constructed query are illustrated below: Execute(SM i , NANG i , SG i ): This oracle query construct the passive attacks by eavesdropping the successful execution done between the participants SM i , NANG i , SG i . Here, A simulates the login and authentication phase and gets the messages communicated between the participants. Send(SM i /NANG i /SG i , M): A formulatess this query to perform active attacks. Adversary sends message to SM i /NANG i /SG i and receives the response from SM i / NANG i /SG i .Also, A can intercept communication channel and modify the communicated messages and gets the reply in return. EKeyReveal (SM i /SG i ): This query allows adversary to obtain the session state ephemeral secret key information held by the instance SM i /NANG i /SG i . SKReveal (SM i /SG i ): This query allows adversary to get the session key held by the instance SM i /NANG i /SG i . Corrupt (SM i /SG i ): This query express the notion of perfect forward secrecy where long term secret key can be compromise with A to get the session key on the oracle SM i / NANG i /SG i . Test(SM i /SG i ): This single query can be constructed by adversary at most once. It models the semantic security of the session. Here, A returns the session key of SM i /NANG i /SG i or a random string with an equal bit length of the session key. This result is depending upon tossing a coin b. If b = 1, the adversary gets the original session key. Else A gets a random string with the same length as the real session key.
Before presenting the security proof, it is necessary to describe some definitions, which are given below: Partnering: Two entities are called to be partners when they are accepted and shared a commen session key. In the proposed scheme, SM i , NANG i and SG i are partners only if MID i = NID j = SID k , and SK SMi = SK NANGi = SK SGi . Freshness: It is related to the session key. Here, oracle constructs the session key. We can say that the constructed session key is fresh if the instance meets the following conditions.

Computational problem
It is essential to describe the details of the computational problem where the security proof relies upon.
Elliptic curve computational Diffie-Hellman problem (ECDH): Let P, xP, yP ∈ E p where a; b 2 Z Ã q , then it is hard to compute xyP in polynomial time without knowledge of x or y. Elliptic curve discrete logarithm problem (ECDLP): It says that when G ∈ E p (x, y) of order n and G = kP ∈ E p (x, y), it is computationally infeasible to compute k in polynomial-time. Reversing One way Hash function: Let H(.) is a one way hash function, then it is computationally hard to get x from H(x). Also it is hard to find x where H(x) = H(x).

Security proof
Theorem 1 Let E p over the finite field F p with a large prime number p and D be the finite set of password. Consider A is a adversary running in a polynomial time to perfom security attack on the proposed scheme. Let Adv AKE SC is the advantage of the A against the proposed scheme and advantage of A that solves ECDH in E p . While performing the attackes over the proposed scheme A makes q send Send queries, q hsh hash oracles, and q exe Execute queries within the time t. The advantage of A will be Adv SG AKE ðq send þ q exe Þ 2 2n þ ðq hsh Þ 2 2 k þ q send 2 k þ n þ q hsh :Adv ECDH EC ðt þ ðq exe þ q send ÞT EC Þ Proof: The queries constructed by A has been presented in Tables 5 and 6. Based on the queries build by A, the proof is presented. The sequence of experiments from Experiment 0 to Experiment 4 defines the proof of the proposed authenticaion scheme. Let Succ n denotes the event that occures after the Test query made by adversary while guessing the bit b correctly.
Experiment 0: This experiment corresponds to the real experiment in the random oracle model. By the definition, we have Adv SG AKE 2Pr½Succ 0 À 1 Experiment 1: This experiment simulates H 0 , H 1 , H 2 by maintaining two hash list L h and L h . Here, L h stores the oracle for H 0 , H 1 , H 2 and L h is for queries asked by A. The simulation queries are presented in Table 5. From the simulation, it is observed that For EKeyReveal (SM i /SG i ) query return Ephermal Secret key w from SM i and y from SG i For SKReveal (SM i /SG i ) query return static private key s from SM i or SG i the transcript distribution of Experiment 0 and Experiment 1 are indistinguishable. Hence we have Experiment 2: This experiment simulates the oracle of Experiment 1 except the collisions occurs in the transcripts and hash queries by the adversary. In other words, the experiment aims to avoid the collision occurring in C 1 , C 3 , C sm and C s . The Experiment 1 and Experiment 2 are indistinguishable until the collision takes place. Since, w and y are randomly chosen, according to the birthday paradox, probability of the collision occurrence is at most (q send + q exe ) 2 /2n. Also, the probability of the occurrence of the collision in the output of the hash oracle is at most (q hsh ) 2 /2 k . Hence we have jPr½Succ 2 À Pr½Succ 1 j ðq send þ q exe Þ 2 2n þ ðq hsh Þ 2 2 k (1) For Send (P i , Start) query Generate random number w and computes C sm = w.P pub 4 h 0 (V m || MID i ), CID i = h 1 (w.P pub ||T 1 ) 4 b i , For Send (C sm , CID i , C 1 , T 1 ) query Generate random number y and computes C s = y.P pub 4 h 2 (H n ) SK s = h 2 (y.P pub ||w.P pub' ||b i '||b j' ) C 3 = h 2 (SK s t 3 y.P pub ) For Send (C 3 , C s , T 3 ) query y.P pub' = C s 4 h 0 (V m ||MID i ) b j' = h 1 (C m ||h 0 (V m ||MID i )) 4 RID m SK M = h 2 (y.P pub' || w.P pub ||b i ||b j' ) If C4 = C4 SM i , NANG i and SG i Else Terminated Experiment 3: This experiment aborts the scheme if the adversary succeeds in guessing the authentication value C 1 and C 3 without making the hash query. Since, Experiment 3 and Experiment 2 are indistinguishable unless smart grid SG i rejects C 1 or smart meter SM i rejects the authentic value C 3 . Hence we have Experiment 4: This experiment considers the session key security. A cannot obtain the previous session key when A has {w, y, s, P} but not (w, s, P) and (y, s, P). The aim of A is to compute the session key SK i = h 2 (y.s.P w.s.P b i b j ) by asking Execute(SM i , NANG i , SG i ) queries and corresponding hash queries in the four cases.
case 1: A queries Corrupt (SM i ) and Corrupt (SG i ) to get static private key s to compute the session key SK i . To derive the session key A should get w and y.
case 2: A queries EKeyReveal (SM i ) and EKeyReveal (SG i ) to get ephermal private key w and y. But A will not get the static key s.
case 3: A queries EKeyReveal (SM i ) and Corrupt (SG i ) and returns w and s. But A will not get y.
case 4: A queries Corrupt (SM i ) and EKeyReveal (SG i ) and returns y and s. But A will not get x.
In all the above four cases, A will get insufficient information to compute SK i without solving the ECDH. The Experiment 3 and Experiment 4 are indistinguishable until the ECDH assumption is true. Hence we have Now, A has to guess b to achieve the experiment by the Test query. It is clear that Pr [Succ 4 ] = 1/2.

RESULT OF FORMAL SECURITY VERIFICATION USING AVISPA TOOL
The results of the security verification using the AVISPA tool are presented in this section. AVISPA is a protocol analysis tool that provides a platform to implement the schemes and verify its security. To implement schemes, AVISPA uses High-Level Protocol Specification Language (HLPSL). It is a role-based language where every participant in the network plays a role during the execution. In HLPSL, the Doley-Yao model has been used to build the intruder. During the execution of schemes, the HLPSL code is converted into an Intermediate Format (IF) through a translator called hlpsl2if. Further, the translated IF is read by backends and analyses security goals. There are four backends are used in AVISPA used for security analysis known as On-the-fly Model-Checker (OFMC) (Basin, Mödersheim & Vigano, 2005), CL-AtSe (Constraint Logic-based Attack Searcher) (Turuani, 2006), SAT-based Model checker (Armando & Compagna, 2004) and Tree Automata based on Automatic Approximations for the Analysis of Security Protocols (TA4SP) (Boichut et al., 2004). If the scheme achieves all defined goals, then the output is given as SAFE else, the output will be UNSAFE.
The results of the security verification obtained from the AVISPA tool are presented in Figs. 2 and 3. The presented results are obtained through OFMC, and CLAtSe back ends. The other two backends SATMC and TA4SP, do not support the XOR feature. Hence the results were received as "Inconclusive". Therefore the OFMC and CLAtSe results are considered and claimed that the obtained result is SAFE against the intruder. Hence, we can clearly say that the proposed scheme achieves all the specified goals and remains secure against all the attacks.

Computation cost analysis
The proposed scheme's computation cost has been calculated and compared with the other schemes. We have presented the required computation cost and estimated execution time of the proposed scheme in Smart meter, NAN gateway, and SCADA control center/Server. To measure the execution time, we have taken the results obtained by Gope & Sikdar (2018). According to the results presented by Gope & Sikdar (2018), the required execution time for one computational parameter on Smart meter, NAN gateway, and SCADA control center/Server is given in Table 7. The computational parameters are The computation cost analysis results are given in the Table 8 and the estimated execution time analysis is presented Fig. 4. The computation cost of the proposed scheme is the sum of the costs of SM i , NANG i , and SG i , which is 2T mp + 12T h , 1T mp + 12T h , and 1T mp + 7T h , respectively. The total computation cost of the proposed scheme is 4T mp +   32T h . Estimated execution time of the proposed scheme in the SM i and NANG i is (3 × 5.9 ms) + (24 × 0.026 ms) = 18.324 ms. The estimated execution time in the SG i side is (1 × 2.6 ms) + (7 × 0.011 ms) = 2.677 ms. The total estimated execution time of the proposed scheme is 21.001 ms.
Comparing the proposed scheme's results with the other schemes presented in Table 8, we can observe that the proposed scheme's computational cost and estimated execution time is higher than Gope & Sikdar (2018) Table 9. It includes the cost of the communication parameters, transmitted in one complete session of the authentication phase. For consistency purpose, we assume that the length of the identity ID i and random number is 128 bits, the output size of hash functions H 0 (.), H 1 (), and H 2 () is 160 bits, size of an elliptic curve point is 320 bits, the block size of symmetric encryption/decryption is 256 bits, size of bilinear pairing is G 1 ! 320 bits, G 2 ! 512 bits and a Timestamp is 32 bits. The authentication phase of the proposed scheme requires 320 + 160 + 160 + 32 = 672 bits, 160 + 160 + 160 + 160 + 32 + 32 = 704 bits, 160 + 320 + 160 + 32 = 672 bits, and 320 + 160 + 160 + 160 + 160 + 32 + 32 = 1074 bits, for the messages {C sm , CID i , C 1 , T 1 }, {CID i , C 2 , C nan , RID s , T 1 , T 2 }, {C 3 , C s , T 3 }, and {C s , T 3 , C 4 , C m , T 4 , RID m }. Hence, the total communication cost required for the proposed scheme to achieve the one session is 3072 bits. The communication cost analysis result is presented in Fig. 5.
We have also calculated the energy cost of the proposed scheme and compared the result with other schemes. The energy cost gives the expected energy required to   Table 9 and also shown in Fig. 6. According to the analysis result presented in Table 9, the communication and energy costs of the proposed scheme are higher than all other schemes. Unlike other schemes the proposed scheme cost includes the communication done between smart meter, NAN gateway, and smart grid during the authentication. In Table 9  NAN gateway and smart grid, we neglect those communication done in the proposed scheme to do the comparison. Therefore the total communication cost of the messages {C sm , CID i , C 1 , T 1 }, {C s , T 3 , C 4 , C m , T 4 , RID m } is 1,746 bits and the energy cost is 1,353.78 μJ which is lesser than other compared schemes. Hence, we claim that the proposed scheme is efficient than other schemes and robust in the multistage architecture. Table 10 presents the functional analysis of the proposed scheme done with other schemes. The features and the functionalities represented in Table 8 are as follows: F1-Multistage authentication, F2-Provide perfect forward secrecy, F3-Prevents replay attack, F4-Prevents insider attack, F5-Prevents man in middle attack, F6-Prevents impersonate attack, F7-Provide mutual authentication, F8-Provide smart meter credentials privacy, F9-Provides session key security. From Table 10, it is clear that the proposed scheme meets all the functional requirements. It also achieves multistage authentication where one smart grid can authenticate the smart meter through the NAN gateway.

CONCLUSIONS
The security of smart meter communication is critical for reliable, efficient and stable operation of a contemporary smart grid. This paper addresses the security issues by considering a novel authentication scheme for smart meter communication with the energy control center. The proposed method is based on a novel formulation, where the authentication scheme is dynamic, multi-stage and distributed in nature. The formal proves presented in this paper validate that the proposed model can establish a secure authentication path between a smart meter, NAN gateway, and a SCADA energy center in a distributed manner. We also verified the effectiveness of the proposed authentication scheme against adversarial attacks using a simulation tool AVISPA. Considering the computation, communication and functional costs, this article also presented the efficiency analysis of the proposed authentication scheme. Based on comparative analyses, we can conclude that the proposed scheme is robust and secure as compared to the existing related schemes. Hence, the proposed authentication scheme has the potential to secure smart meter communication between the energy consumers and utility control centers to foster an attack resilient sustainable energy grid.

APPENDIX
The implementation of the proposed scheme in AVISPA includes the registration phase and the login and authentication phase. Here, three leading roles are named as meter, gateway, and server, represented as SM i , NANG i and S j . The role specification of the meter is presented in Fig. 7. Here, the process begins by receiving a start signal. The gateway and server roles implementations are given in Figs. 8 and 9. SM i , NANG i and S j use symmetric key SKuisj for the communication in the channel. The send and receive channels required for communication between meter, gateway, and server are represented by Snd() and Rcv() functions. Figures 10 and 11 present the session and environment roles. The session role includes the primary roles for composition and the channels of all roles involved in communication. The environment role specifies the global constants and sessions for an adversary to play as legitimate user roles. It also defines the goals of the proposed scheme.