A Certificateless Authenticated Key Agreement Scheme for the Power IoT

Abstract

Power Internet of Things (IoT) is the application of IoT technology in the field of power grid, which can better control all kinds of power equipment, power personnel and operating environment. However, access to mass terminals brings higher requirements for terminal authentication and key management for the power IoT. And the traditional public key infrastructure (PKI) and identity-based public key cryptography (IB-PKC) exist the problems of certificate management and key escrow. Therefore, the paper proposes a novel authenticated key agreement scheme based on the certificateless public key cryptography (CL-PKC) mechanism. In addition, the proposed scheme is proven with the improved extended Canetti-Krawczyk (eCK) security model. Finally, the implementation of the authenticated key agreement protocol is given based on the actual application requirement of the power IoT, and the analysis and comparison of the simulation demonstrates that the proposed scheme has higher efficiency and would be suitable for the power IoT.

1. Introduction

Power IoT is the specific application, implementation and evolution direction of the IoT technology in the power grid [1]. The power IoT can dynamically adjust the whole power grid in an all-round way according to the state data of the equipment which locates in all areas of power grid. For example, the traditional power plants can transform into smart power plants by combing with IoT, artificial intelligence and some other technologies to achieve interconnection and information sharing between equipment and equipment, person and equipment [2].

By the end of 2018, State Grid Corporation of China had accessed 540 million power terminals and basically realized the comprehensive information collection of control operation and electricity metering in the grid [3,4]. With the advancement of the construction of the power IoT, A large number of the IoT terminals would be deployed in the whole areas in power plants, transmission line, power substation, distribution station and consumers to realize the real-time monitoring of the grids. Therefore, the process of designing an efficient authenticated key agreement protocol, achieve identity authentication and develop a key agreement that includes the privacy, integrality and undeniability of communication data with massive power IoT terminals has become a focus in current research.

The authenticated key agreement scheme could be implemented by three cipher systems: PKI, IB-PKC and CL-PKC. In the PKI system, the users or the terminals could implement identity authentication by the digital certificate, which contained the public key, and was issued by the certificate authority (CA). However, with the increase of the users or terminals will bring a heavy burden of management certificate such as certificate generation, issuance, savings, verification, and revocation to the PKI system. The IBC system uses a device’s own unique identifier, such as a CPU or disk code, to replace the digital certificate and solve the PKI system’s complicated certificate management problem [5]. However, in the IB-PKC system, the user’s private key is fully generated by one authoritative private key generator (PKG). Since the PKG has the master key of the system, the entire system is insecure if an attacker obtains the master key of the PKG or the PKG itself is an attacker. The problem of the key escrow existing in the IB-PKC system could be solved in the CL-PKC system. In the CL-PKC system as the users’ keys are co generated by the users and the master key of the trusted key generating center (KGC). Therefore, even if the master key of the system is obtained by an attacker, the attacker cannot obtain the user’s private key.

Compared with the PKI and IB-PKC, the CL-PKC system has critical advantages in certificate management and key escrow. Therefore, this paper proposes a novel authenticated key agreement scheme that could be suitable for the power IoT, which can effectively improve the security of the power IoT and the grids.

In this paper, our main contributions are as follows:

(1)

An efficient authenticated key agreement scheme based on CL-PKC has been proposed, which uses simple point multiplication of elliptic curves to replace complex bilinear pairing to make it simpler and more practical for the terminals with limited computing resources in power IoT.

(2)

The security of the proposed authenticated key agreement scheme has been proved by the the e²CK security model where e²CK security model is more secure and it have defined the authenticated key agreement protocol is secure as long as any secret value of both parities is not disclosed.

(3)

We program and implement the proposed scheme and protocol and make it more applicable for the power IoT, while the performance of other protocols is compared.

In this paper, the introduction and background of the power IoT and CL-PKC are describled in Section 1 and some related works has been summarized in Section 2. Section 3 presents some basic knowledge that would need in the paper as the preliminaries. The detailed design and principle of our proposed scheme based on CL-PKC are introduced in Section 4. The analysis and comparison of the simulation are given in Section 5 and our current and upcoming work have been concluded in Section 6.

2. Related Work

Since Al-Riyami et al., put forward the first concept of CL-PKC [6], many works and researches have been raised to enhance the key agreement scheme based on their work. Mandt et al., pointed out that it is unable to resist temporary key leakage attacks and proposed a new scheme. However, the new scheme was at risk of key compromise impersonation (KCI) [7]. Zhang et al., proposed a modified Bellare-Rogaway (mBR) model applicable to certificateless systems and two-party key agreement protocols based on the IB-PKC and proved it under mBR model [8]. He et al., also presented a novel authenticated key agreement protocol with point multiplication and proved it under the mBR model [9]. Sun et al., proved that the two above schemes were vulnerable, meaning that the session key could be calculated by the adversary who could acquire the ephemeral secret keys in the communication between the two parties [10]. Wu et al., proposed a scheme based on the eCK model, but it was also at risk of a KCI attack [11]. Kim et al., Also bring a two-party CLAKA scheme with pairing-free and proved the secure with the eCK model [12]. Bala et al., reminded that the scheme [12] was vulnerable to KCI attacks [13]. Tu et al., proposed a very reliable and secure authenticated key agreement protocol with pairing-free based on CL-PKC. It is suitable for smart media and mobile environment, while proving its security using the eCK model [14]. Sun et al., also proposed a secure pairing-free authenticated key agreement protocol based on CL-PKC, and the strengthened eCK model was used to prove it, but the scheme had heavy communication and calculation costs because the lengths of the users’ public and private keys were twice as long as those of other schemes [15]. Collen et al., improved the eCK model and presented a one-way two-party authenticated key agreement scheme [16]. Lippold et al., enhanced the eCK model to the e²CK model and proposed an authenticated key agreement scheme under the model to formally prove its security [17]. All of the schemes mentioned above used bilinear pairings; hence, the cost of the calculations was reasonable. Yang et al., proposed a new certificateless model and proposed a two-party agreement scheme under the model [18]. Huang et al., designed a security model of a one-way two-party authentication key agreement that was suitable for the CL-PKC system, and they formally proved its security with the eCK security model. However, the scheme only ensured one-way identity security and exhibited temporary secret value leakage attacks [19].

In terms of the state grid, there has also been much research focused on an authenticated key agreement. For example, State Grid issued a set of standard security access specifications that stipulated that the grid terminals need to use the PKI system and the SM2 digital certificate to complete identity authentication and key agreement in 2014 [20]. Lin et al., proposed an improved safety communication scheme based on [20], which enhanced the security of network communication by adding time stamps and digital signatures to the messages [21]. Tsai et al., proposed a novel authentication protocol which could be applied in the smart grid, but employed bilinear pairing that had a heavy computational cost [22]. Fouda et al., presented a lightweight authentication way for the smart meters in the distributed network with the Diffie-Hellman exchange protocol [23]. However, the scheme leads to high computational complexity. Mahmood et al., pointed out that the scheme is computational expensive and presented one authentication scheme based on the elliptic curve cryptography (ECC) that could implement the mutual identity authentication [24]. Li et al., presented one two-way authentication scheme based on SM2 for the radio frequency identification system and proved it with BAN logic [25]. Li et al., proposed an improved SM2-based key agreement and a mutual identify authentication scheme for smart grid [26]. However, the security schemes above were all achieved by PKI systems, which have complicated certificate management and were not suitable for the power IoT with a large number of terminals. Deng et al., presented a two parties’ authenticated key agreement protocol for smart grids based on CL-PCK [27], and Batamuliza et al., introduced a certificateless “signcryption” for a key distribution scheme in a state grid, but he did not give detailed proofs of the scheme’s security [28].

According to the above analysis, most of the papers used PKI system to achieve the mutual authenticated key agreement in the state grid, but these schemes were not suited for the power IoT with massive terminals and also some certificateless schemes had heavy communication and calculation costs as they used bilinear pairing and exponential operations. So before introducing the proposed scheme, some basic knowledge will be presented in the following section.

3. Preliminaries

In this section, the basis knowledge of ECC and the computational Diffie–Hellman (CDH) assumption will be described as the preliminaries.

3.1. Elliptic Curve

The elliptic curve on the finite field is the set of points. The equation of elliptic curve $\mathrm{E}$ on $\mathrm{FG}\left(\mathrm{p}\right)$ can be expressed as below and p is one prime greater than 3 and $\mathrm{a},\mathrm{b}\in \mathrm{FG}\left(\mathrm{p}\right)$.

$${\mathrm{y}}^2={\mathrm{x}}^3+\mathrm{ax}+\mathrm{b}\left(\mathrm{mod}\mathrm{p}\right)\mathrm{and}4{\mathrm{a}}^3+27{\mathrm{b}}^2\ne 0.$$

Based on the elliptic curve, ECC was proposed to implement the asymmetric encryption and decryption as it can use smaller secret keys while ensuring the same security level. And the security of the ECC is defined by the elliptic curve discrete logarithms (ECDLP) which is a hard number theoretic problem. In the ECDLP, it is difficult to assign one integer $\mathrm{r}\in \left[0,\mathrm{n}-1\right]$ to make $\mathrm{Q}=\left[\mathrm{r}\right]\mathrm{P}$, where n is the order of the elliptic curve, P is one point in the elliptic curve and Q belongs to the cyclic group generated by point P [29].

3.2. CDH Assumption

An algorithm that can solve the CDH problem in polynomial time is a probabilistic turing machine. The algorithm can be presented as below, with the input of a tuple (G, aG, bG) and output the abG according to the input, where G is the generator of the cyclic group P and a, b belongs to ${\mathrm{Z}}_{\mathrm{r}}$ and r is the order of P. The algorithm should be with non-negligible probability. And CDH assumption means that there is no such a probabilistic polynomial time Turing machine to solve the CDH problem [29].

4. Proposed Scheme

In this section, we will introduce the security model and propose a novel authenticated key agreement scheme that can support the two-way authenticated key agreement between the power terminals and management system based on CL-PKC. To prove the security of our proposed scheme under CDH, we now provide the e²CK security model of our proposed scheme based on Lippold [17] before describing the scheme.

4.1. Security Model

The security model defines a security game between adversary $\vartheta$ and simulator $ℬ$. We assume that the set $\mathrm{U}=\left\{{\mathrm{U}}_1,{\mathrm{U}}_2,\dots ,{\mathrm{U}}_{\mathrm{n}}\right\}$ contains the users participating in the authenticated key agreement. Each user has its own private key and public key. The adversary controls the whole channel, and the simulator generates the public parameters and user information, while simulating the operation of the proposed scheme. Session ${\Pi }_{\mathrm{i},\mathrm{j}}^{\mathrm{n}}$ indicates the n’th time of an authenticated key agreement between i and j, and the ID of session ${\Pi }_{\mathrm{i},\mathrm{j}}^{\mathrm{n}}$ refers to the set of messages transmitted in the connection and the public keys of both parties.

Definition 1.

Matched session: Sessions ${\Pi }_{\mathrm{i},\mathrm{j}}^{\mathrm{n}}$ and ${\Pi }_{\mathrm{j},\mathrm{i}}^{\mathrm{s}}$ are matched sessions if their session IDs are the same.

The model will be divided into two stages. Stage 1: In the first stage, the adversary can query the following oracle in any order:

Create (ID_i): $ℬ$ generates the public key and private key for the user ID_i after receiving the oracle;

Reveal_SessionKey (${\Pi }_{\mathrm{i},\mathrm{j}}^{\mathrm{n}}$): $ℬ$ returns the session key of ${\Pi }_{\mathrm{i},\mathrm{j}}^{\mathrm{n}}$ or ⊥ if the session key does not exist and ⊥ means null;

Reveal_Partial_PrivateKey (ID_i): $ℬ$ returns the user’s partial private key of the user ID_i after receiving the oracle;

Reveal_SecretValue (IDi): $ℬ$ returns the secret value of the user ID_i after receiving the oracle;

Replace_PublicKey (ID_i, X’): The public key of the user ID_i will be replaced with X’ by $ℬ$;

Reveal_EphemeralKey (${\Pi }_{\mathrm{i},\mathrm{j}}^{\mathrm{n}}$): $ℬ$ returns the ephemeral key of session ${\Pi }_{\mathrm{i},\mathrm{j}}^{\mathrm{n}}$ after receiving the oracle;

Send (${\Pi }_{\mathrm{i},\mathrm{j}}^{\mathrm{n}}$, M): The adversary $\vartheta$ sends M message to session ${\Pi }_{\mathrm{i},\mathrm{j}}^{\mathrm{n}}$ and obtains the response message according to the proposed scheme.

Stage 2: In the second stage, the adversary will choose one fresh session ${\Pi }_{\mathrm{i},\mathrm{j}}^{\mathrm{n}}$ and query the oracle of Test (${\Pi }_{\mathrm{i},\mathrm{j}}^{\mathrm{n}}$) while the first stage is over.

Definition 2.

Freshness of the session: The session ${\Pi }_{\mathrm{i},\mathrm{j}}^{\mathrm{n}}$ is fresh if

(1) 

${\Pi }_{\mathrm{i},\mathrm{j}}^{\mathrm{n}}$ already has the session key;

(2) 

The adversary does not query the oracle of Reveal_SessionKey in session ${\Pi }_{\mathrm{i},\mathrm{j}}^{\mathrm{n}}$ and matched session ${\Pi }_{\mathrm{j},\mathrm{i}}^{\mathrm{s}}$ of ${\Pi }_{\mathrm{i},\mathrm{j}}^{\mathrm{n}}$;

(3) 

Neither of the two parties involved in session ${\Pi }_{\mathrm{i},\mathrm{j}}^{\mathrm{n}}$ is fully exposed.

Test (${\Pi }_{\mathrm{i},\mathrm{j}}^{\mathrm{n}}$): The oracle chooses $\mathsf{\beta }\in \left\{0,1\right\}$ randomly and computes the session key of ${\Pi }_{\mathrm{i},\mathrm{j}}^{\mathrm{n}}$ if $\mathsf{\beta }=0$ or one random value as the session key if $\mathsf{\beta }=1$.

The adversary can repeat the above queries, but the session must be kept fresh. After finishing the game, the adversary must submit a guess value ${\mathsf{\beta }}^{\prime }\in \left\{0,1\right\}$. The adversary wins the game if ${\mathsf{\beta }}^{\prime }=\mathsf{\beta }$, with the advantage is defined as $\mathrm{Adv}\left(\mathrm{k}\right)=\left|\mathrm{Pr}[{\mathsf{\beta }}^{\prime }=\mathsf{\beta }]-\frac{1}{2}\right|$. The authenticated key agreement model could be secure if the advantage Adv (k) is negligible.

4.2. Proposed Scheme

Our proposed scheme consists of five parts as below: initialization, private key generation, public key generation and key agreement. The detailed description of the scheme is as follows.

1.

Initialization

This function is mainly responsible for generating some public parameters for the scheme by KGC; KGC chooses one elliptic curve E which has been defined in above and selects one random value $\mathrm{s}\in {\mathrm{Z}}_{\mathrm{r}}$ as the master secret key to generate the master public key ${\mathrm{P}}_{\mathrm{pub}}=\mathrm{s}*\mathrm{G}$ and two hash function H₁ and H₂ are chosen for the public parameters where ${\mathrm{H}}_1:{\left\{0,1\right\}}^{*}\to {\mathrm{Z}}_{\mathrm{r}}^{*}$ could map the users’ identity to the elements in ${\mathrm{Z}}_{\mathrm{r}}$, and hash function ${\mathrm{H}}_2:\left\{0,1\right\}\to {\left\{0,1\right\}}^{\mathrm{k}}$ is chosen to compute the session key. The public parameter is $\mathrm{PP}=\left\{\mathrm{GF}\left(\mathrm{q}\right),\mathrm{G},\mathrm{E},{\mathrm{P}}_{\mathrm{pub}},{\mathrm{H}}_1,{\mathrm{H}}_2\right\}$, and the KGC exposes the $\mathrm{PP}$ to all users in the system.

2.

Partial Private Key Generation

The KGC computes the partial private key ${\mathrm{d}}_{\mathrm{i}}={\mathrm{sH}}_1\left({\mathrm{ID}}_{\mathrm{i}}\right)$, while user i sends its ID_i to the KGC and returns the key to the user through the secret channel.

3.

Private Key Generation

User i selects one random value ${\mathrm{x}}_{\mathrm{i}}\in {\mathrm{Z}}_{\mathrm{r}}$ and composes the private key ${\mathrm{s}}_{\mathrm{i}}=\left({\mathrm{x}}_{\mathrm{i}},{\mathrm{d}}_{\mathrm{i}}\right)$ where the partial private key ${\mathrm{d}}_{\mathrm{i}}$ is from the KGC.

4.

Public Key Generation

The user i takes ${\mathrm{X}}_{\mathrm{i}}={\mathrm{x}}_{\mathrm{i}}\mathrm{G}$ as its public key.

5.

Key Agreement

User A with identity ID_A and user B with identity ID_B can establish the connection and obtain the same session key after finishing the following steps:

(1)

User A chooses one random ephemeral key ${\mathrm{t}}_{\mathrm{A}}\in {\mathrm{Z}}_{\mathrm{r}}$ and sends (ID_A, X_A, T_A) to B, where ${\mathrm{T}}_{\mathrm{A}}={\mathrm{t}}_{\mathrm{A}}\mathrm{G}$ and X_A is the public key described above.

(2)

After receiving the message (ID_A, X_A, T_A) from A, user B also chooses one random ephemeral key ${\mathrm{t}}_{\mathrm{B}}\in {\mathrm{Z}}_{\mathrm{r}}$ and sends (ID_B, X_B, T_B) to A.

(3)

B computes ${\mathrm{K}}_{\mathrm{BA}}^1=\left({\mathrm{t}}_{\mathrm{B}}+{\mathrm{s}}_{\mathrm{B}}\right)\left({\mathrm{T}}_{\mathrm{A}}+{\mathrm{X}}_{\mathrm{A}}+{\mathrm{H}}_1\left({\mathrm{ID}}_{\mathrm{A}}\right){\mathrm{P}}_{\mathrm{pub}}\right)$ and ${\mathrm{K}}_{\mathrm{BA}}^2={\mathrm{t}}_{\mathrm{B}}{\mathrm{T}}_{\mathrm{A}}$, while also obtaining the session key ${\mathrm{sk}}_{\mathrm{BA}}={\mathrm{H}}_2\left({\mathrm{ID}}_{\mathrm{A}}\left|\left|{\mathrm{ID}}_{\mathrm{B}}\right|\right|{\mathrm{T}}_{\mathrm{A}}\left|\left|{\mathrm{T}}_{\mathrm{B}}\right|\right|{\mathrm{K}}_{\mathrm{BA}}^1\parallel {\mathrm{K}}_{\mathrm{BA}}^2\right)$.

(4)

When receiving the message from B, A will compute ${\mathrm{K}}_{\mathrm{AB}}^1=\left({\mathrm{t}}_{\mathrm{A}}+{\mathrm{s}}_{\mathrm{A}}\right)\left({\mathrm{T}}_{\mathrm{B}}+{\mathrm{X}}_{\mathrm{B}}+{\mathrm{H}}_1\left({\mathrm{ID}}_{\mathrm{B}}\right){\mathrm{P}}_{\mathrm{pub}}\right)$ and ${\mathrm{K}}_{\mathrm{AB}}^2={\mathrm{t}}_{\mathrm{A}}{\mathrm{T}}_{\mathrm{B}}$, while obtaining the session key ${\mathrm{sk}}_{\mathrm{AB}}={\mathrm{H}}_2\left({\mathrm{ID}}_{\mathrm{A}}\parallel {\mathrm{ID}}_{\mathrm{B}}\parallel {\mathrm{T}}_{\mathrm{A}}\parallel {\mathrm{T}}_{\mathrm{B}}\parallel {\mathrm{K}}_{\mathrm{AB}}^1\parallel {\mathrm{K}}_{\mathrm{AB}}^2\right)$.

Figure 1 shows the complete processes of authentication and key agreement of the proposed scheme.

SK_AB and SK_BA can be calculated as follows to prove the correctness of the proposed scheme if ${\mathrm{SK}}_{\mathrm{BA}}={\mathrm{SK}}_{\mathrm{AB}}$:

$$\begin{array}{l}{\mathrm{K}}_{\mathrm{AB}}^1=\left({\mathrm{t}}_{\mathrm{A}}+{\mathrm{s}}_{\mathrm{A}}\right)\left({\mathrm{T}}_{\mathrm{B}}+{\mathrm{X}}_{\mathrm{B}}+{\mathrm{H}}_1\left({\mathrm{ID}}_{\mathrm{B}}\right){\mathrm{P}}_{\mathrm{pub}}\right)\\ =\left({\mathrm{t}}_{\mathrm{A}}+{\mathrm{s}}_{\mathrm{A}}\right)\left({\mathrm{t}}_{\mathrm{B}}+{\mathrm{x}}_{\mathrm{B}}+{\mathrm{H}}_1\left({\mathrm{ID}}_{\mathrm{B}}\right)\mathrm{s}\right)\mathrm{G}\\ =\left({\mathrm{t}}_{\mathrm{B}}+{\mathrm{s}}_{\mathrm{B}}\right)\left({\mathrm{T}}_{\mathrm{A}}+{\mathrm{X}}_{\mathrm{A}}+{\mathrm{H}}_1\left({\mathrm{ID}}_{\mathrm{A}}\right){\mathrm{P}}_{\mathrm{pub}}\right)\\ ={\mathrm{K}}_{\mathrm{BA}}^1\\ {\mathrm{K}}_{\mathrm{AB}}^2={\mathrm{t}}_{\mathrm{A}}{\mathrm{T}}_{\mathrm{B}}={\mathrm{t}}_{\mathrm{A}}{\mathrm{t}}_{\mathrm{B}}\mathrm{G}={\mathrm{t}}_{\mathrm{B}}{\mathrm{T}}_{\mathrm{A}}={\mathrm{K}}_{\mathrm{BA}}^2\end{array}$$

Thus, the two parities can transmit data with the same session key for the subsequent communication.

4.3. Security Analysis

We will demonstrate the proposed scheme is secure under the CDH assumption and random oracle, with a security game where the simulator can query the value that cannot be calculated through the CDH assumption and the adversary’s interaction with the random oracles in this section. For example, the simulator cannot obtain x_AT_B without x_A, t_B. At this point, the simulator can judge $\mathrm{CDH}\left({\mathrm{X}}_{\mathrm{A}},{\mathrm{T}}_{\mathrm{B}},{\mathrm{x}}_{\mathrm{A}}{\mathrm{T}}_{\mathrm{B}}\right)=1$ in $K_{AB}^1$ by the H₂ oracle queried by the adversary.

Theorem 1.

In the case of benign adversaries and random oracles, the two matched oracles will always obtain the same session key, and the key is evenly distributed in {0,1}.

Proof of Theorem 1.

A and B can obtain the same session key as the proposed scheme defined in Section 4.2. K¹ and K² are randomly generated as the ephemeral keys, while t_A and t_B are random values. Therefore, the session key SK is evenly distributed in {0,1} based on the random H₂ oracle. □

Theorem 2.

If the adversary has the advantage Adv (k) to win the game, then we can find a simulator that can solve the CDH problem with the advantage $\frac{1}{4m{p}^2}Adv\left(k\right)$ at least. m is the number of sessions and p is the number of users.

Proof of Theorem 2.

The simulator is constructed to solve abG under the CDH problem with the input (aG, bG). Before the game, the simulator needs to choose the two parties A and B, where A and B are the users that query the H₁ oracle for the i’th and j’th times and $\mathrm{i},\mathrm{j}\in \left\{1,\cdots ,\mathrm{m}\right\}$ when $\mathrm{i}\ne \mathrm{j}$. Then, $ℬ$ generates the public parameters PP and sends them to the adversary $\vartheta$. We complete the security proof by classifying the information that was not disclosed in the game. Thus, the following four cases should be considered:

Case 1: The adversary can not obtain the private key x_A and x_B.

In this case, the simulator $ℬ$ sets ${\mathrm{X}}_{\mathrm{A}}=\mathrm{aG}$ and ${\mathrm{X}}_{\mathrm{B}}=\mathrm{bG}$ to guess the test session ${\Pi }_{\mathrm{A},\mathrm{B}}^{\mathrm{T}}$ with an advantage of more than 1/mp². According to the security model, the simulator will answer the queries of the following oracles:

H₁ (ID_i, R_i): $ℬ$ maintains an empty list L_H1 (ID_i, R_i, r_i), $ℬ$ returns r_i if (ID_i, R_i) exists in L_H1 or returns a random r_i and adds ${\mathrm{R}}_{\mathrm{i}}={\mathrm{r}}_{\mathrm{i}}\mathrm{G}$ to L_H1.

Create (ID_i): $ℬ$ maintains an empty list L_create (ID_i, x_i, d_i, X_i); if ${\mathrm{ID}}_{\mathrm{i}}={\mathrm{ID}}_{\mathrm{A}}$, $ℬ$ sets ${\mathrm{x}}_{\mathrm{A}}=\perp$ and computes ${\mathrm{d}}_{\mathrm{A}}={\mathrm{sH}}_1\left({\mathrm{ID}}_{\mathrm{A}}\right)$ and ${\mathrm{X}}_{\mathrm{A}}=\mathrm{aG}$; if ${\mathrm{ID}}_{\mathrm{i}}={\mathrm{ID}}_{\mathrm{B}}$, $ℬ$ sets ${\mathrm{x}}_{\mathrm{B}}=\perp$ and computes ${\mathrm{d}}_{\mathrm{B}}={\mathrm{sH}}_1\left({\mathrm{ID}}_{\mathrm{B}}\right)$ and ${\mathrm{X}}_{\mathrm{B}}=\mathrm{bG}$. Otherwise, $ℬ$ chooses the random xi and computes ${\mathrm{d}}_{\mathrm{i}}={\mathrm{sH}}_1\left({\mathrm{ID}}_{\mathrm{i}}\right)$ and ${\mathrm{X}}_{\mathrm{i}}={\mathrm{x}}_{\mathrm{i}}\mathrm{G}$, then adds (ID_i, x_i, d_i, X_i) to the list L_create.

Reveal_Partial_PrivateKey (ID_i): $ℬ$ looks up the tuple (ID_i, x_i, d_i, X_i) from L_create and returns d_i.

Reveal_SecretValue (ID_i): $ℬ$ looks up the tuple (ID_i, x_i, d_i, X_i) from L_create and returns x_i where ${\mathrm{ID}}_{\mathrm{i}}={\mathrm{ID}}_{\mathrm{A}}$, ID_B and ${\mathrm{X}}_{\mathrm{i}}={\mathrm{x}}_{\mathrm{i}}\mathrm{G}$ or returns ⊥.

Replace_PublicKey (ID_i, X’): $ℬ$ looks up the tuple (ID_i, x_i, d_i, X_i) from L_create and replaces X’ with X_i if ${\mathrm{ID}}_{\mathrm{i}}\ne {\mathrm{ID}}_{\mathrm{A}}$, ID_B or return ⊥ if it cannot find the tuple.

Reveal_SessionKey (${\Pi }_{\mathrm{i},\mathrm{j}}^{\mathrm{n}}$): $ℬ$ looks up the tuple (${\Pi }_{\mathrm{i},\mathrm{j}}^{\mathrm{n}}$, ID_i, ID_j, X_i, X_j, T_i, T_j, t_ij, SK_ij) from L_send and returns SK_ij if SK_ij exists. If the ${\mathrm{SK}}_{\mathrm{ij}}=\perp$ and the tuple exists, then look up the tuple (ID_i, ID_j, X_i, X_j, T_i, T_j, $K_{ij}^1$, $K_{ij}^2$, h_i) from L_H2 where ${\mathrm{ID}}_{\mathrm{i}}={\mathrm{ID}}_{\mathrm{A}}$, ${\mathrm{ID}}_{\mathrm{j}}={\mathrm{ID}}_{\mathrm{B}}$, ${\mathrm{X}}_{\mathrm{i}}={\mathrm{X}}_{\mathrm{A}}$, ${\mathrm{X}}_{\mathrm{j}}={\mathrm{X}}_{\mathrm{B}}$, ${\mathrm{T}}_{\mathrm{i}}={\mathrm{T}}_{\mathrm{A}}$, ${\mathrm{T}}_{\mathrm{j}}={\mathrm{T}}_{\mathrm{B}}$, which returns h_i as SK_ij.

Send (${\Pi }_{\mathrm{i},\mathrm{j}}^{\mathrm{n}}$, M): $ℬ$ maintains an empty list L_send (${\Pi }_{\mathrm{i},\mathrm{j}}^{\mathrm{n}}$, ID_i, ID_j, X_i, X_j, T_i, T_j, t_ij, SK_ij), and the elements (ID_i, X_i, T_i) and (ID_j, X_j, T_j) represent the messages sent and received by ID_i. $ℬ$ looks up the tuples (ID_i, x_i, d_i, X_i) and (ID_j, x_j, d_j, X_j) from L_create. If $\mathrm{M}=\mathsf{\lambda }$, which means that this is the new session created by ${\Pi }_{\mathrm{i},\mathrm{j}}^{\mathrm{n}}$, $ℬ$ chooses a random ${\mathrm{t}}_{\mathrm{i}}^{\prime }$ as t_ij and computes ${\mathrm{T}}_{\mathrm{i}}={\mathrm{t}}_{\mathrm{i}}^{\prime }\mathrm{G}$, and adds (${\Pi }_{\mathrm{i},\mathrm{j}}^{\mathrm{n}}$, ID_i, ID_j, X_i, X_j, T_i, T_j, t_ij, SK_ij) into L_send, where ${\mathrm{SK}}_{\mathrm{ij}}=\perp$. Otherwise, if $\mathrm{M}\ne \mathsf{\lambda }$, let ${\mathrm{SK}}_{\mathrm{ij}}=\perp$ and ${\mathrm{t}}_{\mathrm{ij}}=\perp$, ${\mathrm{T}}_{\mathrm{j}}=\mathrm{M}$, ${\mathrm{ID}}_{\mathrm{i}}={\mathrm{ID}}_{\mathrm{B}}$, ${\mathrm{ID}}_{\mathrm{j}}={\mathrm{ID}}_{\mathrm{A}}$, ${\mathrm{X}}_{\mathrm{i}}={\mathrm{X}}_{\mathrm{B}}$, ${\mathrm{X}}_{\mathrm{j}}={\mathrm{X}}_{\mathrm{A}}$, then add the tuple into L_send.

Reveal_EphemeralKey (${\Pi }_{\mathrm{i},\mathrm{j}}^{\mathrm{n}}$): $ℬ$ looks up the tuple (${\Pi }_{\mathrm{i},\mathrm{j}}^{\mathrm{n}}$, ID_i, ID_j, X_i, X_j, T_i, T_j, t_ij, SK_ij) from L_send and returns t_ij.

H₂ (ID_i, ID_j, X_i, X_j, T_i, T_j, $K_{ij}^1$, $K_{ij}^2$, h_i): $ℬ$ looks up the tuple (ID_i, ID_j, X_i, X_j, T_i, T_j, $K_{ij}^1$, $K_{ij}^2$, h_i) in list L_H2 and returns h_i if the tuple exists, or $ℬ$ looks up the tuple in L_send where ${\mathrm{ID}}_{\mathrm{i}}={\mathrm{ID}}_{\mathrm{A}}$, ${\mathrm{ID}}_{\mathrm{j}}={\mathrm{ID}}_{\mathrm{B}}$, ${\mathrm{X}}_{\mathrm{i}}={\mathrm{X}}_{\mathrm{A}}$, ${\mathrm{X}}_{\mathrm{j}}={\mathrm{X}}_{\mathrm{B}}$, ${\mathrm{T}}_{\mathrm{i}}={\mathrm{T}}_{\mathrm{A}}$, ${\mathrm{T}}_{\mathrm{j}}={\mathrm{T}}_{\mathrm{B}}$, ${\mathrm{SK}}_{\mathrm{AB}}\ne \perp$ and returns SK_AB as h_i. Otherwise, $ℬ$ chooses a random h_i and returns it to $\vartheta$.

Test (${\Pi }_{\mathrm{i},\mathrm{j}}^{\mathrm{n}}$): If ${\Pi }_{\mathrm{i},\mathrm{j}}^{\mathrm{n}}={\Pi }_{\mathrm{A},\mathrm{B}}^{\mathrm{T}}$, $ℬ$ outputs a random $\mathsf{\beta }\in \left\{0,1\right\}$. If $\vartheta$ wins the game, the H₂ oracle must have been issued; thus, $ℬ$ can find the corresponding tuple with the correct elements of K¹ in L_H2 with a probability of at least 1/4. Then, $ℬ$ computes $\mathrm{abG}=\left({\mathrm{K}}_{\mathrm{AB}}^1-\left({\mathrm{t}}_{\mathrm{A}}+{\mathrm{s}}_{\mathrm{A}}\right)\left({\mathrm{T}}_{\mathrm{B}}+{\mathrm{X}}_{\mathrm{B}}+\mathrm{H}\left(\mathrm{B}\right){\mathrm{P}}_{\mathrm{pub}}\right)-\left({\mathrm{t}}_{\mathrm{B}}+{\mathrm{s}}_{\mathrm{B}}\right){\mathrm{X}}_{\mathrm{A}}\right)$ with ${\mathrm{X}}_{\mathrm{A}}=\mathrm{aG}$ and ${\mathrm{X}}_{\mathrm{B}}=\mathrm{bG}$; therefore, the CDH problem can be solved by $ℬ$ with the non-negligible advantage $\frac{1}{4{\mathrm{mp}}^2}\mathrm{Adv}\left(\mathrm{k}\right)$, which contradicts the CDH assumption.

Case 2: The adversary $\vartheta$ cann not obtain the ephemeral key t_A and the private key x_B.

In this case, the simulator $ℬ$ sets the ephemeral public key ${\mathrm{T}}_{\mathrm{A}}=\mathrm{aG}$ and public key of B ${\mathrm{X}}_{\mathrm{B}}=\mathrm{bG}$ to guess the test session ${\Pi }_{\mathrm{A},\mathrm{B}}^{\mathrm{T}}$ with an advantage of more than 1/mp². According to the security model, the simulator will answer the queries of the following oracles:

H₁ (ID_i, R_i): Same as $\mathrm{the}$ H₁ oracle in case 1.

H₂ (ID_i, ID_j, X_i, X_j, T_i, T_j, $K_{ij}^1$, $K_{ij}^2$, h_i): Same as the $\mathrm{the}$ H₂ oracle in case 1.

Reveal_Partial_PrivateKey (ID_i): Same as $\mathrm{the}$ Reveal_Partial_PrivateKey oracle in case 1.

Reveal_SessionKey (${\Pi }_{\mathrm{i},\mathrm{j}}^{\mathrm{n}}$): Same as the Reveal_SessionKey oracle in case 1.

Create (ID_i): $ℬ$ maintains an empty list L_create (ID_i, x_i, d_i, X_i). If ${\mathrm{ID}}_{\mathrm{i}}\ne {\mathrm{ID}}_{\mathrm{B}}$, $ℬ$ chooses the random x_i and computes ${\mathrm{d}}_{\mathrm{i}}={\mathrm{sH}}_1\left({\mathrm{ID}}_{\mathrm{i}}\right)$ and ${\mathrm{X}}_{\mathrm{i}}={\mathrm{x}}_{\mathrm{i}}\mathrm{G}$, or lets ${\mathrm{x}}_{\mathrm{B}}=\perp$ and computes ${\mathrm{d}}_{\mathrm{B}}={\mathrm{sH}}_1\left({\mathrm{ID}}_{\mathrm{B}}\right)$, ${\mathrm{X}}_{\mathrm{B}}=\mathrm{bG}$ if ${\mathrm{ID}}_{\mathrm{i}}={\mathrm{ID}}_{\mathrm{B}}$, then adds (ID_i, x_i, d_i, X_i) into the list L_create.

Reveal_SecretValue (ID_i): $ℬ$ looks up the tuple (ID_i, x_i, d_i, X_i) from L_create and returns x_i, where ${\mathrm{ID}}_{\mathrm{i}}\ne {\mathrm{ID}}_{\mathrm{B}}$ and ${\mathrm{X}}_{\mathrm{i}}={\mathrm{x}}_{\mathrm{i}}\mathrm{G}$.

Replace_PublicKey (ID_i, X’): $ℬ$ looks up the tuple (ID_i, x_i, d_i, X_i) from L_create and replaces X’ with X_i if ${\mathrm{ID}}_{\mathrm{i}}\ne {\mathrm{ID}}_{\mathrm{B}}$.

Send (${\Pi }_{\mathrm{i},\mathrm{j}}^{\mathrm{n}}$, M): $ℬ$ looks up the tuples (ID_i, x_i, d_i, X_i) and (ID_j, x_j, d_j, X_j) from L_create. If ${\Pi }_{\mathrm{i},\mathrm{j}}^{\mathrm{n}}={\Pi }_{\mathrm{A},\mathrm{B}}^{\mathrm{T}}$, let ${\mathrm{t}}_{\mathrm{ij}}=\perp$, ${\mathrm{SK}}_{\mathrm{ij}}=\perp$ and ${\mathrm{T}}_{\mathrm{i}}=\mathrm{aG}$, then add (${\Pi }_{\mathrm{i},\mathrm{j}}^{\mathrm{n}}$, ID_i, ID_j, X_i, X_j, T_i, T_j, t_ij, SK_ij) into L_send; or if ${\Pi }_{\mathrm{i},\mathrm{j}}^{\mathrm{n}}\ne {\Pi }_{\mathrm{A},\mathrm{B}}^{\mathrm{T}}$, with the case $\mathrm{M}=\mathsf{\lambda }$, $ℬ$ chooses a random ${\mathrm{t}}_{\mathrm{i}}^{\prime }$ as t_ij and computes ${\mathrm{T}}_{\mathrm{i}}={\mathrm{t}}_{\mathrm{i}}^{\prime }\mathrm{G}$, then adds (${\Pi }_{\mathrm{i},\mathrm{j}}^{\mathrm{n}}$, ID_i, ID_j, X_i, X_j, T_i, T_j, t_ij, SK_ij) into L_send, where ${\mathrm{SK}}_{\mathrm{ij}}=\perp$, ${\mathrm{ID}}_{\mathrm{i}}={\mathrm{ID}}_{\mathrm{A}}$, ${\mathrm{ID}}_{\mathrm{j}}={\mathrm{ID}}_{\mathrm{B}}$, ${\mathrm{X}}_{\mathrm{i}}={\mathrm{X}}_{\mathrm{A}}$, ${\mathrm{X}}_{\mathrm{j}}={\mathrm{X}}_{\mathrm{B}}$. Otherwise, if $\mathrm{M}\ne \mathsf{\lambda }$, let ${\mathrm{SK}}_{\mathrm{ij}}=\perp$, ${\mathrm{t}}_{\mathrm{ij}}=\perp$, ${\mathrm{T}}_{\mathrm{j}}=\mathrm{M}$, ${\mathrm{ID}}_{\mathrm{i}}={\mathrm{ID}}_{\mathrm{B}}$, ${\mathrm{ID}}_{\mathrm{j}}={\mathrm{ID}}_{\mathrm{A}}$, ${\mathrm{X}}_{\mathrm{i}}={\mathrm{X}}_{\mathrm{B}}$, ${\mathrm{X}}_{\mathrm{j}}={\mathrm{X}}_{\mathrm{A}}$, then add the tuple into L_send.

Reveal_EphemeralKey (${\Pi }_{\mathrm{i},\mathrm{j}}^{\mathrm{n}}$): If ${\Pi }_{\mathrm{i},\mathrm{j}}^{\mathrm{n}}\ne {\Pi }_{\mathrm{A},\mathrm{B}}^{\mathrm{T}}$, $ℬ$ looks up the tuple (${\Pi }_{\mathrm{i},\mathrm{j}}^{\mathrm{n}}$, ID_i, ID_j, X_i, X_j, T_i, T_j, t_ij, SK_i) from L_send and returns t_ij.

Test (${\Pi }_{\mathrm{i},\mathrm{j}}^{\mathrm{n}}$): If ${\Pi }_{\mathrm{i},\mathrm{j}}^{\mathrm{n}}={\Pi }_{\mathrm{A},\mathrm{B}}^{\mathrm{T}}$, $ℬ$ outputs a random $\mathsf{\beta }\in \left\{0,1\right\}$. If $\vartheta$ wins the game, the H₂ oracle must have been issued; thus, $ℬ$ can find the corresponding tuple with the correct elements of K¹ in L_H2 with a probability of at least 1/4. Then, $ℬ$ computes $\mathrm{abG}=\left({\mathrm{K}}_{\mathrm{AB}}^1-\left({\mathrm{x}}_{\mathrm{A}}+{\mathrm{s}}_{\mathrm{A}}\right)\left({\mathrm{T}}_{\mathrm{B}}+{\mathrm{X}}_{\mathrm{B}}+\mathrm{H}\left(\mathrm{B}\right){\mathrm{P}}_{\mathrm{pub}}\right)-\left({\mathrm{x}}_{\mathrm{B}}+{\mathrm{s}}_{\mathrm{B}}\right){\mathrm{T}}_{\mathrm{A}}\right)$ with ${\mathrm{T}}_{\mathrm{A}}=\mathrm{aG}$ and ${\mathrm{X}}_{\mathrm{B}}=\mathrm{bG}$; therefore, the CDH problem can be solved by $ℬ$ with the non-negligible advantage $\frac{1}{4{\mathrm{mp}}^2}\mathrm{Adv}\left(\mathrm{k}\right)$, which contradicts the CDH assumption.

Case 3: The adversary can not obtain the private key x_A and the ephemeral key t_B.

Case 3 is symmetric to case 2, and we will not give the details here to save space.

Case 4: The adversary can not obtain the ephemeral key t_A and t_B.

In this case, the simulator $ℬ$ sets the ephemeral public key ${\mathrm{T}}_{\mathrm{A}}=\mathrm{aG}$ and ${\mathrm{T}}_{\mathrm{B}}=\mathrm{bG}$ to guess the test session ${\Pi }_{\mathrm{A},\mathrm{B}}^{\mathrm{T}}$ with an advantage of more than 1/mp². According to the security model, the simulator will answer the queries of the following oracles.

H₁ (ID_i, R_i): Same as $\mathrm{the}$ H₁ oracle in case 1.

H₂ (ID_i, ID_j, X_i, X_j, T_i, T_j, $K_{ij}^1$, $K_{ij}^2$, h_i): Same as the $\mathrm{the}$ H₂ oracle in case 1.

Reveal_Partial_PrivateKey (ID_i): Same as $\mathrm{the}$ Reveal_Partial_PrivateKey oracle in case 1.

Reveal_SessionKey (${\Pi }_{\mathrm{i},\mathrm{j}}^{\mathrm{n}}$): Same as the Reveal_SessionKey oracle in case 1.

Replace_PublicKey (ID_i, X’): Same as the Replace_PublicKey oracle in case 1.

Create (ID_i): $ℬ$ maintains an empty list L_create (ID_i, x_i, d_i, X_i); if ${\mathrm{ID}}_{\mathrm{i}}\ne {\mathrm{ID}}_{\mathrm{A}}$, IDB, $ℬ$ chooses the random x_i and computes ${\mathrm{d}}_{\mathrm{i}}={\mathrm{sH}}_1\left({\mathrm{ID}}_{\mathrm{i}}\right)$ and ${\mathrm{X}}_{\mathrm{i}}={\mathrm{x}}_{\mathrm{i}}\mathrm{G}$; if ${\mathrm{ID}}_{\mathrm{i}}={\mathrm{ID}}_{\mathrm{A}}$, $ℬ$ chooses the random x_i and computes ${\mathrm{d}}_{\mathrm{A}}={\mathrm{sH}}_1\left({\mathrm{ID}}_{\mathrm{i}}\right)$ and ${\mathrm{X}}_{\mathrm{A}}={\mathrm{x}}_{\mathrm{i}}\mathrm{G}$; if ${\mathrm{ID}}_{\mathrm{i}}={\mathrm{ID}}_{\mathrm{B}}$, $ℬ$ chooses the random x_i and computes ${\mathrm{d}}_{\mathrm{B}}={\mathrm{sH}}_1\left({\mathrm{ID}}_{\mathrm{i}}\right)$ and ${\mathrm{X}}_{\mathrm{B}}={\mathrm{x}}_{\mathrm{i}}\mathrm{G}$; then, adds (ID_i, x_i, d_i, X_i) into the list L_create.

Reveal_SecretValue (ID_i): $ℬ$ looks up the tuple (ID_i, x_i, d_i, X_i) from L_create and returns x_i.

Send (${\Pi }_{\mathrm{i},\mathrm{j}}^{\mathrm{n}}$, M): $ℬ$ looks up the tuples (ID_i, x_i, d_i, X_i) and (ID_j, x_j, d_j, X_j) from L_create. If ${\Pi }_{\mathrm{i},\mathrm{j}}^{\mathrm{n}}={\Pi }_{\mathrm{A},\mathrm{B}}^{\mathrm{T}}$, let ${\mathrm{t}}_{\mathrm{ij}}=\perp$, ${\mathrm{SK}}_{\mathrm{ij}}=\perp$ and ${\mathrm{T}}_{\mathrm{i}}=\mathrm{aG}$, then add (${\Pi }_{\mathrm{i},\mathrm{j}}^{\mathrm{n}}$, ID_i, ID_j, X_i, X_j, T_i, T_j, t_ij, SK_ij) into L_send; or if ${\Pi }_{\mathrm{i},\mathrm{j}}^{\mathrm{n}}$ is the matched session of ${\Pi }_{\mathrm{A},\mathrm{B}}^{\mathrm{T}}$, let ${\mathrm{t}}_{\mathrm{ji}}=\perp$, ${\mathrm{SK}}_{\mathrm{ji}}=\perp$ and ${\mathrm{T}}_{\mathrm{j}}=\mathrm{bG}$, then add (${\Pi }_{\mathrm{i},\mathrm{j}}^{\mathrm{n}}$, ID_i, ID_j, X_i, X_j, T_i, T_j, t_ij, SK_ij) into L_send.

Test (${\Pi }_{\mathrm{i},\mathrm{j}}^{\mathrm{n}}$): If ${\Pi }_{\mathrm{i},\mathrm{j}}^{\mathrm{n}}={\Pi }_{\mathrm{A},\mathrm{B}}^{\mathrm{T}}$, $ℬ$ outputs a random $\mathsf{\beta }\in \left\{0,1\right\}$. If $\vartheta$ wins the game, the H₂ oracle must have been issued; thus, $ℬ$ can find the corresponding tuple with the correct elements of K² in L_H2 with a probability of at least 1/4. Then, $ℬ$ computes $\mathrm{abG}=\left({\mathrm{K}}_{\mathrm{AB}}^2-{\mathrm{t}}_{\mathrm{A}}{\mathrm{T}}_{\mathrm{B}}\right)$ with ${\mathrm{T}}_{\mathrm{A}}=\mathrm{aG}$ and ${\mathrm{T}}_{\mathrm{B}}=\mathrm{bG}$; therefore, the CDH problem can be solved by $ℬ$ with the non-negligible advantage $\frac{1}{4{\mathrm{mp}}^2}\mathrm{Adv}\left(\mathrm{k}\right)$, which contradicts the CDH assumption. From the above theories, we can conclude that the proposed scheme is a secure authenticated key agreement model based on CL-PKC. □

5. Performance Analysis

The terminals of power IoT need to carry a lot of data acquisition and business computing and most of them are embedded systems with limited CPU and memory resource. The performance of the proposed scheme should be considered according to the actual application scenarios. So in this section, the comparison and analysis of the security model and computation and communication cost with the previous schemes and the proposed scheme will be presented in a detailed account in

Table 1. Comparison of the schemes.

Scheme	Computation Cost	Communication Cost	Security Model
Zhang [8]	1P + 5S + 1H	|ID| + 2$\left|\mathrm{G}\right|$	mBR
He [9]	5S + 2H	|ID| + 3$\left|\mathrm{G}\right|$	mBR
Wu [11]	7S + 2H	|ID| + 4$\left|\mathrm{G}\right|$	e2CK
Tu [14]	5S + 4H	|ID| + 2$\left|\mathrm{G}\right|$	e2CK
Sun [15]	12S + 7H	|ID| + 2$\left|\mathrm{G}\right|$	eCK
Lippold [17]	10P + 6S + 4E + 3H	|ID| + 2$\left|\mathrm{G}\right|$	e2CK
Deng [27]	4S + 3H	|ID| + 2$\left|\mathrm{G}\right|$	eCK
Our scheme	3S + 1H	|ID| + 2$\left|{\mathrm{G}}^{\prime }\right|$	e2CK

.

The computational cost is measured by point multiplication S, exponential operation E, bilinear pairing P and hash operation H. And as a comparison, the computation cost of P operation is two or three times higher than S operation with the same elliptic curve [30]. The proposed scheme only needs three S operations and one hash operation in one round, and it has obvious advantages over other schemes.

As the both parties of the schemes need to communicate and exchange data, the communication cost should consider the length of the necessary messages and the integrity of the communication. In the above schemes, we summarize the message as IDs, public keys and ephemeral keys. The other schemes choose a 1024 bits Group G with order $\mathrm{r}$, where r is 512 bits and we use $\left|\mathrm{G}\right|$ to identify the size of Group G. Consequently, the size of the point is 2$\left|\mathrm{G}\right|$ and |ID| has 16 bits. However, the elliptic curve used in the proposed schemes is 256 bits, and the size of the point is 2$\left|{\mathrm{G}}^{\prime }\right|$ (512 bits) where $\left|{\mathrm{G}}^{\prime }\right|$ is the size of the group in our elliptic curve.

In addition, in order to meet the application requirements of the power IoT, we use three gateways with Intel Xeon E3 CPU at 3.4 GHz and 8 GB memory to build the test network topology that depicted in Figure 2. The terminal simulator server and security gateway are the two parities of the communication and we program the test routines with C programming language and Openssl libraries which have implemented the algorithms of point multiplication. The power IoT management system is designed to be responsible for the interaction of business data with the terminals that have completed the authentication. As a comparison, we also implement the key agreement protocol used in the voltage monitoring device of the state grid, as well as some of the other improved versions based on it.

To ensure the integrity and the confidentiality of the proposed scheme and the communications, we encrypt and sign the messages with the standard SM2 algorithm [31,32]. A confirmation step is added to ensure the reliability of the session key. In addition, we add the time stamps in the message to keep the freshness of the session, thus resisting replay attacks and making protocols more robust with some other flags. The pseudo codes are below:

(1)

Terminal A sends the request of a key agreement to a security gateway B;

//Encrypt data

Create_EcPoint (PP, t_A, T_A);

Get_CurrentTime (Time_A);

Sm2_Encrypt (ID_B, ID_A + X_A + T_A + Time_A, Buffer + 40);

//Pack data

Buffer [TYPE] = 0x01; Buffer[SUBTYPE] = 0x01;

* ((u16 *) (Buffer + LENGTH)) = Change_Int (Length);

* ((u16 *) (Buffer + VER)) = Change_Int (0x0100);

* ((u16 *) (Buffer + SN_REQ)) = Change_Int (8000);

memcpy (Buffer + IDX_SIM_CARD_ID, SIM_ID, 16);

memcpy (Buffer + IDX_DEVICE_ID, CHIP_ID, 16);

TempBuffer = Buffer + Length—64;

//Signature data

Hash (Buffer, Length—64, TempBuffer);

Sm2_Sign (Pri_A,TempBuffer, Buffer + 165);

(2)

The gateway decrypts and verifies the received message, and then sends the response message to A, while the gateway computes the session key using the proposed model.

//Decrypt data

Sm2_Decrypt (Pri_B, Buffer, ID_A + X_A + T_A + Time_A);

//Compare freshness

strcmp (Time_A,Get_CurrentTime (Time));

//Verify

Hash (Buffer, Length—64, TempBuffer);

Sm2_Verify (ID_A, TempBuffer, Buffer + 165);

//Encrypt data

Create_EcPoint (PP, t_B,T_B);

Get_CurrentTime (Time_B);

Sm2_Encrypt (ID_B, ID_B + X_B + T_B + Time_B, Buffer + 40);

//Pack data

Buffer [TYPE] = 0x01; Buffer [SUBTYPE] = 0x02;

* ((u16 *) (Buffer + LENGTH)) = Change_Int (Length);

* ((u16 *) (Buffer + VER)) = Change_Int (0x0100);

* ((u16 *) (Buffer + SN_REQ)) = Change_Int (8001);

TempBuffer = Buffer + Length—64;

//Signature data

Hash (Buffer, Length—64, TempBuffer);

Sm2_Sign (Pri_B, TempBuffer, Buffer + 133);

//Compute the session key

DK = Hash (ID_A + X_A + T_A + K¹_BA + K²_BA, 16);

(3)

The terminal decrypts and verifies the received message and computes the session key, sending the acknowledged message, including the hash value of the session key, to B.

//Decrypt data

Sm2_Decrypt (Pri_A, Buffer, ID_B + X_B + T_B + Time_B);

//Compare freshness

strcmp (Time_B, Get_CurrentTime (Time));

//Verify

Hash (Buffer, Length—64, TempBuffer);

Sm2_Verify (ID_B, TempBuffer, Buffer + 133);

//Compute the session key

DK = Hash (ID_B + X_B + T_B + K¹_AB + K²_AB, 16);

//Pack data

Buffer [TYPE] = 0x01;Buffer [SUBTYPE] = 0x03;

* ((u16 *) (Buffer + LENGTH)) = Change_Int (Length);

* ((u16 *) (Buffer + VER)) = Change_Int (0x0100);

* ((u16 *) (Buffer + SN_REQ)) = Change_Int (8002);

//Hash

Hash (Buffer, Length—32, TempBuffer);

memcpy (Buffer + Length—64, TempBuffer, 32);

(4)

The gateway compares the received hash value and the hash of its own session. The session key will be established if the results are consistent, else the gateway will close the connection.

Figure 3 shows the comparison of the execution time in the proposed scheme and schemes [20,21,26]. We calculate the processing time of security gateway by increasing the number of the simulated concurrency from 1 to 10,000. As the authenticated key agreement protocols used in the other three schemes are implemented by the traditional digital certificates, their execution time and computation cost are much greater than our proposed scheme. Conversely, it also shows that the proposed authenticated key agreement has higher efficiency.

In contrast, the proposed scheme only needs approximately 500 bytes to implement the whole authenticated key agreement, while the other three schemes need at least 1500 bytes for communication. This scheme consumes fewer communication and computing resources, which makes the execution time relatively low, the efficiency higher, and it becomes more suitable for the secure access of mass power IoT terminals.

6. Conclusions

In order to protect the security of the communication in power IoT, this paper proposes a novel authenticated key agreement model based on CL-PKC and simplify the communications to improve the performance of the key agreement protocol according the requirement of power IoT and by uses simple point multiplication of elliptic curves to replace complex bilinear pairing make it is simpler and more practical for the terminals with limited computing resources in power IoT. The proposed scheme has provable security with the e²CK security model under the CDH assumption with detailed proof thereof. Finally, the authenticated key agreement protocol based on the proposed scheme has been programmed and implemented, then the analysis and comparison of the simulation proves that our scheme has higher efficiency.

However, there is also some work that needs to be improved in our scheme. We use the standard SM2 algorithm to perform asymmetric encryption and signature in the key agreement protocol of the test routine. In the future, we could design a certificateless public key encryption and digital signature algorithm based on SM2 and a certificateless key agreement based on SM2, which will be our upcoming research.