Identity-Based Efficient Secure Data Communication Protocol for Hierarchical Sensor Groups in Smart Grid

1. Introduction

With the wide application of machine learning and network technology, the power system has been rapidly developed, forming the idea of the smart grid consisting of multilayer smart sensors. Smart grids leverage and aggregate information collected by sensors to assist in making power management decisions [1,2]. As a new generation of power systems, the smart grid provides users with stable and reliable power services and achieves efficient operation and intelligent management [3,4]. However, since electric power information is relevant to user privacy, data communication among various sensors and the power service center leads to significant security concerns [5].

To achieve efficient communication while guaranteeing data privacy in smart grid systems, existing secure data communication protocols [6,7] combine asymmetric and symmetric encryption algorithms. With the high efficiency of symmetric encryption methods [8,9], sensitive electric data is masked by a predetermined symmetric secret key, which is only accessed by authorized groups. Due to the security of asymmetric encryption methods [10,11], a pair of asymmetric secret keys is utilized to share the symmetric secret key in a smart grid system.

Recently, identity-based encryption is one of the most effective asymmetric encryption methods for authentication among dynamic hierarchical sensor groups [12]. Specifically, the identity-based encryption method utilizes identity information to guarantee that only authorized users can obtain valuable information from ciphertext. Gupta et al. [13] propose an efficient identity-based protocol for authentication in transport systems. Zhao et al. [14] further introduce an identity-based broadcast signcryption scheme in the Internet of Vehicles. Shen et al. [15] focus on security enhancement and present an identity-based higncryption protocol. Particularly, for hierarchical architecture scenario applications, Pavithran et al. [16] propose a blockchain-aided protocol to utilize hierarchical identity-based encryption in the Internet of Things systems and Badar et al. [17] propose an identity-based authentication protocol using the physical unclonable function, particularly for smart grid scenarios.

However, these data encryption methods involve complex computations, such as pairing and modular inversion operations. In practice, smart sensors deployed on the terminal side have limited computing resources, while data communication and collaborative analysis require real-time feedback. To match the requirements of real-time grid data processing, developing a secure data communication protocol with efficiency improvement has become a hot topic.

Additionally, the dynamic sensor group leads to a huge cost for secret group key updates [18], particularly in smart grid scenarios. On the one hand, the dense update frequency of the sensor group has a significant impact on the performance of the smart grid system. On the other hand, the change of group members causes forward and backward security concerns for the secret group key.

Based on the analysis above, this paper proposes an identity-based efficient secure data communication protocol for hierarchical sensor groups in smart grid systems. The main contributions of this paper can be summarized in three aspects:

1. We propose a novel secure data communication protocol for sensor groups in the smart grid system, leveraging the symmetric encryption method to transmit obscured data and the identity-based encryption method to share group secret keys. Identities of authorized users are encoded by bloom filter and a cloud-aided pre-verification procedure is introduced. Efficient authentication is achieved by searching the pre-calculated authentication array table in the cloud server.

2. A dynamic update mechanism of the group secret key is designed corresponding with the proposed protocol for lower resource costs in smart grid scenarios. When the sensor group is changed, the proposed mechanism utilizes lightweight operations to implement dynamic updates of the group secret key, which guarantees forward and backward security for the smart grid system.

3. Theoretical analysis demonstrates that our protocol achieves forward and backward security of a dynamic sensor group and has the capability to resist the replay attack and impersonation attack. Experimental evaluation indicates that our protocol performs better than the state-of-the-art protocols. Specifically, for computation cost, the proposed protocol is 73.94% superior to others on average in the authentication process, 37.77% in the encryption process, and 55.75% in the decryption process. For communication cost, the proposed protocol is 79.98% superior to others on average in the authentication process.

The remainder of this paper is organized as follows: The subsequent section presents current research work relevant to this study. Section 3 introduces the system model. The definition related to this study is detailed in Section 4. Section 5 introduces the specific content of this protocol. Section 6 is the security analysis of this protocol, and Section 7 introduces performance analysis. The concluding section encapsulates the research presented in this paper.

2. Related Works

2.1. Broadcast Encryption Algorithm

Broadcast encryption was first proposed in 1993 [19]. Recently, Boneh et al. [20] proposed a broadcast encryption scheme using bilinear mapping. The private key and ciphertext of the scheme reached the constant level, which supports the anti-collusion attack and proves that the broadcaster could no longer be a trusted authority but any legitimate user. However, the number of users for this solution has been set at the beginning of the solution, and subsequent users cannot be added. Lewko et al. [21] proposed a broadcast encryption scheme that supports the user’s cancellation and non-monotonic mechanism, making the application of broadcast encryption more flexible. However, although the above scheme and subsequent schemes [22,23] realize the advantages of multiple users sharing the same message, they cannot achieve good access control. Kumar [24] et al. proposed a broadcast encryption technology based on threshold and wildcard. This technique uses hidden access policies to provide security for sensitive data broadcast over insecure channels. In addition, for any number of attributes, the technology realizes the fixed-length ciphertext, which greatly reduces the communication overhead and computational complexity. However, the proposed scheme does not consider the direct withdrawal of users and the dynamic addition of users in the system.

2.2. Authentication Protocol

Wazid et al. [25] proposed a three-factor authentication protocol for remote users in a smart grid environment based on renewable energy. The protocol uses one-way hash functions, bitwise OR operations, and ECC operations to achieve lightweight encryption, the protocol supports the dynamic addition of smart sensors, flexibility of password and biometric updates, user anonymity, and non-traceability. Mahmood et al. [26] proposed a lightweight authentication protocol based on ECC, which used ProVerif, an automatic verification tool, to analyze its own security, and adopted Burrows-Abadi-Needham (BAN) logic to prove the completeness and completeness of the protocol. The downside is that the protocol does not support the anonymity of smart sensors. Kumar et al. [27] proposed a lightweight authentication and key agreement protocol that achieves anonymity, integrity, and security based on ECC, symmetric encryption, hash functions, and message authentication codes. Wang et al. [28] proposed a mutual authentication protocol based on edge computing in a smart grid system, which supports efficient conditional anonymity and key management based on blockchain technology. The proposed protocol ensures mutual authentication and anti-replay attacks and supports efficient key renewal and revocation to achieve conditional anonymity with lower computing and communication costs.

2.3. Key Updating Protocol

Group multicast effectively improves the efficiency of group communication. How to generate and update multicast keys efficiently has important practicability and wide application prospects in the smart grid. At present, a large number of group key generation and updating protocols have been proposed, which can be divided into three categories: key updating protocol based on binary key tree, key updating protocol based on multi-fork key tree, and key updating protocol based on polynomial. Lin et al. [29] proposed an M-fork tree key management and digital signature protocol based on elliptic curves. At the time of transmission, the protocol provides several flexible and scalable schemes to manage security issues that dynamically adapt the framework to the rapidly changing IoV topology, speeding up the time to synchronize system key reconstruction and reducing the number of stages to resynchronize system keys. Tan et al. [30] proposed a dynamic key management scheme based on attribute-based encryption. In the vehicular ad hoc network, identity authentication plays an important role in privacy protection. This protocol guarantees non-repudiation and authenticity properties while achieving efficient vehicular communications.

3. System Model

As shown in Figure 1, the system model consists of three entities: cloud server, authorization center, and smart sensor devices.

Cloud server: As one of the components of the power service center, the cloud server has sufficient computing resources and storage capacity, it is responsible for storing ciphertext and performing pre-authentication operations for device access requests.

Authorization center: The authorization center is a trusted entity that is responsible for generating system parameters, public and private key pairs, user keys, and session keys based on the identity of the smart device, authorization center sends them to the smart device. In addition, the authorization center is responsible for the plaintext encryption to generate ciphertext and send it to the cloud server.

Smart sensor device: The smart sensor devices consist of a master station system, gateway devices, and smart sensors. The smart sensor device has limited computing power and storage capabilities, and every device has a public-private key pair, a user key, and a session key. The smart sensor devices use the session key to communicate with the power service center and decrypt the ciphertext using their private keys.

4. Definition

4.1. Bloom Filter

Bloom filter is a random data structure with high special efficiency. The set $S=\{x_1,x_2,\dots ,x_n\}$ is encoded in an array of W bits and the bloom filter determines whether an element x belongs to the set S. The steps to build the (w, m, k, H) -Bloom filter BFS for set S are as follows. First, the set of hash functions $H=\{h_0,h_1,\dots ,h_{k-1}\}$ is selected, where the hash functions $h_0,h_1,\dots ,h_{k-1}$ are independent of each other and have the range $[0,w-1]$, All bits of BFS are then set to 0 initially. Finally, for all $x\in S$and $0\le i\le k-1$, let $BF\left(h_i\left(x\right)\right)=1$. However, the Bloom filter may misjudge when determining whether the element belongs to the set S by mistaking $x\notin S$ for $x\in S$. When it is necessary to determine whether the element y belongs to the set S, simply compute $h_i\left(y\right)(0\le y\le k-1)$ and check $BF\left(h_i\right(y\left)\right)$ whether all values are 1. If the result is not all 1, $y\notin S$, otherwise $y\in S$. The maximum error rate is

$$\epsilon =p^k(1+O({\displaystyle \frac{k}{p}}\sqrt{{\displaystyle \frac{\ln w-klnp}{w}}}\left)\right),$$

where $p=1-{(1-{\displaystyle \frac{1}{w}})}^{km}$ and $\epsilon$ is a negligible function of k.

4.2. Identity-Based Public Key Encryption Algorithm

The identity-based cryptosystem makes use of the bilinear property of elliptic curves, and bilinear pairing is established by the relation between cyclic subgroups of elliptic curves and multiplicative cyclic subgroups of extended domains. When the difficulty of the extended domain discrete logarithm problem is similar to that of the elliptic curve discrete logarithm problem, an efficient and secure identity-based cryptosystem can be constructed. Identity-based data encryption algorithm is defined as follows:

P1 is set as the generator of the elliptic curve addition cyclic group G1, and P2 is the generator of the elliptic curve addition cyclic group G2. H (·) stands for Hash function; Enc (·) and Dec (·) respectively correspond to the operation modes of encryption and decryption. KDF (·) is a function involved in the key derivation process; MAC (·) is the authentication message code that carries the key in the authentication process; e (·) is a bilinear pair.

The cryptographic function $H_1(Z,n)$ takes the bit string Z and an integer n and outputs an integer $h_1\in [1,n-1]$. The cryptographic function $H_2(Z,n)$ takes the bit string Z and an integer n and outputs an integer $h_2\in [1,n-1]$. The key generation center randomly selects $ke\in [1,N-1]$ as mater secret key, and computes $P_{pub}=\left[ke\right]P_1$ in $G_1$ as mater public key. The encryption master key pair is$(ke,Ppub)$. The key generation center is kept secret at ke and publicly available at Ppub. The key generation center chooses and exposes the one-byte private key to generate the function identifier $hid$, The identity of the user A is ${ID}_A$, and generates A's private key $d_A$. The key generation center first computes $t_1=H_1\left({ID}_A\right|\left|hid,N\right)+ke$ in the bounded domain $F_N$. If $t_1=0$, the system needs to re-generate the master private key, compute and expose the master public key, and update the existing user's private key; Otherwise, calculate $t_2=ke\bullet t_1^{-1}$, then calculate $d_A=\left[t_2\right]P_1=[S/(H_1\left({ID}_A\right|\left|hid\right)+s\left)\right]P_1$.

Assume that user A encrypts plaintext and sends it to user B, A computes element $Q_B=[H_1\left({ID}_B|\left|hid,N\right)\right]P_1+P_{pub}$ of the group $G_1$, and then randomly selects $r\in [1,N-1]$, and computes $C_1=\left[r\right]Q_B,$ $g=e\left(P_{pub},P_2\right),w=g^r$. A calculates $K=KDF\left(C_1\right|\left|w\right|\left|{ID}_B\right)$. According to the classification of encryption, there are two ways to encrypt plaintext to generate $C_2$: stream cipher $C_2=M+K$ and block cipher $C_2=Enc(M,K)$. A computes $C_3=MAC(K,C_2)$, and finally obtains the ciphertext $C=C_1\left|\left|C_2\right|\right|C_3.$After receiving the ciphertext, user B calculates $w^{\mathrm{\text{'}}}=e(C_1,{ID}_B)$, $K^{\mathrm{\text{'}}}=KDF\left(C_1\right|\left|w^{\mathrm{\text{'}}}\right|\left|{ID}_B\right)$. According to the classification of encryption, there are two ways to decrypt ciphertext to generate $M^{\mathrm{\text{'}}}$: stream cipher$M^{\mathrm{\text{'}}}=C_2+K_1$ and block cipher$M^{\mathrm{\text{'}}}={Dec(C}_2+K_1$). Finally, B computes $u=MAC(K_2^{\mathrm{\text{'}}},C_2)$. If $u=C_3$, output $M^{\mathrm{\text{'}}}$, otherwise an error is reported.

5. Protocol

This protocol mainly includes 6 steps, which are system initialization, key generation, data encryption, user authentication, data decryption, and dynamic updating of terminal devices. The following is the specific interaction process.

5.1. System Initialization

Given security parameter $\lambda$, the authorization center (CA) selects a particular elliptic curve $E_q(a,b)$ and a point P of large prime order on an elliptic curve on a finite field, selects $G_1\mathrm{、}{G}_2$ as addition cyclic groups of prime $N$, and $G_T$ selects a multiplicative cyclic group of primes N. Select bloom filter’s bit array size m and k hash functions which map every identity in the user’s set to $\{\mathrm{1,2},\dots ,m\}$. Generally, k hash functions are used to calculate the elements in the authorized user set, and the obtained results are modulo m, and the bloom filter’s pre-authentication array table A is obtained and stored in the server.

5.2. Key Generation

CA selects a number $x\in [1,N-1]$ at random as system master key $msk$, and the corresponding system master public key $mpk=x\bullet P$ is disclosed. CA selects and exposes the private key generating function identifier hid, which is represented by a single byte. AC computes $t_i^j=H_1\left(I{D}_i^j\right||hid,N)+x$ over a finite field. If $t_i^j\ne 0$, calculate the user's private key${sk}_i^j=x\bullet ({t_i^j)}^{-1}$, and the corresponding user's public key is ${pk}_i^j=x\bullet ({t_i^j)}^{-1}\bullet P$. If $t_i^j=0$, the system master key and public key need to be recalculated. CA randomly selects $R_i^j$, timestamp T, the system master public key $mpk$, the system private key msk, and user identification ${ID}_i^j$ to generate the user key $K_i^j=H\left(msk\right|\left|I{D}_i^j\right|\left|R_i^j\right|\left|T\right)$. In addition, KDC generates a random number $ran{d}_i^j$ for every smart sensor device to generate session key $u{k}_i^j=H_1\left(K_i^j\right|\left|ran{d}_i^j\right)$.

Broadcast key generation: For every smart sensor or gateway device, CA generates the broadcast key $gsk=KGen(msk,GID)$ through the master public key mpk, the master private key $msk$ and $GID=H_1\left(I{D}_1^1\right||\dots |\left|I{D}_m^n\right)$ of all devices, where n represents the last layer, and m represents the last smart sensor device at the last layer. CA selects $grand$ at random to generate the broadcast session key $guk=H_1\left(gsk\right|\left|grand\right)$.

Multicast key generation: When the power service center wants to multicast with the subset of users, the user key and the hash value of user identities are calculated as the multicast key:

$$csk=H_1\left(H_2\right(K_{t_1}\left|\right|\dots \left|\right|K_{t_m}\left)\right|\left|H_2\right(I{D}_{t_1}\left|\right|\dots \left|\right|I{D}_{t_m}\left)\right|\left|T\right),$$

where T is the current timestamp, $K_{t_j}$ and $I{D}_{t_j}$ indicate the user key and identity of the user set, respectively. CA randomly selects grand to generate the multicast session key $cuk=H_1\left(csk\right|\left|grand\right)$.

5.3. Data Encryption

a) Unicast encryption: As shown in Figure 2, CA uses the user's public key $P{K}_i^j$ to encrypt the user key to get $C_i^j=PEnc({PK}_i^j,K_i^j)$, and then uses the unicast key to encrypt the session key to obtain $Enc(K_i^j,u{k}_i^j)$, and finally uses the session key to encrypt the plaintext $M$ to obtain $Enc(u{k}_i^j,M)$, where $PEnc$ represents identity based public key encryption algorithm, and $Enc$ represents any symmetric encryption algorithm.

b) Broadcast encryption: As shown in Figure 3, CA uses the user's public key ${PK}_i^j$ to encrypt the broadcast key to get $C=PEnc({PK}_i^j,gsk)$, and then uses the broadcast key to encrypt the broadcast session key to obtain $Enc(gsk,guk)$, and finally uses the broadcast session key to encrypt the plaintext $M$ to obtain $Enc(guk,M)$.

c) Multicast encryption: As shown in Figure 4, CA uses the user's public key ${PK}_i^j$ to encrypt the multicast key to get $C^{\mathrm{\text{'}}}=PEnc({PK}_i^j,csk)$, and then uses the multicast key to encrypt the multicast session key to obtain $Enc(csk,cuk)$, and finally uses the multicast session key to encrypt the plaintext $M$ to obtain $Enc(cuk,M)$.

5.4. User Authentications

If the user wants to make a data access request to the power service center, it first verifies the legitimacy of the identity. As shown in Figure 5, user authentications include pre-authentication and main authentication, the specific process is as follows.

Pre-authentication: The power service center uses the hash function disclosed by CA in the initialization stage to hash the user identity and get the pre-authentication array $A^{\mathrm{\text{'}}}$ generated by the bloom filter. The power service center pre-verifies the user identity: If $A^{\mathrm{\text{'}}}\subseteq A$, the user passes the authentication and obtains the pre-authentication certification. The power service center calculates $R_B=msk\bullet p{k}_i^j=x\bullet x{\left(t_i^j\right)}^{-1}\bullet P$.

Main authentication: After passing the pre-authentication, the user uses his private key and the system master public key to calculate the shared key $R_A=s{k}_i^j\times mpk$, and calculates

$$Auth=H_1\left(R_A\right|\left|T_A\right|\left|timestamp\right)$$

Then, the user sends $Auth\left|\right|timestamp$ to the power service center. The power service center receives $Auth\left|\right|timestamp$ at ${timestamp}^{\mathrm{\text{'}}}$ moment and firstly checks whether the time interval between $timestamp$ and ${timestamp}^{\mathrm{\text{'}}}$ meets $|timestam{p}^{\mathrm{\text{'}}}-timestamp|\le \Delta T$, where $\Delta T$ represents the transmission delay. If the timestamp falls within the accepted time window, the power service center calculates $Aut{h}^{\mathrm{\text{'}}}=H_1\left(R_B\right|\left|T_A\right|\left|timestamp\right)$, if $Aut{h}^{\mathrm{\text{'}}}=Auth$, then it proves that the user has the correct certification and public and private key pair, and the user successfully passes the authentication.

5.5. Data Decryption

a) Unicast decryption: As shown in Figure 2, the smart sensor device uses its private key $S{K}_i^j$ to calculate ${PK}_i^j=PDec({SK}_i^j,C_i^j)$, decrypts the unicast key, then the session key $u{k}_i^j$ by using the user key, and finally decrypts the plaintext $M$ by using the session key.

b) Broadcast decryption: As shown in Figure 3, the smart sensor device uses its own private key $S{K}_i^j$ to calculate $gsk=PDec({SK}_i^j,C)$ to obtain the user's broadcast key, and then the broadcast session key is obtained by using the broadcast key. Finally, the plaintext $M$ is decrypted by using the broadcast session key.

c) Multicast decryption: As shown in Figure 4, the smart sensor device uses its own private key $S{K}_i^j$ to calculate $csk=PDec\left({SK}_i^j,C^{\mathrm{\text{'}}}\right)$ to obtain the user's multicast key, and then multicast session key $cuk$ is obtained by using the multicast key. Finally, the plaintext $M$ is decrypted by using the multicast session key.

5.6. Dynamic Updating of Terminal Devices

5.6.1. Smart Sensor Device Addition

As shown in Figure 6, when a new user is added to the system, the system generates the public and private keys pair and user key and updates the broadcast key, broadcast session key, multicast key, and multicast session key. The public key, private key, and user key follow the steps for key generation.

a) Updating the broadcast key and broadcast session key: CA generates the broadcast key $gs{k}^{\mathrm{\text{'}}}=KGen(msk,GID)$ using the master public key $mpk$, master private key $msk$, and identity of the existing device $GID$. AC selects $grand$ at random to generate the broadcast session key $gu{k}^{\mathrm{\text{'}}}=H_1\left(gsk\right|\left|grand\right)$.

b) Updating the multicast key and multicast session key: When the power service center wants to multicast with a subset of users containing new users, it firstly recalculates the hash value of the user keys and identities for users: $cs{k}^{\mathrm{\text{'}}}=H_1\left(H_2\right(K_{t_1}\left|\right|\dots \left|\right|K_{t_m}\left)\right|\left|H_2\right(I{D}_{t_1}\left|\right|\dots \left|\right|I{D}_{t_m}\left)\right|\left|T\right)$, where $T$ indicates the current timestamp, and $K_{t_j},I{D}_{t_j}$ indicates the user keys and identities of users respectively. CA randomly selects $grand$ to generate the multicast session key $cu{k}^{\mathrm{\text{'}}}=H_1\left(cs{k}^{\mathrm{\text{'}}}\right|\left|grand\right)$.

5.6.2. Smart Sensor Device Revocation

As shown in Figure 6, when a smart sensor device is revoked, its public key, private key, and authentication certification will expire, and it can no longer be used for data access.

a) Updating the broadcast key and broadcast session key: When a smart device is removed, the broadcast key needs to be recalculated. According to the key generation algorithm, the broadcast key $gs{k}^{\mathrm{\text{'}}\mathrm{\text{'}}}$ is recalculated, and then the broadcast session key $gu{k}^{\mathrm{\text{'}}\mathrm{\text{'}}}$ is generated.

b) Updating the multicast key and multicast session key: When a smart device is removed, the multicast key needs to be recalculated. According to the key generation algorithm, the multicast key ${csk}^{\mathrm{\text{'}}\mathrm{\text{'}}}$ is recalculated, and then the multicast session key ${cuk}^{\mathrm{\text{'}}\mathrm{\text{'}}}$ is generated.

c) Smart sensor device migration: When a subset of user devices is migrated from one gateway to another gateway device, CA needs to recalculate the hash values of the user keys and identities for all nodes on the path from this subset of users to the root node, and then obtain a new multicast key $cs{k}^{\mathrm{\text{'}}\mathrm{\text{'}}}$, which is based on the current new timestamp $\tilde{T}$. $cs{k}^{\mathrm{\text{'}}\mathrm{\text{'}}}$ is broadcast to users in this subset with the previous multicast session key, and upon receiving the message, users decrypt and update the multicast session key $cu{k}^{\mathrm{\text{'}}\mathrm{\text{'}}}$.

6. Security Analysis

This section formally analyzes the security properties of the proposed protocol. The security relies on the hardness of the Elliptic Curve Discrete Logarithm Problem (ECDLP), the Computational Diffie-Hellman (CDH) problem on elliptic curves, and the security of the underlying identity-based encryption (IBE) scheme ($\mathrm{P}\mathrm{E}\mathrm{n}\mathrm{c},\mathrm{P}\mathrm{D}\mathrm{e}\mathrm{c}$) and symmetric encryption scheme ($\mathrm{E}\mathrm{n}\mathrm{c},\mathrm{D}\mathrm{e}\mathrm{c}$). The hash functions $H,H_1,H_2$ are assumed to be cryptographically secure (e.g., behaving as random oracles).

6.1. Forward Security

Theorem 1. 

Forward security ensures that a smart sensor device $S{M}_r$ (with identity $I{D}_r$), once revoked from a group at time $T_{rev}$, cannot decrypt messages intended for the group after $T_{rev}$. This means $S{M}_r$ cannot obtain any newly generated group keys (e.g., $gsk\mathrm{\text{'}}$, $csk\mathrm{\text{'}}$) or session keys (e.g., $guk\mathrm{\text{'}}$, $cuk\mathrm{\text{'}}$).

Proof. 

Consider the broadcast key $gsk$. When $S{M}_r$ is revoked, a new broadcast key $gsk\mathrm{\text{'}}$ is generated by CA using $gsk\mathrm{\text{'}}=\mathrm{K}\mathrm{G}\mathrm{e}\mathrm{n}\left(msk,GID\mathrm{\text{'}}\right)$, where $GID\mathrm{\text{'}}$ represents the identities of the remaining authorized devices. This $gsk\mathrm{\text{'}}$ is then used to derive a new broadcast session key $guk\mathrm{\text{'}}=H_1\left(gs{k}^{\mathrm{\text{'}}}\left|\right|grand\mathrm{\text{'}}\right)$. The plaintext $M$ is encrypted as $\mathrm{E}\mathrm{n}\mathrm{c}\left(guk\mathrm{\text{'}},M\right)$. The key $gsk\mathrm{\text{'}}$ is distributed to authorized users by encrypting it with their respective public keys $P{K}_u$ (derived from $I{D}_u$) using the IBE scheme: $C_u=\mathrm{P}\mathrm{E}\mathrm{n}\mathrm{c}\left(P{K}_u,gsk\mathrm{\text{'}}\right)$.

Since $S{M}_r$ is revoked, its identity $I{D}_r$ is not part of $GID\mathrm{\text{'}}$, and CA will not provide $S{M}_r$ with $\mathrm{P}\mathrm{E}\mathrm{n}\mathrm{c}\left(P{K}_r,gsk\mathrm{\text{'}}\right)$. Even if $S{M}_r$ possesses its old private key $s{k}_r$, it cannot decrypt $C_u$ for any $I{D}_u\in GID\mathrm{\text{'}}$ (assuming $I{D}_u\ne I{D}_r$) to obtain $gsk\mathrm{\text{'}}$, due to the security of the IBE scheme. Without $gsk\mathrm{\text{'}}$, $S{M}_r$ cannot compute $guk\mathrm{\text{'}}$ via $H_1\left(gs{k}^{\mathrm{\text{'}}}\left|\right|grand\mathrm{\text{'}}\right)$ (as $grand\mathrm{\text{'}}$ is fresh and $H_1$ is one-way). Therefore, $S{M}_r$ cannot decrypt $\mathrm{E}\mathrm{n}\mathrm{c}\left(guk\mathrm{\text{'}},M\right)$.

The argument for the multicast key $csk\mathrm{\text{'}}$ is similar. When $S{M}_r$ is revoked from a multicast group, a new $csk″$ is computed based on the remaining members’ keys and identities, and a new timestamp. This $csk″$ is distributed encrypted with the previous multicast session key $cuk$. Since $S{M}_r$ is no longer part of the group, it will not receive this update, or if it does, the subsequent session key $cuk″$ will be derived from $csk″$ which it cannot obtain if $csk″$ is re-encrypted using IBE for the new group. If $csk″$ is broadcast using the old $cuk$, then the subsequent $cuk″$ derived from $csk″$ and a new $grand″$ will be unknown to $S{M}_r$. The core idea is that new keys are generated that $S{M}_r$ does not have the components to derive or decrypt.

Thus, the protocol ensures forward security provided the IBE scheme is secure and hash functions are one-way. An adversary controlling $S{M}_r$ cannot gain access to future group communications.

6.2. Backward Security

Theorem 2. 

Backward security ensures that a newly added smart sensor device $S{M}_n$ (with identity $I{D}_n$) at time $T_{add}$ cannot decrypt messages encrypted for the group before its addition.

Proof. Before $S{M}_n$ joins, group communications use keys like $gs{k}_{old}$ (and $gu{k}_{old}$) or $cs{k}_{old}$ (and $cu{k}_{old}$). These keys were generated based on the identities and keys of members existing before $T_{add}$. For instance, $gs{k}_{old}=\mathrm{K}\mathrm{G}\mathrm{e}\mathrm{n}\left(msk,GI{D}_{old}\right)$, where $I{D}_n\notin GI{D}_{old}$.

When $S{M}_n$ joins, it receives its own private key $s{k}_n$, user key $K_n$, and session key $u{k}_n$. However, $S{M}_n$ does not receive past group keys like $gs{k}_{old}$ or $cs{k}_{old}$. The IBE-encrypted $gs{k}_{old}$ was distributed only to members of $GI{D}_{old}$. Since $I{D}_n$ was not in $GI{D}_{old}$, $s{k}_n$ cannot be used to decrypt ciphertexts containing $gs{k}_{old}$.

The user keys $K_u=H\left(msk\left|\right|I{D}_u\left|\right|R_u\left|\right|T\right)$ are unique to each user and timestamp. A new user $S{M}_n$ cannot derive past user keys of other members due to the one-way nature of $H$ and the secrecy of $msk$ and other users’ $R_u$. Similarly, past multicast keys $cs{k}_{old}=H_1\left(H_2\left(K_{t_1}\left|\right|\dots \right)\left|\right|H_2\left(I{D}_{t_1}\left|\right|\dots \right)\left|\right|T_{old}\right)$ depend on keys and identities of the old group and an old timestamp, which $S{M}_n$ cannot reconstruct.

Therefore, $S{M}_n$ cannot access messages encrypted prior to its joining the group, ensuring backward security. This relies on the IBE security and the one-way property of hash functions.

6.3. Replay Attack Resistance

Theorem 3. 

The protocol resists replay attacks during user authentication. The user sends $Auth=H_1\left(R_A\left|\left|T_A\right|\right|timestamp\right)$ and $timestamp$ to the power service center. $R_A=s{k}_i^j\cdot mpk$.

Proof. 

The power service center (server) receives $\left(Auth,timestamp\right)$ at its current time $timestamp\mathrm{\text{'}}$. It first verifies the freshness of the $timestamp$ by checking if $\left|timestamp\mathrm{\text{'}}-timestamp\right|\le \Delta T$, where $\Delta T$ is a predefined small interval for network delay.

If an adversary intercepts a valid $\left(Aut{h}_1,timestam{p}_1\right)$ and replays it at a significantly later time $timestamp{\mathrm{\text{'}}}_2$, then $\left|timestamp{\mathrm{\text{'}}}_2-timestam{p}_1\right|>\Delta T$. The server will detect this stale timestamp and reject the message.

If the adversary attempts to use a fresh $timestam{p}_2$ with the old $Aut{h}_1$, the server will compute $Auth{\mathrm{\text{'}}}_{check}=H_1\left(R_B\left|\left|T_A\right|\right|timestam{p}_2\right)$ (where $R_B=msk\cdot p{k}_i^j=R_A$). Since $timestam{p}_2\ne timestam{p}_1$ and $H_1$ is collision-resistant, $Aut{h}_1=H_1\left(R_A\left|\left|T_A\right|\right|timestam{p}_1\right)$ will not be equal to $Auth{\mathrm{\text{'}}}_{check}$ (except with negligible probability). Thus, the authentication will fail.

To successfully replay with a fresh timestamp $timestam{p}_2$, the adversary would need to compute a new $Aut{h}_2=H_1\left(R_A\left|\left|T_A\right|\right|timestam{p}_2\right)$. This requires knowledge of $R_A=s{k}_i^j\cdot mpk$. Since the user’s private key $s{k}_i^j$ is secret, and computing $s{k}_i^j\cdot mpk$ without $s{k}_i^j$ is hard (related to the CDH problem, given $p{k}_i^j=s{k}_i^{j}P$ and $mpk=xP$), the adversary cannot forge a valid $Aut{h}_2$.

The inclusion of a fresh timestamp in the hash computation for $Auth$ and the server’s freshness check effectively prevent replay attacks.

6.4. Impersonation Attack Resistance

Theorem 4. 

An adversary attempts to impersonate a legitimate smart sensor device $S{M}_u$ (with identity $I{D}_u$ and private key $s{k}_u$) to the power service center.

Proof. 

To impersonate $S{M}_u$, the adversary must successfully complete the authentication process. This involves computing $Auth=H_1\left(R_A\left|\left|T_A\right|\right|timestamp\right)$, where $R_A=s{k}_u\cdot mpk$. The adversary knows $I{D}_u$, $mpk=xP$, and $p{k}_u=s{k}_{u}P$. The system master key $x$ and user private key $s{k}_u$ are secret.

The private key $s{k}_u$ is computed as $x\cdot {\left(t_u\right)}^{-1}$, where $t_u=H_1\left(I{D}_u\left|\right|hid,N\right)+x$. Thus, $R_A=\left(x\cdot {\left(t_u\right)}^{-1}\right)\cdot \left(xP\right)=x^2{\left(t_u\right)}^{-1}P$.

An adversary faces the following difficulties:

Deriving $s{k}_u$ from $p{k}_u=s{k}_{u}P$: This is the ECDLP, which is assumed to be hard.

Deriving $x$ from $mpk=xP$: This is also the ECDLP.

Computing $R_A=s{k}_u\cdot mpk$ directly from $p{k}_u$ and $mpk$ without knowing $s{k}_u$ or $x$: This is computationally equivalent to solving the CDH problem (given $P,s{k}_{u}P,xP$, compute $s{k}_{u}xP$). While $R_A$ is not exactly $s{k}_{u}xP$, computing $x^2{\left(H_1\left(I{D}_u\left|\right|hid,N\right)+x\right)}^{-1}P$ without $x$ is infeasible.

The pre-authentication step using the Bloom filter adds another layer. If the adversary’s chosen (or forged) identity $I{D}_{adv}$ is not in the authorized set encoded in the Bloom filter $A$ on the server, $A{\mathrm{\text{'}}}_{adv}⊈A$, and pre-authentication fails. Even if a Bloom filter collision occurs for a random $I{D}_{adv}$ (with small probability $ϵ$), the subsequent main authentication requiring $R_A$ will fail.

Since the adversary cannot compute $s{k}_u$ or $R_A$ without breaking underlying hard problems (ECDLP or CDH), they cannot generate a valid $Auth$ message. Therefore, the protocol is resistant to impersonation attacks.

7. Performance Analysis

7.1. Theoretical Analysis

This section will be analyzed in terms of computational cost and communication cost. In computational cost analysis, we focus only on the bilinear pairing, multiplication, hashing, and modular inverse algorithms performed by every device, and ignore other lightweight operations. We represent $P$ as a bilinear pairing operation, $m$ as a multiplication operation, $h$ as a hash operation, and $r$ as a modular power operation. In the registration phase, the power service center generates the unicast key for every smart grid device, which requires three multiplications, three hashes, and one modular power, namely $3m+3h+1r$. The power service center needs $2h$ operations to generate the broadcast key, and $2h$ operations to generate the multicast key. In the encryption phase, unicast encryption, broadcast encryption, and multicast encryption all require one asymmetric encryption operation and two symmetric encryption operations. In the authentication phase, CA authenticates user identity by one multiplication and one hash. In communication cost analysis, CA generates the private key, session key, broadcast key, broadcast session key, multicast key, and multicast session key for the user. Their key’s bit length is $\lambda$. During data access, the user downloads the ciphertext from the power service center. We will ignore other transmitted data.

Table 1 shows the cost comparison of the certification process between the proposed protocol and the protocol of MAH [26], WAN [28], and ZHA [14]. In our protocol, CA requires one multiplication and one hash operation to verify the validity of the terminal device. Therefore, the time consumed by CA authentication increases linearly with the increasing number of terminal devices. As shown in Table 2, the cost of the proposed protocol is lower than other protocols, both in terms of computation cost and communication cost. MAH protocol has the highest computational cost, and WAN protocol has the highest communication cost.

Table 2 shows the cost comparison of encryption and decryption between the proposed protocol and the protocol of CHE [22], ACH [23], and KUM [27]. The protocol of CHE and KUM has low encryption costs but requires a lot of bilinear pairing operations in the key generation and decryption stage, which is not suitable for resource-limited terminal devices in smart grids. In the decryption cost, the proposed protocol has a lower cost.

7.2. Experimental Analysis

In this section, we conduct some experiments to prove that the protocol we designed is efficient. We compare the proposed scheme with the schemes in CHE, ACH, and KUM in terms of encryption cost and decryption cost.

In our experiments, we used a computer with an Intel(R) Core(TM) i9-10920X CPU @ 3.50GHz to simulate the CA in the design system. In the experiment, the C++ programming language is used to implement the designed protocol, and PBC library is used to multiply and modular exponents of elliptic curves. The hash function in our experiment is SHA-256.

As shown in Figure 7, both the computation and communication costs of the proposed protocol are less than other authentication protocols. Since the bloom filter is introduced to encode the identities of smart sensor devices, the proposed protocol reduces the computation and communication cost of the certification phase. Detailed experimental results are shown in Table 3 and Table 4. With the increasing number of terminal devices, the advantage of our protocol becomes more obvious. Specifically, the proposed protocol is 73.94% superior to others on average in terms of computation and 79.98% in terms of communication.

Figure 8 and Figure 9 show comparisons of data encryption and decryption costs for each scheme with the increasing number of terminal devices. The proposed scheme is obviously superior to other schemes in terms of encryption and decryption cost. Detailed experimental results are shown in Table 5 and Table 6. Specifically, the running time of unicast encryption and multicast encryption increases linearly with the increase of terminal devices. Broadcast encryption does not consume excessive uptime due to changes in the number of devices. No matter how many devices are added, broadcast encryption is calculated only once using the device's identity.

For the encryption process, the proposed protocol performs best among four secure data communication protocols. KUM protocol also performs well with the increasing number of smart sensor devices, followed by CHE protocol, while ACH protocol showcases the worst performance. Specifically, the proposed protocol is 37.77% superior to others on average in terms of encryption cost.

For the decryption process, the proposed protocol is the most efficient protocol among four secure data communication protocols as well. Particularly, the KUM protocol and CHE protocol demonstrate similar performance on efficiency in the decryption phase, which significantly falls behind our protocol. In terms of decryption efficiency, the ACH protocol is the worst protocol as well. Specifically, the proposed protocol is 55.75% superior to others on average in terms of decryption cost.

According to the evaluations above, our protocol showcases comprehensive advantages in the secure data communication process. The proposed protocol obviously demonstrates the best performance on authentication, encryption, and decryption progress. In conclusion, the proposed protocol provides an effective and efficient solution for secure data communication in smart grid scenarios.

8. Conclusions

In this paper, we propose a novel secure data communication protocol for sensor groups in the smart grid system. The proposed protocol leverages the symmetric encryption method to transmit obscured data and utilizes the identity-based encryption method to share group secret keys. To improve communication efficiency, the identities of authorized users are encoded by the bloom filter, and a cloud-aided pre-verification procedure is introduced. Correspondingly, a novel dynamic update mechanism of the group secret key is designed in smart grid scenarios. When the sensor group is changed, the proposed mechanism utilizes lightweight operations to implement dynamic updates of the group secret key. Theoretical analysis demonstrates that our protocol achieves forward and backward security of a dynamic sensor group and has the capability to resist the replay attack and impersonation attack. Experimental evaluation indicates that our protocol performs better than the state-of-the-art protocols. Specifically, for computation cost, the proposed protocol is 73.94% superior to others on average in the authentication process, 37.77% in the encryption process, and 55.75% in the decryption process. For communication cost, the proposed protocol is 79.98% superior to others on average in the authentication process.