An efficient authentication protocol with privacy-preserving for virtual power plant

As an important manifestation of the current development and transformation of the world’s power and energy industries, the virtual power plant is an important foundation for optimizing the layout of energy resources. However, since there are many open channels in the virtual power plant, adversaries can implement eavesdropping, replay, impersonation, forgery, and other attacks to access the virtual power plant, and even publish false data in the virtual power plant to disrupt the operation of the virtual power plant. In addition, it is easy for an adversary to deduce key information such as the layout of virtual power plant equipment through the identity of the device. In this context, to ensure the security and privacy of devices when accessing the platform, in this paper, we propose an efficient authentication protocol based on the elliptic curve cryptography and zero-knowledge proof, which requires only two information exchanges. Security analysis shows that the proposed protocol can meet security features such as mutual authentication, key agreement, perfect forward secrecy, and device anonymity. Performance analysis indicates that the proposed protocol achieves a reasonable balance between computational and signaling overhead, and it is more suitable for achieving efficient device authentication and privacy protection in virtual power plants.


Introduction
As the new energy is gradually replacing the supplementary energy to become the main power source in the future, virtual power plants have experienced rapid development in the internet era [1].A virtual power plant contains advanced automation systems for monitoring and controlling various smart devices [2].In a virtual power plant, the residents can control various smart devices such as smart meters and so on.For instance, users regularly transmit their energy consumption data to the control center.Instructions are sent to the smart meters based on their state of operation.This allows for dynamic adjustments in power generation and distribution.By conducting data processing and analysis, the generation and distribution of power can be dynamically adjusted in response to consumers' current electricity requirements, thus enhancing the reliability of the grid system.
Nevertheless, the virtual power plant is susceptible to a range of security risks.For instance, electric consumption information is often sent via an open network, providing opportunities for malicious observers to intercept the data [3].Besides, hackers and malicious codes can use terminal devices in various forms to initiate malicious damage and attacks on the power grid monitoring system.Many other illegal operations lead the power system to be paralyzed and out of control.Therefore, to ensure the safe operation of distributed devices and their data transmission networks, the virtual power plant system needs to strengthen the security protection between distributed terminal devices and platforms to ensure authentication and access control.Up to now, various authentication protocols have been proposed for virtual power plants.Nevertheless, they do not completely satisfy the required security needs and have heavy computation costs.
To address these challenges, we propose an efficient authentication scheme with privacypreserving for the virtual power plant.The main contributions are outlined as follows: κ We propose an efficient authentication scheme with privacy-preserving for the virtual power plant.First, we construct an efficient zero-knowledge proof.Then, we use the proposed zeroknowledge proof to make authentication and provide privacy-preserving of device identity compared to other existing schemes.It ensures the legitimacy of the device and can keep the device's identity anonymous from both observers and the platform in the authentication phase.κ Our proposed authentication protocol for virtual power plants consistently has lower computation costs.First, in our scheme, a confidential session key is established with clear confirmation through only two communication rounds.Second, the construction of our zero-knowledge proof is based on ECC, which is more efficient compared with RSA.κ In the aspect of the security property, our scheme can withstand a range of security attacks, including replay attacks, impersonation attacks, and more.Furthermore, our scheme ensures that the identity information of the device is anonymous to both observers and the platform, while in other existing schemes, the identity information of devices is exposed to the platform in the authentication phase.

Related work
In recent years, there has been more and more research focusing on the secure and efficient authentication of virtual power plants.Zhang et al. [4] developed an effective authentication system that ensures the anonymity of users while considering the storage and computing constraints of smart meters.They substituted resource-intensive exponential operations with XOR operations to minimize computational burdens.Li et al. [5] introduced a method of authentication that ensures user anonymity for the virtual power plant, preserving the confidentiality of smart meters' identities.The method relies on efficient cryptographic primitives designed for lightweight applications.Nevertheless, Wu et al. [6] exposed vulnerabilities in Li's method, highlighting its susceptibility to Denial of Service (DoS) attacks and failure to ensure that both parties verify each other's identity.Additionally, Kumar et al. [7] proposed a scheme for the smart grid that incorporates demand response and facilitates dynamic participation and disengagement of communication devices, enhancing its applicability in real-world scenarios.In a different study, Srinivas et al. [8] outlined a solution for key agreement with anonymous authentication for the smart grid, prioritizing the protection of users' identities.However, the pursuit of anonymity introduces additional computational overhead.In a separate research endeavor, Gope et al. [9] introduced a novel Authentication and Key Agreement (AKE) method based on flexible Physical Unclonable Functions (PUFs) to resist modeling attacks.There is also a study [10] majoring in highlighting the insecurity of an existing Elliptic Curve Cryptography (ECC)-based AKE and proposing an adjusted version based on ECC.Additionally, Deng et al. [11] put forth an AKE scheme without certificates to circumvent the challenges associated with certificate management.Nevertheless, the scheme requires bilinear pairing operations, resulting in high computational costs.
The definition of interactive zero-knowledge proof is shown as follows.Definition 1(Interactive Zero-knowledge proof).Let be a language over {0,1} * , and ( , ) is an interactive zero-knowledge proof for if it meets the following requirements:

System and security model
In this section, we give a detailed description of the system model and the security model of the proposed scheme.

System model
There are three types of entities in the proposed scheme as shown in Figure 1.They are devices, platforms, and trusted centers.To join the system, a terminal device should first register with the platform.As illustrated in Figure .1, in virtual power plant environments, terminal devices can be any decentralized devices, such as distributed photovoltaic devices.In the traditional authentication scenario, the platform needs to obtain the identity of the device in the authentication phase for authentication, which poses a higher security risk to device privacy.Therefore, our scheme ensures the authentication between the device and the platform using the zero-knowledge proof to keep the identity device anonymous to the platform in the authentication phase.The platform manages network entity registration and device authorization, facilitating secure communication channels with devices.

Security Model
The communication system with high exposure faces the risk of message eavesdropping and unauthorized network access.More precisely, there are a variety of attacks that can influence the legitimacy of network access.
Impersonation attacks can impersonate some legitimate users to gain access without permission and derive benefits from the system.Replay attacks can cheat the service by making use of historical messages.Tamper attacks can obstruct the regular sessions of authorized users and affect the networks by interfering with the data during transmission.
Besides, the device's real identity is sensitive to adversaries.Authentication based on PKI exposes the device's real identity to observers.Therefore, it is a challenge to achieve both authentication and privacy-preserving.
The essential security properties that our proposed scheme should meet are outlined as follows: 1) Mutual authentication.The platform needs to verify the legitimacy of the device.Simultaneously, devices need to authenticate the accessed platform to prevent possible interpretation and other hostile assaults.
2) Key establishment.The device and the platform should negotiate a session key to guarantee security between the device and the platform.
3) User privacy.The device's real identity is important.To protect the device's identity privacy, the user's real identity remains undisclosed in the captured data.

4)
Untraceability.The proposed authentication protocol is expected to achieve untraceability.It means that it can not expose the related private information of the device.
5) Forward Secrecy.Given the presence of transition, the proposed protocol needs to satisfy the forward secrecy.Forward secrecy indicates that prior session key information cannot be exploited by an adversary to deduce subsequent session keys.This ensures the security of future communication.

6)
Confidentiality.The sensitive information transferred by the device and the platform during the process of establishing and verifying the identities of communicating parties should be protected.It ensures that any private data exchanged during the authentication procedure remains secure and inaccessible to unauthorized entities.

The proposed scheme
Next, we thoroughly describe our scheme in detail.Our scheme involves four main steps.They are Initialization, Registration, Authentication, and Key agreement.

1) Initialization phase
The key generation center initializes system parameters.It chooses an elliptic curve ( / ) and selects a base point with a large prime order .
2) Registration phase When the device requests to join the system for the first time, this phase is carried out only once.It is presumed that communication messages are reliably transmitted in this phase.
Step 1.The device sends its identity { } to the platform.
Step 2. After receiving the message { } , the platform first checks the validity of .If the identity is invalid, the platform asks for an alternative; otherwise, it computes as follows, where ∈ * is the private key of the platform: = ℎ( , ) The platform computes = and sends { , , } to the device.Step 3.After receiving { , , }, the device stores them.

3)
Authentication phase During this phase, we assume the communication messages are sent over an unreliable channel.
Step 1.The device computes = ℎ( ), = .It randomly selects ∈ * and computes = , = .Then, the device computes as follows: = − Then, the device captures its timestamp and computes as follows: = ℎ( , , , , , ) To hide the device's real identity, the device computes as follows: It sends { , , , , } to the platform.Step 2. Once the device's message is received, the platform checks the validity of .If it is valid, the platform computes as follows: = + = Then, the platform gets the real identity of the device as follows: Step 3. To authenticate the identity of the device, the platform computes as follows: = ℎ( , , , , , ) If the calculated value matches the one received over the insecure public channel, = , the platform selects a random number ∈ * and computes = .

4) Key agreement phase
In this phase, the platform generates a communication session key and sends a verifier to the device.
Step 2. The device computes and makes verification as follows: When the computed verifier matches the value received from the public channel, the device confirms the message's authenticity as from the platform and applies for future communications.

Security Analysis
In this part, we examine the security aspects of our proposed scheme.The security features include mutual authentication and key agreement, perfect forward secrecy, session key security, untraceability, confidentiality, and the device's anonymity.
As shown in Table 1, we also compare the security features of the proposed scheme with other related schemes.
Table 1.Comparison of security features.
Mutual authentication and key agreement.In our proposed scheme, the device sends the request message { , , , , } to the platform.Next, the platform computes = ℎ( , , , , , ).Then, it sends { , } to the device.Once receiving the message, the device obtains the session key by checking = ℎ( , ).Thus, the device and the platform engage in mutual authentication, and the proposed scheme facilitates key agreement in our scheme.
Perfect forward secrecy.During the authentication phase of our scheme, the session key = ℎ( , , ) = ℎ( , , ) is calculated by randomly choosing and .It is obvious that if the adversary gains access to the private keys of the device and platform, obtaining the session key is infeasible. .To obtain the random numbers, the adversary needs to solve the ECDLP.Since computing random numbers is impractical, the proposed scheme satisfies perfect forward secrecy.
Session key security.In our proposed scheme, the device and the platform calculate each session key as =ℎ( , , ) = ℎ( , , ).For the reason that no one can compute except for the device and the platform, the proposed scheme assures the session key security.
Untraceability.In our proposed scheme, random numbers and are generated in { , , , , } and { , }.Therefore, the adversary is unable to associate the messages with a particular device.Furthermore, we provide higher untraceability as the platform cannot relate the messages to a specific device.
Confidentiality.Confidentiality is an essential property in our proposed scheme.The confidentiality of our scheme is based on the one-way property of the hash function and the hardness of the ECDLP.
Device's anonymity.In our proposed scheme, the adversary must know to acquire the actual identity of the device for breaking the anonymity in the authentication phase.
is computed as = ℎ( ) , = . Therefore, the adversary needs to solve the ECDLP and breaks the hash function's one-way property at the same time.As the ECDLP is hard to solve and the hash function satisfies the one-way property, the proposed scheme meets the requirements of the device's anonymity.Our scheme has stronger anonymity as the identity information of the device is even not exposed to the platform in the authentication, while in other schemes, the platform must obtain the identity information of the device to authenticate in the authentication phase.

Performance analysis
In this section, we give the performance analysis of our scheme in terms of computational overhead and signaling overhead.

Computational overhead
In this section, we analyze our scheme in terms of computational overhead, which is the total computational time required to perform all cryptographic operations during the authentication phase.We compare the proposed scheme with the Gu scheme [12], He scheme [13], Xia scheme [14], and Kumar scheme [15] in terms of computational overhead, and the results are shown in Table 2. Let denote an elliptic curve point multiplication operation, denotes the Chebyshev polynomial operation, denotes a modular exponentiation operation, denotes the pairing operation on an elliptic curve.As we can see in Table 2, in the Gu scheme, He scheme, Xia scheme, Kumar scheme, and our proposed scheme, the computational overheads of the device are respectively 6 , 4 , 19 , 3 +2 , and 3 .The computational overheads of the platform are respectively 5 + , 6 , 18 , 3 +3 , and 5 .It is obvious that our scheme has the lowest device computation cost, which is 3 .It is respective 3 , 1 , 16 , and 2 lower than the Gu scheme, He scheme, Xia scheme, and Kumar scheme.In the aspect of platform computation cost, our scheme is , , and 13 lower than the Gu scheme, He scheme, and Xia scheme.However, the computation cost of the platform is a little higher than the Kumar scheme.In the Kumar scheme, the NAN gateway needs to save each symmetric key for encrypting the authentication request message that needs much storage space, while our scheme is based on the zero-knowledge proof that avoids this problem.

Signaling overhead
Signaling overhead refers to the total number of authentication message transmissions during the authentication phase.In this subsection, we compare the proposed scheme, Gu scheme [12], He scheme [13], Xia scheme [14], and Kumar scheme [15] in terms of signaling overhead.As shown in Table 3, our proposed scheme, Gu scheme, Xia scheme, and Kumar scheme all require only 2 signaling overheads during the authentication phase, namely 1 device → platform transmission and 1 device ← platform transmission.Moreover, the signaling overhead of our proposed scheme is reduced by 1 compared with the He scheme.Therefore, our proposed scheme can meet more security attributes with lower computational overhead and lowest signaling overhead, indicating that the proposed protocol is suitable for virtual power plants to ensure trusted and secure transmission of power data.

Conclusion
Security remains a paramount concern in virtual power plants.Ensuring resistance against ephemeral secret leakage attacks and providing privacy of the device's identity is essential in a virtual power plant.In this study, we first proposed an efficient authentication protocol based on the zero-knowledge proof that provides privacy-preserving.To validate the security of our scheme, we have conducted detailed security analyses.Furthermore, to demonstrate its efficiency, we have conducted experimental analyses.The results affirm that our proposed protocol ensures both security and efficiency for implementation within the realm of virtual power plants.

Figure 1
Figure 1 System model of the proposed scheme.

Table 2 .
Comparison of computational overhead.

Table 3 .
Comparison of signaling overhead.