Existing key exchange schemes for resource-constrained IoT edge devices in smart grids suffer from excessive computational overhead or insufficient post-quantum security. To address this, we propose a lightweight, quantum-resistant key exchange protocol. Our approach innovatively exploits the birational equivalence between Ed25519 and Curve25519 to unify signature and key exchange key pairs—thereby ensuring forward secrecy while drastically reducing key management complexity. The protocol integrates HKDF-based initialization, ephemeral ECDHE key agreement, and ASCON128a for lightweight authenticated encryption. We provide a formal security proof in the random oracle model. Experimental evaluation demonstrates end-to-end execution times under 5.5 ms on both Raspberry Pi and Intel Core i9 platforms, with communication overhead limited to just 1024 bits. The protocol thus achieves a rigorous balance of post-quantum security, computational efficiency, and practical deployability for constrained edge environments.

The increasing deployment of the Internet of Things (IoT) edge devices in modern smart grid environments requires secure and efficient communication protocols specifically designed for resource-constrained environments. However, most existing authentication schemes either impose excessive computational overhead or lack robustness against advanced cyber threats, making them unsuitable for resource-limited smart grid deployments. To address these limitations, this paper proposes a lightweight authentication and secure key exchange protocol for smart grid (LSEG) environments. The proposed LSEG protocol utilizes a unified elliptic curve key pair, enabled by birational mapping between Ed25519 and Curve25519, for signing and key exchange. Initial keys are derived using the hash based message authentication code (HMAC) based key derivation function (HKDF), while ephemeral key pairs, generated through the Elliptic Curve Diffie Hellman Ephemeral (ECDHE), are used in each session to ensure forward secrecy. Session communication is protected using ASCON128a, a lightweight, NIST-standardized, authenticated encryption algorithm. Formal security proofs in the random oracle model validate the security properties of LSEG, including mutual authentication, forward secrecy, and resistance to impersonation, replay, and man in the middle attacks. Experimental results on both Raspberry Pi and Intel Core i9-based systems demonstrate practical efficiency, achieving execution times under 5.5 milliseconds on embedded hardware and a communication cost of only 1024 bits for the protocol's message exchanges. The results demonstrate that LSEG effectively balances security, efficiency, and compliance, making it a scalable solution for secure communication in smart grid infrastructures.