An ECC-Based Authentication Protocol for Dynamic Charging System of Electric Vehicles

Abstract

Dynamic wireless charging emerges as a promising technology, effectively alleviating range anxiety for electric vehicles in transit. However, the communication between the system’s various components, conducted over public channels, raises concerns about vulnerability to network attacks and message manipulation. Addressing data security and privacy protection in dynamic charging systems thus becomes a critical challenge. In this article, we present an authentication protocol tailored for dynamic charging systems. This protocol ensures secure and efficient authentication between vehicles and roadside devices without the help of a trusted center. We utilize a physical unclonable function (PUF) to resist physical capture attacks and employ the elliptic curve discrete logarithm problem (ECDLP) to provide forward security protection for session keys. We validated the security of our proposed scheme through comprehensive informal analyses, and formal security analysis using the ROR model and formal analysis tool ProVerif. Furthermore, comparative assessments reveal that our scheme outperforms other relevant protocols in terms of efficiency and security.

1. Introduction

With increasing urbanization, electric vehicles (EVs) play a crucial role in establishing green transportation by providing emission-free operation. They present a promising solution to address energy and environmental challenges [1]. However, the widespread adoption of electric vehicles has underscored the need for a well-developed charging infrastructure, particularly for EV users who are away from home and face time and distance constraints [2].

There are two main charging methods: static charging [3] and dynamic charging [4]. Static charging involves parking the electric vehicle at a charging station, turning off the engine, and connecting the charger to the charging port to obtain electric energy. Dynamic charging allows electric vehicles to charge while driving on the road, utilizing electromagnetic energy transfer between the vehicle and the charging pad. The dynamic charging system consists of the following entities: trusted service provider (TSP), roadside units (RSUs), electric vehicles (EVs), and charge pads (CPs). The system architecture is illustrated in Figure 1. The TSP acts as an energy provider and establishes the necessary infrastructure for electric vehicle charging, which includes RSUs and CPs to form a dynamic power station. The TSP is responsible for the registration of RSUs and EVs. RSUs serve as access points to the road charging area and manage a large number of CPs. They utilize TSP’s public key to verify the legitimacy of users and allocate CPs to provide energy for EVs. EVs are equipped with on-board units, sensors, and Global Positioning System (GPS) and travel along the road network. EVs can establish communication links with both RSUs and CPs using dedicated short-range communications (DSRCs). CPs are components that facilitate the charging of electric vehicles in [5]. Each CP is capable of independently supplying energy to EVs. In comparison to static charging, wireless dynamic charging represents a new paradigm and brings greater convenience. Firstly, the dynamic charging of electric vehicles overcomes the limitation of fixed charging stations and saves time. Secondly, mobile charging of electric vehicles can effectively extend the mileage of electric vehicles.

However, dynamic charging systems face security and communication challenges [6]. Communication between entities occurs over a public channel, which is susceptible to various security threats, including interception, eavesdropping, and message modification [7]. Adversaries can exploit these vulnerabilities to gain unauthorized benefits from energy transactions within the dynamic charging system through impersonation, replay attacks, and man-in-the-middle attacks. Therefore, secure authentication protocols are necessary to mitigate these threats.

1.1. Motivation

Our motivation arises from dual concerns within existing authentication protocols [8,9,10,11,12,13,14] for dynamic charging: computational efficiency and security vulnerabilities. The scheme [8,9] has a high computational overhead, while the schemes [10,11,12,13,14] reduce computational overhead but are vulnerable to common attacks. To address this, we propose a secure and efficient identity authentication scheme for electric vehicle dynamic charging scenarios. The main contributions of this paper are summarized as follows:

• We have designed an efficient authentication protocol based on elliptic curve cryptography (ECC) for the dynamic charging system of electric vehicles that can mitigate RSU capture attacks and provide perfect forward secrecy. Also, this protocol enables the authentication process between vehicles and roadside units (RSUs) without the need for a third-party service provider (TSP).
• During the inter-RSU handover authentication process for vehicles, we have adopted a novel approach that eliminates the use of shared secret keys, ensuring the independence of RSUs.
• The proposed protocol is demonstrated to be resilient against various attacks through informal proofs. Furthermore, the protocol’s semantic security is formally established in the random oracle model.
• Performance analysis and security analysis demonstrate the practicality and efficiency of the proposed protocol.

1.2. Paper Organization

This paper is organized as follows: Section 2 summarizes related work in this research area. Section 3 describes the background, including the necessary preliminaries, system model, and threat model. Section 4 explains the proposed scheme and its main components. Section 5 provides an informal security analysis of the scheme. Section 6 gives a formal security proof in the Random or Real (ROR) model. Section 7 compares the performance of the proposed scheme with other relevant schemes. Finally, Section 8 concludes the paper.

2. Related Work

For dynamic wireless charging systems of electric vehicles, various key agreement protocols have been proposed to ensure secure and authenticated communication between the electric vehicle and the charging system. Roman et al. [8] designed an authentication scheme for a cloud-based wireless charging system for electric vehicles. In their scheme, vehicle users need to purchase tickets from an electric power service provider to enjoy charging services. However, their scheme requires heavy computation based on bilinear pairings and blind signatures, which can result in a large communication overhead. Rabieh et al. [9] proposed a privacy-preserving authentication scheme that achieves mutual authentication between electric vehicles (EVs) and charging plates without the involvement of a trusted third party. Their scheme also protects users’ identities. However, the scheme faces challenges in resisting man-in-the-middle attacks and EV impersonation attacks, and the computational overhead is relatively high.

To improve performance, some lightweight solutions have been proposed, but some security issues still exist. For example, Pazos-Revilla et al. [10] proposed a blind signature-based physical layer assistance scheme for dynamic charging systems to ensure their safety. The key idea is that when an EV authenticates itself to a TSP, the TSP sends a secret seed to the EV to efficiently calculate the shared group key with an RSU. However, the RSU, being exposed in public places, is easy for adversaries to capture, which could lead to the leakage of the shared group key. Li et al. [11] proposed a fast authentication scheme (FADEC) based on elliptic curve cryptography (ECC) to meet the communication requirements during dynamic inductive charging. However, their scheme was found to be vulnerable to replay attacks and privacy issues.

Babu et al. [12] proposed a lightweight authentication scheme based on ECC, where vehicles authenticate with roadside units (RSUs) with the help of edge nodes. However, their scheme is vulnerable to replay attacks and does not satisfy non-linkability. Babu et al. [13] presented a lightweight authentication scheme that incorporates vehicle handover authentication. In this process, the vehicle initiates a handover request with a previously certified roadside unit to communicate with other RSUs under its assistance. Nevertheless, their scheme lacks perfect forward secrecy and is susceptible to replay attacks. Furthermore, Babu et al. [14] proposed another lightweight authentication scheme based on physical unclonable functions. In this scheme, RSUs acquire the physical unclonable function (PUF) response values uploaded by vehicles from a trusted center to enable mutual authentication between vehicles and RSUs. However, their scheme exhibits vulnerabilities to replay attacks and lacks non-linkability and perfect forward secrecy.

In recent years, blockchain technology has been widely applied in dynamic wireless charging systems. Alshaeri et al. [15] proposed a dynamic electric vehicle charging energy trading scheme based on blockchain technology. In their scheme, vehicles purchase tickets from energy providers through smart contracts, and these tickets are encrypted using a shared secret value of the energy provider and RSUs. Abouyoussef et al. [16] proposed a blockchain-based network strategy to support privacy protection for executing dynamic charging. Tajmohammadi et al. [17] proposed a secure and lightweight dynamic wireless charging payment protocol. The protocol employs symmetric encryption and XOR operations to safeguard the privacy of the communication.

3. Preliminaries

3.1. Elliptic Curve Cryptography

Elliptic curve cryptography [18] is a public key encryption technology based on elliptic curves over a finite field. Let $F_p$ denote a finite field with a large prime order p. E denote an elliptic curve: $y^2=x^3+ax+b$ mod p, where $x,y,a,b\in F_p$. G is a cyclic subgroup over $F_p$ and P is the generator point.

Definition 1.

(Elliptic Curve Discrete Logarithm Problem): Given a base point P and a point $Q=x·P$, it is computationally difficult to determine the integer x from Q.

Definition 2.

(Elliptic Curve Computational Diffie–Hellman): Give a base point P and two pointa $Q_1=a·P$ and $Q_2=b·P$, it is computationally difficult to compute $Q=a·b·P$ in probabilistic polynomial time.

3.2. Fuzzy Extractor

A fuzzy extractor [19] can extract the same outputs from the inputs with a certain amount of noise, and it is used to extract and recover the user’s biological key. This process can be described by a pair of functions, denoted as $EXT=(Gen,Rep)$.

• $(\sigma ,\tau )=Gen\left(bio\right)$. The generating function, denoted as $Gen(.)$, takes the input biological information $bio$ and produces the biological key $\sigma$ along with auxiliary information $\tau$.
• $\sigma =Rep(bio,\tau )$. The recovery function, denoted as $Rep(.)$, takes the input biological information $bio$ and auxiliary information $\tau$ to recover the biological key $\sigma$.

3.3. Physical Unclonable Function

A physical unclonable function (PUF) [20] is a hardware security primitive that leverages the unique physical characteristics of a chip to generate an unpredictable response. It possesses reproducibility, uniqueness, and unpredictability properties. By exploiting manufacturing variances, a unique mapping function between the challenge signal and response is established, which can be formalized as $Res=PUF\left(Cha\right)$, where $Cha$ represents the challenge and $Res$ represents the response.

In this paper, a PUF is employed within the RSU to safeguard stored confidential information, preventing the adversary from obtaining any information from the RSU.

3.4. Threat Model

In the model we proposed, the TSP is assumed to be a completely trusted and honest entity. The RSU is assumed to be an honest but curious entity. Specifically, the RSU will honestly execute protocol processes and steps; however, it cannot be excluded that the RSU may attempt to obtain more private information from the running process. The EV is assumed to be an entity that could potentially engage in malicious behaviors. They are at risk of illegal operations caused by hacking attacks. $\mathcal{A}$ is defined as the adversary in our scheme. $\mathcal{A}$ has the following capabilities:

• $\mathcal{A}$ can overhear, intercept, and synthesize any publicly transmitted messages. This is in line with the Dolev–Yao threat model [21].
• $\mathcal{A}$ can either be a registered user or an insider attacker with privileged access, capable of obtaining additional information beyond publicly available messages.
• $\mathcal{A}$ can launch side-channel attacks to obtain information stored in the smart card and RSU.

3.5. Security Goals

In this section, we will focus on introducing the security design goals of the proposed protocol. Specifically, the security objectives of this protocol include the following:

Confidentiality: Sensitive information involved in the charging process cannot be intercepted by unauthorized entities during communication, ensuring that only authorized entities can access the data generated during the charging process.

Message integrity: Due to the TSP not being involved in direct communication between EVs and RSUs, EVs and RSUs need to have the capability to mutually verify if messages have been tampered with to ensure the integrity of message transmission.

Anonymity and unlinkability: The personal information of EVs is effectively protected with anonymity during the charging process. Charging behavior and related data cannot be traced or linked back to specific user identities.

Mutual authentication: Mutual authentication is performed between EVs and RSUs to ensure that the EVs are legitimate and trustworthy and that they can verify the identity of the RSUs, establishing a two-way trust relationship.

4. The Proposed Scheme

The proposed scheme consists of six phases, namely system initialization, vehicle registration, RSU registration, login and authentication, charging authentication, and handover authentication. The notations of our protocol are shown in

Table 1. Notions.

Notions	Description
$TSP$	Trusted service provider
$RS{U}_j$	$j^{th}$ roadside units
$EV{U}_i$	$i^{th}$ electric vehicle user
$CP$	Charge pad
$I{D}_i$	Identity of $EV{U}_i$
$P{W}_i$	Password of $EV{U}_i$
$P{K}_{RS{U}_j},c_j$	Public and private key pair of $RS{U}_j$
$P{K}_{TSP},s$	Public and private key pair of TSP
$PI{D}_i$	Pseudo-identity of vehicle
$T_{\ast }$	Timestamp
$h(.)$	One-way hash function
$Gen(.)$	The generating function of fuzzy extractor
$Rep(.)$	The reproduction function of fuzzy extractor
$PUF\left(\right)$	Physical unclonable function
$Bi{o}_i$	The biological information of $E{V}_i$
${\sigma }_i,{\tau }_i$	Biological key and auxiliary parameter
$Ch{a}_j,Re{s}_j$	The challenge and response of the PUF in $RS{U}_j$
$S{C}_i$	The smart scard of $EV{U}_i$
⊕	Exclusive OR operation
∥	Concatenation operator

.

4.1. Initialization Phase

In this phase, TSP initializes the system environment to generate system parameters. TSP selects a large prime number q, a non-singular elliptic curve $E(a,b)$ on a finite field $F_q$ and a point $P\in E(a,b)$ as the base point. Then, TSP selects a long-term private key $s\in Z_q^{\ast }$, and computes $P{K}_{TSP}=s·P$. Here, based on the elliptic curve discrete logarithm problem (ECDL), s is secure. Next, TSP chooses SHA-256 as the hash function $h:{\{0,1\}}^{\ast }\to {\{0,1\}}^{256}$, and the generation function $Gen(.)$ and recovery function $Rep(.)$ for the fuzzy extractor. Finally, TSP distributes $\{Gen(.),Rep(.),h(.),P,P{K}_{TSP}\}$ to each entity.

4.2. Vehicle Registration Phase

In this phase, the electric vehicle user $EV{U}_i$ registers with TSP to obtain its private key. The registration process is conducted over a secure channel between $EV{U}_i$ and TSP, as shown in

Table 2. Vehicle registration phase.

${\mathit{EVU}}_{\mathit{i}}$		TSP
Input $I{D}_i$, $P{W}_i$, $Bi{o}_i$
	$\underset{Securechannel}{\overset{\left\{I{D}_i\right\}}{\to }}$
		Verify the uniqueness of $I{D}_i$
		Generate random numbers $r_i$, $x_i$
		$PI{D}_i=h(I{D}_i\parallel r_i)$
		$X_i=x_i·P$
		$d_i=x_i+h(PI{D}_i\parallel X_i)·s$
		Store $\{I{D}_i,x_i,r_i\}$ in secure memory
	$\underset{Securechannel}{\overset{\{PI{D}_i,X_i,d_i\}}{\leftarrow }}$
$({\sigma }_i,{\tau }_i)=Gen\left(Bi{o}_i\right)$
$A_i=PI{D}_i\oplus h(P{W}_i\parallel {\sigma }_i)$
$B_i=X_i\oplus h(PI{D}_i\parallel {\sigma }_i)$
$C_i=d_i\oplus h(X_i\parallel {\sigma }_i)$
$D_i=h(I{D}_i\parallel P{W}_i\parallel {\sigma }_i)$
$\{A_i,B_i,C_i,D_i,{\tau }_i,Rep(.)\}$
stored in $S{C}_i$

.

Step VR1:$EV{U}_i$ selects an identity $I{D}_i$ and sends the identity $I{D}_i$ to the trusted service provider (TSP).

Step VR2: Upon receiving $I{D}_i$, the TSP first queries the database to verify the uniqueness of $I{D}_i$. If it is not unique, TSP rejects the vehicle registration. Else, it selects the random numbers $r_i$ and $x_i$. Then, the TSP calculates $PI{D}_i=h(I{D}_i\parallel r_i)$, $X_i=x_i·P$, $d_i=x_i+h(PI{D}_i\parallel X_i)\ast s$. Finally, the TSP sends $\{PI{D}_i,X_i,d_i\}$ to $EV{U}_i$ and stores $\{I{D}_i,x_i,r_i\}$ in its secure memory.

Step VR3: Upon receiving the message, $EV{U}_i$ first inserts the smart card, inputs $P{W}_i$ and $Bi{o}_i$, and calculates $({\sigma }_i,{\tau }_i)=Gen\left(Bi{o}_i\right)$. Next, the values $A_i=PI{D}_i\oplus h(P{W}_i\parallel {\sigma }_i)$, $B_i=X_i\oplus h(PI{D}_i\parallel {\sigma }_i)$, $C_i=d_i\oplus h(X_i\parallel {\sigma }_i)$, and $D_i=h(I{D}_i\parallel P{W}_i\parallel {\sigma }_i)$ are computed. Finally, $\{A_i,B_i,C_i,D_i,{\tau }_i,Rep(.)\}$ are stored in the smart card $S{C}_i$.

4.3. RSU Register Phase

In this phase, the RSU generates its own public and private keys and initiates a registration request to TSP. Each RSU has an independent public/private key pair, instead of using a shared key as in traditional schemes. The registration process is conducted over a secure channel between $RS{U}_j$ and TSP, as shown in

Table 3. RSU registration phase.

${\mathit{RSU}}_{\mathit{j}}$		TSP
Select a random number $c_j$
$P{k}_{RS{U}_j}=c_j·P$
	$\underset{Securechannel}{\overset{\left\{P{k}_{RS{U}_j}\right\}}{\to }}$
		Verify the uniqueness of $P{k}_{RS{U}_j}$
		Store $P{k}_{RS{U}_j}$ in its memory
	$\underset{Securechannel}{\overset{\left\{ACK\right\}}{\leftarrow }}$
Generate a challenge $ch{a}_j$
$Re{s}_j=PUF\left(Ch{a}_j\right)$
$W_j=c_j\oplus h(P{k}_{RS{U}_j}\parallel Re{s}_j)$
$Y_j=G_{pad}\oplus h(P{k}_{RS{U}_j}\parallel c_j)$
Store $\{Ch{a}_j,W_j,Y_j\}$

.

Step RR1:$RS{U}_j$ selects a random number $c_j\in Z_q^{\ast }$ and computes $P{k}_{RS{U}_j}=c_j·P$.

Step RR2:$RS{U}_j$ sends $P{k}_{RS{U}_j}$ to the trusted service provider (TSP) via a secure channel. Upon receiving $P{k}_{RS{U}_j}$, the TSP verifies the uniqueness of the identity, stores $P{k}_{RS{U}_j}$ in its memory and sends $\left\{ACK\right\}$ to $RS{U}_j$.

Step RR3: Upon receiving the message, $RS{U}_j$ generates a challenge value $Ch{a}_j$ and uses the physical unclonable function (PUF) to calculate the response value $Re{s}_j$. $RS{U}_j$ selects the group key $G_{pad}$, delivers $G_{pad}$ to the charging pads (CPs), and then computes $W_j=c_j\oplus h(P{k}_{RS{U}_j}\parallel Re{s}_j)$ and $Y_j=G_{pad}\oplus h(P{k}_{RS{U}_j}\parallel c_j)$. Finally, $RS{U}_j$ stores $\{Ch{a}_j,W_j,Y_j\}$ in its memory.

4.4. Login and Authentication Phase

In the login and authentication phase, $EV{U}_i$ needs to mutually authenticate its identity with the accessed RSU before requesting charging. The authentication process is described in

Table 4. Login and authentication.

${\mathit{EVU}}_{\mathit{i}}$		${\mathit{RSU}}_{\mathit{j}}$
Input $I{D}_i$,$P{W}_i$,$Bi{o}_i$
${\sigma }_i=Rep(Bi{o}_i,{\tau }_i)$
$D_i^{\ast }=h(I{D}_i\parallel P{W}_i\parallel {\sigma }_i)$
Chech $D_i^{\ast }\stackrel{?}{=}{D}_i$
Generate a random number $m_i$ and
the timestamp $T_1$
$PI{D}_i=A_i\oplus h(P{W}_i\parallel {\sigma }_i)$
$X_i=B_i\oplus h(PI{D}_i\parallel {\sigma }_i)$
$d_i=C_i\oplus h(X_i\parallel {\sigma }_i)$
$P_i=m_i·P$
$P_{ij}=m_i·P{K}_{RS{U}_j}$
$M_1=PI{D}_i\oplus h(P_{ij}\parallel T_1)$
$M_2=X_i\oplus h(PI{D}_i\parallel P_{ij}\parallel T_1)$
$e_i=d_i+h(PI{D}_i\parallel P_i\parallel T_1)\ast m_i$
	$\underset{Insecurechannel}{\overset{Me{s}_1=\{M_1,M_2,e_i,P_i,T_1\}}{\to }}$
		Check the freshness of $T_1$
		$Re{s}_j=PUF\left(Ch{a}_j\right)$
		$c_j=W_j\oplus h(P{k}_{RS{U}_j}\parallel Re{s}_j)$
		$P_{ij}=c_j·P_i$
		$PI{D}_i=M_1\oplus h(P_{ij}\parallel T_1)$
		$X_i=M_2\oplus h(PI{D}_i\parallel P_{ij}\parallel T_1)$
		Verify if $e_i·P\stackrel{?}{=}{X}_i+$
		$h(PI{D}_i\parallel X_i)·P{K}_{TSP}+h(PI{D}_i\parallel P_i\parallel T_1)·P_i$
		If not, abort the request. Else,
		Generate a random number $n_j$ and
		the timestamp $T_2$
		$Q_j=n_j·P$
		$Q_{ij}=n_j·P_i$
		$SK=h(Q_{ij}\parallel P{k}_{RS{U}_j}\parallel PI{D}_i)$
		$M_3=h(Q_j\parallel SK\parallel PI{D}_i\parallel P{k}_{RS{U}_j}\parallel T_2)$
	$\underset{Insecurechannel}{\overset{Me{s}_2=\{M_3,Q_j,T_2\}}{\leftarrow }}$
Check the freshness of $T_2$
$SK=h(m_i·Q_j\parallel P{k}_{RS{U}_j}\parallel PI{D}_i)$
$M_3^{\ast }=h(Q_j\parallel SK\parallel PI{D}_i\parallel P{k}_{RS{U}_j}\parallel T_2)$
Check $M_3\stackrel{?}{=}{M}_3^{\ast }$

.

Step LA1:$EV{U}_i$ initiates the login process by inserting the smart card ($S{C}_i$) and entering the identity $I{D}_i$, password $P{W}_i$, and biological information $Bi{o}_i$. $S{C}_i$ computes ${\sigma }_i=Rep(Bi{o}_i,{\tau }_i)$ and $D_i^{\ast }=h(I{D}_i\parallel P{W}_i\parallel {\sigma }_i)$. If $D_i^{\ast }\ne D_i$, $S{C}_i$ rejects $EV{U}_i$’s login request. Otherwise, go on.

$EV{U}_i$ selects a random number $m_i\in Z_q^{\ast }$ and timestamp $T_1$. Next, $EV{U}_i$ computes $PI{D}_i=A_i\oplus h(P{W}_i\parallel {\sigma }_i)$, $X_i=B_i\oplus h(PI{D}_i\parallel {\sigma }_i)$, $d_i=C_i\oplus h(X_i\parallel {\sigma }_i)$, $P_i=m_i·P$, $P_{ij}=m_i·P_{RS{U}_j}$, $M_1=PI{D}_i\oplus h(RI{D}_j\parallel P_{ij}\parallel T_1)$, $M_2=X_i\oplus h(PI{D}_i\parallel P_{ij}\parallel T_1)$, and $e_i=d_i+h(PI{D}_i\parallel P_i\parallel T_1)\ast m_i$. Finally, $EV{U}_i$ sends the message $Me{s}_1=\{M_1,M_2,e_i,P_i,T_1\}$ to $RS{U}_j$ via a public channel.

Step LA2: When $RS{U}_j$ receives $EV{U}_i$’s request, it first checks the freshness of $T_1$. If it is valid, $RS{U}_j$ computes $Re{s}_j=PUF\left(Ch{a}_j\right)$, $c_j=W_j\oplus h(RI{D}_j\parallel Re{s}_j)$, $P_{ij}=c_j·P_i$, $PI{D}_i=M_1\oplus h(RI{D}_j\parallel P_{ij}\parallel T_1)$, and $X_i=M_2\oplus h(PI{D}_i\parallel P_{ij}\parallel T_1)$. After that, $RS{U}_j$ checks $e_i·P=X_i+h(PI{D}_i\parallel X_i)·P{K}_{TSP}+h(PI{D}_i\parallel P_i\parallel T_1)·P_i$. If the condition is not satisfied, $RS{U}_j$ aborts the request. Otherwise, $RS{U}_j$ continues the request.

$RS{U}_j$ selects a random number $n_j\in Z_q^{\ast }$ and generates the timestamp $T_2$. Then, $RS{U}_j$ computes $Q_j=n_j·P$, $Q_{ij}=n_j·P_i$, $SK=h(Q_{ij}\parallel P{k}_{RS{U}_j}\parallel PI{D}_j)$, and $M_3=h(Q_j\parallel SK\parallel PI{D}_i\parallel P{k}_{RS{U}_j}\parallel T_2)$, where SK is session key. Finally, $RS{U}_j$ sends the message $Me{s}_2=\{M_3,Q_j,T_2\}$ to $EV{U}_i$ via a public channel.

Step LA5: After receiving $Me{s}_2$, $EV{U}_i$ checks the validity of $T_2$. If it is correct, $EV{U}_i$ further computes $SK=h(m_i·Q_j\parallel P{k}_{RS{U}_j}\parallel PI{D}_i)$, $M_3^{\ast }=h(Q_j\parallel SK\parallel PI{D}_i\parallel P{k}_{RS{U}_j}\parallel T_2)$, and verifies if $M_3\stackrel{?}{=}{M}_3^{\ast }$. If the verification is successful, $RS{U}_j$ is authenticated by $EV{U}_i$. Otherwise, the session is terminated.

$EV{U}_i$ and $RS{U}_j$ generate a session key $SK$ to encrypt subsequent communications. With the secure channel established via $SK$, $EV{U}_i$ is then able to send a charging request to $RS{U}_j$ securely.

4.5. Charging Authentication Phase

After $EV{U}_i$ completes mutual authentication with the RSU, it needs the help of the $RS{U}_j$ to realize the charging functionality with the CPs. As shown in

Table 5. Charging authentication 1.

${\mathit{EVU}}_{\mathit{i}}$		${\mathit{RSU}}_{\mathit{j}}$		CP
Generate a random number $v_i$
$C{H}_{req}=E_{SK}(v_i,PI{D}_i)$
	$\underset{Insecurechannel}{\overset{ME{S}_3=\left\{C{H}_{req}\right\}}{\to }}$
		Select a random number $v_j$,
		Generate timestamp $T_3$ and $Tim{e}_{end}$
		$(PI{D}_i,v_i)=D_{SK}\left(C{H}_{req}\right)$
		$Ta{g}_i=h(v_i\parallel v_j\parallel PI{D}_i\parallel P{k}_{RS{U}_j}\parallel T_3\parallel Tim{e}_{end})$
		$G_{jk}=h(c_j·P{K}_{RS{U}_k}\parallel T_3)$
		$M_4=E_{SK}(Ta{g}_i,G_{jk})$
		$M_5=h(Ta{g}_i\parallel G_{jk}\parallel M_4\parallel T_3)$
		$G_{pad}=Y_j\oplus h(RI{D}_j\parallel c_j)$
		$M_6=E_{G_{pad}}\left(Ta{g}_i\right)$
	$\underset{Insecurechannel}{\overset{Me{s}_4=\{M_4,M_5,T_3\}}{\leftarrow }}$		$\underset{Insecurechannel}{\overset{ME{S}_5=\left\{M_6\right\}}{\to }}$
$(Ta{g}_i,G_{jk})=D_{SK}\left(M_4\right)$
$M_5^{\ast }=h(Ta{g}_i\parallel G_{jk}\parallel M_4\parallel T_3)$
Check $M_5^{\ast }\stackrel{?}{=}{M}_5$

, $RS{U}_j$ issues a charging credential $ta{g}_i$ to $EV{U}_i$ and CPs.

Table 6. Charging authentication 2.

${\mathit{EVU}}_{\mathit{i}}$		CP
$M_7=h(Ta{g}_i\parallel T_3)$
	$\underset{Insecurechannel}{\overset{ME{S}_6=\{M_7,T_4\}}{\to }}$
		$Ta{g}_i=D_{G_{pad}}\left(M_6\right)$
		$M_7^{\ast }=h(Ta{g}_i\parallel T_4)$
		Check $M_7^{\ast }\stackrel{?}{=}{M}_7$

shows the process of $EV{U}_i$ initiating a charging request to CP.

Step CA1:$EV{U}_i$ selects a random number $v_i$, calculates $C{H}_{req}=E_{SK}(v_i,PI{D}_i)$ and initiates a charging request $ME{S}_3=\left\{C{H}_{req}\right\}$ to $RS{U}_j$.

Step CA2:$RS{U}_j$ selects a random number $v_j$ and generates the timestamp $T_3$, and expiration time $Tim{e}_{end}$, where $Tim{e}_{end}$ is the valid time period of the credential. Next, $RS{U}_j$ calculates $(PI{D}_i,v_i)=D_{SK}\left(C{H}_{req}\right)$, $Ta{g}_i=h(v_i\parallel v_j\parallel PI{D}_i\parallel P{k}_{RS{U}_j}\parallel T_3\parallel Tim{e}_{end})$, $G_{jk}=h(c_j·P{K}_{RS{U}_k}\parallel T_3)$, $M_4=E_{SK}(Ta{g}_i,G_{jk})$, and $M_5=h(Ta{g}_i\parallel G_{jk}\parallel M_4\parallel T_3)$. Also, $RS{U}_j$ calculates $G_{pad}=Y_j\oplus h(RI{D}_j\parallel s_j)$ and $M_6=E_{G_{pad}}\left(Ta{g}_i\right)$. Finally, $RS{U}_j$ sends $ME{S}_4=\{M_4,M_5,T_3\}$ and $ME{S}_5=\left\{M_6\right\}$, respectively, to $EV{U}_i$ and CPs through a public channel.

Step CA3:$EV{U}_i$ calculates $(Ta{g}_i,G_{jk})=D_{SK}\left(M_4\right)$ and $M_5^{\ast }=h(Ta{g}_i\parallel G_{jk}\parallel M_4\parallel T_3)$ and verifies $M_5^{\ast }\stackrel{?}{=}{M}_5$.

Step CA4:$EV{U}_i$ then calculates $M_7=h(Ta{g}_i\parallel T_4)$, and sends $Me{s}_6=\{M_7,T_4\}$ to the CP.

Step CA5: The CP receives the message sent by $RS{U}_j$ and $EV{U}_i$, decrypts $Ta{g}_i$, calculates $M_7^{\ast }=h(Ta{g}_i\parallel T_4)$, and after verifying the consistency between $M_7^{\ast }$ and $M_7$, allows the user to charge.

From the response of $RS{U}_j$, $EV{U}_i$ obtains a token $Ta{g}_i$, which represents its charging authorization. With $Ta{g}_i$, all CPs deployed within the coverage area of $RS{U}_j$ can recognize $EV{U}_i$ as an authorized electric vehicle user, and $EV{U}_i$ can seamlessly obtain charging services.

4.6. Handover Authentication

$EV{U}_i$ is transferred from one $RS{U}_j$ to another $RS{U}_k$ during dynamic charging and running for handover authentication. The process of handover authentication is presented in

Table 7. Handover authentication.

${\mathit{EVU}}_{\mathit{i}}$		${\mathit{RSU}}_{\mathit{k}}$
Generate a random number $k_i$
$N_i=k_i·P$
$H{A}_{req}=E_{G_{jk}}\left(PI{D}_i\right)$
$M_8=h(N_i\parallel P{K}_{RS{U}_j}\parallel PI{D}_i\parallel T_3\parallel T_5)$
	$\underset{Insecurechannel}{\overset{ME{S}_7=\{H{A}_{req},N_i,M_8,P{K}_{RS{U}_j},T_3,T_5\}}{\to }}$
		Check the freshness of $T_3$ and $T_5$
		$Re{s}_k=PUF\left(Ch{a}_k\right)$
		$c_k=W_k\oplus h(P{K}_{RS{U}_k}\parallel Re{s}_k)$
		$G_{jk}^{\ast }=h(c_k·P{K}_{RS{U}_j}\parallel T_3)$
		$PI{D}_i=D_{G_{jk}^{\ast }}\left(H{A}_{req}\right)$
		$M_8^{\ast }=h(N_i\parallel P{K}_{RS{U}_j}\parallel PI{D}_i\parallel T_3\parallel T_5)$
		Check $M_8^{\ast }\stackrel{?}{=}{M}_8$
		$S{K}^{\ast }=h(c_k·N_i\parallel PI{D}_i\parallel P{K}_{RS{U}_k})$
		$M_9=h(S{K}^{\ast }\parallel P{K}_{RS{U}_k}\parallel PI{D}_i\parallel T_6)$
	$\underset{Insecurechannel}{\overset{Me{s}_8=\{M_9,T_6\}}{\leftarrow }}$
Check the freshness of $T_6$
$S{K}^{\ast }=h(k_i·P{K}_{RS{U}_k}\parallel PI{D}_i\parallel P{K}_{RS{U}_k})$
$M_9^{\ast }=h(S{K}^{\ast }\parallel P{K}_{RS{U}_k}\parallel PI{D}_i\parallel T_6)$
Check $M_9^{\ast }\stackrel{?}{=}{M}_9$

.

Step HA1:$EV{U}_i$ first generates a random number $k_i$. Then, $EV{U}_i$ calculates $N_i=k_i·P$, $H{A}_{req}=E_{SK}\left(PI{D}_i\right)$, and $M_8=h(N_i\parallel P{K}_{RS{U}_j}\parallel PI{D}_i\parallel T_3\parallel T_5)$, and sends a message $ME{S}_7=\{H{A}_{req},N_i,M_8,P{K}_{RS{U}_j},T_3,T_5\}$ to $RS{U}_k$.

Step HA2: After $RS{U}_k$ receives the message, it first verifies the timestamp and calculates $Re{s}_k=PUF\left(Ch{a}_k\right)$, $c_k=W_k\oplus h(P{K}_{RS{U}_k}\parallel Re{s}_k)$, $G_{jk}^{\ast }=h(c_k·P{K}_{RS{U}_j}\parallel T_3)$, $PI{D}_i=D_{G_{jk}^{\ast }}\left(H{A}_{req}\right)$, and $M_8^{\ast }=h(N_i\parallel P{K}_{RS{U}_j}\parallel PI{D}_i\parallel T_3\parallel T_5)$, and checks $M_8^{\ast }\stackrel{?}{=}{M}_8$. Then, $RS{U}_k$ computes $S{K}^{\ast }=h(c_k·N_i\parallel PI{D}_i\parallel P{K}_{RS{U}_k})$ and $M_9=h(S{K}^{\ast }\parallel P{K}_{RS{U}_k}\parallel PI{D}_i\parallel T_6)$. Finally, $RS{U}_k$ sends a message $ME{S}_8=\{M_9,T_6\}$ to $EV{U}_i$.

Step HA3: After $EV{U}_i$ receives the message, it verifies the timestamp and computes $S{K}^{\ast }=h(k_i·P{K}_{RS{U}_k}\parallel PI{D}_i\parallel P{K}_{RS{U}_k})$ and $M_9^{\ast }=h(S{K}^{\ast }\parallel P{K}_{RS{U}_k}\parallel PI{D}_i\parallel T_6)$, and checks $M_9^{\ast }\stackrel{?}{=}{M}_9$.

When $EV{U}_i$ moves from the area of $RS{U}_j$ to the area of $RS{U}_k$, it needs to complete a handover authentication. After successful handover authentication, a new session key $S{K}^{\ast }$ is generated between $EV{U}_i$ and $RS{U}_k$. With $S{K}^{\ast }$, $EV{U}_i$ sends a charging request to $RS{U}_k$ and obtains a new charging credential.

5. Informal Security Analysis

5.1. Replay Attack

In our protocol, timestamps are used to ensure the freshness of communication messages. In each session, the freshness of the timestamps is verified when receiving publicly transmitted messages. Any replayed messages cannot pass this freshness verification. Therefore, the proposed scheme is resistant to replay attacks.

5.2. Smart Card Lost Attack

Assuming the smart card is obtained by the adversary $\mathcal{A}$ after being lost, $\mathcal{A}$ attempts to retrieve data $S{C}_i=\{A_i,B_i,C_i,D_i,{\tau }_i,Rep(.)\}$ from the smart card using a power analysis attack, where $A_i=PI{D}_i\oplus h(P{W}_i\parallel {\sigma }_i)$, $B_i=X_i\oplus h(PI{D}_i\parallel {\sigma }_i)$, $C_i=d_i\oplus h(X_i\parallel {\sigma }_i)$, and $D_i=h(I{D}_i\parallel P{W}_i\parallel {\sigma }_i)$, and ${\sigma }_i$ is the biometric key. However, due to the absence of ${\sigma }_i$, $\mathcal{A}$ cannot obtain any valid parameters. Therefore, the proposed protocol is not vulnerable to smart card lost attacks.

5.3. RSU Captured Attack

The adversary $\mathcal{A}$ attempts power analysis attacks to extract the stored parameters $\{ch{a}_j,W_j,Y_j\}$ from $RS{U}_j$. Here, $W_j=c_j\oplus h(RI{D}_j\parallel re{s}_j)$ and $Y_j=G_{pad}\oplus h(RI{D}_j\parallel c_j)$, while $ch{a}_j$ represents the challenge of the PUF. As $PUF\left(ch{a}_j\right)$ produces variable outputs, the secret parameters $c_j$ and $G_{pad}$ remain inaccessible to $\mathcal{A}$. In this manner, our scheme effectively withstands RSU physical capture attacks.

5.4. User Impersonation Attack

Assuming an adversary $\mathcal{A}$ attempts to impersonate a vehicle and sends an authentication request to the RSU, $\mathcal{A}$ would need to know the vehicle’s private key $d_i$ and pseudo-identity $PI{D}_i$ to forge the message $Me{s}_1=\{M_1,M_2,e_i,P_i,T_1\}$. However, as demonstrated in Section 5.2, $\mathcal{A}$ cannot obtain this sensitive information from the smart card. Hence, our protocol is resilient against user impersonation attacks.

5.5. RSU Impersonation Attack

Assuming $\mathcal{A}$ tries to impersonate the RSU to authenticate a vehicle, they would need to know the RSU’s private key $c_j$ to forge the message $Me{s}_2=\{M_3,Q_i,T_2\}$. Nevertheless, as explained in Section 5.3, $\mathcal{A}$ cannot access any useful information from the RSU. Consequently, our protocol can withstand RSU impersonation attacks.

5.6. Perfect Forward Secrecy

In our protocol, $EV{U}_i$ and $RS{U}_j$ share a common session key $SK=h(m_i·n_j·P\parallel RI{D}_j\parallel PI{D}_i)$. Even if the adversary $\mathcal{A}$ can obtain the private keys $d_i$ and $c_j$, $\mathcal{A}$ still cannot calculate the session key because $\mathcal{A}$ needs to solve the elliptic curve computational Diffie–Hellman problem to obtain $m_i·n_j·P$ from $m_i·P$ and $n_j·P$. Thus, the security of previous and future session keys remains safe.

5.7. No Online Trust Authority

In the proposed scheme, the trusted service provider (TSP) is responsible for system initialization and generating secrets for entities during the registration phase. However, once this setup is completed, the TSP does not actively engage in the authentication process between electric vehicle users (EVUs) or roadside units (RSUs) and charging points (CPs). As a result, the TSP does not need to maintain an online presence during the authentication procedures.

5.8. Anonymity and Non-Linkability

In the proposed scheme, the vehicle’s pseudo-identity is represented as $PI{D}_i=h(I{D}_i\parallel r_i)$. The non-reversibility of hash functions makes it challenging to link the pseudo-identity $PI{D}_i$ to the actual identity of the $EV{U}_i$. Moreover, $PI{D}_i$ remains concealed throughout the authentication process, and adversaries cannot extract it from either the public channel or the smart card. Consequently, the scheme ensures non-linkability, preventing adversaries from associating specific users with different sessions.

6. Formal Security Analysis

6.1. Formal Proof

In this section, we establish the semantic security of the proposed protocol under the ROR model [22]. The random oracle model is very suitable for analyzing the security of key exchange protocols. In this model, we design a simulator that interacts with the assumed adversary in a series of game-based interactions. The simulator fairly generates and sends information such as parameters and data to the adversary according to the protocol specification. The adversary chooses whether to attack based on the received information, such as decryption or forgery. If the adversary cannot win over the simulator with a significant probability in a sufficient number of rounds of games, then under this game framework, we can consider the protocol to be secure.

The participants consist of EVs and RSUs. For example, let $I_{Vi}$ and $I_{RSUj}$ represent instances of $EV{U}_i$ and $RS{U}_j$, respectively. Adversary $\mathcal{A}$ can launch various queries in an attempt to compromise the security of authentication and session keys. The details of these queries are listed in

Table 8. Queries performed in ROR model.

Queries	Description
$Execute(I_{Vi},I_{RSUj})$	Adversary $\mathcal{A}$ can intercept all publicly transmitted information.
$CorruptU\left(I_{Vi}\right)$	$\mathcal{A}$ performed a side-channel attack on the smart card and obtained the stored information $\{A_i,B_i,C_i,D_i,{\tau }_i,Rep(.)\}$.
$CorruptRSU\left(I_{RSUj}\right)$	$\mathcal{A}$ performed a side-channel attack on the RSU and obtained the stored information $\{RI{D}_j,ch{a}_j,W_j,Y_j\}$.
$Send(I_{Vi},I_{RSUj},m)$	$\mathcal{A}$ forges message m and sends it to $I_{Vi}$ and $I_{RSUj}$. Upon receiving m, if m is valid, $I_{Vi}$ and $I_{RSUj}$ reply to $\mathcal{A}$.
$Reveal(I_{Vi},I_{RSUj})$	The session keys between $I_{Vi}$ and $I_{RSUj}$ can be queried by $\mathcal{A}$.
$Test(I_{Vi},I_{RSUj},r)$	$\mathcal{A}$ selects a session for a challenge. If $u=1$, $\mathcal{A}$ can obtain the real session key. On the other hand, if $u=0$, $\mathcal{A}$ will receive a randomly generated string of the same length as the real session key.

.

In semantic security, $\mathcal{A}$ is allowed to make a single query to the function $Test(I_{Vi},I_{RSUj},r)$ and multiple other queries to verify the correctness of the return value from $Test(I_{Vi},I_{RSUj},r)$. The advantage of $\mathcal{A}$ in guessing the value of r is defined as $Ad{v}_{\mathcal{A}}=|2Pr\left[suc\left(\mathcal{A}\right)\right]-1|<\eta$, where $Ad{v}_{\mathcal{A}}$ represents the advantage and $\eta$ is a sufficiently small value.

Theorem 1 aims to prove that the proposed scheme attains semantic security in the random oracle model, meaning that $Ad{v}_{\mathcal{A}}$ cannot obtain any useful information from the interactive process.

Theorem 1.

Let Adv represent the advantage of adversaries obtaining session keys in polynomial time: $Ad{v}_{\mathcal{A}}\le \frac{q_{Ha}^2}{2^{l_{Ha}}}+\frac{q_{Se}}{|l_1\left|\right|l_2|2^{l_{bio}-1}}+2Ad{v}_{\mathcal{A}}^{PUF}+2Ad{v}_{\mathcal{A}}^{ECDLP}$. $q_{Ha}$, $q_{Se}$, and $q_{Ex}$ represent the number of hash, send, and execute queries performed by $\mathcal{A}$. $l_{Ha}$ and $l_{bio}$ are the lengths of the hash and biological keys, respectively. $l_1$ and $l_2$ are the sizes of the uniformly distributed identity and password dictionaries, and $|l_1|$ and $|l_2|$ represent the size of the range space of each dictionary. The advantages of breaking the PUF and ECDLP by $\mathcal{A}$ are denoted as $Ad{v}_{\mathcal{A}}^{PUF}$ and $Ad{v}_{\mathcal{A}}^{ECDLP}$, respectively.

Proof. 

To verify the semantic security of the proposed protocol, the five games $Gam{e}_i$$(0\le i\le 4)$ can be performed by $\mathcal{A}$. $Su{c}_i(0\le i\le 4)$ means $\mathcal{A}$ can distinguish the session key and a random number u in the $Gam{e}_i$. □

$Gam{e}_0$: In this game, $\mathcal{A}$ simulates the real attack to the proposed protocol. If $\mathcal{A}$ directly guess the bit u, we obtain

$$Ad{v}_A=|2Pr\left[Su{c}_0\right]-1\left]\right|$$

(1)

$Gam{e}_1$: In this game, $\mathcal{A}$ simulates an eavesdropping attack using the $Execute$ query, allowing $\mathcal{A}$ to intercept all publicly transmitted messages. Then, $\mathcal{A}$ verifies the output of the session key or the random number u using the $Reveal$ and $Test$ queries. The session key $SK=h(m_i·n_j·P\parallel RI{D}_j\parallel PI{D}_j)$ is protected using a hash function. Thus, we obtain

$$Pr\left[Su{c}_1\right]=Pr\left[Su{c}_0\right]$$

(2)

$Gam{e}_2$: In this game, $\mathcal{A}$ simulates a collision attack on the hash results. To achieve this, $\mathcal{A}$ needs to find a hash collision within polynomial time. As defined by the birthday paradox [23], we obtain

$$|Pr\left[Su{c}_2\right]-Pr\left[Su{c}_1\right]|\le \frac{q_{Ha}^2}{2^{l_{Ha}}}$$

(3)

$Gam{e}_3$: In this game, $\mathcal{A}$ executes Corrupt and CorruptRSU queries to obtain the stored information $\{A_i,B_i,C_i,D_i,{\tau }_i,Rep(.)\}$ in the smart card and $\{RI{D}_j,ch{a}_j,W_j,Y_j\}$ in the RSU. However, it is important to note that $\mathcal{A}$ cannot directly obtain valuable parameters as all the values are masked with secret values $I{D}_i$, $P{W}_i$, $Bi{o}_i$, and $re{s}_j$. To succeed in this game, $\mathcal{A}$ must either accurately guess $I{D}_i$, $P{W}_i$, and $Bi{o}_i$, or break the physical unclonable function. The password dictionary is denoted as $l_1$, the identity dictionary as $l_2$, and the length of biological keys as $l_{bio}$. We will assume the probability of $\mathcal{A}$ breaking the PUF as $Ad{v}_{PUF}^{\mathcal{A}}$. Therefore, we obtain

$$|Pr\left[Su{c}_3\right]-Pr\left[Su{c}_2\right]|\le \frac{q_{Se}}{|l_1\left|\right|l_2|2^{l_{bio}}}+Ad{v}_{\mathcal{A}}^{PUF}$$

(4)

$Gam{e}_4$: $\mathcal{A}$ is capable of obtaining $P_i=m_i·P$ and $Q_j=n_j·P$, which are utilized for session key agreement. By obtaining $P_i$ and $Q_j$, $\mathcal{A}$ has access to pairs of points on the elliptic curve. To successfully win this game, $\mathcal{A}$ must be able to solve the elliptic curve discrete logarithm problem (ECDLP) [24]. However, without knowledge of the respective scalars $m_i$ and $n_j$, solving the ECDLP and determining the values of $m_i$ and $n_j$ becomes a challenging task. Therefore, the successful completion of the game requires $\mathcal{A}$ to possess the ability to solve the ECDLP, which is considered a computationally infeasible problem. We obtain

$$|Pr\left[Su{c}_4\right]-Pr\left[Su{c}_3\right]|\le Ad{v}_{\mathcal{A}}^{ECDLP}$$

(5)

All the games have been executed by the adversary. To win the game, $\mathcal{A}$ needs to guess the correct bit u. Therefore, we have

$$Pr\left[Su{c}_4\right]=\frac{1}{2}$$

(6)

Combining the above formulas, we have

$$\begin{array}{}\mathrm{(7)}& \frac{1}{2}Ad{v}_{\mathcal{A}}\hfill & =|Pr\left[Su{c}_0\right]-\frac{1}{2}|\hfill \mathrm{(8)}& & =|Pr\left[Su{c}_1\right]-Pr\left[Su{c}_4\right]|\hfill \mathrm{(9)}& & \le |Pr\left[Su{c}_1\right]-Pr\left[Su{c}_2\right]|+|Pr\left[Su{c}_2\right]-Pr\left[Su{c}_3\right]|+|Pr\left[Su{c}_3\right]-Pr\left[Su{c}_4\right]|\hfill \end{array}$$

Hence, $Ad{v}_{\mathcal{A}}\le \frac{q_{Ha}^2}{2^{l_{Ha}}}+\frac{q_{Se}}{|l_1\left|\right|l_2|2^{l_{bio}-1}}+2Ad{v}_{\mathcal{A}}^{PUF}+2Ad{v}_{\mathcal{A}}^{ECDLP}$

6.2. Automatic Formal Verification by ProVerif

Before deploying security protocols in real networks, it is crucial to thoroughly assess the depth and comprehensiveness of their ability to provide robust security. To achieve this goal, we conducted extensive simulation tests on the proposed protocol using the ProVerif simulator. ProVerif is a commonly used formal analysis tool for validating security protocols. It evaluates the robustness of a protocol under different attack scenarios by establishing a model of the protocol and automatically analyzing its security properties. Our simulation tests included simulating various types of attacks, such as man-in-the-middle attacks and replay attacks.

We define channel, basic types, and functions in Figure 2. The proposed scheme involves five events, namely, VLoginPhase(), VAuthentication(), VSessionKey(), RSession(), and RAuthentication(). VLoginPhase() indicates the login phase of the vehicle user, VAuthentication() indicates that the vehicle user sends an authentication request, RAuthentication() indicates that the RSU passes the authentication of the vehicle user, RSession() indicates that the RSU agrees on the session key, and VSessionKey() indicates that the vehicle user argees the session key. The above events and queries are shown in Figure 3.

The operations of the vehicle user and RSU are shown in Figure 4 and Figure 5, respectively. The main process is presented in Figure 6. As shown in Figure 7, the results of the ProVerif simulation provide strong evidence of the security of our scheme. Specifically, the simulation shows that the session key, the secret parameter of the RSU, and the password of the user are all secure against attacks. At the same time, the process of mutual authentication is performed in sequence.

7. Performance Comparison

We compare our proposed protocol against existing protocols [8,10,14] based on computational efficiency, communication overhead, and security level.

First, we analyze the security of related schemes. In Roman et al.’s scheme [8], the EV purchases tickets from the TSP and then sends a charging request to Fog Server after being certified. The EV and Fog Server establish a session key with random numbers and use the session key to deliver a valid ticket. Fog Server verifies the validity of ticket and helps the EV connect to an RSU. However, in this way, the EV cannot seamlessly charge from the RSU. Additionally, their scheme fails to achieve mutual authentication and provide perfect forward security. In Pazos-Revilla et al.’s scheme [10], the EV sends a charging request to a TSP, and the session key k is composed of public parameters $g_x$ and $g_y$. After the TSP’s verification, it encrypts a secret parameter token with k and sends it to the EV. However, their scheme uses a Diffie–Hellman key exchange to generate the session key, which is vulnerable to man-in-the-middle attacks. In Babu et al.’s scheme [14], the EV stores PUF’s challenge–response pairs in a TSP during the registration phase. Authentication of the EV’s identity by an RSU requires help from the TSP. The session key between the EV and RSU is randomly generated without ensuring perfect forward security.

Additionally, the above schemes do not consider a situation where the RSU is captured. Since RSUs are deployed in public areas without any protection mechanisms, they are easy to capture by adversaries.

Table 9. Comparison of security and properties.

Scheme		[8]	[10]	[14]	Ours
Attacks/Properties	$A_1$	✓	×	✓	✓
	$A_2$	✓	✓	✓	✓
	$A_3$	✓	✓	✓	✓
	$A_4$	✓	×	✓	✓
	$A_5$	✓	✓	✓	✓
	$A_6$	×	×	×	✓
	$P_1$	✓	✓	✓	✓
	$P_2$	×	✓	×	✓
	$P_3$	×	✓	✓	✓
	$P_4$	×	✓	✓	✓
	$P_5$	✓	✓	×	✓
	$P_6$	×	✓	×	✓

×: suffer (attacks)/no (properties). ✓: resist (attacks)/possess (properties). Attacks/properties: $A_1$: off-line password guess attack; $A_2$: impersonation attack; $A_3$: replay attack; $A_4$: man-in-middle attack; $A_5$: smart card loss attack; $A_6$: RSU captured attack; $P_1$: identity anonymity; $P_2$: no online trust authority; $P_3$: seamless handover; $P_4$: mutual authentication; $P_5$: unlinkability; $P_6$: perfect forward secrecy.

compares the security features of the proposed protocol with existing protocols [8,10,14]. Our scheme provides more functional and security properties than all other related protocols.

When an EV roams within or between multiple charging stations, the seamless switching of authentication facilities can be enabled through the exchange of short handover messages. Therefore, achieving continuous authentication requires not only efficient computation but also full consideration of the performance impacts brought by communication overhead. In order to calculate the computational costs of the proposed protocol and compare them with existing related proposals, we adopted the time costs of the scheme proposed by Babu et al. [14] as a measure of the execution time required for different cryptographic operations. The experiments were conducted in a Raspberry Pi environment equipped with a quad-core ARM Cortex-A53 processor and 1GB RAM. The computational costs for the various operations are presented in

Table 10. Simulation result.

Operation	Description	Time (ms)
$T_p$	Bilinear pairing	≈32.084 ms
$T_{exp}$	Modular exponentiation	≈5.326 ms
$T_{ecc}$	ECC point multiplication	≈2.288 ms
$T_{(e/d)}$	Encryption/decryption	≈0.511 ms
$T_s$	Signature generation	≈2.597 ms
$T_{hash}$	One-way hash function	≈0.016 ms
$T_v$	Signature verification	≈4.901 ms
$T_s$	Signature generation	≈2.597 ms
$T_{puf}$	Signature generation	≈3.333 ms
$T_{fhd}$	Signature generation	≈6.370 ms

. As shown in

Table 11. Computational time comparison.

Scheme	Required Operations	Total Time (ms)
[8]	$4T_{ecc}+T_s+T_v+4T_p+14T_{hash}$	≈145.21 ms
[10]	$6T_{exp}+3T_s+T_v+11T_{hash}$	≈44.824 ms
[14]	$28T_{hash}+3T_{puf}+2T_{fhd}$	≈23.187 ms
Ours	$14T_{ecc}+8T_{e/d}+2T_{hash}+2T_{puf}$	≈43.234 ms

, the proposed scheme reduces the computational costs compared to related schemes [8] and [10]. However, compared to [14], our scheme incurs higher computational costs. This is because our scheme satisfies more security attributes. Therefore, our scheme keeps the computational overhead relatively low among related schemes.

To perform an efficiency analysis of the communication overhead of our proposed protocol, we define the specific size of memory overhead for different operands as follows:

• 256 bits for hash functions;
• 320 bits for elliptic curve points;
• 128 bits for AES encryption;
• 128 bits for identities;
• 128 bits for random numbers;
• 32 bits for timestamps.

With the given parameters and message size assumptions, we conducted a comparative analysis of the communication costs of our proposed protocol in comparison to existing protocols in Figure 8. The existing related protocols of Roman et al. [8], Pazos-Revilla et al. [10], and Babu et al. [14] require 4320 bits, 3968 bits, and 3392 bits, respectively. In our scheme, the communication overhead required in the initial authentication is 1728 bits. The communication overhead required in the charging authentication is 1216 bits. The communication overhead required in the handover authentication process is 1376 bits. Hence, the total communication of our scheme is 4320 bits. This is similar to [8]. Our scheme incurs higher communication overhead than schemes [10,14]. However, as shown in Table 9, Refs. [10,14] cannot satisfy more security attributes. Therefore, the communication cost of our scheme is feasible.

Therefore, our scheme is not only more secure with lower computational overhead compared to related schemes but it is also more suitable for the needs of wireless charging systems. However, in terms of communication overhead, our scheme does not provide significant improvement. In future work, we intend to adopt batch authentication strategies to further reduce time overhead.

8. Conclusions

In this paper, we present an elliptic curve cryptography (ECC)-based authentication scheme tailored for dynamic charging systems, enabling mutual authentication between vehicles and roadside units (RSUs) without the need for a trusted third party. As a vehicle transitions to the next RSU, Diffie–Hellman exchanges are leveraged to facilitate seamless handover authentication. To evaluate the security of our protocol, we used the formal tool ProVerif, and employed the ROR model to ensure its semantic security.

Our proposed protocol exhibits robustness against a range of attacks. The incorporation of pseudo identities safeguards user real identities, while the inclusion of physical unclonable functions and biometrics fortifies the defense against RSU physical capture attacks and smart card loss attacks, respectively. Furthermore, comprehensive performance and security analyses show that the proposed protocol is practical.