A Secure Charging System for Electric Vehicles Based on Blockchain

Abstract

Smart grids incorporating internet-of-things are emerging solutions to provide a reliable, sustainable and efficient electricity supply, and electric vehicle drivers can access efficient charging services in the smart grid. However, traditional electric vehicle charging systems are vulnerable to distributed denial of service and privileged insider attacks when the central charging server is attacked. The blockchain-based charging systems have been proposed to resolve these problems. In 2018, Huang et al. proposed the electric vehicle charging system using lightning network and smart contract. However, their system has an inefficient charging mechanism and does not guarantee security of key. We propose a secure charging system for electric vehicles based on blockchain to resolve these security flaws. Our charging system ensures the security of key, secure mutual authentication, anonymity, and perfect forward secrecy, and also provides efficient charging. We demonstrate that our proposed system provides secure mutual authentication using Burrows–Abadi–Needham logic and prevents replay and man-in-the-middle attacks using automated validation of internet security protocols and applications simulation tool. Furthermore, we compare computation and communication costs with previous schemes. Therefore, the proposed charging system efficiently applies to practical charging systems for electric vehicles.

1. Introduction

With widespread adoption of electric vehicles (EVs) and internet-of-things (IoT), smart grids with IoT have become promising solutions to control distributed energy and electricity generation [1]. Internet-of-things is applicable to various forms for vehicular systems, such as vehicular ad hoc networks, vehicle to grid (V2G), vehicle to vehicle (V2V), and internet of vehicle (IoV). Vehicles generally have various communication and measuring sensors, including speed, position, Bluetooth, Wi-Fi and On-board units (OBU). The sensors in vehicle collect and share data such as speed, location, identity and movements. However, an adversary can intercept, modify and reuse the sensitive data of user, and then try to obatin user’s sensitive data because it is transmitted via public network. Therefore, secure mutual authentication and key agreement must be guaranteed to provide secure communication and protect user’s privacy.

In the past decades, the numerous authentication and key agreement schemes for vehicular systems in IoT have been studied to achieve essential security requirements [2,3,4,5,6,7,8,9,10]. Although these schemes try to ensure privacy and enhance efficiency, their scheme is vulnerable to various potential attacks such as distributed denial of service and privileged insider attacks because it is based on trusted third party to provide high security level. If the trusted third party is compromised, their schemes cannot provide services. For these reasons, authenticaion and key agreement schemes without a trusted third party must be proposed to achieve integrity, confidentiality, availability and reliability, considering resource-constrained devices

The smart grid provides reliable, sustainable, stable, and efficient electricity supply. EV charging management is a particularly important issue for smart grids, and related studies have been proposed [11,12,13,14,15,16], providing EV charging for users when they want to use it. However, traditional smart grid systems provide charging services based on a third party and are vulnerable to various attacks, including distributed denial of service and privileged insider attacks. If the third party is compromised, users cannot use EV charging, and smart grid systems with IoT must also consider efficiency, because EV sensors as OBU in EV also have low power and small memory.

Several studies have proposed blockchain approaches to overcome these security weaknesses and enhance efficiency [17,18,19,20,21,22]. Blockchain [17] technology guarantees decentralization, verification, and integrity, and is applicable to various fields, including smart grids, healthcare, finance, markets, and voting. Generally, blockchains consists of data blocks, called transactions, where each transaction includes data regarding previous transactions using a hash algorithm [18]. However, early blockchain studies focused on cryptocurrency, e.g., Bitcoin and Ethereum, which have significant scalability problems. Hyperledgers [19], which do not generate cryptocurrency, have been proposed to overcome these problems and solve scalability. Huang et al. [20] proposed blockchain based EV charging management security model using smart contracts and the lightning network.

This paper demonstrates that Huang et al.’s charging system [20] has inefficient charging mechanisms such as the deposit problem, generating transaction and cost of transaction fee. Huang et al.’s system also does not guarantee security of keys. Consequently, we propose a secure charging system for electric vehicles using a hyperledger to improve security and efficiency. Our main contributions are as follows.

(1)

We demonstrate security weaknesses of Huang et al.’s model, and highlight its inefficiencies.

(2)

We propose a secure charging system for EV based on blockchain to solve these security weaknesses and improve efficiency.

(3)

We perform informal analysis to demonstrate the proposed system is secure against various attacks, and prove that it provides secure mutual authentication using Burrows–Abadi–Needham (BAN) logic. We also perform formal security verification using the AVISPA tool and compare performances with previous schemes.

(4)

We analyze the computational and communication costs compared with other related existing schemes.

1.1. Organization

The remainder of this paper is organized as follows. Section 2 introduces the proposed blockchain-based EV charging model. Section 3 and Section 4 review Huang et al.’s scheme and analyze its security flaws. Section 5 proposes a secure charging system for EV based on blockchain. Section 6 provides informal analysis to verify the proposed system’s security and proves that the system mutual authentication using BAN logic. We also demonstrate that the proposed system is secure against replay and man-in-the-middle attacks using the AVISPA simulation tool. Section 7 compares the proposed system’s performance with related previous schemes. Finally, Section 8 summarizes and concludes the paper.

1.2. Related Works

There are several authentication and key agreement schemes for wireless sensor networks to resolve privacy and security issues [23,24,25,26]. In 2011, Roman et al. [23] analyzed existing authentication and key management schemes for WSN in IoT to enhance security and performance. In 2014, Turkanovic et al. [24] first proposed an authentication and key agreement scheme based on IoT considering resource-constrained devices. However, in 2016, Amin et al. [25] showed that Turkanovic et al.’s scheme was vulnerable to smart card theft, offline identity-password guessing and user impersonation attacks, and proposed an enhanced authentication scheme to overcome these security problems. However, Lu [26] et al. pointed out that Amin et al.’s scheme did not prevent known session-specific temporary information attack and proposed improved authentication and key agreement scheme using symmetric key.

Numerous privacy protection schemes for a vehicular system in IoT ensure security and improve efficiency [2,3,4,5,6,7,8,9,10]. In 2016, Lo and Tasi [2] proposed an efficient authentication scheme for vehicular sensor networks to improve performance. Kumari et al. [3] also proposed a secure trust-extended authentication scheme for vehicular ad-hoc networks to ensure authenticity of messages. In 2017, Chin et al. [4] discussed the security vulnerabilities in the internet-of-things-based smart grid and Liu et al. [5] proposed efficient dual authentication and key agreement scheme in IoV. Mohit et al. [6] also proposed authentication protocol for smart vehicular system in IoT considering energy efficiency of sensor and Guo et al. [7] proposed secure information collection scheme for big data in large scale IoV. Zhou et al. [8] proposed an enhanced privacy-preserving authentication scheme for vehicle sensor network to overcome security weaknesses of the Kumari et al.’s scheme [3]. In 2018, Shen et al. [9] proposed privacy-preserving and lightweight key agreement scheme for V2G in social IoT to guarantee security of smart grid. In 2019, Wu et al. [10] proposed mutual authentication scheme for V2V in vehicular ad hoc network to achieve better performance and security.

Several previous studies have considered EV charging systems [11,12,13,14,15,16]. In 2013, Gan et al. [11] proposed a decentralized protocol for EV charging to improve charging efficiency. In 2016, Xu et al. [12] proposed dynamic EV scheduling using less laxity and longer remaining processing time principle. In 2010 and 2012, Lu et al. [13] and Kim et al. [14] proposed scheduling mechanisms to reduce waiting times at charging stations. In 2016, Tian et al. [15] proposed recommendation system in real-time to provide charging station information. Tang and Zhang [16] proposed a low complexity EV charging scheduling algorithm using near optimal solutions.

Many studies have guaranteed decentralization, verification, and integrity [17,19,21,22,27]. However, initial blockchain models have scalability problems. Lightning network [21] and hyperledger [19] networks have been proposed to overcome this problem and improve efficiency. Lightning networks establish trading channels outside the main blockchain to enhance network performance. Hyperledger solves scalability problem and removes the requirement for cryptocurrency transactions to enhance the performances. These systems incorporate smart contracts, a set of commitments, that improve performance and privacy without requiring a trusted third party [22,27].

Several blockchain-based EV charging management systems have been proposed to improve performance [20,28,29,30]. In 2017, Dubois et al. [28] proposed an app-based blockchain system using smart contracts to provide a charging service between EVs and charging stations without requiring a trusted third party. Knirsch et al. [29] proposed an EV charging system where the EV finds the best charging station by bidding on the blockchain. Li et al. [30] proposed a consortium blockchain for energy trading in the industrial IoT to guarantee fast and reliable energy trading using the Stackelberg game. In 2018, Huang et al. [20] proposed a blockchain-based EV charging management security model, incorporating authentication mechanisms using smart contracts and the lightning network. However, the lightning network has an inefficient charging mechanism and Huang et al.’s system does not guarantee security of keys.

2. System Model

This section presents a secure charging system model for EV based on blockchain and basic concept of hyperledger.

2.1. Hyperledger

Hyperledger [19] is an open source project proposed by the Linux Foundation in 2015. The purpose is to promote cross-industry cooperation with blockchain technology. Hyperledger focuses on enhancing blockchain performance and reliability without requiring cryptocurrency.

Hyperledger architecture comprises nine blockchain components.

• Consensus layer: ensures agreement between transaction order and checks their validation.
• Smart contract layer: processes transaction requests and verifies smart contracts are valid.
• Communication layer: guarantees security for messages transmitted between nodes.
• Data store abstraction: manages data.
• Crypto abstraction: includes cryptographic algorithms or modules.
• Identity service: sets up the blockchain network, manages user and system node registration, and provides authentication and authorization.
• Policy services: provide various policies for blockchain systems.
• APIs: provide various blockchain interfaces.
• Interoperation: allows interoperation among blockchain instances.

Hyperledger provides scalability, confidentiality, complexity, essential security requirements, and compliance; and can also provide distributed ledgers, smart contracts, and friendly interfaces. Therefore, hyperledgers can be applied to various fields and disseminate blockchain technologies for cross-industry applications.

2.2. System Model

Figure 1 presents the proposed charging system for EV based on blockchain and our charging system comprises three entities: operator, energy aggregator (EAG), and user/EV; and incorporates four phases: initialization, registration, authentication, and charging, as follows.

Figure 1. Proposed blockchain based charging system model for electric vehicle.

• EV registers their identity with the operator to access charging services.
• EV and EAG authenticate each other.
• EAG generates transactions.
• EAG verifies the transaction is valid and records transactions on blockchain networks.

3. Review of Huang et al.’s Scheme

This section reviews Huang et al.’s blockchain based EV charging system [20], comprising four phases: registration, scheduling, authentication, and charging.

3.1. Registration Phase

Figure 2 shows how Huang scheme charging management includes EVs, charging piles (CPs) and operators (OP). Each participant is required to register in the open blockchain system. In Huang et al.’s scheme, lightning network transaction management system adopts an internet based cloud platform. The detailed steps are as follows.

Figure 2. Registration phase of Huang et al.’s scheme.

Step 1:

EVs $\{V_1,V_2,\cdots ,V_n\}$ choose a random number $x\in Z_n^{*}$ and calculate $Q_i=x_{i}P$. The EVs request a registration in a blockchain and broadcast $m_i=I{D}_i\left|\right|I{D}_j\left|\right|T$,$(1\le j\le n,i\ne j)$, and $(m_i,si{g}_i\left(H\left(m_i\right)\right))$.

Step 2:

CPs check whether the received signature is valid, and then compute signature ${\alpha }_i=f\left(x_i{x}_{i+1}\right)x_{i+2}P$ and $C_i=E_{p{w}_i}\left({\alpha }_i\right)$. Then, CPs send $m_i=I{D}_i\left|\right|s\left|\right|C_i\left|\right|T$ and $(m_i^{\prime },si{g}_i\left(H\left(m_i^{\prime }\right)\right))$ to the OP in the blockchain.

Step 3:

OP verifies the received the signature is valid and reuses $P{W}_i$, where $P{W}_i$ is shared with each participant to decrypt ${\alpha }_i$. Subsequently OP computes $K_i=E_{P{W}_i}(\sum {\alpha }_j)(1\le j\le n,i\ne j)$ and broadcasts it in the blockchain.

Step 4:

After receiving key $K_i$ from the OP, each participant decrypts $K_i$ and computes session key $K={\alpha }_i+\sum {\alpha }_j={\sum }_{i=1}^n{\alpha }_i=f\left(x_1{x}_{2}P\right)x_{3}P+\cdots +f\left(x_n{x}_{1}P\right)x_{2}P$. When a request is recorded in the blockchain, it is checked by all CPs.

3.2. Scheduling Phase

Figure 3 shows the Huang scheme includes four scheduling strategies to provide charging services and improve charging efficiency: minimum time, minimum waiting time, minimum total cost, and shortest path.

Figure 3. Scheduling phase of Huang et al.’s scheme.

3.3. Authentication Phase

Figure 4 shows that EV and CP perform point-to-point (P2P) transactions under the Huang scheme, followed with mutual authentication to improve trading flexibility. Depending on scheduling strategies, the EV receives the recommendation from the OP, then EV and the selected CP authenticate each other, with mutual authentication performed between EV and CP when the EV arrives at the CP. The detailed authentication steps are as follows.

Figure 4. Authentication phase of Huang et al.’s scheme.

Step 1:

EV sends identity $I{D}_{EV}$ to the CP, and then the CP checks whether it is valid through the blockchain networks. If it is valid, the CP returns charging request to the EV.

Step 2:

After receiving the charging request from the CP, the EV sends $\{Q_{CP},P_{CP},I{D}_{CP},H_{CP},K\}$ to the CP.

Step 3:

CP selects a random number $b\in Z_q^{*}$, current timestamp $T_i$, and calculates $PI{D}_{EV}=RI{D}_{EV}\oplus H_1\left(b{P}_{CP}\right)$, $Q_{EV}=bP\oplus K$, $H_{tEV}=H_2(I{D}_{EV}$, $PI{D}_{EV},Q_{EV},T_{EV})$ and $S{K}_{EV}=b+ϵH_{tEV}$. Then, the CP sends $\{PI{D}_{EV},Q_{EV}$, $T_{EV},S{K}_{EV}\}$ to the EV.

Step 4:

EV selects a random number $c\in Z_q^{*}$, calculates $R_{EV}$=$c_{EV}P$, $H_{EV}$$=H_3(I{D}_{CP}$, $PI{D}_{EV},Q_{EV},R_{EV},T_{EV})$ and ${\xi }_{EV}=S{K}_{EV}+c_{EV}{H}_{EV}$, and sends $\{I{D}_{CP}$, $PI{D}_{EV},Q_{EV},R_{EV},T_{EV},{\xi }_{EV}\}$ to the CP via the secure channel.

Step 5:

After receiving the message from the EV, the CP computes $H_{tEV}$=$H_2$$(I{D}_{EV},PI{D}_{EV},Q_{EV},T_{EV})$ and $H_{EV}=H_3(I{D}_{CP},PI{D}_{EV},Q_{EV},R_{EV},T_{EV})$, and checks the received signature. If it is not valid, the CP aborts the authentication phase. Otherwise, the CP selects a random number $d\in Z_q^{*}$ and computes $R_{CP}=dP$, $SK=H_4(d{R}_{EV},I{D}_{CP},PI{D}_{EV},Q_{EV},T_{EV})$, $H_{CP}=H_5(I{D}_{CP},RI{D}_{CP},Q_{EV},SK,d{R}_{EV})$, and ${\xi }_{CP}={ϵ}_{CP}+d{H}_{CP}$. Finally, the CP sends $\{I{D}_{EV},PI{D}_{EV},R_{CP},{\xi }_{CP}\}$ to the EV.

Step 6:

After receiving the message from the CP, the EV computes $SK=H_4(c{R}_{CP},I{D}_{CP}$, $RI{D}_{EV},Q_{EV},T_{EV})$,$H_{CP}=H_5(RI{D}_{EV}$, and $I{D}_{CP},Q_{EV},SK,d{R}_{CP})$. The CP checks the received signature. If valid, the EV and CP achieve mutual authentication. Otherwise, the EV aborts mutual authentication. After mutual authentication, the session key $SK$ is used to encrypt messages to ensure secure communications.

3.4. Charging Phase

Figure 5 shows the Huang scheme charging phase. After completing authentication, the EV performs charging and updates the transactions. The commitment is recorded in the blockchain. The detailed steps are as follows.

Figure 5. Charging phase of Huang et al.’s scheme.

Step 1:

EV calculates commitment $C=H_5(I{D}_{EV},R_{CP},{\xi }_{CP}P)$ including EV’s identity, random parameter, and signature.

Step 2:

CP verifies whether commitment $C=H_5(I{D}_{EV},R_{CP}{\xi }_{CP}P)$ and current time stamps are valid. If valid, the CP starts charging for EV. Otherwise, this phase is aborted.

4. Problems of Huang et al.’s Scheme

This section discusses problems of Huang et al.’s scheme, such as deposit problem, inefficient transaction generation mechanism, and transaction cost.

4.1. Deposit Problem

In the scheduling phase of Huang et al.’s scheme, the OP recommends an efficient charging station using four strategies. However, the system has a deposit problem where EV needs to establish many payment channels for charging. In lightning networks, a deposit is used to establish a payment channel between two participants. However, an EV is mobile and cannot efficiently choose optimal charging stations because a payment channel must be established with each new charging station. Therefore, an EV unnecessarily spends many deposits, i.e., the mechanism is inefficient.

4.2. Inefficient Mechanism for Generating Transaction

The lightning network records a transaction in the blockchain when opening and closing a payment channel. When charging is completed at a charging station, the commitment transaction is generated and recorded in the blockchain. However, an EV already makes a transaction in the registration phase to allows access to the service, hence, two transactions are generated for one trade, i.e., an inefficient charging mechanism.

4.3. Cost of Transaction Fee

The Huang et al.’s scheme charges a transaction fee when a payment channel is opened or closed. However, after completing charging, an EV needs to re-register with the OP to use the service, hence re-opening the payment channel and incurring a transaction fee. Therefore, the Huang et al.’s scheme results in high transaction fees.

4.4. Security of Key

Huang et al. claimed their scheme provided known key security because the shared secret key K included unique random numbers for each participant. However, an adversary can steal the EV on-board unit (OBU) [31] and extract sensitive data stored in its memory using the power analysis attack [32,33]. Consequently, an adversary can obtain shared secret keys stored in the OBU, avoiding known key security.

5. Proposed Charging System for EV Based on Blockchain

This section proposes a blockchain based EV charging system that addresses the identified problems. Table 1 details the notation used for the proposed phases: initialization, registration, authentication, and charging.

Table 1. Notations.

Notations	Meanings
EV	Electric vehicle
EAG	Energy aggregator
OP	Operator
$E_p$	Elliptic curve over a finite field, where p is a large prime number
G	Base point in $E_p$
$I{D}_i$/$P{W}_i$	Identity/password for entity i
$r_i$	Private key for entity i
$P{K}_i$	Public key for entity i
a, b	Random number
$k_{op}$	Random number from OP
$h(·)$	Hash function
‖	Concatenation operation
⊕	XOR operation
$SK$	Session key

5.1. Initialization Phase

The operator conducts system initialization to set up the networks and EAG is registered in network. The details initialization process is as follows.

Step 1:

OP selects a base point G on the elliptic curve $E_p$ with order n, where n is a large prime number.

Step 2:

EAG generates public key, private key, and random number $b_1$.

Step 3:

OP defines network configuration including channel members and policies, records it in a blockchain, and shares it with system participants.

5.2. Registration Phase

When it wants to access the charging system, EV${}_i$ generates its identity, password, public/private key pair, and then receives a random number from OP. Figure 6 shows the registration phase, with detailed steps as follows.

Figure 6. Registration phase of proposed scheme

Step 1:

EV${}_i$ selects their identity $I{D}_i$, password $P{W}_i$, generates random numbers $a_1$ and $r_{EV}$, calculates a public key $r_{EV}·G$ and $HI{D}_i=h(I{D}_i\left|\right|a_1)$, and then sends $HI{D}_i$ and $a_1$ to OP through a secure channel.

Step 2:

OP chooses a random number $k_{op}$ and calculates public key $P{K}_{op}=r_{op}·G$, $A_i=h(HI{D}_i\left|\right|a_1)$, $B_i=A_i\oplus k_{op}$, and $C_i=h(HI{D}_i\left|\right|a_1\left|\right|k_{op})$. Finally, OP sends $\{B_i$, $C_i\}$ to EV${}_i$, modifies network configurations, and stores details in the blockchain.

Step 3:

EV${}_i$ computes $D_i=h(I{D}_i\left|\right|P{W}_i)\oplus a_i$, $E_i=h(a_1\left|\right|I{D}_i\left|\right|P{W}_i)\oplus r_{EV}$; and stores $\{B_i$, $C_i$, $D_i$, and $E_i\}$ in memory.

5.3. Authentication Phase

When EV${}_i$ wants to use the charging service, EV${}_i$ and EAG must authenticate each other, and then generate a common session key. Figure 7 shows the authentication phase with detailed steps as follows

Figure 7. Authentication phase of proposed scheme.

Step 1:

EV${}_i$ inputs identity $I{D}_i$ and password $P{W}_i$; and calculates $a_1=D_i\oplus h(I{D}_i\left|\right|P{W}_i)$, $r_{EV}=h(a_1\left|\right|I{D}_i\left|\right|P{W}_i)\oplus E_i$, $A_i=h(HI{D}_i\left|\right|a_i)$, $k_{op}=B_i\oplus A_i$, and $C_i^{*}=h(HI{D}_i\left|\right|a_1\left|\right|k_{op})$. Then, EV${}_i$ checks whether $C_i^{*}\stackrel{?}{=}{C}_i$. If valid, EV${}_i$ computes $M_1=\{r_{EV}·G,(a_1\left|\right|HI{D}_i\left|\right|T_i)+r_{EV}·P{K}_{EAG}\}$, and $M_2=h(a_1\left|\right|HI{D}_i\left|\right|T_1)$; and sends $\{M_1$, $M_2$, $T_1\}$ to EAG.

Step 2:

After receiving $\{M_1$, $M_2$, $T_1\}$ from EV${}_i$, EAG calculates $(a_1\left|\right|HI{D}_i\left|\right|T_1)=(a_1\left|\right|HI{D}_i\left|\right|T_1)+r_{EV}·P{K}_{EAG}-r_{EAG}·(r_{EV}·G)$ using the private key $r_{EAG}$. Then EAG computes $M_2^{*}=h(a_1\left|\right|HI{D}_i\left|\right|T_1)$ and verifies $M_2^{*}\stackrel{?}{=}{M}_2$. If valid, EAG authenticates EV${}_i$ and calculates $M_3=b_1\oplus a_1$, $M_4=h(I{D}_{EAG}\left|\right|a_1\left|\right|b_1\left|\right|T_2)$, and session key $SK=h\left(HI{D}_i\right|\left|I{D}_{EAG}\right|\left|a_1\right|\left|b_1\right)$. Finally, EAG sends $\{M_3$, $M_4$, $T_2\}$ to EV${}_i$.

Step 3:

When EV${}_i$ receives $\{M_3$, $M_4$, $T_2\}$ from EAG, it computes $b_1=M_3\oplus a_1$ and $M_4^{*}=h(I{E}_{EAG}\left|\right|a_1\left|\right|b_1\left|\right|T_2)$, and verifies $M_4^{*}\stackrel{?}{=}{M}_4$. If valid, mutual authentication between EV${}_i$ and EAG has been accomplished. EV${}_i$ calculates a shared session key, $SK=h\left(HI{D}_i\right|\left|I{D}_{EAG}\right|\left|a_1\right|\left|b_1\right)$.

5.4. Charging Phase

Charging commences after successfully completing authentication. Figure 8 shows the charging phase with detailed steps as follows.

Figure 8. Charging phase of proposed scheme.

Step 1:

EV${}_i$ generates a transaction $T_x$ including $HI{D}_i$; $I{D}_{EAG}$; charging records, prices, charging time $C{T}_i$, signature of EV${}_i$ and information of payment, and EV${}_i$ computes $D_i=h(HI{D}_i\left|\right|I{D}_{EAG}\left|\right|S{K}_i)$. After that, EV${}_i$ sends $\{T_x,D_i\}$ to the EAG.

Step 2:

After receiving the message from EV${}_i$, EAG checks whether $D_i^{*}\stackrel{?}{=}{D}_i$. If it is correct, EAG checks whether the transaction information $T_x$ is correct. Then, EAG adds the own signature to the transaction. Finally, the charging is started and EAG records the transaction $T_x$ on the blockchain.

6. Security Analysis

This section demonstrates that the proposed system is secure against various attacks using informal analysis and proves the system provides secure mutual authentication using BAN logic [34], a widely accepted formal security analysis. We also show it is secure against replay and man-in-the-middle attacks using automated validation of internet security protocols and applications (AVISPA) [35] which is a formal security verification tool.

6.1. Informal Security Analysis

We perform informal security analysis to evaluate the proposed system security, and show the system can resist impersonation, replay, perfect forward secrecy, and session key disclosure attacks; and also provides secure mutual authentication and anonymity.

6.1.1. Impersonation Attack

If adversary EV${}_A$ attempts to impersonate a legitimate user EV${}_i$, EV${}_A$ must successfully generate a request message $M_2=h(a_1\left|\right|HI{D}_i\left|\right|T_1)$. However, EV${}_A$ cannot calculate the request message because they cannot obtain EV${}_i$’s random number $a_1$, and real identity $I{D}_i$. EV${}_A$ also cannot obtain EV${}_i$’s sensitive information because transmitted message $M_1$ is encrypted by EV${}_i$. Therefore, the proposed protocol prevents impersonation attack.

6.1.2. Session Key Disclosure Attack

In the proposed system, the adversary EV${}_A$ cannot generate a valid session key $h\left(HI{D}_i\right|\left|I{D}_{EAG}\right|\left|a_1\right|\left|b_1\right)$ because EV${}_A$ cannot obtain EV${}_i$’s real identity $I{D}_i$; or random numbers, $a_1$ and $b_1$, generated by EAG. EV${}_A$ also cannot decrypt $M_1$ without EV${}_i$’s private key $r_{EV}$. Therefore, the proposed protocol can resist session key disclosure attack.

6.1.3. Perfect Forward Secrecy

Even if an EV${}_i$ long-term private parameter of EV${}_i$ is compromised, EV${}_A$ does not obtain the previous session key. Suppose the long-term private parameter $a_1$ is leaked. EV${}_A$ cannot obtain $I{D}_i$ because they cannot decrypt $M_1$ without the correct private key. Therefore, the proposed protocol guarantees perfect forward secrecy.

6.1.4. Replay Attack

Suppose EV${}_A$ attempted a replay attack using previous transmitted messages. However, EV${}_A$ cannot reuse previous messages, because all transmitted messages include timestamps, and EV${}_i$ and EAG check all transmitted messages including the timestamps are correct. Therefore, the proposed protocol prevents replay attack.

6.1.5. Mutual Authentication

Section 6.1.1 and Section 6.1.2 demonstrate that EV${}_A$ cannot impersonate EV${}_i$ and obtain the session key. All transmitted parameters are checked by EV${}_i$ and EV${}_A$. When EAG receives the request message $\{M_1,M_2,T_1\}$ from EV${}_i$, EAG decrypts $M_1$ using its own private key, and verifies $M_2$. If valid, EAG authenticates EV${}_i$. When EV${}_i$ receives response $\{M_3,M_4,T_2\}$ from EAG, it computes $b_1=M_3\oplus h(HI{D}_i\left|\right|a_1)$ and $M_4^{*}=h(I{D}_{EAG}\left|\right|a_1\left|\right|b_1\left|\right|T_2)$, and then verifies $M_4^{*}=h(I{D}_{EAG}\left|\right|a_1\left|\right|b_1\left|\right|T_2)$. If valid, EV${}_i$ authenticates EAG. Therefore, the proposed system provides secure mutual authentication because EV${}_i$ and EAG successfully authenticate each other using private keys.

6.1.6. Anonymity

Suppose EV${}_A$ intercepts all previous transmitted messages to attempt to obtain EV${}_i$’s real identity. However, all EV${}_i$ parameters, including $I{D}_i$, are masked by hash or encryption. Therefore, the proposed protocol ensures anonymity.

6.2. Security Analysis Using BAN Logic

We perform a security analysis using BAN logic to demonstrate the proposed system provides secure mutual authentication between EV and EAG. Table 2 introduces BAN logic notations and defines the goals, rules, idealized forms, and assumptions to perform BAN logic analysis.

Table 2. Notations for BAN logic.

Notation	Description
$A|\equiv X$	Abelieves statement X
#X	Statement X is fresh
$A⊲X$	Asees statement X
$A|\sim X$	A once said X
$A\Rightarrow X$	Acontrols statement X
$<X{>}_Y$	Formula X is combined with formula Y
${\left\{X\right\}}_K$	X is encrypted under key K
$A\stackrel{K}{\leftrightarrow }B$	A and B may use shared key K to communicate
$\stackrel{K}{{}_{⟶B}}$	B has K as a public key
$SK$	Session key used in the current session

BAN Logic Rules

The BAN logic rules are as follows.

1. 

Message meaning rule:

$$\frac{A|\equiv A\stackrel{K}{\leftrightarrow }B,A⊲{\left\{X\right\}}_K}{A\left|\equiv B\right|\sim X}$$

2. 

Nonce verification rule:

$$\frac{A\left|\equiv \#\left(X\right),A\right|\equiv B|\sim X}{A\left|\equiv B\right|\equiv X}$$

3. 

Jurisdiction rule:

$$\frac{A\left|\equiv B\right|⟹X,A\left|\equiv B\right|\equiv X}{A|\equiv X}$$

4. 

Freshness rule:

$$\frac{A|\equiv \#(X)}{A|\equiv \#\left(X,Y\right)}$$

5. 

Belief rule:

$$\frac{A|\equiv \left(X,Y\right)}{A|\equiv X.}$$

6.3. Goals

We define the following security goals to prove the proposed system ensures secure mutual authentication.

Goal 1:

$EV\mid \equiv (EV\stackrel{SK}{⟷}EAG)$

Goal 2:

$EV\mid \equiv EAG\mid \equiv (EV\stackrel{SK}{⟷}EAG)$

Goal 3:

$EAG\mid \equiv (EV\stackrel{SK}{⟷}EAG)$

Goal 4:

$EAG\mid \equiv EV\mid \equiv (EV\stackrel{SK}{⟷}EAG)$

6.3.1. Idealized Forms

The idealized forms are given below.

$Ms{g}_1$:

$EV\to EAG$: $(a_1,HI{D}_i,T_1)\stackrel{P{K}_{EAG}}{{}_{⟶EAG}}$

$Ms{g}_2$:

$EAG\to EV$: ${(b_1,I{D}_{EAG},T_2)}_{a_1}$

6.3.2. Assumptions

We define the following initial assumptions for the BAN logic proof.

$A_1$:

$EAG\mid \equiv \#\left(T_1\right)$

$A_2$:

$EV\mid \equiv \#\left(T_2\right)$

$A_3$:

$EV\mid \equiv (EAG\stackrel{a_1}{⟷}EV)$

$A_4$:

$EAG\mid \equiv \#\left(P{K}_{EAG}\right)$

$A_5$:

$EAG\mid \equiv \#\left(a_1\right)$

$A_6$:

$EV\mid \equiv \#\left(b_1\right)$

$A_7$:

$EV\mid \equiv EAG\Rightarrow (EV\stackrel{SK}{⟷}EAG)$

$A_8$:

$EAG\mid \equiv EV\Rightarrow (EV\stackrel{SK}{⟷}EAG)$

6.3.3. Proof using BAN Logic

The detailed steps of the BAN logic proof are as follows.

Step 1:

From $Ms{g}_1$,

$$S_1:EAG⊲(a_1,HI{D}_i,T_1)\stackrel{P{K}_{EAG}}{{}_{⟶EAG}}$$

Step 2:

From the message meaning rule with $S_1$ and $A_4$,

$$S_2:EAG\mid \equiv EV\sim (a_1,HI{D}_i,T_1)$$

Step 3:

Using the freshness rule with $A_1$,

$$S_3:EAG\mid \equiv \#(a_1,HI{D}_i,T_1)$$

Step 4:

From the nonce verification rule with $S_2$ and $S_3$,

$$S_4:EAG\mid \equiv EV\mid \equiv (a_1,HI{D}_i,T_1)$$

Step 5:

Since the session key $SK=h(HI{D}_i|\left|I{D}_{EAG}\right|\left|a_1\right||b_1)$, from $S_4$ and $A_5$,

$$S_5:EAG\mid \equiv EV\mid \equiv (EV\stackrel{SK}{⟷}EAG)\left(\mathbf{Goal}\mathbf{4}\right)$$

Step 6:

From the jurisdiction rule with $S_6$ and $A_8$,

$$S_6:EAG\mid \equiv (EV\stackrel{SK}{⟷}EAG)\left(\mathbf{Goal}\mathbf{3}\right)$$

Step 7:

From the $Ms{g}_2$,

$$S_7:EV⊲{(b_1,I{D}_{EAG},T_2)}_{a_1}$$

Step 8:

Using the message meaning rule with $S_8$ and $A_3$,

$$S_8:EV\mid \equiv EAG\sim {(b_1,I{D}_{EAG},T_2)}_{a_1}$$

Step 9:

From the freshness rule with $A_2$,

$$S_9:EV\mid \equiv \#{(b_1,I{D}_{EAG},T_2)}_{a_1}$$

Step 10:

From the nonce verification rule with $S_9$ and $S_{10}$,

$$S_{10}:EV\mid \equiv EAG\mid \equiv {(b_1,I{D}_{EAG},T_2)}_{a_1}$$

Step 11:

Since the session key $SK=h(HI{D}_i|\left|I{D}_{EAG}\right|\left|a_1\right||b_1)$, from $S_{11}$ and $A_6$,

$$S_{11}:EV\mid \equiv EAG\mid \equiv (EV\stackrel{SK}{⟷}EAG)\left(\mathbf{Goal}\mathbf{2}\right)$$

Step 12:

From the jurisdiction rule with $S_{13}$ and $A_7$,

$$S_{12}:EV\mid \equiv (EV\stackrel{SK}{⟷}EAG)\left(\mathbf{Goal}\mathbf{1}\right)$$

Therefore, the proposed protocol achieves secure mutual authentication between EV and EAG.

6.4. Formal Security AVISPA Tool for Formal Security Verification

To prove the proposed system is secure against replay and man-in-the-middle attacks, we performed formal security analysis using AVISPA [35], a widely accepted formal security verification tool to check systems or protocols can resist replay and man-in-the-middle attacks [36,37,38,39].

The AVISPA module was written in a high level protocol specification language (HLPSL) [40] and consists of four backends: Tree Automate-based Protocol Analyser (TA4SP), SAT-based Model-Checker (SATMC), CL-based Attack Searcher(CL-AtSe) [41] and On-the-Fly Model-Checker(OFMC) [42]. Detailed AVISPA and HLPSL are presented in [35,40].

6.4.1. HLPSL Specification of AVISPA Simulation

The HLPSL consists of three components: role, session, and environment, where role denotes entity, session includes system parameters, and environment includes intruder knowledge, security goal and authentication goal. Figure 9, Figure 10 and Figure 11 show HLPSL specifications for EV, EAG, and OP, respectively. Figure 12 shows session and environment roles.

Figure 9. Specification of the electronic vehicle.

Figure 10. Specification of the energy aggregator.

Figure 11. Specification of the operator.

Figure 12. Specification of the session.

Figure 9 shows the role for EV. In state 0, EV receives the start request and performs registration. EV sends the registration request $\{HI{D}_i,a_1\}$ to OP via a secure channel, updates the state value to 2, and then checks whether the entity is a legitimate user using the secret function.

In state 4, EV receives response $\{B_i,C_i\}$ from OP through a secure channel and sends the login request $\{M_1,M_2,T_1\}$ to EAG via an open channel. EV also declares witness$(\mathrm{EV},\mathrm{EAG},ev\_eag\_m2,A{1}^{\prime })$ to prove that $a_1$ is a weakness authentication factor. EV receives the response $\{M_3,M_4,T_2\}$ from OP, and then calculates the session key and updates the state value to 6.

In state 6, EV declares request$(\mathrm{EAG},\mathrm{EV},eg{g}_e{v}_{m}4,B{1}^{\prime })$ to authenticate each other. The HLPSL specifications for EAG and OP roles are described similarly (see Figure 10 and Figure 11).

6.4.2. AVISPA Verification Results

We used AVISPA with security protocol animator (SAPN) [43] to evaluate whether the proposed system was secure against replay and man-in-the-middle attacks. HLPSL is translated to intermediate format (IF) and the simulation results are presented in output format (OF). OFMC and CL-AtSe check whether our proposed system prevent replay and man-in-the-middle attacks. Figure 13 shows that OFMC backend visited 114 nodes with 0.72 s search time, and CL-AtSe backend analyzed the 2 states with 0.05 s translation time.

Figure 13. AVISPA simulation results.

7. Performance Analysis

This section compares the proposed system computation and communication costs with related schemes [20,44,45]. Figure 14, Figure 15 and Figure 16 present the actual data workflow transmitted on our system to help understand the results of performance analysis. In Figure 14, operator provides the data for scheduling to EV and consensus nodes on blockchain verifty the validity of transactions.

Figure 14. Actual data workflow of network.

Figure 15. Actual data workflow of EV.

Figure 16. Actual data workflow of EAG.

7.1. Computation Cost

We compare computation overheads for the proposed system with related schemes [20,44,45], using the parameters from [46,47].

• Bilinear pairing, $T_{bp}=4.211$ ms.
• Scalar multiplication with bilinear pairing,$T_{sm-bp}=1.709$ ms.
• Point addition with bilinear pairing, $T_{pa-bp}=0.007$ ms.
• Scalar multiplication with elliptic curve cryptography, $T_{sm-ecc}=0.442$ ms.
• Point addition with elliptic curve cryptography, $T_{pa-ecc}=0.0018$ ms.
• Encryption with elliptic curve cryptography, $T_{enc-ecc}=1.17$ ms.
• Decryption with elliptic curve cryptography, $T_{dec-ecc}=0.61$ ms.
• Hash, $T_h=0.0001$ ms.
• Map-to-point,$T_{mtp}=4.302$ ms.

Table 3 compares computation costs for the considered schemes. In Figure 15, the EV’s computation costs of our system are (1.1707 + 0.0002 = 1.1709 ms), including $T_{enc-ecc}$ and $9T_h$. In Figure 16, the EAG’s computation costs of our system are (0.6103 + 0.0001 = 0.6104 ms), including $T_{dec-ecc}$ and $4T_h$.

Table 3. Computation costs for related schemes.

	Lai et al. [44]	Qiu et al. [45]	Huang et al. [20]	Proposed
EV	$7T_{sm-bp}+T_{pa-bp}+T_{mtp}$	$2T_{sm-ecc}+3T_{pa-ecc}+8T_h$	$T_{sm-ecc}+2T_{pa-ecc}+4T_h$	$T_{enc-ecc}+9T_h$
	$\approx 16.272$ ms	$\approx 0.8902$ ms	$\approx 0.4460$ ms	$\approx 1.1709$ ms
EAG	$2T_{bp}+5T_{sm-bp}+T_{pa-bp}+T_{mtp}$	$2T_{sm-ecc}+4T_{pa-ecc}+5T_h$	$2T_{sm-ecc}+2T_{pa-ecc}+7T_h$	$T_{dec-ecc}+4T_h$
	$\approx 21.276$ ms	$\approx 0.8917$ ms	$\approx 0.8883$ ms	$\approx 0.6104$ ms

In Huang et al.’s system [20], EV’s total computation costs are (0.4459 + 0.0001 = 0.4460 ms), including $T_{sm-ecc}$, $2T_{pa-ecc}$ and $4T_h$. EAG’s total computation cost is 0.8882 ms, including $2T_{sm-ecc}$, $2T_{pa-ecc}$ and $7T_h$.

The total cost for the proposed and Huang et al.’s scheme = 1.7811 and 1.3343 ms, respectively. Although the proposed protocol computation cost of somewhat higher than the Huang et al.’s scheme, it provides better efficiency and security than other related schemes.

7.2. Communication Cost

We compare communication overheads for the proposed system with related schemes [20,44,45]. We assume timestamp, random number and identity are 32, 64, and 128 bits, respectively [48,49,50]; and elliptic curve cryptography encryption and hash function are 320 and 160 bits, respectively. For the proposed system, we assume group G is generated by P with order q on elliptic curve cryptography $y^2=x^3+ax+b$ mod p, where p and q are 160 bits prime numbers. Similarly, $G_1$, $G_2$, and G are 1024, 160, and 320 bits, respectively. In Figure 15, the EV’s communication costs of our system are (512 + 736 = 1248 bits), including charging request messages $\{M_1,M_2,T_1\}$ and transaction $T_x$. In Figure 16, the EAG’s communication costs of our system are (256 + 320 = 576 bits), including response messages $\{M_3,M_4,T_2\}$ and transaction $T_x^{*}$.

In Huang et al.’s system [20], EV’s total communication costs are (2368 + 160 = 2528 bits), including charging requset messages $\{I{D}_{CP},Q_{CP},P_{CP},K\}$, response messages $\{I{D}_{CP},PI{D}_{EV},Q_{EV},R_{EV},T_{EV},{\zeta }_{EV}\}$ and charging request messages $H_5(I{D}_{EV},R_{CP},{\zeta }_{CP},P)$. EAG’s total communication costs are 1760 bits, including response messages $\{PI{D}_{EV},Q_{EV},T_{EV},S{K}_{EV}\}$ and $\{I{D}_{EV},PI{D}_{EV},R_{CP},{\zeta }_{CP}\}$.

Table 4 shows communication cost results for all considered schemes. More particularly, the communication cost is efficient compared with other schemes in view of EVs. It is a very important advantage because EV is equipped with resourse-constrained devices as sensors. Thus, the proposed system provides more efficient communication than all other considered schemes.

Table 4. Communication costs.

Scheme	Total Messages	Communication Cost
Lai et al. [44]	2	2560 bits
Qiu et al. [45]	3	2656 bits
Huang et al. [20]	5	4288 bits
Proposed	4	1824 bits

8. Conclusions

With the rapid development of the IoT and embedded technologies, drivers can access various services. However, these services are vulnerable to potential attacks such as replay, impersonation and session key disclosure attacks because they are provided through public channels. Many traditional cryptographic algorithms such as RSA also are suitable to vehicular networks because a vehicle is equipped with resource-constrained sensors. Therefore, secure mutual authentication and key agreement are very important security requirements to guarantee privacy of users, considering the resource-constrained sensors.

This paper demonstrated that Huang et al.’s scheme does not provide high efficiency and security of keys, and has various authentication flaws, including excess deposits, inefficient transaction generation, and excess transaction fees. We proposed a secure charging system for electric vehicles based on blockchain to address these weaknesses, providing high efficiency, anonymity, perfect forward secrecy, and secure mutual authentication. We demonstrated that the proposed system prevents impersonation, session key disclosure, and replay attacks, proved secure mutual authentication between EV and EAG using BAN logic, and confirmed resistance to replay and man-in-the-middle attacks using AVISPA. We compared computation and communication costs with related schemes, and showed that the proposed scheme was superior to all considered schemes. Thus, the proposed system could be applied to IoT-based practical EV charging systems for resource-constrained devices.