A Secure Charging System for Electric Vehicles Based on Blockchain

Smart grids incorporating internet-of-things are emerging solutions to provide a reliable, sustainable and efficient electricity supply, and electric vehicle drivers can access efficient charging services in the smart grid. However, traditional electric vehicle charging systems are vulnerable to distributed denial of service and privileged insider attacks when the central charging server is attacked. The blockchain-based charging systems have been proposed to resolve these problems. In 2018, Huang et al. proposed the electric vehicle charging system using lightning network and smart contract. However, their system has an inefficient charging mechanism and does not guarantee security of key. We propose a secure charging system for electric vehicles based on blockchain to resolve these security flaws. Our charging system ensures the security of key, secure mutual authentication, anonymity, and perfect forward secrecy, and also provides efficient charging. We demonstrate that our proposed system provides secure mutual authentication using Burrows–Abadi–Needham logic and prevents replay and man-in-the-middle attacks using automated validation of internet security protocols and applications simulation tool. Furthermore, we compare computation and communication costs with previous schemes. Therefore, the proposed charging system efficiently applies to practical charging systems for electric vehicles.


Introduction
With widespread adoption of electric vehicles (EVs) and internet-of-things (IoT), smart grids with IoT have become promising solutions to control distributed energy and electricity generation [1]. Internet-of-things is applicable to various forms for vehicular systems, such as vehicular ad hoc networks, vehicle to grid (V2G), vehicle to vehicle (V2V), and internet of vehicle (IoV). Vehicles generally have various communication and measuring sensors, including speed, position, Bluetooth, Wi-Fi and On-board units (OBU). The sensors in vehicle collect and share data such as speed, location, identity and movements. However, an adversary can intercept, modify and reuse the sensitive data of user, and then try to obatin user's sensitive data because it is transmitted via public network. Therefore, secure mutual authentication and key agreement must be guaranteed to provide secure communication and protect user's privacy.
In the past decades, the numerous authentication and key agreement schemes for vehicular systems in IoT have been studied to achieve essential security requirements [2][3][4][5][6][7][8][9][10]. Although these schemes try to ensure privacy and enhance efficiency, their scheme is vulnerable to various potential attacks such as distributed denial of service and privileged insider attacks because it is based on trusted third party to provide high security level. If the trusted third party is compromised, their schemes cannot provide services. For these reasons, authenticaion and key agreement schemes without (1) We demonstrate security weaknesses of Huang et al.'s model, and highlight its inefficiencies.
(2) We propose a secure charging system for EV based on blockchain to solve these security weaknesses and improve efficiency. (3) We perform informal analysis to demonstrate the proposed system is secure against various attacks, and prove that it provides secure mutual authentication using Burrows-Abadi-Needham (BAN) logic. We also perform formal security verification using the AVISPA tool and compare performances with previous schemes. (4) We analyze the computational and communication costs compared with other related existing schemes.

Organization
The remainder of this paper is organized as follows. Section 2 introduces the proposed blockchain-based EV charging model. Sections 3 and 4 review Huang et al.'s scheme and analyze its security flaws. Section 5 proposes a secure charging system for EV based on blockchain. Section 6 provides informal analysis to verify the proposed system's security and proves that the system mutual authentication using BAN logic. We also demonstrate that the proposed system is secure against replay and man-in-the-middle attacks using the AVISPA simulation tool. Section 7 compares the proposed system's performance with related previous schemes. Finally, Section 8 summarizes and concludes the paper.

Related Works
There are several authentication and key agreement schemes for wireless sensor networks to resolve privacy and security issues [23][24][25][26]. In 2011, Roman et al. [23] analyzed existing authentication and key management schemes for WSN in IoT to enhance security and performance. In 2014, Turkanovic et al. [24] first proposed an authentication and key agreement scheme based on IoT considering resource-constrained devices. However, in 2016, Amin et al. [25] showed that Turkanovic et al.'s scheme was vulnerable to smart card theft, offline identity-password guessing and user impersonation attacks, and proposed an enhanced authentication scheme to overcome these security problems. However, Lu [26] et al. pointed out that Amin et al.'s scheme did not prevent known session-specific temporary information attack and proposed improved authentication and key agreement scheme using symmetric key.
Numerous privacy protection schemes for a vehicular system in IoT ensure security and improve efficiency [2][3][4][5][6][7][8][9][10]. In 2016, Lo and Tasi [2] proposed an efficient authentication scheme for vehicular sensor networks to improve performance. Kumari et al. [3] also proposed a secure trust-extended authentication scheme for vehicular ad-hoc networks to ensure authenticity of messages. In 2017, Chin et al. [4] discussed the security vulnerabilities in the internet-of-things-based smart grid and Liu et al. [5] proposed efficient dual authentication and key agreement scheme in IoV. Mohit et al. [6] also proposed authentication protocol for smart vehicular system in IoT considering energy efficiency of sensor and Guo et al. [7] proposed secure information collection scheme for big data in large scale IoV. Zhou et al. [8] proposed an enhanced privacy-preserving authentication scheme for vehicle sensor network to overcome security weaknesses of the Kumari et al.'s scheme [3]. In 2018, Shen et al. [9] proposed privacy-preserving and lightweight key agreement scheme for V2G in social IoT to guarantee security of smart grid. In 2019, Wu et al. [10] proposed mutual authentication scheme for V2V in vehicular ad hoc network to achieve better performance and security.
Several previous studies have considered EV charging systems [11][12][13][14][15][16]. In 2013, Gan et al. [11] proposed a decentralized protocol for EV charging to improve charging efficiency. In 2016, Xu et al. [12] proposed dynamic EV scheduling using less laxity and longer remaining processing time principle. In 2010 and 2012, Lu et al. [13] and Kim et al. [14] proposed scheduling mechanisms to reduce waiting times at charging stations. In 2016, Tian et al. [15] proposed recommendation system in real-time to provide charging station information. Tang and Zhang [16] proposed a low complexity EV charging scheduling algorithm using near optimal solutions.
Many studies have guaranteed decentralization, verification, and integrity [17,19,21,22,27]. However, initial blockchain models have scalability problems. Lightning network [21] and hyperledger [19] networks have been proposed to overcome this problem and improve efficiency. Lightning networks establish trading channels outside the main blockchain to enhance network performance. Hyperledger solves scalability problem and removes the requirement for cryptocurrency transactions to enhance the performances. These systems incorporate smart contracts, a set of commitments, that improve performance and privacy without requiring a trusted third party [22,27].
Several blockchain-based EV charging management systems have been proposed to improve performance [20,[28][29][30]. In 2017, Dubois et al. [28] proposed an app-based blockchain system using smart contracts to provide a charging service between EVs and charging stations without requiring a trusted third party. Knirsch et al. [29] proposed an EV charging system where the EV finds the best charging station by bidding on the blockchain. Li et al. [30] proposed a consortium blockchain for energy trading in the industrial IoT to guarantee fast and reliable energy trading using the Stackelberg game. In 2018, Huang et al. [20] proposed a blockchain-based EV charging management security model, incorporating authentication mechanisms using smart contracts and the lightning network. However, the lightning network has an inefficient charging mechanism and Huang et al.'s system does not guarantee security of keys.

System Model
This section presents a secure charging system model for EV based on blockchain and basic concept of hyperledger.

Hyperledger
Hyperledger [19] is an open source project proposed by the Linux Foundation in 2015. The purpose is to promote cross-industry cooperation with blockchain technology. Hyperledger focuses on enhancing blockchain performance and reliability without requiring cryptocurrency.
1. Consensus layer: ensures agreement between transaction order and checks their validation. 2. Smart contract layer: processes transaction requests and verifies smart contracts are valid. 3. Communication layer: guarantees security for messages transmitted between nodes. 4. Data store abstraction: manages data. 5. Crypto abstraction: includes cryptographic algorithms or modules. 6. Identity service: sets up the blockchain network, manages user and system node registration, and provides authentication and authorization. 7. Policy services: provide various policies for blockchain systems. 8. APIs: provide various blockchain interfaces. 9. Interoperation: allows interoperation among blockchain instances.
Hyperledger provides scalability, confidentiality, complexity, essential security requirements, and compliance; and can also provide distributed ledgers, smart contracts, and friendly interfaces. Therefore, hyperledgers can be applied to various fields and disseminate blockchain technologies for cross-industry applications. Figure 1 presents the proposed charging system for EV based on blockchain and our charging system comprises three entities: operator, energy aggregator (EAG), and user/EV; and incorporates four phases: initialization, registration, authentication, and charging, as follows.

System Model
1. EV registers their identity with the operator to access charging services.

Review of Huang et al.'s Scheme
This section reviews Huang et al.'s blockchain based EV charging system [20], comprising four phases: registration, scheduling, authentication, and charging.  Step 1: EVs {V 1 , V 2 , · · · , V n } choose a random number x ∈ Z * n and calculate Q i = x i P. The EVs request a registration in a blockchain and broadcast

Registration Phase
Step 2: CPs check whether the received signature is valid, and then compute signature to the OP in the blockchain.

Step 3: OP verifies the received the signature is valid and reuses
broadcasts it in the blockchain.
Step 4: After receiving key K i from the OP, each participant decrypts K i and computes session key When a request is recorded in the blockchain, it is checked by all CPs. Figure 3 shows the Huang scheme includes four scheduling strategies to provide charging services and improve charging efficiency: minimum time, minimum waiting time, minimum total cost, and shortest path.  Figure 4 shows that EV and CP perform point-to-point (P2P) transactions under the Huang scheme, followed with mutual authentication to improve trading flexibility. Depending on scheduling strategies, the EV receives the recommendation from the OP, then EV and the selected CP authenticate each other, with mutual authentication performed between EV and CP when the EV arrives at the CP. The detailed authentication steps are as follows. Step 1: EV sends identity ID EV to the CP, and then the CP checks whether it is valid through the blockchain networks. If it is valid, the CP returns charging request to the EV.

Authentication Phase
Step 2: After receiving the charging request from the CP, the EV sends {Q CP , P CP , ID CP , H CP , K} to the CP.
Step 4: EV selects a random number c ∈ Z * q , calculates R EV =c EV P, H EV = H 3 (ID CP , PID EV , Q EV , R EV , T EV ) and ξ EV = SK EV + c EV H EV , and sends {ID CP , PID EV , Q EV , R EV , T EV , ξ EV } to the CP via the secure channel.
Step 5: After receiving the message from the EV, the CP computes H tEV =H 2 (ID EV , PID EV , Q EV , T EV ) and H EV = H 3 (ID CP , PID EV , Q EV , R EV , T EV ), and checks the received signature.
If it is not valid, the CP aborts the authentication phase. Otherwise, the CP selects a random number d ∈ Z * q and computes R CP = dP, SK = H 4 (dR EV , ID CP , PID EV , Q EV , T EV ), H CP = H 5 (ID CP , RID CP , Q EV , SK, dR EV ), and ξ CP = CP + dH CP . Finally, the CP sends {ID EV , PID EV , R CP , ξ CP } to the EV.
Step 6: After receiving the message from the CP, the EV computes SK = H 4 (cR CP , ID CP , RID EV , Q EV , T EV ),H CP = H 5 (RID EV , and ID CP , Q EV , SK, dR CP ). The CP checks the received signature. If valid, the EV and CP achieve mutual authentication. Otherwise, the EV aborts mutual authentication. After mutual authentication, the session key SK is used to encrypt messages to ensure secure communications. Figure 5 shows the Huang scheme charging phase. After completing authentication, the EV performs charging and updates the transactions. The commitment is recorded in the blockchain. The detailed steps are as follows.

Charging Phase
Step 1: EV calculates commitment C = H 5 (ID EV , R CP , ξ CP P) including EV's identity, random parameter, and signature.
Step 2: CP verifies whether commitment C = H 5 (ID EV , R CP ξ CP P) and current time stamps are valid.
If valid, the CP starts charging for EV. Otherwise, this phase is aborted.

Problems of Huang et al.'s Scheme
This section discusses problems of Huang et al.'s scheme, such as deposit problem, inefficient transaction generation mechanism, and transaction cost.

Deposit Problem
In the scheduling phase of Huang et al.'s scheme, the OP recommends an efficient charging station using four strategies. However, the system has a deposit problem where EV needs to establish many payment channels for charging. In lightning networks, a deposit is used to establish a payment channel between two participants. However, an EV is mobile and cannot efficiently choose optimal charging stations because a payment channel must be established with each new charging station. Therefore, an EV unnecessarily spends many deposits, i.e., the mechanism is inefficient.

Inefficient Mechanism for Generating Transaction
The lightning network records a transaction in the blockchain when opening and closing a payment channel. When charging is completed at a charging station, the commitment transaction is generated and recorded in the blockchain. However, an EV already makes a transaction in the registration phase to allows access to the service, hence, two transactions are generated for one trade, i.e., an inefficient charging mechanism.

Cost of Transaction Fee
The Huang et al.'s scheme charges a transaction fee when a payment channel is opened or closed. However, after completing charging, an EV needs to re-register with the OP to use the service, hence re-opening the payment channel and incurring a transaction fee. Therefore, the Huang et al.'s scheme results in high transaction fees.

Security of Key
Huang et al. claimed their scheme provided known key security because the shared secret key K included unique random numbers for each participant. However, an adversary can steal the EV on-board unit (OBU) [31] and extract sensitive data stored in its memory using the power analysis attack [32,33]. Consequently, an adversary can obtain shared secret keys stored in the OBU, avoiding known key security.

Proposed Charging System for EV Based on Blockchain
This section proposes a blockchain based EV charging system that addresses the identified problems. Table 1 details the notation used for the proposed phases: initialization, registration, authentication, and charging.

Initialization Phase
The operator conducts system initialization to set up the networks and EAG is registered in network. The details initialization process is as follows.
Step 1: OP selects a base point G on the elliptic curve E p with order n, where n is a large prime number.
Step 2: EAG generates public key, private key, and random number b 1 .
Step 3: OP defines network configuration including channel members and policies, records it in a blockchain, and shares it with system participants.

Registration Phase
When it wants to access the charging system, EV i generates its identity, password, public/private key pair, and then receives a random number from OP. Figure 6 shows the registration phase, with detailed steps as follows.
Step 1: EV i selects their identity ID i , password PW i , generates random numbers a 1 and r EV , calculates a public key r EV · G and H ID i = h(ID i ||a 1 ), and then sends H ID i and a 1 to OP through a secure channel.
Step 2: OP chooses a random number k op and calculates public key configurations, and stores details in the blockchain.

Authentication Phase
When EV i wants to use the charging service, EV i and EAG must authenticate each other, and then generate a common session key. Figure 7 shows the authentication phase with detailed steps as follows Step 1: EV i inputs identity ID i and password PW i ; and calculates Step 2: After receiving {M 1 , M 2 , T 1 } from EV i , EAG calculates (a 1 ||HID i ||T 1 ) = (a 1 ||HID i ||T 1 ) + r EV · PK EAG − r EAG · (r EV · G) using the private key r EAG . Then EAG computes M * 2 = h(a 1 ||HID i ||T 1 ) and verifies M * = M 4 . If valid, mutual authentication between EV i and EAG has been accomplished. EV i calculates a shared session key, SK = h(H ID i ||ID EAG ||a 1 ||b 1 ).

Charging Phase
Charging commences after successfully completing authentication. Figure 8 shows the charging phase with detailed steps as follows. Step 1: EV i generates a transaction T x including H ID i ; ID EAG ; charging records, prices, charging time CT i , signature of EV i and information of payment, and EV i computes Step 2: After receiving the message from EV i , EAG checks whether D * i ? = D i . If it is correct, EAG checks whether the transaction information T x is correct. Then, EAG adds the own signature to the transaction. Finally, the charging is started and EAG records the transaction T x on the blockchain.

Security Analysis
This section demonstrates that the proposed system is secure against various attacks using informal analysis and proves the system provides secure mutual authentication using BAN logic [34], a widely accepted formal security analysis. We also show it is secure against replay and man-in-the-middle attacks using automated validation of internet security protocols and applications (AVISPA) [35] which is a formal security verification tool.

Informal Security Analysis
We perform informal security analysis to evaluate the proposed system security, and show the system can resist impersonation, replay, perfect forward secrecy, and session key disclosure attacks; and also provides secure mutual authentication and anonymity.

Impersonation Attack
If adversary EV A attempts to impersonate a legitimate user EV i , EV A must successfully generate a request message M 2 = h(a 1 ||HID i ||T 1 ). However, EV A cannot calculate the request message because they cannot obtain EV i 's random number a 1 , and real identity ID i . EV A also cannot obtain EV i 's sensitive information because transmitted message M 1 is encrypted by EV i . Therefore, the proposed protocol prevents impersonation attack.

Session Key Disclosure Attack
In the proposed system, the adversary EV A cannot generate a valid session key h(H ID i ||ID EAG ||a 1 ||b 1 ) because EV A cannot obtain EV i 's real identity ID i ; or random numbers, a 1 and b 1 , generated by EAG. EV A also cannot decrypt M 1 without EV i 's private key r EV . Therefore, the proposed protocol can resist session key disclosure attack.

Perfect Forward Secrecy
Even if an EV i long-term private parameter of EV i is compromised, EV A does not obtain the previous session key. Suppose the long-term private parameter a 1 is leaked. EV A cannot obtain ID i because they cannot decrypt M 1 without the correct private key. Therefore, the proposed protocol guarantees perfect forward secrecy.

Replay Attack
Suppose EV A attempted a replay attack using previous transmitted messages. However, EV A cannot reuse previous messages, because all transmitted messages include timestamps, and EV i and EAG check all transmitted messages including the timestamps are correct. Therefore, the proposed protocol prevents replay attack.
, and then verifies M * 4 = h(ID EAG ||a 1 ||b 1 ||T 2 ). If valid, EV i authenticates EAG. Therefore, the proposed system provides secure mutual authentication because EV i and EAG successfully authenticate each other using private keys.

Anonymity
Suppose EV A intercepts all previous transmitted messages to attempt to obtain EV i 's real identity. However, all EV i parameters, including ID i , are masked by hash or encryption. Therefore, the proposed protocol ensures anonymity.

Security Analysis Using BAN Logic
We perform a security analysis using BAN logic to demonstrate the proposed system provides secure mutual authentication between EV and EAG. Table 2 introduces BAN logic notations and defines the goals, rules, idealized forms, and assumptions to perform BAN logic analysis.

Notation Description
A and B may use shared key K to communicate K −→B B has K as a public key SK Session key used in the current session BAN Logic Rules The BAN logic rules are as follows.

Belief rule :
A ≡ X.

Goals
We define the following security goals to prove the proposed system ensures secure mutual authentication. The idealized forms are given below.

Assumptions
We define the following initial assumptions for the BAN logic proof.

Proof using BAN Logic
The detailed steps of the BAN logic proof are as follows.
Step 1: From Msg 1 , Step 2: From the message meaning rule with S 1 and A 4 , Step 3: Using the freshness rule with A 1 , Step 4: From the nonce verification rule with S 2 and S 3 , Step 5: Since the session key SK = h(H ID i ||ID EAG ||a 1 ||b 1 ), from S 4 and A 5 , Step 6: From the jurisdiction rule with S 6 and A 8 , Step 7: From the Msg 2 , Step 8: Using the message meaning rule with S 8 and A 3 , Step 9: From the freshness rule with A 2 , Step 10: From the nonce verification rule with S 9 and S 10 , Step 11: Since the session key SK = h(H ID i ||ID EAG ||a 1 ||b 1 ), from S 11 and A 6 , Step 12: From the jurisdiction rule with S 13 and A 7 , Therefore, the proposed protocol achieves secure mutual authentication between EV and EAG.

Formal Security AVISPA Tool for Formal Security Verification
To prove the proposed system is secure against replay and man-in-the-middle attacks, we performed formal security analysis using AVISPA [35], a widely accepted formal security verification tool to check systems or protocols can resist replay and man-in-the-middle attacks [36][37][38][39].

HLPSL Specification of AVISPA Simulation
The HLPSL consists of three components: role, session, and environment, where role denotes entity, session includes system parameters, and environment includes intruder knowledge, security goal and authentication goal. Figures 9-11 show HLPSL specifications for EV, EAG, and OP, respectively. Figure 12 shows session and environment roles. Figure 9 shows the role for EV. In state 0, EV receives the start request and performs registration. EV sends the registration request {HID i , a 1 } to OP via a secure channel, updates the state value to 2, and then checks whether the entity is a legitimate user using the secret function.  In state 4, EV receives response {B i , C i } from OP through a secure channel and sends the login request {M 1 , M 2 , T 1 } to EAG via an open channel. EV also declares witness(EV, EAG, ev_eag_m2, A1 ) to prove that a 1 is a weakness authentication factor. EV receives the response {M 3 , M 4 , T 2 } from OP, and then calculates the session key and updates the state value to 6. In state 6, EV declares request(EAG, EV, egg e v m 4, B1 ) to authenticate each other. The HLPSL specifications for EAG and OP roles are described similarly (see Figures 10 and 11).

AVISPA Verification Results
We used AVISPA with security protocol animator (SAPN) [43] to evaluate whether the proposed system was secure against replay and man-in-the-middle attacks. HLPSL is translated to intermediate format (IF) and the simulation results are presented in output format (OF). OFMC and CL-AtSe check whether our proposed system prevent replay and man-in-the-middle attacks. Figure 13 shows that OFMC backend visited 114 nodes with 0.72 s search time, and CL-AtSe backend analyzed the 2 states with 0.05 s translation time.

Performance Analysis
This section compares the proposed system computation and communication costs with related schemes [20,44,45]. Figures 14-16 present the actual data workflow transmitted on our system to help understand the results of performance analysis. In Figure 14, operator provides the data for scheduling to EV and consensus nodes on blockchain verifty the validity of transactions.

Computation Cost
We compare computation overheads for the proposed system with related schemes [20,44,45], using the parameters from [46,47] Table 3 compares computation costs for the considered schemes. In Figure 15, the EV's computation costs of our system are (1.1707 + 0.0002 = 1.1709 ms), including T enc−ecc and 9T h . In Figure 16, the EAG's computation costs of our system are (0.6103 + 0.0001 = 0.6104 ms), including T dec−ecc and 4T h .

Communication Cost
We compare communication overheads for the proposed system with related schemes [20,44,45]. We assume timestamp, random number and identity are 32, 64, and 128 bits, respectively [48][49][50]; and elliptic curve cryptography encryption and hash function are 320 and 160 bits, respectively. For the proposed system, we assume group G is generated by P with order q on elliptic curve cryptography y 2 = x 3 + ax + b mod p, where p and q are 160 bits prime numbers. Similarly, G 1 , G 2 , and G are 1024, 160, and 320 bits, respectively. In Figure 15, the EV's communication costs of our system are (512 + 736 = 1248 bits), including charging request messages {M 1 , M 2 , T 1 } and transaction T x . In Figure 16, the EAG's communication costs of our system are (256 + 320 = 576 bits), including response messages {M 3 , M 4 , T 2 } and transaction T * x . In Huang et al.'s system [20], EV's total communication costs are (2368 + 160 = 2528 bits), including charging requset messages {ID CP , Q CP , P CP , K}, response messages {ID CP , PID EV , Q EV , R EV , T EV , ζ EV } and charging request messages H 5 (ID EV , R CP , ζ CP , P). EAG's total communication costs are 1760 bits, including response messages {PID EV , Q EV , T EV , SK EV } and {ID EV , PID EV , R CP , ζ CP }. Table 4 shows communication cost results for all considered schemes. More particularly, the communication cost is efficient compared with other schemes in view of EVs. It is a very important advantage because EV is equipped with resourse-constrained devices as sensors. Thus, the proposed system provides more efficient communication than all other considered schemes.

Conclusions
With the rapid development of the IoT and embedded technologies, drivers can access various services. However, these services are vulnerable to potential attacks such as replay, impersonation and session key disclosure attacks because they are provided through public channels. Many traditional cryptographic algorithms such as RSA also are suitable to vehicular networks because a vehicle is equipped with resource-constrained sensors. Therefore, secure mutual authentication and key agreement are very important security requirements to guarantee privacy of users, considering the resource-constrained sensors. This paper demonstrated that Huang et al.'s scheme does not provide high efficiency and security of keys, and has various authentication flaws, including excess deposits, inefficient transaction generation, and excess transaction fees. We proposed a secure charging system for electric vehicles based on blockchain to address these weaknesses, providing high efficiency, anonymity, perfect forward secrecy, and secure mutual authentication. We demonstrated that the proposed system prevents impersonation, session key disclosure, and replay attacks, proved secure mutual authentication between EV and EAG using BAN logic, and confirmed resistance to replay and man-in-the-middle attacks using AVISPA. We compared computation and communication costs with related schemes, and showed that the proposed scheme was superior to all considered schemes. Thus, the proposed system could be applied to IoT-based practical EV charging systems for resource-constrained devices.

Conflicts of Interest:
The authors declare no conflict of interest.