A Communication Scheme with Privacy Protection in V2V Power Transaction Based on Linkable Ring Signature

Abstract

The vehicle-to-vehicle (V2V) charging mode of charging stations solves the problem of users being unable to charge immediately due to the absence of charging piles during peak charging times. However, in blockchain-based V2V power transactions, attackers collect private information such as the payment address and transaction amount of electric vehicle owners through ledger information. This makes the relationship between electric vehicle owners and the charging behavior the object of inference attacks, resulting in user privacy disclosure and unfair trading. To solve these problems, we propose a communication scheme with privacy protection in V2V power transactions based on a linkable ring signature. We use a linkable ring signature algorithm to sign EV account addresses and payment information, ensuring the non-traceability of V2V transactions. In addition, we design a stealth address algorithm to avoid inferential attacks in V2V power transactions due to the exposure of the actual account address. The theoretical analysis proves the scheme’s security, and the experiment shows that the scheme has lower computing costs, so it is more suitable for V2V scenarios with limited computing resources.

1. Introduction

In order to alleviate the energy crisis and reduce environmental pollution and carbon emissions, electric vehicles (EVs) are considered an effective alternative to traditional vehicles [1]. By the end of 2023, the number of all kinds of electric vehicles in China will reach 20.41 million, accounting for 6.07% of the total number of vehicles, and maintain a rapid growth trend [2]. At the same time, in 2025, one out of every four cars sold in the United States will be electrified [3]. By 2030, the number of various types of electric vehicles worldwide will be estimated to exceed 250 million [4]. With the rapid growth of EVs, the existing public charging resources will make it challenging to meet owners’ charging needs, especially during the peak charging period of holidays [5]. Currently, the construction of charging stations still faces many difficulties, such as high cost and difficulty determining the best location. If the charging station location is not reasonably planned, it may waste power resources and affect the stability and efficiency of the power grid. Therefore, the construction speed of charging stations is slow, which leads to a mismatch with the EV growth rate and aggravates EV users’ range anxiety [6]. However, with the development of battery technology, V2V charging has been proposed as a new charging mode. This mode transfers power between EVs through DC-DC converters without passing through the grid. It not only requires simple infrastructure but is convenient and feasible and can reduce the heavy power demand of the grid during peak charging hours. It effectively solves the problem of users being unable to charge immediately due to the lack of charging piles in charging stations during peak charging times [7].

As new energy is volatile, intermittent, and difficult to store, the power grid will actively implement demand response strategies to cut peaks and fill valleys by adjusting electricity prices. For example, in August 2023, Beijing implemented a new policy on electricity prices; the peak and valley electricity price ratio is four times higher, of which the peak electricity price is 1.4223 yuan/kWh while the valley electricity price is 0.2939 yuan/kWh [8]. With the development of battery technology, EV batteries can be used as energy storage devices. The seller’s EVs can be charged in the low valleys of the grid. The power can be transferred to the buyer’s EVs during the peak periods of the grid through V2V, which, on the one hand, can alleviate charging anxiety due to the shortage of charging piles and provide users with a variety of charging methods and, on the other hand, can bring additional revenue to EV users. In real life, cities such as Beijing, Shanghai, and Tokyo have begun to use V2V charging technology, while electric vehicle manufacturers such as Rivian and Hyundai are also actively developing V2V charging equipment [9]. References [10,11,12] propose optimizing charging station services through V2V, thus providing better quality charging solutions to users. Ref. [10] proposes an accessible closed-loop V2V charging mechanism for charging stations, which reduces the loss of long-distance power transmission by attracting EV discharges to complete indirect V2V charging through game-theoretic pricing with the charging station as an intermediary. Reference [11] realizes the efficient combination of V2V and V2G (Vehicle-to-Grid) charging methods through the charging algorithm based on matching theory, which enables EVs to have better charging choices and relieves charging anxiety compared with the traditional V2G scheme. In Ref. [12], in order to achieve local charging station demand management and avoid transformer overload, a soft participant-critic model for EV demand management is proposed to maximize EV welfare through V2V charging services. In summary, EV has certain advantages in completing V2V transactions through charging stations, which can not only provide a variety of charging methods to alleviate charging anxiety and improve charging quality effectively but also indirectly complete V2V charging through the energy storage facilities of charging stations, which improves the potential of charging stations to participate in demand response.

Since V2V power trading is a multi-buyer-to-multi-buyer trading problem, it involves many trading entities and decentralized trading, focusing on the interaction between EVs [13]. If a traditional centralized system is used, there may be the following problems: (1) single point of failure: if the central organization fails or is attacked, the power transaction may be interrupted or even subject to malicious control. (2) Lack of privacy: the central organization suffers from privacy leakage and threatens user privacy. Therefore, EV users are reluctant to act as electricity suppliers. (3) Lack of trust: electric vehicle users lack trust in the central organization and have an information asymmetry problem [14]. Blockchain technology has attracted significant attention and has been widely used in electricity trading due to its characteristics of decentralization, reliability, tamper-proof, and traceability [15,16,17]. Blockchain enables public auditing and traceability of transaction data, but due to its openness and transparency, it may expose the user’s private information or create a risk of leakage for information interaction [18]. When paying for electricity, the transaction data in the early payment system, including the account addresses of both parties to the transaction and the transaction amount, are publicly available [19], and an attacker can easily access the transaction information, subjecting both parties of the electricity transaction to inference attacks and loss of anonymity. Since electric vehicles need to be charged frequently, attackers can analyze the payment information for a long time, resulting in the user being linked to each charging location, which will lead to the disclosure of the user’s driving trajectory and charging habits and realize targeted advertising for the owner [20]. Through the payment and settlement of blockchain, the privacy protection of the real identity, account address, and transaction data of the owner’s payment is an urgent problem for V2V power transactions.

Table 1. Comparison of our plan with other existing plans.

Scheme	Architecture	V2V or V2G	Privacy	Authentication	Anonymity	Traceability
Ref. [10]	Center	√	×	×	×	×
Ref. [11]	Center	√	×	×	×	×
Ref. [12]	Center	√	×	×	×	×
Ref. [15]	Blockchain	√	√	×	×	×
Ref. [16]	Blockchain	√	√	×	√	√
Ref. [17]	Blockchain	√	√	√	×	×
our scheme	Blockchain	√	√	√	√	√

summarizes some main differences between existing schemes and our scheme, such as architecture, privacy, authentication, anonymity, and traceability. Here, “√” means the requirement is satisfied, and “×” means the requirement is not.

1.1. Related Work

In 2004, Liu et al. proposed the linkable ring signature algorithm for the first time. When a user repeatedly signs information during a transaction, the system will find these repeated signatures, but it is impossible to determine the specific transaction user who generated the signature. In other words, lousy transaction behaviors can be discovered in time, and transaction fairness can be maintained while users are anonymous. Therefore, the algorithm is widely used in electronic cash and voting. Due to its unique advantages, the algorithm is widely used in the blockchain and all kinds of energy transactions, ensuring the anonymity of both sides of the transaction and its untraceability. References [21,22,23] use linkable ring signatures to ensure the anonymity of both sides of the transaction and anonymous payment and withdrawal in the transaction process. However, these schemes are based on the public key infrastructure. That is, the key center organization entirely generates the user key. When the organization is breached or becomes untrusted, the keys of all users will be leaked, the end user’s signature will be forged, and the transaction will be paralyzed. Reference [24] proposes a certificateless ring signature scheme to achieve unconditional user anonymity. However, this scheme must repeat the bilinear pairing operation many times, and the computational cost is high. Literature [25] achieves the untraceability of transactions by applying linkable ring signatures to transaction data and stealth addresses. If the blockchain account address is leaked, there is a risk of being subjected to inference attacks, which can leak the user’s real individuality information and destroy the transaction’s anonymity. Reference [26] designed a stealth address generation algorithm, which generates a unique address for each transaction and effectively avoids the direct exposure of real accounts in the transaction process. Moreover, based on the elliptic curve algorithm, this algorithm has the advantages of difficulty in cracking, low cost, and easy implementation to ensure the unlinkability of transactions effectively. Reference [27] implements a decentralized real-time settlement energy trading scheme through blockchain. However, the scheme uses a centralized institution to create trading addresses for users and perform currency transfers, which can lead to the leakage of users’ trading addresses if the institution is not adequately managed, destroying anonymity. Reference [28] proposes a fully decentralized hybrid scheme for Bitcoin, which prevents a third party from stealing Bitcoin or learning the relationship between the input and output addresses and realizes strong transaction anonymity. However, this scheme needs to ensure that no malicious user is in the transaction; otherwise, the signature cannot typically be generated. Reference [29] proposes an improved double-key stealth address algorithm, which solves the problem that the transaction was identified due to the need for additional public keys in the transaction process and further strengthens the transaction’s unlinkability. However, the user did not realize their anonymity in the scheme, so exposing their identity privacy information in the transaction was effortless. Reference [30] generates multiple accounts for both sides of the transaction through the mapping mechanism to strengthen the protection of user addresses. However, since this mechanism relies on smart contracts and easily generates iterative operations, it requires strong system computing power. It is not suitable for energy trading systems with fewer computing resources. Through the above literature analysis, the linkable ring signature algorithm and the stealth address mechanism can achieve anonymity for the user in the transaction and untraceability between the account addresses. Meanwhile, this paper only uses the dot product operation on the elliptic curve to complete the transaction and further reduces the system’s calculation overhead.

1.2. Contributions

In order to achieve the anonymity of users and untraceability between input address and output address in V2V power transactions. This article makes the following three contributions:

(1) A linkable ring signature algorithm is used to sign the transaction information and transfer address, ensuring the transaction’s untraceability under the owner’s anonymity.

(2) To avoid revealing the user’s account address in the transaction process, we design an efficient stealth address algorithm to generate multiple transfer addresses for the user to ensure the transaction’s unlinkability. At the same time, the algorithm only needs two multiplications and one addition on the elliptic curve to determine the address’s belonging, which effectively reduces the cost of generating the address.

(3) The certificateless public key system generates keys and pseudo identities for EV users, strengthening the management of user keys and reducing the risk of key leakage. When a dispute occurs in a V2V power transaction, it is easy to track malicious users through fake identities to maintain the fairness of transactions in time.

1.3. Roadmap

Part II describes the related techniques adopted by the system. Part III introduces the V2V trading model and explains the specific process of V2V power trading. Part IV describes the scheme’s implementation process in detail. Part V analyzes the scheme’s safety and performance. Part VI concludes the paper and gives directions for future research.

2. Preliminaries

2.1. Linkable Ring Signature

As a further constraint of ring signature, it not only realizes the unconditional anonymity of the signer but also overcomes the disadvantage that a ring signature cannot determine whether there are multiple signatures of ring members, so it is widely used in electronic cash and electronic voting. In the scheme of this paper, every time an EV user completes an electricity transaction, he/she needs to sign the transaction information and address. The signature can be linked if the EV user uses the same key to sign the transaction repeatedly. Certificate Authority (CA) must trace back to the user and make the user pay again.

2.2. Consortium Blockchain

Consortium blockchain have a more efficient consensus mechanism than public blockchain and higher scalability than private blockchain, which is suitable for many-to-many power trading scenarios. In the consortium blockchain, the consensus algorithm in the network is completed by pre-selecting nodes without the participation of all nodes, significantly reducing the network overhead and consensus time. In our scheme, EVs only need to perform some light computing tasks. In contrast, complex computing tasks such as block consensus and data storage are completed by Local Area Gateway (LAG), which reduces the difficulty of EV participation in transactions. Therefore, consortium blockchain is very suitable for V2V power trading for charging stations.

2.3. Stealth Address

In a transaction, the payer generates a stealth address based on the dual public key provided by the payee. No account address of the two parties to the transaction needs to appear, and only the actual payee has the private key of the stealth address. Other users view the address information generated by their transactions as spam. The address generation algorithm ensures that only the actual electricity supplier can receive the electricity bill and guarantees the unlinkability between the two parties of the transaction and the supplier’s anonymity.

2.4. Related Difficult Problems

Discrete Logarithm (DL) problem: There exists a group $G$ of the order of a large prime $q$. Let $P$ be an arbitrary generator element of $G$. For any $a\in Z_q^{\ast }$, given $aP\in G$, compute $a$. In arbitrary polynomial time, there exists no algorithm $\tau$ that can successfully solve the discrete logarithm problem.

3. Scheme Design

As shown in Figure 1, our proposed V2V power trading model for charging stations mainly comprises the following five entities.

CA: CA is a fully trusted third party with powerful computing resources. It provides registration services for all kinds of entities in the system and generates public parameters. Only CA can trace the EV’s real identity in the transaction. When an EV has bad trading behavior, CA will trace its real identity and punish it.

KGC: The Key Generation Center (KGC) is an incomplete, trusted third party with more computing resources that provide partial keys for EVs.

LAG: LAG is a hardware device with powerful computing and storage capabilities provided by charging stations acting as a consortium blockchain node. LAG will jointly vote to elect multiple controller nodes of the blockchain and use the Practical Byzantine Consensus (PBFT) algorithm to achieve the consensus of the consortium blockchain block.

Trading Platform: The trading platform collects various energy trading requirements submitted by EV users, including information such as vehicle location, purchased or sold power, and expected electricity price, and determines the most appropriate energy trading parties. It is worth noting that both sides of the energy transaction include EV users and charging stations. When charging peaks, EVs cannot be charged in time due to the lack of charging piles, and EVs can complete charging by direct vehicle-to-vehicle to reduce the charging queue waiting time. Secondly, in the case of insufficient power at the charging station, the charging station completed indirect V2V power trading by attracting EV discharge for local power storage, which avoided the loss of long-distance power transmission and brought certain benefits to users [10].

EV: In this scheme, EV is a new type of electric vehicle that uses 5G communication technology to transmit power trading plans and complete bidirectional charging and discharging through a DC-DC converter. When an EV user logs in to the V2V power trading center, they need to choose roles: (1) charging EVs that need to replenish their power to complete the rest of their trip; (2) electric discharge EVs with excess power and willing to carry out V2V power trading. At the same time, EVs should have specific light computing ability. When the power transaction is completed, the transaction data need to be signed and uploaded, but the EV does not need to participate in the block consensus process and acts as a light node in the system.

3.1. Scheme Design Ideas

• The EV user key in the system is jointly calculated by the KGC and the EV users themselves, avoiding the key leakage problem caused by the key generated entirely by the KGC, which exists in the scheme based on public key infrastructure.
• When the power transmission of the transaction is over, the charging EV needs to pay the corresponding currency for the purchased power, which is protected by the individual private key because the currency is stored on the address in the blockchain. The charging EV will generate an exclusive stealth address for the discharging EV using a random number and the public key of the discharging EV and transfer the corresponding amount of currency. The discharging EV can use its private key to extract the currency on the address without revealing its real identity, ensuring both parties’ anonymity in the transaction.
• The charging EV signs the power transaction information and the stealth address with its private key and the system public key set using the linkable ring signature algorithm. Suppose a malicious EV tries to generate multiple signatures. In that case, the linkability of the signature will be triggered to determine that the signature is invalid, and the CA will intervene promptly to punish the malicious EV and ensure the uniqueness of the transaction.

3.2. Scheme Models and Implementation Process

Combined with Figure 1 and Figure 2, the scheme can be divided into the following steps:

(1) It is mainly the process of CA and KGC generating some system public parameters and completing the registration and verification of various entities in the system. Firstly, EV users send personal and accurate EV identity information through the trusted channel, such as license plate number, vehicle type, and owner identity certificate, to CA to complete the user registration of the V2V power trading system. After successful registration, CA will generate a transaction pseudo-identity for EV users as the only identity information of the power trading platform to participate in the power trading and bidding between users. Otherwise, EV users cannot participate in V2V power trading. Subsequently, CA sends the pseudo-identity to KGC. KGC generates part of the key for EV after receiving the pseudo-identity and verifying it to CA. The end user generates the remaining keys and combines them into a complete key.

(2)–(6) is the V2V power trading process, which is mainly divided into the following trading steps: information release, trade matching, settlement, and storage of trading information. When the EV user has an energy demand, they log into the power trading platform and submit information such as EV location $\left(x_i,y_i\right)=place$, current power ${CE}_i$, pre-purchased or sold power quantity $\mathrm{q}\mathrm{u}\mathrm{a}\mathrm{n}\mathrm{t}\mathrm{i}\mathrm{t}\mathrm{y}$, expected charging time ${time}_i$ and acceptable price ${\mathrm{p}\mathrm{r}\mathrm{i}\mathrm{c}\mathrm{e}}_{\mathrm{i}}$, etc. After the trading platform matches the best power trading scheme for charging and discharging EVs, the trading information $\mathrm{e}\mathrm{v}\mathrm{e}\mathrm{n}\mathrm{t}=[\mathrm{p}\mathrm{l}\mathrm{a}\mathrm{c}\mathrm{e},\mathrm{q}\mathrm{u}\mathrm{a}\mathrm{n}\mathrm{t}\mathrm{i}\mathrm{t}\mathrm{y},\mathrm{p}\mathrm{r}\mathrm{i}\mathrm{c}\mathrm{e},\mathrm{t}\mathrm{i}\mathrm{m}\mathrm{e}]$ is returned to the buyer and seller for confirmation, and then the owner of the vehicle goes to the designated charging station to complete the power transmission. The blockchain payment function is triggered when the transaction parties confirm that the power transmission is over. In the transaction process, EV users interact through pseudo-identity to effectively avoid the exposure of their real identities. When the charging EV pays successfully, the discharging EV will check the authenticity and correctness of the amount on the address and will submit the information to the LAG to form a transaction record only after verifying it is correct. Finally, the master node in the LAG adopts PBFT to form a block and store it on the consortium blockchain. The bank is responsible for providing the currency to the users, and at the same time, the currency can be exchanged.

(7)–(8) is forming a stealth address. Discharging the EV needs to generate a pair of payment keys, $\mathrm{t},\mathrm{T}=\mathrm{t}\mathrm{P}$, and scanning keys $\mathrm{s},\mathrm{S}=\mathrm{s}\mathrm{P}$, and publish them on the blockchain. When the charging EV obtains these two keys and selects the random key $\mathrm{r} \mathsf{ϵ} {\mathrm{Z}}_{\mathrm{q}}^{\ast }$, it generates the transaction public key $R$ and the shared key $d$. It calculates the stealth address $D$. $D$ is stored with the currency corresponding to this transaction. The key $R$ detects whether the discharging EV is the receiver of the address that is eventually posted on the blockchain. These data are junk data that are unrecognizable to other EV users who are not involved in this V2V electricity transaction.

(9) The procedure for generating a linkable ring signature and signature verification for charging EV. The charging EV uses the personal public and private key pair and the public keys of n−1 randomly selected members in the system and uses the tuple $(\mathrm{e}\mathrm{v}\mathrm{e}\mathrm{n}\mathrm{t},\mathrm{m},\mathrm{U})$, where $U$ is the public key set, to generate the user signature tag $V$. With some random numbers $\mathrm{z},{\mathrm{c}}_{\mathrm{i}}\in {\mathrm{Z}}_{\mathrm{q}}^{\ast }$, output ring signature $\mathsf{\sigma }=({\mathrm{c}}_1,{\mathrm{c}}_2,\dots ,{\mathrm{c}}_{\mathrm{n}},\mathrm{y},\mathrm{V})$ to verify and link the signature. For the valid signature $(\mathrm{e}\mathrm{v}\mathrm{e}\mathrm{n}\mathrm{t},{\mathrm{m}}_1,{\mathsf{\sigma }}_1=({\mathrm{V}}_1,·\left)\right)$, $(\mathrm{e}\mathrm{v}\mathrm{e}\mathrm{n}\mathrm{t},{\mathrm{m}}_2,{\mathsf{\sigma }}_2=({\mathrm{V}}_2,·\left)\right)$, when the user signature tag appears as ${\mathrm{V}}_1={\mathrm{V}}_2$, output the link, otherwise output the unlink. When a link appears, the user’s identity needs to be determined, and the CA notifies it to pay again until step (11).

(10) Anonymous extraction: The discharge EV uses $R$ and $c$ to determine whether the stealth address belongs to it. If equal, the discharging EV uses the shared key $d$ and the payment private key $t$ to calculate the corresponding confirmed transaction private key ${\mathrm{t}}_{\mathrm{d}}\mathrm{S}\mathrm{K}$, and only the discharging EV of the transaction can recover the private key.

(11) If the output link indicates dishonest transaction behavior, the CA finds the discharging EV’s real identity through pseudo-identity and asks it to resend. Then, it repeats the operations (7)–(10).

4. Scheme Implementation

Based on the scheme architecture in Figure 1 and the scheme implementation process described above, we give the timing diagram of the whole scheme, as shown in Figure 3. Moreover, we give the specific implementation process corresponding to each stage of the timing diagram.

Table 2. Meaning of certain symbols in the scheme.

Symbols	Meaning
${\mathrm{F}}_{\mathrm{p}}$	Finite field of prime numbers
$E$	An elliptic curve on ${\mathrm{F}}_{\mathrm{p}}$
$q$	Large prime number
$G$	Additive cyclic group
${\mathrm{Z}}_{\mathrm{q}}^{\ast }$	A set of positive integer prime order groups less than $q$
$P$	The q-th order generating element of $G$, with $P$ as the base point
${\mathrm{T}}_{\mathrm{p}\mathrm{u}\mathrm{b}},\mathsf{\alpha }$	CA’s public and private keys
${\mathrm{P}}_{\mathrm{p}\mathrm{u}\mathrm{b}},\mathsf{\beta }$	KGC’s public and private keys
${\mathrm{P}\mathrm{K}}_{\mathrm{i}}$	${\mathrm{E}\mathrm{V}}_{\mathrm{i}}’\mathrm{s} \mathrm{p}\mathrm{u}\mathrm{b}\mathrm{l}\mathrm{i}\mathrm{c} \mathrm{k}\mathrm{e}\mathrm{y} {\mathrm{P}\mathrm{K}}_{\mathrm{i}}=\left({\mathrm{X}}_{\mathrm{i}},{\mathrm{Y}}_{\mathrm{i}}\right)$
${\mathrm{S}\mathrm{K}}_{\mathrm{i}}$	${\mathrm{E}\mathrm{V}}_{\mathrm{i}}’\mathrm{s} \mathrm{p}\mathrm{r}\mathrm{i}\mathrm{v}\mathrm{a}\mathrm{t}\mathrm{e} \mathrm{k}\mathrm{e}\mathrm{y} {\mathrm{S}\mathrm{K}}_{\mathrm{i}}=({\mathsf{\mu }}_{\mathrm{i}},{\mathsf{\lambda }}_{\mathrm{i}})$
${\mathrm{H}}_1~{\mathrm{H}}_4$	Hash function
$W$	User set $\{{\mathrm{P}\mathrm{I}\mathrm{D}}_1,\mathrm{P}{\mathrm{I}\mathrm{D}}_2\dots {\mathrm{A}\mathrm{I}\mathrm{D}}_{\mathrm{n}}\}$
$U$	Public key set $\mathrm{U}=\mathrm{W}\cup \{{\mathrm{P}\mathrm{K}}_{\mathrm{i}}:{\mathrm{P}\mathrm{I}\mathrm{D}}_{\mathrm{i}}\in \mathrm{W}\}$
$\mathrm{D}$	Stealth address
$\mathrm{b}$	Amount of transaction
$m$	Electricity trading message ($\mathrm{D},\mathrm{b}$)
$\mathsf{\sigma }$	A linkable ring signature
$\mathrm{V}$	Linkable ring signature tag
$event$	V2V power trading list description

shows the meaning of some symbols during the execution of the scheme.

1. Setup: (1) Input security parameter $V$ and select the group $G$ of prime numbers ${\mathrm{q}>\mathrm{Z}}^{\mathrm{V}}$ and the generator element $P$ of $G$. CA randomly selects $\mathsf{\alpha }\in {\mathrm{Z}}_{\mathrm{q}}^{\ast }$ as the master key, public key $T_{pub}=\mathsf{\alpha }\mathrm{P}$; KGC randomly selects $\mathsf{\beta }\in {\mathrm{Z}}_{\mathrm{q}}^{\ast }$ as the master key, public key ${\mathrm{P}}_{\mathrm{p}\mathrm{u}\mathrm{b}}=\mathsf{\beta }\mathrm{P}$. Select four hash functions: ${{\mathrm{H}}_1,\mathrm{H}}_3,{\mathrm{H}}_4:{\left\{\mathrm{0,1}\right\}}^{\ast }\to {\mathrm{Z}}_{\mathrm{q}}^{\ast }$, ${\mathrm{H}}_2:{\left\{\mathrm{0,1}\right\}}^{\ast }\to \mathrm{G}$. Broadcast system parameters: $\mathrm{p}\mathrm{a}\mathrm{r}\mathrm{a}\mathrm{m}\mathrm{s}=\{\mathrm{G},\mathrm{P},\mathrm{q},{\mathrm{H}}_1~{\mathrm{H}}_4,{\mathrm{T}}_{\mathrm{p}\mathrm{u}\mathrm{b}},{\mathrm{P}}_{\mathrm{p}\mathrm{u}\mathrm{b}}\}$.

(2) Generate pseudo-identity: the EV user randomly selects ${\mathrm{r}}_{\mathrm{i}}\in {\mathrm{Z}}_{\mathrm{q}}^{\ast }$, calculates ${\mathrm{P}\mathrm{I}\mathrm{D}}_{\mathrm{i},1}={\mathrm{r}}_{\mathrm{i}}\mathrm{P}$, and sends the tuple $({\mathrm{R}\mathrm{I}\mathrm{D}}_{\mathrm{i}},{\mathrm{P}\mathrm{I}\mathrm{D}}_{\mathrm{i},1})$ to CA. CA calculates EV pseudo-identity $\mathrm{PI}{\mathrm{D}}_i$ according to the following equation, where $\mathrm{RI}{\mathrm{D}}_i$ is the EV user’s real identity, and ${\mathrm{T}}_{\mathrm{i}}$ is the timestamp.

$$\left\{\begin{array}{l}{\mathrm{PID}}_{\mathrm{i},2}=\mathrm{R}{\mathrm{ID}}_{\mathrm{i}}\oplus {\mathrm{H}}_1\left({\mathsf{\alpha }\mathrm{PID}}_{\mathrm{i},1}\right)\\ {\mathrm{PID}}_{\mathrm{i}}=\left\{{\mathrm{PID}}_{\mathrm{i},1},{\mathrm{PID}}_{\mathrm{i},2},{\mathrm{T}}_{\mathrm{i}}\right\}\end{array}\right.$$

(1)

2. Key generation: The EV user sends the generated private key to the KGC, which generates part of the private key for the EV user after successful verification with the CA through the trusted channel.

($Extract-PPK$) KGC randomly selects ${\mathrm{k}}_{\mathrm{i}}\in {\mathrm{Z}}_{\mathrm{q}}^{\ast }$, generates partial key pairs $\left({\lambda }_i,Y_i\right)$ of EV according to the following formula, and sends tuples $\left({\lambda }_i,Y_i\right)$ to EV users through trusted channels.

$$\left\{\begin{array}{l}{\mathsf{\theta }}_{\mathrm{i}}={\mathrm{H}}_3\left({\mathrm{PID}}_{\mathrm{i}},{\mathrm{P}}_{\mathrm{pub}}\right)\\ {\mathsf{\lambda }}_{\mathrm{i}}=\left({\mathrm{k}}_{\mathrm{i}}+{\mathsf{\theta }}_{\mathrm{i}}\mathsf{\beta }\right)\mathrm{modq}\\ {\mathrm{Y}}_{\mathrm{i}}={\mathsf{\lambda }}_{\mathrm{i}}\mathrm{P}\end{array}\right.$$

(2)

($Set-skSV$) When the user receives $\left({\lambda }_i,Y_i\right)$, and subsequently randomly selects ${\mathsf{\mu }}_{\mathrm{i}}\in {\mathrm{Z}}_{\mathrm{q}}^{\ast }$ as the remaining part of the secret private key, the total private key ${\mathrm{S}\mathrm{K}}_{\mathrm{i}}=({\mathsf{\mu }}_{\mathrm{i}},{\mathsf{\lambda }}_{\mathrm{i}})$.

($Generate-TPK$) The user computes ${\mathrm{X}}_{\mathrm{i}}={\mathsf{\mu }}_{\mathrm{i}}\mathrm{P}$.

($Set-UPK$) user total public key is ${\mathrm{P}\mathrm{K}}_{\mathrm{i}}=({\mathrm{X}}_{\mathrm{i}},{\mathrm{Y}}_{\mathrm{i}})$.

3. Output Transaction Commitment: Suppose the charging EV needs to pay the monetary amount $b$. Let $\mathbb{G}$ be a set of prime order $p$, $g$ and ${\mathrm{h}}_1$ are the generators of $\mathbb{G}$. The charging EV needs to output a commitment ${\mathrm{C}}_{\mathrm{b}}={\mathrm{g}}^{\mathrm{b}}{\mathrm{h}}_1^{\mathrm{r}}$ to the transaction to ensure the correctness of the transaction amount, where $\mathrm{r}\in {\mathrm{Z}}_{\mathrm{p}}$.

4. computing stealth address: Since there are multiple transaction objects in the system, assume that the transaction’s payer is the charging EV and the payee is the discharging EV. The charging EV needs to transfer the corresponding electricity charge to the discharging EV, and then both parties need to perform the following operations:

(1) The discharging EV randomly selects $\mathrm{s},\mathrm{t}\in {\mathrm{Z}}_{\mathrm{q}}^{\ast }$, calculates the scanning public key $\mathrm{S}=\mathrm{sP}$ and the payment public key $\mathrm{T}=\mathrm{tP}$ of the transaction address, and uploads $\mathrm{S},\mathrm{T}$ to the consortium blockchain.

(2) The charging EV obtains the transaction address’s dual public keys, $\mathrm{S}$ and $\mathrm{T}$, from the consortium blockchain. To send the electricity bill, the charging EV randomly selects a temporary private key $\mathrm{r} \mathsf{ϵ} {\mathrm{Z}}_{\mathrm{q}}^{\ast }$, and computes the temporary public key $\mathrm{R}=\mathrm{rP}$, the shared key $\mathrm{d}={\mathrm{H}}_2\left(\mathrm{rS}\right)$, and the stealth address $\mathrm{D}=\mathrm{T}+\mathrm{dP}$ used to store it.

5. Generate a linkable ring signature (Sign): The charging EV uses the individual public and private keys and n−1 public keys randomly selected from the system to form a linkable ring signature, which protects personal information and transaction information and achieves the anonymity of the charging EV, i.e., the signature cannot be identified to which member of the ring it belongs to. ${\mathsf{\mu }}_{\mathrm{i}}$ acts as a temporary key corresponding to the promise ${\mathrm{C}}_{\mathrm{b}}$, and if a message $m$ is encrypted by the same key multiple times, then these signatures are linkable and can be detected and traced by the system. This definition assumes linkability even if the signatures are created using different public key sets. Let the public key set $\mathrm{U}=\{{\mathrm{P}\mathrm{K}}_1,{\mathrm{P}\mathrm{K}}_2\dots {\mathrm{P}\mathrm{K}}_{\mathrm{n}}\}$, the input tuple $(\mathrm{e}\mathrm{v}\mathrm{e}\mathrm{n}\mathrm{t},\mathrm{m},\mathrm{U})$, and the charging user ${\mathrm{P}\mathrm{I}\mathrm{D}}_{\mathrm{s}}\in \mathrm{W}$.

(1) According to the power trading list $event$ and the stealth address $D$, the charging EV calculates the link tag $V$ according to the following equation.

$$\left\{\begin{array}{l}\mathrm{E}={\mathrm{H}}_2\left(\mathrm{event}\right)\\ \mathrm{h}={\mathrm{H}}_3\left(\mathrm{D}\right)\\ \mathrm{V}=\left({\displaystyle {\mathrm{h}\mathsf{\mu }}_{\mathrm{s}}}+{\mathsf{\lambda }}_{\mathrm{s}}\right)\mathrm{E}\end{array}\right.$$

(3)

(2) The charging EV randomly chooses $\mathrm{z},{\mathrm{c}}_{\mathrm{i}}\in {\mathrm{Z}}_{\mathrm{q}}^{\ast }$, where $\mathrm{i}=\mathrm{1,2},\dots \mathrm{s}-1,\mathrm{s}+1,\dots ,\mathrm{n}$. The signature parameter $y$ is calculated according to the following formula, and the final output signature $\sigma =\left({\mathrm{c}}_1,{\mathrm{c}}_2,\dots ,{\mathrm{c}}_{\mathrm{n}},\mathrm{y},\mathrm{V}\right)$.

$$\left\{\begin{array}{l}\mathrm{A}=\mathrm{zE}+{{\displaystyle \sum }}_{\mathrm{i}=1,\mathrm{i}\ne \mathrm{s}}^{\mathrm{n}}{\mathrm{c}}_{\mathrm{i}}\mathrm{V}\\ \mathrm{B}=\mathrm{zP}+{{\displaystyle \sum }}_{\mathrm{i}=1,\mathrm{i}\ne \mathrm{s}}^{\mathrm{n}}{\mathrm{c}}_{\mathrm{i}}\left({\mathrm{hX}}_{\mathrm{i}}+{\mathrm{Y}}_{\mathrm{i}}\right)\\ \mathrm{u}={\mathrm{H}}_4\left(\mathrm{event},\mathrm{m},\mathrm{V},\mathrm{A},\mathrm{B},\mathrm{U}\right)\\ {\mathrm{c}}_{\mathrm{s}}=\mathrm{u}-{{\displaystyle \sum }}_{\mathrm{i}=1,\mathrm{i}\ne \mathrm{s}}^{\mathrm{n}}{\mathrm{c}}_{\mathrm{i}}\\ \mathrm{y}=\mathrm{z}-{\mathrm{c}}_{\mathrm{s}}\left({\mathrm{h}\mathsf{\mu }}_{\mathrm{s}}+{\mathsf{\lambda }}_{\mathrm{s}}\right)\end{array}\right.$$

(4)

6. Verification of signature validity: Input tuples $(\mathsf{\sigma }=\left({\mathrm{c}}_1,{\mathrm{c}}_2,\dots ,{\mathrm{c}}_{\mathrm{n}},\mathrm{y},\mathrm{V}\right),\mathrm{e}\mathrm{v}\mathrm{e}\mathrm{n}\mathrm{t},\mathrm{m},\mathrm{U})$, calculating signature parameters ${\mathrm{E}=\mathrm{H}}_2\left(\mathrm{e}\mathrm{v}\mathrm{e}\mathrm{n}\mathrm{t}\right)$, ${\mathrm{h}=\mathrm{H}}_3\left(\mathrm{D}\right)$, $\mathrm{A}=\mathrm{y}\mathrm{E}+{\sum }_{\mathrm{i}=1}^{\mathrm{n}}{\mathrm{c}}_{\mathrm{i}}\mathrm{V}$ and $\mathrm{B}=\mathrm{y}\mathrm{P}+{\sum }_{\mathrm{i}=1}^{\mathrm{n}}{\mathrm{c}}_{\mathrm{i}}(\mathrm{h}{\mathrm{X}}_{\mathrm{i}}+{\mathrm{Y}}_{\mathrm{i}})$. Generate the signature verification parameters $\mathrm{u}={\mathrm{H}}_4(\mathrm{e}\mathrm{v}\mathrm{e}\mathrm{n}\mathrm{t},\mathrm{m},\mathrm{V},\mathrm{A},\mathrm{B},\mathrm{U})$. Check whether ${\sum }_{\mathrm{i}=1}^{\mathrm{n}}{\mathrm{c}}_{\mathrm{i}}\left(\mathrm{m}\mathrm{o}\mathrm{d}\mathrm{q}\right)=\mathrm{u}$, if equal, the output is 1, otherwise the output is 0.

7. Verify whether the signature is linkable: Input two signature pairs $(\mathrm{e}\mathrm{v}\mathrm{e}\mathrm{n}\mathrm{t},{\mathrm{m}}_1,{\mathsf{\sigma }}_1=({\mathrm{V}}_1,·\left)\right)$, $(\mathrm{e}\mathrm{v}\mathrm{e}\mathrm{n}\mathrm{t},{\mathrm{m}}_2,{\mathsf{\sigma }}_2=({\mathrm{V}}_2,·\left)\right)$ to the verifier. When the signature is valid, then it is necessary to verify whether ${\mathrm{V}}_1={\mathrm{V}}_2$ is valid or not; if it is not valid then output unlink, and then it indicates that the two signatures are not related. If it is valid, it outputs a link, which indicates that the EV user has duplicate signatures, and the CA is required to trace the real identity ${\mathrm{R}\mathrm{I}\mathrm{D}}_{\mathrm{i}}$ of the EV based on its pseudo-identity and order the EV user to pay the electricity bill again.

$$\begin{array}{cc}{ \mathrm{RID}}_{\mathrm{i}}& ={\mathrm{PID}}_{\mathrm{i},2}\oplus {\mathrm{H}}_1\left({\mathsf{\alpha }\mathrm{PID}}_{\mathrm{i},1},{\mathrm{T}}_{\mathrm{pub}}\right)\hfill \\ & ={\mathrm{PID}}_{\mathrm{i}}\oplus {\mathrm{H}}_1\left({\mathsf{\alpha }\mathrm{PID}}_{\mathrm{i},1},{\mathrm{T}}_{\mathrm{pub}}\right)\oplus {\mathrm{H}}_1\left({\mathsf{\alpha }\mathrm{PID}}_{\mathrm{i},1},{\mathrm{T}}_{\mathrm{pub}}\right)={\mathrm{RID}}_{\mathrm{i}}\hfill \end{array}$$

(5)

8. Verify account: The discharging EV needs to verify the attribution of the stealth address. Using $R$ and the shared key $\mathrm{d}=\mathrm{H}\left(\mathrm{s}\mathrm{R}\right)$, ${\mathrm{D}}_1=\mathrm{T}+\mathrm{d}*\mathrm{P}$ is calculated. If $\mathrm{D}={\mathrm{D}}_1$, it means that the stealth address belongs to the discharging EV, otherwise it does not.

9. Anonymous extraction: When $\mathrm{D}={\mathrm{D}}_1$, the discharging EV uses the shared private key $d$ and the payment private key $t$ to calculate the confirmation transaction private key ${\mathrm{t}}_{\mathrm{d}}\mathrm{SK}=\mathrm{d}+\mathrm{t}$ to confirm the transaction. Only the real discharging EV of this transaction has the private key of the stealth address, and the remaining users cannot obtain the currency on this address.

5. Scheme Analysis

5.1. Correctness Analysis

$$\begin{array}{cc}yE+{{\displaystyle \sum }}_{i=1}^n{c}_{i}V& =\left(Z-c_s\left(h{\mu }_s+{\lambda }_s\right)\right)E+{{\displaystyle \sum }}_{i=1}^n{c}_{i}V\\ & =ZE-c_s\left(h{\mu }_s+{\lambda }_s\right)E+{{\displaystyle \sum }}_{i=1}^n{c}_{i}V\hfill \\ & =ZE-c_{s}V+{{\displaystyle \sum }}_{i=1}^n{c}_{i}V\hfill \\ & =Z+{{\displaystyle \sum }}_{i=1,i\ne s}^n{c}_{i}V\hfill \\ & =A\hfill \end{array}$$

(6)

$$\begin{array}{cc}yP+{{\displaystyle \sum }}_{i=1}^n{c}_i\left(h{X}_i+Y_i\right)& =\left(Z-c_s\left(h{\mu }_s+{\lambda }_s\right)\right)P+{{\displaystyle \sum }}_{i=1}^n{c}_i\left(h{X}_i+Y_i\right)\hfill \\ & =ZP-c_s\left(h{\mu }_s+{\lambda }_s\right)P+{{\displaystyle \sum }}_{i=1}^n{c}_i\left(h{X}_i+Y_i\right)\hfill \\ & =ZP-c_s\left(h{X}_i+Y_i\right)+{{\displaystyle \sum }}_{i=1}^n{c}_i\left(h{X}_i+Y_i\right)\hfill \\ & =ZP+{{\displaystyle \sum }}_{i=1,i\ne s}^n{c}_i\left(h{X}_i+Y_i\right)\hfill \\ & =B\hfill \end{array}$$

(7)

5.2. Security Analysis

This paper is based on the ROM given in the literature [21] for security proof: it is assumed that there are two types of adversaries, ${\mathrm{A}}_1$ and ${\mathrm{A}}_2$, in the model. The attacker who implements the challenge is $C$. ${\mathrm{A}}_1$ is used to query the user’s public key, and ${\mathrm{A}}_2$ is used to replace the user’s public key as well as part of the private key.

5.2.1. Unforgeable

Theorem 1.

If the DLP is unsolvable, the present scheme is unforgeable in the face of a type I adversary in ROM.

Proof. 

Assume that the tuple $(\mathrm{P},\mathrm{a}\mathrm{P})$ is an instance of the DLP. $C$ will compute the correct value of a in Game 1.

Initialization: $C$ performs the system setup algorithm to obtain the public parameters $\mathrm{p}\mathrm{a}\mathrm{r}\mathrm{a}\mathrm{m}\mathrm{s}=\{\mathrm{G},\mathrm{P},\mathrm{q},{\mathrm{H}}_1~{\mathrm{H}}_4,{\mathrm{T}}_{\mathrm{p}\mathrm{u}\mathrm{b}},{\mathrm{P}}_{\mathrm{p}\mathrm{u}\mathrm{b}}\}$ and forwards them to ${\mathrm{A}}_1$.

Queries: $C$ creates several query lists with an empty initial value for storing queries and results. Before each query, ${\mathrm{A}}_1$ will perform a public key query on $\mathrm{P}{\mathrm{I}\mathrm{D}}_{\mathrm{i}}$.

(1) $Query-UPK$: First $C$ saves the tuple $({\mathrm{P}\mathrm{I}\mathrm{D}}_{\mathrm{i}},{\mathsf{\mu }}_{\mathrm{i}},{\mathsf{\lambda }}_{\mathrm{i}})$ in the list ${\mathrm{L}}_{\mathrm{u}}$. When ${\mathrm{A}}_1$ enters the identity ${\mathrm{P}\mathrm{I}\mathrm{D}}_{\mathrm{i}}$, $C$ performs the following operation: in performing the jth query, choose the random number ${\mathsf{\mu }}_{\mathrm{j}} \mathsf{ϵ} {\mathrm{Z}}_{\mathrm{q}}^{\ast }$, let $\mathrm{PI}{\mathrm{D}}_j=\mathrm{PI}{\mathrm{D}}^{\diamond }$, $\mathrm{P}{\mathrm{K}}_j=\mathrm{P}{\mathrm{K}}^{\diamond }=\left({\mathsf{\mu }}_{\mathrm{j}}\mathrm{P},\mathrm{aP}\right)$ and for $\mathrm{i}\ne \mathrm{j}$, $C$ obtains ${\mathrm{P}\mathrm{K}}_{\mathrm{i}}=({\mathsf{\mu }}_{\mathrm{i}}\mathrm{P},{\mathsf{\lambda }}_{\mathrm{i}}\mathrm{P})$, and finally inputs the query and answer in list ${\mathrm{L}}_{\mathrm{U}}$.

(2) $Query-H_i$: Assuming that ${\mathrm{A}}_1$ can perform all the hash query operations in the system, store the $Query-H_i$ query with the corresponding response results $\left({\mathsf{\tau }}_{\mathrm{i}},{\mathrm{E}}_{\mathrm{i}}\right),\left({\mathsf{\gamma }}_{\mathrm{i}},{\mathrm{h}}_{\mathrm{i}}\right),({\mathsf{\rho }}_{\mathrm{i}},{\mathsf{\epsilon }}_{\mathrm{i}})$ in the storage lists ${\mathrm{L}}_2-{\mathrm{L}}_4$, respectively.

(3) $Replace-TPK$: $C$ builds the list ${\mathrm{L}}_{\mathrm{R}}$ and stores the tuple $({\mathrm{P}\mathrm{I}\mathrm{D}}_{\mathrm{i}},{\mathrm{X}}_{\mathrm{i}},{\mathrm{X}}_{\mathrm{i}}^{\prime })$. When ${\mathrm{A}}_1$ sends a message to the system in the form of ${\mathrm{P}\mathrm{I}\mathrm{D}}_{\mathrm{i}}$, a new request ${\mathrm{Y}}_{\mathrm{i}}^{\prime }$ is sent to the system, and $C$ replaces ${\mathrm{Y}}_{\mathrm{i}}$ with ${\mathrm{Y}}_{\mathrm{i}}^{\prime }$ and saves the new tuple $({\mathrm{P}\mathrm{I}\mathrm{D}}_{\mathrm{i}},{\mathrm{X}}_{\mathrm{i}},{\mathrm{X}}_{\mathrm{i}}^{\prime })$ in ${\mathrm{L}}_{\mathrm{R}}$.

(4) $Query-SV$: When ${\mathrm{A}}_1$ sends a new request to ${\mathrm{P}\mathrm{I}\mathrm{D}}_{\mathrm{i}}$, $C$ will query to $({\mathrm{P}\mathrm{I}\mathrm{D}}_{\mathrm{i}},{\mathsf{\mu }}_{\mathrm{i}},{\mathsf{\lambda }}_{\mathrm{i}})$ in list ${\mathrm{L}}_{\mathrm{U}}$ and use ${\mathsf{\mu }}_{\mathrm{i}}$ as the response to the request and finally build the table ${\mathrm{L}}_{\mathrm{E}}$ and store with the tuple $({\mathrm{P}\mathrm{I}\mathrm{D}}_{\mathrm{i}},{\mathsf{\mu }}_{\mathrm{i}})$.

(5) $Query-PPK$: $C$ builds list ${\mathrm{L}}_{\mathrm{D}}$ and stores with tuple $({\mathrm{P}\mathrm{I}\mathrm{D}}_{\mathrm{i}},{\mathsf{\theta }}_{\mathrm{i}})$, when ${\mathrm{A}}_1$ sends a new request to ${\mathrm{P}\mathrm{I}\mathrm{D}}_{\mathrm{i}}$; if $\mathrm{PI}{\mathrm{D}}_j=\mathrm{PI}{\mathrm{D}}^{\diamond }$, it means $C$ fails the challenge, otherwise it means that $C$ has queried $({\mathrm{P}\mathrm{I}\mathrm{D}}_{\mathrm{i}},{\mathsf{\mu }}_{\mathrm{i}},{\mathsf{\lambda }}_{\mathrm{i}})$ in ${\mathrm{L}}_{\mathrm{u}}$ or $({\mathrm{P}\mathrm{I}\mathrm{D}}_{\mathrm{i}},{\mathrm{X}}_{\mathrm{i}},{\mathrm{X}}_{\mathrm{i}}^{\prime })$ in ${\mathrm{L}}_{\mathrm{R}}$, and finally executes the extracted partial public key algorithm to get ${\mathsf{\theta }}_{\mathrm{i}}$ and adds $({\mathrm{P}\mathrm{I}\mathrm{D}}_{\mathrm{i}},{\mathsf{\theta }}_{\mathrm{i}})$ to ${\mathrm{L}}_{\mathrm{D}}$.

(6) $Query-Sign$: ${\mathrm{A}}_1$ inputs the tuple $(\mathrm{e}\mathrm{v}\mathrm{e}\mathrm{n}\mathrm{t},\mathrm{m},\mathrm{U},{\mathrm{P}\mathrm{I}\mathrm{D}}_{\mathrm{s}})$, and assuming that ${\mathrm{P}\mathrm{I}\mathrm{D}}_{\mathrm{i}}\in \mathrm{W}$, $C$, it performs the following operations in sequence:

If ${\mathrm{A}}_1$ satisfies both conditions $\mathrm{P}{\mathrm{I}\mathrm{D}}_{\mathrm{s}}\ne {\mathrm{P}\mathrm{I}\mathrm{D}}^{\diamond }$ and $\mathrm{P}{\mathrm{I}\mathrm{D}}_{\mathrm{s}}\notin {\mathrm{L}}_{\mathrm{R}}$, $C$ will obtain a $\mathsf{\sigma }$ by the signature algorithm, if not, $C$ builds the list ${\mathrm{L}}^{\diamond }$ and saves the tuple $\left(\mathrm{e}\mathrm{v}\mathrm{e}\mathrm{n}\mathrm{t},\mathrm{V},{\mathrm{P}\mathrm{I}\mathrm{D}}_{\mathrm{s}}\right)$.

① Retrieve the tuple $\left(\mathrm{e}\mathrm{v}\mathrm{e}\mathrm{n}\mathrm{t},\mathrm{V},{\mathrm{P}\mathrm{I}\mathrm{D}}_{\mathrm{s}}\right)$ in ${\mathrm{L}}^{\diamond }$ and use the existing value $V$ when the tuple exists; when the retrieval fails, it is necessary to take a new value $\mathrm{V}\in \mathrm{G}$ and save the tuple $\left(\mathrm{e}\mathrm{v}\mathrm{e}\mathrm{n}\mathrm{t},\mathrm{V},{\mathrm{P}\mathrm{I}\mathrm{D}}_{\mathrm{s}}\right)$ in ${\mathrm{L}}^{\diamond }$.

② Calculate $\mathrm{E}={\mathrm{H}}_2\left(\mathrm{event}\right)$, $\mathrm{h}={\mathrm{H}}_3\left(\mathrm{D}\right)$.

③ Randomly choose $\mathrm{z},{\mathrm{c}}_{\mathrm{i}}\in {\mathrm{Z}}_{\mathrm{q}}^{\ast }$, where $i=\mathrm{1,2},\dots s-1,s+1,\dots ,n$.

④ Calculate $\mathrm{A}=\mathrm{z}\mathrm{E}+{\sum }_{\mathrm{i}=1,\mathrm{i}\ne \mathrm{s}}^{\mathrm{n}}{\mathrm{c}}_{\mathrm{i}}\mathrm{V}$, $\mathrm{B}=\mathrm{z}\mathrm{P}+{\sum }_{\mathrm{i}=1,\mathrm{i}\ne \mathrm{s}}^{\mathrm{n}}{\mathrm{c}}_{\mathrm{i}}(\mathrm{h}{\mathrm{X}}_{\mathrm{i}}+{\mathrm{Y}}_{\mathrm{i}})$.

⑤ Save the signature verification parameter $\mathrm{u}={\mathrm{H}}_4(\mathrm{e}\mathrm{v}\mathrm{e}\mathrm{n}\mathrm{t},\mathrm{m},\mathrm{V},\mathrm{A},\mathrm{B},\mathrm{U})$ to the list ${\mathrm{L}}_4$, if there exists more than one same $u$ then it means that a collision has occurred; repeat steps ③–⑤ as soon as possible.

⑥ Output the signature $\mathsf{\sigma }=({\mathrm{c}}_1,{\mathrm{c}}_2,\dots ,{\mathrm{c}}_{\mathrm{n}},\mathrm{y},\mathrm{V})$.

Forgery: ${\mathrm{A}}_1$ gets the signature ${\mathsf{\sigma }}^{\ast }=({\mathrm{c}}_1^{\ast },{\mathrm{c}}_2^{\ast },\dots ,{\mathrm{c}}_{\mathrm{n}}^{\ast },{\mathrm{y}}^{\ast },{\mathrm{V}}^{\ast })$ based on the tuple $({\mathrm{e}\mathrm{v}\mathrm{e}\mathrm{n}\mathrm{t}}^{\ast },{\mathrm{m}}^{\ast },{\mathrm{U}}^{\ast })$ to satisfy Game 1.

Solve the DL problem: In order to get ${\mathsf{\sigma }}^{\ast }$, ${\mathrm{A}}_1$ must query ${\mathrm{H}}_4({\mathrm{e}\mathrm{v}\mathrm{e}\mathrm{n}\mathrm{t}}^{\ast },{\mathrm{m}}^{\ast },{\mathrm{V}}^{\ast },{\mathrm{A}}^{\ast },{\mathrm{B}}^{\ast },{\mathrm{U}}^{\ast })$ by hashing. Assuming that the first ${\mathrm{H}}_4$ and ${\mathrm{A}}_1$ queries obtain the corresponding value ${\mathrm{u}}^{\ast }$, since ${\mathrm{H}}_4$ is a hash function with high security and ${\mathrm{u}}^{\ast }={\mathrm{c}}_1^{\ast }+\dots +{\mathrm{c}}_{\mathrm{n}}^{\ast }$, then there must exist one or more $\mathrm{s}\in \{\mathrm{1,2},\dots ,\mathrm{n}\}$, so when ${\mathrm{A}}_1$ obtains ${\mathrm{u}}^{\ast }$, then ${\mathrm{c}}_{\mathrm{s}}^{\ast }$ can be obtained as well. $C$ inputs the same tuple to ${\mathrm{A}}_1$ and returns all query values except the first ${\mathrm{H}}_4$ query value, ${\mathrm{u}}^{\ast \prime }$, after which ${\mathrm{A}}_1$ forges the signature ${\mathsf{\sigma }}^{\ast \prime }=\left({\mathrm{c}}_1^{\ast \prime },{\mathrm{c}}_2^{\ast \prime },\dots ,{\mathrm{c}}_{\mathrm{n}}^{\ast \prime },{\mathrm{y}}^{\ast \prime },{\mathrm{V}}^{\ast \prime }\right)$. At the same time, let ${\mathrm{u}}^{\ast \prime }={\mathrm{c}}_1^{\ast \prime }+\cdots +{\mathrm{c}}_{\mathrm{n}}^{\ast \prime }$, because ${\mathrm{u}}^{\ast }\ne {\mathrm{u}}^{\ast \prime }$ with ${\mathrm{c}}_{\mathrm{s}}^{\ast }\prime$ is obtained after determining ${\mathrm{u}}^{\ast \prime }$ from $c$. Then when $\mathrm{i}\ne \mathrm{s}$, there is ${\mathrm{c}}_{\mathrm{s}}^{\ast }\prime \ne {\mathrm{c}}_{\mathrm{s}}^{\ast }$ and ${\mathrm{c}}_{\mathrm{i}}^{\ast }\prime \ne {\mathrm{c}}_{\mathrm{s}}^{\ast }$, which can be introduced ${\mathrm{y}}^{\ast \prime }\ne {\mathrm{y}}^{\ast }$. If the conditions ${\mathrm{P}\mathrm{I}\mathrm{D}}_{\mathrm{s}}^{\ast }={\mathrm{P}\mathrm{I}\mathrm{D}}^{\diamond }$ and ${\mathrm{P}\mathrm{K}}_{\mathrm{s}}^{\ast }={\mathrm{P}\mathrm{K}}_{\mathrm{j}}$ are satisfied at the same time, we can get $\left({\mathsf{\mu }}^{\ast }\mathrm{P},{\mathsf{\lambda }}^{\ast }\mathrm{P}\right)=({\mathsf{\mu }}_{\mathrm{j}}\mathrm{P},\mathrm{a}\mathrm{P})$, and $C$ looks up the tuple $({\mathrm{P}\mathrm{I}\mathrm{D}}_{\mathrm{j}},{\mathrm{t}}_{\mathrm{j}},\ast )$ in ${\mathrm{L}}_{\mathrm{U}}$ and calculates ${\mathrm{h}}^{\ast }={\mathrm{H}}_2\left(\mathrm{event}\right)$, ${\mathsf{\theta }}_{\mathrm{s}}^{\ast }=\left(\mathrm{PI}{\mathrm{D}}_{\mathrm{s}}^{\ast },{\mathrm{P}}_{\mathrm{pub}}\right)$. The value of $a$ can then be computed: when ${\mathsf{\mu }}^{\ast }={\mathsf{\mu }}_{\mathrm{j}}$, according to a bifurcation lemma based on the literature [31]:

$$\left\{\begin{array}{l}{\mathrm{y}}^{\ast }={\mathrm{z}}^{\ast }-{{\mathrm{c}}_{\mathrm{s}}}^{\ast }\left({\mathrm{h}}^{\ast }{\mathsf{\mu }}_{\mathrm{s}}^{\ast }+{\mathsf{\theta }}_{\mathrm{s}}^{\ast }\mathsf{\beta }+\mathrm{a}\right)\\ {\mathrm{y}}^{\ast \prime }={\mathrm{z}}^{\ast }-{{\mathrm{c}}_{\mathrm{s}}}^{\ast \prime }\left({\mathrm{h}}^{\ast }{\mathsf{\mu }}_{\mathrm{s}}^{\ast }+{\mathsf{\theta }}_{\mathrm{s}}^{\ast }\mathsf{\beta }+\mathrm{a}\right)\\ \mathrm{a}={\left({\mathrm{c}}_{\mathrm{s}}^{\ast \prime }-{\mathrm{c}}_{\mathrm{s}}^{\ast }\right)}^{-1}\left({\mathrm{y}}^{\ast }-{\mathrm{y}}^{\ast \prime }\right)-{\mathrm{h}}^{\ast }{\mathsf{\mu }}_{\mathrm{s}}^{\ast }-{\mathsf{\theta }}_{\mathrm{s}}^{\ast }\mathsf{\beta }\end{array}\right.$$

(8)

□

Theorem 2.

If the DLP cannot be solved, the scheme is unforgeable in the face of a type II adversary in ROM.

The first phase of the proof and the third phase of the query follow the same steps as in Theorem 1.

Initialization: $C$ runs the Setup algorithm to obtain the public parameters $\mathrm{p}\mathrm{a}\mathrm{r}\mathrm{a}\mathrm{m}\mathrm{s}=\{\mathrm{G},\mathrm{P},\mathrm{q},{\mathrm{H}}_1~{\mathrm{H}}_4,{\mathrm{T}}_{\mathrm{p}\mathrm{u}\mathrm{b}},{\mathrm{P}}_{\mathrm{p}\mathrm{u}\mathrm{b}}\}$ and the system master keys $\mathsf{\alpha }$ and $\mathsf{\beta }$ and forwards them to ${\mathrm{A}}_2$.

$Query-SV$: When ${\mathrm{A}}_2$ sends a query request to ${\mathrm{P}\mathrm{I}\mathrm{D}}_{\mathrm{i}}$, if there exists $\mathrm{P}{\mathrm{I}\mathrm{D}}_{\mathrm{j}}={\mathrm{P}\mathrm{I}\mathrm{D}}^{\diamond }$, then $C$ fails the challenge, otherwise $C$ will query to $({\mathrm{P}\mathrm{I}\mathrm{D}}_{\mathrm{i}},{\mathsf{\mu }}_{\mathrm{i}},{\mathsf{\lambda }}_{\mathrm{i}})$ in the list ${\mathrm{L}}_{\mathrm{U}}$ and use ${\mathsf{\mu }}_{\mathrm{i}}$ as a response to the request and finally store the tuple $({\mathrm{P}\mathrm{I}\mathrm{D}}_{\mathrm{i}},{\mathsf{\mu }}_{\mathrm{i}})$ in the list ${\mathrm{L}}_{\mathrm{E}}$.

Solving the DL problem: First, the query and generation steps are similar to Theorem 1. Second, if ${\mathrm{P}\mathrm{I}\mathrm{D}}_{\mathrm{s}}^{\ast }={\mathrm{P}\mathrm{I}\mathrm{D}}^{\diamond }$ and ${\mathrm{P}\mathrm{K}}_{\mathrm{s}}^{\ast }={\mathrm{P}\mathrm{K}}_{\mathrm{j}}$ hold simultaneously, then $\left({\mathsf{\mu }}^{\ast }\mathrm{P},{\mathsf{\lambda }}^{\ast }\mathrm{P}\right)=(\mathrm{a}\mathrm{P},{\mathsf{\lambda }}_{\mathrm{j}}\mathrm{P})$ can be introduced, $C$ queries the tuple $({\mathrm{P}\mathrm{I}\mathrm{D}}_{\mathrm{j}},{\mathrm{t}}_{\mathrm{j}},\ast )$ in ${\mathrm{L}}_{\mathrm{U}}$, and computes ${\mathrm{h}}^{\ast }={\mathrm{H}}_2\left(\mathrm{e}\mathrm{v}\mathrm{e}\mathrm{n}\mathrm{t}\right)$, ${\mathsf{\theta }}_{\mathrm{s}}^{\ast }=({\mathrm{P}\mathrm{I}\mathrm{D}}_{\mathrm{s}}^{\ast },{\mathrm{P}}_{\mathrm{p}\mathrm{u}\mathrm{b}})$. Then, compute $a$: when ${\mathsf{\lambda }}^{\ast }={\mathsf{\lambda }}_{\mathrm{j}}$, which is obtained according to the bifurcation lemma:

$$\left\{\begin{array}{l}{\mathrm{y}}^{\ast }={\mathrm{z}}^{\ast }-{{\mathrm{c}}_{\mathrm{s}}}^{\ast }\left({\mathrm{h}}^{\ast }\mathrm{a}+{\mathsf{\theta }}_{\mathrm{s}}^{\ast }\mathsf{\beta }+{\mathrm{k}}^{\ast }\right)\\ {\mathrm{y}}^{\ast \prime }={\mathrm{z}}^{\ast }-{{\mathrm{c}}_{\mathrm{s}}}^{\ast \prime }\left({\mathrm{h}}^{\ast }\mathrm{a}+{\mathsf{\theta }}_{\mathrm{s}}^{\ast }\mathsf{\beta }+{\mathrm{k}}^{\ast }\right)\\ \mathrm{a}={\left({\mathrm{h}}^{\ast }\right)}^{-1}\left[{\left({\mathrm{c}}_{\mathrm{s}}^{\ast \prime }-{\mathrm{c}}_{\mathrm{s}}^{\ast }\right)}^{-1}\left({\mathrm{y}}^{\ast }-{\mathrm{y}}^{\ast \prime }\right)-{\mathrm{k}}^{\ast }-{\mathsf{\theta }}_{\mathrm{s}}^{\ast }\mathsf{\beta }\right]\end{array}\right.$$

(9)

5.2.2. Anonymity

Theorem 3.

Facing a type I adversary in ROM, this scheme has anonymity.

Proof. 

This step is similar to the proof phase of Theorem 1.

Phase 1: ${\mathrm{A}}_1$ performs the same kinds of hash query operations as in Theorem 1.

Challenge: ${\mathrm{A}}_1$ inputs the tuple $(\mathrm{e}\mathrm{v}\mathrm{e}\mathrm{n}\mathrm{t},\mathrm{m},\mathrm{U},{\mathrm{P}\mathrm{I}\mathrm{D}}_0,{\mathrm{P}\mathrm{I}\mathrm{D}}_1)$ to satisfy the requirements of Game 3. $C$ generates the signature $\mathsf{\sigma }=\mathrm{S}\mathrm{i}\mathrm{g}\mathrm{n}(\mathrm{e}\mathrm{v}\mathrm{e}\mathrm{n}\mathrm{t},\mathrm{m},\mathrm{U},{\mathsf{\mu }}_{\mathrm{s}},{\mathsf{\lambda }}_{\mathrm{s}})$ with randomly chosen $\mathsf{\omega }\in \left\{\mathrm{0,1}\right\}$ and finally returns it to ${\mathrm{A}}_1$.

Phase 2: ${\mathrm{A}}_1$ can perform all kinds of query operations as in phase 1 but must comply with the constraints of Game 3.

Response: ${\mathrm{A}}_1$ responds to a new value ${\mathsf{\omega }}^{\prime }\in \left\{\mathrm{0,1}\right\}$.

Since ${\mathrm{A}}_1$ cannot determine the values of ${\mathsf{\lambda }}_0$ and ${\mathsf{\lambda }}_1$, ${\mathrm{A}}_1$ cannot compute $\mathrm{V}=(\mathrm{h}{\mathsf{\mu }}_0+{\mathsf{\lambda }}_0)\mathrm{E}$ and $\mathrm{V}=(\mathrm{h}{\mathsf{\mu }}_1+{\mathsf{\lambda }}_1)\mathrm{E}$ to generate $\mathsf{\sigma }$. Since ${\mathrm{H}}_2,{\mathrm{H}}_3$ are one-way hash functions with irreversibility, therefore ${\mathrm{E}=\mathrm{H}}_2\left(\mathrm{e}\mathrm{v}\mathrm{e}\mathrm{n}\mathrm{t}\right)$ and ${\mathrm{h}=\mathrm{H}}_3\left(\mathrm{e}\mathrm{v}\mathrm{e}\mathrm{n}\mathrm{t}\right)$ are uniformly distributed on $G$ and ${\mathrm{Z}}_{\mathrm{q}}^{\ast }$, and it follows that $\mathrm{V}=\left(\mathrm{h}{\mathsf{\mu }}_{\mathrm{s}}+{\mathsf{\lambda }}_{\mathrm{s}}\right)\mathrm{E}$ is uniformly distributed on $G$. If ${\mathrm{P}\mathrm{I}\mathrm{D}}_{\mathrm{i}}\in \mathrm{W}$ is an adversary, and $z$ and ${\mathrm{c}}_{\mathrm{i}}$ are an independent choice, in ${\mathrm{Z}}_{\mathrm{q}}^{\ast }$ keep uniform distribution, then $\mathrm{A}=\mathrm{z}\mathrm{E}+{\sum }_{\mathrm{i}=1,\mathrm{i}\ne \mathrm{s}}^{\mathrm{n}}{\mathrm{c}}_{\mathrm{i}}\mathrm{V}$, $\mathrm{B}=\mathrm{z}\mathrm{P}+{\sum }_{\mathrm{i}=1,\mathrm{i}\ne \mathrm{s}}^{\mathrm{n}}{\mathrm{c}}_{\mathrm{i}}(\mathrm{h}{\mathrm{X}}_{\mathrm{i}}+{\mathrm{Y}}_{\mathrm{i}})$ keep uniform distribution on $G$. Similarly, $u$ as the output of function ${\mathrm{H}}_4$ is uniformly distributed on ${\mathrm{Z}}_{\mathrm{q}}^{\ast }$,${\mathrm{c}}_{\mathrm{s}}=\mathrm{u}-{\sum }_{\mathrm{i}=1,\mathrm{i}\ne \mathrm{s}}^{\mathrm{n}}{\mathrm{c}}_{\mathrm{i}}$, $\mathrm{y}=\mathrm{z}-{\mathrm{c}}_{\mathrm{s}}(\mathrm{h}{\mathsf{\mu }}_{\mathrm{s}}+{\mathsf{\lambda }}_{\mathrm{s}})$ in ${\mathrm{Z}}_{\mathrm{q}}^{\ast }$ keep uniform distribution. According to the above analysis, all parameters of the generated signature $\mathsf{\sigma }$ maintain uniform distribution. If adversary ${\mathrm{A}}_1$ makes a random guess, it will not be able to identify the real signer. □

Theorem 4.

Facing a type II adversary in ROM, this scheme has anonymity.

The proof phase is similar to Theorem 2, and the remaining phases are similar to Theorem 3.

5.2.3. Linkability

Theorem 5.

Facing a type I adversary in ROM; this scheme is linkable.

The proof and query phases are the same as in Theorem 1. Suppose ${\mathrm{A}}_1$ generates two signatures ${(\mathsf{\sigma }}_1,\mathrm{e}\mathrm{v}\mathrm{e}\mathrm{n}\mathrm{t},{\mathrm{m}}_1,{\mathrm{U}}_1)$ and ${(\mathsf{\sigma }}_2,\mathrm{e}\mathrm{v}\mathrm{e}\mathrm{n}\mathrm{t},{\mathrm{m}}_2,{\mathrm{U}}_2)$ that satisfy the constraints of Game 5. Let ${\mathrm{U}}_{\mathrm{k}}={\mathrm{W}}_{\mathrm{k}}\cup \{{\mathrm{P}\mathrm{K}}_{\mathrm{k}\mathrm{i}}:{\mathrm{P}\mathrm{I}\mathrm{D}}_{\mathrm{k}\mathrm{i}}\in {\mathrm{W}}_{\mathrm{k}}\}$, ${\mathrm{W}}_{\mathrm{k}}=\left\{{\mathrm{P}\mathrm{I}\mathrm{D}}_{\mathrm{k}1},\dots ,{\mathrm{P}\mathrm{I}\mathrm{D}}_{\mathrm{k}\mathrm{n}}\right\},\mathrm{k}=\mathrm{1,2}$, and if ${\mathsf{\sigma }}_1=\left(·,{\mathrm{V}}_1\right),{\mathsf{\sigma }}_2=\left(·,{\mathrm{V}}_2\right)$ has non-connectivity, then it means that ${\mathrm{V}}_1\ne {\mathrm{V}}_2$, ${\sigma }_1\ne {\sigma }_2$, and because ${\mathrm{V}}_1=\left(\mathrm{h}{\mathsf{\mu }}_{1\mathrm{s}}+{\mathsf{\lambda }}_{1\mathrm{s}}\right)\mathrm{E}$, when ${\mathrm{A}}_1$ generates a valid signature ${\sigma }_2$ under the condition that ${\mathrm{A}}_1$ knows only ${\mathsf{\lambda }}_{1\mathrm{s}}$ and is default on ${\mathsf{\mu }}_{1\mathrm{s}}$, ${\mathrm{A}}_1$ cannot generate ${\sigma }_2$ in valid time under DLP. In summary, it follows that ${\mathrm{V}}_1={\mathrm{V}}_2$ necessarily holds and that repeated signatures can be linked when they are repeated.

Theorem 6.

Facing a type II adversary in ROM, this scheme is linkable.

The proof and query phases operate similarly to Theorem 2, and the remaining execution steps are similar to Theorem 5. Eventually, the same condition can be obtained. That is, when ${\mathrm{A}}_1$ generates a valid signature ${\sigma }_2$ under the condition that ${\mathrm{A}}_1$ knows only ${\mathsf{\lambda }}_{1\mathrm{s}}$ and defaults on ${\mathsf{\mu }}_{1\mathrm{s}}$, ${\mathrm{A}}_1$ is unable to generate ${\sigma }_2$ in a valid time under DLP. To sum up, it can be obtained that ${\mathrm{V}}_1={\mathrm{V}}_2$ necessarily holds and that duplicate signatures can be linked when they are duplicated.

5.2.4. Indefensible

Theorem 7.

Facing a type I adversary in ROM, this scheme is indefensible.

The operations performed in the proof and query phases are the same as in Theorem 1. ${\mathrm{A}}_1$ submits the tuple $(\mathrm{e}\mathrm{v}\mathrm{e}\mathrm{n}\mathrm{t},\mathrm{m},\mathrm{U},{\mathrm{P}\mathrm{I}\mathrm{D}}_{\mathrm{s}})$ to $C$ and ${\mathrm{P}\mathrm{I}\mathrm{D}}_{\mathrm{s}}\in \mathrm{W}$, then $C$ responds to the request and returns the signature $\mathsf{\sigma }=\left(·,\mathrm{V}\right)=\mathrm{S}\mathrm{i}\mathrm{g}\mathrm{n}(\mathrm{e}\mathrm{v}\mathrm{e}\mathrm{n}\mathrm{t},\mathrm{m},\mathrm{U},{\mathrm{P}\mathrm{I}\mathrm{D}}_{\mathrm{s}})$. ${\mathrm{A}}_1$ receives $\mathsf{\sigma }$ and then performs a hash-query operation to generate the signature ${\mathsf{\sigma }}^{\prime }=\left(·,{\mathrm{V}}^{\prime }\right)=\mathrm{S}\mathrm{i}\mathrm{g}\mathrm{n}(\mathrm{e}\mathrm{v}\mathrm{e}\mathrm{n}\mathrm{t},{\mathrm{m}}^{\prime },{\mathrm{U}}^{\prime })$ assuming ${\mathrm{U}}^{\prime }={\mathrm{W}}^{\prime }\cup \{{\mathrm{P}\mathrm{K}}_{\mathrm{i}}:{\mathrm{P}\mathrm{I}\mathrm{D}}_{\mathrm{i}}\in {\mathrm{W}}^{\prime }\}$. If ${\mathrm{A}}_1$ wants to generate ${\mathsf{\sigma }}^{\prime }$ to defame the real user’s signature, it must obtain ${\mathsf{\lambda }}_{\mathrm{s}}^{\prime }$, but according to the equation ${\mathrm{E}=\mathrm{H}}_2\left(\mathrm{e}\mathrm{v}\mathrm{e}\mathrm{n}\mathrm{t}\right),{\mathrm{h}=\mathrm{H}}_3\left(\mathrm{e}\mathrm{v}\mathrm{e}\mathrm{n}\mathrm{t}\right)$,$\mathrm{V}=\left(\mathrm{h}{\mathsf{\mu }}_{\mathrm{s}}+{\mathsf{\lambda }}_{\mathrm{s}}\right)\mathrm{E},{\mathrm{V}}^{\prime }=(\mathrm{h}{\mathsf{\mu }}_{\mathrm{s}}^{\prime }+{\mathsf{\lambda }}_{\mathrm{s}}^{\prime })\mathrm{E}$, it can be seen that ${\mathrm{A}}_1$ can not compute the value of $\mathrm{h}{\mathsf{\mu }}_{\mathrm{s}}+{\mathsf{\lambda }}_{\mathrm{s}}$ in the DLP condition, so $\mathrm{V}={\mathrm{V}}^{\prime }$ must hold, and according to the linkability of signatures, these two signatures will be judged as linkable, which can be obtained as ${\mathsf{\mu }}_{\mathrm{s}}={\mathsf{\mu }}_{\mathrm{s}}^{\prime },{\mathsf{\lambda }}_{\mathrm{s}}={\mathsf{\lambda }}_{\mathrm{s}}^{\prime }$, which means that if ${\mathrm{A}}_1$ tries to defame then it must obtain ${\mathsf{\lambda }}_{\mathrm{s}}$, but ${\mathrm{A}}_1$ does not have the identity ${\mathrm{P}\mathrm{I}\mathrm{D}}_{\mathrm{s}}\in \mathrm{W}$, so it cannot obtain ${\mathsf{\lambda }}_{\mathrm{s}}$, and therefore, ${\mathrm{A}}_1$ cannot win game 7 by a non-negligible margin.

Theorem 8.

Facing a type II adversary in ROM, this scheme is indefensible.

The proof of the syllogism is deducible on the basis of Theorem 7.

5.2.5. Resist All Types of Attacks

(1) Anti-replay attack: In our scheme, all signed power trading plan information is timestamped, and the value of the timestamp determines whether the message is replayed. Therefore, our scheme is resistant to replay attacks.

(2) Anti-man-in-the-middle attack: In our scheme, the attacker is assumed to be between the EV and the trading center. The goal is to make the EV and the trading center believe that they are communicating directly. However, the attacker must forge EV signatures to make buyers and sellers believe, and according to Theorem 1 and Theorem 2, the attacker cannot forge signatures. Therefore, our scheme can prevent a man-in-the-middle attack.

(3) Tamper-proof attack: If an attacker wants to tamper with any transaction information of EV users, the effectiveness equation can be verified by ${\sum }_{\mathrm{i}=1}^{\mathrm{n}}{\mathrm{c}}_{\mathrm{i}}\left(\mathrm{m}\mathrm{o}\mathrm{d}\mathrm{q}\right)=\mathrm{u}$ to determine whether the transaction has been tampered with. Therefore, our scheme can prevent tampering attacks.

5.3. Performance Analysis

This section will analyze the proposed scheme’s performance regarding the computational overheads of linkable ring signature generation, signature verification, and stealth address generation. Since the heteroskedastic and dot-add operations are used less and time-consuming, we will only consider a few time-consuming operations, such as ${\mathrm{T}}_{\mathrm{b}\mathrm{p}}$ bilinear pairs operation, ${\mathrm{T}}_{\mathrm{e}\mathrm{x}\mathrm{p}}$ exponential operation, ${\mathrm{T}}_{\mathrm{s}\mathrm{m}}$ dot-multiplication operation, and ${\mathrm{T}}_{\mathrm{h}\mathrm{p}}$ hash-to-point operation. The scheme is compared with related representative schemes [21,23,24,26,28,29] to evaluate our scheme’s comprehensive performance.

5.3.1. Computational Overhead of Linkable Ring Signatures

Taking reference [21] as an example, the signature requires $(4n-1)$ point multiplication operations and one hash-to-point operation; that is, the cost of the signature is $\left(4n-1\right){\mathrm{T}}_{\mathrm{s}\mathrm{m}}+1{\mathrm{T}}_{\mathrm{h}\mathrm{p}}$. Signature verification requires $(4n+2)$ point multiplication operations and one hash-to-point operation; that is, the cost of verifying the signature is $\left(4n+2\right){\mathrm{T}}_{\mathrm{s}\mathrm{m}}+1{\mathrm{T}}_{\mathrm{h}\mathrm{p}}$ and the total cost is $\left(8n+1\right){\mathrm{T}}_{\mathrm{s}\mathrm{m}}+2{\mathrm{T}}_{\mathrm{h}\mathrm{p}}$. Based on the same methodology, the signature cost, verification cost, and total cost of the other schemes were analyzed. Then, the running times of the above basic operations were calculated using the Charm-Crypto framework in the same experimental environment (Ubuntu 20.04.4 system, 3.80 GHz CPU, 32 GB RAM). In the experiments, we choose a bilinear pairing $e:G_1\times G_1\to G_2$, where $G_1$ is an additive cyclic group of order $q$, $p$, and $q$, which are of size 160 and 521 bits, respectively. Choose an additive cyclic group $G$ of order $q$, where $P$ is a generator of $G$ and $q$ is a 160-bit prime. $P$ is the base point of Koblitz curve Secp256k1, denoted as ${\mathrm{y}}^2={\mathrm{x}}^3+7$, which is denoted as $E/F_p$, and p is a 256-bit prime number. In order to reduce the experimental error, the time of each operation is taken as the average of 100 actual runtimes, which yields ${\mathrm{T}}_{\mathrm{b}\mathrm{p}}=$ 32.713 ms, ${\mathrm{T}}_{\mathrm{e}\mathrm{x}\mathrm{p}}=$ 2.249 ms, ${\mathrm{T}}_{\mathrm{s}\mathrm{m}}=$ 3.335 ms, and ${\mathrm{T}}_{\mathrm{h}\mathrm{p}}=$ 35.582 ms.

Table 3. Comparison of linkable ring signature costs.

Scheme	Sign Cost	Verify Cost	Total Calculation Cost
Ref. [21]	${(4\mathrm{n}-1)\mathrm{T}}_{\mathrm{s}\mathrm{m}}+1{\mathrm{T}}_{\mathrm{h}\mathrm{p}}$	$\left(4\mathrm{n}+2\right){\mathrm{T}}_{\mathrm{s}\mathrm{m}}+1{\mathrm{T}}_{\mathrm{h}\mathrm{p}}$	$\left(8\mathrm{n}+1\right){\mathrm{T}}_{\mathrm{s}\mathrm{m}}+2{\mathrm{T}}_{\mathrm{h}\mathrm{p}}$
Ref. [23]	$\left(6\mathrm{n}-1\right){\mathrm{T}}_{\mathrm{s}\mathrm{m}}$	${4\mathrm{n}\mathrm{T}}_{\mathrm{s}\mathrm{m}}$	$\left(10\mathrm{n}-1\right){\mathrm{T}}_{\mathrm{s}\mathrm{m}}$
Ref. [24]	$(4\mathrm{n}+4){\mathrm{T}}_{\mathrm{s}\mathrm{m}}$	$4\mathrm{n}{\mathrm{T}}_{\mathrm{s}\mathrm{m}}+3{\mathrm{T}}_{\mathrm{b}\mathrm{p}}$	$(8\mathrm{n}+4){\mathrm{T}}_{\mathrm{s}\mathrm{m}}+3{\mathrm{T}}_{\mathrm{b}\mathrm{p}}$
Ref. [26]	${(4\mathrm{n}+7)\mathrm{T}}_{\mathrm{s}\mathrm{m}}+{\mathrm{T}}_{\mathrm{h}\mathrm{p}}$	${4\mathrm{n}\mathrm{T}}_{\mathrm{s}\mathrm{m}}$	${(8\mathrm{n}+7)\mathrm{T}}_{\mathrm{s}\mathrm{m}}+{\mathrm{T}}_{\mathrm{h}\mathrm{p}}$
This scheme	$\left(3n+2\right){\mathrm{T}}_{\mathrm{s}\mathrm{m}}+1{\mathrm{T}}_{\mathrm{h}\mathrm{p}}$	$\left(3n+3\right){\mathrm{T}}_{\mathrm{s}\mathrm{m}}+1{\mathrm{T}}_{\mathrm{h}\mathrm{p}}$	$\left(6n+5\right){\mathrm{T}}_{\mathrm{s}\mathrm{m}}+2{\mathrm{T}}_{\mathrm{h}\mathrm{p}}$

compares the cost of each signature of this paper’s scheme with the schemes [21,23,24,26]. The total cost comparison with other schemes is given in Figure 4, where $n$ denotes the number of members in the ring signature.

From Table 3, the signature cost of all schemes shows a linear increase with an increase in the ring member, i.e., variable $n$, in the signature. However, this paper’s scheme’s signature only involves dot product and hash-to-dot operation. It does not involve the time-consuming bilinear pair operation, which significantly reduces the signature’s time, cost, and complexity. In order to make the comparison more apparent, we set the initial value of the ring members to 10, and it can be seen from Figure 4 that the increase in the ring members of this paper’s scheme has a higher signature efficiency.

5.3.2. Time Overhead of Stealth Address Generation

In the previous subsection, we analyzed the time cost of linkable ring signatures; in this section, we compare the transaction address generation time cost in different schemes. Similarly, following the comparison methodology in the previous subsection, we have compared the time overhead of the stealth address of this paper scheme with the address generation method in [26,28,29] schemes, where n denotes the number of addresses; the comparison results are shown in

Table 4. Comparison of address generation costs.

Scheme	Address
Ref. [26]	${5\mathrm{n}\mathrm{T}}_{\mathrm{s}\mathrm{m}}+{2\mathrm{n}\mathrm{T}}_{\mathrm{h}\mathrm{p}}$
Ref. [28]	$\left(2{\mathrm{n}}^2+4\mathrm{n}+2\right){\mathrm{T}}_{\mathrm{e}\mathrm{x}\mathrm{p}}+3\mathrm{n}{\mathrm{T}}_{\mathrm{s}\mathrm{m}}$
Ref. [29]	${3\mathrm{n}\mathrm{T}}_{\mathrm{s}\mathrm{m}}+{2\mathrm{n}\mathrm{T}}_{\mathrm{h}\mathrm{p}}$
This scheme	${5\mathrm{n}\mathrm{T}}_{\mathrm{s}\mathrm{m}}+{1\mathrm{n}\mathrm{T}}_{\mathrm{h}\mathrm{p}}$

. The experimental results are shown in Figure 5. As observed in Figure 5, as $n$ becomes more extensive, the address generation method of this paper’s scheme is less time-consuming. It has higher generation efficiency than other schemes, so this paper’s scheme is more suitable for V2V power trading with a large number of EVs involved.

6. Conclusions

In this article, we aim to ensure the unlinkability between the owner and the transaction behavior in the V2V power transaction for charging stations and to achieve the transaction’s unlinkability and untraceability. We design a communication scheme with privacy protection in V2V power transactions based on a linkable ring signature to achieve anonymity for EV users in power transactions. In contrast, our stealth address scheme hides the actual account of EV users to prevent attackers from reasoning attacks on the owners and achieves unlinkability between user transactions. The security properties of the scheme, such as linkability and untraceability, are also demonstrated through security analysis. Experiments show that the offered scheme has low computing cost, effectively reduces the threshold of EV participation in electricity trading, and enables more EV users with limited computing resources to participate in trading easily, making the scheme feasible and practical. At the same time, V2V power trading as a new charging method can ease the charging anxiety of EV owners, reduce the load on the traditional power grid, promote the development of EVs, promote economic transformation, and realize carbon peak and carbon neutrality.

The electric vehicle power trading matching algorithm is not considered in this scheme, and we will perform further research in our future work.