An ECC-Based Authentication Protocol for Dynamic Charging System of Electric Vehicles

: Dynamic wireless charging emerges as a promising technology, effectively alleviating range anxiety for electric vehicles in transit. However, the communication between the system’s various components, conducted over public channels, raises concerns about vulnerability to network attacks and message manipulation. Addressing data security and privacy protection in dynamic charging systems thus becomes a critical challenge. In this article, we present an authentication protocol tailored for dynamic charging systems. This protocol ensures secure and efficient authentication between vehicles and roadside devices without the help of a trusted center. We utilize a physical unclonable function (PUF) to resist physical capture attacks and employ the elliptic curve discrete logarithm problem (ECDLP) to provide forward security protection for session keys. We validated the security of our proposed scheme through comprehensive informal analyses, and formal security analysis using the ROR model and formal analysis tool ProVerif. Furthermore, comparative assessments reveal that our scheme outperforms other relevant protocols in terms of efficiency and security.


Introduction
With increasing urbanization, electric vehicles (EVs) play a crucial role in establishing green transportation by providing emission-free operation.They present a promising solution to address energy and environmental challenges [1].However, the widespread adoption of electric vehicles has underscored the need for a well-developed charging infrastructure, particularly for EV users who are away from home and face time and distance constraints [2].
There are two main charging methods: static charging [3] and dynamic charging [4].Static charging involves parking the electric vehicle at a charging station, turning off the engine, and connecting the charger to the charging port to obtain electric energy.Dynamic charging allows electric vehicles to charge while driving on the road, utilizing electromagnetic energy transfer between the vehicle and the charging pad.The dynamic charging system consists of the following entities: trusted service provider (TSP), roadside units (RSUs), electric vehicles (EVs), and charge pads (CPs).The system architecture is illustrated in Figure 1.The TSP acts as an energy provider and establishes the necessary infrastructure for electric vehicle charging, which includes RSUs and CPs to form a dynamic power station.The TSP is responsible for the registration of RSUs and EVs.RSUs serve as access points to the road charging area and manage a large number of CPs.They utilize TSP's public key to verify the legitimacy of users and allocate CPs to provide energy for EVs.EVs are equipped with on-board units, sensors, and Global Positioning System (GPS) and travel along the road network.EVs can establish communication links with both RSUs and CPs using dedicated short-range communications (DSRCs).CPs are components that facilitate the charging of electric vehicles in [5].Each CP is capable of independently supplying energy to EVs.In comparison to static charging, wireless dynamic charging represents a new paradigm and brings greater convenience.Firstly, the dynamic charging of electric vehicles overcomes the limitation of fixed charging stations and saves time.Secondly, mobile charging of electric vehicles can effectively extend the mileage of electric vehicles.However, dynamic charging systems face security and communication challenges [6].Communication between entities occurs over a public channel, which is susceptible to various security threats, including interception, eavesdropping, and message modification [7].Adversaries can exploit these vulnerabilities to gain unauthorized benefits from energy transactions within the dynamic charging system through impersonation, replay attacks, and man-in-the-middle attacks.Therefore, secure authentication protocols are necessary to mitigate these threats.

Motivation
Our motivation arises from dual concerns within existing authentication protocols [8][9][10][11][12][13][14] for dynamic charging: computational efficiency and security vulnerabilities.The scheme [8,9] has a high computational overhead, while the schemes [10][11][12][13][14] reduce computational overhead but are vulnerable to common attacks.To address this, we propose a secure and efficient identity authentication scheme for electric vehicle dynamic charging scenarios.The main contributions of this paper are summarized as follows: • We have designed an efficient authentication protocol based on elliptic curve cryptography (ECC) for the dynamic charging system of electric vehicles that can mitigate RSU capture attacks and provide perfect forward secrecy.Also, this protocol enables the authentication process between vehicles and roadside units (RSUs) without the need for a third-party service provider (TSP).

•
During the inter-RSU handover authentication process for vehicles, we have adopted a novel approach that eliminates the use of shared secret keys, ensuring the independence of RSUs.

•
The proposed protocol is demonstrated to be resilient against various attacks through informal proofs.Furthermore, the protocol's semantic security is formally established in the random oracle model.
• Performance analysis and security analysis demonstrate the practicality and efficiency of the proposed protocol.

Paper Organization
This paper is organized as follows: Section 2 summarizes related work in this research area.Section 3 describes the background, including the necessary preliminaries, system model, and threat model.Section 4 explains the proposed scheme and its main components.Section 5 provides an informal security analysis of the scheme.Section 6 gives a formal security proof in the Random or Real (ROR) model.Section 7 compares the performance of the proposed scheme with other relevant schemes.Finally, Section 8 concludes the paper.

Related Work
For dynamic wireless charging systems of electric vehicles, various key agreement protocols have been proposed to ensure secure and authenticated communication between the electric vehicle and the charging system.Roman et al. [8] designed an authentication scheme for a cloud-based wireless charging system for electric vehicles.In their scheme, vehicle users need to purchase tickets from an electric power service provider to enjoy charging services.However, their scheme requires heavy computation based on bilinear pairings and blind signatures, which can result in a large communication overhead.Rabieh et al. [9] proposed a privacy-preserving authentication scheme that achieves mutual authentication between electric vehicles (EVs) and charging plates without the involvement of a trusted third party.Their scheme also protects users' identities.However, the scheme faces challenges in resisting man-in-the-middle attacks and EV impersonation attacks, and the computational overhead is relatively high.
To improve performance, some lightweight solutions have been proposed, but some security issues still exist.For example, Pazos-Revilla et al. [10] proposed a blind signaturebased physical layer assistance scheme for dynamic charging systems to ensure their safety.The key idea is that when an EV authenticates itself to a TSP, the TSP sends a secret seed to the EV to efficiently calculate the shared group key with an RSU.However, the RSU, being exposed in public places, is easy for adversaries to capture, which could lead to the leakage of the shared group key.Li et al. [11] proposed a fast authentication scheme (FADEC) based on elliptic curve cryptography (ECC) to meet the communication requirements during dynamic inductive charging.However, their scheme was found to be vulnerable to replay attacks and privacy issues.Babu et al. [12] proposed a lightweight authentication scheme based on ECC, where vehicles authenticate with roadside units (RSUs) with the help of edge nodes.However, their scheme is vulnerable to replay attacks and does not satisfy non-linkability.Babu et al. [13] presented a lightweight authentication scheme that incorporates vehicle handover authentication.In this process, the vehicle initiates a handover request with a previously certified roadside unit to communicate with other RSUs under its assistance.Nevertheless, their scheme lacks perfect forward secrecy and is susceptible to replay attacks.Furthermore, Babu et al. [14] proposed another lightweight authentication scheme based on physical unclonable functions.In this scheme, RSUs acquire the physical unclonable function (PUF) response values uploaded by vehicles from a trusted center to enable mutual authentication between vehicles and RSUs.However, their scheme exhibits vulnerabilities to replay attacks and lacks non-linkability and perfect forward secrecy.
In recent years, blockchain technology has been widely applied in dynamic wireless charging systems.Alshaeri et al. [15] proposed a dynamic electric vehicle charging energy trading scheme based on blockchain technology.In their scheme, vehicles purchase tickets from energy providers through smart contracts, and these tickets are encrypted using a shared secret value of the energy provider and RSUs.Abouyoussef et al. [16] proposed a blockchain-based network strategy to support privacy protection for executing dynamic charging.Tajmohammadi et al. [17] proposed a secure and lightweight dynamic wire-less charging payment protocol.The protocol employs symmetric encryption and XOR operations to safeguard the privacy of the communication.

Elliptic Curve Cryptography
Elliptic curve cryptography [18] is a public key encryption technology based on elliptic curves over a finite field.Let F p denote a finite field with a large prime order p. E denote an elliptic curve: y 2 = x 3 + ax + b mod p, where x, y, a, b ∈ F p .G is a cyclic subgroup over F p and P is the generator point.

Fuzzy Extractor
A fuzzy extractor [19] can extract the same outputs from the inputs with a certain amount of noise, and it is used to extract and recover the user's biological key.This process can be described by a pair of functions, denoted as EXT = (Gen, Rep).

Physical Unclonable Function
A physical unclonable function (PUF) [20] is a hardware security primitive that leverages the unique physical characteristics of a chip to generate an unpredictable response.It possesses reproducibility, uniqueness, and unpredictability properties.By exploiting manufacturing variances, a unique mapping function between the challenge signal and response is established, which can be formalized as Res = PUF(Cha), where Cha represents the challenge and Res represents the response.
In this paper, a PUF is employed within the RSU to safeguard stored confidential information, preventing the adversary from obtaining any information from the RSU.

Threat Model
In the model we proposed, the TSP is assumed to be a completely trusted and honest entity.The RSU is assumed to be an honest but curious entity.Specifically, the RSU will honestly execute protocol processes and steps; however, it cannot be excluded that the RSU may attempt to obtain more private information from the running process.The EV is assumed to be an entity that could potentially engage in malicious behaviors.They are at risk of illegal operations caused by hacking attacks.A is defined as the adversary in our scheme.A has the following capabilities: • A can overhear, intercept, and synthesize any publicly transmitted messages.This is in line with the Dolev-Yao threat model [21].

•
A can either be a registered user or an insider attacker with privileged access, capable of obtaining additional information beyond publicly available messages.

•
A can launch side-channel attacks to obtain information stored in the smart card and RSU.

Security Goals
In this section, we will focus on introducing the security design goals of the proposed protocol.Specifically, the security objectives of this protocol include the following: Confidentiality: Sensitive information involved in the charging process cannot be intercepted by unauthorized entities during communication, ensuring that only authorized entities can access the data generated during the charging process.
Message integrity: Due to the TSP not being involved in direct communication between EVs and RSUs, EVs and RSUs need to have the capability to mutually verify if messages have been tampered with to ensure the integrity of message transmission.
Anonymity and unlinkability: The personal information of EVs is effectively protected with anonymity during the charging process.Charging behavior and related data cannot be traced or linked back to specific user identities.
Mutual authentication: Mutual authentication is performed between EVs and RSUs to ensure that the EVs are legitimate and trustworthy and that they can verify the identity of the RSUs, establishing a two-way trust relationship.

The Proposed Scheme
The proposed scheme consists of six phases, namely system initialization, vehicle registration, RSU registration, login and authentication, charging authentication, and handover authentication.The notations of our protocol are shown in Table 1.Pseudo-identity of vehicle T * Timestamp h(.) One-way hash function Gen(.) The generating function of fuzzy extractor Rep(.) The reproduction function of fuzzy extractor PUF()

Physical unclonable function Bio i
The biological information of EV i σ i , τ i Biological key and auxiliary parameter Cha j , Res j The challenge and response of the PUF in RSU j SC i The smart scard of EVU i ⊕ Exclusive OR operation ∥ Concatenation operator

Initialization Phase
In this phase, TSP initializes the system environment to generate system parameters.TSP selects a large prime number q, a non-singular elliptic curve E(a, b) on a finite field F q and a point P ∈ E(a, b) as the base point.Then, TSP selects a long-term private key s ∈ Z * q , and computes PK TSP = s • P. Here, based on the elliptic curve discrete logarithm problem (ECDL), s is secure.Next, TSP chooses SHA-256 as the hash function h : {0, 1} * → {0, 1} 256 , and the generation function Gen(.) and recovery function Rep(.) for the fuzzy extractor.Finally, TSP distributes {Gen(.),Rep(.), h(.), P, PK TSP } to each entity.

Vehicle Registration Phase
In this phase, the electric vehicle user EVU i registers with TSP to obtain its private key.The registration process is conducted over a secure channel between EVU i and TSP, as shown in Table 2.

EVU i TSP
Verify the uniqueness of ID i Generate random numbers r i , Step VR1: EVU i selects an identity ID i and sends the identity ID i to the trusted service provider (TSP).
Step VR2: Upon receiving ID i , the TSP first queries the database to verify the uniqueness of ID i .If it is not unique, TSP rejects the vehicle registration.Else, it selects the random numbers r i and x i .Then, the TSP calculates Step VR3: Upon receiving the message, EVU i first inserts the smart card, inputs PW i and Bio i , and calculates (σ i , τ i ) = Gen(Bio i ).Next, the values

RSU Register Phase
In this phase, the RSU generates its own public and private keys and initiates a registration request to TSP.Each RSU has an independent public/private key pair, instead of using a shared key as in traditional schemes.The registration process is conducted over a secure channel between RSU j and TSP, as shown in Table 3.
Step RR1: RSU j selects a random number c j ∈ Z * q and computes Pk RSU j = c j • P.
Step RR2: RSU j sends Pk RSU j to the trusted service provider (TSP) via a secure channel.Upon receiving Pk RSU j , the TSP verifies the uniqueness of the identity, stores Pk RSU j in its memory and sends {ACK} to RSU j .
Step RR3: Upon receiving the message, RSU j generates a challenge value Cha j and uses the physical unclonable function (PUF) to calculate the response value Res j .RSU j selects the group key G pad , delivers G pad to the charging pads (CPs), and then computes W j = c j ⊕ h(Pk RSU j ∥Res j ) and Y j = G pad ⊕ h(Pk RSU j ∥c j ).Finally, RSU j stores {Cha j , W j , Y j } in its memory.

Login and Authentication Phase
In the login and authentication phase, EVU i needs to mutually authenticate its identity with the accessed RSU before requesting charging.The authentication process is described in Table 4.

RSU j TSP
Select a random number c j Pk RSU j = c j • P Verify the uniqueness of Pk RSU j Store Pk RSU j in its memory Generate a challenge cha j Res j = PUF(Cha j ) If not, abort the request.Else, Generate a random number n j and the timestamp Step LA1: EVU i initiates the login process by inserting the smart card (SC i ) and entering the identity ID i , password PW i , and biological information Bio i .SC i computes EVU i selects a random number m i ∈ Z * q and timestamp T 1 .Next, EVU i computes , and e i = d i + h(PID i ∥P i ∥T 1 ) * m i .Finally, EVU i sends the message Mes 1 = {M 1 , M 2 , e i , P i , T 1 } to RSU j via a public channel.
Step LA2: When RSU j receives EVU i 's request, it first checks the freshness of T 1 .If it is valid, RSU j computes Res j = PUF(Cha j ), c j = W j ⊕ h(RID j ∥Res j ), If the condition is not satisfied, RSU j aborts the request.Otherwise, RSU j continues the request.
RSU j selects a random number n j ∈ Z * q and generates the timestamp T 2 .Then, RSU j computes where SK is session key.Finally, RSU j sends the message Mes 2 = {M 3 , Q j , T 2 } to EVU i via a public channel.
Step LA5: After receiving Mes 2 , EVU i checks the validity of If the verification is successful, RSU j is authenticated by EVU i .Otherwise, the session is terminated.
EVU i and RSU j generate a session key SK to encrypt subsequent communications.With the secure channel established via SK, EVU i is then able to send a charging request to RSU j securely.

Charging Authentication Phase
After EVU i completes mutual authentication with the RSU, it needs the help of the RSU j to realize the charging functionality with the CPs.As shown in Table 5, RSU j issues a charging credential tag i to EVU i and CPs.Table 6 shows the process of EVU i initiating a charging request to CP.
Step CA1: EVU i selects a random number v i , calculates CH req = E SK (v i , PID i ) and initiates a charging request MES 3 = {CH req } to RSU j .
Step CA2: RSU j selects a random number v j and generates the timestamp T 3 , and expiration time Time end , where Time end is the valid time period of the credential.Next, RSU j calculates Finally, RSU j sends MES 4 = {M 4 , M 5 , T 3 } and MES 5 = {M 6 }, respectively, to EVU i and CPs through a public channel.
Step CA5: The CP receives the message sent by RSU j and EVU i , decrypts Tag i , calculates M * 7 = h(Tag i ∥T 4 ), and after verifying the consistency between M * 7 and M 7 , allows the user to charge.
From the response of RSU j , EVU i obtains a token Tag i , which represents its charging authorization.With Tag i , all CPs deployed within the coverage area of RSU j can recognize EVU i as an authorized electric vehicle user, and EVU i can seamlessly obtain charging services.
Select a random number v j , Generate timestamp T 3 and Time end 4.6.Handover Authentication EVU i is transferred from one RSU j to another RSU k during dynamic charging and running for handover authentication.The process of handover authentication is presented in Table 7.
Step HA1: EVU i first generates a random number k i .Then, EVU i calculates N i = k i • P, H A req = E SK (PID i ), and M 8 = h(N i ∥PK RSU j ∥PID i ∥T 3 ∥T 5 ), and sends a message MES 7 = {HA req , N i , M 8 , PK RSU j , T 3 , T 5 } to RSU k .
Step HA2: After RSU k receives the message, it first verifies the timestamp and calculates Check the freshness of T 3 and

Replay Attack
In our protocol, timestamps are used to ensure the freshness of communication messages.In each session, the freshness of the timestamps is verified when receiving publicly transmitted messages.Any replayed messages cannot pass this freshness verification.Therefore, the proposed scheme is resistant to replay attacks.

Smart Card Lost Attack
Assuming the smart card is obtained by the adversary A after being lost, A attempts to retrieve data SC i = {A i , B i , C i , D i , τ i , Rep(.)} from the smart card using a power analysis attack, where , and σ i is the biometric key.However, due to the absence of σ i , A cannot obtain any valid parameters.Therefore, the proposed protocol is not vulnerable to smart card lost attacks.

RSU Captured Attack
The adversary A attempts power analysis attacks to extract the stored parameters {cha j , W j , Y j } from RSU j .Here, W j = c j ⊕ h(RID j ∥res j ) and Y j = G pad ⊕ h(RID j ∥c j ), while cha j represents the challenge of the PUF.As PUF(cha j ) produces variable outputs, the secret parameters c j and G pad remain inaccessible to A. In this manner, our scheme effectively withstands RSU physical capture attacks.

User Impersonation Attack
Assuming an adversary A attempts to impersonate a vehicle and sends an authentication request to the RSU, A would need to know the vehicle's private key d i and pseudoidentity PID i to forge the message Mes 1 = {M 1 , M 2 , e i , P i , T 1 }.However, as demonstrated in Section 5.2, A cannot obtain this sensitive information from the smart card.Hence, our protocol is resilient against user impersonation attacks.

RSU Impersonation Attack
Assuming A tries to impersonate the RSU to authenticate a vehicle, they would need to know the RSU's private key c j to forge the message Mes 2 = {M 3 , Q i , T 2 }.Nevertheless, as explained in Section 5.3, A cannot access any useful information from the RSU.Consequently, our protocol can withstand RSU impersonation attacks.

Perfect Forward Secrecy
In our protocol, EVU i and RSU j share a common session key SK = h(m i • n j • P∥RID j ∥PID i ).Even if the adversary A can obtain the private keys d i and c j , A still cannot calculate the session key because A needs to solve the elliptic curve computational Diffie-Hellman problem to obtain m i • n j • P from m i • P and n j • P. Thus, the security of previous and future session keys remains safe.

No Online Trust Authority
In the proposed scheme, the trusted service provider (TSP) is responsible for system initialization and generating secrets for entities during the registration phase.However, once this setup is completed, the TSP does not actively engage in the authentication process between electric vehicle users (EVUs) or roadside units (RSUs) and charging points (CPs).As a result, the TSP does not need to maintain an online presence during the authentication procedures.

Anonymity and Non-Linkability
In the proposed scheme, the vehicle's pseudo-identity is represented as PID i = h(ID i ∥r i ).
The non-reversibility of hash functions makes it challenging to link the pseudo-identity PID i to the actual identity of the EVU i .Moreover, PID i remains concealed throughout the authentication process, and adversaries cannot extract it from either the public channel or the smart card.Consequently, the scheme ensures non-linkability, preventing adversaries from associating specific users with different sessions.

Formal Proof
In this section, we establish the semantic security of the proposed protocol under the ROR model [22].The random oracle model is very suitable for analyzing the security of key exchange protocols.In this model, we design a simulator that interacts with the assumed adversary in a series of game-based interactions.The simulator fairly generates and sends information such as parameters and data to the adversary according to the protocol specification.The adversary chooses whether to attack based on the received information, such as decryption or forgery.If the adversary cannot win over the simulator with a significant probability in a sufficient number of rounds of games, then under this game framework, we can consider the protocol to be secure.
The participants consist of EVs and RSUs.For example, let I Vi and I RSUj represent instances of EVU i and RSU j , respectively.Adversary A can launch various queries in an attempt to compromise the security of authentication and session keys.The details of these queries are listed in Table 8.
In semantic security, A is allowed to make a single query to the function Test(I Vi , I RSUj , r) and multiple other queries to verify the correctness of the return value from Test(I Vi , I RSUj , r).The advantage of A in guessing the value of r is defined as where Adv A represents the advantage and η is a sufficiently small value.

Queries Description
Execute(I Vi , I RSUj ) Adversary A can intercept all publicly transmitted information.

CorruptU(I Vi )
A performed a side-channel attack on the smart card and obtained the stored information {A i , B i , C i , D i , τ i , Rep(.)}.

CorruptRSU(I RSUj )
A performed a side-channel attack on the RSU and obtained the stored information {RID j , cha j , W j , Y j }.
Send(I Vi , I RSUj , m) A forges message m and sends it to I Vi and I RSUj .Upon receiving m, if m is valid, I Vi and I RSUj reply to A.
Reveal(I Vi , I RSUj ) The session keys between I Vi and I RSUj can be queried by A.
A selects a session for a challenge.If u = 1, A can obtain the real session key.On the other hand, if u = 0, A will receive a randomly generated string of the same length as the real session key.
Theorem 1 aims to prove that the proposed scheme attains semantic security in the random oracle model, meaning that Adv A cannot obtain any useful information from the interactive process.

Theorem 1. Let Adv represent the advantage of adversaries obtaining session keys in polynomial time: Adv
. q Ha , q Se , and q Ex represent the number of hash, send, and execute queries performed by A. l Ha and l bio are the lengths of the hash and biological keys, respectively.l 1 and l 2 are the sizes of the uniformly distributed identity and password dictionaries, and |l 1 | and |l 2 | represent the size of the range space of each dictionary.The advantages of breaking the PUF and ECDLP by A are denoted as Adv PUF A and Adv ECDLP A , respectively.Proof.To verify the semantic security of the proposed protocol, the five games Game i (0 ≤ i ≤ 4) can be performed by A. Suc i (0 ≤ i ≤ 4) means A can distinguish the session key and a random number u in the Game i .
Game 0 : In this game, A simulates the real attack to the proposed protocol.If A directly guess the bit u, we obtain Game 1 : In this game, A simulates an eavesdropping attack using the Execute query, allowing A to intercept all publicly transmitted messages.Then, A verifies the output of the session key or the random number u using the Reveal and Test queries.The session key SK = h(m i • n j • P∥RID j ∥PID j ) is protected using a hash function.Thus, we obtain Game 2 : In this game, A simulates a collision attack on the hash results.To achieve this, A needs to find a hash collision within polynomial time.As defined by the birthday paradox [23], we obtain Game 3 : In this game, A executes Corrupt and CorruptRSU queries to obtain the stored information {A i , B i , C i , D i , τ i , Rep(.)} in the smart card and {RID j , cha j , W j , Y j } in the RSU.However, it is important to note that A cannot directly obtain valuable parameters as all the values are masked with secret values ID i , PW i , Bio i , and res j .To succeed in this game, A must either accurately guess ID i , PW i , and Bio i , or break the physical unclonable function.The password dictionary is denoted as l 1 , the identity dictionary as l 2 , and the length of biological keys as l bio .We will assume the probability of A breaking the PUF as Adv A PUF .Therefore, we obtain Game 4 : A is capable of obtaining P i = m i • P and Q j = n j • P, which are utilized for session key agreement.By obtaining P i and Q j , A has access to pairs of points on the elliptic curve.To successfully win this game, A must be able to solve the elliptic curve discrete logarithm problem (ECDLP) [24].However, without knowledge of the respective scalars m i and n j , solving the ECDLP and determining the values of m i and n j becomes a challenging task.Therefore, the successful completion of the game requires A to possess the ability to solve the ECDLP, which is considered a computationally infeasible problem.We obtain All the games have been executed by the adversary.To win the game, A needs to guess the correct bit u.Therefore, we have Combining the above formulas, we have ≤ Hence, Adv A ≤

. Automatic Formal Verification by ProVerif
Before deploying security protocols in real networks, it is crucial to thoroughly assess the depth and comprehensiveness of their ability to provide robust security.To achieve this goal, we conducted extensive simulation tests on the proposed protocol using the ProVerif simulator.ProVerif is a commonly used formal analysis tool for validating security protocols.It evaluates the robustness of a protocol under different attack scenarios by establishing a model of the protocol and automatically analyzing its security properties.Our simulation tests included simulating various types of attacks, such as man-in-themiddle attacks and replay attacks.
We define channel, basic types, and functions in Figure 2. The proposed scheme involves five events, namely, VLoginPhase(), VAuthentication(), VSessionKey(), RSession(), and RAuthentication().VLoginPhase() indicates the login phase of the vehicle user, VAuthentication() indicates that the vehicle user sends an authentication request, RAuthentication() indicates that the RSU passes the authentication of the vehicle user, RSession() indicates that the RSU agrees on the session key, and VSessionKey() indicates that the vehicle user argees the session key.The above events and queries are shown in Figure 3.
The operations of the vehicle user and RSU are shown in Figures 4 and 5, respectively.The main process is presented in Figure 6.As shown in Figure 7, the results of the ProVerif simulation provide strong evidence of the security of our scheme.Specifically, the simulation shows that the session key, the secret parameter of the RSU, and the password of the user are all secure against attacks.At the same time, the process of mutual authentication is performed in sequence.

Performance Comparison
We compare our proposed protocol against existing protocols [8,10,14] based on computational efficiency, communication overhead, and security level.
First, we analyze the security of related schemes.In Roman et al.'s scheme [8], the EV purchases tickets from the TSP and then sends a charging request to Fog Server after being certified.The EV and Fog Server establish a session key with random numbers and use the session key to deliver a valid ticket.Fog Server verifies the validity of ticket and helps the EV connect to an RSU.However, in this way, the EV cannot seamlessly charge from the RSU.Additionally, their scheme fails to achieve mutual authentication and provide perfect forward security.In Pazos-Revilla et al.'s scheme [10], the EV sends a charging request to a TSP, and the session key k is composed of public parameters g x and g y .After the TSP's verification, it encrypts a secret parameter token with k and sends it to the EV.However, their scheme uses a Diffie-Hellman key exchange to generate the session key, which is vulnerable to man-in-the-middle attacks.In Babu et al.'s scheme [14], the EV stores PUF's challenge-response pairs in a TSP during the registration phase.Authentication of the EV's identity by an RSU requires help from the TSP.The session key between the EV and RSU is randomly generated without ensuring perfect forward security.
Additionally, the above schemes do not consider a situation where the RSU is captured.Since RSUs are deployed in public areas without any protection mechanisms, they are easy to capture by adversaries.Table 9 compares the security features of the proposed protocol with existing protocols [8,10,14].Our scheme provides more functional and security properties than all other related protocols.

Scheme [8] [10] [14] Ours
Attacks/Properties When an EV roams within or between multiple charging stations, the seamless switching of authentication facilities can be enabled through the exchange of short handover messages.Therefore, achieving continuous authentication requires not only efficient computation but also full consideration of the performance impacts brought by communication overhead.In order to calculate the computational costs of the proposed protocol and compare them with existing related proposals, we adopted the time costs of the scheme proposed by Babu et al. [14] as a measure of the execution time required for different cryptographic operations.The experiments were conducted in a Raspberry Pi environment equipped with a quad-core ARM Cortex-A53 processor and 1GB RAM.The computational costs for the various operations are presented in Table 10.As shown in Table 11, the proposed scheme reduces the computational costs compared to related schemes [8] and [10].However, compared to [14], our scheme incurs higher computational costs.This is because our scheme satisfies more security attributes.Therefore, our scheme keeps the computational overhead relatively low among related schemes.To perform an efficiency analysis of the communication overhead of our proposed protocol, we define the specific size of memory overhead for different operands as follows: • 256 bits for hash functions; • 320 bits for elliptic curve points; • 128 bits for AES encryption; • 128 bits for identities; • 128 bits for random numbers; • 32 bits for timestamps.
With the given parameters and message size assumptions, we conducted a comparative analysis of the communication costs of our proposed protocol in comparison to existing protocols in Figure 8.The existing related protocols of Roman et al. [8], Pazos-Revilla et al. [10], and Babu et al. [14] require 4320 bits, 3968 bits, and 3392 bits, respectively.In our scheme, the communication overhead required in the initial authentication is 1728 bits.The communication overhead required in the charging authentication is 1216 bits.The communication overhead required in the handover authentication process is 1376 bits.Hence, the total communication of our scheme is 4320 bits.This is similar to [8].Our scheme incurs higher communication overhead than schemes [10,14].However, as shown in Table 9, Refs.[10,14] cannot satisfy more security attributes.Therefore, the communication cost of our scheme is feasible.
Therefore, our scheme is not only more secure with lower computational overhead compared to related schemes but it is also more suitable for the needs of wireless charging systems.However, in terms of communication overhead, our scheme does not provide significant improvement.In future work, we intend to adopt batch authentication strategies to further reduce time overhead.

Conclusions
In this paper, we present an elliptic curve cryptography (ECC)-based authentication scheme tailored for dynamic charging systems, enabling mutual authentication between vehicles and roadside units (RSUs) without the need for a trusted third party.As a vehicle transitions to the next RSU, Diffie-Hellman exchanges are leveraged to facilitate seamless handover authentication.To evaluate the security of our protocol, we used the formal tool ProVerif, and employed the ROR model to ensure its semantic security.
Our proposed protocol exhibits robustness against a range of attacks.The incorporation of pseudo identities safeguards user real identities, while the inclusion of physical unclonable functions and biometrics fortifies the defense against RSU physical capture attacks and smart card loss attacks, respectively.Furthermore, comprehensive performance and security analyses show that the proposed protocol is practical.

Definition 1 .
(Elliptic Curve Discrete Logarithm Problem): Given a base point P and a point Q = x • P, it is computationally difficult to determine the integer x from Q. Definition 2. (Elliptic Curve Computational Diffie-Hellman): Give a base point P and two pointa
j , c j Public and private key pair of RSU j PK TSP , s Public and private key pair of TSP PID i

Table 4 .
Login and authentication.
HA req ), and M * 8 = h(N i ∥PK RSU j ∥PID i ∥T 3 ∥T 5 ), and checksM * RSU k computes SK * = h(c k • N i ∥PID i ∥PK RSU k ) and M 9 = h(SK * ∥PK RSU k ∥PID i ∥T 6 ).Finally, RSU k sends a message MES 8 = {M 9 , T 6 } to EVU i .Step HA3: After EVU i receives the message, it verifies the timestamp and computesSK * = h(k i • PK RSU k ∥PID i ∥PK RSU k ) and M * 9 = h(SK * ∥PK RSU k ∥PID i ∥T 6 ), and checks M * moves from the area of RSU j to the area of RSU k , it needs to complete a handover authentication.After successful handover authentication, a new session key SK * is generated between EVU i and RSU k .With SK * , EVU i sends a charging request to RSU k and obtains a new charging credential.

Table 8 .
Queries performed in ROR model.

Table 9 .
Comparison of security and properties.