LLAKEP: A Low-Latency Authentication and Key Exchange Protocol for Energy Internet of Things in the Metaverse Era

: The authenticated key exchange (AKE) protocol can ensure secure communication between a client and a server in the electricity transaction of the Energy Internet of things (EIoT). Park proposed a two-factor authentication protocol 2PAKEP, whose computational burden of authentication is evenly shared by both sides. However, the computing capability of the client device is weaker than that of the server. Therefore, based on 2PAKEP, we propose an authentication protocol that transfers computational tasks from the client to the server. The client has fewer computing tasks in this protocol than the server, and the overall latency will be greatly reduced. Furthermore, the security of the proposed protocol is analyzed by using the ROR model and GNY logic. We verify the low-latency advantage of the proposed protocol through various comparative experiments and use it for EIoT electricity transaction systems in a Metaverse scenario.


Introduction
Authentication schemes in the traditional Energy Internet of Things (EIoT) are generally implemented with the help of Public Key Infrastructure (PKI). To simplify the management of public-key certificates, Shamir [1] introduced the identity-based cryptography scheme (IBC). This scheme directly uses the identity to generate the public key, without certificates or public key directories.
Thus, researchers have proposed two-factor authentication (2FA) [6,7], which combines representative data (ID/password) with personal possession factors (i.e., smart cards or mobile phones) to provide stronger security protection.
When ID-based 2FA authentication scheme is applied in EIoT, latency becomes an issue that has not been well studied [8,9]. Especially when electricity transactions based on EIoT are realized in Metaverse in the near future, high latency will affect the validity of data information (i.e., payment information data) [10]. Therefore, compared with the traditional payment systems, the EIoT payment systems in the Metaverse should meet higher requirements regarding the latency [11].
At present, the Metaverse devices are typically virtual helmets and smart glasses. A two-factor authentication protocol using smart cards (security chips that are embeded in these devices) can enhance the security of the protocol. In related work, we found that 2PAKEP is more secure than previous protocols [12][13][14][15][16]. In order to satisfy the requirement of low latency in EIoT (or future EIoT in Metaverse), we propose a low-latency ID-based two-factor authentication protocol LLAKEP. Our main contributions are summarized below.
• A low-latency ID-based two-factor authentication protocol LLAKEP has been proposed. In the case of unbalanced computing capability between the two parties of the protocol, LLAKEP reduces the computational burden on one side. Compared with 2PAKEP [17], experimental results show that LLAKEP requires less computation time and less running time; • The security of LLAKEP is analyzed by using the ROR (Real-or-Random) model and GNY (Gong-Needham-Yahalom) logic. Analysis results show that LLAKEP achieves the security goals of an AKE protocol; • A use case has been implemented. We applied LLAKEP to EIoT electricity transaction systems in a Metaverse scenario. Results show that LLAKEP will effectively reduce latency.
The rest of this paper is organized as follows. Section 2 reviews the related work. Section 3 introduces the soultion methodology. Section 4 introduces the preliminaries. Section 5 proposes the LLAKEP. In Section 6, the security of the LLAKEP is analyzed. The experiment results of LLAKEP are shown in Section 7. Finally, a conclusion is summarized in Section 8.

Related Work
Das [12] designed an ID-based authentication protocol (the D protocol) using bilinear pairings. However, the D protocol is subject to forgery attacks [18]. Many improved protocols have been proposed based on D protocol [13][14][15][16][17]. Table 1 lists the characteristics, limitations, and disadvantages of different protocols. Table 1. Comparison of the characteristics, limitations, and disadvantages of different protocols.

Protocol Characteristics Limitations and Disadvantages
D protocol [12] Based on pairing and smart card Not resistant to forgery attacks YC protocol [13] Based on identity Prone to simulated attacks Cannot provide perfect forward security YY protocol [14] An improved ID-based mobile device key authentication scheme based on elliptic curves Cannot provide perfect forward security HDB protocol [15] A key agreement remote mutual authentication protocol based on identity Unable to resist impersonation attacks and unknown key sharing attacks QC protocol [16] Based on elliptic curves in mobile environments Not resistant to impersonated user attacks, password changes, insider attacks, and offline password guessing attacks 2PAKEP [17] Two-factor authentication, based on identity Not efficient LLAKEP A low-latency ID-based two-factor authentication protocol \ Because of the inefficiency of bilinear pairing cryptography, researchers have proposed many ID-based authentication protocols using scalar multiplication. Yang and Chang [13] proposed an authentication protocol based on ID (the YC protocol) in 2009. However, Yoon and Yoo [14] found that the YC protocol [13] is prone to simulated attacks. In addition, the YC protocol cannot provide perfect forward security. Therefore, an improved ID-based protocol (the YY protocol) is proposed by Yoon and Yoo. The YY protocol can eliminate the defects of the YC protocol [13]. However, the YY protocol cannot provide perfect forward security. In 2012, He [15] proposed a protocol (the HDB protocol). The HDB protocol can guarantee perfect forward security. However, in 2013, Chou [19] showed that the HDB protocol [15] has defects concerning the private key verification process, and legitimate users cannot confirm whether the private key of the other party is correct. Thus, two improved security protocols (the C1 protocol, and the C2 protocol) were proposed. In 2015, Yang [20] proved that the HDB protocol [15] cannot resist simulation attacks and unknown key sharing attacks, and then Yang proposed an improved ID-based authentication key exchange protocol (the Y protocol).
However, there are some defects in the above-mentioned ID-based authenticated protocols. Their protocols have issues concerning clock synchronization and user anonymity [16]. To solve the issues, Qi and Chen [16] proposed an ID-based two-factor mutual authentication protocol with smart cards (the QC protocol). Qi and Chen claim the QC protocol is resistant to many attacks. However, in 2018, Park [17] proved that the QC protocol is not resistant to simulated user attacks, password change attacks, insider attacks, and offline password guessing attacks. Thus, Park [17] proposed an improved protocol 2PAKEP and proved that it could solve these security issues. LLAKEP uses an improved algorithm to reduce the latency of 2PAKEP. In addition, LLAKEP uses a security chip.
At present, smart cards are widely used in medical, educational, and other scenarios [21][22][23]. Using smart cards as an authentication factor can improve the security of system authentication. The most widely used smart cards in payment systems are mainly microprocessor chips. In addition, the Trustzone [24,25] is included in the microprocessor chip, which provides security features for smart wearable devices [26].

Research Methods
We research the low latency algorithms based on 2PAKEP. Meanwhile, we use security analysis and performance analysis to verify the advantages of LLAKEP.

Security Analysis Methods
First, we prove the security of LLAKEP in the ROR model. Second, we use GNY logic to prove the security of LLAKEP. Finally, we verify the security of the protocol using Prolog.

Performance Analysis Methods
We use a Raspberry Pi and a laptop to simulate two communication parties. The protocol is implemented in Python. The running time and computation time of LLAKEP and other protocols are compared by experiments.

Preliminaries
The system model, ROR model, and computational assumptions are introduced in this section.

System Model
In the EIoT, LLAKEP can be used to secure the key agreement for the communication of electricity transactions. A specific example is shown in Figure 1, where the electric bike rider is ready to swap his battery, and their device (smart glasses) and the battery swap station will establish a secure link through LLAKEP. The communication of transaction information, such as battery types and payment information, can then be encrypted through the session key. One thing to note is that the smart glasses in the example are the user's Metaverse interface, which implies that a "gap" in computing capabilities exists between the two ends of these common communication devices. More specifically, the smart glasses with a microprocessor have weaker computing capabilities than the battery swap station.
Before the electric bike rider uses the smart glasses to enter the Metaverse for electricity transactions, some user information needs to be stored in the memory of the smart glasses in the initial stage. Assuming that the electric bike rider has obtained a registered microprocessor chip, and has a password, and the microprocessor chip is equipped in the user's smart glass, then, as an initiator, the smart glasses authenticate with an energy device.

ROR Model
Abdalla, Fouque, and Pointcheval initially proposed the ROR model for passwordbased key exchange [27]. One of its significant features is that the attacker no longer has a Reveal query compared with the BPR model [28], but instead performs a simulation of a compromise caused by the misuse of a session key via the uniform Test query. This Test query can be called multiple times. Furthermore, the ROR model has been proved to be stronger than the BPR security model [27].
We introduce the primary components associated with the ROR model below. Participants and instances. Let oracles Π t EBR and Π s BSS be the instances t and s of participants EBR and BSS running protocol Π, respectively.
Instance state. Π t EBR will be in the accepted state if it has received the final message according the protocol Π. The session identification sid of Π t EBR is the cocatenation of exchanged messages in the session.
Partnering. We say that Π t EBR and Π s BSS are the partners if the following two conditions are satisfied: (1) both Π t EBR and Π s BSS are in the accepted state, (2) Π t EBR and Π s BSS have the same sid and mutually authenticated each other. Freshness. If the session key SK of Π t EBR and Π s BSS is not compromised by a reveal query or EMD/EMC query defined below, we say Π t EBR and Π s BSS are fresh. Adversary. An active adversary A may intercept, delete, modify, or inject the messages over public channels by the given queries: This query models the eavesdropping attack that permits A to learn the messages exchanged between EBR and BSS.
• Send(Π t EBR , Msg) : This query models the active attack that permits A to transmit a message Msg to a participant's instance Π t EBR . • EMD/EMC(Π t EBR ) : This query models another active attack that permits A to extract all the sensitive secret parameters stored in a mobile device (EMD(Π t EBR )) or microprocessor chip (EMC(Π t EBR )). • Test(Π t EBR ) : Before the game starts, an unbiased coin b is flipped. If Π t EBR is fresh, this query returns the real session key SK if b = 1, or a random key in the key space of EBR is not fresh, this query returns the invalid symbol ⊥. We restrict A to access a limited number of EMD/EMC(Π t EBR ) queries in a formal security analysis. At the same time, A is permitted to access an infinite number of Test(Π t EBR ) queries.
Semantic security. Let A's guesse be b , and Succ be the winning probability in the game. A polynomial t time adversary A's advantage in breaking the semantic security of session key SK is denoted by Random oracle. We model the public one-way cryptographic hash function h(·) as a random oracle (Hash).

Computational Assumption
We use elliptic curve cryptography because it is one of the best candidates among the existing public key cryptographic techniques. Two relevant hardness assumptions are described below.
Definition 1 (Elliptic curve discrete logarithm problem (ECDLP)). Given an elliptic curve E over finit field F p , and P, Q ∈ E, find the discrete logarithm d, such that Q = dP.
Definition 2 (Elliptic curve decisional Diffie-Hellman problem (ECDDHP)). Given an elliptic curve E over finite field F p , a generator P of E, and three random elements k 1 P, k 2 P, and k 3 P, distinguish the triples (k 1 P, k 2 P, k 3 P) and (k 1 P, k 2 P, k 1 k 2 P).
The ECDLP and ECDDHP are computationally hard problems when p is large.

The Low-Latency Protocol
In this section, we mainly introduce the process of LLAKEP. The symbols used in LLAKEP are shown in Table 2.

Initialization Phase
This phase is performed in the battery swap station BSS. The specific process is described as follows.

BSS-1:
BSS selects an elliptic curve E/F p whose base point is P. Meanwhile, the order of p is set to n.
BSS-2: BSS generates a private key sk BSS from Z * n , and calculates the public key pk BSS by pk BSS = sk BSS P.

User Registration Phase
Electric bike rider EBR needs to register with battery swap station BSS before swapping batteries. The registration takes place in a secure channel, and the specific process (Table 3) is described as follows.
EBR-1: EBR inputs the ID EBR and PW EBR on the smart glasses. After the input is completed, the microprocessor chip MC generates two random numbers a MC , b MC and calculates to the BSS by using a secure channel.
BSS-2: BSS checks whether H 2 (ID EBR ) and ID EBR are valid after receiving Msg1. If they already exist in the database, BSS returns a message to EBR asking for a new ID.

BSS-3: BSS calculates
and stores l , v, and C in the microprocessor chip. Checks whether H 2 (ID EBR ) and ID EBR are valid Calculates Calculates l = l ⊕ b MC Stores l , v and C secretly

Authentication and Key Exchange (AKE) Phase
After registration, when electric bike rider EBR wants to swap batteries, he needs to send some information for identity authentication. The key algorithms of this phase are shown in Algorithms 1 and 2. ECC_ScalarMul denotes scalar multiplication on an elliptic curve, and its computation is time-consuming. ECC_Add represents addition on an elliptic curves, and ECC_Neg represents negation operations on an elliptic curves. These two cryptographic operations take less time. kd f represents the key derivation function. We transferred a scalar multiplication on the EBR side in the original protocol algorithm to the BSS side. The specific process (Table 4) of the AKE phase is described as follows.
EBR-1: EBR inputs ID EBR and PW EBR using a smart glasses. Then MC calculates After that, EBR checks whether C EBR is equal to C. After successful verification, MC generates a random number r MC ∈ Z * n and a current timestamp T MC , and computes to the BSS by using a public channel.
BSS-2: BSS verifies whether the difference between T MC and the reception time T * MC is less than the maximum transmission latency ∆T after receiving Msg 1 . If it is greater than ∆T, the protocol will stop running. Otherwise, BSS calculates H 2 (sk BSS ||ID EBR ) = CID EBR ⊕ H 1 (sk BSS ). After that, BSS computes R EBR = U EBR P − pk EBR = r MC P and R * = sk BSS R EBR , Auth * EBR = H 2 (ID EBR ||R * ||CID EBR ||T MC ) and checks whether Auth * EBR is equal to Auth EBR . After successful verification, BSS generates a random number r BSS ∈ Z * n and a current timestamp T BSS . Then BSS computes R BSS = r BSS P, SK BSS = r BSS R EBR and Auth BSS = H 2 (ID EBR ||R * ||SK BSS ||T BSS ). At the end, BSS sends: to EBR by using a public channel.
EBR-3: After receiving Msg 2 , EBR first verifies whether the difference between T BSS and the reception time T * BSS is less than ∆T. If it is greater than ∆T, the protocol will stop running. Otherwise, EBR calculates SK EBR = r MC R BSS , Auth * BSS = H 2 (ID EBR ||R||SK EBR ||T BSS ), and checks whether Auth * BSS is equal to Auth BSS . After successful verification, MC generates the current timestamp T MC , and computes the session key SK = kd f (ID EBR ||SK EBR ||T MC ||T BSS ). At the end, EBR calculates Auth EB = H 2 (ID EBR ||R||SK||T MC ), and EBR sends: to the BSS through a public channel.
BSS-4: After receiving Msg 3 , BSS verifies whether the difference between T MC and the reception time T MC is less than ∆T. If it is greater than ∆T, the protocol will stop running. Otherwises BSS computes the session key SK = kd f (ID EBR ||SK BSS ||T MC ||T BSS ), Auth * EB = H 2 (ID EBR ||R * ||SK ||T MC ) and checks whether Auth * EB is equal to Auth EB . If they are equal, the mutual authentication and session key agreement phase have successfully be completed. Finally, the same session key SK(= SK ) will be store, and it will be used for secure commucations of EBR and BSS. Generates r MC ∈ Z * n and T MC Computes U EBR = r MC + sk EBR , R = r MC pk BSS ,

Password Change
Electric bike riders can change their password at any time. The specific process (

EBR inputs ID EBR and PW EBR MC Computes
Stores l new , v new and C new , deletes old parameters

Comparison of LLAKEP and Other Protocols
From the experimental results of He et al.'s scheme [15], it can be obtained that the most time spent is on the elliptic curve scalar multiplication operation, followed by the execution of a map-to-point hash function and a modular inversion operation, while the time spent on the execution of a hash operation, a dissimilarity operation, a message authentication code operation, and a key derivation function is very short. The main cryptographic operations involved in the authentication phase of the relevant protocols and LLAKEP are shown in Table 6. Client denotes the device with limited computing power, and Server denotes the device with strong computing power.
We can see that the total number of elliptic curve scalar multiplication required by LLAKEP is fewer than that of the protocols proposed in [13,14], so the total computing time of LLAKEP is less than theirs. Compared to the protocols proposed in [15][16][17], Client of LLAKEP needs to perform fewer elliptic curve scalar multiplications, which leads to the computing time being cut, thus reducing the overall latency. Table 6. Comparison of computation costs.

Protocol
Client Server YC protocol [13] 4M + 3H + P 4M + 3H + P YY protocol [14] 4M + 3H + P 4M + 4H + P HDB protocol [15] 3M + 2H + 2C 3M + 3H + C + I QC protocol [16] 3M Note: M: the time for an elliptic curve point scalar multiplication operation; H: the time for a hash operation; P: the time for a map-to-point hash operation; X : the time for a XOR operation; C: the time for a message authentication code operation; I: the time for executing a modular inversion operation; K: the time for a key derivation function.

Security Analysis
This section proves the security of LLAKEP in the ROR model.

Security Proof
The security of LLAKEP in the ROR model is shown in Theorem 1.

Theorem 1. Let Adv LLAKEP (t) be the advantage of a polynomial-time t adversary A in breaking the security of LLAKEP, then
Adv where |Hash|, q s , q h , |D| and Adv ECDDHP A (t) are the number of Hash queries, the number of Send queries, the number of Hash queries, the size of password dictionary D in LLAKEP, and the advantage of A in breaking the ECDDHP in time t, respectively.
Proof. Let G j , where j = 0, 1, 2, 3, 4, be a sequence of games, and Succ G j be the event that an adversary A wins the game G j , the probability of which is denoted by Pr[Succ G j ]. Those five games are defined as follows: • G 0 : This game models the original protocol LLAKEP in the ROR model, and an unbiased coin b is filpped. Therefore, • G 1 : This game excludes the eavesdropping attacks. A may use the Execute query in this game, and once the instance is accepted, A proceeds to the Test query. In LLAKEP, SK and SK are calculated as For getting the session key, A needs ephemeral secrets {r MC , r BSS } and the permanent secret identity ID EBR . Hence, A has no advantage in winning the game G 1 through eavesdropping attack. Therefore, • G 2 : This game models the Send and Hash queries. A may mount an active attack to intercept messages Msg1 = {Auth EBR , CID EBR , U EBR , T MC }, Msg2 = {Auth BSS , R BSS , T BSS }, and Msg3 = {Auth EB , T MC }. Note that all these messages involve the random nonces and the current timestamps, the only advantage A can take is making the Hash queries to find collisions. Therefore, by the birthday paradox, • G 3 : This game models the EMD/EMC query wherein A can extract all the credentials l , v and C from a lost or stolen device or a microprocessor chip, where . Note that since A could not get the secret crentials a MC and sk BSS using the Send queries, guessing is the only way to obtain the password PW EBR and identity ID EBR of a registered user EBR from l , v, and C. Therefore, • G 4 : This game models an active attack. To derive the session key SK of EBR and A may use Send queries to obtain all the intercepted messages Msg1, Msg2, and Msg3, and then try to derive SK EBR = r MC R BSS = r MC (r BSS P) = r BSS (r MC P) = SK BSS . Note that A can derive SK EBR = r MC R BSS or SK BSS = r BSS (U EBR P − pk EBR ). However, this problem is essentially the same as solving an ECDDHP. Therefore, After executing the games, A guesses the bit b: According to (1) and (2), we have: According to (6) and (7), we have: Using the triangular inequality, we have the following result: From (8) and (9), we have: Then, we obtain the required result: Theorem 1 is proved.

GNY Logic Proof
We introduce the symbols and meanings used in the GNY logic [29] in Table 7, and then prove the mutual authentication between electric bike rider EBR and battery swap station BSS in LLAKEP.

Description of Protocol
The parser algorithm would describe the protocol as follows.

Conjunction of A and B. H(A)
A one-way hash function of A.

* A
A is a not-originated-here formula. P A P is told A. P A A possesses, or is capable of possessing A. P |∼ A P once said A. P |≡ (A) P believes that A is fresh, that is, A has not been used before P |≡ ∅(A) P can recognize A, that is, P has certain expectations for the content of A. P |≡ P Key ←→ Q P believes that Key is a suitable secret for P and Q.

Initialization Assumption
The initialization assumptions for EBR and BSS are as follows.
Goal 1 According to A1 and the rule F1, we can infer that EBR believes that SK EBR is fresh, and SK EBR = R BSS * r MC .
According to the rule F1, we can infer that EBR believes that SK is fresh, and SK = kd f (ID EBR ||SK EBR ||T MC ||T BSS ). Goal 1 is proved.
Goal 2 According to A2 and the rule R1, we can infer that EBR believes that SK EBR is recognizable, and SK EBR = R BSS * r MC .
According to the rule R1, we can infer that EBR believes that SK is recognizable, and SK = kd f (ID EBR ||SK EBR ||T MC ||T BSS ). Goal 2 is proved.
Goal 3 According to the rule P2, we can infer that EBR possesses SK EBR , and SK EBR = R BSS * r MC .
EBR r MC , EBR R BSS EBR R BSS * r MC (P2) According to A3 and the rule P2, we can infer that EBR possesses R, and R = r MC * pk BSS .
According to A4 and the rule I3, we can infer that EBR believes that BSS once said SK EBR .
According to the rule I6, we can infer that EBR believes that BSS possesses SK EBR .
According to the rule J6, we can infer that EBR believes that BSS possesses SK, and SK = kd f (ID EBR ||SK EBR ||T MC ||T BSS ). Goal 3 is proved.
Goal 4 According to A5 and the rule F1, we can infer that BSS believes that SK BSS is fresh, and SK BSS = R EBR * r BSS .
According to the rule F1, we can infer that BSS believes that SK is fresh, and SK = kd f (ID EBR ||SK BSS ||T MC ||T BSS ). Goal 4 is proved.
Goal 5 According to A6 and the rule R1, we can infer that BSS believes that SK BSS is recognizable, and SK BSS = R EBR * r BSS .
According to the rule R1, we can infer that BSS believes that SK is recognizable, and SK = kd f (ID EBR ||SK BSS ||T MC ||T BSS ). Goal 5 is proved.
Goal 6 According to A7 and the rule P2, we can infer that BSS possesses R EBR and R, and R EBR = U EBR P − pk EBR , R = sk BSS * R EBR .
According to the rule P2, we can infer that BSS possesses SK BSS , and SK BSS = r BSS * R EBR .
BSS r BSS , BSS R EBR BSS r BSS * R EBR (F1) According to A7 and the rule P2, we can infer that BSS possesses SK. According to the rule F1, we can infer that BSS believes that R is fresh, and R = sk BSS * R EBR .
According to A8 and the rule I3, we can infer that BSS believes that EBR once said SK.
According to the rule I6, we can infer that BSS believes that EBR possesses SK. Goal 6 is proved.

Formal Verification
We use Prolog to verify that our protocol achieves the session key security goals (the freshness and the recognizability of the session key, and the belief that the two authenticating parties have the session key). Prolog is a logic verification tool. Write the flow of the protocol as Prolog code, and Prolog can verify whether the protocol achieves our required security goals.
The execution results of Prolog are shown in Figure 2, and we can see that several security goals regarding the protocol returned "True", which indicates that the LLAKEP can achieve the required security goals.

Performance Analysis
We mainly analyze the advantages of the LLAKEP and provide a use case of LLAKEP in this section. Furthermore, we test the computation time, the total running time and the bit rate of different protocols. The experimental environment is shown in Table 8. We use T D A to represent the time of running A on device D.  [30] (i.e., curves P-192, P-224, P-256, P-384, and P-521). From Figure 3, the following are some verified results: For the average computing time on the EBR side: The results show that LLAKEP does reduce the computational burden on the EBR's side.

Experiment II
We use a Raspberry Pi to represent the smart glasses and a laptop to represent the energy device. Smart glasses have less computing capability than laptops. We test LLAKEP under the same conditions as the elliptic curve of Experiment I. From Figure 4, the following are some verified results:

•
For the average computing time on the EBR side: • For the average total computing time: It shows that the weaker device (i.e., smart glasses) in LLAKEP has shorter computation time. Further, LLAKEP has shorter total computation time compared with 2PAKEP.  1) the calculation time on the U side using LLAKEP is less than 2PAKEP; (2) the total calculation time of LLAKEP is less than 2PAKEP.

Experiment III
This experiment measures the total running time of LLAKEP on two communicating parties (a Raspberry Pi and a laptop). From Figure 5, the following are some verified results: For the average total time: The results show that LLAKEP still has shorter total running time compared with 2PAKEP.

Experiment IV
We assume bits of different messages in Table 9. Therefore, in the authentication phase of the LLAKEP, Msg1 needs (160 + 160 + 160 + 32) = 512 bits, Msg2 needs (160 + 320 +32) = 512 bits and Msg3 needs (160 + 32) = 192 bits. The total bits of LLAKEP is 1216 bits. Combining the total runtime of the protocol in Experiment III with the elliptic curve P-256, we can calculate the bit rate. The higher the bit rate, the faster the data transfer speed. The results are shown in Table 10.
For the bit rate Br: Br LLAKEP > Br 2PAKEP .
Therefore, the transmission latency of LLAKEP is lower. This section illustrates usages and advantages of LLAKEP via a use case in a batterty swap cabinets scenario.

Scenario Description
At present, there are more than 300 million electric bikes in China. In order to meet a large number of battery swap needs, China Tower has built an intelligent power exchange system. They have also deployed battery swap stations ( Figure 6). In the future, with the development of the Metaverse, electric bike riders will use smart glasses to interact with battery swap cabinets. During the peak period, a large number of riders will need to authenticate and pay at the same time.

Application of LLAKEP
The following steps explain how we can use LLAKEP. Initialization: devices A and B should support LLAKEP. Specifically, device A is smart glasses; device B is a battery swap cabinet.
Secure Handshake: suppose there are N smart glasses in the battery swap cabinet scenarios. Secure Messaging: A and B use the generated session key to send the message (battery type and payment information) securely.

Advantages
In this part, we analyze the advantages of LLAKEP. According to the statistics from the battery swap station management system (Figures 7 and 8), the number of battery swap stations in Taiyuan city is 270. One battery swap station has 10 battery swap cabinets. In the peak time, 2700 riders use smart glasses to authenticate. After successful authentication, the rider will pay for the swap of a battery. Taking P-256 as an example, Figure 9 shows the authentication protocol running time of battery swap stations in the peak time. Experiment results show that LLAKEP can reduce latency effectively.

Conclusions
This paper proposes a secure, low-latency authentication protocol LLAKEP for the EIoT. LLAKEP reduces the computational burden on weaker devices by changing the time-consuming cryptographic operations needed in the algorithms for both sides of communication. In addition, a provable security model and a logic analysis are used to analyze LLAKEP. Results show that the security of LLAKEP is guaranteed. When the computing capability of both parties is unbalanced, experimental results show that LLAKEP can reduce the computing time of the device with weaker computing capability. It can improve the efficiency of authentication. Finally in the use case, we apply LLAKEP for EIoT electricity transaction system in the Metaverse.
In the future, we will continue to optimize the low-latency algorithm, and design more low-latency AKE protocols suitable for Metaverse scenarios.