ECQV-Based Lightweight Revocable Authentication Protocol for Electric Vehicle Charging

Abstract

In the near future, using electric vehicles will almost certainly be required for the sustainability of nature and our planet. The most significant challenge that users are concerned about is the availability of electric vehicle charging stations. Therefore, to maximize the availability of electric vehicle charging stations, we suggest taking benefit from individual sellers who produce renewable energy from their homes or electric vehicle owners who have charging piles installed in their homes. However, energy services that are rapidly being offered by these businesses do not have a trust connection developed with the consumers and stakeholders in these new systems. Exchange of data related to electric vehicles and energy aggregators can be used to identify users’ behavior and compromise their privacy. Consequently, it is necessary to set up a charging system that will guarantee privacy and security. Several electric vehicle charging systems have been proposed to provide security and privacy preservation. However, ensuring anonymity alone is not enough to guarantee protection from reconstructing the victim vehicle’s route by the tracking adversary, even if the exchanged messages are completely anonymous. Furthermore, anonymity should not be absolute in order to protect the system and function as necessary by all entities. In this research, we propose an effective, secure, and privacy-preserving authentication method based on the Elliptic Curve Qu–Vanstone for an electric vehicle charging system. The proposed scheme provides all the necessary requirements and a reauthentication protocol to minimize the overhead of subsequent authentication processes. To create credentials and validate electric vehicles and energy aggregators, the scheme makes use of the Elliptic Curve Qu–Vanstone implicit certificate mechanism. The new protocols give EVs security and privacy while cutting computational time by 95% thanks to reauthentication, as demonstrated by the performance comparison with earlier works.

1. Introduction

Transportation produces over 30% of global greenhouse gas (GHG) emissions, which has a big impact on air quality [1]. With environmental concerns and a reduction in fossil fuel consumption, countries are increasingly promoting clean renewable energy alternatives to fossil energy. The electric vehicle (EV) is a good choice for tackling the energy crisis and climate change because it is reasonably priced and emission-free. EVs have recently attracted a lot of attention as a way to cut fuel use and GHG emissions and increase energy efficiency [2].

For three primary reasons, the growth of EVs is expected to continue, even with a higher rate of adoption in the coming years [3]:

• Clean-fuel vehicles and initiatives to reduce carbon emissions should be encouraged: Saudi Arabia, the world’s leading oil producer, declared that at least 30% of the cars in its capital city will be electric by 2030. Similarly, China seeks 25% of all new cars to be electrified by 2025. The UK attempts to stop producing and selling fossil-fuel vehicles by 2030 [4].
• Resolve uncertainty for EV drivers: EV drivers still face uncertainty, even though more people are adopting the technology. As reported by the climate group EV100′s members, the most significant challenge that users are concerned about is the availability of EV charging stations (e.g., charging station location, EV parking space, and charge cost) [5,6]. As a result, charging stations need to be strategically positioned and used efficiently as the demand for EVs increases [7]. Because work was disrupted in major areas due to the COVID-19 pandemic, the installation of publicly available chargers increased by 45%, a slower rate than the 85% seen in 2019. The company also cited a persistent barrier as the lack of suitable vehicle types. The cost of buying an electric vehicle remains a significant barrier [5];
• Make EV charging a smooth experience: Remote control using smartphone applications is one of the features of smart EV charging. This feature makes EV charging faster as well as easier to use and, hence, more accessible to a wider variety of clients [3].

Advancements in distributed renewable production, storage systems, and EVs are causing evolving energy systems to become more decentralized. Energy services are rapidly being offered by businesses (such as individual sellers who produce renewable energy from their homes or EV owners who have charging piles installed in their homes) that have not developed trust connections with the consumers and stakeholders in these new systems [8]. The quality of power distributed by the grid is impacted by unregulated electric vehicle charging systems, which results in significant load changes in the electrical grid. As a result, existing energy systems experience severe negative effects, such as higher load peaks, degradation in power quality, and higher consumption of energy [9].

While an EV is connected to an electric vehicle charging station (EVCS), the energy aggregator (EAG) and EV continually exchange information. The EAG functions as an information collector for EVs and controls the charging of the EVs. The EV reports confidential details, such as the EV’s identity (ID), battery status, consumed energy, and geographical location, to potentially untrustworthy charging entities [10]. The EV can share its distance from the service provider to hide the vehicle’s exact location from adversaries. However, it is feasible for adversaries to determine the EV’s precise location when its distance is disclosed [11]. Additional critical information, including the EV’s identification information, its owners, and its travel behavior, can be inferred from the given information [12]. The information shared can be subject to numerous forms of attacks, since the EV and EAG connect using the internet, Wi-Fi, Bluetooth, dedicated short-range communications (DSRC), etc. These attacks may lead to inconsistent battery charging, poor EVCS operation, money theft, incorrect payment transaction outcomes, and more. The primary attacks that could happen are denial-of-service (DoS) attacks, replay attacks, impersonation attacks, and man-in-the-middle (MITM) attacks [10].

1.1. Problem Statement

One of the biggest hurdles to the widespread adoption of EVs is EV charging. Legal authorities are responsible for issuing EV credentials, which allow vehicle identification and authentication. Because these credentials hold EVs’ genuine identifiers, they can be used to track vehicles. Furthermore, certain data in the electrical transactions must be hidden to prevent personal information (e.g., EV identity, battery charge status, geographical location, payment information, etc.) from being leaked. Furthermore, if a vehicle is not validated, an adversary vehicle can easily imitate an authorized vehicle to broadcast false information. This is because trading data can be utilized to analyze individuals’ behaviors and invade their privacy. For instance, EV charging schedules can reveal when an owner remains at home or outside, allowing potential criminals to attempt robbery [13]. Furthermore, the majority of deployed EV charging stations lack physical security and are seldom supervised; an adversary could cause damage to it or install malware in them. Such malware could be utilized to steal energy, obtain users’ data (such as ID card number to impersonate their identity for a transaction), or disrupt EV charging by causing a denial of service [14]. Additionally, in a wireless sensor network (WSN), a passive adversary may secretly intercept messages and employ traffic analysis methods to deduce details about the structure of the network topology and the profiles of network entities [15]. As a result, how to protect end-user privacy while dealing with electrical transaction data becomes a significant privacy-preserving challenge for researchers throughout EV charging and discharging.

An Elliptic Curve Qu–Vanstone (ECQV)-based EV charging system may be created to address these issues and provide security and straightforward authentication to EV clients. The ECQV implicit certificate is necessary for enabling mutual authentication, key establishment, and secret key exchange for Internet of Things (IoT) devices. There have been several EV charging solutions suggested to offer security and privacy preservation. However, the terms privacy and anonymity are sometimes used interchangeably. Privacy is much broader and refers to all aspects of maintaining user privacy, whereas anonymity is focused on maintaining user identity confidentiality. These systems tend to lack in achieving a balance between the need for privacy (trade traceability to achieve anonymity, etc.) and security considerations.

1.2. Paper Motivation and Contribution

In an effort to meet the requirements for preserving privacy and security mentioned previously, these are the contributions made by this paper:

• Present an ECQV-based authentication solution that is more effective at preserving privacy and providing secure authentication for electric vehicle charging stations;
• Use Burrows–Abadi–Needham (BAN) logic and the AVISPA simulation tool to conduct a formal security study to demonstrate that the proposed scheme is secure against numerous attacks. In addition, we perform an informal security analysis to show the proposed protocol’s security;
• Compare the computational costs with other related work, to illustrate that the proposed techniques will perform better.

1.3. Paper Organization

Following is the format for the remaining portion of the paper: Section 2 covers the preliminary material. In Section 3, we show an analysis of the literature that is relevant to the proposed protocol. In Section 4, the proposed scheme is presented. The formal and informal security analyses are discussed in Section 5. In Section 6, security, functional, and computational aspects are compared with those of related schemes. Finally, Section 7 is the conclusion.

2. Preliminaries

The criteria for EV charging’s authentication solution are covered in this section. Additionally, the concept of an elliptic curve Qu–Vanstone (ECQV) implicit certificate is introduced in this section.

2.1. Solution Requirements

Authentication that protects the privacy and the system’s ability to thwart both active and passive attacks (against system entities) are necessary for the feasibility and acceptability of EV charging systems. These key security requirements must be met before a charging system may be used. However, the current approaches have flaws that raise several questions about EV charging systems. As a result, the proposed scheme needs to fulfill the following criteria:

• Mutual authentication: The system must allow the parties to confirm one another’s identities and guarantee that communication is based on trust. To verify the EAG’s identification and registration with the trusted charging system operator (OP), the EV must authenticate the EAG. The EAG will verify the EV’s registration with the OP concurrently. The OP issues certificates for authentication, consequently reducing the likelihood of a masquerade attack [16];
• Anonymity: Anonymity is the capability to evade being recognized within a group of subjects. The EV’s true identity should not be revealed to the EAG while it is charging [17]. Un-traceability is the ability to keep the activities of a subject un-traceable. Eavesdroppers cannot guess or trace the EV’s activities [16];
• Un-linkability: Un-linkability is where the attacker cannot tell whether two actions are related. EVs during various charging sessions should not be linkable [17];
• Traceability: This characteristic guarantees that, if necessary, the trustworthy organization (OP) can determine or reveal a malicious EV’s real identity [18];
• Perfect forward security: If a long-lasting private key is exposed, the adversary cannot obtain a future session key [19];
• Perfect backward security: If a long-lasting private key is exposed, an adversary cannot obtain the old session key [19];
• Joint key control: The session key will be created using a random number that is contributed by both EAG and EV. As a result, no other party has access to or can acquire any session keys;
• Effective reauthentication: The process where the EAG reauthenticates the EV, causing an overhead. The EAG should, therefore, be able to verify the EV using the information given by a reliable third party (OP) during the initial encounter. Therefore, the EAG does not need to rely on the OP for future access because it can reauthenticate the EV;
• Revocation method: If a user’s registration is ended or the EAG/EV secret key is publicly disclosed, the corresponding information should be revoked. It is critical to grant a revocation mechanism for the system;
• Attack resistance: Adversaries may launch attacks during the communication between EAG and EV, as it is carried out in an insecure environment. Thus, the proposed scheme must be capable of thwarting attacks such as MITM attacks, replay attacks, impersonation attacks, etc.

2.2. ECQV Implicit Certificates

In comparison to the standard certificate (such as X.509 certificates), the implicit certificate provided by the ECQV method offers the advantages of having a smaller certificate that is computationally quicker and more ideal for IoT devices with limited resources [20].

A conventional certificate needs to have its signature verified, whereas an implicit certificate only needs to have its public key derived, and the latter is quicker than the former. The entity seeking the security material is the only one who can derive the private key; hence it is not even accessible to the certificate authority (CA). Hence, the technique is protected against key escrow attacks. Furthermore, a secure connection is not necessary during the operation because all variables may be delivered via the open channel [21].

(1)

ECQV Basic Notations

In

Table 1. ECQV basic notations.

Notations	Meaning
$d_A$	EC private key for entity $A$
$Q_A$	EC public key for entity $A$
$k {\in }_R$[1,…, n − 1]	$k$ integer, a random value between 1 to n − 1
G	Base point in $E_p$ with order $n$
$E_p$	Elliptic curve (EC) over a finite field with $p$ being a significant prime number
$H\left(.\right)$	One-way hash function
$r$	Private reconstruction data
$P_A$	Public reconstruction data
$I{D}_A$	Identity of entity $A$
$e$	Hash of certificate
$Cer{t}_x$	Certificates of entity $x$

below, the fundamental notations used in the ECQV scheme are defined.

(2)

ECQV Algorithms

ECQV implicit certificates are produced using ECQV technology, which is based on elliptic curve cryptography. The elliptic curve domain settings for this method must be agreed upon by the entities and the CA before it can be used. Figure 1 shows the details of this strategy, which consists of three steps [22]:

• ECQV certificate request: A user generates an EC pair of keys and sends the public key together with the user’s ID to the CA;
• ECQV certificate generation: The CA validates the ID and creates data for public reconstruction that may be used to obtain the user’s public key. Next, ECQV certificate data are incorporated and contain both ID and public reconstruction information. The resulting ECQV certificate and the private key of the CA are then used to compute the user’s private reconstruction data. The user then receives the private reconstruction data and the ECQV certificate from the CA;
• ECQV certificate reception: The user creates a public/private-key pair using the first step’s private key, private reconstruction information, and ECQV certificate (acquired from CA). In order to confirm that the obtained certificate was indeed issued by the CA, the user then performs a verification process.

IoT devices can create a secure communication channel using ECQV implicit certificates and Elliptic Curve Diffie–Hellman (ECDH) for authenticated key exchange. The process of the ECQV implicit certificate-based authenticated key exchange algorithm is presented in Figure 2.

3. Literature Review

The most relevant, significant EV charging privacy preservation and security techniques are reviewed in this section. Multiple security systems already in use are discussed, as well as their advantages and disadvantages, along with the efforts this study took to solve the issues. To simplify the authentication process and make it less difficult, this work aims to propose a safe authentication strategy for EV charging that protects the privacy and offers a reliable reauthentication mechanism. Previous works in the security and privacy systems sectors have been reviewed for the intended outcome.

There are two main categories that the authentication protocols fall into: public-key authentication and symmetric-key authentication. Asymmetric cryptography, commonly known as public-key cryptography, is an encryption/decryption technique that utilizes a key pair made up of public/private keys [23]. However, symmetric-key cryptography relies on a single key that may be used for both encryption/decryption [24].

It was recently demonstrated that utilizing only XOR and hash operations in symmetric-key-based authentication protocols [25,26,27] can ensure anonymity and the un-traceability of a user’s behavior. Li et al. (2017) applied symmetric-key cryptography to provide an authentication technique for a dynamic charge system. The technique enables EVs to authenticate anonymously to charging piles (CP) while maintaining their geographical privacy. However, the process of forwarding the credentials (pseudonyms) and the distribution of associated keys to all CPs is inefficient, as it requires a large space to store all these data within CPs and leads to communication overhead. Additionally, an EV’s real identity is revealed to the service provider to create the pseudonym identity, which is risky and expensive computationally [25].

For EV charging, a blockchain-based security model was proposed by Huang et al. (2018). It provides mutual authentication through symmetric-key cryptography. However, the lightning network charging mechanism was not efficient, and the system was not able to protect the security of the keys. Moreover, the proposed model lacks privacy-preserving features such as anonymity, un-likability, and traceability. Moreover, the proposed authentication protocol requires a secure channel between EV and CP, which is hard to establish and increases the overall cost of the system [26].

The blockchain-based security framework introduced by Kim et al. (2019) used XOR and hash operations to reduce the computational cost of communication. However, the process of authentication must be repeated for each charging session. Furthermore, due to the requirement of all nodes to solve the mathematical computation, the system suffers from latency as the number of electric vehicles grows. Moreover, it does not provide some required privacy-preserving features including un-linkability and traceability [27].

To guarantee secure communication among the various network components, a combination of asymmetric and symmetric cryptography with simple hashing can be used. ElGhanam et al. (2021) applied this combination to provide a lightweight authentication mechanism that enables legitimate EVs to charge while assuring secure and fair payments. The mechanism resists well-known attacks such as replay attacks, MITM attacks, and impersonation attacks. For privacy preservation, it ensures an EV’s real identity, anonymity, and un-linkability through the utilization of pseudonyms for each charging process. However, it only provides partial privacy preservation to the EV, as it fails to ensure traceability. If required, the charging company cannot disclose the true identity of the EV that is acting maliciously or inappropriately. They encouraged other researchers to utilize asymmetric cryptography techniques to reduce the computational costs of their scheme [28].

For dynamic charging systems, Babu et al. (2021) presented a robust elliptic curve cryptography-based authentication mechanism. The proposed scheme can mitigate well-known EV attacks including replay attacks, MITM attacks, impersonation attacks, etc. For privacy preservation, it ensures an EV’s anonymity and un-traceability. However, similar to other studies in the literature review, it only provides partial privacy preservation to the EV, as there are no mechanisms for un-linkability, traceability, or reauthentication to cut down on communication costs during the authentication process [29].

To preserve the privacy of vehicles, an EV can be first authenticated to the EVCS using a blind signature [30,31,32]. A digital signature known as a “blind signature” enables the user to have the signer sign any document without being aware of what it contains [33]. Rabieh and Wei (2017) applied a blind signature along with a hash chain to authenticate EVs for dynamic charging while keeping their identities anonymous and un-linkable to other sessions. This was achieved through the usage of pseudonym tickets (to ensure un-linkability) that are published in the revocation list used for authentication and the need for EVs to authenticate themselves multiple times in all phases of the scheme. Unfortunately, the scheme suffers from latency and requires large storage as the number of EVs increases. Moreover, these pseudonyms are generated by EVs randomly and are unregulated. If an EV generates a repeated pseudonym without its knowledge, it will be rejected at the charging center [30].

A partial blind signature along with a hash chain to authenticate EVs for dynamic charging was proposed by Gunukula et al. (2017) to maintain privacy (anonymity and un-linkability). It guarantees resistance to MITM attacks; however, it does not investigate other attacks that could have a wide impact on the system. Furthermore, the system relies on the bank to verify the validity of charging coins, which in turn causes a delay in the authentication process [31].

Roman and Gondim (2019), proposed an authentication protocol for EV dynamic charging infrastructure based on a blind signature along with a hash chain. It ensures resistance to well-known attacks, anonymity, and un-linkability. On the other hand, the scheme requires a secure channel (as it reveals EVs’ real identities) in the ticket-purchasing phase; secure channel establishment is hard and is mainly achieved by physical contact prior to the service request from the charging company. We believe that better solutions exist for handling such requirements [32].

Other techniques used to authenticate EVs and maintain their privacy are public-key, sign-encryption, and group-signature algorithms. They allow signing messages exchanged by EV users, making it impossible for malicious individuals or other network attackers to learn target EVs’ real identities. In contrast to the signature-then-encryption method, signcryption is public-key cryptography (PKC) primitive that simultaneously delivers a digital signature and public-key encryption [34].

Xia et al. (2021) applied the concept of group-signature-based authentication to eliminate the disclosure of an EV’s identity to entities other than the CA. Fog computing was used to reduce the interaction between EVs and cloud servers. However, the scheme needs to reduce the entities’ interaction, as it is considered to be high [35].

Two of the techniques used to improve the protocol’s communication cost are partial identity-based signcryption (IBSC) and pairing-based protocol for EV group authentication, as in the protocol proposed by Roman et al. (2019), where a group message is used to protect the anonymity of EVs. The protocol ensures communication confidentiality, location privacy, and resistance to several attacks. However, at the registration stage, a public/private-key pair is generated for the group; due to this process, there is a need for larger storage and the issue of single-group association must be considered (unchanged until EV requests to leave the group). Furthermore, there is no plan in place to guard against the compromise of single-group association [36].

Kumar et al. (2020) introduced a framework for EV charging using signcryption cryptography to ensure security and privacy preservation. It uses pseudo-identity to provide anonymity for EVs and it resists several attacks including replay attacks, MITM attacks, impersonation attacks, etc. However, the scheme does not provide un-linkability, traceability, or a mutual or reauthentication mechanism to reduce the overhead of the authentication process [37].

Public-key infrastructure (PKI) with smart cards or contract certificates was proposed by Vaidya and Mouftah (2020) to authenticate EVs in plug-and-charge systems. The scheme ensures resistance to MITM and impersonation attacks. However, it does not provide assurance against replay and stolen card attacks, and it is feasible to eavesdrop on data exchange by placing fake card reader devices. Moreover, the system lacks the protection of EV privacy. The scheme has low communication, but it lacks security and privacy [38].

Additionally, according to [39], group-signature authentication has some drawbacks that should be taken into account when designing the system, such as how the private key for the group of EVs is distributed, how frequently the public/private-key pairs need to be changed, and how the key management mechanism works.

Many security protection solutions in vehicle-to-grid (V2G) networks currently rely on anonymity, pseudonymity, and encryption technologies. To address the issue of anonymity, existing research and protocols employ traditional processes such as blind signatures and bilinear pairing. The performance–security trade-off is significantly impacted by all of these systems’ high processing and communication requirements. Due to the complexity of signature and encryption mechanisms, the time required for authentication between an EV and the power grid would significantly increase (such as blind signatures). Simple anonymity and pseudonym solutions are no longer sufficient in addressing the issue of identification for EV users [40].

Solutions by [26,30,32] require a secure channel to purchase the tickets, which is both hard to establish and costly. PKI is the only way to avoid such a secure channel [38]. Studies [30,32] use certificates to initially register and authenticate and are categorized as token-based authentication schemes, as they use tickets for EV authentication. For security and privacy preservation, various blockchain-based EV charging systems have been developed. Anonymous communication hides an EV’s real identity; however, if the same anonymous ID is used multiple times, it threatens the EV’s privacy (un-linkability). By linking data to other publicly available datasets such as transactions, data might be utilized to execute privacy-related linkage attacks, and the cloud can carry out attacks using a variety of data-mining techniques and algorithms. However, absolute anonymity is the main privacy feature considered in most of these systems, which is not sufficient in maintaining order in the EV charging infrastructure [41].

As IoT devices tend to be resource-constrained and the applications of vehicular ad hoc networks (VANETs) are latency-critical, Ha et al. (2016) introduced a security scheme based on ECQV implicit authentication. For IoT devices to have mutual authentication, key establishment, and key exchange capabilities, an ECQV implicit certificate is essential. Ha et al. were able to demonstrate through a computational test that ECQV implicit certificates are preferable to traditional certificates for use in IoT devices with limited resources [22]. In their study, Baee et al. (2019) explored how much the authentication overhead in latency-critical apps affects the safety of EV drivers. They also demonstrated that combining the Elliptic Curve Digital Signature Algorithm (ECDSA) and ECQV over the National Institute of Standard and Technology (NIST) P-256 curve and validating certificates can be a viable solution [42].

The earlier authentication techniques did not consider other fundamental privacy-preserving criteria in VANETs, such as un-linkability and traceability. These requirements integrate into each other because the EV’s real identity is hidden, different sessions are not linkable, and misbehaving anonymous vehicles are traced by authorities. Additionally, we noticed that the concept of token-based reauthentication for authentic EVs within a short period of time has not been tackled. Our work is the first to suggest using ECQV to authenticate EVs EAGs in the charging system, to our knowledge. In order to ensure that the privacy of EVs is maintained for EV charging systems, we provide a lightweight ECQV-based authentication scheme. It delivers reliable and safe authentication and reauthentication.

4. Proposed System

In this section, we present the proposed authentication protocols that address the solution requirements.

Table 2. Notations.

Notations	Meaning
EV	Electric vehicle
EAG	Energy aggregator
OP	Electricity operator
$E_p$	Elliptic curve (EC) over a finite field, with $p$ being a significant prime integer
G	$E_p’\mathrm{s}$ base point with order $n$
$i{d}_{EV}$$,i{d}_{EAG}$	EV/EAG’s true identity
$k_x, R_x$	Pair of EC keys for entity $x$
$S_x$	Data used to construct entity $x$‘s private key
$Cer{t}_x$	Entity $x$’s certificate
$Si{g}_x$$\left(y\right)$	Message $y$ is signed by entity $x$ using $x$’s private key
$P{K}_x \left(y\right)$	Using entity $x’\mathrm{s}$ public key, entity $x$ encrypts message $y$
$A_x$	Entity $x$’s authenticator
$A{H}_x$	Hash of entity $x$’s authenticator
$T_x$	Time stamp produced by $x$
TL	Time-life
$e$	Certificate hash
$P{K}_x, P{R}_x$	Entity $x$’s Public/Private-key pair
RK, RK’	EV and OP/EAG and OP registration key
$Ai{d}_i$	$\mathrm{EV}’\mathrm{s} i^{th}$ anonymous identity established by OP
$Ai{d}_{No}$	$Ai{d}_i$ counter that is incremented by EV
$N_x$	Nonce by $x$
$A{T}_{EV}^{EAG}$	EV’s authorization token, generated by EAG
$K_{EV-EAG}$	EV and EAG shared symmetric master key
$I{K}_{EV-EAG}$	EV and EAG shared symmetric initial key
$T{K}_{EV-EAG}$	EV and EAG shared symmetric temporary key
$S{K}_{EV-EAG}$	EV and EAG shared symmetric session key
$H\left(.\right)$	One-way hash function
$\left(y,x\right)$	Concatenation operation

details the notation used for this scheme’s phases: (1) Initialization, (2) Registration, (3) Authentication, and (4) Charging.

4.1. System Architecture

The entities electricity operator (OP), energy aggregator (EAG), and electric vehicles (EVs) compose our scheme. Figure 3 shows the architecture, and the list of entities in our design are listed below:

• Operator (OP): Any EV or EAG seeking to use the charging system must first register their identification information with the OP, where OP acts as the initializer for the proposed protocol. Authorized EVs can use the EAG’s services and develop trust with one another because the OP acts as a certificate generator (trusted third party). The OP can also identify malicious or misbehaving nodes by revealing their identities;
• Energy Aggregator (EAG): A data aggregator is a smart device or collection of smart devices that serves as a data aggregator of available EV power information while the EVs are charging and supplying power to the EVs via a number of EVCSs. To coordinate the charging, the EAG has an authentication mechanism to identify authorized EVs;
• Electric Vehicle (EV): It is a smart device that communicates charging requests to EAGs and mutually validates an EAG’s eligibility to use its service (charging).

From the architecture in Figure 3, the first step in establishing the communication between an EV and an EAG is the registration with an OP. After receiving credentials, these entities become part of the system and can communicate and authenticate each other if necessary. After successful verification, the EV can access a charging service. The EAG authenticates the EV using the $A_{EV}$ signed by the OP and $Ai{d}_i$ by the EV, without the direct involvement of the OP. The other way around, the EV authenticates the EAG using $A_{EAG}$ signed by the OP to thwart impersonation attacks. The proposed solution makes use of symmetric, ECQV, and PKC methodologies to ensure secure communication and to shorten the computation time in order to establish mutual authentication between the EV and EAG. For effective reauthentication, the proposed solution permits the reuse of $A{T}_{EV}^{EAG}$ (similar to [43] and our previous work [44]) and utilizes the speed constraint in [11] to countermeasure location-related attacks. $A{T}_{EV}^{EAG}$ is issued by the EAG once it has authenticated the EV. The utilization of $A{T}_{EV}^{EAG}$ reduces the time required to verify $A_{EV}$ in upcoming charging requests. Since there are not enough public EVCSs, which is the main problem with the EV charging infrastructure, EV owners may help other EVs in need by lending them their personal charging stations. In return, personal EVCS owners can earn some incentives through sharing with other EVs or by selling excess power to OPs.

4.2. Threat Model

The EAG is responsible for energy node matching and providing location-based services to electric vehicle owners during the energy trading process. We assume that the location-related communication is not secure enough (internet, Wi-Fi, Bluetooth, dedicated short-range communications (DSRC), etc.), and adversaries can use these services to determine the precise location of the target EV owner. Since EV owners’ location data includes vital information such as their house, workplace, hospitals, and so on, once learned by the adversary, the privacy of EV owners will be compromised, and their personal safety may be jeopardized.

The two types of attackers that are interested in obtaining the location data and credentials of EV owners are outsider and insider attackers. The transaction data collected by the system can be used by an outsider attacker to obtain information about the location of EV owners; a malicious internal node in our proposed scheme acts as an insider attacker and can gather user data. We assume that the EAG is a potential insider threat who is capable of learning the credentials or precise location of EV owners throughout the trading process.

4.3. Initialization Phase

The following steps describe how the OP initializes the system to set up the network:

Step 1:

A base point G of order $n$ is chosen by OP on the elliptic curve $E_p$, where $n$ is a significant prime number. Select the curve coefficients $a$ and $b$, field size $q$, and cofactor $h$, where $hn$ is the number of points on the elliptic curve (these are the elliptic curve domain parameters);

Step 2:

Select an approved hash function $H\left(.\right)$. The OP and certificate requester (EV or EAG) specify the generator of random numbers to be used throughout the certificate request/creation procedures to generate the private keys;

Step 3:

OP obtains an EC-key pair ($P{R}_{OP}, P{K}_{OP}$), which is associated with the elliptic curve domain parameters (established in the first step).

Step 4:

Both EV and EAG obtain, in an authentic manner, the EC domain parameters, $H\left(.\right)$, and $P{K}_{OP}$ (OP’s public key).

4.4. Registration Phase

Before EVs and EAGs can join the charging system, they must produce their identities and pair of public/private keys. After which, they receive the corresponding certificate, authenticator, information about constructing the private key, and anonymous identity from the OP (for EV only).

4.4.1. EV Registration

The registration process for EVs is presented in Figure 4 and is detailed as follows:

Step 1:

EV selects its identity $i{d}_{EV}$; generate EC-key pair ($k_{EV}, R_{EV}$), where $k_{EV}$ ${ϵ}_R \left[1, \dots , n-1\right]$ and $R_{EV}=k_{EV}.G$. Compute $I_{EV}=h\left(R_{EV}, i{d}_{EV}, N_{EV}\right)$ to ensure integrity. Then, send it to OP $\left\{i{d}_{EV}, R_{EV}, N_{EV}, I_{EV}\right\}$ encrypted with $P{K}_{OP}$ (OP’s public key);

Step 2:

OP retrieves the content of the message using its private key $P{R}_{OP}$ and verifies $I_{EV}$. Then, choose $k {ϵ}_R \left[1, \dots , n-1\right]$ and generate EV’s implicit certificate $Cer{t}_{EV}=R_{EV}+kG$; compute $e=h\left(Cer{t}_{EV}\right)$, $S_{EV}=ek+P{R}_{OP}\left(mod n\right)$, the private key construction data of EV. OP uses Formula (1) to create EV’s pseudo-identity and signs it using OP’s private key, where the real identity of EV is encrypted with $P{K}_{OP}$ to assure its anonymity and $Ai{d}_i$ is agreed to be incremented sequentially ($Ai{d}_{No}$) by EV itself every time it requests a service. Compute EV’s authenticator using Formula (2), which contains the issued $Cer{t}_{EV}$ with its time-life ($TL$) signed using the private key of OP. Compute $A{H}_{EV}=H\left(A_{EV}\right)$ to ensure integrity. Compute registration key $RK=h(R_{EV},N_{EV}, P{K}_{OP})$ that is shared between OP and EV only. Then, send to EV $\left\{A_{EV}, A{H}_{EV}, Ai{d}_i,S_{EV}\right\}$ encrypted with $RK.$ Lastly, OP destroys $R_{EV}$, $k$, $S_{EV}$ to prevent the possession of EV’s private key by an adversary;

$$Ai{d}_i=\{(Si{g}_{OP} \left(P{K}_{OP}\left(i{d}_{EV}\right),TL\right)), Ai{d}_{No}\}$$

(1)

$$A_{EV}=\{(Si{g}_{OP} \left(Cer{t}_{EV},TL, Ai{d}_i\right))$$

(2)

Step 3:

EV calculates the shared registration key $RK=h(R_{EV},N_{EV}, P{K}_{OP})$ to retrieve and verify $A_{EV}, Ai{d}_i$ through OP’s public key and check $A{H}_{EV}$. Compute $e=h\left(Cer{t}_{EV}\right)$ to generate its private/public-key pair $P{R}_{EV}$/$P{K}_{EV}$ using Formulas (3) and (4).

$$P{R}_{EV}=e.k_{EV}+S_{EV}\left(mod n\right)$$

(3)

$$P{K}_{EV}=e.Cer{t}_{EV}+P{K}_{OP}$$

(4)

To ensure the validity of $P{K}_{EV}$, it computes $PK{’}_{EV}=P{R}_{EV}.G$; then, check if $P{K}_{EV}==PK{’}_{EV}$ as follows:

$$\begin{array}{ccc}P{R}_{EV}\hfill & =\hfill & e.k_{EV}+S_{EV}\left(mod n\right)\hfill \\ & =\hfill & e.k_{EV}+\left(e.k+P{R}_{OP}\left(mod n\right)\right)\hfill \\ & =\hfill & e.(k_{EV}+k)+P{R}_{OP}\left(mod n\right))\hfill \end{array}$$

(5)

$$\begin{array}{ccc}Cer{t}_{EV}\hfill & =\hfill & R_{EV}+kG \hfill \\ & =\hfill & k_{EV}.G+k.G\hfill \\ & =\hfill & (k_{EV}+k).G\hfill \end{array}$$

(6)

$$\begin{array}{ccc}P{K}_{EV}\hfill & =\hfill & e.Cer{t}_{EV}+P{K}_{OP} \hfill \\ & =\hfill & e.(k_{EV}+k).G+P{R}_{OP}.G \hfill \\ & =\hfill & e.((k_{EV}+k)+P{R}_{OP}).G\hfill \\ & =\hfill & P{R}_{EV }.G\hfill \end{array}$$

(7)

After the validation of $P{K}_{EV}==PK{’}_{EV}$, EV adds its signature to $Ai{d}_i$ using its own private key. Lastly, EV stores $\{A_{EV}$, $Ai{d}_i\}$ encrypted with $P{K}_{EV}$ in memory (on-board unit—OBU). Destroy $R_{EV}$, $k_{EV}$, $S_{EV}$ to prevent the possession of an EV’s private key by an adversary.

4.4.2. EAG Registration

The registration process for the EAG is presented in Figure 5 and is detailed as follows:

Step 1:

EAG selects its identity $i{d}_{EAG}$; generate EC-key pair ($k_{EAG}, R_{EAG}$), where $k_{EAG}$ ${ϵ}_R \left[1, \dots , n-1\right]$ and $R_{EAG}=k_{EAG}.G$. Compute $I_{EAG}=h\left(R_{EAG}, i{d}_{EAG}, N_{EAG}\right)$ to ensure integrity. Then, send it to OP $\left\{i{d}_{EAG}, R_{EAG}, N_{EAG}, I_{EAG}\right\}$ encrypted with $P{K}_{OP}$.

Step 2:

OP retrieves the content of the message using its private key $P{R}_{OP}$ and verifies $I_{EAG}$; choose $k {ϵ}_R \left[1, \dots , n-1\right]$ and generate EAG’s implicit certificate $Cer{t}_{EAG}=R_{EAG}+kG$; compute $e=h\left(Cer{t}_{EAG}\right)$, $S_{EAG}=ek+P{R}_{OP}\left(mod n\right)$, the private key construction data of EAG. Compute the authenticator by Formula (8); it contains the issued $Cer{t}_{EAG}$, $i{d}_{EAG}$, its time-life ($TL$) signed using the private key of OP. Then, compute $A{H}_{EAG}=H\left(A_{EAG}\right)$ to ensure integrity. Compute registration key $RK’=h(R_{EAG},N_{EAG}, P{K}_{OP})$ that is shared between OP and EAG only. Then, send it to EAG $\left\{A_{EAG}, A{H}_{EAG},S_{EAG}\right\}$ encrypted with $RK’.$ Lastly, OP destroys $R_{EAG}$, $k$, $S_{EAG}$ to prevent the possession of EAG’s private key by adversaries.

$$A_{EAG}=\left\{(Si{g}_{OP}\left(Cer{t}_{EAG}, TL, i{d}_{EAG}\right)\right\}$$

(8)

Step 3:

EAG computes the registration key $RK’=h(R_{EAG},N_{EAG}, P{K}_{OP})$ to retrieve and verify the $A_{EAG}$ through OP’s public key and checks $A{H}_{EAG}$. Compute $e=h\left(Cer{t}_{EAG}\right)$ to generate its private/public-key pair $P{R}_{EAG}$/$P{K}_{EAG}$ using Formulas (9) and (10).

$$P{R}_{EAG}=e.k_{EAG}+S_{EAG}\left(mod n\right)$$

(9)

$$P{K}_{EAG}=e.Cer{t}_{EAG}+P{K}_{OP}$$

(10)

To ensure the validity of $P{K}_{EAG}$, it computes $PK{’}_{EAG}=P{R}_{EAG}.G$; then, check if $P{K}_{EAG}==PK{’}_{EAG}$ as follows:

$$\begin{array}{ccc}P{R}_{EAG}\hfill & =\hfill & e.k_{EAG}+S_{EAG}\left(mod n\right)\hfill \\ & =\hfill & e.k_{EAG}+\left(e.k+P{R}_{OP}\left(mod n\right)\right)\hfill \\ & =\hfill & e.(k_{EAG}+k)+P{R}_{OP}\left(mod n\right))\hfill \end{array}$$

(11)

$$\begin{array}{ccc}Cer{t}_{EAG}\hfill & =\hfill & R_{EAG}+kG\hfill \\ & =\hfill & k_{EAG}.G+k.G\hfill \\ & =\hfill & (k_{EAG}+k).G\hfill \end{array}$$

(12)

$$\begin{array}{ccc}P{K}_{EAG}\hfill & =\hfill & e.Cer{t}_{EAG}+P{K}_{OP}\hfill \\ & =\hfill & e.(k_{EAG}+k).G+P{R}_{OP}.G \hfill \\ & =\hfill & e.((k_{EAG}+k)+P{R}_{OP}).G\hfill \\ & =\hfill & P{R}_{EAG }.G\hfill \end{array}$$

(13)

After the validation of $P{K}_{EAG}==PK{’}_{EAG}$, EAG stores $\left\{A_{EAG}\right\}$ encrypted with $P{K}_{EAG}$ in memory and destroys $R_{EAG}$, $k_{EAG}$, $S_{EAG}$ to prevent the possession of EAG’s private key by an adversary.

4.5. Authentication Phase

When an EV wishes to access the charging system, the EV and EAG must authenticate one another and create a session key. The authentication phase is separated into two groups: mutual authentication, in which EV and EAG have not yet developed a relationship of trust. Thus, they rely on the information provided by the OP (third party). The second is lightweight reauthentication, where the EV and EAG authenticate each other on their own without a third trusted party (OP).

4.5.1. Mutual Authentication Protocol

This process is conducted initially, where the EAG relays on the OP’s information to authenticate the EV, unless $A_{EV}$ is terminated. Figure 6 illustrates the procedure and provides the following details:

Step 1:

EV generates the charging request $C{H}_{EV}=\left\{amount, price,distance,TL\right\}$, where “$amount$” states the amount of power needed, “$price$” specifies how much the EV is willing to pay for the service (to keep the location of the EV private), “$distance$” should specify how far it is from the local EAG, and “$TL$” states the time-life of the request. Then, EV sends $C{H}_{EV}$ to their local EAG;

Step 2:

The EAG sends its $A_{EAG}, A{H}_{EAG}$ as a response to the EV charging request;

Step 3:

EV verifies $A_{EAG}$ through OP’s signature and checks if it is valid by the $TL$; retrieve $Cer{t}_{EAG}$ and compute $e=h\left(Cer{t}_{EAG}\right)$ to extract the EAG’s public key $P{K}_{EAG}=e.Cer{t}_{EAG}+P{K}_{OP}$. Generate a random number $N_{EV}$, time stamp $T_{EV}$, and the master shared key $K_{EV-EAG}$ using Formula (14). Increase the $Ai{d}_i$ counter one at a time (by adding 1 to the previous EV’s pseudo-identification) to generate a new anonymous identity for the current session. This prevents linking between multiple sessions of an EV. Then, send to EAG $\left\{A_{EV},Ai{d}_i, N_{EV}, T_{EV}\right\}$ encrypted with $P{K}_{EAG}$.

$$K_{EV-EAG}=P{R}_{EV} . P{K}_{EAG}=P{R}_{EV} . P{R}_{EAG} .G$$

(14)

Step 4:

To decrypt the message, EAG employs its own private key and uses OP’s signature to confirm that $A_{EV}$ is authentic, and checks $T_{EV}$ to make sure the message is not being replayed. Compute $e=H\left(Cer{t}_{EV}\right)$ to extract EV’s public key $P{K}_{EV}=e.Cer{t}_{EV}+P{K}_{OP}$. Verify $Ai{d}_i$ by OP’s signature and EV’s signature ($P{K}_{EV}$) that is included in it. Then, generate $N_{EAG}$, $T_{EAG},$ the master shared key using Formula (15), and the authorization token by Formula (16), where $Ai{d}_i, K_{EV-EAG}$ are encrypted with $P{K}_{EAG}$. Moreover, generate the initial and session key using Formulas (17) and (18), receptively. Then, send to EV $\left\{A{T}_{EV}^{EAG}, T_{EAG}\right\}$ encrypted by $I{K}_{EV-EAG}$, the EAG schedule charging service for EVs that is protected by $S{K}_{EV-EAG}$.

$$K_{EV-EAG}=P{R}_{EAG} . P{K}_{EV}=P{R}_{EAG} . P{R}_{EV} .G$$

(15)

$$A{T}_{EV}^{EAG}=\left\{Si{g}_{EAG}\right.\left(A{T}_{No}\right., TL, i{d}_{EAG}, P{K}_{EAG}\left(P{K}_{EV}, K_{EV-EAG}\right))\}$$

(16)

$$I{K}_{EV-EAG}=h\left(i{d}_{EAG}, N_{EV}, T_{EV}\right)$$

(17)

$$S{K}_{EV-EAG}=h\left(K_{EV-EAG}, A{T}_{No}, P{K}_{EV}, N_{EV}\right)$$

(18)

Step 5:

EV generates $I{K}_{EV-EAG}$ by Formula (17) to retrieve $A{T}_{EV}^{EAG}, A{T}_{No}$ and checks the validity of $T_{EAG}$. Next, create the session key to be used during the charging session using Formula (18). EV stores the $A{T}_{EV}^{EAG}$ issued by EAG, and updates $Ai{d}_i$. By the end of this process, EV and EAG shall have both established trust between them, without having to depend on OP in the future for session authentication.

4.5.2. Lightweight Mutual Reauthentication Protocol

As noted before, at this point, the EV and EAG should have developed a relationship of trust. Now, they can directly and mutually authenticate one another in upcoming charging services. Since charging is a rapidly needed service and a matching process is vital in providing the service, reauthentication can guarantee faster matching for the EV to obtain the service faster. When the user has a valid $A{T}_{EV}^{EAG}$ and is scheduled to the same aggregator within a 48-h period, this phase (reauthentication phase) can be utilized. The reauthentication time window is chosen on the basis of EVs’ frequent need for recharging and due to EV memory constraints. Furthermore, if the user is already trusted, it is impractical and expensive to generate all the variables for a new session key. The process of efficient reauthentication is presented in Figure 7, detailed as follows:

Step 1:

EV creates $N_{EV}, N{’}_{EV}$, and applies Formula (18) to determine the previous session key to be used in $Ai{d}_i,{N^{\prime }}_{EV}, T_{EV}$ encryption. Increment the $Ai{d}_i$ counter sequentially (add 1 to the EV’s previous pseudo-identity) to have a new anonymous identity for this session to maintain un-linkability. Then, EV sends $A{T}_{EV}^{EAG}$, $N_{EV}, \left\{N{’}_{EV}\right\}S{K}_{EV-EAG}$ to EAG.

Step 2:

EAG validates the authenticity of $A{T}_{EV}^{EAG}$ via the signature $Si{g}_{EAG}$ using $P{K}_{EAG}$ and $TL$. Decrypt the $A{T}_{EV}^{EAG}$ using $P{R}_{EAG}$ to retrieve $P{K}_{EV}, K_{EV-EAG}$. EAG needs to compute $S{K}_{EV-EAG}$ in order to obtain $Ai{d}_i,{N^{\prime }}_{EV}, T_{EV}$, and confirm that the $A{T}_{EV}^{EAG}$ was transmitted by the authorized EV. Then, use $N{’}_{EV}$, $T_{EV}$, $Ai{d}_{No}$, $A{T}_{No}$ to generate the temporary key $T{K}_{EV-EAG}$ using Formula (19). Generate $N_{EAG}, T_{EAG},$ a fresh session key $SK{’}_{EV-EAG}$ as in the Formula (20). EAG then sends $\left\{N_{EAG}, T_{EAG}\right\}$ encrypted by $T{K}_{EV-EAG}$ to EV. The EAG manages the EV charging service that is secured by $SK{’}_{EV-EAG}$.

$$T{K}_{EV-EAG}=h\left(A{T}_{No}, Ai{d}_{No}, N{’}_{EV}, T_{EV}\right)$$

(19)

$$SK{’}_{EV-EAG}=h\left(T{K}_{EV-EAG}, K_{EV-EAG}, N_{EAG}, P{K}_{EV}\right)$$

(20)

Step 3:

EV generates the $T{K}_{EV-EAG}$ to retrieve $N_{EAG}$ and verifies $T_{EAG}$. Then, use Formula (20) to create $SK{’}_{EV-EAG}$ for the charging session; $Ai{d}_i$ is updated.

4.6. Revocation Protocol

The scheme offers a revocation mechanism to protect the entities from malicious impersonation and MITM attacks and announce that the parameters are no longer reliable even before the validity period has expired. $Ai{d}_i$ and $A{T}_{EV}^{EAG}$ tokens are revoked in case the EV suspects they were stolen by an adversary, with recency proof (RP) confirming the legitimacy of the OP (e.g., month-old time-stamp proof). The process of $Ai{d}_i$ revocation is detailed as follows:

Step 1:

EV creates the $Ai{d}_i$ revocation request $Re{v}_{EV-id}=\left\{P{K}_{OP}\left(Si{g}_{EV},Ai{d}_i, RevAid, T_{EV}\right)\right\}$; forward it to OP after being encrypted with OP’s public key $P{K}_{OP}$.

Step 2:

OP decrypts the revocation request by its $P{R}_{OP}$ and verifies $Si{g}_{EV}$ using $P{K}_{EV}$ and $Si{g}_{OP}$, which is within $Ai{d}_i$, and to avoid replay attack, OP checks $T_{EV}$ to verify whether it is valid or not. Finally, OP updates the $Ai{d}_i$ status as revoked. A fake revocation request cannot be produced by the adversary since EV’s signature is necessary.

The process of $A{T}_{EV}^{EAG}$ revocation is detailed below:

Step 1:

EV uses Formula (21) to create the $A{T}_{EV}^{EAG}$ revocation request, which is subsequently sent to EAG after being partially encrypted using Formula (22).

$$Re{v}_{EV-AT}=\left\{A{T}_{EV}^{EAG},N_{EV}, V{K}_{EV-EAG}\left(Si{g}_{EV},T_{EV}, RevAT, A{T}_{No}\right)\right\}$$

(21)

$$V{K}_{EV-EAG}=h\left(K_{EV-EAG}, A{T}_{No}, N_{EV}\right)$$

(22)

Step 2:

EAG validates the $A{T}_{EV}^{EAG}$ through the signature using $P{K}_{EAG}$ and decrypts internal part $P{K}_{EAG}\left(P{K}_{EV}, K_{EV-EAG}\right)$ using its $P{R}_{EAG}$. Then, EAG uses $K_{EV-EAG}$, $A{T}_{No}, N_{EV}$, to generate the revocation key $V{K}_{EV-EAG}$ using Formula (22) and retrieving the other part of the message. Verify the request belongs to the same $A{T}_{EV}^{EAG}$ by $A{T}_{No}$ and $Si{g}_{EV}$ using the retrieved $P{K}_{EV}$, then check whether $T_{EV}$ is valid or not. Finally, EAG updates $A{T}_{EV}^{EAG}$ status as revoked. The use of revoked $A{T}_{EV}^{EAG}$ leads to the rejection of EV’s charging service request. Furthermore, since the master key $K_{EV-EAG}$ is used to construct the revocation key $V{K}_{EV-EAG}$, an adversary cannot produce a fake revocation request.

5. Security Analysis

We discuss the proposed protocol’s security analysis as well as formal/informal analysis in this section.

5.1. Formal Security Analysis BAN Logic

In authentication protocols, trust connections are evaluated using authentication logic. BAN logic [45] is a frequently used technique for verifying authentication protocols. The proposed protocols’ authentication goals will be examined and verified using this logic (

Table 3. BAN logic notations.

Notations	Description
P|≡ X	Principal P believes statement X is true.
#(X)	Statement X is fresh.
$P |\Rightarrow$ X	P has jurisdiction over statement X.
$P ⊲$ X	P sees X, indicating that P has received statement X and could read it.
$P |\sim$ X	P once said the statement X.
(X, Y)	The formula (X, Y) includes the terms X or Y.
$\langle X{\rangle }_Y$	X combined with Y.
${\left\{X,Y\right\}}_{K }$	The key K is used to encrypt either X or Y.
${\left(X,Y\right)}_{K }$	The key K is used to hash X or Y.
$P\stackrel{ K }{\leftrightarrow }Q$ $\begin{array}{c}P{K}_{X }\\ \to \end{array}X$	K is a secret parameter that P and Q share (or will share). Entity X’s public key.

). A protocol analysis utilizing BAN logic can be broken down into four steps for each given protocol:

• Clearly state the goals to achieve;
• Form assumptions about the initial situation;
• Affirm the protocol in its idealized state;
• Utilize the logic to obtain associated party beliefs.

The actions and messages of the participating individuals should first be converted into formulas in order to employ the BAN logic. The essential rules for BAN logic are as follows:

Rule1 (Message-meaning rule):

$$R1=\frac{P |\equiv P\stackrel{ K }{\leftrightarrow }Q, \mathrm{P}⊲\langle X{\rangle }_Y}{P \left|\equiv Q \right|\sim X}$$

(23)

Rule2 (Nonce-verification rule):

$$R2=\frac{P \left|\equiv \#\left(X\right),P \right|\equiv Q |\sim X}{P \left|\equiv Q \right|\equiv \mathrm{X}}$$

(24)

Rule3 (Jurisdiction rule):

$$R3=\frac{P \left|\equiv Q|\Rightarrow X,P\right|\equiv Q|\equiv X}{P |\equiv X}$$

(25)

Rule4 (Freshness-conjuncatenation rule):

$$R4=\frac{P |\equiv \# \left(X\right)}{P |\equiv \# \left(X,Y\right)}$$

(26)

Rule5 (Belief rule):

$$R5=\frac{P \left|\equiv \left(X\right),P \right|\equiv \left(Y\right) }{P |\equiv \left(X,Y\right)}$$

(27)

Rule6 (Session keys rule):

$$R6=\frac{P |\equiv \#\left(X\right),P \left|\equiv Q \right|\equiv X }{P |\equiv P\stackrel{ K }{\leftrightarrow }Q}$$

(28)

5.1.1. Analyzing Authentication Protocol

The steps listed below are taken to show that the proposed authentication protocol is accurate.

Step 1:

Goals. The analysis’ key goals, which comprise the secrecy of the exchanged session key, are listed below:

Goal 1:

$EV |\equiv \left(EV\stackrel{ SK }{\leftrightarrow } EAG\right)$

Goal 2:

$EV \left|\equiv EAG \right|\equiv \left(EV\stackrel{ SK }{\leftrightarrow } EAG\right)$

Goal 3:

$EAG |\equiv \left(EV\stackrel{ SK }{\leftrightarrow } EAG\right)$

Goal 4:

$EAG \left|\equiv EV \right|\equiv \left(EV\stackrel{ SK }{\leftrightarrow } EAG\right)$

Step 2:

Assumptions. The proposed protocol’s preliminary assumptions are as follows:

P1.

EAG |≡ # ($T_{EV}$)

P2.

EV |≡ # ($T_{EAG}$)

P3.

EAG |≡ # ($N_{EV}$)

P4.

EAG |≡$(EV\stackrel{ N_{EV}, T_{EV} }{\leftrightarrow }EAG$)

P5.

EV |≡$(EV\stackrel{ T_{EAG} }{\leftrightarrow }EAG$)

P6.

EAG |≡$(EV\stackrel{ K }{\leftrightarrow }EAG$)

P7.

EV |≡$(EV\stackrel{ K }{\leftrightarrow }EAG$)

P8.

EAG|≡ EV$|\Rightarrow$ $(EV\stackrel{ SK }{\leftrightarrow }EAG$)

P9.

EV |≡ EAG$|\Rightarrow$ $(EV\stackrel{ SK }{\leftrightarrow }EAG$)

Step 3:

Idealization. The following is an idealized version of the proposed protocol:

M1.

EV → EAG: $({\{\to \begin{array}{c}P{K}_{EV }\\ \to \end{array}EV\rangle }_{{\mathrm{A}}_{EV}}, N_{EV},$ $T_{EV} {\}}_{\begin{array}{c}P{K}_{EAG }\\ \to \end{array}EAG}$)

M2.

EAG → EV: ${({\{\langle A{T}_{No}\rangle }_{A{T}_{EV}^{EAG}}, T_{EAG}\}}_{h\left(i{d}_{EAG}, N_{EV}, T_{EV}\right)},$ ${\left\{Charge\right\}}_{h\left(EV\stackrel{ K }{\leftrightarrow }EAG, A{T}_{No} , \begin{array}{c}P{K}_{EV }\\ \to \end{array}EV , N_{EV}\right)})$

Step 4:

Analysis. The beliefs that both the EV and EAG can obtain in the proposed protocol are derived here. Then, we investigate, based on BAN logic rules, which authentication goals can be met.

Statement 1: Applying the see rule to M1, we obtain:

$$S1: EAG⊲ ({\{\langle \begin{array}{c}P{K}_{EV }\\ \to \end{array}EV\rangle }_{A_{EV}}, N_{EV}, T_{EV} {\}}_{\begin{array}{c}P{K}_{EAG }\\ \to \end{array}EAG})$$

Statement 2: In accordance with Rule (1) (message-meaning rule) and $S1$ and P6, we obtain:

$$S2: EAG \left|\equiv EV \right|\sim ({\{\langle \begin{array}{c}P{K}_{EV }\\ \to \end{array}EV\rangle }_{A_{EV}}, N_{EV}, T_{EV} {\}}_{\begin{array}{c}P{K}_{EAG }\\ \to \end{array}EAG})$$

Statement 3: In accordance with freshness conjuncatenation (Rule (4)) and nonce verification (Rule (2)) with $S2$, P1, and P3, we obtain:

$$S3: EAG \left|\equiv EV \right|\equiv ({\{\langle \begin{array}{c}P{K}_{EV }\\ \to \end{array}EV\rangle }_{A_{EV}}, N_{EV}, T_{EV} {\}}_{\begin{array}{c}P{K}_{EAG }\\ \to \end{array}EAG})$$

Statement 4: Since the session key $S{K}_{EV-EAG}=h\left(EV\stackrel{ K }{\leftrightarrow }EAG, A{T}_{No} , \begin{array}{c}P{K}_{EV }\\ \to \end{array}EV, N_{EV}\right)$ and based on the session keys rule (Rule (6)) with $S3$ and P4, we obtain:

$$\begin{gathered} S4: EAG \left|\equiv EV \right|\equiv \left(EV\stackrel{ SK }{\leftrightarrow } EAG\right) \\ (\mathrm{Goal} 4) \end{gathered}$$

Statement 5: Based on the jurisdiction (Rule (3)) with $S4$ and P8, we obtain:

$$\begin{gathered} S5: EAG |\equiv \left(EV\stackrel{ SK }{\leftrightarrow } EAG\right) \\ (\mathrm{Goal} 3) \end{gathered}$$

Statement 6: Applying the see rule to M2, we obtain:

$$\begin{array}{c}S6: EV ⊲{({\{\langle A{T}_{No}\rangle }_{A{T}_{EV}^{EAG}}, T_{EAG}\}}_{h\left(i{d}_{EAG}, N_{EV}, T_{EV}\right)}, \hfill \\ {\left\{Charge\right\}}_{h\left(EV\stackrel{ K }{\leftrightarrow }EAG, A{T}_{No} , \begin{array}{c}P{K}_{EV }\\ \to \end{array}EV , N_{EV}\right)})\end{array}$$

Statement 7: In accordance with message meaning (Rule (1)) with $S6$ and P7, we obtain:

$$\begin{gathered} S7: EV \left|\equiv EAG \right|\sim {({\{\langle A{T}_{No}\rangle }_{A{T}_{EV}^{EAG}}, T_{EAG}\}}_{h\left(i{d}_{EAG}, N_{EV}, T_{EV}\right)}, \\ {\left\{Charge\right\}}_{h\left(EV\stackrel{ K }{\leftrightarrow }EAG, A{T}_{No} , \begin{array}{c}P{K}_{EV }\\ \to \end{array}EV , N_{EV}\right)}) \end{gathered}$$

Statement 8: In accordance with freshness conjuncatenation (Rule (4)) and nonce verification (Rule (2)) with $S7$ and P2, we obtain:

$$\begin{gathered} S8: EV \left|\equiv EAG \right|\equiv {({\{\langle A{T}_{No}\rangle }_{A{T}_{EV}^{EAG}}, T_{EAG}\}}_{h\left(i{d}_{EAG}, N_{EV}, T_{EV}\right)}, \\ {\left\{Charge\right\}}_{h\left(EV\stackrel{ K }{\leftrightarrow }EAG, A{T}_{No} , \begin{array}{c}P{K}_{EV }\\ \to \end{array}EV , N_{EV}\right)}) \end{gathered}$$

Statement 9: Since the session key $S{K}_{EV-EAG}=h\left(EV\stackrel{ K }{\leftrightarrow }EAG, A{T}_{No} , \begin{array}{c}P{K}_{EV }\\ \to \end{array}EV, N_{EV}\right)$ and based on the session keys rule (Rule (6)) with $S8$ and P5, we obtain:

$$\begin{gathered} S9: EV \left|\equiv EAG \right|\equiv \left(EV\stackrel{ SK }{\leftrightarrow } EAG\right) \\ (\mathrm{Goal} 2) \end{gathered}$$

Statement 10: Based on the jurisdiction (Rule (3)) with $S9$ and P9, we obtain:

$$\begin{gathered} S10: EV |\equiv \left(EV\stackrel{ SK }{\leftrightarrow } EAG\right) \\ (\mathrm{Goal} 1) \end{gathered}$$

In summary, the proposed protocol provides the EV and EAG with secure mutual authentication. Additionally, based on the achieved Goals 1, 2, 3, and 4, the EV and EAG can confidently share the session key (SK). Accordingly, using BAN logic, we could say that the proposed protocol provides secure mutual authentication, ensuring that the EV and EAG are the only parties with access to the session key, maintaining security.

5.1.2. Analyzing Reauthentication Protocol

To prove that the proposed reauthentication protocol is accurate, the steps listed below are performed.

Step 1:

Goals. The analysis’ key goals, which comprise the secrecy of the exchanged session key, are listed below:

Goal 1:

$EV |\equiv \left(EV\stackrel{ SK’ }{\leftrightarrow } EAG\right)$

Goal 2:

$EV \left|\equiv EAG \right|\equiv \left(EV\stackrel{ SK’ }{\leftrightarrow } EAG\right)$

Goal 3:

$EAG |\equiv \left(EV\stackrel{ SK’ }{\leftrightarrow } EAG\right)$

Goal 4:

$EAG \left|\equiv EV \right|\equiv \left(EV\stackrel{ SK’ }{\leftrightarrow } EAG\right)$

Step 2:

Assumptions. The proposed protocol’s preliminary assumptions are as follows:

P1.

EAG |≡ # ($N{’}_{EV}$)

P2.

EAG |≡ # ($T_{EV}$)

P3.

EAG |≡ # ($N_{EV}$)

P4.

EV |≡ # ($N_{EAG}$)

P5.

EAG |≡$(EV\stackrel{ N_{EV},N{’}_{EV}, T_{EV} }{\leftrightarrow }EAG$)

P6.

EV |≡$(EV\stackrel{ N_{EAG} }{\leftrightarrow }EAG$)

P7.

EAG |≡$(EV\stackrel{ K }{\leftrightarrow }EAG$)

P8.

EV |≡$(EV\stackrel{ K }{\leftrightarrow }EAG$)

P9.

EAG|≡ EV$|\Rightarrow$ $(EV\stackrel{ SK’ }{\leftrightarrow }EAG$)

P10.

EV |≡ EAG$|\Rightarrow$ $(EV\stackrel{ SK’ }{\leftrightarrow }EAG$)

Step 3:

Idealization. The following is an idealized version of the proposed protocol:

M1.

EV → EAG:$({(\langle A{T}_{No}\rangle }_{A{T}_{EV}^{EAG}},{\{\begin{array}{c}P{K}_{EV }\\ \to \end{array}EV,EV\stackrel{ K }{\leftrightarrow }EAG\}}_{\begin{array}{c}P{K}_{EAG }\\ \to \end{array}EAG}),$$N_E,{\left\{{N^{\prime }}_{EV}, T_{EV}, \langle Ai{d}_{No}{\rangle }_{A_{EV}}\right\}}_{h\left(EV\stackrel{ K }{\leftrightarrow }EAG,A{T}_{No} , \begin{array}{c} P{K}_{EV }\\ \to \end{array}EV,N_{EV}\right)}$)

M2.

EAG → EV: $({\left\{N_{EAG}\right\}}_{h\left(A{T}_{No},Ai{d}_{No},{N^{\prime }}_{EV},T_{EV}\right)},$${\left\{Charge\right\}}_{h\left(EV\stackrel{ TK }{\leftrightarrow }EAG,EV\stackrel{ K }{\leftrightarrow }EAG,N_{EAG}, \begin{array}{c} P{K}_{EV }\\ \to \end{array}EV\right)}$)

Step 4:

Analysis. The beliefs that both the EV and EAG can obtain in the proposed protocol are derived here. Then, we investigate which authentication goals can be met.

Statement 1: Applying the see rule to M1, we obtain:

$$\begin{gathered} S1: EAG⊲({(\langle A{T}_{No}\rangle }_{A{T}_{EV}^{EAG}},{\{ \begin{array}{c}P{K}_{EV }\\ \to \end{array}EV, EV\stackrel{ K }{\leftrightarrow }EAG\}}_{\begin{array}{c}P{K}_{EAG }\\ \to \end{array}EAG}), \\ {N}_E, {\left\{{N^{\prime }}_{EV}, T_{EV}, \langle Ai{d}_{No}{\rangle }_{A_{EV}}\right\}}_{h\left(EV\stackrel{ K }{\leftrightarrow }EAG, A{T}_{No} , \begin{array}{c} P{K}_{EV }\\ \to \end{array}EV, N_{EV}\right)}) \end{gathered}$$

Statement 2: In accordance with Rule (1) (message-meaning rule) and $S1$ and P7, we obtain:

$$\begin{gathered} S2: EAG \left|\equiv EV \right|\sim ({(\langle A{T}_{No}\rangle }_{A{T}_{EV}^{EAG}},{\{ \begin{array}{c}P{K}_{EV }\\ \to \end{array}EV, EV\stackrel{ K }{\leftrightarrow }EAG\}}_{\begin{array}{c}P{K}_{EAG }\\ \to \end{array}EAG}), \\ {N}_E,{\left\{{N^{\prime }}_{EV}, T_{EV}, \langle Ai{d}_{No}{\rangle }_{A_{EV}}\right\}}_{h\left(EV\stackrel{ K }{\leftrightarrow }EAG,A{T}_{No} , \begin{array}{c} P{K}_{EV }\\ \to \end{array}EV,N_{EV}\right)}) \end{gathered}$$

Statement 3: In accordance with freshness conjuncatenation (Rule (4)) and nonce verification (Rule (2)) with $S2$, P1, P2, and P3, we obtain:

$$\begin{gathered} S3: EAG \left|\equiv EV \right|\equiv {(\langle A{T}_{No}\rangle }_{A{T}_{EV}^{EAG}},{\{ \begin{array}{c}P{K}_{EV }\\ \to \end{array}EV, EV\stackrel{ K }{\leftrightarrow }EAG\}}_{\begin{array}{c}P{K}_{EAG }\\ \to \end{array}EAG}), \\ {N}_E, {\left\{{N^{\prime }}_{EV}, T_{EV}, \langle Ai{d}_{No}{\rangle }_{A_{EV}}\right\}}_{h\left(EV\stackrel{ K }{\leftrightarrow }EAG, A{T}_{No} , \begin{array}{c} P{K}_{EV }\\ \to \end{array}EV, N_{EV}\right)}) \end{gathered}$$

Statement 4: Since the session key $SK{’}_{EV-EAG}=h\left(EV\stackrel{ TK }{\leftrightarrow }EAG,EV\stackrel{ K }{\leftrightarrow }EAG,N_{EAG}, \begin{array}{c} P{K}_{EV }\\ \to \end{array}EV\right)$, $T{K}_{EV-EAG}=h\left(A{T}_{No},Ai{d}_{No},{N^{\prime }}_{EV},T_{EV}\right)$, and based on the session keys rule (Rule (6)) with $S3$ and P5, we obtain:

$$\begin{gathered} S4: EAG \left|\equiv EV \right|\equiv \left(EV\stackrel{ SK’ }{\leftrightarrow } EAG\right) \\ (\mathrm{Goal} 4) \end{gathered}$$

Statement 5: Based on the jurisdiction (Rule (3)) with $S4$ and P9, we obtain:

$$\begin{gathered} S5: EAG |\equiv \left(EV\stackrel{ SK’ }{\leftrightarrow } EAG\right) \\ (\mathrm{Goal} 3) \end{gathered}$$

Statement 6: Applying the see rule to M2, we obtain:

$$\begin{array}{c}S6: EV ⊲({\left\{N_{EAG}\right\}}_{h\left(A{T}_{No}, Ai{d}_{No}, {N^{\prime }}_{EV}, T_{EV}\right)},\hfill \\ {\left\{Charge\right\}}_{h\left(EV\stackrel{ TK }{\leftrightarrow }EAG, EV\stackrel{ K }{\leftrightarrow }EAG, N_{EAG}, \begin{array}{c} P{K}_{EV }\\ \to \end{array}EV\right)})\end{array}$$

Statement 7: In accordance with message meaning (Rule (1)) with $S6$ and P8, we obtain:

$$\begin{gathered} S7: EV \left|\equiv EAG \right|\sim ({\left\{N_{EAG}\right\}}_{h\left(A{T}_{No}, Ai{d}_{No}, {N^{\prime }}_{EV}, T_{EV}\right)}, \\ {\left\{Charge\right\}}_{h\left(EV\stackrel{ TK }{\leftrightarrow }EAG, EV\stackrel{ K }{\leftrightarrow }EAG, N_{EAG}, \begin{array}{c} P{K}_{EV }\\ \to \end{array}EV\right)}) \end{gathered}$$

Statement 8: In accordance with freshness conjuncatenation (Rule (4)) and nonce verification (Rule (2)) with $S7$ and P4, we obtain:

$$\begin{gathered} S8: EV \left|\equiv EAG \right|\equiv ({\left\{N_{EAG}\right\}}_{h\left(A{T}_{No}, Ai{d}_{No}, {N^{\prime }}_{EV}, T_{EV}\right)}, \\ {\left\{Charge\right\}}_{h\left(EV\stackrel{ TK }{\leftrightarrow }EAG, EV\stackrel{ K }{\leftrightarrow }EAG, N_{EAG}, \begin{array}{c} P{K}_{EV }\\ \to \end{array}EV\right)}) \end{gathered}$$

Statement 9: Since the session key $SK{’}_{EV-EAG}=h\left(EV\stackrel{ TK }{\leftrightarrow }EAG,EV\stackrel{ K }{\leftrightarrow }EAG,N_{EAG}, \begin{array}{c} P{K}_{EV }\\ \to \end{array}EV\right)$ and based on the session keys rule (Rule (6)) with $S3$ and P6, we obtain:

$$\begin{gathered} S9: EV \left|\equiv EAG \right|\equiv \left(EV\stackrel{ SK’ }{\leftrightarrow } EAG\right) \\ (\mathrm{Goal} 2) \end{gathered}$$

Statement 10: Based on the jurisdiction (Rule (3)) with $S9$ and P10, we obtain:

$$\begin{gathered} S10: EV |\equiv \left(EV\stackrel{ SK’ }{\leftrightarrow } EAG\right) \\ (\mathrm{Goal} 1) \end{gathered}$$

Achieving Goals 1, 2, 3, and 4 implies that the proposed protocol offers secure mutual authentication and the session key is exclusively shared for security between the EV and EAG.

5.2. Security Simulation with AVISPA Tool

A popular formal security verification method used to evaluate if systems or protocols can withstand replay and MITM assaults [46,47,48,49] is the automated validation of internet security-sensitive protocols and applications (AVISPA) tool [50], using a security protocol animator (SPAN) [51]. In order to evaluate the authentication protocol’s resilience to MITM and replay attacks, we conducted a formal security test of the proposed system using the AVISPA simulation tool.

The high-level protocol specification language (HLPSL) was used to write the AVISPA module [52]. The HLPSL is composed of four backends: SAT-based model checker (SATMC), tree, automate-based protocol analyzer (TA4SP), CL-based attack searcher (CL-AtSe) [53], and on-the-fly model checker (OFMC) [54].

5.2.1. Mutual Authentication HLPSL Specification of AVISPA Simulation

Role, session, and environment are the three components of the HLPSL, where role denotes an entity, session denotes system parameters, and environment denotes the knowledge of the intruder, security, and authentication objectives. The mutual authentication HLPSL specifications for different roles (EV, OP, and EAG) are shown in Figure 8, Figure 9 and Figure 10, respectively. Figure 11 shows the specifications of the session and environment.

The role of the EV is presented in Figure 8. As soon as an EV enters its initial transition (State 0), it obtains the starting request and begins the registration procedure by sending a request $\left\{i{d}_{EV}, R_{EV}, N_{EV}, I_{EV}\right\}$ encrypted with $P{K}_{OP}$ to the OP via an open channel, changes the state value to 2, and then employs the secret function to determine whether the entity is a legitimate user.

In State 2, the EV receives its credentials $\left\{A_{EV}, A{H}_{EV}, Ai{d}_i,S_{EV}\right\}$ encrypted with $RK$ from the OP and sends the authentication request $\left\{A_{EV}, N_{EV}, T_{EV}\right\}$ encrypted with $P{K}_{EAG}$ to the EAG via an open channel and modifies the state value to 4. Moreover, witness(EV, EAG, ev_eag_auth, $Ai{d}_i’$) is declared by the EV to show that $Ai{d}_i’$ is a weak authentication factor. In State 4, the EV receives the response $\left\{A{T}_{EV}^{EAG}, T_{EAG}\right\}$ encrypted by $I{K}_{EV-EAG}$ from the EAG, modifies the state value to 6, and calculates the session key $S{K}_{EV-EAG}$; EV declare request(EAG, EV, eag_ev_auth, $A{T}_{EV}^{EAG}’$) to authenticate each other.

5.2.2. Mutual Authentication AVISPA Verification Results

In order to assess the proposed mutual authentication scheme’s security, we display the AVISPA findings and use the OFMC and CL-AtSe. The OFMC validates that the proposed system is safe against MITM attacks. Furthermore, the CL-AtSe illustrates the protocol’s resistance to replay attacks. The proposed mutual authentication technique is safe against MITM and replay attacks, as shown in Figure 12, which shows the results of the AVISPA simulation.

5.2.3. Reauthentication HLPSL Specifications of AVISPA Simulation

The reauthentication HLPSL specifications for different roles (EV and EAG) are shown in Figure 13 and Figure 14, respectively. Figure 15 shows the specifications of the session and environment.

The role of EV is presented in Figure 13. At an EV’s first transition (State 0), it receives the starting request and then the EV sends the request $\{A{T}_{EV}^{EAG}$, $N_{EV}, \{Ai{d}_i^{’},N{’}_{EV}.T_{EV}\}S{K}_{EV-EAG}\}$ to the EAG via an open channel, modifies the state value to 1, and then uses the secret function to validate if the entity is a legitimate user. Moreover, witness(EV, EAG, ev_eag_auth, $A{T}_{EV}^{EAG}$) is declared by the EV to show that $A{T}_{EV}^{EAG}$ is a weak authentication factor.

In State 1, the EV receives the response $\left\{N_{EAG}’, T_{EAG}’\right\}$ encrypted by $T{K}_{EV-EAG}$ from the EAG, modifies the state value to 2, and calculates the session key $SK{’}_{EV-EAG}$; EV declare request(EAG, EV, eag_ev_auth, $N_{EAG}’$) to authenticate each other.

5.2.4. Reauthentication AVISPA Verification Results

In order to assess the proposed reauthentication scheme’s security, we display the AVISPA findings and use the OFMC and CL-AtSe. The proposed reauthentication system is resilient to MITM and replay attacks as an outcome of the AVISPA simulation, as illustrated in Figure 16.

5.3. Informal Security Analysis

To show that the previously stated solution requirements are met, the proposed protocol is analyzed:

5.3.1. Mutual Authentication

Through the verification of the OP’s signature on the $A_{EAG}$, which holds the EAG’s identity and certificate $Cer{t}_{EAG}$, the EV can ensure that it interacts with the valid EAG during the authentication phase. The EAG also can validate an EV by two credentials, the OP’s signature on the $A_{EV}$, which contains the EV’s certificate $Cer{t}_{EV}$, and the EV’s signature $Si{g}_{EV}$ in its $Ai{d}_i$. Our system can successfully create mutual authentication among the communicating entities (EV and EAG), as shown by a BAN logic demonstration that we carried out as well.

5.3.2. Anonymity

The EV’s true identity $i{d}_{EV}$ is encrypted using the OP’s public key $P{K}_{OP}\left(i{d}_{EV}\right)$ in the $Ai{d}_i$, which is issued during the registration phase. It can be accessed by the OP only and no other party. Therefore, neither the EAG nor any other party may reveal $i{d}_{EV}$. This was dissimilar to the studies [26,38], which used the real identity of the EV in the authentication phase, threatening its privacy.

5.3.3. Un-Linkability

For every session, the EV will have an anonymous identity ($Ai{d}_i$). As the $Ai{d}_i$ was initialized by the OP, EV increments the previous $Ai{d}_i$ sequentially (add 1) for each charging session requested by EV. This was dissimilar to the studies [35,36], where every new charging request contains information about the previous charge, or the EV is associated with a single group until it requests a group change. These techniques enable the adversary to track the targeted EV and threaten its privacy. However, because they have different identities, the proposed protocol sessions are un-linkable to one another.

5.3.4. Traceability

The EV utilizes an anonymous identity $Ai{d}_i$ issued by the OP and even though the EV’s real identity is hidden and protected $P{K}_{OP}\left(i{d}_{EV}\right)$ within $Ai{d}_i$, malicious EVs or misbehaving EVs cannot get away unknown by the authorities. Only the OP can reveal $i{d}_{EV}$ if necessary to maintain order in the system. Other schemes such as [27] concealed the real identity even from the system operator to preserve anonymity. Anonymity maintenance should not be absolute in order to protect the system and work as required by all parties.

5.3.5. Forward/Backward Security

The future/old session keys’ ($S{K}_{EV-EAG}$) secrecy should not be affected in the case an adversary were able to capture any $S{K}_{EV-EAG}$. Dynamic session keys are generated for the authentication phase as it includes a unique random number $N_{EV}.$ For the reauthentication phase, it includes a unique random number $N_{EAG}$. A symmetric temporary key ($T{K}_{EV-EAG}$) protects the $N_{EAG}$, and in every new session $T{K}_{EV-EAG}$ updates dynamically with a new unique random number $N{’}_{EV}$. Moreover, since the master shared key $K_{EV-EAG}$ is a long-lasting key, it was not used to encrypt any message transmitted between the EV and EAG. If the adversary guesses one of the session keys, he/she will only be able to view the relevant communication since each session creates a different session key. As a result, the proposed protocol ensures both forward and backward protection.

5.3.6. Joint Key Control

Without the assistance of other parties (even an OP), a random number $N$ is generated by both parties (EV and EAG) included within the session key ($S{K}_{EV-EAG}$) as well as a fresh session key ($SK{’}_{EV-EAG}$). Only these two individuals are able to receive the master key $K_{EV-EAG}$ because it is generated by the combination of their private and public keys. Thus, the proposed protocol provides joint key control. This is dissimilar to studies [25,31], where the session key is provided by the service provider.

5.3.7. Effective Reauthentication

To shorten the time consumed and reduce the cost, the EAG reauthenticates the EV within the 48-h time-life of the issued $A{T}_{EV}^{EAG}$. The EAG first relies on information from the OP (trusted third party) to authenticate the EV. Afterward, the EAG can authenticate the EV directly without the OP’s information, as an EV holds $A{T}_{EV}^{EAG}$, unlike the schemes [25,26,27,28,29,30,31,32,33,34,35,36,37,38]. Hence, they established full trust between them (EAG and EV).

5.3.8. Revocation Functionality

To prevent the misuse of stolen tokens ($A_{EV}, Ai{d}_i$, or $A{T}_{EV}^{EAG}$) by an adversary or in the case the EV reports to the OP to revoke its $Ai{d}_i$ $A_{EV}$, or the EV report to the EAG to revoke its $A{T}_{EV}^{EAG}$, the tokens will be considered revoked. The revocation protocol gives the EV a way to alert either the OP or EAG if it suspects an $Ai{d}_i$, $A_{EV}$, or $A{T}_{EV}^{EAG}$ has been stolen through recency proof (RP). Related work [25] did not provide a revocation method for the pseudonyms issued by the service provider.

5.3.9. Resist MITM/Replay Attack

Even if the attacker manages to steal $A_{EV}$, the master key ($K_{EV-EAG}$) for EAG authentication must be generated using the EV’s private key. In the case that the adversary is able to capture $A{T}_{EV}^{EAG}$, the master key ($K_{EV-EAG}$) cannot be recovered since it is encrypted within $A{T}_{EV}^{EAG}$ using the EAG’s public key. The adversary will, therefore, be unable to generate the session key required for a MITM attack without $K_{EV-EAG}$. Additionally, in order to prevent replays of previous sessions, random numbers and time stamps are transmitted in every communication between the parties. Therefore, a replay attack is not possible in the proposed protocol.

5.3.10. Resist Impersonation Attack

An adversary with an EAG or OP name cannot generate $A_{EV},$ $Ai{d}_i,$ or $A{T}_{EV}^{EAG}$ tokens, as they involve the issuer’s signature. So, $A_{EV},Ai{d}_i ,$ and $A{T}_{EV}^{EAG}$ counterfeiting or cloning is doubtful, because the issuer’s signature may be used to verify the legitimacy.

5.3.11. Resist DOS Attack

We incorporated the message-specific puzzles and client puzzles of [55] into our authentication mechanisms to thwart DoS attacks. Each EAG handles access requests normally, that is, without discrimination, when there is no evidence of a DoS attack. However, if an EAG suspects a DoS attack, it selectively executes expensive access request authentication. Particularly, the EAG inserts a special puzzle within the beacon messages and demands the puzzle answer be included in each access request message. Only when the answer is correct does the EAG dedicate resources to handle an access request.

6. Comparison with Related Schemes

The proposed approach is compared with related systems in this section based on security and functional properties as well as computing costs. These are the existing EV charging system schemes that have an emphasis on secure EV-to-EAG communication.

6.1. Security and Functional Features Comparison

Table 4. Comparison of the proposed protocol’s security features with similar studies. Note: ”✓” means “available”; ”×” means “not available”.

Feature/Approach	Li et al. [25]	Rabieh and Wei [30]	Gunukula et al. [31]	Huang et al. [26]	Roman et al. [36]	Kim et al. [27]	Roman and Gondim [32]	Vaidya and Mouftah [38]	Kumar et al. [37]	ElGhanam et al. [28]	Xia et al. [35]	Proposed
	2016	2017	2017	2018	2019	2019	2019	2020	2020	2021	2021	2022
Mutual Authentication	✓	✓	✓	✓	✓	✓	✓	×	×	✓	✓	✓
Forward security	×	×	×	✓	✓	✓	✓	×	✓	✓	×	✓
Anonymity	✓	✓	✓	×	✓	✓	✓	×	✓	✓	✓	✓
Resist replay attack	✓	✓	×	✓	✓	✓	✓	×	✓	✓	✓	✓
Resist impersonation attack	×	×	×	×	✓	✓	✓	✓	✓	✓	✓	✓
Resist MITM attack	✓	×	✓	✓	✓	✓	✓	✓	✓	✓	✓	✓
Backward security	×	×	×	×	✓	×	×	×	×	×	×	✓
Un-linkability	×	✓	✓	×	×	×	✓	×	×	✓	×	✓
Traceability	×	×	×	×	×	×	×	×	×	×	✓	✓
Effective Reauthentication	×	×	×	×	×	×	×	×	×	×	×	✓
Revocation method	×	✓	×	×	×	×	✓	×	×	✓	×	✓
Joint key control	×	✓	×	✓	✓	✓	×	×	×	×	×	✓
Number of Messages (EV)	2	2	5	3	2	2	5	3	1	2	1	2

displays the suggested system’s security and functional feature evaluation along with the related systems. There are well-known attacks that could be used against the solutions in [26,30,31,34,38]. Furthermore, solutions in [25,26,27,28,29,30,31,32,33,34,35,36,37,38] do not meet the necessary security and privacy-preservation criteria for EV charging, incorporating traceability, un-linkability, backward security, and efficient re-authentication. In [31,32] it requires an additional message, which increases the overhead on the communication channel. When compared to similar studies, it is shown that our proposed scheme meets all solution requirements.

6.2. Computational Cost Comparison

Based on all of the operations that the authentication protocols offer, this section determines the computing cost of the protocols. The EAG performs at a high level; thus, it has the potential to carry out all necessary processes. In contrast to the EAG, the computational resources and memory of EVs are constrained. Therefore, we must focus on the EV computational costs. An illustration of the timing operations is shown in

Table 5. Operations’ Timing [37,56].

Notation/Operation	${\mathit{T}}_{\mathit{e}\mathit{n}\mathit{c}-\mathit{e}\mathit{c}\mathit{c}}/\mathbf{Elliptic} \mathbf{Curve} \mathbf{Encryption}$	${\mathit{T}}_{\mathit{h}}/\mathbf{Hash}$	${\mathit{T}}_{\mathit{s}\mathit{y}\mathit{m}}/\mathbf{Symmetric}$
Time (ms)	0.43	0.0023	0.0046

.

Table 6. Comparison of the computational cost.

Approach/Efficiency Feature	EV’s Computational Cost
	Authentication Phase	Reauthentication Phase
Kim et al.’s scheme 27	$T_{enc-ecc}+9T_h\approx 0.4484 \mathrm{ms}$	$T_{enc-ecc}+9T_h\approx 0.4484 \mathrm{ms}$
Kumar et al.’s scheme 37	$T_{enc-ecc}+2T_h \approx 0.4346 \mathrm{ms}$	$T_{enc-ecc}+2T_h \approx 0.4346 \mathrm{ms}$
Proposed scheme	$T_{enc-ecc}+3T_h+2T_{sym} \approx 0.4461 \mathrm{ms}$	$3T_h+3T_{sym} \approx 0.0207 \mathrm{ms}$

and Figure 17 indicate the computing costs of the proposed protocol and relevant studies. According to [37,56], a one-way hash function ($T_h$) takes $\approx$ 0.0023 milliseconds (ms), the symmetric encryption ($T_{sym}$) takes $\approx$ 0.0046 ms, and the elliptic curve encryption ($T_{enc-ecc}$) takes $\approx$ 0.43 ms.

For the authentication phase, the EV’s computational cost in Kim et al.’s scheme [27] requires $\approx 0.4484$ ms, while in Kumar et al.’s scheme [37], it requires $\approx 0.4346$ ms. The proposed protocol requires $\approx$ $0.4461$ ms; although it is slightly higher than Kumar et al.’s scheme [37], it provides better security and privacy preservation for the EV. In terms of the reauthentication process for the EV, the proposed protocol requires $\approx 0.0207$ ms, while Kim et al.’s scheme [27] requires $\approx 0.4484$ ms, and Kumar et al.’s scheme [37] requires $\approx 0.4346$ ms. Hence, the computational cost of the proposed reauthentication protocol is nearly 95% less than previous protocols. Considering the EV’s capability, it is clear now that the proposed protocol outperforms the previous two protocols.

7. Conclusions

An efficient, secure, privacy-preserving authentication system for an electric vehicle charging system is provided in this work. It also includes a reauthentication protocol to minimize the overhead of subsequent authentication processes. A smaller certificate and faster computation have been made available by using the ECQV mechanism’s implicit authentication, which is better suited to IoT devices with fewer resources than the conventional certificate. The proposed protocol’s ability to perform mutual authentication and meet solution requirements has been demonstrated using BAN logic and informal security analysis. The comparison with previous research reveals that while Kumar et al.‘s scheme [37] efficiently reduces the cost of the authentication computational process by around 2.5%, the proposed scheme provides the EV with enhanced security and privacy preservation. However, compared to the other two protocols, the proposed reauthentication protocol outperforms them, with a reduction of about 95%. The real-time experiment is one of the limitations of the proposed scheme. For future work, we intend to study the utilization of machine learning and artificial intelligence to cover a wider range of security. Additionally, we will consider the utilization of a combined certification model (software and hardware certification mechanism). We also suggest studying the possibility of either improving existing evaluation tools (AVISPA, ProVerif, etc.) or exploring new implementations to cover the gap between theoretical analysis and actual implementation.