1. Introduction

Transportation produces over 30% of global greenhouse gas (GHG) emissions, which has a big impact on air quality [1]. With environmental concerns and a reduction in fossil fuel consumption, countries are increasingly promoting clean renewable energy alternatives to fossil energy. The electric vehicle (EV) is a good choice for tackling the energy crisis and climate change because it is reasonably priced and emission-free. EVs have recently attracted a lot of attention as a way to cut fuel use and GHG emissions and increase energy efficiency [2].

For three primary reasons, the growth of EVs is expected to continue, even with a higher rate of adoption in the coming years [3]:

• Clean-fuel vehicles and initiatives to reduce carbon emissions should be encouraged: Saudi Arabia, the world’s leading oil producer, declared that at least 30% of the cars in its capital city will be electric by 2030. Similarly, China seeks 25% of all new cars to be electrified by 2025. The UK attempts to stop producing and selling fossil-fuel vehicles by 2030 [4].

• Resolve uncertainty for EV drivers: EV drivers still face uncertainty, even though more people are adopting the technology. As reported by the climate group EV100′s members, the most significant challenge that users are concerned about is the availability of EV charging stations (e.g., charging station location, EV parking space, and charge cost) [5,6]. As a result, charging stations need to be strategically positioned and used efficiently as the demand for EVs increases [7]. Because work was disrupted in major areas due to the COVID-19 pandemic, the installation of publicly available chargers increased by 45%, a slower rate than the 85% seen in 2019. The company also cited a persistent barrier as the lack of suitable vehicle types. The cost of buying an electric vehicle remains a significant barrier [5];

• Make EV charging a smooth experience: Remote control using smartphone applications is one of the features of smart EV charging. This feature makes EV charging faster as well as easier to use and, hence, more accessible to a wider variety of clients [3].

Advancements in distributed renewable production, storage systems, and EVs are causing evolving energy systems to become more decentralized. Energy services are rapidly being offered by businesses (such as individual sellers who produce renewable energy from their homes or EV owners who have charging piles installed in their homes) that have not developed trust connections with the consumers and stakeholders in these new systems [8]. The quality of power distributed by the grid is impacted by unregulated electric vehicle charging systems, which results in significant load changes in the electrical grid. As a result, existing energy systems experience severe negative effects, such as higher load peaks, degradation in power quality, and higher consumption of energy [9].

While an EV is connected to an electric vehicle charging station (EVCS), the energy aggregator (EAG) and EV continually exchange information. The EAG functions as an information collector for EVs and controls the charging of the EVs. The EV reports confidential details, such as the EV’s identity (ID), battery status, consumed energy, and geographical location, to potentially untrustworthy charging entities [10]. The EV can share its distance from the service provider to hide the vehicle’s exact location from adversaries. However, it is feasible for adversaries to determine the EV’s precise location when its distance is disclosed [11]. Additional critical information, including the EV’s identification information, its owners, and its travel behavior, can be inferred from the given information [12]. The information shared can be subject to numerous forms of attacks, since the EV and EAG connect using the internet, Wi-Fi, Bluetooth, dedicated short-range communications (DSRC), etc. These attacks may lead to inconsistent battery charging, poor EVCS operation, money theft, incorrect payment transaction outcomes, and more. The primary attacks that could happen are denial-of-service (DoS) attacks, replay attacks, impersonation attacks, and man-in-the-middle (MITM) attacks [10].

1.1. Problem Statement

One of the biggest hurdles to the widespread adoption of EVs is EV charging. Legal authorities are responsible for issuing EV credentials, which allow vehicle identification and authentication. Because these credentials hold EVs’ genuine identifiers, they can be used to track vehicles. Furthermore, certain data in the electrical transactions must be hidden to prevent personal information (e.g., EV identity, battery charge status, geographical location, payment information, etc.) from being leaked. Furthermore, if a vehicle is not validated, an adversary vehicle can easily imitate an authorized vehicle to broadcast false information. This is because trading data can be utilized to analyze individuals’ behaviors and invade their privacy. For instance, EV charging schedules can reveal when an owner remains at home or outside, allowing potential criminals to attempt robbery [13]. Furthermore, the majority of deployed EV charging stations lack physical security and are seldom supervised; an adversary could cause damage to it or install malware in them. Such malware could be utilized to steal energy, obtain users’ data (such as ID card number to impersonate their identity for a transaction), or disrupt EV charging by causing a denial of service [14]. Additionally, in a wireless sensor network (WSN), a passive adversary may secretly intercept messages and employ traffic analysis methods to deduce details about the structure of the network topology and the profiles of network entities [15]. As a result, how to protect end-user privacy while dealing with electrical transaction data becomes a significant privacy-preserving challenge for researchers throughout EV charging and discharging.

An Elliptic Curve Qu–Vanstone (ECQV)-based EV charging system may be created to address these issues and provide security and straightforward authentication to EV clients. The ECQV implicit certificate is necessary for enabling mutual authentication, key establishment, and secret key exchange for Internet of Things (IoT) devices. There have been several EV charging solutions suggested to offer security and privacy preservation. However, the terms privacy and anonymity are sometimes used interchangeably. Privacy is much broader and refers to all aspects of maintaining user privacy, whereas anonymity is focused on maintaining user identity confidentiality. These systems tend to lack in achieving a balance between the need for privacy (trade traceability to achieve anonymity, etc.) and security considerations.

1.2. Paper Motivation and Contribution

In an effort to meet the requirements for preserving privacy and security mentioned previously, these are the contributions made by this paper:

• Present an ECQV-based authentication solution that is more effective at preserving privacy and providing secure authentication for electric vehicle charging stations;

• Use Burrows–Abadi–Needham (BAN) logic and the AVISPA simulation tool to conduct a formal security study to demonstrate that the proposed scheme is secure against numerous attacks. In addition, we perform an informal security analysis to show the proposed protocol’s security;

• Compare the computational costs with other related work, to illustrate that the proposed techniques will perform better.

1.3. Paper Organization

Following is the format for the remaining portion of the paper: Section 2 covers the preliminary material. In Section 3, we show an analysis of the literature that is relevant to the proposed protocol. In Section 4, the proposed scheme is presented. The formal and informal security analyses are discussed in Section 5. In Section 6, security, functional, and computational aspects are compared with those of related schemes. Finally, Section 7 is the conclusion.

2. Preliminaries

The criteria for EV charging’s authentication solution are covered in this section. Additionally, the concept of an elliptic curve Qu–Vanstone (ECQV) implicit certificate is introduced in this section.

2.1. Solution Requirements

Authentication that protects the privacy and the system’s ability to thwart both active and passive attacks (against system entities) are necessary for the feasibility and acceptability of EV charging systems. These key security requirements must be met before a charging system may be used. However, the current approaches have flaws that raise several questions about EV charging systems. As a result, the proposed scheme needs to fulfill the following criteria:

• Mutual authentication: The system must allow the parties to confirm one another’s identities and guarantee that communication is based on trust. To verify the EAG’s identification and registration with the trusted charging system operator (OP), the EV must authenticate the EAG. The EAG will verify the EV’s registration with the OP concurrently. The OP issues certificates for authentication, consequently reducing the likelihood of a masquerade attack [16];

• Anonymity: Anonymity is the capability to evade being recognized within a group of subjects. The EV’s true identity should not be revealed to the EAG while it is charging [17]. Un-traceability is the ability to keep the activities of a subject un-traceable. Eavesdroppers cannot guess or trace the EV’s activities [16];

• Un-linkability: Un-linkability is where the attacker cannot tell whether two actions are related. EVs during various charging sessions should not be linkable [17];

• Traceability: This characteristic guarantees that, if necessary, the trustworthy organization (OP) can determine or reveal a malicious EV’s real identity [18];

• Perfect forward security: If a long-lasting private key is exposed, the adversary cannot obtain a future session key [19];

• Perfect backward security: If a long-lasting private key is exposed, an adversary cannot obtain the old session key [19];

• Joint key control: The session key will be created using a random number that is contributed by both EAG and EV. As a result, no other party has access to or can acquire any session keys;

• Effective reauthentication: The process where the EAG reauthenticates the EV, causing an overhead. The EAG should, therefore, be able to verify the EV using the information given by a reliable third party (OP) during the initial encounter. Therefore, the EAG does not need to rely on the OP for future access because it can reauthenticate the EV;

• Revocation method: If a user’s registration is ended or the EAG/EV secret key is publicly disclosed, the corresponding information should be revoked. It is critical to grant a revocation mechanism for the system;

• Attack resistance: Adversaries may launch attacks during the communication between EAG and EV, as it is carried out in an insecure environment. Thus, the proposed scheme must be capable of thwarting attacks such as MITM attacks, replay attacks, impersonation attacks, etc.

2.2. ECQV Implicit Certificates

In comparison to the standard certificate (such as X.509 certificates), the implicit certificate provided by the ECQV method offers the advantages of having a smaller certificate that is computationally quicker and more ideal for IoT devices with limited resources [20].

A conventional certificate needs to have its signature verified, whereas an implicit certificate only needs to have its public key derived, and the latter is quicker than the former. The entity seeking the security material is the only one who can derive the private key; hence it is not even accessible to the certificate authority (CA). Hence, the technique is protected against key escrow attacks. Furthermore, a secure connection is not necessary during the operation because all variables may be delivered via the open channel [21].

• (1). ECQV Basic Notations

In Table 1 below, the fundamental notations used in the ECQV scheme are defined.

• (2). ECQV Algorithms

ECQV implicit certificates are produced using ECQV technology, which is based on elliptic curve cryptography. The elliptic curve domain settings for this method must be agreed upon by the entities and the CA before it can be used. Figure 1 shows the details of this strategy, which consists of three steps [22]:

• ECQV certificate request: A user generates an EC pair of keys and sends the public key together with the user’s ID to the CA;

• ECQV certificate generation: The CA validates the ID and creates data for public reconstruction that may be used to obtain the user’s public key. Next, ECQV certificate data are incorporated and contain both ID and public reconstruction information. The resulting ECQV certificate and the private key of the CA are then used to compute the user’s private reconstruction data. The user then receives the private reconstruction data and the ECQV certificate from the CA;

• ECQV certificate reception: The user creates a public/private-key pair using the first step’s private key, private reconstruction information, and ECQV certificate (acquired from CA). In order to confirm that the obtained certificate was indeed issued by the CA, the user then performs a verification process.

IoT devices can create a secure communication channel using ECQV implicit certificates and Elliptic Curve Diffie–Hellman (ECDH) for authenticated key exchange. The process of the ECQV implicit certificate-based authenticated key exchange algorithm is presented in Figure 2.

3. Literature Review

The most relevant, significant EV charging privacy preservation and security techniques are reviewed in this section. Multiple security systems already in use are discussed, as well as their advantages and disadvantages, along with the efforts this study took to solve the issues. To simplify the authentication process and make it less difficult, this work aims to propose a safe authentication strategy for EV charging that protects the privacy and offers a reliable reauthentication mechanism. Previous works in the security and privacy systems sectors have been reviewed for the intended outcome.

There are two main categories that the authentication protocols fall into: public-key authentication and symmetric-key authentication. Asymmetric cryptography, commonly known as public-key cryptography, is an encryption/decryption technique that utilizes a key pair made up of public/private keys [23]. However, symmetric-key cryptography relies on a single key that may be used for both encryption/decryption [24].

It was recently demonstrated that utilizing only XOR and hash operations in symmetric-key-based authentication protocols [25,26,27] can ensure anonymity and the un-traceability of a user’s behavior. Li et al. (2017) applied symmetric-key cryptography to provide an authentication technique for a dynamic charge system. The technique enables EVs to authenticate anonymously to charging piles (CP) while maintaining their geographical privacy. However, the process of forwarding the credentials (pseudonyms) and the distribution of associated keys to all CPs is inefficient, as it requires a large space to store all these data within CPs and leads to communication overhead. Additionally, an EV’s real identity is revealed to the service provider to create the pseudonym identity, which is risky and expensive computationally [25].

For EV charging, a blockchain-based security model was proposed by Huang et al. (2018). It provides mutual authentication through symmetric-key cryptography. However, the lightning network charging mechanism was not efficient, and the system was not able to protect the security of the keys. Moreover, the proposed model lacks privacy-preserving features such as anonymity, un-likability, and traceability. Moreover, the proposed authentication protocol requires a secure channel between EV and CP, which is hard to establish and increases the overall cost of the system [26].

The blockchain-based security framework introduced by Kim et al. (2019) used XOR and hash operations to reduce the computational cost of communication. However, the process of authentication must be repeated for each charging session. Furthermore, due to the requirement of all nodes to solve the mathematical computation, the system suffers from latency as the number of electric vehicles grows. Moreover, it does not provide some required privacy-preserving features including un-linkability and traceability [27].

To guarantee secure communication among the various network components, a combination of asymmetric and symmetric cryptography with simple hashing can be used. ElGhanam et al. (2021) applied this combination to provide a lightweight authentication mechanism that enables legitimate EVs to charge while assuring secure and fair payments. The mechanism resists well-known attacks such as replay attacks, MITM attacks, and impersonation attacks. For privacy preservation, it ensures an EV’s real identity, anonymity, and un-linkability through the utilization of pseudonyms for each charging process. However, it only provides partial privacy preservation to the EV, as it fails to ensure traceability. If required, the charging company cannot disclose the true identity of the EV that is acting maliciously or inappropriately. They encouraged other researchers to utilize asymmetric cryptography techniques to reduce the computational costs of their scheme [28].

For dynamic charging systems, Babu et al. (2021) presented a robust elliptic curve cryptography-based authentication mechanism. The proposed scheme can mitigate well-known EV attacks including replay attacks, MITM attacks, impersonation attacks, etc. For privacy preservation, it ensures an EV’s anonymity and un-traceability. However, similar to other studies in the literature review, it only provides partial privacy preservation to the EV, as there are no mechanisms for un-linkability, traceability, or reauthentication to cut down on communication costs during the authentication process [29].

To preserve the privacy of vehicles, an EV can be first authenticated to the EVCS using a blind signature [30,31,32]. A digital signature known as a “blind signature” enables the user to have the signer sign any document without being aware of what it contains [33]. Rabieh and Wei (2017) applied a blind signature along with a hash chain to authenticate EVs for dynamic charging while keeping their identities anonymous and un-linkable to other sessions. This was achieved through the usage of pseudonym tickets (to ensure un-linkability) that are published in the revocation list used for authentication and the need for EVs to authenticate themselves multiple times in all phases of the scheme. Unfortunately, the scheme suffers from latency and requires large storage as the number of EVs increases. Moreover, these pseudonyms are generated by EVs randomly and are unregulated. If an EV generates a repeated pseudonym without its knowledge, it will be rejected at the charging center [30].

A partial blind signature along with a hash chain to authenticate EVs for dynamic charging was proposed by Gunukula et al. (2017) to maintain privacy (anonymity and un-linkability). It guarantees resistance to MITM attacks; however, it does not investigate other attacks that could have a wide impact on the system. Furthermore, the system relies on the bank to verify the validity of charging coins, which in turn causes a delay in the authentication process [31].

Roman and Gondim (2019), proposed an authentication protocol for EV dynamic charging infrastructure based on a blind signature along with a hash chain. It ensures resistance to well-known attacks, anonymity, and un-linkability. On the other hand, the scheme requires a secure channel (as it reveals EVs’ real identities) in the ticket-purchasing phase; secure channel establishment is hard and is mainly achieved by physical contact prior to the service request from the charging company. We believe that better solutions exist for handling such requirements [32].

Other techniques used to authenticate EVs and maintain their privacy are public-key, sign-encryption, and group-signature algorithms. They allow signing messages exchanged by EV users, making it impossible for malicious individuals or other network attackers to learn target EVs’ real identities. In contrast to the signature-then-encryption method, signcryption is public-key cryptography (PKC) primitive that simultaneously delivers a digital signature and public-key encryption [34].

Xia et al. (2021) applied the concept of group-signature-based authentication to eliminate the disclosure of an EV’s identity to entities other than the CA. Fog computing was used to reduce the interaction between EVs and cloud servers. However, the scheme needs to reduce the entities’ interaction, as it is considered to be high [35].

Two of the techniques used to improve the protocol’s communication cost are partial identity-based signcryption (IBSC) and pairing-based protocol for EV group authentication, as in the protocol proposed by Roman et al. (2019), where a group message is used to protect the anonymity of EVs. The protocol ensures communication confidentiality, location privacy, and resistance to several attacks. However, at the registration stage, a public/private-key pair is generated for the group; due to this process, there is a need for larger storage and the issue of single-group association must be considered (unchanged until EV requests to leave the group). Furthermore, there is no plan in place to guard against the compromise of single-group association [36].

Kumar et al. (2020) introduced a framework for EV charging using signcryption cryptography to ensure security and privacy preservation. It uses pseudo-identity to provide anonymity for EVs and it resists several attacks including replay attacks, MITM attacks, impersonation attacks, etc. However, the scheme does not provide un-linkability, traceability, or a mutual or reauthentication mechanism to reduce the overhead of the authentication process [37].

Public-key infrastructure (PKI) with smart cards or contract certificates was proposed by Vaidya and Mouftah (2020) to authenticate EVs in plug-and-charge systems. The scheme ensures resistance to MITM and impersonation attacks. However, it does not provide assurance against replay and stolen card attacks, and it is feasible to eavesdrop on data exchange by placing fake card reader devices. Moreover, the system lacks the protection of EV privacy. The scheme has low communication, but it lacks security and privacy [38].

Additionally, according to [39], group-signature authentication has some drawbacks that should be taken into account when designing the system, such as how the private key for the group of EVs is distributed, how frequently the public/private-key pairs need to be changed, and how the key management mechanism works.

Many security protection solutions in vehicle-to-grid (V2G) networks currently rely on anonymity, pseudonymity, and encryption technologies. To address the issue of anonymity, existing research and protocols employ traditional processes such as blind signatures and bilinear pairing. The performance–security trade-off is significantly impacted by all of these systems’ high processing and communication requirements. Due to the complexity of signature and encryption mechanisms, the time required for authentication between an EV and the power grid would significantly increase (such as blind signatures). Simple anonymity and pseudonym solutions are no longer sufficient in addressing the issue of identification for EV users [40].

Solutions by [26,30,32] require a secure channel to purchase the tickets, which is both hard to establish and costly. PKI is the only way to avoid such a secure channel [38]. Studies [30,32] use certificates to initially register and authenticate and are categorized as token-based authentication schemes, as they use tickets for EV authentication. For security and privacy preservation, various blockchain-based EV charging systems have been developed. Anonymous communication hides an EV’s real identity; however, if the same anonymous ID is used multiple times, it threatens the EV’s privacy (un-linkability). By linking data to other publicly available datasets such as transactions, data might be utilized to execute privacy-related linkage attacks, and the cloud can carry out attacks using a variety of data-mining techniques and algorithms. However, absolute anonymity is the main privacy feature considered in most of these systems, which is not sufficient in maintaining order in the EV charging infrastructure [41].

As IoT devices tend to be resource-constrained and the applications of vehicular ad hoc networks (VANETs) are latency-critical, Ha et al. (2016) introduced a security scheme based on ECQV implicit authentication. For IoT devices to have mutual authentication, key establishment, and key exchange capabilities, an ECQV implicit certificate is essential. Ha et al. were able to demonstrate through a computational test that ECQV implicit certificates are preferable to traditional certificates for use in IoT devices with limited resources [22]. In their study, Baee et al. (2019) explored how much the authentication overhead in latency-critical apps affects the safety of EV drivers. They also demonstrated that combining the Elliptic Curve Digital Signature Algorithm (ECDSA) and ECQV over the National Institute of Standard and Technology (NIST) P-256 curve and validating certificates can be a viable solution [42].

The earlier authentication techniques did not consider other fundamental privacy-preserving criteria in VANETs, such as un-linkability and traceability. These requirements integrate into each other because the EV’s real identity is hidden, different sessions are not linkable, and misbehaving anonymous vehicles are traced by authorities. Additionally, we noticed that the concept of token-based reauthentication for authentic EVs within a short period of time has not been tackled. Our work is the first to suggest using ECQV to authenticate EVs EAGs in the charging system, to our knowledge. In order to ensure that the privacy of EVs is maintained for EV charging systems, we provide a lightweight ECQV-based authentication scheme. It delivers reliable and safe authentication and reauthentication.

4. Proposed System

In this section, we present the proposed authentication protocols that address the solution requirements. Table 2 details the notation used for this scheme’s phases: (1) Initialization, (2) Registration, (3) Authentication, and (4) Charging.

4.1. System Architecture

The entities electricity operator (OP), energy aggregator (EAG), and electric vehicles (EVs) compose our scheme. Figure 3 shows the architecture, and the list of entities in our design are listed below:

• Operator (OP): Any EV or EAG seeking to use the charging system must first register their identification information with the OP, where OP acts as the initializer for the proposed protocol. Authorized EVs can use the EAG’s services and develop trust with one another because the OP acts as a certificate generator (trusted third party). The OP can also identify malicious or misbehaving nodes by revealing their identities;

• Energy Aggregator (EAG): A data aggregator is a smart device or collection of smart devices that serves as a data aggregator of available EV power information while the EVs are charging and supplying power to the EVs via a number of EVCSs. To coordinate the charging, the EAG has an authentication mechanism to identify authorized EVs;

• Electric Vehicle (EV): It is a smart device that communicates charging requests to EAGs and mutually validates an EAG’s eligibility to use its service (charging).

From the architecture in Figure 3, the first step in establishing the communication between an EV and an EAG is the registration with an OP. After receiving credentials, these entities become part of the system and can communicate and authenticate each other if necessary. After successful verification, the EV can access a charging service. The EAG authenticates the EV using the $A_{EV}$ signed by the OP and $Ai{d}_i$ by the EV, without the direct involvement of the OP. The other way around, the EV authenticates the EAG using $A_{EAG}$ signed by the OP to thwart impersonation attacks. The proposed solution makes use of symmetric, ECQV, and PKC methodologies to ensure secure communication and to shorten the computation time in order to establish mutual authentication between the EV and EAG. For effective reauthentication, the proposed solution permits the reuse of $A{T}_{EV}^{EAG}$ (similar to [43] and our previous work [44]) and utilizes the speed constraint in [11] to countermeasure location-related attacks. $A{T}_{EV}^{EAG}$ is issued by the EAG once it has authenticated the EV. The utilization of $A{T}_{EV}^{EAG}$ reduces the time required to verify $A_{EV}$ in upcoming charging requests. Since there are not enough public EVCSs, which is the main problem with the EV charging infrastructure, EV owners may help other EVs in need by lending them their personal charging stations. In return, personal EVCS owners can earn some incentives through sharing with other EVs or by selling excess power to OPs.

4.2. Threat Model

The EAG is responsible for energy node matching and providing location-based services to electric vehicle owners during the energy trading process. We assume that the location-related communication is not secure enough (internet, Wi-Fi, Bluetooth, dedicated short-range communications (DSRC), etc.), and adversaries can use these services to determine the precise location of the target EV owner. Since EV owners’ location data includes vital information such as their house, workplace, hospitals, and so on, once learned by the adversary, the privacy of EV owners will be compromised, and their personal safety may be jeopardized.

The two types of attackers that are interested in obtaining the location data and credentials of EV owners are outsider and insider attackers. The transaction data collected by the system can be used by an outsider attacker to obtain information about the location of EV owners; a malicious internal node in our proposed scheme acts as an insider attacker and can gather user data. We assume that the EAG is a potential insider threat who is capable of learning the credentials or precise location of EV owners throughout the trading process.

4.3. Initialization Phase

The following steps describe how the OP initializes the system to set up the network:

• Step 1:. A base point G of order $n$ is chosen by OP on the elliptic curve $E_p$, where $n$ is a significant prime number. Select the curve coefficients $a$ and $b$, field size $q$, and cofactor $h$, where $hn$ is the number of points on the elliptic curve (these are the elliptic curve domain parameters);

• Step 2:. Select an approved hash function $H\left(.\right)$. The OP and certificate requester (EV or EAG) specify the generator of random numbers to be used throughout the certificate request/creation procedures to generate the private keys;

• Step 3:. OP obtains an EC-key pair ($P{R}_{OP}, P{K}_{OP}$), which is associated with the elliptic curve domain parameters (established in the first step).

• Step 4:. Both EV and EAG obtain, in an authentic manner, the EC domain parameters, $H\left(.\right)$, and $P{K}_{OP}$ (OP’s public key).

4.4. Registration Phase

Before EVs and EAGs can join the charging system, they must produce their identities and pair of public/private keys. After which, they receive the corresponding certificate, authenticator, information about constructing the private key, and anonymous identity from the OP (for EV only).

4.4.1. EV Registration

The registration process for EVs is presented in Figure 4 and is detailed as follows:

• Step 1:. EV selects its identity $i{d}_{EV}$; generate EC-key pair ($k_{EV}, R_{EV}$), where $k_{EV}$ ${ϵ}_R \left[1, \dots , n-1\right]$ and $R_{EV}=k_{EV}.G$. Compute $I_{EV}=h\left(R_{EV}, i{d}_{EV}, N_{EV}\right)$ to ensure integrity. Then, send it to OP $\left\{i{d}_{EV}, R_{EV}, N_{EV}, I_{EV}\right\}$ encrypted with $P{K}_{OP}$ (OP’s public key);

• Step 2:. OP retrieves the content of the message using its private key $P{R}_{OP}$ and verifies $I_{EV}$. Then, choose $k {ϵ}_R \left[1, \dots , n-1\right]$ and generate EV’s implicit certificate $Cer{t}_{EV}=R_{EV}+kG$; compute $e=h\left(Cer{t}_{EV}\right)$, $S_{EV}=ek+P{R}_{OP}\left(mod n\right)$, the private key construction data of EV. OP uses Formula (1) to create EV’s pseudo-identity and signs it using OP’s private key, where the real identity of EV is encrypted with $P{K}_{OP}$ to assure its anonymity and $Ai{d}_i$ is agreed to be incremented sequentially ($Ai{d}_{No}$) by EV itself every time it requests a service. Compute EV’s authenticator using Formula (2), which contains the issued $Cer{t}_{EV}$ with its time-life ($TL$) signed using the private key of OP. Compute $A{H}_{EV}=H\left(A_{EV}\right)$ to ensure integrity. Compute registration key $RK=h(R_{EV},N_{EV}, P{K}_{OP})$ that is shared between OP and EV only. Then, send to EV $\left\{A_{EV}, A{H}_{EV}, Ai{d}_i,S_{EV}\right\}$ encrypted with $RK.$ Lastly, OP destroys $R_{EV}$, $k$, $S_{EV}$ to prevent the possession of EV’s private key by an adversary;

  (1)$Ai{d}_i=\{(Si{g}_{OP} \left(P{K}_{OP}\left(i{d}_{EV}\right),TL\right)), Ai{d}_{No}\}$

  (2)$A_{EV}=\{(Si{g}_{OP} \left(Cer{t}_{EV},TL, Ai{d}_i\right))$

• Step 3:. EV calculates the shared registration key $RK=h(R_{EV},N_{EV}, P{K}_{OP})$ to retrieve and verify $A_{EV}, Ai{d}_i$ through OP’s public key and check $A{H}_{EV}$. Compute $e=h\left(Cer{t}_{EV}\right)$ to generate its private/public-key pair $P{R}_{EV}$/$P{K}_{EV}$ using Formulas (3) and (4).

  (3)$P{R}_{EV}=e.k_{EV}+S_{EV}\left(mod n\right)$

  (4)$P{K}_{EV}=e.Cer{t}_{EV}+P{K}_{OP}$

To ensure the validity of $P{K}_{EV}$, it computes $PK{’}_{EV}=P{R}_{EV}.G$; then, check if $P{K}_{EV}==PK{’}_{EV}$ as follows:

(5)$\begin{array}{ccc}P{R}_{EV}\hfill & =\hfill & e.k_{EV}+S_{EV}\left(mod n\right)\hfill \\ & =\hfill & e.k_{EV}+\left(e.k+P{R}_{OP}\left(mod n\right)\right)\hfill \\ & =\hfill & e.(k_{EV}+k)+P{R}_{OP}\left(mod n\right))\hfill \end{array}$

(6)$\begin{array}{ccc}Cer{t}_{EV}\hfill & =\hfill & R_{EV}+kG \hfill \\ & =\hfill & k_{EV}.G+k.G\hfill \\ & =\hfill & (k_{EV}+k).G\hfill \end{array}$

(7)$\begin{array}{ccc}P{K}_{EV}\hfill & =\hfill & e.Cer{t}_{EV}+P{K}_{OP} \hfill \\ & =\hfill & e.(k_{EV}+k).G+P{R}_{OP}.G \hfill \\ & =\hfill & e.((k_{EV}+k)+P{R}_{OP}).G\hfill \\ & =\hfill & P{R}_{EV }.G\hfill \end{array}$

After the validation of $P{K}_{EV}==PK{’}_{EV}$, EV adds its signature to $Ai{d}_i$ using its own private key. Lastly, EV stores $\{A_{EV}$, $Ai{d}_i\}$ encrypted with $P{K}_{EV}$ in memory (on-board unit—OBU). Destroy $R_{EV}$, $k_{EV}$, $S_{EV}$ to prevent the possession of an EV’s private key by an adversary.

4.4.2. EAG Registration

The registration process for the EAG is presented in Figure 5 and is detailed as follows:

• Step 1:. EAG selects its identity $i{d}_{EAG}$; generate EC-key pair ($k_{EAG}, R_{EAG}$), where $k_{EAG}$ ${ϵ}_R \left[1, \dots , n-1\right]$ and $R_{EAG}=k_{EAG}.G$. Compute $I_{EAG}=h\left(R_{EAG}, i{d}_{EAG}, N_{EAG}\right)$ to ensure integrity. Then, send it to OP $\left\{i{d}_{EAG}, R_{EAG}, N_{EAG}, I_{EAG}\right\}$ encrypted with $P{K}_{OP}$.

• Step 2:. OP retrieves the content of the message using its private key $P{R}_{OP}$ and verifies $I_{EAG}$; choose $k {ϵ}_R \left[1, \dots , n-1\right]$ and generate EAG’s implicit certificate $Cer{t}_{EAG}=R_{EAG}+kG$; compute $e=h\left(Cer{t}_{EAG}\right)$, $S_{EAG}=ek+P{R}_{OP}\left(mod n\right)$, the private key construction data of EAG. Compute the authenticator by Formula (8); it contains the issued $Cer{t}_{EAG}$, $i{d}_{EAG}$, its time-life ($TL$) signed using the private key of OP. Then, compute $A{H}_{EAG}=H\left(A_{EAG}\right)$ to ensure integrity. Compute registration key $RK’=h(R_{EAG},N_{EAG}, P{K}_{OP})$ that is shared between OP and EAG only. Then, send it to EAG $\left\{A_{EAG}, A{H}_{EAG},S_{EAG}\right\}$ encrypted with $RK’.$ Lastly, OP destroys $R_{EAG}$, $k$, $S_{EAG}$ to prevent the possession of EAG’s private key by adversaries.

  (8)$A_{EAG}=\left\{(Si{g}_{OP}\left(Cer{t}_{EAG}, TL, i{d}_{EAG}\right)\right\}$

• Step 3:. EAG computes the registration key $RK’=h(R_{EAG},N_{EAG}, P{K}_{OP})$ to retrieve and verify the $A_{EAG}$ through OP’s public key and checks $A{H}_{EAG}$. Compute $e=h\left(Cer{t}_{EAG}\right)$ to generate its private/public-key pair $P{R}_{EAG}$/$P{K}_{EAG}$ using Formulas (9) and (10).

  (9)$P{R}_{EAG}=e.k_{EAG}+S_{EAG}\left(mod n\right)$

  (10)$P{K}_{EAG}=e.Cer{t}_{EAG}+P{K}_{OP}$

To ensure the validity of $P{K}_{EAG}$, it computes $PK{’}_{EAG}=P{R}_{EAG}.G$; then, check if $P{K}_{EAG}==PK{’}_{EAG}$ as follows:

(11)$\begin{array}{ccc}P{R}_{EAG}\hfill & =\hfill & e.k_{EAG}+S_{EAG}\left(mod n\right)\hfill \\ & =\hfill & e.k_{EAG}+\left(e.k+P{R}_{OP}\left(mod n\right)\right)\hfill \\ & =\hfill & e.(k_{EAG}+k)+P{R}_{OP}\left(mod n\right))\hfill \end{array}$

(12)$\begin{array}{ccc}Cer{t}_{EAG}\hfill & =\hfill & R_{EAG}+kG\hfill \\ & =\hfill & k_{EAG}.G+k.G\hfill \\ & =\hfill & (k_{EAG}+k).G\hfill \end{array}$

(13)$\begin{array}{ccc}P{K}_{EAG}\hfill & =\hfill & e.Cer{t}_{EAG}+P{K}_{OP}\hfill \\ & =\hfill & e.(k_{EAG}+k).G+P{R}_{OP}.G \hfill \\ & =\hfill & e.((k_{EAG}+k)+P{R}_{OP}).G\hfill \\ & =\hfill & P{R}_{EAG }.G\hfill \end{array}$

After the validation of $P{K}_{EAG}==PK{’}_{EAG}$, EAG stores $\left\{A_{EAG}\right\}$ encrypted with $P{K}_{EAG}$ in memory and destroys $R_{EAG}$, $k_{EAG}$, $S_{EAG}$ to prevent the possession of EAG’s private key by an adversary.

4.5. Authentication Phase

When an EV wishes to access the charging system, the EV and EAG must authenticate one another and create a session key. The authentication phase is separated into two groups: mutual authentication, in which EV and EAG have not yet developed a relationship of trust. Thus, they rely on the information provided by the OP (third party). The second is lightweight reauthentication, where the EV and EAG authenticate each other on their own without a third trusted party (OP).

4.5.1. Mutual Authentication Protocol

This process is conducted initially, where the EAG relays on the OP’s information to authenticate the EV, unless $A_{EV}$ is terminated. Figure 6 illustrates the procedure and provides the following details:

• Step 1:. EV generates the charging request $C{H}_{EV}=\left\{amount, price,distance,TL\right\}$, where “$amount$” states the amount of power needed, “$price$” specifies how much the EV is willing to pay for the service (to keep the location of the EV private), “$distance$” should specify how far it is from the local EAG, and “$TL$” states the time-life of the request. Then, EV sends $C{H}_{EV}$ to their local EAG;

• Step 2:. The EAG sends its $A_{EAG}, A{H}_{EAG}$ as a response to the EV charging request;

• Step 3:. EV verifies $A_{EAG}$ through OP’s signature and checks if it is valid by the $TL$; retrieve $Cer{t}_{EAG}$ and compute $e=h\left(Cer{t}_{EAG}\right)$ to extract the EAG’s public key $P{K}_{EAG}=e.Cer{t}_{EAG}+P{K}_{OP}$. Generate a random number $N_{EV}$, time stamp $T_{EV}$, and the master shared key $K_{EV-EAG}$ using Formula (14). Increase the $Ai{d}_i$ counter one at a time (by adding 1 to the previous EV’s pseudo-identification) to generate a new anonymous identity for the current session. This prevents linking between multiple sessions of an EV. Then, send to EAG $\left\{A_{EV},Ai{d}_i, N_{EV}, T_{EV}\right\}$ encrypted with $P{K}_{EAG}$.

  (14)$K_{EV-EAG}=P{R}_{EV} . P{K}_{EAG}=P{R}_{EV} . P{R}_{EAG} .G$

• Step 4:. To decrypt the message, EAG employs its own private key and uses OP’s signature to confirm that $A_{EV}$ is authentic, and checks $T_{EV}$ to make sure the message is not being replayed. Compute $e=H\left(Cer{t}_{EV}\right)$ to extract EV’s public key $P{K}_{EV}=e.Cer{t}_{EV}+P{K}_{OP}$. Verify $Ai{d}_i$ by OP’s signature and EV’s signature ($P{K}_{EV}$) that is included in it. Then, generate $N_{EAG}$, $T_{EAG},$ the master shared key using Formula (15), and the authorization token by Formula (16), where $Ai{d}_i, K_{EV-EAG}$ are encrypted with $P{K}_{EAG}$. Moreover, generate the initial and session key using Formulas (17) and (18), receptively. Then, send to EV $\left\{A{T}_{EV}^{EAG}, T_{EAG}\right\}$ encrypted by $I{K}_{EV-EAG}$, the EAG schedule charging service for EVs that is protected by $S{K}_{EV-EAG}$.

  (15)$K_{EV-EAG}=P{R}_{EAG} . P{K}_{EV}=P{R}_{EAG} . P{R}_{EV} .G$

  (16)$A{T}_{EV}^{EAG}=\left\{Si{g}_{EAG}\right.\left(A{T}_{No}\right., TL, i{d}_{EAG}, P{K}_{EAG}\left(P{K}_{EV}, K_{EV-EAG}\right))\}$

  (17)$I{K}_{EV-EAG}=h\left(i{d}_{EAG}, N_{EV}, T_{EV}\right)$

  (18)$S{K}_{EV-EAG}=h\left(K_{EV-EAG}, A{T}_{No}, P{K}_{EV}, N_{EV}\right)$

• Step 5:. EV generates $I{K}_{EV-EAG}$ by Formula (17) to retrieve $A{T}_{EV}^{EAG}, A{T}_{No}$ and checks the validity of $T_{EAG}$. Next, create the session key to be used during the charging session using Formula (18). EV stores the $A{T}_{EV}^{EAG}$ issued by EAG, and updates $Ai{d}_i$. By the end of this process, EV and EAG shall have both established trust between them, without having to depend on OP in the future for session authentication.

4.5.2. Lightweight Mutual Reauthentication Protocol

As noted before, at this point, the EV and EAG should have developed a relationship of trust. Now, they can directly and mutually authenticate one another in upcoming charging services. Since charging is a rapidly needed service and a matching process is vital in providing the service, reauthentication can guarantee faster matching for the EV to obtain the service faster. When the user has a valid $A{T}_{EV}^{EAG}$ and is scheduled to the same aggregator within a 48-h period, this phase (reauthentication phase) can be utilized. The reauthentication time window is chosen on the basis of EVs’ frequent need for recharging and due to EV memory constraints. Furthermore, if the user is already trusted, it is impractical and expensive to generate all the variables for a new session key. The process of efficient reauthentication is presented in Figure 7, detailed as follows:

• Step 1:. EV creates $N_{EV}, N{’}_{EV}$, and applies Formula (18) to determine the previous session key to be used in $Ai{d}_i,{N^{\prime }}_{EV}, T_{EV}$ encryption. Increment the $Ai{d}_i$ counter sequentially (add 1 to the EV’s previous pseudo-identity) to have a new anonymous identity for this session to maintain un-linkability. Then, EV sends $A{T}_{EV}^{EAG}$, $N_{EV}, \left\{N{’}_{EV}\right\}S{K}_{EV-EAG}$ to EAG.

• Step 2:. EAG validates the authenticity of $A{T}_{EV}^{EAG}$ via the signature $Si{g}_{EAG}$ using $P{K}_{EAG}$ and $TL$. Decrypt the $A{T}_{EV}^{EAG}$ using $P{R}_{EAG}$ to retrieve $P{K}_{EV}, K_{EV-EAG}$. EAG needs to compute $S{K}_{EV-EAG}$ in order to obtain $Ai{d}_i,{N^{\prime }}_{EV}, T_{EV}$, and confirm that the $A{T}_{EV}^{EAG}$ was transmitted by the authorized EV. Then, use $N{’}_{EV}$, $T_{EV}$, $Ai{d}_{No}$, $A{T}_{No}$ to generate the temporary key $T{K}_{EV-EAG}$ using Formula (19). Generate $N_{EAG}, T_{EAG},$ a fresh session key $SK{’}_{EV-EAG}$ as in the Formula (20). EAG then sends $\left\{N_{EAG}, T_{EAG}\right\}$ encrypted by $T{K}_{EV-EAG}$ to EV. The EAG manages the EV charging service that is secured by $SK{’}_{EV-EAG}$.

  (19)$T{K}_{EV-EAG}=h\left(A{T}_{No}, Ai{d}_{No}, N{’}_{EV}, T_{EV}\right)$

  (20)$SK{’}_{EV-EAG}=h\left(T{K}_{EV-EAG}, K_{EV-EAG}, N_{EAG}, P{K}_{EV}\right)$

• Step 3:. EV generates the $T{K}_{EV-EAG}$ to retrieve $N_{EAG}$ and verifies $T_{EAG}$. Then, use Formula (20) to create $SK{’}_{EV-EAG}$ for the charging session; $Ai{d}_i$ is updated.

4.6. Revocation Protocol

The scheme offers a revocation mechanism to protect the entities from malicious impersonation and MITM attacks and announce that the parameters are no longer reliable even before the validity period has expired. $Ai{d}_i$ and $A{T}_{EV}^{EAG}$ tokens are revoked in case the EV suspects they were stolen by an adversary, with recency proof (RP) confirming the legitimacy of the OP (e.g., month-old time-stamp proof). The process of $Ai{d}_i$ revocation is detailed as follows:

• Step 1:. EV creates the $Ai{d}_i$ revocation request $Re{v}_{EV-id}=\left\{P{K}_{OP}\left(Si{g}_{EV},Ai{d}_i, RevAid, T_{EV}\right)\right\}$; forward it to OP after being encrypted with OP’s public key $P{K}_{OP}$.

• Step 2:. OP decrypts the revocation request by its $P{R}_{OP}$ and verifies $Si{g}_{EV}$ using $P{K}_{EV}$ and $Si{g}_{OP}$, which is within $Ai{d}_i$, and to avoid replay attack, OP checks $T_{EV}$ to verify whether it is valid or not. Finally, OP updates the $Ai{d}_i$ status as revoked. A fake revocation request cannot be produced by the adversary since EV’s signature is necessary.

The process of $A{T}_{EV}^{EAG}$ revocation is detailed below:

• Step 1:. EV uses Formula (21) to create the $A{T}_{EV}^{EAG}$ revocation request, which is subsequently sent to EAG after being partially encrypted using Formula (22).

  (21)$Re{v}_{EV-AT}=\left\{A{T}_{EV}^{EAG},N_{EV}, V{K}_{EV-EAG}\left(Si{g}_{EV},T_{EV}, RevAT, A{T}_{No}\right)\right\}$

  (22)$V{K}_{EV-EAG}=h\left(K_{EV-EAG}, A{T}_{No}, N_{EV}\right)$

• Step 2:. EAG validates the $A{T}_{EV}^{EAG}$ through the signature using $P{K}_{EAG}$ and decrypts internal part $P{K}_{EAG}\left(P{K}_{EV}, K_{EV-EAG}\right)$ using its $P{R}_{EAG}$. Then, EAG uses $K_{EV-EAG}$, $A{T}_{No}, N_{EV}$, to generate the revocation key $V{K}_{EV-EAG}$ using Formula (22) and retrieving the other part of the message. Verify the request belongs to the same $A{T}_{EV}^{EAG}$ by $A{T}_{No}$ and $Si{g}_{EV}$ using the retrieved $P{K}_{EV}$, then check whether $T_{EV}$ is valid or not. Finally, EAG updates $A{T}_{EV}^{EAG}$ status as revoked. The use of revoked $A{T}_{EV}^{EAG}$ leads to the rejection of EV’s charging service request. Furthermore, since the master key $K_{EV-EAG}$ is used to construct the revocation key $V{K}_{EV-EAG}$, an adversary cannot produce a fake revocation request.

5. Security Analysis

We discuss the proposed protocol’s security analysis as well as formal/informal analysis in this section.

5.1. Formal Security Analysis BAN Logic

In authentication protocols, trust connections are evaluated using authentication logic. BAN logic [45] is a frequently used technique for verifying authentication protocols. The proposed protocols’ authentication goals will be examined and verified using this logic (Table 3). A protocol analysis utilizing BAN logic can be broken down into four steps for each given protocol:

• Clearly state the goals to achieve;

• Form assumptions about the initial situation;

• Affirm the protocol in its idealized state;

• Utilize the logic to obtain associated party beliefs.

The actions and messages of the participating individuals should first be converted into formulas in order to employ the BAN logic. The essential rules for BAN logic are as follows:

Rule1 (Message-meaning rule):

(23)$R1=\frac{P |\equiv P\stackrel{ K }{\leftrightarrow }Q, \mathrm{P}⊲⟨X{⟩}_Y}{P \left|\equiv Q \right|\sim X}$

Rule2 (Nonce-verification rule):

(24)$R2=\frac{P \left|\equiv \#\left(X\right),P \right|\equiv Q |\sim X}{P \left|\equiv Q \right|\equiv \mathrm{X}}$

Rule3 (Jurisdiction rule):

(25)$R3=\frac{P \left|\equiv Q|\Rightarrow X,P\right|\equiv Q|\equiv X}{P |\equiv X}$

Rule4 (Freshness-conjuncatenation rule):

(26)$R4=\frac{P |\equiv \# \left(X\right)}{P |\equiv \# \left(X,Y\right)}$

Rule5 (Belief rule):

(27)$R5=\frac{P \left|\equiv \left(X\right),P \right|\equiv \left(Y\right) }{P |\equiv \left(X,Y\right)}$

Rule6 (Session keys rule):

(28)$R6=\frac{P |\equiv \#\left(X\right),P \left|\equiv Q \right|\equiv X }{P |\equiv P\stackrel{ K }{\leftrightarrow }Q}$

5.1.1. Analyzing Authentication Protocol

The steps listed below are taken to show that the proposed authentication protocol is accurate.

• Step 1:. Goals. The analysis’ key goals, which comprise the secrecy of the exchanged session key, are listed below:

  • Goal 1:. $EV |\equiv \left(EV\stackrel{ SK }{\leftrightarrow } EAG\right)$

  • Goal 2:. $EV \left|\equiv EAG \right|\equiv \left(EV\stackrel{ SK }{\leftrightarrow } EAG\right)$

  • Goal 3:. $EAG |\equiv \left(EV\stackrel{ SK }{\leftrightarrow } EAG\right)$

  • Goal 4:. $EAG \left|\equiv EV \right|\equiv \left(EV\stackrel{ SK }{\leftrightarrow } EAG\right)$

• Step 2:. Assumptions. The proposed protocol’s preliminary assumptions are as follows:

  • P1.. EAG |≡ # ($T_{EV}$)

  • P2.. EV |≡ # ($T_{EAG}$)

  • P3.. EAG |≡ # ($N_{EV}$)

  • P4.. EAG |≡$(EV\stackrel{ N_{EV}, T_{EV} }{\leftrightarrow }EAG$)

  • P5.. EV |≡$(EV\stackrel{ T_{EAG} }{\leftrightarrow }EAG$)

  • P6.. EAG |≡$(EV\stackrel{ K }{\leftrightarrow }EAG$)

  • P7.. EV |≡$(EV\stackrel{ K }{\leftrightarrow }EAG$)

  • P8.. EAG|≡ EV$|\Rightarrow$ $(EV\stackrel{ SK }{\leftrightarrow }EAG$)

  • P9.. EV |≡ EAG$|\Rightarrow$ $(EV\stackrel{ SK }{\leftrightarrow }EAG$)

• Step 3:. Idealization. The following is an idealized version of the proposed protocol:

  • M1.. EV → EAG: $({\{\to \begin{array}{c}P{K}_{EV }\\ \to \end{array}EV⟩}_{{\mathrm{A}}_{EV}}, N_{EV},$ $T_{EV} {\}}_{\begin{array}{c}P{K}_{EAG }\\ \to \end{array}EAG}$)

  • M2.. EAG → EV: ${({\{⟨A{T}_{No}⟩}_{A{T}_{EV}^{EAG}}, T_{EAG}\}}_{h\left(i{d}_{EAG}, N_{EV}, T_{EV}\right)},$ ${\left\{Charge\right\}}_{h\left(EV\stackrel{ K }{\leftrightarrow }EAG, A{T}_{No} , \begin{array}{c}P{K}_{EV }\\ \to \end{array}EV , N_{EV}\right)})$

• Step 4:. Analysis. The beliefs that both the EV and EAG can obtain in the proposed protocol are derived here. Then, we investigate, based on BAN logic rules, which authentication goals can be met.

Statement 1: Applying the see rule to M1, we obtain:

$S1: EAG⊲ ({\{⟨\begin{array}{c}P{K}_{EV }\\ \to \end{array}EV⟩}_{A_{EV}}, N_{EV}, T_{EV} {\}}_{\begin{array}{c}P{K}_{EAG }\\ \to \end{array}EAG})$

Statement 2: In accordance with Rule (1) (message-meaning rule) and $S1$ and P6, we obtain:

$S2: EAG \left|\equiv EV \right|\sim ({\{⟨\begin{array}{c}P{K}_{EV }\\ \to \end{array}EV⟩}_{A_{EV}}, N_{EV}, T_{EV} {\}}_{\begin{array}{c}P{K}_{EAG }\\ \to \end{array}EAG})$

Statement 3: In accordance with freshness conjuncatenation (Rule (4)) and nonce verification (Rule (2)) with $S2$, P1, and P3, we obtain:

$S3: EAG \left|\equiv EV \right|\equiv ({\{⟨\begin{array}{c}P{K}_{EV }\\ \to \end{array}EV⟩}_{A_{EV}}, N_{EV}, T_{EV} {\}}_{\begin{array}{c}P{K}_{EAG }\\ \to \end{array}EAG})$

Statement 4: Since the session key $S{K}_{EV-EAG}=h\left(EV\stackrel{ K }{\leftrightarrow }EAG, A{T}_{No} , \begin{array}{c}P{K}_{EV }\\ \to \end{array}EV, N_{EV}\right)$ and based on the session keys rule (Rule (6)) with $S3$ and P4, we obtain:

$$\begin{gathered} S4: EAG \left|\equiv EV \right|\equiv \left(EV\stackrel{ SK }{\leftrightarrow } EAG\right) \\ (\mathrm{Goal} 4) \end{gathered}$$

Statement 5: Based on the jurisdiction (Rule (3)) with $S4$ and P8, we obtain:

$$\begin{gathered} S5: EAG |\equiv \left(EV\stackrel{ SK }{\leftrightarrow } EAG\right) \\ (\mathrm{Goal} 3) \end{gathered}$$

Statement 6: Applying the see rule to M2, we obtain:

$\begin{array}{c}S6: EV ⊲{({\{⟨A{T}_{No}⟩}_{A{T}_{EV}^{EAG}}, T_{EAG}\}}_{h\left(i{d}_{EAG}, N_{EV}, T_{EV}\right)}, \hfill \\ {\left\{Charge\right\}}_{h\left(EV\stackrel{ K }{\leftrightarrow }EAG, A{T}_{No} , \begin{array}{c}P{K}_{EV }\\ \to \end{array}EV , N_{EV}\right)})\end{array}$

Statement 7: In accordance with message meaning (Rule (1)) with $S6$ and P7, we obtain:

$$\begin{gathered} S7: EV \left|\equiv EAG \right|\sim {({\{⟨A{T}_{No}⟩}_{A{T}_{EV}^{EAG}}, T_{EAG}\}}_{h\left(i{d}_{EAG}, N_{EV}, T_{EV}\right)}, \\ {\left\{Charge\right\}}_{h\left(EV\stackrel{ K }{\leftrightarrow }EAG, A{T}_{No} , \begin{array}{c}P{K}_{EV }\\ \to \end{array}EV , N_{EV}\right)}) \end{gathered}$$

Statement 8: In accordance with freshness conjuncatenation (Rule (4)) and nonce verification (Rule (2)) with $S7$ and P2, we obtain:

$$\begin{gathered} S8: EV \left|\equiv EAG \right|\equiv {({\{⟨A{T}_{No}⟩}_{A{T}_{EV}^{EAG}}, T_{EAG}\}}_{h\left(i{d}_{EAG}, N_{EV}, T_{EV}\right)}, \\ {\left\{Charge\right\}}_{h\left(EV\stackrel{ K }{\leftrightarrow }EAG, A{T}_{No} , \begin{array}{c}P{K}_{EV }\\ \to \end{array}EV , N_{EV}\right)}) \end{gathered}$$

Statement 9: Since the session key $S{K}_{EV-EAG}=h\left(EV\stackrel{ K }{\leftrightarrow }EAG, A{T}_{No} , \begin{array}{c}P{K}_{EV }\\ \to \end{array}EV, N_{EV}\right)$ and based on the session keys rule (Rule (6)) with $S8$ and P5, we obtain:

$$\begin{gathered} S9: EV \left|\equiv EAG \right|\equiv \left(EV\stackrel{ SK }{\leftrightarrow } EAG\right) \\ (\mathrm{Goal} 2) \end{gathered}$$

Statement 10: Based on the jurisdiction (Rule (3)) with $S9$ and P9, we obtain:

$$\begin{gathered} S10: EV |\equiv \left(EV\stackrel{ SK }{\leftrightarrow } EAG\right) \\ (\mathrm{Goal} 1) \end{gathered}$$

In summary, the proposed protocol provides the EV and EAG with secure mutual authentication. Additionally, based on the achieved Goals 1, 2, 3, and 4, the EV and EAG can confidently share the session key (SK). Accordingly, using BAN logic, we could say that the proposed protocol provides secure mutual authentication, ensuring that the EV and EAG are the only parties with access to the session key, maintaining security.

5.1.2. Analyzing Reauthentication Protocol

To prove that the proposed reauthentication protocol is accurate, the steps listed below are performed.

• Step 1:. Goals. The analysis’ key goals, which comprise the secrecy of the exchanged session key, are listed below:

  • Goal 1:. $EV |\equiv \left(EV\stackrel{ SK’ }{\leftrightarrow } EAG\right)$

  • Goal 2:. $EV \left|\equiv EAG \right|\equiv \left(EV\stackrel{ SK’ }{\leftrightarrow } EAG\right)$

  • Goal 3:. $EAG |\equiv \left(EV\stackrel{ SK’ }{\leftrightarrow } EAG\right)$

  • Goal 4:. $EAG \left|\equiv EV \right|\equiv \left(EV\stackrel{ SK’ }{\leftrightarrow } EAG\right)$

• Step 2:. Assumptions. The proposed protocol’s preliminary assumptions are as follows:

  • P1.. EAG |≡ # ($N{’}_{EV}$)

  • P2.. EAG |≡ # ($T_{EV}$)

  • P3.. EAG |≡ # ($N_{EV}$)

  • P4.. EV |≡ # ($N_{EAG}$)

  • P5.. EAG |≡$(EV\stackrel{ N_{EV},N{’}_{EV}, T_{EV} }{\leftrightarrow }EAG$)

  • P6.. EV |≡$(EV\stackrel{ N_{EAG} }{\leftrightarrow }EAG$)

  • P7.. EAG |≡$(EV\stackrel{ K }{\leftrightarrow }EAG$)

  • P8.. EV |≡$(EV\stackrel{ K }{\leftrightarrow }EAG$)

  • P9.. EAG|≡ EV$|\Rightarrow$ $(EV\stackrel{ SK’ }{\leftrightarrow }EAG$)

  • P10.. EV |≡ EAG$|\Rightarrow$ $(EV\stackrel{ SK’ }{\leftrightarrow }EAG$)

• Step 3:. Idealization. The following is an idealized version of the proposed protocol:

  • M1.. EV → EAG:$({(⟨A{T}_{No}⟩}_{A{T}_{EV}^{EAG}},{\{\begin{array}{c}P{K}_{EV }\\ \to \end{array}EV,EV\stackrel{ K }{\leftrightarrow }EAG\}}_{\begin{array}{c}P{K}_{EAG }\\ \to \end{array}EAG}),$$N_E,{\left\{{N^{\prime }}_{EV}, T_{EV}, ⟨Ai{d}_{No}{⟩}_{A_{EV}}\right\}}_{h\left(EV\stackrel{ K }{\leftrightarrow }EAG,A{T}_{No} , \begin{array}{c} P{K}_{EV }\\ \to \end{array}EV,N_{EV}\right)}$)

  • M2.. EAG → EV: $({\left\{N_{EAG}\right\}}_{h\left(A{T}_{No},Ai{d}_{No},{N^{\prime }}_{EV},T_{EV}\right)},$${\left\{Charge\right\}}_{h\left(EV\stackrel{ TK }{\leftrightarrow }EAG,EV\stackrel{ K }{\leftrightarrow }EAG,N_{EAG}, \begin{array}{c} P{K}_{EV }\\ \to \end{array}EV\right)}$)

• Step 4:. Analysis. The beliefs that both the EV and EAG can obtain in the proposed protocol are derived here. Then, we investigate which authentication goals can be met.

Statement 1: Applying the see rule to M1, we obtain:

$$\begin{gathered} S1: EAG⊲({(⟨A{T}_{No}⟩}_{A{T}_{EV}^{EAG}},{\{ \begin{array}{c}P{K}_{EV }\\ \to \end{array}EV, EV\stackrel{ K }{\leftrightarrow }EAG\}}_{\begin{array}{c}P{K}_{EAG }\\ \to \end{array}EAG}), \\ {N}_E, {\left\{{N^{\prime }}_{EV}, T_{EV}, ⟨Ai{d}_{No}{⟩}_{A_{EV}}\right\}}_{h\left(EV\stackrel{ K }{\leftrightarrow }EAG, A{T}_{No} , \begin{array}{c} P{K}_{EV }\\ \to \end{array}EV, N_{EV}\right)}) \end{gathered}$$

Statement 2: In accordance with Rule (1) (message-meaning rule) and $S1$ and P7, we obtain:

$$\begin{gathered} S2: EAG \left|\equiv EV \right|\sim ({(⟨A{T}_{No}⟩}_{A{T}_{EV}^{EAG}},{\{ \begin{array}{c}P{K}_{EV }\\ \to \end{array}EV, EV\stackrel{ K }{\leftrightarrow }EAG\}}_{\begin{array}{c}P{K}_{EAG }\\ \to \end{array}EAG}), \\ {N}_E,{\left\{{N^{\prime }}_{EV}, T_{EV}, ⟨Ai{d}_{No}{⟩}_{A_{EV}}\right\}}_{h\left(EV\stackrel{ K }{\leftrightarrow }EAG,A{T}_{No} , \begin{array}{c} P{K}_{EV }\\ \to \end{array}EV,N_{EV}\right)}) \end{gathered}$$

Statement 3: In accordance with freshness conjuncatenation (Rule (4)) and nonce verification (Rule (2)) with $S2$, P1, P2, and P3, we obtain:

$$\begin{gathered} S3: EAG \left|\equiv EV \right|\equiv {(⟨A{T}_{No}⟩}_{A{T}_{EV}^{EAG}},{\{ \begin{array}{c}P{K}_{EV }\\ \to \end{array}EV, EV\stackrel{ K }{\leftrightarrow }EAG\}}_{\begin{array}{c}P{K}_{EAG }\\ \to \end{array}EAG}), \\ {N}_E, {\left\{{N^{\prime }}_{EV}, T_{EV}, ⟨Ai{d}_{No}{⟩}_{A_{EV}}\right\}}_{h\left(EV\stackrel{ K }{\leftrightarrow }EAG, A{T}_{No} , \begin{array}{c} P{K}_{EV }\\ \to \end{array}EV, N_{EV}\right)}) \end{gathered}$$

Statement 4: Since the session key $SK{’}_{EV-EAG}=h\left(EV\stackrel{ TK }{\leftrightarrow }EAG,EV\stackrel{ K }{\leftrightarrow }EAG,N_{EAG}, \begin{array}{c} P{K}_{EV }\\ \to \end{array}EV\right)$, $T{K}_{EV-EAG}=h\left(A{T}_{No},Ai{d}_{No},{N^{\prime }}_{EV},T_{EV}\right)$, and based on the session keys rule (Rule (6)) with $S3$ and P5, we obtain:

$$\begin{gathered} S4: EAG \left|\equiv EV \right|\equiv \left(EV\stackrel{ SK’ }{\leftrightarrow } EAG\right) \\ (\mathrm{Goal} 4) \end{gathered}$$

Statement 5: Based on the jurisdiction (Rule (3)) with $S4$ and P9, we obtain:

$$\begin{gathered} S5: EAG |\equiv \left(EV\stackrel{ SK’ }{\leftrightarrow } EAG\right) \\ (\mathrm{Goal} 3) \end{gathered}$$

Statement 6: Applying the see rule to M2, we obtain:

$\begin{array}{c}S6: EV ⊲({\left\{N_{EAG}\right\}}_{h\left(A{T}_{No}, Ai{d}_{No}, {N^{\prime }}_{EV}, T_{EV}\right)},\hfill \\ {\left\{Charge\right\}}_{h\left(EV\stackrel{ TK }{\leftrightarrow }EAG, EV\stackrel{ K }{\leftrightarrow }EAG, N_{EAG}, \begin{array}{c} P{K}_{EV }\\ \to \end{array}EV\right)})\end{array}$

Statement 7: In accordance with message meaning (Rule (1)) with $S6$ and P8, we obtain:

$$\begin{gathered} S7: EV \left|\equiv EAG \right|\sim ({\left\{N_{EAG}\right\}}_{h\left(A{T}_{No}, Ai{d}_{No}, {N^{\prime }}_{EV}, T_{EV}\right)}, \\ {\left\{Charge\right\}}_{h\left(EV\stackrel{ TK }{\leftrightarrow }EAG, EV\stackrel{ K }{\leftrightarrow }EAG, N_{EAG}, \begin{array}{c} P{K}_{EV }\\ \to \end{array}EV\right)}) \end{gathered}$$

Statement 8: In accordance with freshness conjuncatenation (Rule (4)) and nonce verification (Rule (2)) with $S7$ and P4, we obtain:

$$\begin{gathered} S8: EV \left|\equiv EAG \right|\equiv ({\left\{N_{EAG}\right\}}_{h\left(A{T}_{No}, Ai{d}_{No}, {N^{\prime }}_{EV}, T_{EV}\right)}, \\ {\left\{Charge\right\}}_{h\left(EV\stackrel{ TK }{\leftrightarrow }EAG, EV\stackrel{ K }{\leftrightarrow }EAG, N_{EAG}, \begin{array}{c} P{K}_{EV }\\ \to \end{array}EV\right)}) \end{gathered}$$

Statement 9: Since the session key $SK{’}_{EV-EAG}=h\left(EV\stackrel{ TK }{\leftrightarrow }EAG,EV\stackrel{ K }{\leftrightarrow }EAG,N_{EAG}, \begin{array}{c} P{K}_{EV }\\ \to \end{array}EV\right)$ and based on the session keys rule (Rule (6)) with $S3$ and P6, we obtain:

$$\begin{gathered} S9: EV \left|\equiv EAG \right|\equiv \left(EV\stackrel{ SK’ }{\leftrightarrow } EAG\right) \\ (\mathrm{Goal} 2) \end{gathered}$$