Vehicular Communications 41 (2023) 100612

Contents lists available at ScienceDirect

Vehicular Communications
journal homepage: www.elsevier.com/locate/vehcom

A robust ECC-based authentication framework for energy internet

(EI)-based vehicle to grid communication system
Samiulla Itoo a , Lalit Kumar Som a , Musheer Ahmad a , Ram Baksh a ,
Faheem Syeed Masoodi b,∗
a
Department of Applied Sciences and Humanities, Faculty of Engineering and Technology, Jamia Millia Islamia, New Delhi 110025, India
b
Department of Computer Sciences, University of Kashmir, Srinagar 190001, India

a r t i c l e i n f o a b s t r a c t

Article history: The integration of electric vehicles (EVs) into the smart grid system through Vehicle-to-Grid (V2G)
Received 1 January 2023 technology enables bi-directional power delivery, allowing EVs to distribute excess electricity to the grid
Received in revised form 6 April 2023 and recharge as needed. However, V2G networks face significant security and privacy challenges due
Accepted 25 April 2023
to the involvement of large amounts of data and untrusted entities. To address these challenges, we
Available online 3 May 2023
propose a new authentication protocol based on Elliptic Curve Cryptography (ECC) that enables secure
Keywords: communication between EVs and charging stations in V2G networks. The proposed plan functions by
Authentication protocols going through four primary phases, which are: 1) Initialization, 2) Registration, 3) Authentication and
Elliptic curve cryptography 4) password change, vehicle revoke and new joining. Our protocol aims to maintain secure connections
Vehicle to Grid (V-to-G) while minimizing computation and communication costs through the use of lightweight cryptographic
Formal security operations such as one-way hash functions, concatenation, and bitwise Xor operations. We validated the
Informal security security of our protocol through both informal and formal security analyses, including verification with
the Scyther Verification tool, which confirms that the proposed protocol is free from security threats
within bounds. Our ECC-based authentication protocol for V2G is more secure and lightweight compared
to other related protocols in the same context. Our contributions are: 1) A new ECC-based authentication
framework for energy Internet (EI)-based V2G communication systems, and 2) The use of lightweight
cryptographic operations to reduce computational expenditure and improve resource utilization. Overall,
our proposed protocol provides a robust and secure framework for V2G communication that can address
the significant security and privacy challenges facing V2G networks.
© 2023 Elsevier Inc. All rights reserved.

1. Introduction system technologies to construct the next generation of smart grids

There is potential for mutual support and improved efficiency
through the synergy of energy, research, and the economy. Ex-
ploiting and using renewable energy and replacing conventional
fossil fuels are crucial steps in changing the energy landscape from
the aspect of society’s environmental sustainability. It has become
challenging to meet the demands associated with integrating dis-
persed generation and renewable energy sources, as well as to in-
clude other techniques to increase energy efficiency, due to the ex-
isting grid structure. The idea of the Energy Internet has been put
up to address these problems by integrating Information and Com-
munication Technology (ICT), Cyber-Physical systems, and power
*Corresponding author.
E-mail addresses: samiullaitoo93@gmail.com (S. Itoo), lalitsom.maths@gmail.com
(L.K. Som), mahmad@jmi.ac.in (M. Ahmad), r2121b@gmail.com (R. Baksh),
masoodifahim@uok.edu.in (F.S. Masoodi).
[1,2]. The concept of EI has been introduced to allow energy shar-
ing similar to how information is transferred on the traditional
Internet [3]. The core concept of the EI is to merge economics, in-
formation, and energy while using the power grid as the backbone
network to create a free and fair environment for the exchange
of energy and related information. The EI is created to make it
easier for various energy sources to be seamlessly integrated into
the grid and for different parts of the power grid to communi-
cate with one another to boost energy efficiencies [4]. A power
grid’s generation, transmission, distribution, service provider, op-
erations, markets, and customers will all profit from secure and
effective communication over decisions regarding the flow of en-
ergy and information [5]. EI also connects other energy networks,
including gas, enabling better energy operations, in comparison to
smart grids. The goal of SGs is to consolidate enhanced sensing,
transmission, and control capabilities in order to provide energy
to end clients in an economical and dependable manner. So, to

https://doi.org/10.1016/j.vehcom.2023.100612
2214-2096/© 2023 Elsevier Inc. All rights reserved.
S. Itoo, L.K. Som, M. Ahmad et al.
satisfy increasing energy demands, SGs again promote the adop-
tion of Electric Vehicles (EVs) [6]. The use of electric vehicles (EVs)
has rapidly increased as an alternative solution for meeting energy
demand in both domestic and industrial applications [7,8]. Electric
cars (EVs) have the potential to be combined with various charging
methods, and even used in a Vehicle-to-Grid (V2G) system where
the energy stored in the EVs can be transferred to the power sys-
tem. This can improve the stability of the grid, thus making it
more reliable. [9]. Vehicle-to-Grid (V2G) recently emerged as an
attractive choice, enabling bidirectional communication and power
flow between the power grid and EVs. Such a two-way information
exchange between EVs and the grid provides a significant num-
ber of documents that may be utilized to deliver useful services
like as load prediction, price forecasts, efficient energy utilization
management, and so on [10]. In V2G systems communication, sev-
eral important requirements must be met, including authentica-
tion, forward secrecy, information secrecy, message integrity, and
Quality of Service (QoS). However, these systems are susceptible
to various security threats and weaknesses, such as imperson-
ation attacks, replay attacks, spoofing attacks, man-in-the-middle
attacks, and masquerading attacks. Despite various solutions pro-
posed, such as authentication, encryption techniques, privacy pro-
tection, and physical layer safety, none of them adequately address
all the security requirements of V2G communication systems. To
enhance the security of V2G systems, we propose an ECC-based
authentication key agreement framework that has minimal com-
putation and communication overheads. This framework provides
an effective solution to address the security issues of V2G systems.
1.1. Related works
In the field of V2G communication systems, there has been
a proliferation of authentication protocols introduced in recent
times, each with a range of applications. The elliptic curve cryptog-
raphy (ECC) and identity-based authentication techniques proposed
by Mohammadali et al. [11] have lower computational costs for
smart meters. However, these techniques have been found to be
vulnerable to various security issues, such as De-synchronization,
Impersonation attacks, Man-in-the-Middle attacks, and False Data
assaults. Nicanfar et al. [12] proposed an authentication protocol
that utilizes both ECC and symmetric-based operations. However,
it was later discovered that this approach [12] is unsuitable for
smart-grid applications due to fake injection attacks [13], high
computing costs, and other issues. To address these issues, Wu
et al. [13] suggested a protocol that incorporates both public-key
and symmetric operations. Wu and Zhou’s approach [13] later in-
spired other researchers to propose fault-tolerant and scalable key
management strategies for smart grids. Subsequently, Xia et al.
[14] demonstrated that the fault-tolerant and scalable key man-
agement proposed by Wu and Zhou [13] does not offer protec-
tion against man-in-the-middle attacks and suggested a different
method of data aggregation. Following this, Park et al. [15] showed
that Xia et al.’s approach [14] does not defend user privacy against
forgery attempts. Afterward, Tsai et al. [16] combined identity-
based signature algorithms to develop a key distribution strategy
for smart grids. Furthermore, Tsai et al. [16] also illustrated that
the model proposed by Xia et al. [14] does not guarantee the
secrecy of long-term secrets in smart meters or the security of ses-
sion keys. Gope et al. [17] observed that the security scheme pro-
posed in Xia et al. [14] is vulnerable to a Man-in-the-Middle attack,
which can result in a Denial of Service (DoS) attack. To address
this issue, Gope et al. [17] suggested using physically unclonable
functions (PUFs) to provide physical protection for smart meters.
Over time, various authentication protocols [18–21] have been pro-
posed for V-to-G communication systems but unfortunately, most
of these protocols [21–24] in V2G based systems have privacy
2
Vehicular Communications 41 (2023) 100612
problems. Many of these schemes make use of operations based
on sign encryption and group signatures. These implementations
are costly and also do not address the privacy issues for E V s users.
Recently, Gope et al. [17] introduced a lightweight E-I-based V2G
authentication protocol in V2G communication system. However,
Kaur et al. [25] addressed some issues and introduced an ECC-
based privacy-preserving authentication scheme for V2G networks.
Irshad et al. [26] demonstrated that in the registration phase, the
Gope-Sikdar scheme [17] experiences De-synchronization issues
and also faces man-in-the-middle and replay attacks while com-
municating in an open channel. Garg et al. [27] introduced an
energy-trading hierarchical authentication scheme in V2G environ-
ment, in which three communicating parties E V s , C G S, and a cen-
tral aggregator over a blockchain network is used to preserve the
anonymity of vehicle. Roman et al. [28] developed a pairing-based
authentication technique that ensures communication privacy, pre-
serves E V s user identities, and prohibits attackers from tracing the
vehicle. In order to establish a precise balance between the secu-
rity and performance of smart grids, Zhang et al. [29] presented a
mitigation ECC-based authentication method with privacy protec-
tion by deploying a tamper-proof device at the side of smart ap-
pliances. Shen et al. [30] developed a new authentication method
for V2G networks that protects user privacy. This approach specif-
ically builds a lightweight system for authentication of E V s and
smart grid using the non-super-singular elliptic curve. After that
[31] found that the protocol proposed by [30] fails to maintain in-
sider attacks, user impersonation attacks, and traceability attacks
and the protocol does not facilitate the formation of session keys.
In light of the aforementioned shortcomings, we suggest a cutting-
edge and effective V2G protocol scheme that would allow vehicles
to securely interact with one another or recharge at particular ser-
vice stations. Additionally, the proposed framework outperforms
the other existing framework in the V2G communication system.
1.2. Functionality features and security comparison
Table 1 compares the suggested scheme’s security and func-
tionality performance with another scheme those of Odelu et al.
[22], Gope et al. [17], Kaur et al. [25], Garg et al. [27], Roman
et al. [28], Zhang et al. [29], SU et al. [30] and V. Skumar [31].
In general [22,17,25,27–31] cannot fulfill all the security require-
ments. Therefore the proposed protocol has more security features
than the other existing protocols as shown in Table 2.
1.3. System model
The system model for an EI-based V2G communication has
three main parts: a group of Electric Vehicle E V s customers,
a group of Charging Stations C G S, and a service provider S p which
is shown in Fig. 1. The Data Centre (DC) and the Power Genera-
tion, Management, and Distribution Centre (PGMDC) are the two
primary parts of the service provider S p . Each user must regis-
ter their electric vehicle E V s with the S p . The S p then keeps all
of the user data in its data center. Here, the S p is an organiza-
tion in charge of getting electricity from various suppliers. The S p
also provides power to charging stations in various locations. Sev-
eral private companies may have these charging stations. Any of
the C G S may be used by a user to charge/discharge the batteries
of his or her E V s . Therefore, depending on where the C G S is lo-
cated, the rate of discharging/charging may change. For instance,
the C G S placed near Commercial Area Networks (ComANs) may
have a higher charging/discharging rate compared to others. Public
Area Networks (PANs) may have a lower charging/discharging rate
compared to Residential Area Networks (RANs). After initial regis-
tration, safe communication can be established between the user
of E V s and the S p . Each E V s user can have an internet connection
S. Itoo, L.K. Som, M. Ahmad et al. Vehicular Communications 41 (2023) 100612

Table 1
Previously proposed authentication protocol and their security flaws.

Authentication protocol Proposed by Security flaws

Fault-tolerant and scalable key management for smart grid
Secure key distribution for the smart grid
Multi-layer ECC-based authentication for SG
Secure anonymous key distribution scheme for smart grid
Provably secure authenticated key agreement scheme for smart grid
Energy internet-based V2G communication authentication scheme
A novel privacy-preserving authentication scheme for V2G networks
Cloud enabled smart vehicle to grid network authentication protocol
Wu et al. [13] in 2011
Xia et al. [14] in 2012
Nicanfar et al. [12] in 2013
Tsai et al. [16] in 2015
Odelu et al. [22] in 2018
Gope et al. [17] in 2019
Su et al. [30] in 2020
Sureshkumar et al. [31] in 2022
Xia et al. [14] proved that [13] does not offer protection
against man-in-the-middle attack
Park et al. [15] demonstrated that [14] does not defend
user privacy against forgery attempts.
It was discovered that [12] is unsuitable for smart-grid
applications due to fake injection attacks [13]
Odelu et al. [22] proved that [16] fails to maintain the
security of session key
Gope et al. in [17] observed that the scheme [22] is
subject to a Man-in-the-Middle attack
Irshad et al. [26] demonstrated that, the Gope- Sikdar
scheme [17] experiences De-synchronization issues
The protocol proposed by [30] fails to maintain insider
attacks, user impersonation attacks, and traceability
attacks [31]
Fails to maintain the security in V-to-G system also
having high computation and communication overheads

Table 2
Security computation.

Security features [22] [17] [25] [27] [28] [29] [30] [31] Proposed
Mutual authentication  ×       
Anonymity ×  ×   ×   
Replay attack  ×  ×  ×   
De-synchronization attack × × × × × × × × 
Insider attack × ×  ×  ×   
Unlinkability × × × × × × × × 
Impersonation attack  ×  × × ×   
Man in the middle attack    × × × × × 
Ephemeral security Leakage Attacks × × × × × × × × 
Eavesdropping attacks ×  × × × × × × 
Traceability attacks ×  × ×  × ×  
Session key security         
DoS attack ×  ×   × × × 
ROR Model   × × × ×   

Fig. 1. System model.

to communicate with the C G S. Through private networks or the
public internet, a C G S can communicate with the S p . Two differ-
ent forms of flows, namely energy flows and data flows, have been
taken into account in this model. Before sharing any information,
each of the entities (E V s , C G S, and S p ) must first authenticate
themselves. Because of the public network-based communication
employed in the system environment, impersonation, man-in-the-
middle, and replay attacks all are possible.
1.4. Motivation and contribution
In this article, we proposed an ECC based security safeguarding
validated key-agreement scheme for V2G networking framework.
We use Cryptographic techniques and Primitives (Hash functions)
to make our protocol effective. The proposed protocol offers se-
cure communication between E V s and C G S in the authentication
phase, which are important security features for the foundation of

3
S. Itoo, L.K. Som, M. Ahmad et al.
Table 3
Notations.
Symbol Description
ECC Elliptic Curve Cryptography
G Additive Group
E(Fq) Elliptic curve E over a prime finite field F q
l The parameter for security
q Large prime
I Di The ith participant’s identity
G Additive group of Elliptic curve points
h(·) Cryptographic hash function (one way)
S K i j (.) Entities i and j share a session key
V-to-G The vehicular to grid
A Adversary
V-to-G networking system. In this, we have utilized hash function
(one-way) instead of a map to-point hash function that permits
the S p to authenticate all the messages. Our system also allows all
participants (i.e., E V s , C G S, and S p ) to verify each other in order
to share a common session key for safe communication in future.
Following are the key-noted contributions of the proposed proto-
col:
• We suggest an ECC-based authentication technique and a fresh
key agreement for V2G network systems.
• The suggested framework is secure against various security
attacks, including eavesdropping, replay, insider attack, imper-
sonation and man-in-the-middle attacks. The suggested proto-
col also maintains a number of security features, including key
freshness, perfect forward security, mutual authentication, and
vehicle charging stations anonymity.
• Using a Random Oracle Model, we will perform a security
analysis (formal) for the suggested protocol.
• In comparison to other existing protocols [22,17,25,27–31] in
the same context, the proposed framework has substantially
lower communication and computation costs.
• The suggested protocol makes it simple for users to update
their passwords and remove or join a new vehicle.
• In the suggested framework, we did the security verification
through the well known Scyther Verification tool and proved
that the suggested protocol has no security threats within the
bounds such as Synchronisation (Ni-synch), Agreement (Ni-
agree), Weak agreement (Weakagree), Secret parameters and
Aliveness (Alive) of Scyther are among its security attributes.
1.5. Adversary model
The “Dolev-Yao (DY) model” [32] is frequently used to analyze
the security of authentication protocols. According to DY Model, an
attacker A can intercept, delete, and change communications over
an unsecured channel in the authentication protocol. The adver-
sary’s strengths are as follows:
An adversary may perform MITM attacks, forgeries, and im-
personation attacks. An attacker can gain access to a valid
user’s identity and gather all the data on it using power analy-
sis techniques. So, during the registration procedure, the E V s ,
C G S, and S p entities interact with each other through a se-
cure channel. During the login and authentication process, the
entities E V s , C G S, and S p communicate across an insecure
channel. An adversary could be a real user or a credentialed
insider at the registration center.
“Canetti-Krawczyk (CK) model” [33], which makes a more sig-
nificant assumption than the DY model, is also taken into
consideration. A hostile opponent can access secure data, in-
cluding the master key, session secret credentials and private
key using the CK model. So, an Adversary has complete access
4
Vehicular Communications 41 (2023) 100612
Symbol Description
P Kv Public key of vehicle
y Secret key of S p
T Communication’s maximum time delay
Fq Finite field of prime order q
⊕ Operation of bitwise XOR
 Concatenation operation
g Base point of G 
Z q∗ Group under multiplication with order q − 1
?
i= j Whether i and j are equal
P W v Password of vehicle E V s
≈ Approximate value
to an insecure channel during message exchange. He is able
to intercept, modify, eavesdrop on, delete, or manipulate the
message. Any A can appear as a valid E V s and obtain services
on his behalf. Also, the adversary may appear as a C G S and
demand additional payment from the user. Hence, a secure
system for authentication is required, so that it is mandatory
to validate the legitimacy of the specific entities.
1.6. Paper organization
The remaining part of this paper is structured as follows: In
section 2, the mathematical preliminaries are described. In sec-
tion 3, we discuss the proposed protocol. The formal and informal
security analyses for the presented scheme have been done in sec-
tion 4. The performance analysis of our scheme is done in section 5
and the conclusion and future direction are given in section 6. Fur-
thermore, symbols/notations employed are shown in Table 3.
2. Preliminaries
In this section we discuss some important mathematical pre-
liminaries that are used to describe the proposed protocol, and all
the notations used in the article are displayed in Table 3.
2.1. Elliptic curve cryptography (ECC)
ECC is a type of public-key encryption that uses an elliptic
curve over a large finite field [34]. When compared to current
public-key cryptography, ECC can give more protection and bet-
ter performance with smaller key lengths. Assume q to be a large
prime number, f 1 , f 2 ∈ F q , and 4 f 13 + 27 f 22 = 0 (mod q). So, the
equation for a nonsingular elliptic curve E q ( f 1 , f 2 ) over a finite
field F q is
E q ( f 1 , f 2 ) : y  2 = x 3 + x f 1 + f 2 (mod q)
   
Then, the additive elliptic  curve group G as defined G = {(x , y ) :
x , y  ∈ F q ; (x , y  ) ∈ E } {}, where the point  is known as the
asymptotic point which works as the identity element or zero ele-
ments in G  .
The operation on the group G  is as follows:
• Assume Q is a base point on the elliptic curve E q ( f 1 , f 2 ). The
scalar multiplication operation is therefore stated as
k · Q = Q + · · · + Q (k times),
where k ∈ F q is a positive integer.
• ECC group G  point addition is described as if M = (x1 , y 1 ) ∈
G  and N = (x2 , y 2 ) ∈ G  , so M + N = (x3 , y 3 ) where x3 =
2 − x1 − x2 mod q and y 3 = ((x1 − x3 ) − y 1 ) mod q, where
S. Itoo, L.K. Som, M. Ahmad et al. Vehicular Communications 41 (2023) 100612

Table 4
Electrical vehicle registration.

Electric vehicle (E V s ) Service provider Sp

Inputs I D v and P W v
Selects a ∈ Z q∗
Calculate P K E v = a. g 
Sends {I D v , P W v , P K E v }
· · · · · · · · · · · · · · ·· ⇒ Calculate A = h( I D v  P W v  y ), where y is private key of server provider
Calculate B = A ⊕ P K E v
Sends { A , B}
⇐ · · · · · · · · · · · · · · ··
Select r v ∈ Z q∗
Calculate R = h( A  B r v . g  )
Store { R , P K E v } in database

⎧  
⎪ y −y
⎨ x2 −x1 mod q when M = N where M k is the kth plaintext’s binary value, K k is the kth encryp-
= 2
2
1
tion key’s binary value, and Ck is the kth ciphertext’s binary value.
⎪
⎩ 3x1 +c
mod q when M = N .
2 y 1
3. The proposed scheme
• Let M = (x , y  ) ∈ G  , then we define −M = (x, − y ) and M +
−M = 0. The proposed model is aimed at establishing a secure authen-
tication protocol for V2G communication using ECC. The protocol
2.2. ECC security involves a group of Charging Stations (CGS), an Electrical Service
Provider (SP), and a set of Electrical Vehicles (EVs), and consists
ECC security is centered on the following problems: of four key phases: Initialization, Registration, Authentication, and
Password update. These phases are critical to ensuring the integrity
Elliptic Curve Discrete Logarithm Problem (ECDLP): It is signifi- and confidentiality of communication in the V-to-G environment.
cantly more challenging for any polynomial bounded algo-
rithm to calculate e for a given pair (Z , e Z ), where e ∈ 3.1. Initialization
Z q∗ , Z ∈ G  . [34]. The chances that the cryptoanalyst will eval-
uate ECDLP as Adv EC D L P A = P rob[A(Z , e Z ) = e : e ∈ Z q∗ , Z ∈ In this case, the suggested technique works as follows:
G  ]. Since, Adv EC D L P A is negligible so Adv EC D L P A ≤  , where
 is comparatively very small. The S p select q and non-singular elliptic curve E q ( f 1 , f 2 ) :
Elliptic Curve Diffie-Hellman Problem (ECDHP): Let sX , t X ∈ G y  2 = x 3 + f 1 x + f 2 (mod q) with f 1 , f 2 ∈ F q as base point,
∀s, t ∈ Z q∗ . It is difficult to compute stY . The possibility that A and 4 f 13 + 27 f 22 = 0 (mod q) and the additive elliptic curve
successfully solves ECDHP as: Adv EC D H P A = P rob[A(sX , t X ) group G  generated by g  of order q defined as G  = {(x , y  ) :
= stY : s, t ∈ Z q∗ , X ∈ G  ]. The probabilistic time restricted x , y  ∈ F q ; (x , y  ) ∈ E } {}. Then, S p chooses his one-
polynomial for adversary A, Adv EC D H P A is very small i.e. way hash h(.). S p now produces a private key as y  ∈ Z q∗
Adv EC D H P A ≤  .
and a public key as P P U B = y  . g  . Therefore, S P disclose
Elliptic Curve Decisional Diffie-Hellman Problem (ECDDHP):
( E q ( f 1 , f 2 ), q, g  , P P U B , h(.)) and keep y  hidden.
Given four points P , u P , v P , w P on elliptic curve E q (U , V ),
to decide whether w P = uv P or not, where u , v , w ∈ Z q∗ .
3.2. Registration

2.3. Hash function

The next stage of the suggested technique is the registration
phase, which occurs over a secure channel between an electric ve-
The hash function (one way) h, is defined as h : → {0, 1}∗
hicle ( E V s ) and a charging station C G S and a service provider S p .
{0, 1}n , where the hash function takes w ∈ {0, 1}∗ as an input
and gives a result of fix length n as h( w ) ∈ {0, 1}n [35]. The ben-
3.2.1. Electric vehicle ( E V s ) registration
efit of A is calculated as Adv H A
ASH
(θ) = P rob[( w 1 , w 2 ) ⇐ R A :
The E V s user must register with the S p in order to receive
w 1 is not equal to w 2 and h( w 1 ) = h( w 2 )] and ( w 1 , w 2 ) ⇐ R A
services. Therefore, the E V v follows the steps that are discussed
indicates that any opponent A generates the set ( w 1 , w 2 ). As a
result, using the run time t for A, the probability of this advan- below and shown in Table 4:
tage is estimated across the random choice values. In addition, h(.)
is referred to collision resistant if Adv H ASH
(θ) ≤  . Step 1. The E V s enters the actual identity I D v and selects a ∈ Z q∗ ,
then it calculates the public key as P K E v = a. g  . The E V s
A

2.4. XOR operation then transmits the registration request to the S p , together
with its identity and public keys ( I D v , P W v , and P K E v ).
The XOR Cipher is a Boolean Exclusive-OR logic function based Here, we shall assume that an E V v registration process
on binary bits [36]. The XOR Cipher is a symmetric cryptogra- uses a secure channel.
Step 2. Upon receiving the request, the S p establishes a new ac-
phy algorithm. The XOR Cipher’s security is affected by the length
count and records it in its database. Then, via secure chan-
and characteristics of the cipher text. Longer cipher text increases
nel, it computes A = h( I D v  P W v  y ), where y is S p ’s pri-
uncertainty and is more resistant to brute-force attacks. The XOR
vate key, and calculate B = A ⊕ P K E v . It keeps A, B in its
Cipher algorithm’s decryption and encryption are as follows:
database in relation to I D v and transmits the request for
further interaction with E V s .
Ck = M k ⊕ K k .........
Step 3. After receiving { A , B } from the S p , the E V s chooses a fresh
M k = Ck ⊕ K k ........ random number r v ∈ Z q∗ and does the following calcula-

5
S. Itoo, L.K. Som, M. Ahmad et al.
Table 5
Charging station registration.
Charging station (CGS)
Inputs I D cs and P W cs
Selects x ∈ Z q∗
Calculate P K cs = x. g
Sends {I D cs , P W cs , P K cs }
· · · · · · · · · · · · · · ·· ⇒
Select rc ∈ Z q∗
Calculate R 1 = h( A 1  B 1 rc . g )
Store { R 1 , P K cs } in database
tions: R = h( A  B r v . g  ). Lastly E V s saves { R , P K E v } in its
data base.
3.2.2. Charging station registration
The C G S must register with S p , before serving the E V s . The
charging station follows the steps that are discussed below and
shown in Table 5:
Step 1. The real identity I D cs and password P W cs is entered by
C G S when it registers with the S p . C G S then selects
a private key x ∈ Z q∗ and calculate public key P K cs =
x. g  . Additionally, the C G S transmits a registration request
[ I D cs , P W cs , P K cs ] to the S p via secure channel.
Step 2. After receiving the registration request [ I D cs , P W cs , P K cs ]
from C G S, S p computes A 1 from the formula A 1 =
h( I D cs  P W cs  y ), where y stands for the private secret key
and I D c stands for the C G S’s identity and then S p calcu-
lates B 1 = A 1 ⊕ P K cs . Using a secure channel, S p transmits
{ A 1 , B 1 } to the C G S, and it stores { A 1 , B 1 } in its database
in relation to I D cs for later use in communication with
C G S.
Step 3. Upon receiving { A 1 , B 1 } from the S p , the C G S selects a
random number rc ∈ Z q∗ and does the following calcula-
tions: R 1 = h( A 1  B 1 rc . g ). Lastly, CGS saves { R 1 , P K cs } in
its database.
3.3. Authentication
The E V s must go through an anonymous authentication step
before achieving communication security. Before using C G S’s ser-
vices, the E V s must go through an anonymous authentication pro-
cess in order to establish communication security, and C G S must
authenticate the E V s with the aid of S p . The suggested scheme’s
authentication procedure is explained below and described in Ta-
ble 6:
Step 1. The electric vehicle user E V s first takes I D v and P W v
as an input and selects a ∈ Z q∗ before computing R  =
h( A  B a . g ). The validity of E V s is then verified by com-
?
puting R  = R. The E V s creates a random nonce r  ∈ Z q∗ if
the E V v ’s validation is successful. The E V v then compute
I D ∗v = (a ⊕ I D v ) and H 1 = h( I D ∗v  P W v r  . g   I D sp ). In or-
der to calculate the ciphered hash response as G 1 = h((r  ⊕
R  ) T 1 ). So, the E V v generates a request M 1 = { H 1 , G 1 , T 1 }
and sends it to S p .
Step 2. When the S p receives M 1 = { H 1 , G 1 , T 1 }, it verifies time
stamp T 1 − T 2 ≤  T and performs the following calcu-
lation: H 1∗ = h( I D ∗v  P W v r  . g   I D sp ). The validity of S p
?
is then verified by computing H 1∗ = H 1 . Afterwards, the
S p calculates G 2 = y ⊕ G 1 if the E V s validation is suc-
cessful. After above calculations, the S p computes H 2 =
Vehicular Communications 41 (2023) 100612
Service provider Sp
Calculate A 1 = h( I D cs  P W cs  y ), where y is private key of server provider
Calculate B 1 = A 1 ⊕ P K cs
Sends { A 1 , B 1 }
⇐ · · · · · · · · · · · · · · ··
h( I D ∗v  R 1  T 2  I D sp ) and sends M 2 = { H 2 , G 2 , T 2 } to the
C G S.
Step 3. The C G S validates time stamp T 2 − T 3 ≤  T after receiving
M 2 = { H 2 , G 2 , T 2 }. The authentication process will end if
the encrypted data is invalid, in such case C G S will extract
message M 2 . Then it calculates H 2∗ = h( I D ∗v  R 1  T 2  I D sp )
?
and verifies H 2∗ = H 2 . The C G S then confirms whether
the retrieved key-hash response H 2∗ is equal to H 2 . The
C G S assumes that ciphered message is fake or manipu-
lative if they are not the same. As a result, the authen-
tication procedure is stopped. The authentication proce-
dure continues if they are identical. The C G S then deter-
mines G 3 = P K cs ⊕ G 2 and computes I D cs ∗ = ( P K ⊕ I D ).
cs cs
Then it also determines the shared session key S K cs =
∗  I D ∗  P K  P K  G ). It then calculates the key-
h( I D cs v cs Ev 3
hash response, H 3 = h( I D ∗v  R 1  T 3  I D cs
∗ ). Finally, the S
p
creates a response with the following parameters: M 3 =
{ H 3 , G 3 , T 3 } and sends it to the S p .
Step 4. The S p validates Time stamp T 3 − T 4 ≤  T after receiving
M 3 = { H 3 , G 3 , T 3 }. The S p calculates H 3∗ = h( I D ∗v  R 1  T 3 
?
∗ ) and verifies H ∗ = H . The authentication procedure
I D cs 3 3
will be stopped by the S p if it is invalid. The S p then com-
putes H 4 = h( I D cs ∗  B  T  I D ∗ ) and sends it to the E V .
4 v s
Step 5. The E V s validates Time stamp T 4 − T 5 ≤  T after receiving
{ H 4 , G 3 , T 4 }. The E V s Calculate H 4∗ = h( I D cs∗  B T  I D ∗ )
4 v
?
and verifies H 4∗ = H 4 . The authentication procedure will be
stopped by the E V s if it is invalid; else, the E V s deter-
∗  I D ∗  P K  P K  G ). Once S K
mines S K E v = h( I D cs
v cs Ev 3 Ev =
?
∗  I D ∗  P K  P K  G ) = S K = S K has been veri-
h( I D cs v sp Ev 3 cs
fied, all parties utilize the agreed-upon session-key to fin-
ish the authentication procedure and obtain the services
they need.
3.4. Password update, vehicle revoke or join with new vehicle
When the electric vehicle user E V s wants to change the pass-
word or wants to revoke or join with new vehicle, she/he takes the
following steps:
Step 1. The electric vehicle user E V s first takes I D v and P W v
as an input and selects a ∈ Z q∗ before computing R  =
h( A  B a . g ). The validity of E V s is then verified by com-
?
puting R  = R.
Step 2. If the E V v ’s validation is not successful, it stops the ses-
sion. Otherwise, E V s inputs new password and Identity
P W N , I D N and generates a new random number r N
and then it calculates public key as P K E v = r N . g  . The
E V v then transmits the registration request to the S p ,
along with its new identity, password and public keys
( I D N , P W N , and P K E v ).
6
S. Itoo, L.K. Som, M. Ahmad et al. Vehicular Communications 41 (2023) 100612

Table 6
Authentication phase.

Electric vehicle (E V s ) Service provider S p Charging station (C G S)

Inputs I D v and P W v
Selects a ∈ Z q∗
Calculate R  = h( A  B a . g )
Verify R  = R if yes
Generates r  ∈ Z q∗
Calculate I D ∗v = (a ⊕ I D v )
Calculate H 1 = h( I D ∗v  P W v r  . g   I D sp )
Calculate G 1 = h((r  ⊕ R  ) T 1 )
Sends M 1 = { H 1 , G 1 , T 1 }
· · · · · · · · · · · · · · ·· ⇒ Verifies T 1 − T 2 ≤  T
Calculate H 1∗ = h( I D ∗v  P W v r  . g   I D sp )
Verifies H 1∗ = H 1 if yes
Calculate G 2 = y ⊕ G 1
Calculate H 2 = h( I D ∗v  R 1  T 2  I D sp )
Sends M 2 = { H 2 , G 2 , T 2 }
· · · · · · · · · · · · · · ·· ⇒ Verifies Time stamp T 2 − T 3 ≤  T
Calculate H 2∗ = h( I D ∗v  R 1  T 2  I D sp )
Verifies H 2∗ = H 2 if yes
Calculate G 3 = P K cs ⊕ G 2
∗ = (P K ⊕ I D )
Calculate I D cs cs cs
Calculate S K sp = h( I D cs∗  I D ∗  P K  P K G )
v cs Ev 3
∗
Calculate H 3 = h( I D v  R 1  T 3  I D cs∗ )

Sends M 3 = { H 3 , G 3 , T 3 }
⇐ · · · · · · · · · · · · · · ··
Verifies Time stamp T 3 − T 4 ≤  T
Calculate H 3∗ = h( I D ∗v  R 1  T 3  I D cs
∗ )

verifies H 3∗ = H 3 if yes
∗  B T  I D ∗ )
Calculate H 4 = h( I D cs 4 v
Sends M 4 = { H 4 , G 3 , T 4 }
⇐ · · · · · · · · · · · · · · ··
Verifies Time stamp T 4 − T 5 ≤  T
Calculate H 4∗ = h( I D cs
∗  B T  I D ∗ )
4 v
Verifies H 4∗ = H 4 if yes
∗ ∗
Calculate S K E v = h( I D cs  I D v  P K cs  P K E v G 3 )
?
Check S K E v = S K cs = S K

Step 3. S p replaces the old password and identity of vehicle with
new password and identity, and replaces the parameters A
by A N and B by B N respectively.
4. Security comparisons
In this section we performed both, formal and informal security
analysis to prove that the proposed protocol is secure against many
security attacks.
4.1. Informal security analysis
Through informal security, we will prove that the proposed pro-
tocol is secure against many security flaws informally.
4.1.1. Mutual authentication
The Electric Vehicle E V s , computes H 1 = h( I D ∗v  P W v r  . g  
I D sp ), then composes a request M 1 = { H 1 , G 1 , T 1 } and forwards
it to the S p . Then S p checks timestamp, if yes, then S p computes
?
H 1∗ = h( I D ∗v  P W v r  . g   I D sp ) and verifies if H 1∗ = H 1 is authenti-
cated and then proceeds. S p computes H 2 = h( I D ∗v  R 1  T 2  I D sp )
and sends M 2 = { H 2 , G 2 , T 2 } to the C G S. Then the C G S checks
?
timestamp if yes, then calculates H 2∗ and verifies H 2∗ = H 2 . The
C G S then confirms whether the retrieved key-hash response H 2∗
is equal to H 2 . The C G S assumes that ciphered message is fake
or manipulative if they are not the same. As a result, the authen-
tication procedure is stopped. The authentication procedure con-
tinues if they are identical. The C G S then determines the shared
∗  I D ∗  P K  P K  G ) and creates a re-
session key S K cs = h( I D cs v cs Ev 3
sponse M 3 with the following parameters: M 3 = { H 3 , G 3 , T 3 } and
sends it to the S p . The S p checks timestamp if yes, then calcu-
?
lates H 3∗ and verifies H 3∗ = H 3 . The authentication procedure will
be stopped by the S p if it is invalid. The S p then computes H 4 =
∗  B  T  I D ∗ ) and sends it on to the E V . The E V checks
h( I D cs 4 v s s
?
timestamp if yes, then verifies H 4∗ = H 4 . The authentication proce-
dure will be stopped by the E V s if it is invalid; else, the E V s deter-
∗  I D ∗  P K  P K G ) = S K = ?
mines S K E v . Once S K E v = h( I D cs v cs Ev 3 cs
S K has been verified, then the mutual authentication procedure is
completed.
4.1.2. E V s anonymity
In the suggested framework, we hide the electric vehicle iden-
tity by I D ∗v = a ⊕ I D v , so that if an A attempts to intercept
the login request, M 1 through {H 1 , G 1 , T 1 } sent by E V v , A will
be unable to retrieve the identity of electric vehicle I D v because
we use anonymous identity I D ∗v = (a ⊕ I D v ) and adversary does
not calculate H 1 without I D ∗v , P W v and I D sp . So, the genuine
identification I D v and P W v of the E V s cannot be recovered by
any A. Consequently, the proposed framework ensures the E V s ’s
anonymity.
4.1.3. E V s impersonation
According to the proposed framework, E V s sends S p the lo-
gin request message through M 1 = { H 1 , G 1 , T 1 }. A can intercept
E V s ’s login request and attempt to pass itself off as the real
E V s . In our protocol, the computation of H 1 and G 1 is not pos-
sible due to ECDHP for the production of a valid login request
M 1 = { H 1 , G 1 , T 1 }. Then A is unaware of I D v , P W v , I D sp and pri-
vate key r which is used in the computation of H 1 . Similarly A
cannot determine a legitimate G 1 , due to the fact that it needs
the complete secret key of the vehicle and we calculate it by hash
function due to ECDHP. Therefore, the suggested framework pro-
tects against impersonation attacks due to ECDHP.

7
S. Itoo, L.K. Som, M. Ahmad et al.
4.1.4. C G S impersonation attack
In the suggested protocol, S p sends C G S a login request M 2
through {H 2 , G 2 , T 2 }. In our protocol, the computation of H 2 and
G 2 is required for the production of a valid login request by in-
tercepting the parameters H 2 and G 2 from {H 2 , G 2 , T 2 }, A can
attempt to pass for the legitimate S p . In order to trick the charging
station C G S, A needs to produce a request M 2 from {H 2 , G 2 , T 2 }.
A must determine the valid H 2 and G 2 in order to produce the
valid request. For A in this situation, computing H 2 and G 2 is not
possible due to ECDHP. The explanation is that A is unaware of
I D cs , P W v , and keys P K cs and y which is used in the computa-
tion of H 2 and G 2 . A cannot pass for a legitimate S p .
4.1.5. S p impersonation attack
In the proposed protocol’s login and authentication phase, C G S
sends the message M 3 through {H 3 , G 3 , T 3 } to S p . An A must
compute authentic H 3 , G 3 and T 3 if he wishes to imitate the le-
gitimate S p which is not possible due to ECDHP. To obtain the I D v
and I D cs , whereas G 3 and T 3 can only be calculated using P K cs
knowledge. Since A is unaware of the I D cs , I D v , and S K cs , A is
unable to serve as a legitimate S p . The suggested protocol is hence
protected from S p impersonation attacks.
4.1.6. Session key security
Any A is unable to gain the session key because electric vehicle
E V s and charging station C G S compute session key via hash value
and elliptic curve cryptography with the timestamp of a message
that includes identity of Electric Vehicle E V s , Charging Station
public key, identity of Charging Station and identity of a Service
provider. For every session, we generate fresh random number, so
that the adversary A can not obtain the session keys.
4.1.7. Replay attack
The proposed protocol considers the advantage of timestamp T
and random nonce to prevent replay attack. The S p verifies T 1 −
T 2 ≤  T and T 3 − T 4 ≤  T , where  T represents maximum time
threshold. Similarly, C G S verifies T 2 − T 3 ≤  T and verifies H 2∗ =
? G 1 and G 2 . On the contrary, A is still unable to estimate SK
H 2 . S p generates fresh random number a ∈ Z q∗ and uses in the
login and authentication phase. E V s verifies T 4 − T 5 ≤  T . E V s
generates fresh random number r  ∈ Z q∗ and uses in the login and
authentication phase. Even if A replays the intercepted message
through an insecure channel, the adversary requires fresh random
number which is not possible in the proposed scheme. Hence our
protocol is resistant to replay attacks.
4.1.8. De-synchronization attack
Both the server side and the user side do not require any pa-
rameter updates. When an E V s wants to change its password, it
can log in and go through the verification process. Additionally,
the E V s or S p do not have to be in sync for the proposed proto-
col to function. A de-synchronization attack will therefore have no
effect on the login and authentication of the suggested framework.
4.2. Subsection insider attack
During the registration stage, E V s inserts I D v , r v and P W v be-
fore computing R = h( A  B r v . g  ), where P W v is the password,
I D v is the identity of the vehicle, and r v is the fresh randomly
generated value produced by E V s . As a result, the administrator of
the server cannot acquire P W v and fresh randomly generated r v .
Thus the proposed protocol is protected against this attack.
4.2.1. Unlinkability
Two significant privacy issues are the identity of the vehi-
cle and its location. The identity of the vehicle and any other
relevant information must remain a secret from the adversary.
8
Vehicular Communications 41 (2023) 100612
In the proposed protocol, the vehicle’s identity cannot be deter-
mined by the adversary because we utilize an anonymous identity
I D ∗v = (r ⊕ I D v ) and also encrypt it using the private key y as
G 1 = h((r  ⊕ R  ) T 1 ). In order to protect user privacy, each session
makes use of a unique anonymous identity I D ∗v . So I D ∗v is unlik-
able, therefore outsiders are unable to determine who is speaking
with C G S. The identity involved in two executions of the frame-
work that are different or identical is unknown to the adversary.
Consequently, the suggested technique stops the disclosure of user
identification and protects user privacy.
4.2.2. Man-in-middle-attack
On the server side, A would attempt to use the prior login mes-
sages. A replays {H 1 , G 1 , T 1 }, where H 1 = h( I D ∗v  P W v r  . g   I D sp )
is encrypted by ECC and hidden by hash function. The S p validates
?
timestamps T 1 − T 2 ≤  T and H 1∗ = H 1 after receiving the mes-
sage. The C G S similarly confirms the timestamps T 3 − T 4 ≤  T
?
and H 2∗ = H 2 . Since, we used fresh randomly generated variables
and an anonymous identity, therefore A is unable to compute with
the original entities. Thus, our suggested technique is protected to
Man-in-the-middle attacks.
4.2.3. Ephemeral security leakage attacks
Assume A has access to the short-term (ephemeral) and long-
term (permanent) values of the secret parameters. After that, A
∗  I D ∗  P K  P K G )
can attempt to determine S K E v = h( I D cs
v cs Ev 3
between the vehicle and the service provider. Below is an illus-
tration of the two cases:
• Assume that A is aware of the short-term secret values for r 
and a. Then, despite the fact that A can evaluate B with the
short-term confidential variables but cannot compute H 4∗ , A
attempts to compute S K , which cannot be determined without
the long-term hidden variables G 1 and G 2 .
• Suppose A gets information to the long-term hidden variables
as he is uninformed of the short-term hidden variables r  and
a, which is not possible due to ECDHP.
In the above two scenarios, in order to build the appropriate S K , A
would have to be aware of both short-term and long-term hidden
aspects. Ephemeral security leakage attacks are therefore impossi-
ble with our suggested framework.
4.2.4. Eavesdropping attacks
In accordance with the eavesdropping attack, A is able to inter-
cept any message sent across an insecure channel. Therefore A can
intercept messages but under the suggested protocol, each round
of authentication uses a different random number generator and
a hash function to secure all the parameters. As a result, neither
A nor the user’s identity are obtained. Additionally, A is unable
∗  I D ∗  P K  P K  G ). As a result, A is
to compute S K E v = h( I D cs v cs Ev 3
unable to acquire I D v , {H i , G i , T i } and S K E v .
4.2.5. Traceability attacks
An attacker keeps track of and contrasts the authentication
request from two distinct sessions to check if they remain iden-
tical. The authentication request will have the same source if
both messages are identical, proving that the same user submitted
both requests. Since these messages contain encrypted parame-
ters H 1 , G 1 , I D v and R  with y (private key), hash function, and
timestamp T i that a fresh timestamp is chosen for each new ses-
sion, as a result of the establishment of new {H i , G i , T i }. Even
after eavesdropping/stealing authentication messages {H i , G i , T i },
the adversary cannot track the user in this framework. Therefore, it
S. Itoo, L.K. Som, M. Ahmad et al.
is impossible to identify the user or the service provider. Therefore,
the proposed scheme defends the traceability attack.
4.2.6. DoS attacks
In the proposed protocol’s login phase, E V s inputs I D v and
P W v . Additionally, S p calculates H 1∗ = h( I D ∗v  P W v r  . g   I D sp )
? the Test query once while the suggested protocol is in use.
and verifies H 1∗ = H 1 . If this criterion is not satisfied, the session
is ended. Therefore, E V s only receives the authentication request
if S p confirms validity. E V s defends itself from replay attack by
determining how recent the messages are. Therefore, C G S rejects
such requests by examining the message freshness by verification
?
of H 2∗ = H 2 and timestamp T 2 − T 3 ≤  T . Therefore the proposed
scheme is protected from DoS attacks.
4.3. Formal security analysis
In this section, we did a formal security analysis through the
Random Oracle Model (ROM) and Scyther tool [37] to demonstrate
the proposed protocol’s security. This section contains a compre-
hensive formal security analysis.
4.3.1. Formal security model
The ROM model is used to demonstrate the security of an au-
thentication protocol [38,39]. The following are the specifics of this
security model.
Participants in the Protocol: Assume that the participants in
the suggested protocol are a Vehicle E V s , Charging Station C G S,
and a Service Provider S p . Multiple protocols can be performed by
E V s , C G S, and S p with various parties. A single protocol execution
with any other party is referred to as an instance. A participant
entity, such as E V s , C G S, or S p , may have a variety of instances
known as oracles, all of which are engaged in the proposed proto-
b
col’s execution. We designate entity E V v ’s instance b as E V .
Oracle inquiries: A includes a variety of Oracle attacks and can
create numerous queries for each Oracle. A becomes more power-
ful with each query, adding features like known key security and
perfect forward secrecy. The responses to the next six queries are
explained below:
1. Send Query (Π Eb V , Mesg): The send query is created so that A
b
can send Mesg to E V . A receives a similar result from the
send query as does b E V s during the processing of message
b
Mesg. A sends the command Send( E V , Start) to start the
protocol execution. This send query also handles with A man-
aging all transmitted communications. This query is denoted
by the symbol Q sn .
b c d b
2. Execute Query ( E V , C G S , S p ): Using three oracles ( E V ,
c d
C G S and S p ), the execute query enables A to receive accu-
rate results for the proposed protocol’s execution. This ques-
tion is used to determine the private keys of participants in a
conversation. We have denoted this by Q ex.
b
3. Reveal Query ( E V ): The reveal query is created for A to ob-
tain the session key S K . Furthermore, this query deals with a
b
known key security attack. If E V has a legitimate S K , then
the reveal query may be available. Q r v is presented as the re-
veal query.
4. Corrupt Query (E V ) Due to this query, A is able to access the
longer session key that E V s has returned. This query has been
designed to handle perfect forward secrecy.
5. Hash Query ( H ): Here, A makes random oracle queries and
receives the results of the hashing process. After receiving
the hash query, Random Oracle assesses whether or not the
message Mesg has been queried. The previous findings are re-
turned by the hash oracle if it is determined that Mesg has
9
Vehicular Communications 41 (2023) 100612
queried. If not, A receives a number produced at random, r v2 ,
and it stores (Mesg, r v2 ) in its a hash table. The hash table
contains all of the data utilized for earlier hash queries. The
hash query is displayed as Q hs .
b
6. Test Query ( E V ): The test query is designed to simulate the
semantic security of the session key S K . A may only request
b
Then, if C n = 1, E V tosses a coin (C n ) and outputs S K . If
C n = 0, the reply is otherwise a random number stream of
b
length | S K |. Only fresh E V is acceptable with this query.
Theorem. Assume that A is an adversary with likelihood probability
polynomial time who could produce maximum Q sn times Send query,
Q hs times Hash query and Q ex times Execute query to break the pro-
posed protocol’s semantic security. The benefit of A is provided as:
2
( Q hs + Q sn ) ( Q sn + Q ex )2 2Q sn
Adv P roposed (A) ≤ + +
2l−1 q |C |
List
+ 2 Adv E k Hash (A)

+ 2Q hs max Adv EC D L P (A), Adv EC D H P (A)
D
where Adv E k (A) denotes A’s advantage against decryption/encryption,
k
l is the security parameter, q is the larger prime number and |C | repre-
sents uniform distributed cardinality of set.
Proof. To demonstrate, we will use the seven factor game Gmi ,
where i = 0, 1, 2, ..., 6. Let E t be the Gmi associated event in which
the A properly evaluates the bit coin e there in game Gmi. Seven
games, sequencing from 0 to 6, are presented here. The following
is a full explanation of all seven of these games assuming Et as an
event
• Gm0 : This attack game is original in which the hash serves as
a random oracle. Attacks are made against our protocol by the
attacker. e is chosen at random before the game begins, so
Adv P roposed (A) = |2. P rob[ Et 0 ] − 1| (1)
• Gm1 : This game Gm1 and game Gm0 are similar. The game
handles hash queries by carefully inspecting the hash list de-
fined as List Hash , which is how it differs from previously de-
scribed games. Once all of the queries in Gm1 are answered
properly in a manner similar to how they were answered in
game Gm0 , Gm1 and game Gm0 stay identical. As a result, we
were able to derive the following equation from this game.
P rob[ Et 1 ] = P rob[ Et 0 ] (2)
• Gm2 : The only difference between this game and the previ-
ously played is that in Gm2 , the simulation ends upon the
occurrence of the next two events as one is collisions between
hash queries while running a protocol simulation and another
one is that during simulation of participant transcripts, there
was a collision.
According to the Birthday Paradox Model [40], the chance of
( Q sn + Q ex )2
collision in the script is always less than or equal to 2q
,
2
Q hs
and the hash collision’s highest success likelihood is , here
2l+1
l represents the length of hash. Therefore, we obtain
2
Q hs ( Q sn + Q ex )2
| P rob( Et 2 ) − P rob( Et 1 )| ≤ + (3)
2l+1 2q
• Gm3 : It is the same game as Gm2 . The distinction is that in
Gm3 , an A may know information about authentication values
without knowing anything about hash oracles. We then have:
S. Itoo, L.K. Som, M. Ahmad et al. Vehicular Communications 41 (2023) 100612

Q sn
| P rob( Et 3 ) − P rob( Et 2 )| ≤ (4)
2l
• Gm4 : The execution of Gm4 modifies Gm3 in accordance with
the following points. Here, we focus on the session key se-
curity of suggested framework. The security goal of V-to-G is
to prevent A from obtaining shared session keys of E V s and
C G S. In the scenarios outlined below, the aim of any A is to
determine the actual session key.
(i): ES-Reveal (E V s ) and ES-Reveal (C G S): In this situation,
we shall assume that A only has access to E V s and tem-
porary keys of C G S but not to their actual secret keys.
(ii): Corrupt (E V s ) & Corrupt (C G S): Here, we assume that A
has access to V and keys of G, i.e. (x, y ) as well as other
secrets, but not to their ephemeral secrets.
In above said scenarios, A is unable to derive the session key
from just knowing the hash or solve the ECDLP/ECDHP prob-
lems. As long as such ECDHP/ECDLP is satisfied, the variance
Fig. 2. Simulation of Scyther with advanced parameters.
between this game Gm4 and the prior game Gm3 is negligible.
Thus, we have
4.4. Security verification using Scyther tool

| P rob( Et 4 ) − P rob( Et 3 )| This section outlines the security assessment of the suggested

≤ Q hs max Adv EC D H P (A), Adv EC D L P (A) (5) protocol using the Scyther tool [41]. This tool offers security pro-
tocol analysis, falsification, and verification according to Security
• Gm5 : The Game Gm4 is changed in the game Gm5 with fol- Protocol Description Language (SPDL) [42]. The synchronisation
lowing ways. (Nisynch), agreement (Niagree), weak agreement (Weakagree), and
(I): E V s chooses r  randomly, then computes H 1 = h( I D ∗v aliveness (Alive) of Scyther are among its security attributes [42].
 P W v r  . g   I D sp ), and G 1 = h((r  ⊕ R  ) T 1 ) before stor- All communications are transmitted by the sender and received
ing {H 1 , G 1 , T 1 } in List Hash . by the receiver thanks to the Nisynch. The Niagree makes sure
(II): C G S computes H 2∗ = h( I D ∗v  R 1  T 2  I D sp ), H 3 = h( I D ∗v that the communicating parties concur on the contents of mes-
∗ ) and G = P K ⊕ G , and stores {H , G , T }
 R 1  T 3  I D cs sages sent back and forth. The Weakagree guarantees resistance
3 cs 2 3 3 3
in List Hash . Up until A asks for a hash oracle, where like- to impersonation attacks, while Alive checks if the intended com-
lihood of discovering hash oracles is Q1 n , the modified munication partners actually carried out the planned sequence of
s
Gm5 cannot be distinguished from Gm4 . Hence, we were events. We have specified E V s , S p , and C G S as roles for our pro-
able to obtain tocol’s security verification. As shown in Fig. 2, the Scyther tool
runs our protocol 100 times with advanced options to find ev-
Q sn List Hash ery potential attack for up to 10 patterns per claim. Fig. 3 shows
| P rob( Et 5 ) − P rob( Et 4 )| ≤ + Adv E k (A) (6)
|C | the outcomes of our protocol’s Scyther tool implementation. The
“No attacks within bounds” indicator shows that the Scyther tool
• Gm6 : Simulation of Gm6 is similar to Gm5 , except in this case did not identify any attack within the reaching bound. As a result,
the test S K query of Gm6 will terminate if A publishes a hash we can state that our protocol satisfies security claims and that
∗  I D ∗  P K  P K  G ) be-
query with the hash S K E v = h( I D cs v cs Ev 3 Scyther’s tool has not detected any attacks.
cause A will utilize the hash query with a simulation prob-
2
Q hs 5. Performance analysis
ability of to extract the session key. Thus, we establish
2l+1
that
Here we analyze the performance of suggested scheme with
2 other existing schemes in the similar context in V-to-G environ-
Q hs
| P rob( Et 6 ) − P rob( Et 5 )| ≤ (7) ment. The proposed authentication protocol out performs then the
2l+1
other existing protocol in security features, computational cost,
Based on the ROM model assumption, the game sequence and communication cost and storage overheads.
security model shows that the suggested approach is provably
secure. So, without being informed of the hash query for the 5.1. Computation cost analysis
actual input, A loses an advantage in identifying the S K out
of a random one, P rob( Et 6 ) = 1/2. Here we provide the computational cost of suggested frame-
Now adding all above simulated probabilities equations (1) to work with the other existing framework. We calculate the sug-
(7), we conclude that: gested scheme’s computing cost. The calculations were performed
on a virtual machine running on a PC with a dual core i5 4300,
Adv P roposed (A) 2.60 GHz processor, and a smart phone HTC One with a cortex A9,
MP core processor working at 890 MHz [17]. The following is the
2
( Q hs + Q sn ) ( Q sn + Q ex )2 2Q sn time needed for symmetric decryption/encryption T sym , T h for the
≤ + +
2l−1 q |C | hash function, T mm for the modular multiplication, T eo for the ex-
List ponential operation, T em for point multiplication (ECC-based), T bp
+ 2 Adv E k Hash (A) for the bilinear pairing, T certG , and T cert V , which performs certifi-
 cate generation and certificate verification.
+ 2Q hs max Adv EC D L P (A), Adv EC D H P (A)
The computing cost for above mentioned operations on the
Hence the assumption is proved.  HTC mobile device and PC are shown in Table 7. T cert V at virtual

10
S. Itoo, L.K. Som, M. Ahmad et al. Vehicular Communications 41 (2023) 100612

Fig. 3. Scyther verification results.

Table 7
Execution Time.

Operation Th T sym T eo T mm T em T cert V T bp T certG

PC (Dual Core-i5 4300) 0.011 ms 0.041 ms 2.338 ms 14.5 ms 2.6 ms 17.237 ms 3.78 ms −
Mobile (HTC One) 0.0186 ms 0.0584 ms 7.235 ms 21.86 ms 5.12 ms − 8.67 ms 55.946 ms

machine: 17.237 ms, T certG at mobile: 55.946 ms. Only the com-
putation cost of Gope et al. [17] is lower than that of the proposed
scheme. It should be noted, however, that this protocol is insecure
against all of the security features as specified in Table 2. Table 8
also provides an illustration of the comparison of computing cost.
The suggested scheme is more effective than those of other previ-
ous scheme as shown in Fig. 4.
ing hypothesis. A random value requires 160 bits, bi-linear pair-
ing requires 320 bits, symmetric encryption/decryption requires
256 bits, an identification requires 60 bits, hash function requires
160 bits, the time stamp requires 32 bits and a digital signa-
ture requires 1024 bits. So, to conclude, the suggested approach
has a much lower communication overhead compared to current
schemes within the same context as shown in Fig. 5.

5.2. Communication cost 5.3. Storage cost

The amount of bits communicated during the execution of the
proposed scheme determines the communication cost. We com-
pare communication cost with relevant protocols in Table 9. It in-
dicates that compared to other presented schemes, our scheme has
lesser communication cost [22,17,25,27–31]. Additionally, we have
calculated each scheme’s communication cost based on the follow-
The storage of parameters established during the authentication
phase is necessary to complete the authentication process. To de-
termine the storage cost for both proposed and existing schemes,
the bit lengths of messages exchanged between EVs and CGS are
taken as a reference. Various protocols, including Odelu et al. [22],
Gope et al. [17], Kaur et al. [25], Garg et al. [27], Roman et al. [28],

11
S. Itoo, L.K. Som, M. Ahmad et al. Vehicular Communications 41 (2023) 100612

Table 8
Comparison of computation cost.

Protocol Vehicle Service provider Charging station Total execution time (ms)
Roman et al. [28] 8T h + 3T bp + 5T em + T sym = 24.469 9T h + 9T em = 23.499 6T h + 3T bp + 6T em + T sym = 27.047 75.015
Garg-Kaur [27] 3T h + 2T em = 5.233 3T h + 3T em = 7.833 3T h + 5T em = 13.033 26.099
Odelu et al. [22] 3T em + T eo + 6T h = 10.204 2T em + T eo + 6T h + 2T bp = 15.164 0 25.368
Kaur-Garg [25] 4T h + 2T em = 5.244 5T h + 2T em = 5.255 6T h = 0.066 10.565
Gope-sikdar [17] 7T h = 0.077 7T h = 0.077 2T h = 0.022 0.176
Zhang et al. [29] 2T h + T em = 2.622 0 2T h + T em + T sym = 2.663 5.285
SU et al. [30] 2T h + 5T em = 13.022 0 2T h + 4T em = 10.422 23.444
V. Skumar [31] 8T h + 5T em = 13.088 7T h + 7T em = 18.277 4T h + 5T em = 13.044 44.409
Our Proposed 5T h + 2T em = 5.255 4T h = 0.044 3T h = 0.033 5.332

Table 9 Table 10
Comparison of communication overhead. Comparison of the storage cost.

Protocol Messages forwarded Communication Cost Protocol Storage cost (in bits)
Roman et al. [28] 4 2012 Roman et al. [28] 1376 bits
Garg-Kaur [27] 5 2400 Garg et al. [27] 800 bits
Odelu et al. [22] 3 3466 Odelu et al. [22] 3840 bits
Kaur-Garg [25] 4 1856 Kaur et al. [25] 640 bits
Zhang et al. [29] 3 1472 Zhang et al. [29] 864 bits
Gope-Sikdar [17] 4 2144 Gope et al. [17] 1600 bits
SU et al. [30] 2 1920 SU et al. [30] 1920 bits
V. Skumar [31] 4 2302 Skumar et al. [31] 2560 bits
Our Proposed 4 1308 Our Proposed 640 bits

Fig. 4. Computation cost. Fig. 6. Storage cost.

32 bits, point multiplication (ECC-based) requires 160 bits, and

a digital signature requires 1024 bits of storage. In the proposed
protocols we store the parameters E V s saves { R , P K E v } in Elec-
tric Vehicle ( E V s ) Registration phase that costs 160 + 160 = 320
bits, and in Charging Station Registration we store the parame-
ters { R 1 , P K cs } which costs 160 + 160 = 320 bits only. Thus, our
proposed protocol only requires 640 bits of storage cost, which is
significantly lower than other similar protocols.
The comparison of storage cost (in bits) is shown in Table 10
and Fig. 6 illustrates that the proposed protocol has a lower stor-
age cost than the others [22,17,27–31] in the similar context of
V2G. The cryptographic strategy that requires fewer data (bits) to
be produced and stored to carry out the authentication procedure
provides the best storage performance as shown in Fig. 6.

6. Conclusion
Fig. 5. Comparison of communication cost.

The proposed Robust ECC-based Authentication Framework for

Zhang et al. [29], SU et al. [30] and Skumar et al. [31] are evaluated
based on the storage cost of their parameters. The storage cost of
each protocol is calculated by assuming that a random value re-
quires 160 bits of storage, bi-linear pairing requires 320 bits, sym-
metric encryption/decryption requires 256 bits, identification re-
quires 60 bits, hash function requires 160 bits, time stamp requires
Energy Internet-based Vehicle to Grid Communication System
presents a promising solution for secure and efficient V2G com-
munication. The proposed lightweight framework, in which E V s
and C G S can mutually authenticate each other in a V2G network,
is based on combining hash functions (one-way) with ECC mul-
tiplication, concatenation, and XORed operations. The suggested

12
S. Itoo, L.K. Som, M. Ahmad et al.
framework offers lightweight provably secure cryptographic func-
tions as compared to costly modular exponentiation and supports
dynamic inclusion of S p , secure authentication between E V s , S p
and C G S, as well as E V s password changing capabilities. Extensive
security analysis has shown that the proposed approach is resilient
to various security threats such as impersonation, eavesdropping,
forward secrecy, replay, and man-in-the-middle attacks. Addition-
ally, the computation and communication cost analysis shows that
the suggested architecture is superior than the existing schemes
in the V2G communication system. Subsequent research could in-
vestigate how power systems and EV user behavior are affected
by EVs and V2G systems utilizing dynamic wireless charging on
roadways that allow bidirectional flow of electricity.
Declaration of competing interest
The authors declare that they have no known competing finan-
cial interests or personal relationships that could have appeared to
influence the work reported in this paper.
Data availability
Data will be made available on request.
References
[1] J. Rifkin, The Third Industrial Revolution: How Lateral Power Is Transforming
Energy, the Economy, and the World, Macmillan, 2011.
[2] K. Zhou, S. Yang, Z. Shao, Energy internet: the business perspective, Appl. En-
ergy 178 (2016) 212–222.
[3] J. Shen, T. Zhou, F. Wei, X. Sun, Y. Xiang, Privacy-preserving and lightweight key
agreement protocol for V2G in the social internet of things, IEEE Int. Things J.
5 (4) (2017) 2526–2536.
[4] Y. Zheng, Z.Y. Dong, Y. Xu, K. Meng, J.H. Zhao, J. Qiu, Electric vehicle battery
charging/swap stations in distribution systems: comparison study and optimal
planning, IEEE Trans. Power Syst. 29 (1) (2013) 221–229.
[5] Y. Zhang, S. Gjessing, H. Liu, H. Ning, L.T. Yang, M. Guizani, Securing vehicle-
to-grid communications in the smart grid, IEEE Wirel. Commun. 20 (6) (2013)
66–73.
[6] K. Kaur, S. Garg, N. Kumar, A.Y. Zomaya, A game of incentives: an efficient de-
mand response mechanism using fleet of electric vehicles, in: Proceedings of
the 1st International Workshop on Future Industrial Communication Networks,
2018, pp. 27–32.
[7] M. İnci, M. Büyük, M.M. Savrun, M.H. Demir, Design and analysis of fuel cell
vehicle-to-grid (FCV2G) system with high voltage conversion interface for sus-
tainable energy production, Sustain. Cities Soc. 67 (2021) 102753.
[8] M. İnci, Techno-economic analysis of fuel cell vehicle-to-grid (FCV2G) system
supported by photovoltaic energy, Energy Technol. 11 (2023) 2201162.
[9] M. İnci, M.M. Savrun, Ö. Çelik, Integrating electric vehicles as virtual power
plants: a comprehensive review on vehicle-to-grid (V2G) concepts, interface
topologies, marketing and future prospects, J. Energy Storage 55 (2022) 105579.
[10] X. Hu, K. Wang, X. Liu, Y. Sun, P. Li, S. Guo, Energy management for EV charging
in software-defined green vehicle-to-grid network, IEEE Commun. Mag. 56 (5)
(2018) 156–163.
[11] A. Mohammadali, M. Sayad Haghighi, M.H. Tadayon, A. Mohammadi-
Nodooshan, A novel identity-based key establishment method for advanced
metering infrastructure in smart grid, IEEE Trans. Smart Grid 9 (4) (2018)
2834–2842, https://doi.org/10.1109/TSG.2016.2620939.
[12] H. Nicanfar, V.C. Leung, Multilayer consensus ECC-based password authen-
ticated key-exchange (MCEPAK) protocol for smart grid system, IEEE Trans.
Smart Grid 4 (1) (2013) 253–264.
[13] D. Wu, C. Zhou, Fault-tolerant and scalable key management for smart grid,
IEEE Trans. Smart Grid 2 (2) (2011) 375–381.
[14] J. Xia, Y. Wang, Secure key distribution for the smart grid, IEEE Trans. Smart
Grid 3 (3) (2012) 1437–1443.
[15] J.H. Park, M. Kim, D. Kwon, Security weakness in the smart grid key distribu-
tion scheme proposed by Xia and Wang, IEEE Trans. Smart Grid 4 (3) (2013)
1613–1614.
13
Vehicular Communications 41 (2023) 100612
[16] J.-L. Tsai, N.-W. Lo, Secure anonymous key distribution scheme for smart grid,
IEEE Trans. Smart Grid 7 (2) (2015) 906–914.
[17] P. Gope, B. Sikdar, An efficient privacy-preserving authentication scheme for
energy internet-based vehicle-to-grid communication, IEEE Trans. Smart Grid
10 (6) (2019) 6607–6618.
[18] C. Alcaraz, J. Lopez, S. Wolthusen, OCPP protocol: security threats and chal-
lenges, IEEE Trans. Smart Grid 8 (5) (2017) 2452–2459.
[19] Y. Dodis, B. Kanukurthi, J. Katz, L. Reyzin, A. Smith, Robust fuzzy extractors and
authenticated key agreement from close secrets, IEEE Trans. Inf. Theory 58 (9)
(2012) 6207–6222, https://doi.org/10.1109/TIT.2012.2200290.
[20] M. Bellare, P. Rogaway, Entity authentication and key distribution, in: Annual
International Cryptology Conference, Springer, 1993, pp. 232–249.
[21] A. Jindal, N. Kumar, M. Singh, Internet of energy-based demand response man-
agement scheme for smart homes and PHEVs using SVM, Future Gener. Com-
put. Syst. 108 (2020) 1058–1068.
[22] V. Odelu, A.K. Das, M. Wazid, M. Conti, Provably secure authenticated key
agreement scheme for smart grid, IEEE Trans. Smart Grid 9 (3) (2018)
1900–1910, https://doi.org/10.1109/TSG.2016.2602282.
[23] Z. Yang, S. Yu, W. Lou, C. Liu, p 2 : privacy-preserving communication and pre-
cise reward architecture for V2G networks in smart grid, IEEE Trans. Smart Grid
2 (4) (2011) 697–706, https://doi.org/10.1109/TSG.2011.2140343.
[24] D. He, S. Chan, M. Guizani, Privacy-friendly and efficient secure communication
framework for V2G networks, IET Commun. 12 (3) (2018) 304–309.
[25] K. Kaur, S. Garg, G. Kaddoum, F. Gagnon, S.H. Ahmed, M. Guizani, A secure,
lightweight, and privacy-preserving authentication scheme for V2G connec-
tions in smart grid, in: IEEE INFOCOM 2019-IEEE Conference on Computer
Communications Workshops, INFOCOM WKSHPS, IEEE, 2019, pp. 541–546.
[26] A. Irshad, M. Usman, S.A. Chaudhry, H. Naqvi, M. Shafiq, A provably secure
and efficient authenticated key agreement scheme for energy internet-based
vehicle-to-grid technology framework, IEEE Trans. Ind. Appl. 56 (4) (2020)
4425–4435.
[27] S. Garg, K. Kaur, G. Kaddoum, F. Gagnon, J.J. Rodrigues, An efficient blockchain-
based hierarchical authentication mechanism for energy trading in V2G envi-
ronment, in: 2019 IEEE International Conference on Communications Work-
shops, ICC Workshops, IEEE, 2019, pp. 1–6.
[28] L.F. Roman, P.R. Gondim, J. Lloret, Pairing-based authentication protocol for V2G
networks in smart grid, Ad Hoc Netw. 90 (2019) 101745.
[29] L. Zhang, S. Tang, H. Luo, Elliptic curve cryptography-based authentication with
identity protection for smart grids, PLoS ONE 11 (3) (2016) e0151253.
[30] Y. Su, G. Shen, M. Zhang, A novel privacy-preserving authentication scheme for
V2G networks, IEEE Syst. J. 14 (2) (2020) 1963–1971, https://doi.org/10.1109/
JSYST.2019.2932127.
[31] V. Sureshkumar, S. Mugunthan, R. Amin, An enhanced mutually authenticated
security protocol with key establishment for cloud enabled smart vehicle to
grid network, Peer-to-Peer Netw. Appl. 15 (5) (2022) 2347–2363.
[32] D. Dolev, A. Yao, On the security of public key protocols, IEEE Trans. Inf. Theory
29 (2) (1983) 198–208.
[33] R. Canetti, H. Krawczyk, Analysis of key-exchange protocols and their use for
building secure channels, in: International Conference on the Theory and Ap-
plications of Cryptographic Techniques, Springer, 2001, pp. 453–474.
[34] W. Stallings, Cryptography and Network Security, 4/E, Pearson Education India,
2006.
[35] D.R. Stinson, Some observations on the theory of cryptographic hash functions,
Des. Codes Cryptogr. 38 (2) (2006) 259–277.
[36] C. Paar, J. Pelzl, Understanding Cryptography: A Textbook for Students and Prac-
titioners, Springer Science & Business Media, 2009.
[37] S. Itoo, M. Ahmad, V. Kumar, A. Alkhayyat, RKMIS: robust key management
protocol for industrial sensor network system, J. Supercomput. (2023) 1–29.
[38] R. Canetti, O. Goldreich, S. Halevi, The random oracle methodology, revisited,
J. ACM 51 (4) (2004) 557–594.
[39] S. Itoo, A.A. Khan, V. Kumar, A. Alkhayyat, M. Ahmad, J. Srinivas, CKMIB: con-
struction of key agreement protocol for cloud medical infrastructure using
blockchain, IEEE Access 10 (2022) 67787–67801.
[40] P. Flajolet, D. Gardy, L. Thimonier, Birthday paradox, coupon collectors, caching
algorithms and self-organizing search, Discrete Appl. Math. 39 (3) (1992)
207–229.
[41] C.J. Cremers, The Scyther tool: verification, falsification, and analysis of secu-
rity protocols, in: International Conference on Computer Aided Verification,
Springer, 2008, pp. 414–418.
[42] C.J.F. Cremers, et al., Scyther: Semantics and Verification of Security Protocols,
Eindhoven University of Technology, Eindhoven, Netherlands, 2006.