With more countries across the globe pushing for a transition from fossil-fuel combustion engines to electric automobiles in order to mitigate climate change, there has been a rapid growth in the EV market over the past decade. The increasing popularity of EVs in the automobile industry is mainly because gas-powered vehicles are one of the largest sources of greenhouse gases. For example, in the United States, the transportation sector accounts for more than a quarter of total emissions. Governments and automotive industries have been increasing their investments in technologies pertaining to EVs including but not limited to efficient charging infrastructures.
There exist two different types of charging infrastructures: static and dynamic. Although static charging systems are promising, they require the installation of isolated charging stations that must be interoperable with multiple automobile models of different manufacturers. Compared to the traditional vehicles, the batteries used in static charging are heavy, expensive, and have a shorter lifespan. Static charging systems can also lead to range anxiety, which is the fear of running out of power in an EV and not being able to find a charging station in time to recharge the battery. The above-listed reasons limit the widespread adoption of static systems, and hence of EVs. As a solution to these problems, dynamic wireless power transfer (DWPT) technology, which enables charging the EV while it is moving, is emerging as a promising alternative. Dynamic charging systems provide the EV the flexibility to charge while on the move with the help of charging pads (CPs) embedded under roads. To enable efficient utilization of this technology, we need to establish an Internet of Vehicles (IoV) where an EV can communicate and securely share information with the surrounding infrastructure and the CPs using Vehicle-to-Everything (V2X) communications. With the introduction of such dynamic charging infrastructures, secure and reliable mechanisms for authentication and billing of EVs by the DWPT systems are essential. The system must meet the security requirements of the customer utilizing the service such as location privacy, along with the physical and computational constraints presented by DWPT entities, for example, swift communication between the EV and the CP involved in the charging process.
Different approaches have been proposed in recent times to address the secure authentication of EVs. The works  and  proposed one of the first real-world scenario approaches in two steps, with additional billing schemes proposed in the second work. More complex approaches can introduce security problems in the design and implementation if they are not carefully reviewed. An attacker could use the additional entities and message exchanges as entry points to build an exploit able to bypass the security and attack the system.
In this paper, we identify vulnerabilities in the existing protocol scheme  and we propose a novel, secure and efficient scheme with enhancements to the vulnerabilities and inefficiencies found in . In addition, we provide a security analysis of the proposed scheme against common attacks in this environment.
Our contributions can be summarized as follows:
- we develop a new, efficient and secure protocol adopting exclusive OR operations, hashing and hash chains,
- we disclose vulnerabilities of an existing protocol,
- we compare our solution to the SOTA solutions, demonstrating the improvement in the performance during authentication, using the Charm Crypto Python library to compute the primitive times.
The rest of the paper is structured as follows: in Section II, we describe the related work, considering proposals with the same system model, while in Section III, we present the model used in the proposed scheme. In Section IV, the authentication schemes  are presented, and the vulnerabilities are outlined in Section V. In Section VI, we describe our solution and improvements, providing a security analysis in Section VII and performance analysis in Section VIII. Section XI and X comprise discussion and conclusions, respectively.
2 Related Work
Over the past decade, several privacy-preserving authentication schemes for DWPT systems have been proposed. The authentication protocol needs to be communication and computationally lightweight, secure against different types of attacks and preserve the privacy of the user. The user identity is protected using pseudonyms that hide the real identity of the customer. From the simple physical representation of the system , researchers have developed a complete cryptography-based protocol managing the authentication of dynamic wireless charging for EVs.
One of the initial works proposed with this scenario is the protocol developed by Li et al. in 2015 . Their scheme comprehends a DWPT system for authentication and billing making use of symmetric encryption with keys generated depending on the position in time and space of the EV. The protocol exchanges messages for authentication with each CP using a different key each time, resulting in a large overhead for the communication and computation of these keys.
Hussain et al.  published their scheme based on two different approaches described in detail later in the paper. They introduced the idea of CPs connected to the CSPA and the hash chain-based authentication and revocation of credentials to avoid the fraudulent use of the same. In this protocol, the EV exchanges multiple messages with the CP, which the CP relays to the CSPA and receives response from the CSPA. This leads to a large number of interactions between the CP and CSPA as well as increased utilization of the CP in the authentication scheme. As the CP is resource constrained and the contact time between EV and CP is limited, this authentication scheme might create a bottleneck for the protocol.
Two other works published by Zhao et al.  and Rabieh et al.  propose authentication schemes for a system model similar to the above works. The former uses public-key encryption with a signing and verification scheme provided by a Registration Authority (RA), and a bank in charge of the token provisioning for the charging requests. Each energy segment is assumed to transmit a constant amount of energy to the EV. The authors prove the scheme to be secure against free-riding, a particular attack in this scenario, in which the adversary tries to pose as an authenticated user or takes advantage of the physics of the system for a free charge. Zhao et al. try to solve this problem by checking the battery level of the vehicles at predefined time intervals. The latter scheme  is based on blind signatures, hash chains and XOR operations. In this case, in addition to authentication and privacy, the authors address the double-spending attack, in which a malevolent user tries to abuse old credentials to get a free charge.
Several other protocols employing multiple entities such as cloud servers (CS), fog servers (FS), pad owners (POs) and road-side units (RSU) have been proposed in [13, 14, 15, 16]. However, all these approaches consider a decentralised infrastructure involving multiple mutual authentications between the EV and various other entities of the DWPT system. Such exchanges impose higher communication and computational cost on the EV. These systems have not addressed dynamic addition of RSUs and FS and the handover involved among them as well. Therefore, we consider a simple model that reduces attack surfaces as well as the number of mutual authentications while not compromising the critical security challenges and requirements required with the DWPT environment.
3 System and Adversary Model
We briefly describe the system model in Section 3.1 and the adversary model in Section 3.2.
3.1 System Model
We consider a system model for the dynamic charging infrastructure that comprises the EV, CP, CSPA, and the RA in the authentication scheme. In the model, the CSPA is directly connected via a wired link to the RA and all the CPs. We provide the scheme in Figure 1. Authentication is achieved via direct communication between EV and CPs, where the CSPA can be involved or not, depending on the protocol scheme. The EV contains an On-Board Unit (OBU) that manages the cryptographic operations and securely stores the EV’s parameters. Such parameters include the EV’s real identity and the pseudonyms assigned to it. We consider the OBU secure and tamper-proof. The RA is responsible for publishing the parameters for the encryption scheme and generating the pseudonyms for the OBU at the time of registration. The communication between the different facilities and the OBU happens through Dedicated Short-Range Communication (DSRC) or wireless communication protocols.
3.2 Adversary Model
Our system considers both the EV and the CSPA malicious and not trustworthy. The adversary can compose, replay, intercept and forge messages, but they cannot decipher them without the correct cryptographic keys. The goal of the attacker is to infer the private key between the two entities, which allows them to get all the parameters of the charging process, and subsequently launch attacks in order to get a free charge or identify the vehicle, undermining the privacy of the customer.
Only the RA is trustworthy and knows the true identity of the EVs, which is never revealed during the authentication process. Because of the symmetric key encryption, the wired communication network is considered secure; however, an adversary can connect to the network and sniff the traffic. If the protocol is poorly designed, an adversary may be able to infer useful information that could be used for further attacks, such as tracing or replay attacks. This adversary representation is formulated in the Dolev-Yao model .
4 Reference Protocol
The authors in  proposed two different approaches for the model described in the previous section, namely Direct Mutual Authentication (DMA) and Pure Hash Chain-Based Authentication (PHA), reported in sections 4.1 and 4.2, respectively. Both the protocols rely on the same preliminaries and initialization phase. The first one is a direct authentication between EV and CPs, which can incur computation delays due to the memory constraints associated with the pads.
|Charge Serving Provider Authority|
|Department of motor vehicle|
|Identity of the EV|
|Identity of CP|
|Pseudonyms identifier for OBU|
|Current count of EV pseudonym|
|Incrementing factor of EV|
|Secret counter of EV|
|collision-free hash functions|
|Session key between CP and OBU|
|Master Secret Key of CSPA|
|Pseudonym of OBU|
|Private key of EV|
|Pseudonym generation key of EV|
|Private key of the DMV|
The second one is a faster hash-chain-based protocol that involves the participation of the CSPA, using the CPs as forwarders, thus incurring increased communication delay. The system uses El-Gamal encryption over an elliptic curve. The Department of Motor Vehicles (DMV) decides the parameters for the cryptographic scheme and generates its private and public keys. The DMV is in charge of revocation, and the implementation of revocation is beyond the scope of this work but can be found well delineated in . The cryptographic parameters are then stored in the Trusted Platform Module (TRM) of the EV at the time of registration, along with EV’s secret key, pseudonym generation key, and pseudonyms. The anonymous handles are generated using a secret counter and a secret incremental factor, unique for each EV. The generic formula is given by
with as the update value and as the counter of the current pseudonym. Furthermore, DMV generates an identifier for the vehicle as , stored in TRM along with the other parameters. The symbols used in the protocol are described in Table 1.
4.1 Direct Mutual Authentication
In the former protocol DMA, the OBU of the EV and CPs mutually authenticate each other without the involvement of the CSPA. The CSPA creates several master secret keys and sends them to DMV. The DMV in turn sends back to the CSPA. Before requesting to charge, the EV needs to register with the CSPA by sending .
and the CSPA computes three values: , , . The first is stored as a security parameter at CSPA while the rest are sent to the OBU along with the hash function h() used to compute them:
On receiving this message, the EV can authenticate with the CPs without the help of the CSPA. The OBU begins the protocol by selecting a pseudonym ) and computes the following parameters to forward them to the CP:
OBU sends all these parameters to CP along with . CP then extracts the secret from , computes in order to get from . The CP goes on to check the value of and for authentication. In the next step, CP selects a nonce , generates the session key following the generation of and sends back to the EV the following parameters:
From these parameters, OBU can extract the using , assuming that the OBU knows the value of . In order to authenticate CP, OBU checks the values of and while is used to extract and stored as a security parameter. At this point, the two involved parties can establish a session key used later for the billing process. After the authentication is complete, the charging process begins.
According to the adversary model used, CSPA is not trustworthy and the use of is a threat for the privacy of the customer, in that is fixed for a large amount of protocol runs. In this way, a malicious CSPA could track the customer along the road and possibly identify the identity of the user.
4.2 Pure Hash Chain-Based Authentication
The second approach requires the involvement of CSPA and makes use of hash chains. This system lowers the computation cost required by OBU and CSPA but can incur a higher communication delay.
After the common initialization and pseudonym assignment, the DMV provides the OBU with the corresponding hash chain for each pseudonym:
The OBU registers with CSPA by sending the head of the hash chain of the current pseudonym. In order to authenticate with the CP, the OBU has to send the next hash chain value expected. The CP will forward the hash value to CSPA for authentication: the provider validates the received parameter against the value expected after using the hash operation as . Following this procedure, the CSPA replaces with . As described in the following section, this is a vulnerability that impacts the protocol’s security. This method expects the OBU to authenticate at each pad to receive the designated amount of energy. After authentication, the CSPA provides CP with a session key . The CP stores the session key in its database along with a timestamp.
5 Vulnerabilities and Attacks
As mentioned in the previous section, there is a possible attack vector in the Pure Hash Chain-Based approach. The generation of a hash chain is depicted in Fig. 2, while the intended use of a hash chain for authentication is depicted in Fig. 3. The problem is in how the CSPA updates the value for the next expected hash chain value:
Instead of storing the current value received from the OBU (), CSPA stores the hash value that is already in memory, resulting in the same hash chain value received at the start of the protocol being stored:
This behaviour can have two consequences:
- The OBU currently participating in the protocol exchange is unable to authenticate itself further. This occurs because the hash value that the OBU sends, which could be say, , and the value that the CP or CSPA expects differ. Following the initial successful authentication, the CSPA repeatedly waits for the same value, resulting in an error.
- The OBU could send the same value for authentication indefinitely, and an attacker could eavesdrop on the packet and then pose as the authenticated vehicle, resulting in a successful free-riding through replay attack.
To mitigate this behaviour, it is sufficient to store the most recent value received from OBU, generalizing:
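The update flaw and its fix, as an added example (not code from the paper or from the authors of the reference protocol): a minimal CSPA verifier run once with the flawed update and once with the corrected one. SHA-256, the names `Cspa`, `build_chain` and `run_scenario`, the seed and the pseudonym are assumptions, as is the Lamport-style convention that the registered head is the last chain value and values are revealed in reverse order.

```python
import hashlib
import hmac


def h(value: bytes) -> bytes:
    """Hash used for the chain (SHA-256 is an assumption, not the paper's choice)."""
    return hashlib.sha256(value).digest()


def build_chain(seed: bytes, length: int) -> list:
    """Return [h^1(seed), ..., h^length(seed)]; the last element is the head."""
    chain, value = [], seed
    for _ in range(length):
        value = h(value)
        chain.append(value)
    return chain


class Cspa:
    """Hypothetical verifier that keeps one expected chain value per pseudonym."""

    def __init__(self, store_received: bool):
        # store_received=False reproduces the flawed update described above,
        # store_received=True applies the mitigation (keep the received value).
        self.store_received = store_received
        self.expected = {}

    def register(self, pseudonym: str, head: bytes) -> None:
        self.expected[pseudonym] = head

    def authenticate(self, pseudonym: str, value: bytes) -> bool:
        stored = self.expected.get(pseudonym)
        if stored is None or not hmac.compare_digest(h(value), stored):
            return False
        if self.store_received:
            # Corrected update: the next pad must present the preimage of `value`.
            self.expected[pseudonym] = value
        else:
            # Flawed update: the value already in memory is written back,
            # so the expected value never advances along the chain.
            self.expected[pseudonym] = stored
        return True


def run_scenario(store_received: bool) -> dict:
    """Pad 1: honest OBU. Pad 2: replay of the captured value, then honest OBU."""
    chain = build_chain(b"constructed-seed", 5)   # constructed sample input
    pseudonym = "PID-constructed"                 # constructed sample pseudonym
    cspa = Cspa(store_received)
    cspa.register(pseudonym, chain[-1])           # OBU registers the chain head

    captured = chain[-2]                          # value an eavesdropper observes
    first_auth = cspa.authenticate(pseudonym, captured)
    replay = cspa.authenticate(pseudonym, captured)
    next_value = cspa.authenticate(pseudonym, chain[-3])
    return {"first_auth": first_auth, "replay": replay, "next_value": next_value}


if __name__ == "__main__":
    print("flawed update:   ", run_scenario(store_received=False))
    print("corrected update:", run_scenario(store_received=True))
```

With the flawed update the replayed value is accepted and the honest OBU's next value is rejected, which are the two consequences listed above; with the corrected update the outcome is reversed.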
Some parameters in the message exchanges during the DMA approach are ambiguous or can be eliminated because they add little to the protocol itself. The message sent by OBU to CSPA, which the authors claim is required for authentication and the subsequent verification of presents two issues. If CSPA wants to check the value , it must know which to compare. CSPA is aware of all the registered values of , but this may be a performance issue because it must brute-force the database to find the corresponding entry that matches the computation of . The second inefficiency occurs when the CSPA extracts the value of and checks the validity of with this value. In this case, the computed and received values are identical because the extracted value is used for the exact computation. If this is the case, the extracted is never used in the protocol, rendering this step unnecessary. The billing section has an exception where the value can be substituted to avoid transmission.
Assuming OBU is aware of the value , only the OBU can extract the value from during the message exchange between CP and OBU because it is the only other entity aware of value. Furthermore, is used to extract and store the value of , which is later on not used elsewhere. In this case, we know that and can be removed without affecting authentication.
Finally, as anticipated in the preceding section, the use of throughout multiple runs can expose the customer’s identity and allow tracking of it in different charging processes. This poses a serious threat to the DWPT system’s privacy requirements.
6 Revised Protocol
To address the vulnerabilities identified in the previous section, we modify the message exchanges between the OBU and the CSPA. To verify the veracity of the OBU registration later, we initially store a copy of the DMV’s database of vehicle pseudonyms at the CSPA without revealing the mapping between the OBU and its associated pseudonym. We modify the value of to , where is a collision-free hash function provided by DMV. As a result, the value used to construct the authentication parameters is dynamic and cannot be used to track the user across different charging processes, thereby removing the issue highlighted in the previous section. This solution adds to the computational overhead at the start of each scheme run, but has no discernible effect on performance when compared to SOTA.
Following the first step, we modify the parameters sent during OBU-CP communication. To avoid authentication between the EV and the CP, the message exchange described in section 4 occurs between the OBU and the CSPA. As a result, we mutually authenticate with the system’s first level (the CSPA), and the OBU uses a hash chain to authenticate with the CPs. Consequently, retains its value while is completely removed. To authenticate with CP, we make the following changes:
- Instead of the original , we use ;
- In , we use the exclusive or with , a nonce generated for the current exchange and send ;
- OBU generates a nonce to use in order to generate the hash chain as .
CSPA can use the value of extracted from as in the original work, and consequently extract from , from and compare the results to . Following the Pure Hash Chain-Based Authentication approach, the hash chain will be used as authentication between OBU and each successive CP during the charging process. Summarizing the message exchange between OBU and CSPA again,
Similar to , CSPA generates a nonce for the run of the protocol, . After removing and replacing and , CSPA sends the following to OBU,
From this message, OBU can extract the value of and check the result of the exponentiation against . This approach necessitates the publication of the parameters and that are constant during the entire protocol. In the next phase, the CSPA sends the hash chain value provided by OBU to the CPs to authenticate and begin the charging process as in the hash chain-based authentication proposed in .
7 Security Analysis
In this section, we provide an informal security analysis of our proposed scheme against the most common attacks for this scenario. In this environment, we consider the possibility of both the entities, the EV and the CSPA, being malicious, contemplating both passive and active attackers. The system provides mutual authentication between the OBU and CSPA, preserving the user’s privacy at the same time. The use of pseudonyms and the initial message exchange between the two entities meet these two requirements through the use of hash and exclusive or operations. The protocol is secure against the following attacks.
Impersonation: it is difficult for an adversary to impersonate a different OBU in the authentication and charging process. The use of pseudonyms and their registration avoids the possibility of an attacker presenting as a different customer. During the authentication, sensitive information is hidden from an external party, making it impossible to infer the user parameters and nonces that are essential to pose as another user;
Unlinkability: the generation of pseudonyms is restricted to the DMV. They are provided in a non-linear and complex manner, making it impossible for an external individual or CSPA to correlate a particular pseudonym to the corresponding user. Furthermore, linking different pseudonyms belonging to the same EV is unfeasible due to non-linearity and secret seeds in the pseudonym generation process;
Man-In-The-Middle (MITM): In this scenario, an adversary cannot initiate an MITM attack due to the impossibility of impersonation and the presence of authentication messages containing secrets that are known and can only be used by the intended recipient. The attacker could only play the role of a forwarder unable to gain any advantage without modifying or forging messages posing as a different entity, as they cannot manage to extract the pseudonyms using the particular value and consequently and from the OBU authentication message;
Free-riding: in this situation, a malicious user attempts to get a free charge without being authenticated. We assume that CPs are relatively short, such that no two vehicles can be on the same pad at a particular time. The attack is mitigated as the hash chain used for authenticating with the CSPA can be generated only by the intended user. The adversary could listen to the current value to authenticate with the next pad. However, at the successive charging pad, CSPA waits for the next value of the hash chain to authenticate the OBU. This value cannot be computed by an unauthenticated, different vehicle;
Double-spending: in this scenario, an EV that just utilized the service wants to use the same message again to get a free charge. The CSPA avoids this by storing previously used pseudonyms in the database for revocation in the event of a discrepancy.
8 Performance Analysis
In this section, we compare the computation and communication cost of different protocols with a similar system model against the revised protocol solution we proposed in section 6.
In order to make the comparison, we count the number of operations in the authentication steps between OBU-CSPA and OBU-CP. As shown in Table 2, the total number of operations in the modified scheme is significantly reduced compared to the original protocol, even with the introduction of the exponentiation operation in both OBU and CSPA. We compute the reference time for two operations (hash and multiplication) using a simulation of the primitives in Python, using Charm-Crypto Library .
The exclusive or operation consumes less time, and hence, we exclude the time taken for exclusive or in the results. We simulate the experiment on a laptop with the following specifications: 8 GB of memory, 256 GB of SSD space, Intel Core i7-6500U @ 2.50 GHz x 4, Ubuntu 20.04.3 LTS with 64-bit architecture. The simulation allows performing multiple executions to get a statistic of the time. We list the time required by each primitive in Table 2.
|Primitive||Average Time (ms)||Min. Time (ms)||Max. Time (ms)|
8.2 Computation Cost
As listed in Table 3, the total time taken by our revised protocol is significantly lower than the original one even with the use of an exponentiation operation, primarily due to the reduction of the messages sent in the authentication exchange that presented redundancy. We also compare the revised protocol with other schemes with a similar infrastructure setup. In , a different approach comprising a digital signature is used, making the authentication part with the provider quite heavy. However, in the later part, a hash chain is used for authenticating with the CPs. In contrast to this, in Zhao et al. scheme, a digital signature is requested for each plate, making it computationally heavier than our proposed solution. The resulting optimization is around 5 times better against  and even more pronounced with .
|Auth OBU||Auth CP/CSPA/CMC||Hash-chain||Total time|
|Our Solution||5 + 3 + = 1.46 ms||7 + 3 + = 2.0 ms||ms|
|Hussain ||6 + 6 = 1.62 ms||7 + 6 = 1.89 ms||—||ms|
|Rabieh ||4 + 4 + 2 + + = 10.01 ms||2 + 4 + 4 + + = 10.01 ms||ms||ms|
|Zhao ||2 + 2 + = 5.15 ms||+ 2 = 3.89 ms||ms||ms|
8.3 Communication Cost
To compare the communication efficiency of the protocol, we compare our revised protocol with the original protocol. In Table 4, we report the cost that each step of authentication takes in terms of bytes. We consider that the pseudonym and the hash are 32 Bytes variables, and exponentiation is a 64 Bytes number with prime order of 512 bits.
Considering the integration of the hash chain at the CP level, we achieve better performance after the first constant part of the protocol. Following that, instead of the entire communication cost, we need only a message containing a hash, thus remarkably reducing the overall cost. Our protocol has minimal overhead stemming from the pre-authentication message exchange required to eliminate the usage of any parameter that can be used to track the user activity. Compared to the original scheme, which has a significant overhead at each CP, authentication between the EV and the CP in the proposed protocol consists of a hash chain value for each pad, which provides a significant advantage.
|Our Solution||Hussain et al.|
|Auth CP / CSPA||B||B|
|Hash-chain||B per CP||—|
In this paper, we analyzed two authentication protocols for the dynamic charging of EVs and demonstrated vulnerabilities of the DWPT system in the proposed scheme, which allows the adversary to attack the charging infrastructure or EV by eavesdropping, intercepting, and tampering with the exchanged messages. We propose an enhanced, lightweight and secure authentication protocol that improves system security by eliminating threats while lowering the computational costs and communication overhead of the system. The revised scheme protects the EV from adversarial attacks including but not limited to replay and denial-of-service attacks.
-  United States Environmental Protection Agency, Inventory of U.S. Greenhouse Gas Emissions and Sinks. https://www.epa.gov/ghgemissions/inventory-us-greenhouse-gas-emissions-and-sinks. Accessed 25 April 2022.
-  Pareek, S., Sujil, A., Ratra, S., Kumar, R.: Electric Vehicle Charging Station Challenges and Opportunities: A Future Perspective. In: 2020 International Conference on Emerging Trends in Communication, Control and Computing (ICONC3), 2020, pp. 1-6 (2020)
-  Mouftah, H.T., Erol-Kantarci, M., Sorour, S. (Eds.): Connected and Autonomous Vehicles in Smart Cities (1st ed.). CRC Press (2020)
-  Hutchinson, L., Waterson, B., Anvari, B., Naberezhnykh, D.: Potential of Wireless Power Transfer for Dynamic Charging of Electric Vehicles. In: IET Intelligent Transport Systems. pp. 3-12 (2019)
-  Hussain, R., Kim, D., Nogueira, M., Son, J., Tokuta, A., Oh, H.: A New Privacy-Aware Mutual Authentication Mechanism for Charging-on-the-Move in Online Electric Vehicles. In: 11th International Conference on Mobile Ad-hoc and Sensor Networks (MSN), 2015, pp. 108-115 (2015)
-  Hussain, R., Son, J., Kim, D., Nogueira, M., Oh, H., Tokuta A.O., Seo, J.: PBF: A New Privacy-Aware Billing Framework for Online Electric Vehicles with Bidirectional Auditability. In: Wireless Communications and Mobile Computing, vol. 2017, Article ID 5676030, 17 pages (2017)
-  Panchal, C., Stegen, S., Lu, J.: Review of static and dynamic wireless electric vehicle charging system. In: Engineering Science and Technology, an International Journal, Volume 21, Issue 5, 2018, Pages 922-937 (2018)
-  Li, H., Dán, G., Nahrstedt, K.: Portunes+: Privacy-Preserving Fast Authentication for Dynamic Electric Vehicle Charging. In: IEEE Transactions on Smart Grid, vol. 8, no. 5, pp. 2305-2313 (2017)
-  Charm-Crypto Python Library. https://jhuisi.github.io/charm/index.html. Accessed 20 April 2022
-  Rabieh, K., Wei, M.: Efficient and privacy-aware authentication scheme for EVs pre-paid wireless charging services. In: IEEE International Conference on Communications (ICC), 2017, pp. 1-6 (2017)
-  Zhao, X., Lin, J., Li, H.: Privacy-Preserving Billing Scheme against Free-Riders for Wireless Charging Electric Vehicles. In: Mobile Information Systems, vol. 2017, Article ID 1325698, 9 pages (2017)
-  Hamouid, K., Adi, K.: Privacy-aware authentication scheme for electric vehicle in-motion wireless charging. In: 2020 International Symposium on Networks, Computers and Communications (ISNCC). IEEE, 2020, pp. 1–6 (2020)
-  Babu, P. R., Amin, R., Reddy, A. G., Das, A. K., Susilo, W., Park, Y.: Robust Authentication Protocol for Dynamic Charging System of Electric Vehicles. In: IEEE Transactions on Vehicular Technology, vol. 70, no. 11, pp. 11338-11351 (2021)
-  Roman, L. F., Gondim, P. R.: Authentication protocol in ctns for a cwd-wpt charging system in a cloud environment. In: Ad Hoc Networks, vol. 97, p. 102004 (2020)
-  Gunukula, S., Sherif, A. B., Pazos-Revilla, M., Ausby, B., Mahmoud, M., Shen, X. S.: Efficient scheme for secure and privacy-preserving electric vehicle dynamic charging system. In: IEEE International Conference on Communications (ICC). IEEE, 2017, pp. 1–6 (2017)
-  Feng, X., Shi, Q., Xie, Q., Wang, L.: P2ba: A privacy-preserving protocol with batch authentication against semi-trusted rsus in vehicular ad hoc networks. In: IEEE Transactions on Information Forensics and Security, vol. 16, pp. 3888–3899 (2021)
-  Elghanam, E., Ahmed, I., Hassan, M., Osman, A.: Authentication and Billing for Dynamic Wireless EV Charging in an Internet of Electric Vehicles. In: Future Internet (2021)
-  Dolev, D., Yao, A.: On the security of public key protocols. In: IEEE Transactions on Information Theory, vol. 29, no. 2, pp. 198-208 (1983)