      5.4.1 Priority Mode
        5.4.1.1 Emergency Service
      5.4.2 Regular Mode
    5.5 Hierarchical Authentication
      5.5.1 Computing shared keys
      5.5.2 Authentication
    5.6 Coin Deposit and Double Spending verification
      5.6.1 Double Spending detection
      5.6.2 Identifying the Double Spender
6. SECURITY AND PRIVACY ANALYSIS
    6.1 Privacy Analysis
      6.1.1 External attacks
      6.1.2 Internal attacks
    6.2 Security Analysis
      6.2.1 Attacks against payment
      6.2.2 Attacks against priority determination
      6.2.3 Attacks against authentication and key management
7. PERFORMANCE ANALYSIS
    7.1 Experimental setup and performance metrics
    7.2 Computation Overhead
    7.3 Communication Overhead
8. CONCLUSION AND FUTURE WORK
    8.1 Conclusion
    8.2 Future work
VITA
APPENDICES
A. PUBLICATIONS
REFERENCES
LIST OF TABLES

1.1 Number of charging stations with different charging standards [1]
5.1 Table of notation.
7.1 Computational overhead of cryptographic operations.
7.2 Setup times of the system.
7.3 Computation overhead.
7.4 Communication overhead.
LIST OF FIGURES

1.1 ORNL testbed for dynamic charging system [2]
1.2 ORNL 20 kW wireless charging system
1.3 Qualcomm dynamic charging track
3.1 Considered network model
4.1 Example for access policy
4.2 The Schnorr protocol
5.1 Flowchart of proposed scheme
5.2 Example of 4 level public E-Coin tree
5.3 Public E-Coin tree
5.4 E-Coin purchase
5.5 Overview of the exchanged messages in the proposed scheme
5.6 Exchanged messages in priority mode of our scheme
5.7 Exchanged messages in the regular mode of our scheme
5.8 Using the seed γ_{n,n_r} to compute a set of tokens.
5.9 Using the seed µ_{1,1} to compute a set of tokens.
5.10 Computation of shared keys with CSP by RSU_i
5.11 Computation of shared keys with RSUs by EV_i
5.12 Charging from the pads of fifth RSU to the pads of tenth RSU.
CHAPTER 1
INTRODUCTION

In this chapter, we first explain the motivation for the dynamic charging of electric vehicles (EVs), and then its characteristics and main advantages over conventional charging methods. We then explain the communication requirements of the dynamic charging system. Next, we discuss the security and privacy issues, which play a crucial role in the practical implementation of an EV dynamic charging system. Finally, we give a brief overview of our proposed scheme to address these issues.

1.1 Electric Vehicles and Dynamic Charging

EVs have recently gained popularity because they can reduce the dependency on fossil fuels and promote the adoption of intermittent renewable energy sources [3, 4, 5] by storing excess generated power. EVs can also inject power into the grid to facilitate power regulation and load balancing. According to [6], a price of 0.10 per kWh for electricity is equivalent to a price of 0.70 per gallon of gasoline in the U.S. Due to this potential, many automotive companies have invested in EV technology and started to produce reliable EVs. Most governments around the world are making considerable efforts to accelerate the penetration of EVs into the market by granting EVs special privileges, such as priority use of High Occupancy Vehicle (HOV) lanes and special spaces in parking lots. The Electric Power Research Institute (EPRI) projects that 62 percent of the entire U.S. vehicle fleet will consist of EVs by 2050 under a moderate penetration scenario [5].

In spite of the advantages of EVs over conventional vehicles, some challenges should be addressed before the large-scale deployment of EVs in the market. One of the major challenges is the long time needed to charge an EV's battery. For a single charge, depending upon the size of the EV battery, it may take from one half hour to several hours according to the power
ratings of the attached charger, which is many times longer than fueling a gasoline vehicle. For example, a Nissan Leaf uses a 24-kWh battery pack to support a 100-mile range [7]. Similarly, a Mitsubishi iMiEV can achieve the same range using a 16 kWh battery pack. The Tesla Model S is capable of providing a much larger driving range of 208/265 miles with a 60/85 kWh battery pack. The driving range of an EV is proportional to the size of the battery pack, which means that if a long driving range is needed, the EV must have a large battery pack, which affects the cost and performance of the EV.

In addition, access to public charging stations is limited in most locations in the U.S. [8]. Currently, more than 16,000 public charging stations with 43,000 connectors have been deployed, but this number is far behind the number of gas stations available in the U.S. These charging stations are built with different charging standards, as given in Table 1.1. As Table 1.1 shows, the EV charging infrastructure in the U.S. still has a long way to go to meet the needs of EV owners, but the progress in direct current (DC) chargers and wireless chargers in recent years helps to reach that goal in the near future. Most EV charging can be done at home, which is sufficient for short-distance travel. The main role of public chargers is to enable long-distance travel, which would be practically achievable through DC fast charging and dynamic charging. It is expected that more fast-charging stations will be built on major highways in the near future [1]. Even though these fast-charging stations provide faster service than conventional alternating current (AC) Level-1 and Level-2 charging stations, EVs need to stop at these charging stations until the battery is fully charged.
Table 1.1: Number of charging stations with different charging standards [1]

Charging Standard      Stations   Connections
AC Level-1                1,482         2,924
AC Level-2               14,433        34,148
DC Fast                   2,080         5,607
Inductive (wireless)         63            81

In order to remove these restrictions on the driving range of EVs and the time to charge, many researchers have been trying to develop an efficient charging system that would be a more convenient option for EV charging infrastructure. Dynamic charging is a promising technology that can address the issue of long charging time by enabling EVs to charge while moving [2, 9]. It works by installing charging elements on roads, called Charging Pads (CPs), that can charge EVs by electromagnetic induction. This means that EVs do not need to stop and wait at charging stations to charge their batteries, which can save EV drivers a lot of time. Dynamic charging technology helps to increase the driving range of EVs and reduce the battery size, which in turn reduces the overall manufacturing cost of an EV. As dynamic charging becomes practical and EV prices continue to fall, dynamic wireless charging becomes more popular as a public charging option because of its convenience and flexibility.

The Society of Automotive Engineers (SAE) formed the SAE J2954 Wireless Charging Task Force in 2010 to address the need for comprehensive standardization of Wireless Power Technology (WPT) for the stationary charging case. In 2012, the U.S. Department of Transportation (DOT) identified the need for dynamic wireless charging for EVs and also mentioned the implications of dynamic charging of EVs on the national highways [10]. Tajima et al. mention in [11, 12] that they have conducted several tests using a dynamic charging system in which they successfully showed that EVs can be charged with 180 kW (DC 600 V, 300 A) of power while the vehicle is moving at a speed of 156 km/h. These researchers have even started to develop a dynamic charging system that can supply 450 kW (DC 750 V, 600 A) of power while the EV moves at a speed of 200 km/h during charging. The authors claim that if such dynamic charging systems are deployed on highways, the restrictions on EV driving range could be removed by installing a charging station with approximately two kilometers of charging lane per 50 km.
Figure 1.1: ORNL testbed for dynamic charging system [2]

To sum up, dynamic charging technology offers major advantages, such as lowering the overall manufacturing cost of EVs by reducing the size of the battery pack and eliminating range anxiety, which is a major challenge for deploying EVs on a large scale.

1.2 Conceptual model of dynamic charging

Several researchers [13, 9, 14, 15], as well as companies like Qualcomm and Honda, have been working on developing prototypes to show that the concept of dynamic charging is practical and efficient. As an example, a testbed for dynamic wireless power transfer was created by researchers from Oak Ridge National Laboratory (ORNL) [2], as shown in Fig. 1.1. In the testbed, charging pads are placed under a portion of the roadbed, and an EV's battery is charged by magnetic induction while the vehicle moves over the pads [2]. Each charging station in the dynamic charging system will have a large number of pads extended over a long distance (several miles) to allow EVs to charge
a sufficient amount of power. Each pad should charge only one EV at a time. This is because not all the EVs driving on a road need to charge, and if a pad is long, it may also charge EVs that do not need to charge. Pads should be turned on only when the EV that needs to charge is above them, to eliminate the energy that would be wasted if pads were turned on all the time. By using different charging rates and resonance frequencies, the charging pads can charge EVs with different battery types according to the request made by an EV. The dynamic charging system must learn the EV's parameters, such as its speed and air gap. It should also switch on each individual charging pad just before the EV arrives, adjust the power output according to the incoming EV's parameters, and switch off the charging pad after the EV has moved over it.

Figure 1.2: ORNL 20 kW wireless charging system

Considering the aforementioned characteristics and limitations of dynamic charging systems, ORNL's power electronics team has developed a unique architecture, shown in Fig. 1.2, for dynamic
charging infrastructure, which includes an ORNL-built inverter, isolation transformer, vehicle-side electronics, and efficient coupling technologies to achieve a 90 percent efficient 20 kW wireless charging system for passenger EVs. For demonstration, the researchers integrated a single-converter system into an electric Toyota RAV4 equipped with an additional 10-kilowatt-hour battery, with an air gap of 16 cm between the charging pads and the charging coils of the EV.

Qualcomm Technologies Inc. has designed, built, and tested a dynamic EV charging system, shown in Fig. 1.3, which is capable of charging an EV dynamically at a speed of over 100 km/h with 20 kW. They have even tested the system by charging two electric vehicles simultaneously on the track using dynamic wireless charging technology.

Figure 1.3: Qualcomm dynamic charging track

Other researchers, from the Korea Advanced Institute of Science and Technology (KAIST) [16], have started a project on Online Electric Vehicles (OLEV), in which they have developed a new technology, called Shaped Magnetic Field in Resonance (SMFIR), that delivers high power of
100 kW with an efficiency of 85 percent with a 20 cm air gap. They also deployed two OLEV buses along a 15-mile inner-city route in Gumi, Korea. This track uses SMFIR technology to deliver power wirelessly from the charging pads to the bus.

The challenges discussed in the above-mentioned works to make dynamic wireless power transfer (DWPT) practical for commercial use are [2]:
• Acceptable power levels vs. vehicle battery types.
• Vehicle alignment: maintaining the correct alignment between the charging pads and the EV to achieve high efficiency of power transfer.
• Allowable speed profiles and issues related to coil size for the segmented track.
• Multiple vehicles on a single charging lane and power flow management.
• Need for low latency, private and secure bidirectional communications.

1.3 Privacy and security issues in dynamic charging communication network

The main requirements of any communication network are security, privacy preservation, and high performance. In a dynamic charging system, EVs need to send sensitive information to charging stations for authentication, payment, and load management purposes. The dynamic charging system should secure the payment and authentication processes and should also be efficient enough to serve a large number of EVs in a short amount of time. Moreover, since an EV is a personal product, the location of an EV is actually the location of the EV driver, and thus location privacy can be breached by attackers if the data sent by the EVs can be linked to a particular driver.

Designing an efficient and secure communication scheme for a dynamic charging system, while considering the scalability and large geographic area of the system, which can extend over several miles, is a real challenge. The conflicting requirements of security and privacy complicate the
problem. To elaborate, it is necessary to know the identity of an EV in order to authenticate it to the dynamic charging system before allowing that EV to charge, but it is not appealing to reveal the identity of an EV to the dynamic charging system because of the privacy issues. For security and privacy reasons, it is sufficient if an EV discloses just enough information to authenticate itself, ensuring that the EV requesting the charging service is a legitimate member of the system, without that information being linkable to a particular EV.

Another major part of the system is the payment for the charging service. A secure and anonymous payment protocol is needed to ensure payment integrity and avoid any payment-related fraud during the purchase. The payment protocol should be able to detect and thwart different attacks and identify the attackers. At the same time, the payment should be made anonymously to protect the privacy of the EV drivers. To achieve that, any information sent by an EV during a charging purchase should not be linkable to a particular EV or to other purchases in different locations, to avoid tracing the EVs.

Another issue for the dynamic charging system is the variation in EV charging demand over time. A quite possible scenario is that the charging demand exceeds the available energy supply during peak times. Therefore, there should be a mechanism for prioritizing the EVs and charging the highly prioritized EVs. Unlike in regular plug-in charging stations, load shifting cannot be used in dynamic charging to allot a particular time for an EV to charge, because in dynamic charging EVs are in motion while charging. In order to prioritize the charging requests of EVs into different levels of priority, the charging station needs to learn some information about the attributes of an EV to determine its priority level.
For instance, the attributes of an EV may indicate that it is a police vehicle, an ambulance, a government official's vehicle, or driven by a veteran. The attributes of an EV driver can also be related to his/her work, organization, or physical/mental status. Revealing these attributes definitely reveals personal information about the EV driver. For example, if an attacker knows that an EV is a government official's vehicle, then the attacker can trace the location of that EV to know the
places that are frequently visited by that official and might learn some private information, which violates the privacy of the EV drivers. That is why the prioritization should be done anonymously, without disclosing sensitive information about the attributes of an individual EV. The prioritization should also be secure, because EV drivers may lie about their attributes to get high priority.

In conclusion, for the dynamic charging system to function properly, it should communicate with the EVs to charge only the authorized vehicles, prioritize charging requests, and ensure payment integrity. At the same time, the charging system should also be protected from misbehaving entities, whether internal or external, by securing the communication, avoiding leakage of sensitive information, and identifying the misbehaving entities. Without proper privacy-preserving mechanisms, users may hesitate to use the dynamic charging communication networks. Therefore, it is of paramount importance to resolve the security and privacy issues before implementing dynamic charging systems. In this thesis, we propose a priority-based and privacy-preserving EV dynamic charging system with divisible e-payment, which aims to address the security and privacy issues mentioned before.

1.4 Overview of the proposed scheme

In this thesis, we propose a dynamic charging system which provides integrated secure and privacy-preserving payment, authentication, and prioritization for EVs. Before charging, an EV needs to communicate with various system entities, which include a bank, a charging service provider (CSP), roadside units (RSUs), and CPs. The proposed scheme aims to address the privacy and security issues related to this communication, to preserve the privacy of the EV drivers and ensure the proper functionality of the system. In this subsection, we explain the overall idea of the proposed scheme.
First, the EV should communicate with the bank to purchase divisible e-coins that will be used when the EV needs to charge. Hence, a secure, efficient, and flexible payment mechanism
should be employed to facilitate the payment and spending of e-coins so that each EV can adjust the value of the e-coin according to the charging amount. Moreover, the spending of the e-coins should be anonymous to preserve the location privacy of the EV drivers. An efficient divisible payment scheme is proposed in [17], which allows the user to purchase a divisible e-coin of value 2^n from the bank and then anonymously spend adjustable e-coin values at different merchants. Divisible e-coins are a requirement for the flexibility of the dynamic charging system, where EVs can adjust the e-coin value according to the amount of energy required. In our scheme, we integrate the payment scheme proposed in [17] with our authentication and priority determination schemes to allow EVs to purchase and spend divisible e-coins efficiently. Moreover, we modified the verifications needed by the payment scheme to prevent a false accusation of double-spending, which can happen when a legitimate EV spends an e-coin at a malicious CSP. This CSP can pass that e-coin to another EV, which can also spend the e-coin at a different CSP. Then, when both CSPs deposit their e-coins at the bank, the legitimate EV is falsely accused of double-spending. Our modifications prevent this scenario from happening in the system.

After an EV has purchased e-coins, and when it needs to charge, it communicates with the CSP by sending a charging request that includes the amount of energy needed, and the CSP needs to check whether it has enough energy to service the set of requests it receives at a given instant of time. In the event that the available energy is less than the charging demand, prioritization becomes a necessity. EVs are serviced based on a set of predefined criteria that define the importance of the demands [18, 19]. For example, ambulances and police vehicles should be given high priority.
In our scheme, a priority policy is determined by each charging station, and a multi-authority attribute-based encryption scheme is used to ensure the security and privacy of the policy [20].

Moreover, the charging process requires exchanging messages between the EV, RSUs, and CPs to charge authorized EVs, but these messages can be used to identify EVs, and hence the location privacy of EV drivers can be breached. Since these messages are transmitted via wireless communications, it is
imperative that the data are secured against eavesdroppers. In order to address these issues, an efficient hierarchical authentication scheme based on symmetric-key cryptography is used. The scheme allows the EV to first authenticate with the CSP and receive secret keys, called tokens, shared with the RSUs. After using these tokens to authenticate to the RSUs, the EV receives further secret tokens shared with a number of CPs under each RSU's control, to further authenticate with the CPs for the charging process.

Designing an efficient, privacy-preserving, and secure scheme that integrates authentication, prioritization, and payment for a dynamic charging system is a challenging task. It is necessary for the dynamic charging system to efficiently authenticate the EVs that need to charge. Also, the payment process should be efficient and flexible. In summary, for a dynamic charging system to be fully functional, EVs need to be able to communicate securely and anonymously with several entities. The CSP, on the other hand, should be able to discern authorized EVs and allow them to authenticate to RSUs and CPs to charge. Activities such as bill payment should be performed seamlessly while preserving the privacy of the EV drivers.

Unlike existing schemes for dynamic charging systems [18, 21], which do not provide an integrated solution, this thesis presents an efficient and secure privacy-preserving scheme for dynamic charging of EVs which provides an integrated solution for anonymous authentication, prioritization, and payment. The three main components of our scheme are summarized as follows.
• Multi-Authority Attribute-Based Prioritization. The CSP is able to securely prioritize charging requests based on the attributes of the EV received from different authorities. During this prioritization, the attributes of EVs are kept confidential from the CSP.
It can only know that a given EV fulfills a given priority policy but does not know the exact attribute set the EV possesses. In addition, this secure prioritization prevents any malicious EV from claiming a false priority level.
• E-payment. An efficient, flexible, and anonymous E-payment scheme with divisible e-coins is used for billing in the proposed dynamic charging system. The scheme allows the EV to spend a pre-purchased e-coin at the charging station anonymously and efficiently. Furthermore, the value of the e-coin can be adjusted according to the amount of charge that the EV gets.
• Efficient Hierarchical Authentication. A lightweight and scalable authentication scheme based on symmetric-key cryptography is presented to enable fast authentication between the EV and the CSP. The scheme allows the EV to get secret tokens from the CSP that are shared with the RSUs. These tokens allow mutual authentication between the EV and an RSU. Similarly, the EV gets secret tokens from an RSU that are shared with the CPs it controls, to allow authentication between the EV and the CPs.

Our analysis demonstrates that the proposed scheme is secure and can preserve the privacy of the EV drivers. In addition, our measurements confirm that the proposed scheme is efficient in terms of computation overhead as well as communication overhead.

1.5 Thesis Outline

The remainder of this thesis is organized as follows. The literature review is given in Chapter 2. The network and threat models are explained in Chapter 3. The preliminaries are explained in Chapter 4. The proposed schemes are presented in Chapter 5. The security and privacy analysis is discussed in Chapter 6. The performance evaluations are given in Chapter 7. Finally, conclusions are drawn and future work is discussed in Chapter 8.
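The two-level token authentication summarized in Section 1.4 can be sketched as follows. This is an added example, not the thesis's own construction (which is given in Chapter 5): it assumes HMAC-SHA256 as the symmetric primitive, one pre-shared key per parent and child pair (CSP and RSU, RSU and CP), and a fresh random pseudonym per session; all names and key values are constructed.

```python
import hashlib
import hmac
import secrets


def prf(key, *parts):
    """HMAC-SHA256 over length-prefixed parts, so field boundaries are unambiguous."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(4, "big") + part)
    return mac.digest()


def issue_tokens(child_keys):
    """Run by a parent (CSP for its RSUs, RSU for its CPs) once the EV is authenticated.

    Returns a fresh random pseudonym and one token per child. A new pseudonym per
    session keeps sessions unlinkable to each other and to the EV's identity.
    """
    pseudonym = secrets.token_bytes(16)
    tokens = {name: prf(key, b"token", name.encode(), pseudonym)
              for name, key in child_keys.items()}
    return pseudonym, tokens


class Verifier:
    """An RSU or CP. It stores only the key shared with its parent, no per-EV table."""

    def __init__(self, name, parent_key):
        self.name = name
        self._key = parent_key
        self._pending = {}  # pseudonym -> (ev_nonce, own_nonce) for open handshakes

    def _token(self, pseudonym):
        # Recomputed on demand and bound to this verifier's name, so useless elsewhere.
        return prf(self._key, b"token", self.name.encode(), pseudonym)

    def respond(self, pseudonym, ev_nonce):
        """Prove knowledge of the token to the EV and send our own challenge."""
        own_nonce = secrets.token_bytes(16)
        self._pending[pseudonym] = (ev_nonce, own_nonce)
        return own_nonce, prf(self._token(pseudonym), b"verifier", ev_nonce, own_nonce)

    def finish(self, pseudonym, ev_tag):
        """Check the EV's tag. Handshake state is single-use, which blocks replay."""
        nonces = self._pending.pop(pseudonym, None)
        if nonces is None:
            return False
        expected = prf(self._token(pseudonym), b"ev", *nonces)
        return hmac.compare_digest(ev_tag, expected)


def mutual_auth(token, pseudonym, verifier):
    """EV side of the three-message handshake. True only if both directions verify."""
    ev_nonce = secrets.token_bytes(16)
    own_nonce, tag = verifier.respond(pseudonym, ev_nonce)
    if not hmac.compare_digest(tag, prf(token, b"verifier", ev_nonce, own_nonce)):
        return False  # the EV refuses an RSU/CP that does not know the token
    return verifier.finish(pseudonym, prf(token, b"ev", ev_nonce, own_nonce))


def demo():
    # Constructed keys and names, for illustration only.
    csp_rsu_keys = {"RSU5": secrets.token_bytes(32), "RSU6": secrets.token_bytes(32)}
    rsu5_cp_keys = {"RSU5/CP%d" % i: secrets.token_bytes(32) for i in range(3)}
    rsus = {n: Verifier(n, k) for n, k in csp_rsu_keys.items()}
    pads = {n: Verifier(n, k) for n, k in rsu5_cp_keys.items()}

    # Level 1: tokens issued by the CSP, used at the RSUs.
    pid, rsu_tokens = issue_tokens(csp_rsu_keys)
    rsu_ok = mutual_auth(rsu_tokens["RSU5"], pid, rsus["RSU5"])
    # Level 2: tokens issued by RSU5, used at the pads it controls.
    cp_pid, cp_tokens = issue_tokens(rsu5_cp_keys)
    pads_ok = all(mutual_auth(cp_tokens[n], cp_pid, pads[n]) for n in pads)

    # Cases that must be rejected.
    wrong_rsu = mutual_auth(rsu_tokens["RSU5"], pid, rsus["RSU6"])  # token out of scope
    n1 = secrets.token_bytes(16)
    n2, _ = rsus["RSU5"].respond(pid, n1)
    forged = rsus["RSU5"].finish(pid, prf(secrets.token_bytes(32), b"ev", n1, n2))
    n2, _ = rsus["RSU5"].respond(pid, n1)
    good_tag = prf(rsu_tokens["RSU5"], b"ev", n1, n2)
    first = rsus["RSU5"].finish(pid, good_tag)
    replay = rsus["RSU5"].finish(pid, good_tag)  # same tag sent a second time
    return {"rsu_ok": rsu_ok, "pads_ok": pads_ok, "wrong_rsu": wrong_rsu,
            "forged": forged, "first": first, "replay": replay}


if __name__ == "__main__":
    print(demo())
```

Each RSU or CP in this sketch holds a single key and recomputes tokens on demand, so its storage does not grow with the number of EVs or pseudonyms.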
CHAPTER 2
LITERATURE REVIEW

The proposed scheme is related to three different fields of research: efficient authentication, privacy-preserving payment, and priority determination. In this chapter, we first survey the papers on dynamic charging systems for electric vehicles. We discuss different dynamic charging system architectures and the authentication protocols designed for them. Then, we discuss the papers related to privacy-preserving payment, which aims to enable a user to pay a merchant anonymously for the service he/she has received from the merchant, and also protects the system from any misbehaving users/merchants. Finally, we survey the priority determination schemes, which allow the CSP to determine the charging priority level of an EV without knowing any private information about the driver. We provide an extensive literature review of all of these fields while also highlighting the key differences between this thesis and the works in the literature.

2.1 Dynamic charging technology for EVs

The challenges in dynamic charging systems that are related to power management, and also to communication, security, and privacy, have been investigated in the literature. We have classified our literature review on dynamic charging for EVs into non-cryptography-based and cryptography-based schemes.

Li et al. in [22] have reviewed the wireless power transfer (WPT) technologies that are applicable to electric vehicle wireless charging. This study considered the complex issues related to wireless charging, such as the frequency of the magnetic field, the distance between the two coils, misalignment, and other uncertainties of the system. The authors have also discussed
the efficient design methodologies for the magnetic coupler and have also stated the challenges and differences between stationary wireless charging couplers and dynamic charging couplers. Finally, the authors concluded that the dynamic wireless charging capability provides the foundation for mass-market penetration of EVs in the near future regardless of battery technology, and that it can be done efficiently with little advancement in technology.

Omer et al. summarize some of the activities of Oak Ridge National Laboratory (ORNL) in wireless charging for in-motion EVs in [23] and have designed a prototype system for their experiments. The authors studied their system's behavior under different frequencies and observed that the behavior of the system changes according to the frequency deviation from resonance. The authors have also studied efficient coil design methodologies, the properties of the high-frequency power inverter, and the insertion losses due to different road surface materials.

In [24], Lukic et al. investigated inductive power transfer (IPT) technology for wireless charging. The authors reviewed the fundamentals of IPT technology and its history and claimed that wireless power transfer is more realistic using IPT. They also presented some factors that have to be considered to adapt IPT for static and dynamic EV charging.

In order to determine the requirements for dynamic wireless charging for EVs, Patnic et al. in [25] considered the report from [24] and ran various tests on different types of EVs (compact car: Honda Insight; large car: Chevrolet Impala; and SUV: Ford Explorer) with different sizes of battery packs (8, 11, and 15 kWh, respectively) to measure the variation in driving range for each vehicle depending upon the driving conditions. After reviewing the simulation results, the authors claim that IPT-enabled roadways can extend the driving range of EVs.

Turki et al.
in [26] have introduced and studied the concept of how the railway energy supply system can be used to feed the wireless charging networks by using the available power electronic devices and the grid topologies. They have selected an efficient dual-active bridge (DAB) topology which provides a high degree of flexibility and can match the demands of power ratings that are
required for the transformation of railway grid AC voltage to DC voltage for wireless charging feeders. The authors also conducted several simulations and found that controlling the DAB topologies can compensate for the variations in railway grid voltage. The authors concluded that the challenges of dynamic wireless charging can be resolved using present technology, but that it could be optimized.

Li et al. in [27] proposed an initial framework for coupling EVs and the power grid through dynamic charging and VANET technology. The demand-driven framework designed in this work considers the hourly variation of traffic according to location and estimates the demand for electricity in order to allocate the charging stations efficiently. By using this framework, the charging stations can have better visibility of the demand and better control over their resources.

In [28], Suh et al. studied the wireless power transfer field and verified the practical applicability of wireless charging. The authors introduced the concept of a wireless power transfer technology, called Shaped Magnetic Field in Resonance (SMFIR), for Online Electric Vehicles (OLEV) and demonstrated their experimental results. The authors also discussed the design concept, system architecture, and development process of the system design to achieve higher power transfer efficiency.

In [29], Theodorous et al. discussed the impact of dynamic wireless EV charging on the existing grid infrastructure. The authors created a simulation environment in order to assess the impact of a charging lane layout and traffic on the grid, evaluated the energy storage requirements for demand smoothing, and finally discussed the possibility of integrating renewable energy into the dynamic wireless charging infrastructure.

In [2], Miller et al. discussed the challenges of wireless power transfer in the case of moving EVs.
The authors have not just investigated the issues in high power transfer to moving EVs but also the communication in a vehicle to infrastructure (V2I) environment under high traffic conditions.
2.2 Privacy-Preserving authentication schemes

Few papers in the literature have investigated the security and privacy issues of dynamic charging of EVs. In [30], Li et al. proposed a privacy-preserving authentication scheme for EV dynamic charging. The idea is that when an EV needs to charge, it has to contact the CSP to obtain a pseudonym and a corresponding symmetric key. Then, the EV can use them to authenticate to every charging pad it encounters on its way. The CSP has to distribute all the pseudonyms and corresponding keys to all the pads, and all pads should store all the pseudonyms/keys including the ones that may be used at other pads. This is because in the considered network model a charging station spreads over a large geographical area and an EV can take any route to get charging using its set of pseudonyms. This requires large storage for charging pads and large communication overhead. Cost-effective charging pads usually have limited computation and communication resources. An authentication scheme was proposed in [31] to expedite the authentication between EV and CPs. The scheme consists of two main parts: direct and indirect authentication. In the direct authentication, EV and CP authenticate each other directly. After that, the CP forwards the authentication request to the utility for authenticating the drivers. EVs have their credentials stored in a tamper-proof module (TPM) and activated for usage by the registered motor authority (MA). These keys are updated at specific intervals by the same authority. For revocation of keys, a number of registered revocation authorities have to cooperate, using credentials from the MA, to identify the EV associated with a key. A large number of CPs and the frequency of communication with the utility can lead to a communication bottleneck at the CSP. In [32], a fast authentication scheme is proposed for EV charging.
The scheme uses Just Fast Keying [33] approach to initiate the charging session with each RSU, which serves as an intermediary between EV and utility. To enable fast response and eliminate the need for EV to frequently authenticate as it travels between RSUs, EV credentials are forwarded from one RSU to another.
The scheme, however, is susceptible to replay attacks, does not consider the privacy of EVs and also does not consider payment. In [34], Zhao et al. proposed a billing scheme for a dynamic charging system. The proposed scheme assumes that each EV should use a Trusted Platform Module (TPM), which is a tamper-proof device used to save secret keys. The proposed scheme targets a single CSP system, and if an EV needs to get charging at another CSP, it also has to register at that CSP. In [35], Li et al. have proposed an efficient and secure anonymous real-time reporting scheme for EVs. In the proposed scheme, rewards are used to encourage the EVs to report their battery status to the utility, because EV information such as the future trip start time and battery State-of-Charge (SoC) helps the power grid to perform optimizations like load management, charging scheduling, V2G profit optimization, etc. Nicanfar et al. [36] have proposed an authentication scheme for EVs in a V2G network while preserving the privacy of the EV drivers. The authors have considered two different cases. The first case is on the home network, which needs mutual authentication between the EV and the smart grid server that the EV has already registered for, and in the second case, the EV uses pseudonyms given by the registered grid to anonymously authenticate to a non-trusted third-party server. By using both of these schemes, the EV can charge its battery at multiple charging stations. This paper is the improved version of [37] and has mentioned all the situations that an EV can be involved in a V2G network. In [38], Yang et al. have studied the privacy-related issues in V2G networks and proposed an anonymous authentication scheme with a precise reward scheme to encourage the users to use the V2G network. The authors have used the idea of ID-based restrictive partially blind signature [39] to protect the identity of the EV during the authentication protocol.
The EV has to prove that it has a valid permit given by the control center to the aggregator during the authentication protocol. During this communication, the aggregator can only know that it is communicating with one of the EVs in the system, but cannot link the EV to any specific user's identity.
Authentication for dynamic charging infrastructure is similar to the authentication in V2G networks and the Vehicular Ad hoc Networks (VANETs), where the authentication should take place between an EV and the infrastructure. In general, VANETs need two authentication schemes, one for vehicle-to-vehicle (V2V) authentication and the second for vehicle-to-roadside unit (V2R) authentication. The most commonly used schemes for privacy-preserving authentication in VANETs and V2G networks use anonymous certified pseudonyms [36, 40] and group signatures [41], where a group manager generates keys for each member of the group to sign their messages. Given a signature, a verifier cannot infer the signer's identity and can only know that the signer is a member of the group. In the vehicular network settings, one conventional approach is to use a trusted authority as group manager, and all vehicles are the group members who generate a group signature to authenticate anonymously during communication with RSUs. Another approach is to use the RSU as a group manager and all vehicles within the RSU's communication range as its group members [40]. Li et al. [42] proposed two anonymous authentication schemes for V2R and V2V networks which use self-generated pseudonyms and identity-based signatures (IBS) [43]. This scheme also provides conditional anonymity with traceability for non-repudiation in case malicious vehicles try to attack the system. The authors have also analyzed the proposed schemes for the typical VANET environment and have concluded that the proposed scheme is the best fit for that environment. In [44], Zhang et al. have proposed an RSU-based message authentication mechanism, called RAISE, that uses the k-anonymity approach [45] to provide conditional anonymity for drivers of vehicles. By using RAISE, roadside units verify the authenticity of messages sent by vehicles on behalf of other vehicles and notify the results back to the vehicles.
The idea of this paper is to reduce the computation overhead on vehicles during high traffic density, since a vehicle may not be able to verify all the signatures given by its neighbors which results in message loss. In [46], Lu et al. have proposed an efficient conditional privacy preservation (ECPP) scheme for VANETs based on the on-the-fly short-time anonymous key generation between the vehicle and
an RSU. The paper focuses on conditional privacy while addressing two security issues: efficient anonymous authentication of safety messages and efficient tracking of the source of a disputed safety message. In [47], Xi et al. have proposed a random key-set pre-distribution based authentication scheme for VANETs. The keys are distributed to the vehicles by a key distribution authority. The authentication scheme proposed in this work was primarily used in wireless sensor networks and has also been adapted to vehicular networks [47]. This authentication scheme preserves the privacy of drivers under the zero trust policy, which means that there is no central trusted authority. In case of disputes, the identity of a malicious driver can be identified with the help of the key distribution center. Ahren et al. have proposed an efficient key management scheme based on Temporary Anonymous Certified Keys (TACKs) in VANETs [48]. The scheme facilitates the revocation of misbehaving entities and focuses on VANET applications that require short-term linkability of vehicle messages, i.e., an RSU needs to be able to link two messages sent by the same vehicle. The authors claim that the short-term linkability does not violate drivers' privacy because of its constrained mobility pattern. The TACKs are certified by a regional authority (RA) and used by vehicles to authenticate to RSUs. To update these TACKs, the vehicle needs to authenticate to RAs using a group signature. This group signature can be generated by a vehicle using the long-term key issued by the trusted authority. If any vehicle misbehaves, the identity of that vehicle can be traced by the trusted authority, and to revoke a user the trusted authority computes a revocation token corresponding to that EV and publishes it to the RAs. In [49], Jinyuan et al. have proposed an identity-based [50] security system for VANETs. The proposed scheme is based on using pseudonyms for driver anonymity.
It also uses threshold signatures [51, 52] for exculpability, which means that a legitimate user cannot be falsely accused as a malicious user even by a corrupted authority. The proposed scheme also uses threshold authentication [53] to revoke a misbehaving driver's credentials. So, any additional authentication beyond the threshold value can reveal the identity of the misbehaving user.

2.3 Privacy-Preserving payment schemes

In line with maintaining anonymity while charging, it is imperative that the payment scheme preserves the privacy of EV drivers. There are many different forms of existing payment systems, like electronic cash (e-cash), credit card payments, physical cash, and bitcoins. In this section, we survey the payment systems that are specifically designed for EV charging transactions and also other practical payment systems like electronic cash. Few researchers have developed payment schemes that are specifically designed for EV charging transactions [54, 55, 56, 57] and public transportation systems [58]. In [54], Soghoian et al. have proposed a secure payment system, called Merx, that enables a user to delegate a third party to perform a transaction on behalf of the user while protecting the user's privacy. The idea is that the user should generate a transaction token and give it to a third party, which uses that token as an authorization to purchase goods without involvement of the user. This token reveals no information about the user, like the user's account number, identity etc., to the merchant. The Merx protocol is designed to be used with mobile phones and mobile computing devices, especially in situations where end-users do not have access to the Internet. In [58], Rupp et al. have proposed a lightweight payment scheme for public transit systems called Privacy-Preserving Pre-Payments with Refunds (P4R). In the proposed scheme, a user has to make a deposit to get a credential, where the credential represents a fixed amount of money and allows the user to make an arbitrary ride.
The actual fare of a trip is calculated according to the entering and exiting stations of the transit and the user gets a refund if the actual fare is less than his deposit, i.e., overpayments are refunded at the end of the trip. The user can then aggregate all trip refunds into a single token. This scheme is built upon the Brands’ e-cash scheme [59] for constructing the
pre-payment system and a variant of blind Boneh-Lynn-Shacham signatures [60] to implement the refund capabilities. In [55], Zhao et al. have proposed an anonymous payment scheme for EV charging. An anonymous credential technique [61] is used for anonymous authentication of EVs to the Energy Provider Company (EPC). Some attributes are added to the anonymous credential to prove the properties of the EV, like the battery size, power ratings etc., and to provide diversity in price according to the charging service. The Trusted Platform Module (TPM), which is embedded in the On Board Unit (OBU) of the EV, is used to prevent users from performing replay attacks on the EPC, and it is assumed that the TPM does not do any illegal actions. At the time of charging, the TPM and OBU present their credential and some attributes of the vehicle to the EPC server. The TPM authenticates to the charging server using the technique of direct anonymous attestation [62]. After that, the server checks the price of the current electric energy in the case of dynamic pricing. If the remaining balance in the credential is larger than the required amount, the server starts to charge the EV; otherwise, it rejects the request of the EV. After that, the OBU gets an updated credential with a decremented balance. In [56], Zhao et al. have proposed a secure and privacy-preserving payment system for EVs using the Camenisch-Lysyanskaya (CL) signature and TPM technique. The CL signature technique [63] is used to protect the privacy of EV drivers while users schedule charging service for EVs. A user can reserve a limited number of charging stations simultaneously. A punishment mechanism is also used if a driver makes a reservation but does not come. This scheme also provides a lost EV protection service to the users so that users can find their stolen vehicles with the help of a trusted authority.
Moreover, the scheme uses a TPM which is totally trusted and tamper-resistant to store the cryptographic secrets of EV and also authenticate the EV during charging reservation. Each EV needs to top up some amount into its account before entering the charging station and proves to the charging server that it has enough amount of money in its account using range proof technique [64]. This scheme also supports the dynamic pricing.
In [57], Mustafa et al. have proposed an offline payment scheme for EV charging. In the proposed scheme, users need to register with a contracted supplier (CS), and if the EV gets charged from any other host supplier (HS), then it authenticates to that HS using the pseudonyms given by the CS, and the HS generates a bill for the CS which should be paid later by the EV. Electronic cash was first invented in [65, 66], and extensively investigated in [67, 68, 69, 70, 71, 72, 73]. Unlike physical cash, electronic coins are easy to duplicate. The main idea for any e-cash scheme is that, even though a single party, i.e., the bank, is responsible for giving out electronic coins and later accepting them for deposit, the coin withdrawal and the spending protocols should be designed in such a way that it is impossible to identify who spent a particular coin. The coin withdrawal protocol does not reveal any information to the bank that would later enable it to trace where a coin is spent. So, the users can spend their e-cash anonymously without worrying about their privacy. Empowered by the anonymity that e-cash provides, malicious EV drivers involved in coin double spending will not be punished unless something is done to include accountability. In [74], Camenisch et al. have presented an efficient off-line anonymous e-cash scheme where a user can withdraw a wallet containing $2^l$ coins, each of which the user can spend unlinkably. This scheme is efficient in terms of storage space, where the whole wallet of $2^l$ coins has about the same size as one coin, and also provides traceable coins without a trusted third party. That is, once a user spends one of the $2^l$ coins in his wallet twice, all his spending of these coins can be traced by using the technique of verifiable encryption [75] during the withdrawal protocol. This scheme also offers exculpability of users, in which the bank can prove to a third party that a user has double spent coins but cannot accuse a legitimate user of double spending.
The e-cash system proposed in [76] is a bandwidth-efficient off-line anonymous e-cash scheme with traceable coins and identity using the technique proposed in [77]. The major difference between other e-cash schemes and this paper is the traceability of e-coins by the users, i.e., coin-tracing without a trusted third party. The idea is that any party can trace the coins of the same user
once this user double spends a coin, i.e., whenever a user double spends a coin, the bank can detect the identity of the user and also publishes some tracing information called a tag. Given two payment transcripts from the same coin of the same user, the scheme outputs the same tag, so that once a user double spends, all spendings of the same user are identified by the merchant during the payment protocol. In an e-cash system proposed by Camenisch et al. in [78], a user can withdraw coins from the bank, and then spend each coin anonymously and unlinkably. The authors also have proposed an additional property for e-cash by adding a restriction on the number of transactions made by a user with a specific merchant. The number of transactions may vary for each merchant. This property of e-cash can be used in some cases where it is desirable to set a limit on anonymous transactions. In the proposed scheme, a user's anonymity is guaranteed as long as the user does not: (1) double spend a coin, or (2) exceed the publicly-known spending limit with any merchant. The spending limit may vary from one merchant to another. In [79], Canard et al. have presented an off-line divisible e-cash scheme based on binary trees, where a user can withdraw a divisible coin of monetary value $2^l$ and spend any value between $2^0$ and $2^l$ in multiple transactions anonymously and unlinkably. The main motivation of divisible e-cash is to provide a method to withdraw or spend several coins more efficiently than repeating a single withdrawal or spending protocol several times. Using the binary tree approach, each node of the tree is related to a tag key which is used to generate a serial number S of the spending node and detect double spending. The serial number of a particular node is the concatenation of the two children tag keys. The root tag key and the identity of the user are signed by the bank during the withdrawal protocol using the signature scheme proposed in [80].
During the spending protocol, a security tag T is generated by the spender. The spender has to prove that S and T are well-formed using a zero-knowledge proof [81, 82, 83, 84] without giving any information about his identity. Given the tag key of a node N, it is easy for anyone to compute the tag keys of the descendant nodes of N, but it is impossible to compute a tag key which is not related to a descendant of the targeted node
without the knowledge of the root tag key. Baldimtsi et al. have proposed a transferable e-cash scheme in [85] which is a little different from previous e-cash schemes. In traditional e-cash schemes, transferring coins is allowed only between users and merchants, but in the proposed scheme, the users are able to transfer coins between each other multiple times before depositing them to the bank. This is similar to physical cash. The proposed scheme is fully anonymous transferable e-cash and does not need a trusted third party. Malleable signatures are used to allow secure and anonymous transferring of the coins. The scheme also achieves one of the main requirements of e-cash, i.e., as long as users do not double spend a coin, they should remain anonymous. For transferable e-cash, the owner of a coin transfers the signature of the bank ($\sigma$) on a coin which has a unique serial number ($SN_1$) to another user in such a way that the transferred coin is valid and generates a new serial number ($SN_2$) for that coin, and it also carries a Double-Spending tag ($DS$) which carries all the information necessary to detect double spending and preserves the anonymity of the spender. In order to achieve the property of transferring a signature, a Malleable Signature scheme [86] is used. The signature scheme allows a user to generate several versions of a signature that are unlinkable to the original signature to protect anonymity, and to extend the bank's signature to a new message which has the information about the new receiver (merchant) of the coin. When spending the coin with a merchant or any user, a double-spending tag $DS$ is computed by the spender, which encodes his identity. The merchant then deposits the coin $C = (SN, \sigma, DS)$ at the bank. If two coins $C$ and $C'$ with the same serial number but different double-spending tags ($DS$ and $DS'$) are deposited, that means one of the users double spent that coin.
Then, by using these two double-spending tags together, the bank can reveal the identity of the user who double spent the coin. The payment scheme used in this thesis is primarily based on [17], which provides a flexible and efficient means of e-coin spending. The scheme uses a public global tree structure to construct all the e-coins in the system. The tree is constructed by the bank, thereby eliminating the need for
users to prove that the tree is well-formed, unlike in the cases of [79, 87]. When a user purchases an e-coin, he gets a certificate on a random secret x. This secret value defines all the serial numbers associated with the purchased e-coin that can be generated using that public tree. To spend a node on the tree, the user computes an e-coin $t_s$ for that node by using the public parameters of that node along with the user's secret. The user has to prove to the CSP that $t_s$ is well formed. During the deposit process, the CSP submits the $t_s$ given by the user to the bank. Given $t_s$, the bank can compute all the serial numbers related to that node and check for double spending by comparing them with the serial numbers of previously deposited e-coins. If a duplicate serial number is found, it indicates that a coin has been double spent. The user stays anonymous until it commits a double spending attack. We modified the verifications needed by the payment scheme to prevent a false accusation attack of double spending that results from a collusion between a malicious CSP and malicious EVs to pass e-coins spent by legitimate EVs.

2.4 Privacy-Preserving priority determination schemes

Due to the expected large number of EVs, at some times, the charging demand may exceed the available power supply at a charging station. In this case, the charging station cannot serve all the charging requests, so it is better to prioritize the EVs and charge the highly prioritized EVs without exceeding the amount of available power. The concept of prioritizing EV charging has been used in plug-in charging to coordinate the EV charging based on the demand and supply variation. The charging coordination is useful to reduce the potential stress and performance degradations that may occur in the power system due to uncontrolled and random EV charging. In order to coordinate charging, some data about the EVs need to be provided to the coordination authority, and this raises concern about the privacy of the users.
A number of research papers have been published on privacy preservation of users' personal data while coordinating their EV charge schedules [88, 21, 18]. A privacy-preserving charging coordination scheme is presented in [21]. In this scheme, each
electric storage unit (ESU), including EVs and home batteries, sends an encrypted charging request to an aggregator. This request includes the identity of the ESU, the state of the battery, the charging demand, and the time to complete the charge. The state of the battery and the time to complete the charge are used to compute a charging priority index for each ESU. For anonymity purposes, the aggregator shuffles the identities of all ESUs with their charging requests and forwards these requests to the charging coordinator. The charging coordinator executes a modified version of the knapsack algorithm in order to schedule the charging based on their priorities, taking into consideration the charging capacity constraints. In addition, the authors proposed adding noise to each ESU request (i.e., state of the battery and time to charge) to prevent linking requests sent from one ESU. However, the proposed scheme in [21] can only be used for plug-in charging because if an EV does not charge in one time slot, it can charge in a different time slot, but in dynamic charging, EVs are in motion and they do not wait for future time slots to charge. We, therefore, consider a scheme that uses attributes assigned to EVs to determine priority for charging. In [18], an attribute-based prioritization scheme for EV charging is proposed. The scheme uses the EV attributes to determine the type of charging service it should receive. Two services are considered: quality guaranteed service (QGS) and best effort service (BES). In QGS, an EV gets a guarantee of its requested charge, while in BES, it gets charged based on the remaining energy available at the charging station after serving QGS. However, the scheme was developed for a plug-in charging scenario and considers only two levels of priority and one attribute authority. Our scheme considers multiple levels of priority and multiple authorities.
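The deposit check that Section 2.3 describes for tree-based e-coins (a spent node exposes every serial number beneath it, and two tags on one serial number expose the spender) can be sketched as follows. This is an added example, not code from the thesis or the cited schemes: HMAC-SHA256 key derivation and a linear tag modulo a prime stand in for their algebraic constructions, blind signatures and zero-knowledge proofs are omitted, and all names and values are hypothetical.

```python
import hashlib
import hmac

# Constructed toy parameters (assumptions for this example, not from the thesis).
DEPTH = 3            # public binary tree: 2**3 = 8 leaf serial numbers per e-coin
Q = 2**127 - 1       # prime modulus for the double-spending tags


def _prf(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def node_key(root: bytes, path: str) -> bytes:
    """Derive the tag key of the node reached from the root by a bit string."""
    key = root
    for bit in path:
        key = _prf(key, b"child" + bit.encode())
    return key


def leaf_serials(key: bytes, path: str) -> dict:
    """Expand a node's tag key into {leaf path: serial number} for its subtree."""
    if len(path) == DEPTH:
        return {path: _prf(key, b"serial").hex()}
    serials = {}
    for bit in "01":
        serials.update(leaf_serials(_prf(key, b"child" + bit.encode()), path + bit))
    return serials


def challenge(context: bytes) -> int:
    """Per-payment challenge bound to the payee and session (hypothetical format)."""
    return int.from_bytes(hashlib.sha256(context).digest(), "big") % Q or 1


def spend(root: bytes, identity: int, path: str, context: bytes) -> dict:
    """EV side: reveal one node key plus an identity tag for each leaf it covers.

    Each tag is identity + c * t (mod Q). The blinding t depends on the root
    secret, which is never revealed, so one tag per leaf hides the identity.
    """
    key, c, tags = node_key(root, path), challenge(context), {}
    for leaf in leaf_serials(key, path):
        t = int.from_bytes(_prf(root, b"blind" + leaf.encode()), "big") % Q
        tags[leaf] = (identity + c * t) % Q
    return {"path": path, "key": key, "c": c, "tags": tags}


class Bank:
    def __init__(self):
        self.ledger = {}   # serial number -> (challenge, tag) of the first deposit

    def deposit(self, coin: dict) -> tuple:
        """Return (status, identity); identity is set only for a double spend."""
        serials = leaf_serials(coin["key"], coin["path"])
        for leaf, serial in serials.items():
            if serial not in self.ledger:
                continue
            c_old, tag_old = self.ledger[serial]
            if c_old == coin["c"]:
                # Same transcript deposited twice: nothing here implicates the EV.
                return ("duplicate-transcript", None)
            # Two equations, two unknowns (identity, t): solve for the identity.
            t = (tag_old - coin["tags"][leaf]) * pow((c_old - coin["c"]) % Q, -1, Q) % Q
            return ("double-spent", (tag_old - c_old * t) % Q)
        for leaf, serial in serials.items():
            self.ledger[serial] = (coin["c"], coin["tags"][leaf])
        return ("accepted", None)


def demo() -> list:
    root, ev_id = b"constructed-coin-secret-x", 424242   # constructed sample values
    bank = Bank()
    first = spend(root, ev_id, "00", b"CSP-A|session-1")
    return [
        bank.deposit(first),                                         # two leaves
        bank.deposit(spend(root, ev_id, "01", b"CSP-B|session-7")),  # disjoint node
        bank.deposit(first),                                         # CSP resubmits
        bank.deposit(spend(root, ev_id, "0", b"CSP-C|session-3")),   # parent of both
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Spending the parent node "0" after its children "00" and "01" is caught because the bank expands every deposit down to leaf serial numbers; the resubmitted transcript is flagged separately because it carries no second challenge and so cannot identify anyone.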
2.5 Our Contributions

This thesis integrates three main schemes: 1) Privacy-preserving payment scheme that allows the CSP to charge the EVs without learning any information about EV drivers; 2) Privacy-preserving priority level determination scheme to determine the charging priority of EVs; and 3) Lightweight
authentication scheme to enable EVs to mutually authenticate with the charging station entities including CSPs, RSUs, and charging pads. The privacy-preserving payment scheme that we used in our proposed scheme aims to provide an efficient way for the EVs to pay for charging service anonymously. It uses blind signatures and randomizing signatures to construct cryptographic e-coins which can be used by EVs to authenticate to the CSP as well as to the Bank. We chose this payment scheme because of its security and its efficiency in terms of computation of e-coins, and we have modified the verification process of this payment scheme such that no one can accuse a legitimate EV of double spending and so that it best fits our application. The existing schemes either use contract billing or online payments, which are not efficient. In contract billing, the charging station charges the contractor and later the contractor charges the EV according to the bill given by the charging station. In this case, the user's privacy is not protected, since in the long run the contractor can know the regularly visited places of a legitimate user. This means the anonymity of the user is not protected even if he does not misbehave. In online payments, the bank has to stay online during the transaction between the EV and the charging station to check for double spending. Keeping the bank online increases the network traffic and it can become the bottleneck for the system. In some offline payment schemes such as [74, 79, 85], the proofs generated by the EV at the time of coin spending need large computations and storage space, which is not efficient in our dynamic charging scenario. The proposed privacy-preserving priority level determination scheme is designed specifically for providing prioritized service to EVs at times when little power is available for charging at the CSP. The closest scheme to our proposal is in [18], but there are two main differences.
First, the scheme is not expressive in terms of creating policies because it has only two levels of priority. Second, it is also not realistic to assume that there will be only one attribute authority [89] that is responsible for managing all the attributes and distributing secret keys to all the users in the system. It would be more realistic to have multiple attribute authorities independent from each other who can create
and maintain their own attribute set and distribute corresponding secrets for their users. Unlike [18], our proposal has multiple attribute authorities and can create expressive access policies. The proposed lightweight authentication scheme is designed to provide efficient mutual authentication between EVs and the different parts of the dynamic charging system. The main challenge for an authentication protocol in the dynamic charging scenario is that the EV needs to be authenticated by a large number of charging pads encountered on its way, and this should be done within the short contact time between the EV and the charging pads. In order to achieve this fast authentication, the scheme must use lightweight cryptography. Our protocol achieves this by using an efficient way of key generation and distribution. Finally, we integrate the three schemes efficiently to reduce the computation and communication overhead. None of the existing works propose an integrated authentication, payment and priority determination scheme. Our authentication scheme also aims to reduce the overhead on the pads to reduce their cost. This is an important requirement because of the large number of pads in the system. Our proposed scheme is also scalable and can be deployed with any number of CSPs and a large number of pads in the system.
CHAPTER 3 SYSTEM MODEL AND DESIGN GOALS

In this chapter, we first discuss the different entities that are involved in the proposed scheme and also explain how these entities communicate with each other. Then we discuss the adversary and threat model considered in the thesis. Finally, we formulate the considered research problem and discuss the design goals of the proposed schemes.

3.1 Network model

As illustrated in Fig. 3.1, the proposed dynamic charging system consists of Charging Stations (Service Providers), EVs (Users), Bank, Attribute Authorities (AA) and a Trusted Authority (TA). Each Charging Station has a Charging Service Provider (CSP), Road Side Units (RSUs) and Charging Pads (CPs). The RSUs are the access points that are deployed across the charging section on the road, which can extend to several miles. The CPs are the elements that provide charging to EVs. It is expected that there will be a large number of CPs at a charging station, which can extend to several miles. Our considered system model has multiple AAs like government agencies, police department, health care department, veterans service etc. Each AA is responsible for distributing a set of secret keys used to identify the attributes assigned to each user, which means that there is no central authority that distributes attributes and secret keys to all the users. Instead, there can be several authorities where each authority is responsible for the key distribution of its specific set of attributes. The multi-authority scenario is more realistic, since in reality there may be multiple authorities that have their own specific attribute set. In our scheme, even the charging station can act as an attribute authority to assign attributes to users of different types of memberships, such as regular users, premium users, etc.

Figure 3.1: Considered network model

The communication between CSPs and EVs with the bank can be done using the Internet. EVs communicate with RSUs and CPs using dedicated short range communication technology [90]. Between EV and CSP, a wireless communication scheme, such as 4G LTE, could be used. We assume that the communication between CSP, RSU and CPs uses a dedicated wired connection. Each RSU can communicate with a number of pads and each CSP can communicate with all RSUs in the charging station. The EVs can communicate with the pads by using a dedicated short range wireless communication device installed at the bottom of the EV. Each EV maintains an account with the bank and uses this account to purchase anonymous coins to pay for charging. An EV gets authenticated when it has shown evidence of being capable of making payment. CPs need to authenticate EVs before switching on to charge them.
3.2 Adversary and Threat model

We consider a strong adversary model assuming that all entities are not fully trusted except the TA. The bank and CSP are considered honest-but-curious. The attackers can be either internal or external and may attempt to jeopardize the privacy of EV drivers or attack the authentication and payment schemes to achieve financial gains. The internal attackers may aim to learn the locations of EVs and the attributes of drivers, but not to disrupt the proper operation of the scheme. For the authentication scheme, we consider that the attackers can be an individual EV or CSP. An EV may try to charge from the CSP without paying or while paying less; for example, the EV may try to authenticate to more charging pads than the purchased power allows. Some EVs may eavesdrop on the communication between the CSP and other EVs to perform replay attacks to impersonate legitimate EVs. While external attackers can only eavesdrop on the network transmissions to infer sensitive information about the users, these attackers may also modify users' messages, which can cause EVs to not charge even after paying for the charging service. The attackers may attempt to impersonate an EV or CSP to send data under their names. For example, if an attacker impersonates a CSP, he can get coins from EVs and deposit them at the bank. The EVs can also attack the authentication scheme to charge for free, by launching replay attacks and by reusing old authentication tokens. For the attacks on privacy, the internal attackers like the bank and CSPs may try to compromise the anonymity of a legitimate user. The bank may try to find some relation between the coins withdrawn by EVs and the coins deposited by CSPs to learn the locations of the EVs. During authentication, the CSP may try to compromise the privacy of EVs by finding the identity of the EV driver or by tracing the EV by linking the data transmitted in one session to the data of other sessions.
The bank and CSP may collude to link the packets sent by the same EV. Each EV is interested in learning the other EVs' identities and attributes. For the payment scheme, we consider that the attacks can be launched either by a single
EV or CSP, and colluding EVs and CSPs. The bank may also collude with the CSPs to attack the system and falsely accuse a legitimate EV of double spending. The EVs may attack the system by charging without paying or with less payment. Malicious EVs may try to impersonate other EVs while purchasing coins from the bank, in order to purchase coins using another EV's account. They may also try to forge coins and double spend valid coins at different CSPs. CSPs may try to charge EVs more money than the amount required for the charging service. The bank may falsely accuse an EV of double spending and may try to find the identity of that EV driver.

For priority determination, some EVs may claim that they have attributes that satisfy a high priority level in order to get charged. CSPs may even attempt to find sensitive information about the attributes of an individual EV during the priority level determination process.

3.3 Problem Formulation and Design Goals

In order to achieve an efficient, secure, and privacy-preserving dynamic charging system, an efficient integrated payment, authentication, and priority determination scheme is needed. During the communication between the EV and other entities in the system, the EV may need to send some sensitive information to the CSP or the bank, so security and privacy should be well investigated. This information should not leak anything about the EV's identity. The only information that can be known to the CSP is that some legitimate EVs with valid coins request the charging service. All the exchanged messages in the system should be verifiable to protect against external attacks. Our goal is to design a secure and privacy-preserving dynamic charging system that can achieve the following:

1. Privacy-preservation: The privacy of EV drivers should be protected by hiding their real identities. Attackers should not be able to link the data sent from one EV at different locations and times.
Attackers should also not be able to track an EV, so that the EV driver cannot be identified
from the locations visited by the EV. Moreover, the set of attributes an EV possesses should also be preserved.

2. Resistance of collusion attacks: The proposed scheme should be secure against collusion attacks. Even if all the entities except the trusted authority collude to identify an EV, steal money, impersonate another EV, claim a higher priority level, etc., the colluders should not succeed.

3. Forward and backward secrecy: The keys established during the authentication protocol should have perfect forward and backward secrecy, i.e., given a session key, no one should be able to compute the past or future keys.

4. Replay, data modification and impersonation attacks: The proposed scheme should be secure against known attacks such as replay, data modification, and impersonation. To elaborate, if an attacker eavesdrops on the communication between any two entities and tries to reuse the exchanged messages to impersonate another user, he should not succeed. Moreover, if a message is modified by an attacker during transmission, the message modification should be detected.

5. Accountability: If any entity in the system tries to attack the system, it should be held accountable and be identified. For example, if any EV misbehaves and double spends a coin, the bank should be able to detect the double spending at the time of the coin deposit and identify the attacker.

6. Resilience for false accusations: The proposed scheme should be resilient to false accusations, i.e., no one in the system should be able to falsely accuse an honest entity of misbehavior. If the bank claims that a user has double spent a coin, then it should be able to prove the misbehavior to the trusted authority in order to identify and punish the attackers.
7. Flexible payment: The payment scheme should be flexible enough for the users to pay any value of money to the CSP for their charging service. Since the cost of power and the power requirement of an EV may change from time to time, the EV driver should be able to charge for the desired amount of money.

8. Scalability: The proposed scheme should be scalable with acceptable performance because the system has a large number of EVs and CPs.

9. Communication overhead: The number and size of messages exchanged between the EV and the entities of the dynamic charging system should be minimal.

10. Computation overhead: The computation overhead on the different entities in the system should be acceptable; in particular, the overhead on the CPs should be minimal because cost-effective CPs have low computational power.
CHAPTER 4
PRELIMINARIES

In this chapter, we briefly present the basic concepts of the cryptographic building blocks used in our schemes. We start by introducing the cryptographic hash function, access structures and linear secret sharing scheme, and bilinear pairing and complexity assumptions. Finally, we discuss the Blind-LRSW signature scheme, which is the basis of the payment scheme.

4.1 Cryptographic hash function

A cryptographic hash function ($H$) maps data of an arbitrary size to a fixed data size, i.e., $H : \{0,1\}^* \to \{0,1\}^n$. The fixed-size output is known as a hash value, hash code, digest, or simply hash. Hash functions are typically used for achieving data integrity, i.e., any changes made to the original message can be detected from its hash. The hash function is the building block of HMAC, which provides message authentication. The security properties of a cryptographic hash function are as follows:

1. Pre-image resistance: Given a message $m$, it is very easy to compute its hash $h = H(m)$, but given the hash value $h = H(m)$, it is infeasible to find the message $m$, i.e., the hash function is one-way and hard to reverse.

2. Second pre-image resistance: Given an input $m_1$, it is infeasible to find a different $m_2$ such that $H(m_1) = H(m_2)$. Hash functions that cannot achieve this property are vulnerable to second-preimage attacks.
3. Collision resistance: It is infeasible to find two different messages $m_1$ and $m_2$ such that $H(m_1) = H(m_2)$. If such a pair of messages is found, this is called a cryptographic hash collision. This property is sometimes referred to as strong collision resistance.

There are several hash functions in use in many applications, such as MD5, SHA-1, SHA-256, SHA-384 and SHA-512 [91, 92]. Each has its own advantages in terms of performance and security [93].

4.2 Bilinear pairing

Bilinear pairings map two elements from two cryptographic groups to a third group. Let $G_1$ and $G_2$ both be cyclic multiplicative groups of prime order $p$. Let $g$ be a generator of $G_1$ and $g'$ be a generator of $G_2$. $e$ is a bilinear pairing function that maps an element from $G_1$ and an element from $G_2$ to an element in $G_T$, i.e., $e : G_1 \times G_2 \to G_T$. The pairing is called symmetric if the input elements of the pairing are from the same group, i.e., $G_1 = G_2$, whereas it is called asymmetric if the input elements are from two different groups, i.e., $G_1 \neq G_2$. The bilinear pairing function $e$ has the following properties:

1. Bilinearity: For all $u \in G_1$, $v \in G_2$ and $a, b \in Z_q^*$, we have $e(u^a, v^b) = e(u, v)^{ab}$.

2. Non-degenerate: There exist $g \in G_1$ and $g' \in G_2$ such that $e(g, g') \neq 1$. In other words, the mapping cannot be the trivial map which sends every pair of elements in $G_1 \times G_2$ to the identity in $G_T$.

3. Computable: There is an efficient algorithm to compute $e(g, g')$.

4. Admissible: A pairing is admissible if the mapping is also non-degenerate and computable.
Figure 4.1: Example for access policy

Bilinear pairings have been used in several cryptosystems, such as protocols for one-round three-party key agreement [94, 95], identity-based encryption [96, 97], and aggregate signatures [98, 99].

4.3 Attribute Based Encryption

In this subsection, we present the formal definitions of access structures and linear secret-sharing schemes introduced in [100] and used in [89, 20]. These are the building blocks for Attribute Based Encryption (ABE). We also explain how a secret can be shared linearly in an access structure using a linear secret sharing scheme.

4.3.1 Access policies

Let $U$ be the set of all attributes in the system. An access policy $\mathbb{A}$ on $U$ is a collection of non-empty sets of attributes. The sets of attributes that can satisfy the access policy $\mathbb{A}$ are called the authorized sets, and the sets that are not in $\mathbb{A}$ are called the unauthorized sets. Additionally, an access policy is called monotone if, for all sets $B$ and $C$, $B \in \mathbb{A}$ and $B \subseteq C$ imply $C \in \mathbb{A}$. For instance, if $\{a, b, c, d, e\}$ is the set of attributes in a system, an access policy can be defined on these attributes as the access tree shown in Figure 4.1. Anyone who can access this access policy can determine that the authorized sets for this access policy are $\{a, b\}$, $\{c\}$, $\{d\}$. This access policy is
also monotonic, which means that if a user has the attributes $(b, c)$, this does not affect the ability of that user to satisfy the access policy.

4.3.2 Linear Secret Sharing Schemes

Linear secret sharing is a method of distributing a shared secret among a set of entities such that any authorized subset can reconstruct the secret using its shares. In ABE, the secret is shared among the attributes in an access policy, and this shared secret can only be reconstructed by a user who satisfies that access policy. The concept of linear secret sharing can be explained as follows. Let $p$ be a prime number and $U$ the attribute universe. A secret-sharing scheme $S$ with secrets taken from the field $Z_p^*$ is linear over $Z_p^*$ if:

1. The shares of a secret $z \in Z_p^*$ for each attribute form a vector over $Z_p$.

2. For each access policy $\mathbb{A}$ on $U$, there exists a matrix $A \in Z_p^{l \times n}$, called the share-generating matrix, with $l$ rows and $n$ columns, and a function $\delta$ that labels the rows of $A$ with attributes from $U$, i.e., $\delta : [l] \to U$. During the generation of the shares, we consider a column vector $v = (z, r_2, \ldots, r_n)^T$, where $\{r_2, \ldots, r_n\}$ are randomly selected from $Z_p$. Then the vector of $l$ shares of the secret $z$ according to $S$ is equal to $\lambda = Av \in Z_p^{l \times 1}$. The share $\lambda_j$ with $j \in [l]$ belongs to attribute $\delta(j)$.

From now onwards, we will refer to the pair $(A, \delta)$ as the policy of the access policy $\mathbb{A}$. According to [100], a secret-sharing scheme should satisfy the reconstruction requirement and the security requirement, which means that an authorized set of attributes can reconstruct the secret and any unauthorized set of attributes cannot reveal any partial information about the secret. There exist some constants $\{c_i\}_{i \in I}$ in $Z_p$ such that for any valid shares $\{\lambda_i = (Av)_i\}_{i \in I}$ of a secret $z$ according to $S$, it is true that $\sum_{i \in I} c_i \lambda_i = z$, or equivalently $\sum_{i \in I} c_i A_i = (1, 0, \ldots, 0)$, where $A_i$
is the $i$-th row of $A$. Note that if the access policy is encoded as a monotonic boolean formula over attributes, there is a generic algorithm that generates the corresponding access policy in polynomial time [100, 101].

4.4 Zero-Knowledge proof

A proof of knowledge is a two-party protocol between a prover and a verifier by means of which the verifier can be convinced of the validity of an assertion. Proofs of knowledge have two properties:

1. Completeness: Given an honest prover and an honest verifier, the prover succeeds in proving its knowledge of the secret to the verifier in all attempts.

2. Soundness: If a dishonest prover $P$ can successfully execute the protocol with the verifier $V$ with non-negligible probability, then there exists an expected polynomial time algorithm $M$ that can be used to extract from this prover knowledge which, with overwhelming probability, allows successful subsequent protocol executions.

A proof of knowledge is called a zero-knowledge proof if it does not allow the verifier to learn any information about the assertion itself other than one bit which indicates either true or false.

4.4.1 Schnorr protocol

The Schnorr protocol is an example of a proof of knowledge. The exchanged messages in this protocol are given in Fig. 4.2. In this protocol, the prover has knowledge of the secret value $x$ and the public generator $g \in Z_q$. The prover computes and publishes $y = g^x$. To prove knowledge of the secret value $x$, the prover first commits to a random value $r \in_R Z_q$ by computing and sending $t = g^r$. In the second round, the verifier sends a challenge $c$ to the prover. Finally, the prover computes and sends the response $s = (r + cx) \bmod q$, and the verifier is able to verify the prover's
knowledge of the value $x$ by computing $t' = g^s y^{-c}$ and comparing it with the previously received value $t$.

Figure 4.2: The Schnorr protocol

In the payment scheme used in this thesis, the Fiat-Shamir heuristic will be used to compute non-interactive proofs as described in [102]. Different from the Schnorr protocol, the challenge $c$ is generated by hashing the concatenation of the witness $g$ and $t$, and the message $m$, i.e., $c = H(g, t, m)$. Zero-knowledge proofs can also be non-interactive. In a non-interactive proof of knowledge, the prover and the verifier share a random string, and the proof of knowledge is sent by the prover without receiving any data from the verifier. Different from the interactive protocol, $c$ is generated by the prover using a hash function, $c = H(g, t, m)$, and the prover sends $c$ and $s$ to the verifier, where $t = g^r$ and $s = (r - cx) \bmod q$ are called the witness. Here, the prover proves its knowledge of the secret $r$ to the verifier without revealing the secret. Then the verifier is able to verify the prover's knowledge of $r$ by computing $t' = g^s y^c$ and $c' = H(g, t', m)$, and then checking $c \stackrel{?}{=} c'$.

4.5 Blind-LRSW signature

A blind signature is a form of digital signature in which the content of a message is masked (blinded) before it is signed by the signer. Just like a regular digital signature, a valid blind signature
can also be verified by anyone who receives the signature on the original (unblinded) message, and the signer cannot deny signing the message. It is used to verify the authenticity of a message, and blind signatures are generally used in privacy-related applications where the signer and the message creator are different parties. The Blind-LRSW (B-LRSW) signature is an example of a blind signature scheme [103]. This signature scheme is a variant of Camenisch-Lysyanskaya signatures [80], where the signature is done on a commitment of some secret. The B-LRSW signature scheme has three phases: KeyGen, Sign, and Verify. We briefly describe them as follows:

1. KeyGen: Set the secret key $sk = (\alpha, \beta) \leftarrow Z_p^*$ and the public key $pk = (u_1, u_2) \leftarrow (g^{\alpha}, g^{\beta})$.

2. Sign($sk$, $g^m$): Given $g^m$ as input instead of the actual message $m \in Z_p^*$ ($m$ is known only to the user), the signer selects a random element $r \leftarrow Z_p^*$ and returns $\sigma = (Z_1, Z_2, Z_3, Z_4) = (g^r, g^{r\beta}, g^{r(\alpha + m\alpha\beta)}, g^{r\beta m})$.

3. Verify($pk$, $m$, $\sigma$): Accept the signature only if $Z_4 = Z_2^m$, $\hat{e}(Z_1, u_2) = \hat{e}(Z_2, \tilde{g})$, and $\hat{e}(Z_3, \tilde{g}) = \hat{e}(Z_1 \cdot Z_4, u_1)$.

An interesting feature of this scheme is that any signature $\sigma = (Z_1, Z_2, Z_3, Z_4)$ on a message $m$ can be randomized by selecting a random $t \leftarrow Z_p^*$ and computing $\sigma' = (Z_1^t, Z_2^t, Z_3^t, Z_4^t)$, which is still a valid signature on $m$. The interesting point is that, given $(\sigma, \sigma')$ but not $m$, it is hard to decide whether these signatures were issued on the same message or not under the external Diffie-Hellman (XDH) assumption. This property can be used to prevent linking messages sent from the same user to preserve privacy.
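The share generation and reconstruction of Section 4.3.2, which the EV relies on again in Section 5.4.1 when it computes the constants $c_x$, shown as an added Python example (not code from the thesis). The share-generating matrix for the policy (a AND b) OR c OR d, the modulus, the function names and the rule that each attribute labels exactly one row are assumptions made for this illustration.

```python
import secrets

P = 2**61 - 1   # prime modulus standing in for the group order p (assumption)

# Constructed policy (A, delta) for (a AND b) OR c OR d; row A_j is labelled delta(j).
# Assumption: every attribute labels exactly one row.
POLICY = [
    ("a", (1, 1)),
    ("b", (0, P - 1)),   # -1 mod p
    ("c", (1, 0)),
    ("d", (1, 0)),
]

def make_shares(z, policy=POLICY, p=P):
    """lambda = A v with v = (z, r_2, ..., r_n)^T; returns {attribute: share}."""
    n = len(policy[0][1])
    v = [z % p] + [secrets.randbelow(p) for _ in range(n - 1)]
    return {attr: sum(a * x for a, x in zip(row, v)) % p for attr, row in policy}

def find_constants(attrs, policy=POLICY, p=P):
    """Solve sum_i c_i A_i = (1, 0, ..., 0) over Z_p using only rows labelled by attrs.

    Returns {attribute: c_i}, or None when attrs is an unauthorized set."""
    rows = [(attr, row) for attr, row in policy if attr in attrs]
    if not rows:
        return None
    n, k = len(rows[0][1]), len(rows)
    # n equations (one per matrix column), k unknowns (one per held row), right side e_1.
    aug = [[rows[j][1][i] % p for j in range(k)] + [int(i == 0)] for i in range(n)]
    pivots, r = [], 0
    for col in range(k):
        if r == n:
            break
        piv = next((i for i in range(r, n) if aug[i][col]), None)
        if piv is None:
            continue
        aug[r], aug[piv] = aug[piv], aug[r]
        inv = pow(aug[r][col], -1, p)
        aug[r] = [x * inv % p for x in aug[r]]
        for i in range(n):
            if i != r and aug[i][col]:
                f = aug[i][col]
                aug[i] = [(x - f * y) % p for x, y in zip(aug[i], aug[r])]
        pivots.append(col)
        r += 1
    if any(row[-1] for row in aug[r:]):      # "0 = nonzero": e_1 is not in the row span
        return None
    consts = [0] * k                          # free variables stay 0
    for i, col in enumerate(pivots):
        consts[col] = aug[i][-1]
    return {rows[j][0]: consts[j] for j in range(k)}

def reconstruct(held, policy=POLICY, p=P):
    """z = sum_i c_i * lambda_i for the shares in `held`; None if the policy is not satisfied."""
    consts = find_constants(set(held), policy, p)
    if consts is None:
        return None
    return sum(c * held[attr] for attr, c in consts.items()) % p

def demo(z=424242):
    """Reconstruct a constructed secret from authorized and unauthorized attribute sets."""
    shares = make_shares(z)
    pick = lambda *attrs: {a: shares[a] for a in attrs}
    return {
        "a,b": reconstruct(pick("a", "b")),
        "c": reconstruct(pick("c")),
        "b,c": reconstruct(pick("b", "c")),   # monotone: the extra attribute b does no harm
        "a": reconstruct(pick("a")),          # unauthorized set
        "b": reconstruct(pick("b")),          # unauthorized set
    }

if __name__ == "__main__":
    for attrs, value in demo().items():
        print(attrs, "->", value)
```

A holder of attribute a alone sees only $z + r_2 \bmod p$, which is uniformly distributed, so the refusal to reconstruct reflects the security requirement and not just a missing row.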
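Both Schnorr variants of Section 4.4.1 (the interactive check $t' = g^s y^{-c}$ and the Fiat-Shamir form with $c = H(g, t, m)$, $s = r - cx$), shown as an added Python example that is not code from the thesis. The group is a constructed toy subgroup of $Z_p^*$ that is far too small for real use; the function names, the length-prefixed SHA-256 encoding of $H$, the range and subgroup checks in the verifier, and the sample messages are assumptions.

```python
import hashlib
import secrets

def _is_prime(n):
    """Trial division; adequate for the ~32-bit toy parameters used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True

def toy_group(start=2**31):
    """Search for a safe prime p = 2q + 1; g = 4 then generates the subgroup of prime order q."""
    q = start + 1
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4

P, Q, G = toy_group()   # constructed toy parameters, far too small for real use

def H(*parts):
    """Challenge hash c = H(g, t, m), reduced into Z_q; parts are length-prefixed."""
    h = hashlib.sha256()
    for part in parts:
        data = part if isinstance(part, bytes) else str(part).encode()
        h.update(len(data).to_bytes(4, "big") + data)
    return int.from_bytes(h.digest(), "big") % Q

def keygen():
    x = secrets.randbelow(Q - 1) + 1           # secret x in [1, q-1]
    return x, pow(G, x, P)                     # public y = g^x

def interactive_run(prover_x, y):
    """Three moves: t = g^r, challenge c, s = r + c*x; the verifier checks g^s * y^(-c) == t."""
    r = secrets.randbelow(Q - 1) + 1
    t = pow(G, r, P)                           # commitment
    c = secrets.randbelow(Q - 1) + 1           # verifier's random nonzero challenge
    s = (r + c * prover_x) % Q                 # response
    return pow(G, s, P) * pow(y, -c, P) % P == t

def prove(x, message):
    """Fiat-Shamir variant: the prover derives c itself and sends (c, s)."""
    r = secrets.randbelow(Q - 1) + 1
    t = pow(G, r, P)
    c = H(G, t, message)
    s = (r - c * x) % Q
    return c, s

def verify(y, message, proof):
    """Recompute t' = g^s * y^c and accept only if H(g, t', m) equals the received c."""
    c, s = proof
    if not (0 <= c < Q and 0 <= s < Q):
        return False
    if not 1 < y < P or pow(y, Q, P) != 1:     # y must lie in the order-q subgroup
        return False
    t_prime = pow(G, s, P) * pow(y, c, P) % P
    return c == H(G, t_prime, message)

def demo():
    x, y = keygen()
    wrong_x = x % (Q - 1) + 1                  # some secret different from x
    msg = b"GID=EV-0001|TS=1700000000"         # constructed message carrying a timestamp
    later = b"GID=EV-0001|TS=1700000999"       # constructed message with a later timestamp
    proof = prove(x, msg)
    return {
        "interactive_honest": interactive_run(x, y),
        "interactive_wrong_secret": interactive_run(wrong_x, y),
        "ni_honest": verify(y, msg, proof),
        "ni_proof_reused_on_other_message": verify(y, later, proof),
        "ni_wrong_secret": verify(y, msg, prove(wrong_x, msg)),
    }

if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
```

Because the timestamp is part of $m$, a captured proof does not verify under a different timestamp, which is the property the replay requirement of Section 3.3 depends on.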
CHAPTER 5
PROPOSED SCHEME

5.1 Overview

An overview of the proposed scheme is presented in the flow chart given in Figure 5.1. After initializing the system, an EV can purchase divisible e-coins from the bank, and when the EV needs to charge, it should send a request to the CSP. The CSP checks if the available energy supply can serve all the charging requests. If the available energy is enough, then there is no need to run the prioritization scheme and all EVs can charge. Otherwise, the prioritization scheme is run and only the highly-prioritized requests are served without exceeding the available energy supply. Then, each EV should pay for charging by sending an e-coin to the CSP. The CSP should first verify the validity of the e-coin and then send secret tokens to the EV, which uses them to authenticate to the RSUs. After authentication with the RSUs, each RSU sends further secret tokens to the EV to authenticate to the CPs. The CPs only charge the EVs that can authenticate correctly. Finally, the CSP can deposit the e-coins to the bank. The details of the proposed scheme are explained in the following subsections. All notations used are declared in Table 5.1.

5.2 Initialization

In this section, we explain the setup of the whole system and the parameters used by the proposed scheme. The setup of the system is run by an off-line trusted authority which takes $k$ as an input parameter and chooses bilinear groups $G_1$ and $G_T$ of prime order $p$ with generators $g$ and $g_t$, respectively. In addition, $e$ is a symmetric pairing $e : G_1 \times G_1 \to G_T$, which maps elements from group $G_1$ to elements in group $G_T$. Finally, the trusted authority publishes the
public parameters of the system as $GP = \{p, G_1, G_T, g, g_t, e\}$.

Figure 5.1: Flowchart of proposed scheme

Using these public parameters, each CSP selects a random secret key $msk \xleftarrow{R} Z_p^*$ and computes the public key as $mpk = g^{msk}$. In addition, each EV selects a random secret key $usk \xleftarrow{R} Z_p^*$ and computes the public key as $upk = g^{usk}$. All these entities need to have certificates from a certificate authority for their public keys.

The bank performs two actions during initialization. It constructs a public e-coin tree which is associated with the e-coins that are to be used for payment, as will be explained in Section 5.3,
and computes the following three sets of keys.

1. Public/private key pair for authentication: The bank selects a random private key $bsk \xleftarrow{R} Z_p^*$ and then computes its public key as $bpk = g^{bsk}$.

2. Public/private key pair for creating e-coins: The bank selects its secret key randomly as $sk = (\alpha, \beta) \xleftarrow{R} Z_p^*$ and computes its public key as $pk = (u_1, u_2) = (g^{\alpha}, g^{\beta})$.

3. Public/private key pair for creating emergency e-coins: The bank selects its secret key randomly as $sk_2 = (\alpha_2, \beta_2) \xleftarrow{R} Z_p^*$ and computes its public key as $pk_2 = (u_3, u_4) = (g^{\alpha_2}, g^{\beta_2})$.

Table 5.1: Table of notation.

| Notation | Description |
|---|---|
| $G_1$, $G_T$ | Bilinear groups |
| g, g | Generators for $G_1$ |
| $g_s \in G_1$ | Associated generator for e-coin $s$ |
| $g_t \in G_T$ | Associated generators for CSP challenge message |
| mpk, msk | Public/private pair for the CSP |
| upk, usk | Public/private pair for the EV |
| bpk, bsk | Public/private pair for the bank |
| $u_1$, $u_2$ | Bank key for generating e-coins |
| $\alpha$, $\beta$ | Secret key of bank to generate e-coins |
| $\alpha_\theta$, $\beta_\theta$ | Secret key of attribute authority |
| GID | Unique user global identifier |
| Sig | DSA signature |
| $\sigma_B$ | Bank signature on the coin |
| $\sigma'_B$ | Anonymized bank signature |
| $\pi$ | Signature of knowledge |
| $U$ | Set of attributes |
| $H$ | Function that maps GID to $G_1$ |
| $AA_\theta$ | Attribute authority with identifier $\theta$ |
| $F$ | Function that maps attribute $U$ to $G_1$ |
| $T$ | Function that maps attribute $U$ to $U_\theta$ |
| $e$ | Bilinear pairing map |
| $n_r$, $n_p$, $n$ | Number of RSU, charge pad and EV respectively |
| $d$ | Number of attributes |
| $l$ | Number of nodes in the payment tree |
We have introduced the concept of emergency e-coins to address a special case during the prioritization scheme. These coins are different from normal e-coins, and the details of how these emergency e-coins are used in the proposed scheme are further discussed in Section 5.4.1. In order to perform the priority determination in the proposed scheme, two steps need to be taken during system initialization, i.e., attribute authority setup and secret key generation for attributes.

1. Attribute authority setup: Each attribute authority ($AA_\theta$) should select two random keys $(\alpha_\theta, y_\theta) \xleftarrow{R} Z_p^*$ as secret keys. Then, it publishes $PK = \{e(g, g)^{\alpha_\theta}, g^{y_\theta}\}$ as its public key, where $\theta$ is the attribute authority identifier. In addition, the following functions are defined: a public hash function $H : \{0,1\}^* \to G_1$ that maps a vehicle ID to a point in $G_1$, a public hash function $F : \{0,1\}^* \to G_1$ that maps an attribute $u \in U$ to $G_1$, and a function $T$ that maps an attribute $u \in U$ to $AA_\theta$.

2. Attribute secret key generation: Each EV gets a key for each assigned attribute from the attribute authority, computed using $GID$, $\theta$, $u \in U$, $(\alpha_\theta, y_\theta)$ and the global parameters $GP$. The authority first chooses a random $t \xleftarrow{R} Z_p^*$ and outputs to the user the secret key as:

$$SK_{GID,u} = \{ K_{GID,u} = g^{\alpha_\theta} H(GID)^{y_\theta} F(u)^{t},\; K'_{GID,u} = g^{t} \} \qquad (5.1)$$

5.3 Purchase of E-Coins

In this section, we explain the construction of the public global e-coin tree and how an EV purchases e-coins from the bank.

5.3.1 Construction of Divisible E-Coin Public Tree

As discussed in [17], the bank broadcasts a public e-coin tree $T$ that has $n$ levels, where the maximum e-coin value of this tree is $2^n$. The idea of the public global tree is that each coin spent
by a user is associated with the public values of one of the nodes in this e-coin tree, and the nodes at each level correspond to a certain amount of money, as shown in Fig. 5.2. Since a user can spend each node individually in different transactions, flexible payment can be achieved. For example, in the e-coin tree shown in Fig. 5.2, the maximum amount of the tree is 8, and the user can spend either two coins of 4-valued nodes, or four coins of 2-valued nodes, or any other combination without exceeding the maximum amount of 8. However, the restriction in spending these coins from the public tree is that the user can only spend a node but not the leaves, i.e., in the tree shown in Fig. 5.2, the minimum amount of a coin spent by the user is 2. The construction of this public e-coin tree is done by the bank with the help of the trusted authority, and the process of constructing the e-coin tree is explained in the following paragraphs.

Figure 5.2: Example of 4 level public E-Coin tree

As shown in Fig. 5.3, each internal node $s$ in the public e-coin tree $T$ is associated with an element $g_s \in G_1$, and each leaf $f$ in the tree is associated with an element $\chi_f \in G_T$. This approach of building the e-coin tree makes the payment divisible, where the user can spend one or more e-coins of value $2^l$ where $0 \le l \le n$. Along with these elements, for each leaf $f$ and any node $s$ on the path to $f$ from the root, an element $g_{s \to f} \in G_1$ exists such that $e(g_s, g_{s \to f}) = \chi_f$. Note that any leaf value represents a serial number associated with any internal node on its path to the root. This serial number is used to detect double spending of e-coins. Users use the public values of nodes at the
time of spending to create an e-coin. As shown in Fig. 5.2, the public e-coin tree enables the user to spend a divisible e-coin value by selecting a node from the tree and using it for payment. When spending an internal node in the tree, the user should not also spend the leaves in the subtree of this node.

Figure 5.3: Public E-Coin tree

Let $S_n$ be the set of all nodes in the tree and $F_n$ be the set of leaves. For any node $s \in S_n$, the set $F_n(s)$ is the set of leaves in the subtree of that particular node.

– For each node $s \in S_n$, $r_s$ is randomly selected from $Z_p^*$ and $g_s = g^{r_s}$;
– For each leaf $f \in F_n$, the trusted authority selects $l_f$ randomly from $Z_p^*$;
– For each leaf $f \in F_n$ and each node $s \in S_n$ on its path to the root of the tree, the trusted authority calculates $g_{s \to f} = g^{l_f / r_s}$.

The random value $r_s$ is kept secret by the trusted authority, while the values $l_f$, $f \in F_n$, are not used anymore and can be discarded by the trusted authority after creating the tree; all the other values are public. The value $g_{s \to f}$ is only used by the bank for calculating the serial numbers of the spent e-coins, so that it can detect double spending. The secret $r_s$ will later be used by the trusted authority to help the bank identify the double spender. Users and merchants (CSPs) need to know only the groups and the generators, just $g_s$, $s \in S_n$. The bank should decide the number and the depth of the public trees. The reason for
having different public trees is to add flexibility to the payment system. For our proposed scheme, we need two public trees. One is for regular coins and the second is for emergency coins. Depending upon the requirements of the bank, such as the number of trees and the depth $n$ of the tree, the trusted authority constructs this public tree. The process of constructing these two trees is similar, but the number of levels for each tree may be different. The regular coins tree should have more levels because regular coins are used more than the emergency coins. The emergency coins are usually more costly than the regular coins to encourage the EVs to use these emergency coins only in the case of an emergency, such as an EV having very low battery power. The construction of the emergency tree follows the same process as the construction of the regular tree discussed earlier, with different secrets $(r_e, l_e)$ and different nodes of the tree $g_e$.

5.3.2 Purchase of E-Coins

To purchase e-coins, an EV should contact the bank directly using its real identity so that the amount of the purchase can be deducted from its bank account. First, the EV should select a random secret $x \xleftarrow{R} Z_p^*$. Then, it should get the bank's signature on $g^x$; this signature implicitly defines all the serial numbers associated with this e-coin as $\chi_f^x$ for each leaf $f$. In order to spend a node $s$ of height $l$ in the tree, the EV computes $t_s = g_s^x$ and proves to the CSP that it is well formed by using the signature of the bank on $g^x$. Given $t_s$ at the time of deposit, the bank can compute all the serial numbers related to that spent node using $g_{s \to f}$ and can find the double spender if the e-coin was double spent. The exchanged messages between the EV and the bank during coin purchase are given in Figure 5.4. These are further outlined below:

1. The EV computes a random number $x \xleftarrow{R} Z_p$, then sends its real identity $GID$, $g^x$ and its signature $Sig(g^x, TS)$ to the bank, where $TS$ is the time stamp.
Figure 5.4: E-Coin purchase

Using Schnorr's protocol, CSP challenges the EV with $c$, then the EV has to prove its knowledge of $x$ to the bank as given in messages 2 and 3 in Figure 5.4.

2. If the submitted proof is valid and $g^x$ has not been used before, then the bank signs $g^x$ and sends it back to the EV.

$$\sigma_B = (Z_1, Z_2, Z_3, Z_4) = (g^{r}, g^{r\beta}, g^{r(\alpha + x\alpha\beta)}, g^{r\beta x}) \qquad (5.2)$$

This signature proves that the e-coin has been issued by the bank.

3. The EV verifies the received e-coins as follows:

$$Z_4 \stackrel{?}{=} Z_2^{x}, \quad e(Z_1, u_2) \stackrel{?}{=} e(Z_2, g), \quad \text{and} \quad e(Z_3, g) \stackrel{?}{=} e(Z_1 \cdot Z_4, u_1)$$

This is the verification of the bank's signature on $g^x$. Later, when the EV needs to charge, it uses its secret $x$ to create an anonymous coin using the public values of the e-coin tree to pay for the charging service at the CSP.

5.4 Modes of Operation

In our scheme, two modes of operation are supported by the CSP, namely priority mode and regular mode. In priority mode, the CSP does not have enough energy supply to satisfy the
current charging demand of the EVs. Therefore, it prioritizes the requests and charges the highly-prioritized requests without exceeding the total energy supply. Within the same priority level, the requests are served in order of First-Come-First-Charge (FCFC). A multi-authority attribute based encryption scheme is used to protect the priority determination process [20]. The idea is that, in case of low power resources at the CSP, it should first charge the EVs that use emergency coins, i.e., EVs which have very low battery charge, and then also charge the EVs that have some special attributes, such as law enforcement EVs, ambulances, government officials, etc. In regular mode, by contrast, the CSP has enough energy supply to satisfy all the incoming charging requests. The next subsections explain the protocols used in each operation mode.

Figure 5.5: Overview of the exchanged messages in the proposed scheme

5.4.1 Priority Mode

During this mode, the CSP should first determine the EVs' charging priorities by challenging them using multi-authority attribute based encryption. The idea is that the CSP should first create a priority policy and then send encrypted messages using multi-authority attribute based encryption. Then, only the EVs having a given priority level should have the attributes and relevant secret keys needed to decrypt the challenge message. Then, each EV should send a proof of decrypting the message to gain the relevant priority level. Finally, the CSP charges the highest priority requests without exceeding the energy supply and uses the FCFC procedure for EVs that have the same priority level.

There may be some EVs which have low power and need to charge immediately but cannot satisfy any of the priority policies announced by the CSP. In those cases, the EVs can use the emergency coins in order to purchase the charging service. The EVs that request the charging service using these emergency coins should get the highest priority, and the CSP should directly run the anonymous payment scheme. The detailed steps involved in determining the priority level are explained below.

Initially, the CSP creates its charging priority policy by using the attributes issued by multiple attribute authorities, such as Government Agencies, Police Department, Health Care Department, Veterans Service, etc. Then, the CSP broadcasts the priority policy along with the corresponding challenges (attribute based encryptions) and also the maximum amount of energy an EV can charge. In order to get a prioritized charging service, the EV needs to check the priority policy, determine whether its attributes can satisfy a priority level, and then decrypt the corresponding ciphertext (challenge) to prove its priority level to the CSP. The step-by-step exchange of messages in the priority determination process is shown in Fig. 5.6, and the details of the process are as follows.

Figure 5.6: Exchanged messages in priority mode of our scheme

1. Challenge by CSP: In order to compute the ciphertext of a priority policy, the CSP encrypts different messages $g_t^{r_p}$ for different priority levels, where $g_t \in G_1$, $G_1$ is a multiplicative group, $r_p \xleftarrow{R} Z_p^*$ is a random element selected by the CSP for each priority level $p$ with $1 \le p \le N$, and $N$ is the number of priority levels. For each priority level, the CSP creates an access policy $(A, \delta)$ with $A \in \{Z_p^*\}^{l \times n}$, where $l$ is the number of rows in that access matrix and $\delta$ is the function that maps rows of the access matrix to the attributes. $\rho$ is another function that maps attributes to their authorities, $\rho : [l] \to U_\theta$, as $\{\rho(\cdot) : T(\delta(\cdot))\}$. To encrypt the message $g_t^{r_p}$, the CSP needs the public keys of the relevant attribute authorities and the public parameters. The CSP first creates two random vectors $v = (z, v_2, \ldots, v_n)^T$ and $w = (0, w_2, \ldots, w_n)^T$, where $\{z, v_2, \ldots, v_n, w_2, \ldots, w_n\}$ are elements randomly selected from $Z_p^*$. We denote by $\lambda_x$ the share of $z$ corresponding to row $x$, i.e., $\lambda_x = (A_x \cdot v)$, and $w_x$ denotes the share of 0, i.e., $w_x = (A_x \cdot w)$, where $A_x$ is the $x$-th row of the access matrix $A$. Then, the CSP chooses a random element $t_x \xleftarrow{R} Z_p^*$ for each row and computes the ciphertext $CT_p$ as:

$$C_0 = g_t^{r_p} \cdot e(g, g)^{z}; \quad \{\, C_{1,x} = e(g, g)^{\lambda_x} e(g, g)^{\alpha_{\rho(x)} t_x};\; C_{2,x} = g^{-t_x};\; C_{3,x} = g^{y_{\rho(x)} t_x} g^{w_x};\; C_{4,x} = F(\delta(x))^{t_x} \,\}_{x \in [l]}$$
In the same way, the CSP creates different ciphertexts with different policies for each priority level and then broadcasts the challenges of all the priority levels.

$$challenge_p = \{ CT_p, TS, Sig_{CSP}\{ H(CT_p \,\|\, TS) \} \} \qquad (5.3)$$

The format of the challenges is given in eq. (5.3), where $p$ is the priority level ($1 \le p \le n$), $TS$ is the timestamp, and $Sig_{CSP}\{H(CT_p \,\|\, TS)\}$ is the signature of the CSP on the ciphertext and the timestamp.

2. Response of EV: In order to get a prioritized charging service, each EV needs to check the priority policies, determine whether its attributes can satisfy a priority level, and then decrypt the corresponding ciphertext to prove its priority level to the CSP, as shown in Figure 5.6. Each EV uses its attributes' secret keys to decrypt the ciphertext to obtain $g_t^{r_p}$ and computes a shared symmetric key using $g_t^{r_p}$. Then, the EV encrypts a message using the shared key as a proof of decrypting $CT_p$ correctly, and thus of having the related priority level. The EV takes the policy $(A, \delta)$ and the corresponding ciphertext ($CT_p$) and uses its secret keys $(K_{GID,u}, K'_{GID,u})$ for a subset of rows $A_x$ of satisfied attributes in the access matrix. Then, for each row $x$, the EV computes:

$$C_{1,x} \cdot e(K_{GID,\delta(x)}, C_{2,x}) \cdot e(H(GID), C_{3,x}) \cdot e(K'_{GID,\delta(x)}, C_{4,x}) = e(g, g)^{\lambda_x} \cdot e(H(GID), g)^{w_x}$$

Then, the EV calculates the constants $c_x \in Z_p$ such that $\sum_x c_x A_x = (1, 0, \ldots, 0)$ and computes:

$$\prod_x \left( e(g, g)^{\lambda_x} \cdot e(H(GID), g)^{w_x} \right)^{c_x} = e(g, g)^{z}$$

This is true because $\lambda_x = (A_x \cdot v)$ and $w_x = (A_x \cdot w)$, where $\langle (1, 0, \ldots, 0) \cdot v \rangle = z$ and $\langle (1, 0, \ldots, 0) \cdot w \rangle = 0$. The message can be decrypted as $g_t^{r_p} = C_0 / e(g, g)^{z}$. The EV uses $g_t^{r_p}$ to compute a shared key with the CSP as $k = g_t^{r_i \cdot r_p}$, where $r_i \in Z_p^*$ is the random number selected by $EV_i$. The EV sends $H_k(g_t^{r_p})$, $g_t^{r_i}$ to the CSP. Then, $g_t^{r_p}$ is used by the CSP to compute the
shared key. $H_k(g_t^{r_p})$ is used as a proof by the EV that it correctly decrypted the attribute based encrypted challenge. In addition, the EV should send the amount of energy it needs to charge.

3. Payment for charging: After the EV gets a confirmation on its charge request from the CSP, the EV should send the encryption of the anonymous e-coin $(g_s, t_s)$, the anonymized bank signature $\sigma'_B = (Z_1^t, Z_2^t, Z_3^t, Z_4^t)$ where $t \xleftarrow{R} Z_p^*$, and its own signature $\pi$ to CSP as indicated in Figure 5.6. $\pi = C^x$ is the signature of the EV on $C$, and $C = H(\sigma'_B, t_s, g_s, ID_{CSP}, TS)$. Then, CSP decrypts the received message and verifies the signature of the bank on the coin and the EV's signature as follows:

• CSP verifies the bank's signature to make sure that the coin given by the EV was issued by the bank. The following two verifications are required. The first verification is

$$e(Z'_1, u_2) \stackrel{?}{=} e(Z'_2, g) \qquad (5.4)$$

The proof of the verification is as follows:

$$e(Z'_1, u_2) = e(g^{tr}, g^{\beta}) = e(g^{tr\beta}, g) = e(Z'_2, g)$$

The second verification is

$$e(Z'_3, g) \stackrel{?}{=} e(Z'_1 \cdot Z'_4, u_1) \qquad (5.5)$$

The proof of the verification is as follows:

$$e(Z'_3, g) = e(g^{tr(\alpha + x\alpha\beta)}, g) = e(g^{tr} g^{trx\beta}, g^{\alpha}) = e(Z'_1 \cdot Z'_4, u_1)$$
• Then, the CSP should verify the EV's signature by doing the following two verifications. The first verification on the EV's signature is:

$$e(Z'_2, t_s) \stackrel{?}{=} e(Z'_4, g_s) \qquad (5.6)$$

The proof of this verification is as follows:

$$e(Z'_2, t_s) = e(g^{tr\beta}, g_s^{x}) = e(g^{tr\beta x}, g_s) = e(Z'_4, g_s)$$

The second verification on the EV's signature is

$$e(\pi, g_s) \stackrel{?}{=} e(C, t_s) \qquad (5.7)$$

The proof of this verification is as follows:

$$e(\pi, g_s) = e(C^x, g_s) = e(C, g_s^{x}) = e(C, t_s)$$

Finally, the CSP sends authentication tokens to the EV after it successfully verifies the tendered credentials. These tokens will allow the EV to authenticate to the RSUs and obtain secret tokens to authenticate to CPs to get charged.

5.4.1.1 Emergency Service. This is the special case in priority mode. As mentioned earlier, there may be some EVs which have very low power and need to get charged immediately, but cannot satisfy any of the priority policies published by CSP. In those cases, the EVs can pay using the emergency coins to charge. The EVs that requested the charging service using these emergency coins should get the highest priority over all the priority levels published by the CSP. The authentication and payment in this case are similar to those of the regular mode as explained in
Section 5.4.2; the only difference is that here the authentication of the EV is done by using emergency coins, whereas in the regular mode it is done by normal e-coins.

• First, the EV decides the amount of power it needs and sends a charging purchase request to CSP by sending the spending node $g_e$ from the emergency coin public tree, and the corresponding coin $t_e = g_e^{x}$.

• The rest of the scheme follows the same process from step 2 in Fig. 5.7, using $g_e$ instead of $g_s$ as the base.

5.4.2 Regular Mode

In regular mode, the energy supply is more than or equal to the charging requests. The CSP is capable of serving all the charging requests of the EVs. The exchanged messages in the regular mode of our scheme are illustrated in Figure 5.7. First, the EV should send a charging request to the CSP, which should reply with a response message. In these two messages, the EV and CSP should mutually authenticate each other and establish a session key. Finally, the EV should pay to receive tokens that are used for authentication to RSUs.

1. EV Charging Request. EV decides the amount of energy to purchase and sends a request to CSP containing the tree node $g_s$ and the corresponding e-coin $t_s = g_s^{x}$ for payment.

2. CSP Response. After the CSP receives the request, it should select $r \xleftarrow{R} Z_p^*$ and compute a shared key as $k = g_s^{x \cdot r}$, and responds with $g_s^{r}$, $H_k(g_s^{x}, g_s^{r})$, $Sig(H_k(g_s^{x}, g_s^{r}))$, where $Sig$ is the CSP signature on $H_k(g_s^{x}, g_s^{r})$. All exchanged messages between EV and CSP should be encrypted by the shared key $k$.

3. EV Payment. EV verifies the signature of CSP on the message and computes a session key $k = g_s^{rx}$. In addition, the EV should send the encryption of the anonymized bank signature
$\sigma'_B$ and its own signature $\pi$ to the CSP for payment clearance. CSP sends the authentication tokens to the EV after it verifies the e-coin, as explained in Section 5.4.1.

Figure 5.7: Exchanged messages in the regular mode of our scheme

5.5 Hierarchical Authentication

This section explains an efficient and hierarchical authentication scheme. The idea is that once an EV authenticates to the CSP and pays for the charging service, the EV receives authentication tokens that are used to authenticate the EV to the RSUs. After this authentication, the RSUs send tokens to the EV which are used to authenticate the EV to the CPs.

5.5.1 Computing shared keys

The CSP shares a group secret key with all RSUs under its control. The CSP selects two random seeds ($\gamma_{n,n_r}$ and $\mu_{1,1}$), encrypts them using the group key, and broadcasts them to RSUs. Each RSU uses the seeds to compute the secret shared token matrices as illustrated in Figs. 5.8 and 5.9.
Figure 5.8: Using the seed $\gamma_{n,n_r}$ to compute a set of tokens.

The group secret key $k$ is used to iteratively hash the received tokens ($\gamma_{n,n_r}$ and $\mu_{1,1}$) to generate $\{\gamma_{n-1,n_r}, \gamma_{n-2,n_r}, \ldots, \gamma_{1,n_r}\}$ and $\{\mu_{2,1}, \mu_{3,1}, \ldots, \mu_{n,1}\}$, and then hashing operations are used to compute the rest of the matrices as shown in Figs. 5.8 and 5.9. Each RSU only needs to store one column from each matrix, but it is still required to compute tokens until it arrives at its column. However, the CSP needs to compute the whole matrices since it will be interacting with all EVs. After computing its two sets of tokens, each RSU should compute the shared keys with the EVs (that will be distributed to the EVs by the CSP) by XORing the two corresponding elements in the matrices as indicated in Figure 5.10. On the other hand, when an EV$_i$ authenticates to the CSP, it receives two seed tokens ($\mu_{i,1}$ and $\gamma_{i,n_r}$) to compute the shared keys with the RSUs by hashing the two tokens and XORing each two elements, as illustrated in Figure 5.11. Each EV can only compute one row in the matrix.

The same technique used to share keys between RSUs and EVs is employed between EVs and CPs under the control of a given RSU. However, only one token set is used, unlike in the case of CSP-RSU. Each RSU shares a group key with its CPs which is used to compute shared secret tokens. RSU
selects a random seed ($\Omega_{n,n_p}$), encrypts it using the group key and then broadcasts it to the CPs. Each CP computes the secret shared keys similarly to the procedure used between CSP and RSU. For each RSU, the token set generated can only be used to serve $n$ EVs.

Figure 5.9: Using the seed $\mu_{1,1}$ to compute a set of tokens.

Figure 5.10: Computation of shared keys with CSP by RSU$_i$.

The scheme can limit the number of CPs an EV can charge from, as illustrated in Figure 5.12. For instance, if an EV needs to charge from the CPs under the fifth RSU to the CPs under the tenth RSU, the CSP should send it the tokens $\mu_{i,5}$ and $\gamma_{i,10}$. As illustrated in the figure, the EV
can compute the keys shared only with these RSUs. The EV cannot calculate other keys because hash functions are one way. In the next section, we explain how the shared keys between EVs and RSUs and CPs are used for authenticating the EVs.

Figure 5.11: Computation of shared keys with RSUs by EV$_i$.

Figure 5.12: Charging from the pads of fifth RSU to the pads of tenth RSU.

5.5.2 Authentication

The authentication of the EVs to the different parties in the charging station takes place in a hierarchical structure. The EV first authenticates to the CSP and receives tokens to authenticate to the RSUs. After that, it receives tokens to authenticate to CPs. A challenge/response authentication technique is used to enable entities to prove knowledge of the secret keys. When RSU$_j$ needs to authenticate an EV$_i$, it sends a challenge packet containing a random number $r_i$. EV$_i$ then responds with the authentication code given in equation 5.8.

$$\text{Authentication Code} = H(\gamma_{i,j} \oplus \mu_{i,j} \,\|\, r_i) \qquad (5.8)$$

After verifying the received code, RSU$_j$ sends the confirmation code to EV$_i$ that is given in equation 5.9. It also sends an encryption, using the key $\gamma_{i,j} \oplus \mu_{i,j}$, of the seed token the EV needs
to compute the shared keys with CPs.

$$\text{Confirmation Code} = H(\gamma_{i,j} \oplus \mu_{i,j} \,\|\, r_i \,\|\, 1) \qquad (5.9)$$

EV$_i$ decrypts the received message from RSU$_j$ and computes the shared keys with the CPs. A challenge/response technique similar to the one used between EV$_i$ and RSU$_j$ is used to authenticate EV$_i$ to the CPs. Once the authentication process completes and EV$_i$ gets authenticated, the CP switches on to charge EV$_i$.

Every time a key is used by an EV, the RSU deletes it from the list of valid keys so that it will not be accepted again if reused. It is possible that a key will never be used at an RSU if an EV does not charge from all RSUs. To avoid storing these keys forever, when the CSP initiates the process of calculating new keys, it should notify the RSUs about the keys that can be used from the previous key set. This can be done efficiently in our scheme because the CSP releases the tokens in order, e.g., if row number 70 is used, that means all the rows before 70 should have been used, but the keys after 70 are still usable.

5.6 Coin Deposit and Double Spending verification

In order to update its bank account, the CSP should deposit the e-coins to the bank with the corresponding evidence submitted by EVs. This deposit does not need to be done right after each EV charges; the CSP can deposit the e-coins collected in one day (or a few days) all at once. After receiving the e-coins, the bank should first verify them against double spending before updating the CSP's account. The verification of the e-coins is done as follows:

1. To verify authenticity of an e-coin: This verification is to verify that the given e-coin is valid and was actually purchased from the bank. If this verification fails, then the bank punishes the CSP for accepting an invalid e-coin. In order to verify this e-coin, the
bank needs its public key $(\tilde{u}_1, \tilde{u}_2)$ and the randomized signature given by the EV at the time of charging purchase:

$$e(Z'_1, u_2) \stackrel{?}{=} e(Z'_2, g) \quad \text{and} \quad e(Z'_3, g) \stackrel{?}{=} e(Z'_1 \cdot Z'_4, \hat{u}_1).$$

2. To verify EV's proof: This step of verification is to verify that the deposited e-coin was actually spent by an EV that knows the secret 'x' that was authorized by the bank. If this verification fails, it means the CSP tried to attack the system by impersonating a legitimate EV or by accepting a wrong proof submitted by an EV. In both cases the bank penalizes the CSP for accepting or submitting an invalid proof. The proof is verified as follows, using the checks of equations 5.6 and 5.7:

$$e(Z'_2, t_s) \stackrel{?}{=} e(Z'_4, g_s) \quad \text{and} \quad e(\pi, g_s) \stackrel{?}{=} e(C, t_s).$$

If the first two verifications are successful, that means the CSP behaved well during the charging purchase, and thus the bank deposits the coin into the CSP's account and checks for double spending of the e-coin.

5.6.1 Double Spending detection

As mentioned earlier in Section 5.3.1, because the bank maintains a list of used coins, if any user double spends an e-coin, it can be easily detected by the bank using the deposited e-coin $(g_s, t_s)$. Once an e-coin is submitted to the bank, it computes all the serial numbers $\chi_f$ related to that e-coin as $\hat{e}(t_s, \acute{g}_{s \to f}) = \chi_f^{x}$. If any of these serial numbers has already been submitted to the bank before, that means the user has double spent that coin.

5.6.2 Identifying the Double Spender

Once the bank detects the double spending, it contacts the trusted authority and submits the proof of double spending and the coin $(g_s, t_s)$ to trace the identity of the double spender. The trusted authority then uses the secret $r_s$ that was used to construct the public tree to calculate
$t_s^{r_s} = (g^{x/r_s})^{r_s} = g^{x}$ and then gives $g^{x}$ to the bank. The bank then uses this value to link it to the identity of the user who bought the e-coin in the first step of the withdrawal protocol given in Fig. 5.4. The bank can then impose a fine on the misbehaving user or even revoke his credentials.
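The share-and-recombine step of Section 5.4.1 (shares $\lambda_x$ of $z$, shares $w_x$ of 0, constants $c_x$ with $\sum_x c_x A_x = (1,0,\ldots,0)$) can be followed numerically in the added example below, which is not code from the thesis. It works on exponents only: a value $e(g,g)^a$ is stored as $a$ modulo a prime, $H(GID)$ is modelled as $g^h$, and the three-row policy matrix for "(a AND b) OR c" is constructed for illustration.

```python
import secrets

P = 2**127 - 1  # prime modulus standing in for the group order p (assumption)

# Constructed access matrix A for the policy (a AND b) OR c, one row per attribute.
POLICY = [(1, 1),    # row 0: attribute a
          (0, -1),   # row 1: attribute b
          (1, 0)]    # row 2: attribute c

def make_shares(A, z, p=P):
    """CSP side: lambda_x = A_x . v shares z, w_x = A_x . w shares 0."""
    n = len(A[0])
    v = [z] + [secrets.randbelow(p - 1) + 1 for _ in range(n - 1)]
    w = [0] + [secrets.randbelow(p - 1) + 1 for _ in range(n - 1)]
    lam = [sum(a * b for a, b in zip(row, v)) % p for row in A]
    om = [sum(a * b for a, b in zip(row, w)) % p for row in A]
    return lam, om

def solve_coefficients(A, rows, p=P):
    """EV side: find c_x with sum_x c_x * A_x = (1,0,...,0) mod p.

    Returns {row index: c_x}, or None when the held rows do not satisfy the policy.
    Gauss-Jordan elimination over GF(p) on the system  A_rows^T * c = e_1.
    """
    n = len(A[0])
    m = [[A[x][j] % p for x in rows] + [1 if j == 0 else 0] for j in range(n)]
    pivots, r = [], 0
    for col in range(len(rows)):
        piv = next((i for i in range(r, n) if m[i][col]), None)
        if piv is None:
            continue                      # free variable, left at 0
        m[r], m[piv] = m[piv], m[r]
        inv = pow(m[r][col], -1, p)
        m[r] = [(val * inv) % p for val in m[r]]
        for i in range(n):
            if i != r and m[i][col]:
                f = m[i][col]
                m[i] = [(a - f * b) % p for a, b in zip(m[i], m[r])]
        pivots.append(col)
        r += 1
    # A zero coefficient row with a non-zero right-hand side means no solution.
    if any(not any(row[:-1]) and row[-1] for row in m):
        return None
    c = [0] * len(rows)
    for i, col in enumerate(pivots):
        c[col] = m[i][-1]
    return {rows[k]: c[k] for k in range(len(rows))}

def recombine(A, lam, om, rows, h_gid, p=P):
    """Exponent of prod_x (e(g,g)^lambda_x * e(H(GID),g)^w_x)^c_x.

    With H(GID) = g^h each factor has exponent lambda_x + h*w_x; the w_x parts
    sum to 0, so an authorized row set recovers z whatever h is.
    """
    coeffs = solve_coefficients(A, rows, p)
    if coeffs is None:
        return None
    return sum(c * (lam[x] + h_gid * om[x]) for x, c in coeffs.items()) % p

if __name__ == "__main__":
    z = secrets.randbelow(P - 1) + 1
    lam, om = make_shares(POLICY, z)
    print("a and b recover z:", recombine(POLICY, lam, om, [0, 1], 42) == z)
    print("a alone:", recombine(POLICY, lam, om, [0], 42))
```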
CHAPTER 6

SECURITY AND PRIVACY ANALYSIS

In this chapter, we list the common attacks that can be launched against the proposed scheme. We also explain how the scheme can thwart these attacks and preserve the users' privacy.

6.1 Privacy Analysis

In this section, we explain different privacy attacks and how the proposed scheme can thwart these attacks.

6.1.1 External attacks

The external attackers can eavesdrop on all parts of the wireless communications in the network to capture the transmitted data and infer sensitive information about the user's identity, location, and attributes. As the EVs and CSP share symmetric keys that are used to encrypt the exchanged messages, the attackers cannot infer any useful information if the encryption scheme is secure and the secret keys are not known to the attackers. Even if an attacker could get these keys, they cannot find any useful information to trace it back to the identity of users. The proposed scheme is also secure against any collusion of external attackers.

6.1.2 Internal attacks

We consider the attacks performed on the dynamic charging system by the internal entities such as EVs, CSPs, RSUs, CPs, and Bank. Internal attacks are usually more serious than the external attacks because the attackers are already part of the system and can communicate directly with the EVs.
1. Identity Anonymity: In the proposed scheme, EVs use anonymous coins for payment and authentication to CSPs. The coins cannot be linked to the EV that bought them due to the use of blind signatures. To elaborate, the real identity of an EV is used only once, during the purchase of coins, which is necessary to clear the payment. However, when a coin is sent by a CSP for the double spending check, the bank cannot link it to an EV, which preserves location privacy, assuming that each CSP has a known location. This is because the bank cannot link $g^{x}$ of the coin to the blinded value of $g_s^{x}$ sent during coin purchase. As a result, our scheme provides full anonymity where neither the charging station nor the bank can link an EV's coin to its real identity.

2. Coins and Charging Requests Unlinkability: If different coins and charging requests are sent from the same EV on different occasions, neither the bank nor the CSP can link them and know that they are sent from the same EV. This is because coins use one-time random numbers ($x$) that are not linkable and can make the coins look different. Every time an EV spends an e-coin, it generates an anonymized and valid bank signature $\sigma'_B$. Given the pair of bank signatures $(\sigma_B, \sigma'_B)$, it is hard to decide whether these signatures were issued on the same e-coin or not under the external Diffie-Hellman (XDH) assumption. Even if the attackers collude to compromise the privacy of a legitimate user, they cannot succeed. The attackers can be any combination of eavesdroppers, EVs, CSP, RSUs, CPs and even the bank, and our scheme is immune to any attacks from any of these attackers. For example, the CSP may collude with the bank to compromise the privacy of an EV by linking the messages exchanged during the withdrawal and spending of coins. It is impossible to link $g^{x}$ created during the coin withdrawal time and $g_{s_i}^{x}$ created during the coin spending time, even though those two values are created using the same secret value 'x'.
This unlinkability property comes from using two different bases $g$ and $g_{s_i}$ for creating the two values. This property helps the EVs to spend the coins anonymously and unlinkably.
6.2 Security Analysis

In this section we explain different security attacks that can target dynamic charging systems. We will also explain how our scheme can thwart these attacks.

6.2.1 Attacks against payment

1. False Accusation. A malicious CSP may try to falsely accuse an EV of double spending by passing the e-coin spent by a legitimate EV to another EV to use it in a different charging station. As a result of this attack, two CSPs try to deposit the same e-coin at the bank and the EV is falsely accused of double spending. This attack can be prevented by using the signature of knowledge $\pi$. We modified the verifications needed by the payment scheme proposed in [17] to prevent this attack. To make the explanation clear, we first briefly discuss the spending and the verification needed by [17], and then we explain how the attack can be done. In [17], the user spends an e-coin as follows:

a) User computes the anonymized bank signature as $\sigma'_B = (Z'_1, Z'_2, Z'_3, Z'_4) = (Z_1^t, Z_2^t, Z_3^t, Z_4^t)$ where $t \leftarrow Z_p^*$.

b) User selects a random $k \leftarrow Z_p^*$ and computes $k_1 = g_s^{k}$, $k_2 = Z_2^{k}$, $C = H(\sigma'_B, t_s, k_1, k_2, \text{info})$, and $\lambda = k + Cx$.

c) Finally, the user sends $(\sigma'_B, t_s, C, \lambda)$ to the merchant.

The merchant should compute the following values for verification: $l_1 = g_s^{\lambda} t_s^{-C}$, $l_2 = Z_2'^{\lambda} Z_4'^{-C}$, and $C' = H(\sigma'_B, t_s, l_1, l_2, \text{info})$. Then, the following three verifications are needed by the merchant: $C = C'$, $e(Z_1, u_2) \stackrel{?}{=} e(Z_2, g)$, and $e(Z_3, g) \stackrel{?}{=} e(Z_1 \cdot Z_4, u_1)$.

A malicious merchant can forward the received e-coin $(\sigma'_B, t_s, C, \lambda)$ to another malicious user who can simply replace $C$ with $\tilde{C}$, and $\lambda$ with $\lambda \tilde{C}/C$, where $\tilde{C} \leftarrow Z_p^*$. Then, the malicious user can
spend the modified e-coin $(\sigma'_B, t_s, \tilde{C}, \lambda \tilde{C}/C)$ at any other merchant without being detected. Finally, the legitimate user is falsely accused of double spending coins by the bank. This attack is completely eliminated in our system by the two verifications in equations 5.6 and 5.7, because the EV has to compute a signature of knowledge on $H(\sigma'_B, t_s, g_s, ID_{CSP}, TS)$, using the secret value $x$ (known only to the EV) at the time of spending. This can prove to the CSP and the Bank that the EV that knows the secret value $x$ has computed that signature. In this way, we have prevented any entity from falsely accusing an honest EV of double spending.

2. Double spending. When a CSP submits a signed e-coin to the bank for deposit, the bank can easily detect whether the e-coin was double spent by comparing the serial numbers of the given e-coin to the serial numbers of spent e-coins. If the Bank finds the same serial number twice, that means the EV has double spent the e-coin, and the bank can find the identity of the double spender with the help of the trusted authority and punish the double spender.

3. Forging e-coins. In order to forge e-coins, the attacker should be able to compute either a valid signature of the bank or the secret value ($x$) of any user using the exchanged messages between the EV and the bank or CSP. It is impossible to compute the private key of the bank and it is also impossible to calculate the secret value ($x$) even if the attacker knows $g_s^{x}$ and $g_s$ of a user because of the Discrete Logarithm Problem (DLP).

4. Purchasing e-coins without payment. When an EV purchases e-coins, it has to use its real identity so that the bank can make sure that the EV has enough money to pay for the e-coins. A malicious EV cannot impersonate other EVs to obtain e-coins without payment because the malicious EV has to compute a valid signature to authenticate itself.
Also, if an attacker eavesdrops on the communications between the bank and an EV, he cannot compose the e-coin without knowing the secret value $x$ that is used to create the e-coin $g_s^{x}$.
5. Charging more than the payment. As explained earlier, the CSP can charge EVs partially by allowing them to charge from only a fixed number of CPs by giving the EV seed tokens to compute keys shared with some set of RSUs. As shown in Fig. 5.12, although the EV can compute $\gamma_{i,4}$, it cannot compute $\mu_{i,4}$ to compute an extra key. Similarly, although the EV can compute $\mu_{i,11}$, it cannot compute $\gamma_{i,11}$ for an extra key. The EVs cannot compute more keys to charge from more CPs because hash chains are one way. In addition, given one set of tokens, our key generation technique does not allow the EVs to derive other tokens because they do not know the group key used to compute the keyed hash values.

6.2.2 Attacks against priority determination

In our proposed scheme, the priority determination technique is used to prioritize the EVs' requests depending upon the EVs' attributes and the CSP priority policies. During this process we made sure that our proposed priority determination scheme is secure, to protect the system from internal/external attackers, and that it also protects the privacy of the users by maintaining the anonymity of the EVs' identities and attributes.

1. Collusion Attack: In the priority determination part of our proposed scheme, some EVs may collude to attack the system by using their attributes together in order to satisfy the priority policy created by CSP. This attack is impossible if none of the colluding EVs can alone satisfy the priority policy using its own attributes, because the part of the secret key $K'_{GID,u} = g^{t}$ is unique for each user, which prevents the users from colluding in order to satisfy a policy. During decryption, the random secret 't' selected by the authority can only be canceled by its corresponding part of the secret key $K_{GID,u} = g^{\alpha_\theta} H(GID)^{y_\theta} F(u)^{t}$ and cannot be canceled by using secrets of any other users.

2. Identity Anonymity. In the proposed scheme, EVs use anonymous e-coins for payment and
authentication. The e-coins cannot be linked to the EV that bought them due to the use of blind signatures. To elaborate, the real identity of an EV is used only once, during the purchase of e-coins, which is necessary to clear the payment. However, when an e-coin is sent by a CSP for the double-spending check, the bank cannot link it to an EV, which preserves users' privacy unless the user double spends. The CSP cannot link an EV to its real identity; as a result, our scheme provides full anonymity. The bank can reveal the identity of the EV if and only if the user double spends the e-coin.

6.2.3 Attacks against authentication and key management

In our scheme, signatures are used to authenticate EVs to the Bank and CSP. Keyed hashes are used to authenticate EVs to RSUs and pads. Also, if an EV can calculate the correct key shared with the CSP, this is a proof that the EV is the one that created $g_s^{x}$ of the coin because the computation of the key needs the secret $x$.

1. Coins and Charging Requests Unlinkability. If different e-coins and charging requests are sent from the same EV on different occasions, neither the bank nor the CSP can link them and know that they are sent from the same EV. This is because e-coins use one-time random numbers ($x$) that are not linkable and can make the e-coins look different. The attackers may even collude to compromise the privacy of a legitimate user and expose the location of the EV. The attackers can be any combination of eavesdroppers, EVs, CSP and the Bank. For example, to compromise the privacy of an EV, the CSP may collude with the Bank and try to link the messages exchanged during withdrawal and spending times, but it is impossible to link $\sigma_B$ created during withdrawal time and $\sigma'_B$ created during spending time, even though those two values are created using the same secret value $x$.

2. Keys Reuse Attack. Attackers may try to reuse old keys shared with RSUs and CPs to
charge more than once for only one payment. This is not possible in our scheme since the RSUs and CPs delete the keys from the list of valid keys once they are used. Also, the CSP and the RSUs should make sure that the seed tokens used to calculate the keys are not reused.

3. Man-in-the-Middle Attack. In our scheme, the Diffie-Hellman technique is used to enable EVs to establish shared session keys with CSPs. The man-in-the-middle attack is not possible because the CSP signs its share of the session key and the EV's share ($g^{x}$) is signed by the bank, and it is not feasible to forge these signatures.
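The token matrices of Section 5.5.1, the challenge/response of Section 5.5.2, and the "charging more than the payment" and key-reuse arguments above can be exercised with the added example below, which is not code from the thesis. The chain directions (keyed hashes down the first column of $\mu$ and up the last column of $\gamma$, unkeyed hashes rightwards for $\mu$ and leftwards for $\gamma$) are inferred from the text because Figures 5.8 to 5.12 are not reproduced; SHA-256, HMAC-SHA-256, the byte encoding of "|| 1" and all function names are assumptions.

```python
import hashlib
import hmac
import secrets

def H(data):                      # unkeyed hash; SHA-256 is this example's choice
    return hashlib.sha256(data).digest()

def Hk(key, data):                # keyed hash under the CSP/RSU group key
    return hmac.new(key, data, hashlib.sha256).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def build_matrices(group_key, mu_seed, gamma_seed, n, n_r):
    """CSP view: full n x n_r token matrices from the seeds mu_{1,1}, gamma_{n,n_r}."""
    mu, gamma = {(1, 1): mu_seed}, {(n, n_r): gamma_seed}
    for i in range(2, n + 1):                 # keyed chain down column 1
        mu[(i, 1)] = Hk(group_key, mu[(i - 1, 1)])
    for i in range(n - 1, 0, -1):             # keyed chain up column n_r
        gamma[(i, n_r)] = Hk(group_key, gamma[(i + 1, n_r)])
    for i in range(1, n + 1):
        for j in range(2, n_r + 1):           # mu grows to the right
            mu[(i, j)] = H(mu[(i, j - 1)])
        for j in range(n_r - 1, 0, -1):       # gamma grows to the left
            gamma[(i, j)] = H(gamma[(i, j + 1)])
    return mu, gamma

def ev_keys(mu_first, first, gamma_last, last):
    """EV view: from mu_{i,first} and gamma_{i,last}, keys for RSUs first..last only.

    mu_{i,j} for j < first and gamma_{i,j} for j > last would need a hash preimage.
    """
    mus, gammas = {first: mu_first}, {last: gamma_last}
    for j in range(first + 1, last + 1):
        mus[j] = H(mus[j - 1])
    for j in range(last - 1, first - 1, -1):
        gammas[j] = H(gammas[j + 1])
    return {j: xor(gammas[j], mus[j]) for j in range(first, last + 1)}

def auth_code(key, r):            # eq. 5.8: H(gamma XOR mu || r_i)
    return H(key + r)

def confirm_code(key, r):         # eq. 5.9: H(gamma XOR mu || r_i || 1)
    return H(key + r + b"\x01")

class RSU:
    """RSU j stores one column of keys and deletes each key after one use."""

    def __init__(self, j, mu, gamma, n):
        self.valid = {i: xor(gamma[(i, j)], mu[(i, j)]) for i in range(1, n + 1)}
        self.pending = {}

    def challenge(self, i):
        if i not in self.valid:
            return None                        # key already used or never issued
        self.pending[i] = secrets.token_bytes(16)
        return self.pending[i]

    def verify(self, i, code):
        r = self.pending.pop(i, None)          # each challenge is single use
        key = self.valid.get(i)
        if r is None or key is None:
            return None
        if not hmac.compare_digest(code, auth_code(key, r)):
            return None
        del self.valid[i]                      # key reuse is rejected from now on
        return confirm_code(key, r)

if __name__ == "__main__":
    # Constructed parameters: 4 EV rows, 12 RSUs, EV row 3 paid for RSUs 5..10.
    mu, gamma = build_matrices(secrets.token_bytes(32), secrets.token_bytes(32),
                               secrets.token_bytes(32), n=4, n_r=12)
    keys = ev_keys(mu[(3, 5)], 5, gamma[(3, 10)], 10)
    rsu7 = RSU(7, mu, gamma, n=4)
    r = rsu7.challenge(3)
    print("accepted:", rsu7.verify(3, auth_code(keys[7], r)) is not None)
    print("second challenge after use:", rsu7.challenge(3))
```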
CHAPTER 7

PERFORMANCE ANALYSIS

In this chapter, we explain our experimental setup and evaluate the performance of our proposed scheme.

7.1 Experimental setup and performance metrics

We use two metrics, namely computation and communication overhead, to evaluate the performance of our scheme. The first metric measures the time needed to compute the packets in our scheme while the second metric measures the packet size. Most of the computationally-intensive operations in our scheme, such as blind signature on coins, establishing group keys, distributing seed tokens and computing shared keys among the different parts of the dynamic charging system, can be done offline, i.e., during the low traffic period (e.g., at night). Therefore, we focus on the messages that are exchanged in real time, such as the messages exchanged between EVs and the different entities of the charging station. In our evaluation, an Intel Core i7-4765T 2.00 GHz and 8 GB RAM machine is used. For symmetric pairing, we used a supersingular elliptic curve with the symmetric Type 1 of size 512 bits (SS512 curve) [104]. All cryptographic operations were run 1,000 times and average measurements are reported.

7.2 Computation Overhead

The computation overhead measures the time needed to compute the cryptosystems or perform validation operations on the received packets. In order to measure the computation overhead of our scheme, the Python charm cryptographic library [105] and the Crypto++ 5.6.5 library [106] are used. The average computation times of the cryptographic operations needed in our scheme are given in
Table 7.1.

Table 7.1: Computational overhead of cryptographic operations.

Symbol   Operation                        Time
T_1      Pairing e(g_1, g_1)              1.34 ms
T_2      g^a ∈ G_1                        2.03 ms
T_3      g^a ∈ G_T                        9.56 µs
T_4      H : {0,1}* → G_1                 0.065 ms
T_5      g_1 × g_2 ∈ G_1                  5.13 µs
T_6      g_1 × g_2 ∈ G_T                  1.68 µs
T_7      HMAC or SHA1                     3.6 µs
T_8      AES encryption                   29.49 µs
T_9      AES decryption                   12.85 µs
T_10     DSA Sig                          6.91 ms
T_11     DSA Sig Verify                   7.2 ms

Table 7.2 gives the required time to set up the system. Each EV needs one exponentiation in $G_1$ for public/private key pair generation. The bank performs one exponentiation in $G_1$ and four exponentiations in $G_2$ for public key generation, in addition to $(2l - 1)$ asymmetric pairing and exponentiation operations in $G_1$ to create the public e-coins tree with $l$ nodes for regular e-coins. Each attribute authority needs one pairing, one exponentiation in $G_1$, and one exponentiation in $G_T$ for public key generation. In addition, for each attribute key, four exponentiations in $G_1$, two hash operations to $G_1$, and two multiplication operations in $G_1$ are needed. CSP performs one exponentiation in $G_1$ for public key generation, in addition to $2 \times (n - 1) \times (n_r - 1)$ hashing operations to create two sets of tokens shared with RSUs. Each RSU needs at most $2 \times (n - 1) \times (n_r - 1)$ hash operations to create two sets of tokens shared with CSP. To create shared tokens between each CP and its RSU, each CP has to perform $n - 1$ keyed hashes and at most $n_p - 1$ unkeyed hashes, which takes at most $(n - 1) \times (n_p - 1)$ hashing operations. Table 7.3 gives the computation overhead of various entities in the system during executing
our scheme.

Table 7.2: Setup times of the system.

Entity                Operation                                                Computation                      Time (ms)
EV                    Public/Private Key Generation                            T_2                              2.03
Bank                  Public/Private Key Generation                            3T_2                             6.09
Bank                  Building Tree                                            (2l−1) × (T_2 + T_1)             (2l−1) × 3.37
Attribute Authority   Public/Private Key Generation                            T_1 + T_2 + T_3                  3.38
Attribute Authority   Attribute Generation                                     4T_2 + 2T_4 + 2T_5               8.25
CSP                   Public/Private Key Generation & Shared Keys Generation   T_2 + 2×(n−1)×(n_r−1)×T_7        2.03 + 0.007×(n−1)×(n_r−1)
RSU                   Shared Keys Generation                                   2×(n−1)×(n_r−1)×T_7              0.007×(n−1)×(n_r−1)
Charging Pad          Shared Keys Generation                                   (n−1)×(n_p−1)×T_7                0.003×(n−1)×(n_p−1)

During the e-coin purchase, four messages are exchanged between the EV and the bank as shown in Figure 5.4. Each EV performs the following computations: one exponentiation in $G_1$ and one signature for message (1); one signature verification for message (2); point addition, which is assumed to be negligible, for message (3); and one e-coin signature verification, which has three asymmetric pairings and one multiplication in $G_1$, for message (4). The total computations done by the EV can be formulated as $3T_1 + T_2 + T_5 + T_{10} + T_{11}$. On the other hand, the bank performs the following computations: one signature verification for message (1); one signature for message (2); two exponentiations and one multiplication in $G_1$ for message (3); and one e-coin signature, which has four exponentiations in $G_1$, for message (4). The total computations done by the bank can be formulated as $6T_2 + T_5 + T_{10} + T_{11}$. During regular service, four messages are exchanged between the EV and the CSP as shown in Figure 5.7.
Each EV performs the following computations: one exponentiation in $G_1$ for message (1); one exponentiation in $G_1$ for message (2), one keyed hash for verification, and one signature verification; four exponentiations in $G_1$ for bank signature anonymization, one hash operation and one exponentiation in $G_1$ for generation of $\pi$, and one AES symmetric key encryption for message (3); and one AES symmetric key decryption for message (4). The total computations done by the EV can be formulated as $7T_2 + 2T_7 + T_8 + T_9 + T_{11}$. On the other hand, the CSP performs the following computations: one exponentiation in $G_1$ for message (1); one exponentiation in $G_1$ for message (2),
one keyed hash for verification, and one signature; eight asymmetric pairing operations and one multiplication in $G_1$ for verification of bank signature for message (3), and one AES symmetric key decryption; one AES symmetric key encryption for message (4). The total computations done by the CSP can be formulated as $8T_1 + 2T_2 + T_5 + T_7 + T_8 + T_9 + T_{10}$.

Table 7.3: Computation overhead.

Phase                               Entity   Computation                                                                              Time (ms)
Authentication to Bank              EV       3T_1 + T_2 + T_5 + T_10 + T_11                                                           20.16
Authentication to Bank              Bank     6T_2 + T_5 + T_10 + T_11                                                                 26.29
Regular Authentication to CSP       EV       7T_2 + 2T_7 + T_8 + T_9 + T_11                                                           21.45
Regular Authentication to CSP       CSP      8T_1 + 2T_2 + T_5 + T_7 + T_8 + T_9 + T_10                                               27.74
Prioritized Authentication to CSP   EV       3dT_1 + 6T_2 + (d+2)T_3 + (3d+1)T_6 + 2T_7 + 2T_8 + 2T_9 + T_11                          4.03d + 19.49
Prioritized Authentication to CSP   CSP      (2d+9)T_1 + 4dT_2 + (2d+2)T_3 + dT_4 + (d+1)T_5 + (d+1)T_6 + T_7 + 2T_8 + 2T_9 + T_10    10.9d + 19.08
Authentication to RSU               EV       2T_7 + T_9                                                                               0.02
Authentication to RSU               RSU      2T_7 + T_9                                                                               0.03
Authentication to CP                EV       2T_7                                                                                     0.007
Authentication to CP                CP       2T_7                                                                                     0.007

During prioritized service, five messages are exchanged between EV and CSP as shown in Figure 5.6. Each EV performs the following computations: the EV decrypts the attribute based encrypted challenge by computing $3d$ symmetric pairings, $3d + 1$ multiplications in $G_T$, and $d + 1$ exponentiations in $G_T$, in addition to one signature verification for message (1); one exponentiation in $G_T$, one keyed hash, and one AES symmetric encryption for message (2); one exponentiation in $G_1$ for $t_s$, one hash operation and one exponentiation in $G_1$ for $\pi$, four exponentiations in $G_1$ for bank signature anonymization, and finally one AES symmetric encryption for message (4); two AES symmetric key decryptions for messages (3 and 5). The total computations done by the EV can be formulated as $3dT_1 + 6T_2 + (d + 2)T_3 + (3d + 1)T_6 + 2T_7 + 2T_8 + 2T_9 + T_{11}$.
On the other hand, the CSP performs the following computations: the CSP encrypts a challenge by computing $2d + 1$ symmetric pairing operations, $2d + 1$ exponentiations in $G_T$, $d + 1$ multiplications in $G_T$, $4d$ exponentiations in $G_1$, $d$ hashes to $G_1$, and $d$ products in $G_1$, in addition to one signature for message (1); one exponentiation in $G_T$, one keyed hash for verification, and one AES symmetric
77 decryption for message (2); one AES symmetric encryption for message (3); eight asymmetric pairing operations and one multiplication in G 1 for verification of bank signature, and one AES symmetric key decryption for message (4). The total computations done by the CSP can be formulated as (2 d + 9) T 1 + 4 dT 2 + (2 d + 2) T 3 + dT 4 + ( d + 1) T 5 + ( d + 1) T 6 + T 7 + 2 T 8 + 2 T 9 + T 10 . For EV authentication with RSU, it needs two hashing operations, one XOR operation, and one AES decryption to authenticate itself to each RSU. The XOR operations are ignored since they are infinitesimally small. The total computations done by the EV can be formulated as 2 T 7 + T 9 . On the other hand, the RSU needs to perform one symmetric encryption and two hashing operations to authenticate each EV. The total computations done by the RSU can be formulated as 2 T 7 + T 9 . For EV authentication with CP, it needs two hashing operations and one XOR operation. The total computations done by the EV can be formulated as 2 T 7 . On the other hand, each CP needs two hashing operations to authenticate each EV. The total computations done by the RSU can be formulated as 2 T 7 . 7.3 Communication Overhead The communication overhead is measured by the number of bytes in every communication message sent. Table 7.4 gives the communication overhead of various entities in the system during messages exchange. During the e-coin purchase, four messages are exchanged between the EV and the bank as shown in Figure 5.4. The EV sends the following messages: message (1) requires 4 bytes for GID , 4 bytes for TS , 64 bytes for g x , and 128 bytes for σ U ; and message (3) requires 64 bytes for s . The total packets size sent by the EV is 328 bytes. On the other hand, the bank sends the following messages: message (2) requires 4 bytes for TS , 64 bytes for c , and 128 bytes for σ B ( c || TS ); and message (4) is four group points of 64 bytes each. 
The total packet size sent by the bank is 260 bytes.

Table 7.4: Communication overhead.

| Phase | Entity | Communication (bytes) |
|---|---|---|
| Authentication to Bank | EV | 328 |
| Authentication to Bank | Bank | 260 |
| Regular Authentication to CSP | EV | 320 |
| Regular Authentication to CSP | CSP | 252 |
| Prioritized Authentication to CSP | EV | 660 |
| Prioritized Authentication to CSP | CSP | 256d + 236 |
| Authentication to RSU | EV | 20 |
| Authentication to RSU | RSU | 40 |
| Authentication to CP | EV | 20 |
| Authentication to CP | CP | 40 |

During regular service, four messages are exchanged between the EV and the CSP as shown in Figure 5.7. The EV sends the following messages: message (1) requires two group points with a total size of 128 bytes, and message (3) requires five group points encrypted with AES with a total size of 320 bytes and 20 bytes for the HMAC. The total packet size sent by the EV is 468 bytes. On the other hand, the CSP sends the following messages: message (2) requires 64 bytes for one group point, 20 bytes for the HMAC and 128 bytes for the signature; message (4) requires 40 bytes for authentication tokens. The total packet size sent by the CSP is 252 bytes.

During prioritized service, three messages are exchanged between the EV and the CSP as shown in Figure 5.6. The EV sends message (2), which contains ten group points of size 640 bytes and 20 bytes for the HMAC, so the total size is 660 bytes. On the other hand, the CSP sends message (2), which contains the attribute-based encryption challenge of size $(4d+1) \times 64$ bytes, 4 bytes for the $TS$, and 128 bytes for the signature; and message (3) requires 40 bytes for authentication tokens. The total packet size sent by the CSP is $256d + 236$ bytes.

For EV authentication with RSU, the EV receives 40 bytes for the challenge and the confirmation and sends 20 bytes for the authentication code. The same packet sizes are sent in the case of authentication with CP.
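
As an added illustration (not the thesis's protocol from Section 5.5, which also uses XOR and AES), the sketch below shows a token-based challenge-response with the same field sizes as the RSU and CP rows of Table 7.4: a 20-byte challenge and a 20-byte confirmation from the verifier, and a 20-byte authentication code from the EV. HMAC-SHA-256 truncated to 20 bytes, the `Verifier` class, the one-use rule for tokens and the `cp_token` derivation are assumptions of this example.

```python
import hashlib
import hmac
import secrets

TAG_LEN = 20  # bytes; same size as the challenge/code/confirmation fields above


def tag(key, *parts):
    """HMAC-SHA-256 truncated to TAG_LEN (the hash choice is an assumption)."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        mac.update(len(p).to_bytes(2, "big") + p)  # length prefix avoids ambiguity
    return mac.digest()[:TAG_LEN]


class Verifier:
    """An RSU or CP holding the tokens handed down by the level above it."""

    def __init__(self, tokens):
        self.tokens = set(tokens)
        self.pending = set()  # challenges issued but not yet answered

    def challenge(self):
        c = secrets.token_bytes(TAG_LEN)
        self.pending.add(c)
        return c

    def verify(self, c, code):
        """Return the 20-byte confirmation on success, None on failure."""
        if c not in self.pending:
            return None  # unknown or replayed challenge
        self.pending.discard(c)
        for tok in self.tokens:
            if hmac.compare_digest(tag(tok, b"auth", c), code):
                self.tokens.discard(tok)  # assumption: a token is good for one use
                return tag(tok, b"conf", c, code)
        return None


def ev_respond(token, c):
    """EV side: 20-byte authentication code over the verifier's challenge."""
    return tag(token, b"auth", c)


def cp_token(rsu_token, cp_id):
    """Hypothetical derivation of the per-pad token from the RSU-level token."""
    return tag(rsu_token, b"cp", cp_id)
```

The verifier scans its token set because the EV sends only the 20-byte code and no identifier; the EV checks the returned confirmation by recomputing `tag(token, b"conf", c, code)`.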
CHAPTER 8
CONCLUSION AND FUTURE WORK

8.1 Conclusion

In an EV dynamic charging system, the EVs need to exchange some data with the CSP and bank in order to charge and make payment, but this data should not reveal any sensitive information about the EV drivers. At the same time, the dynamic charging system should also be able to interact with a large number of EVs in an efficient way to authenticate all the EVs and provide secure charging service. So, security and privacy are predominant factors to ensure the correct operation of the system and the protection of the drivers' sensitive information. The existing security and privacy techniques cannot be applied effectively and efficiently in an EV dynamic charging system due to its unique problems and requirements such as the high authentication rate, long distance charging station, etc.

In this thesis, we have proposed a priority-based and privacy-preserving scheme to secure the communication and to preserve the privacy of the drivers in the dynamic charging system. The proposed system has three schemes for payment, authentication and prioritization, which are integrated in an efficient way in order to reduce the overall computation and communication overhead.

In order to address the scalability of the system due to the large number of EVs and CPs and the limited resources of the CPs, an efficient hierarchical authentication scheme that is based on symmetric-key cryptography is proposed. The idea is that after an EV authenticates successfully to the CSP and purchases charging using the anonymous payment method, it receives secret keys, called tokens, from the CSP shared with the RSUs. After using these tokens to authenticate to the RSUs, the EV receives secret tokens shared with a number of CPs under each RSU's control. These tokens are used to enable the CPs to identify and charge only authorized EVs. The proposed authentication and payment schemes consider the characteristics of the dynamic charging system such as the large number of charging pads having limited computational resources and the short contact time between EVs and CPs due to the high speed of EVs.

Moreover, we have introduced an efficient charge prioritization technique, which is needed when the energy supply at the charging station is less than the charging demand. In this case, the CSP cannot serve all incoming charging requests, and therefore, the charging station should distribute its power resources wisely to the EVs that have high priority. In our scheme, a priority policy is determined by each charging station, and a multi-authority attribute-based encryption scheme is used to ensure the security and privacy of the policy.

Our security analysis demonstrates that the proposed scheme is secure and can preserve the privacy of EV drivers and protect the system from collusion attacks. Along with that, our system can also trace the identity of the driver to penalize him if he misbehaves and tries to attack the system by reusing the spent coins. In addition, our performance evaluations confirm that the time required to run the cryptographic operations of our scheme and the communication overhead are acceptable.

8.2 Future work

In the future, we plan to investigate and extend our system design for a new adaptive privacy-preserving dynamic charging system for public transportation and to have more than one charging lane. Using this scheme, the dynamic charging system can charge the EVs on multiple lanes and with different power ratings, which removes the restrictions on EVs changing between the lanes during charging. We also plan to introduce prediction techniques in our system to assess and estimate the traffic patterns on the basis of time and location.
This helps the dynamic charging system to allocate the best charging station in the travel route of an EV. To achieve this, we need to introduce an entity (or a company) that is independent from all the charging stations and that receives the encrypted charging requests, which include the EVs' travel routes, the amount of charge required, the desired power ratings, the arrival time, etc. The company can then use the EVs' requests to know the distribution of the requests, and then it should use this information to determine the best routes that can satisfy all the EVs' requests while providing the requested/acceptable amount of charging. In this technique, we need to use the concept of computation over encrypted data to protect the privacy of EV drivers while providing the best charging service to the EVs. This scheme aims to achieve fairness in the charging distribution, prioritization and high driver satisfaction.
VITA

Surya Teja Gunukula was born in Nandigama city, India, on May 11, 1993. He graduated from St. Anns high school, Nuzvid city, where he obtained his high school diploma in 2010. On discovering his passion for applied sciences, he proceeded to study Electronics and Communication Engineering at the Jawaharlal Nehru Technological University - Kakinada, Andhra Pradesh, India. He received a Bachelors of Engineering in Electrical Engineering in July of 2014. He attended Tennessee Technological University from August 2015 to May 2017, from where he obtained a Master of Science degree in Electrical and Computer Engineering. Some of his research interests are cryptography, network security and privacy in dynamic charging networks for EV, Internet of Things etc.
APPENDICES

APPENDIX A
PUBLICATIONS

1. Surya Gunukula, A. B. T. Sherif, M. Pazos-Revilla, B. Ausby, M. Mahmoud and X. S. Shen, "Efficient scheme for secure and privacy-preserving electric vehicle dynamic charging system," 2017 IEEE International Conference on Communications (ICC), Paris, 2017, pp. 1-6. doi: 10.1109/ICC.2017.7997252
2. M. Pazos-Revilla, A. Alsharif, Surya Gunukula, T. N. Guo, M. Mahmoud and X. Shen, "Secure and Privacy-Preserving Physical-Layer-Assisted Scheme for EV Dynamic Charging System," in IEEE Transactions on Vehicular Technology, vol. PP, no. 99, pp. 1-1. doi: 10.1109/TVT.2017.2780179
3. M. Nabil, M. Bima, A. Alsharif, W. Johnson, Surya Gunukula, M. Mahmoud, M. Abdalla, Priority-based and Privacy-preserving Electric Vehicle Dynamic Charging System with Divisible E-Payment, Book chapter in book titled Smart Cities Cybersecurity and Privacy, Elsevier, In press, 2018.