AN ABSTRACT OF A THESIS PRIORITY-BASED AND PRIVACY-PRESERVING - - PDF document

AN ABSTRACT OF A THESIS PRIORITY-BASED AND PRIVACY-PRESERVING ELECTRIC VEHICLE DYNAMIC CHARGING SYSTEM WITH DIVISIBLE E-PAYMENT Surya Teja Gunukula Master of Science in Electrical and Computer Engineering The future transportation systems will use many advanced technologies including dynamic charging systems that enable Electric Vehicles (EVs) to charge their batteries while they are in motion. Special charging pads (CPs) placed on the roads can charge the EVs through magnetic induction. The dynamic charging system should commu- nicate with the EVs to only charge authorized EVs, prioritize charging requests and ensure payment integrity. This communication should not reveal any sensitive informa- tion about the EV drivers, and security should be well investigated to ensure the proper

• peration of the system. This thesis presents a system that provides an integrated secure

and privacy-preserving authentication, charging prioritization, and payment for dynamic charging system. The proposed system has three schemes for payment, authentication and prioritization which are integrated efficiently in order to reduce the overall compu- tation and communication overhead. In order to make payment, the EV should first purchase divisible e-coins from the bank and use them when it needs to charge. The payment scheme should be efficient and flexible in that the value of the e-coins can be adjusted based on the amount paid for charging. Charge prioritization is needed when the energy supply at the charging station is less than the charging demand because the Charging Service Provider (CSP) cannot serve all incoming charge requests and therefore the charging station should be capable of distributing its low power resources wisely to the highly-prioritized EVs. In our scheme, a priority policy is determined by each charg- ing station and multi-authority attribute-based encryption scheme is used to ensure the security and privacy of the policy. In order to address the scalability of the system due to the large number of EVs and CPs, and the limited resources of the CPs, an efficient hierarchical authentication scheme that is based on symmetric-key cryptography is de-

• veloped. The idea is that, after an EV authenticates successfully to the CSP and pays

using anonymous online payment method, it receives secret keys, called tokens, from the CSP shared with the Road Side Units (RSUs). After using these tokens to authenticate to the RSUs, the EV receives secret tokens shared with a number of CPs under each RSU control. These tokens are used to enable the CPs to identify and charge only au- thorized EVs. Our security analysis demonstrates that the proposed scheme is secure against different attacks and can preserve the privacy of EV drivers. Along with that,

• ur system can also trace the identity of the driver if he misbehaves and tries to attack

the system by double spending the e-coins. In addition, our performance evaluations and practical measurements confirm that the time required to run the cryptographic

• perations needed in our scheme and the communication overhead are acceptable.

PRIORITY-BASED AND PRIVACY-PRESERVING ELECTRIC VEHICLE DYNAMIC CHARGING SYSTEM WITH DIVISIBLE E-PAYMENT A Thesis Presented to the Faculty of the College of Graduate Studies Tennessee Technological University by Surya Teja Gunukula In Partial Fulfillment

• f the Requirements for the Degree

MASTER OF SCIENCE Electrical and Computer Engineering May 2018

CERTIFICATE OF APPROVAL OF THESIS PRIORITY-BASED AND PRIVACY-PRESERVING ELECTRIC VEHICLE DYNAMIC CHARGING SYSTEM WITH DIVISIBLE E-PAYMENT by Surya Teja Gunukula Graduate Advisory Committee: Mohamed Mahmoud, Chairperson Date Omar Elkeelany Date Ambareen Siraj Date Approved for the Faculty: Mark Stephens Dean College of Graduate Studies Date ii

DEDICATION This thesis is dedicated to my FAMILY

• my Mother, Father, Brother, Sister and Friends

iii

ACKNOWLEDGMENTS My profound gratitude goes to the Almighty God for the knowledge and wisdom he has bestowed upon me to complete this thesis. I’m grateful to all the people who were helpful in the creation of this thesis. Thanks to my committee members, Dr. Mohamed Mahmoud, Dr. Omar Elkeelany, and Dr. Ambareen Siraj, for their help and support. Thanks to my colleagues, friends, and well wishers for all their valuable contribution. Finally, I thank my family for their prayers, patience, support, and encouragement all through the duration of my graduate study. iv

TABLE OF CONTENTS Page LIST OF TABLES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii LIST OF FIGURES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viii Chapter

• 1. INTRODUCTION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

1 1.1 Electric Vehicles and Dynamic Charging . . . . . . . . . . . . . . . . . . . . . . . 1 1.2 Conceptual model of dynamic charging . . . . . . . . . . . . . . . . . . . . . . . . 4 1.3 Privacy and security issues in dynamic charging communication network . . . . . 7 1.4 Overview of the proposed scheme . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 1.5 Thesis Outline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

• 2. LITERATURE REVIEW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

13 2.1 Dynamic charging technology for EVs . . . . . . . . . . . . . . . . . . . . . . . . 13 2.2 Privacy-Preserving authentication schemes . . . . . . . . . . . . . . . . . . . . . . 16 2.3 Privacy-Preserving payment schemes . . . . . . . . . . . . . . . . . . . . . . . . . 20 2.4 Privacy-Preserving priority determination schemes . . . . . . . . . . . . . . . . . 25 2.5 Our Contributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

• 3. SYSTEM MODEL AND DESIGN GOALS

. . . . . . . . . . . . . . . . . . . . . . . . 29 3.1 Network model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 3.2 Adversary and Threat model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 3.3 Problem Formulation and Design Goals . . . . . . . . . . . . . . . . . . . . . . . 32

• 4. PRELIMINARIES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

35 4.1 Cryptographic hash function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 4.2 Bilinear pairing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 4.3 Attribute Based Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 4.3.1 Access policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 4.3.2 Linear Secret Sharing Schemes . . . . . . . . . . . . . . . . . . . . . . . . . . 38 4.4 Zero-Knowledge proof . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 4.4.1 Schnorr protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 4.5 Blind-LRSW signature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

• 5. PROPOSED SCHEME

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 5.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 5.2 Initialization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 5.3 Purchase of E-Coins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 5.3.1 Construction of Divisible E-Coin Public Tree . . . . . . . . . . . . . . . . . 46 5.3.2 Purchase of E-Coins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49 5.4 Modes of Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50 v

Chapter vi Page 5.4.1 Priority Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51 5.4.1.1 Emergency Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56 5.4.2 Regular Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57 5.5 Hierarchical Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 5.5.1 Computing shared keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 5.5.2 Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61 5.6 Coin Deposit and Double Spending verification . . . . . . . . . . . . . . . . . . . 62 5.6.1 Double Spending detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63 5.6.2 Identifying the Double Spender . . . . . . . . . . . . . . . . . . . . . . . . . 63

• 6. SECURITY AND PRIVACY ANALYSIS

. . . . . . . . . . . . . . . . . . . . . . . . . 65 6.1 Privacy Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65 6.1.1 External attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65 6.1.2 Internal attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65 6.2 Security Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67 6.2.1 Attacks against payment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67 6.2.2 Attacks against priority determination . . . . . . . . . . . . . . . . . . . . . 69 6.2.3 Attacks against authentication and key management . . . . . . . . . . . . . 70

• 7. PERFORMANCE ANALYSIS

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73 7.1 Experimental setup and performance metrics . . . . . . . . . . . . . . . . . . . . 73 7.2 Computation Overhead . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73 7.3 Communication Overhead . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

• 8. CONCLUSION AND FUTURE WORK . . . . . . . . . . . . . . . . . . . . . . . . . .

79 8.1 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79 8.2 Future work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80 VITA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83 APPENDICES

• A. PUBLICATIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

88 REFERENCES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

LIST OF TABLES Table Page 1.1 Number of charging stations with different charging standards [1] . . . . . . . . . . . . . 3 5.1 Table of notation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 7.1 Computational overhead of cryptographic operations. . . . . . . . . . . . . . . . . . . . 74 7.2 Setup times of the system. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75 7.3 Computation overhead. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76 7.4 Communication overhead. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78 vii

LIST OF FIGURES Figure Page 1.1 ORNL testbed for dynamic charging system [2] . . . . . . . . . . . . . . . . . . . . . . . 4 1.2 ORNL 20 kW wireless charging system . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 1.3 Qualcomm dynamic charging track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 3.1 Considered network model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 4.1 Example for access policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 4.2 The schnorr protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40 5.1 Flowchart of proposed scheme . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44 5.2 Example of 4 level public E-Coin tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 5.3 Public E-Coin tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48 5.4 E-Coin purchase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50 5.5 Overview of the exchanged messages in the proposed scheme . . . . . . . . . . . . . . . 51 5.6 Exchanged messages in priority mode of our scheme . . . . . . . . . . . . . . . . . . . . 53 5.7 Exchanged messages in the regular mode of our scheme . . . . . . . . . . . . . . . . . . 58 5.8 Using the seed γn,nr to compute a set of tokens. . . . . . . . . . . . . . . . . . . . . . . 59 5.9 Using the seed µ1,1 to compute a set of tokens. . . . . . . . . . . . . . . . . . . . . . . . 60 5.10 Computation of shared keys with CSP by RSUi. . . . . . . . . . . . . . . . . . . . . . . 60 5.11 Computation of shared keys with RSUs by EVi. . . . . . . . . . . . . . . . . . . . . . . 61 5.12 Charging from the pads of fifth RSU to the pads of tenth RSU. . . . . . . . . . . . . . 61 viii

CHAPTER 1 INTRODUCTION In this chapter, we first explain the motivations of the dynamic charging of electric vehicles (EV), then we explain its characteristics and main advantages over conventional charging methods. Then, we explain the communication requirements of the dynamic charging system. Next, we discuss the security and privacy issues which plays a crucial role for practical implementation of EV dynamic charging system. Finally, we give a brief overview to our proposed scheme to address these issues. 1.1 Electric Vehicles and Dynamic Charging EVs have recently received increasing popularity because they can reduce the dependency on fossil fuels and promote the adoption of intermittent renewable energy sources [3, 4, 5] by storing excess power generated. EVs can inject power to the grid to facilitate the power regulation and load

• balancing. According to [6], the price of 0.10 per kWh electricity is equivalent to the price of 0.70

per gallon of gasoline in the U.S. Due to such potential, many automotive companies have invested in EV technology and started to produce reliable EVs. Most of the governments around the world are exerting a lot of effort for accelerating the penetration of EVs into the market by giving special privileges for EVs such as priority to use High Occupancy Vehicle (HOV) lanes, special parking places in parking lots etc. The Electric Power Research Institute (EPRI) projects that 62 percent

• f the entire U.S. vehicle fleet will consist of EVs by 2050 using a moderate penetration scenario [5].

Inspite of the advantages of EVs over the conventional vehicles, there are some challenges that should be addressed before the large scale deployment of EVs in market. One of the major challenges is the long time needed to charge EVs battery. For a single charge, depending upon the size of the EV battery, it may take from one half hour to several hours according to the power 1

2 ratings of the attached charger, which is many times longer than fueling of gasoline vehicles. For example, a Nissan Leaf uses a 24-kWh battery pack to support a 100-miles range [7]. Similarly, a Mitsubishi iMiEV can achieve the same range by using 16 kWh battery pack. Tesla Model S is capable of providing a much larger driving range of 208/265 miles with a 60/85 kWh battery pack. The driving range of an EV is proportional to the size of the battery pack which means if a long driving range is needed, then the EV should have a large battery pack which affects the cost and performance of the EV. In addition, access to the public charging stations is also limited for most

• f the locations in the U.S [8].

Currently, more than 16,000 public charging stations with 43,000 connectors have already been deployed, but this number is far behind comparing to the number of gas stations available in the U.S. These charging stations are built with different charging standards as given in Table. 1.1. As we can learn from the Table 1.1, EV charging infrastructure in U.S. still needs to go a long way to reach the needs of EV owners. But the progress in direct durrent (DC) chargers and wireless chargers in recent years helps to reach that goal in near future. Since most of the charging

• f EVs can be done at home, which would be sufficient for low distance travel of an EV. The

main role of these public chargers is to enable long distance travel and that would be practically achievable through DC fast charging and dynamic charging. It is expected that there will be more number of fast-charging stations built on major highways in the near future [1]. Even though these fast charging stations provide faster services than conventional alternate current (AC) Level-1 and Level-2 charging stations, the EVs need to stop at these charging stations until they fully charge the

• battery. In order to remove these restrictions on the driving range of EV and the time to charge,

many researchers have been trying to develop an efficient charging system which would be more convenient option for EV charging infrastructure. Dynamic charging is a promising technology that can address the issue of long charging time by enabling the EVs to charge while moving [2, 9] by installing charging elements on roads called

3 Table 1.1: Number of charging stations with different charging standards [1] Charging Standard Stations Connections AC Level - 1 1, 482 2, 924 AC Level - 2 14, 433 34, 148 DC Fast 2, 080 5, 607 Inductive (wireless) 63 81 Charging Pads (CPs), that can charge EVs by electro-magnetic induction. This means that the EVs do not need to stop and wait at charging stations to charge their batteries, which can help EV drivers to save a lot of time. The dynamic charging technology helps to increase the driving range of EVs and reduce the battery size which in turn reduces the overall manufacturing cost of an EV. As the dynamic charging becomes practical and the EV prices continue to fall, the dynamic wireless charging becomes more popular as a public charging option because of its convenience and flexibility. The Society of Automotive Engineers (SAE) has formed the SAE J2954 Wireless Charging Task Force in 2010 to address the needs of comprehensive standardization of Wireless Power Tech- nology (WPT) for the stationary charging case. In 2012, the U.S. Department of Transportation (DOT) identified the need for dynamic wireless charging for EVs and also mentioned the implica- tions of dynamic charging of EVs on the national highways [10]. Tajima et. al have mentioned in [11, 12] that they have already conducted several tests using the dynamic charging system in which they have successfully showed that the EVs can be charged with 180 kW (DC 600 V, 300 A) of power while the vehicle is moving at a speed of 156 km/h. These researchers have even started to develop a dynamic charging system which can supply 450 kW (DC 750 V, 600 A) of power while EV moves with the speed of 200 km/h during charging. The authors claim that that if this dynamic charging systems are deployed to the highways, the restrictions on EV driving range could be removed by the installation of a charging station with approximately two kilometers of charging lane per 50 km.

4 Figure 1.1: ORNL testbed for dynamic charging system [2] To sum up, dynamic charging technology offers major advantages like lowering the overall manufacturing cost of EVs by reducing the size of battery pack and eliminating the range anxiety which is a major challenge for deploying EVs in large scale. 1.2 Conceptual model of dynamic charging Several researchers [13, 9, 14, 15] as well as companies like Qualcomm, Honda etc., have been working on developing prototypes to show that the concept of dynamic charging would be practical and efficient. As an example, a testbed for dynamic wireless power transfer is created by researchers from Oak Ridge National Laboratory (ORNL) [2] as shown in Fig.1.1. In the testbed, charging pads are placed under a portion of roadbed and an EV’s battery is charged by using magnetic induction while the vehicle moves over the pads [2]. Each charging station in the dynamic charging system will have a large number of pads extended over a long distance (several miles) to allow EVs to charge

5 Figure 1.2: ORNL 20 kW wireless charging system . enough amount of power. Each pad should charge only one EV at a time. This is because not all the EVs driving on a road need to charge, and thus if a pad is long, it may charge these EVs. Pads should be turned on only when the EV that needs to charge is above it to eliminate the energy waste if pads are turned on all the time. By using different charging rates and resonance frequencies, the charging pads can charge EVs with different battery types according to the request made by an

• EV. The dynamic charging system must learn the EVs parameters such as its speed and air gap.

It should also switch on each individual charging pad just before the EV comes, adjust the power

• utput according to the incoming EVs parameters, and switch off the charging pad after the EV

moves over. Considering the aforementioned characteristics and limitations of dynamic charging systems, ORNLs power electronics team have developed a unique architecture as shown in Fig.1.2 for dynamic

6 Figure 1.3: Qualcomm dynamic charging track charging infrastructure which includes ORNL-built inverter, isolation transformer, vehicle-side elec- tronics and efficient coupling technologies to achieve 90 percent efficient 20 kW wireless charging system for passenger EVs. For demonstration, the researchers have integrated a single-converter system into an electric Toyota RAV4 equipped with an additional 10-kilowatt hour battery with a air gap of 16 cm between charging pads and the charging coils of EV. Qualcomm Technologies Inc. has designed, built, and tested a dynamic EV charging system as shown in Fig. 1.3 which is capable of charging an EV dynamically over a speed of 100 km/h with

• 20kW. They have even tested the system by charging two electric vehicles simultaneously on the

track using dynamic wireless charging technology. Another researchers from Korean Advanced Institute of Science and Technology (KAIST) [16] have started a project on Online Electric Vehicles (OLEV), in which they have developed a new technology, called Shaped Magnetic Field in Resonance (SMFIR), that delivers high power of

7 100 kW with an efficiency of 85 percent with 20 cm air gap. They also deployed two OLEV buses along a 15-mile inner-city route in Gumi, Korea. This track uses the technology of SMFIR to deliver power wirelessly from charging pads to the bus. The challenges that are discussed in the above mentioned works to make the dynamic wireless power transfer (DWPT) practical for commercial use are [2]:

• Acceptable power levels vs. vehicle battery types.
• Vehicle alignment, maintaining the correct alignment between the charging pads and the EV

to acheive high efficiency of power transfer

• Allowable speed profiles and issues related to coils size for the segmented track.
• Multiple vehicles on a single charging lane and power flow management.
• Need for low latency, private and secure bidirectional communications.

1.3 Privacy and security issues in dynamic charging communication network The main requirement of any communication network is security, privacy preservation, and high performance. In dynamic charging system, EVs need to send sensitive information to charging stations for authentication, payment, and load management purposes. The dynamic charging system should secure the payment and the authentication processes and should also be efficient enough to serve a large number of EVs in little amount of time. Moreover, since EV is a personnel product, the location of an EV is actually the location of the EV driver, and thus location privacy can be breached by attackers if the data sent by the EVs can be linked to a particular driver. Designing an efficient and secure communication scheme for dynamic charging system while considering the scalability and large geographic area of the system, which can extend over several miles is a real challenge. The contradictory issues between security and privacy complicates the

8

• problem. To elaborate, it is necessary to know the identity of an EV in order to authenticate it to

the dynamic charging system before allowing that EV to charge, but it is not appealing to reveal the identity of an EV to the dynamic charging system because of the privacy issues. For security and privacy reasons, it is sufficient if an EV discloses a little information that would be enough to authenticate the EV to ensure that the EV that requests charging service is a legitimate member in the system without being able to link the information to a particular EV. Another major part of the system is the payment for charging service. A secure and anony- mous payment protocol is needed in order to ensure payment integrity to avoid any payment related fraud during the purchase. The payment protocol should be able to detect and thwart different attacks and identify the attackers. At the same time, the payment should be done anonymously to protect the privacy of the EV drivers. To achieve that, any information sent by an EV during a charging purchase should not be linkable to a particular EV or other purchases in different locations to avoid tracing the EVs. Another issue for dynamic charging system is the variation in EV charging demand from time to time. A quite possible scenario is that the charging demand exceeds the available energy supply during peak times. Therefore, there should be a mechanism for prioritizing the EVs and charge the highly-prioritized EVs. Unlike the regular plug-in charging stations, load shifting cannot be used in dynamic charging to allot particular time for an EV to charge because in dynamic charging, EVs will be in motion while charging. In order to prioritize the charging requests of EVs into different levels of priority, the charging station needs to learn some information about the attributes of EV to determine its priority level. For instance, the attributes of an EV include a police, an ambulance, a government official vehicle, a veteran driver etc. The attributes of an EV driver can also be related to his/her work, organization or physical/mental status etc. Revealing these attributes definitely reveals personal information about the EV driver. For example, if any attacker knows that an EV is a government official’s vehicle, then the attacker can trace the location of that EV to know the

9 places that are frequently visited by that official and might learn some private information, which violates the privacy of the EV drivers. That is why, the prioritization should be done anonymously without disclosing sensitive information about the attributes of an individual EV. The prioritization should also be secure because EV drivers may lie about their attributes to get high priority. In conclusion, for the dynamic charging system to function properly, it should communicate with the EVs to only charge the authorized vehicles, prioritize charging requests, and ensure payment

• integrity. At the same time, the charging system should also be protected from misbehaving entities

either internal or external by securing the communication, avoiding leakage of sensitive information, and identifying the misbehaving entities. Without proper privacy-preserving mechanisms, users may hesitate to use the dynamic charging communication networks. Therefore, it is paramountly necessary to resolve the security and privacy issues before implementing the dynamic charging systems. In this thesis we propose priority-based and privacy-preserving EV dynamic charging system with divisible e-payment which aims to address the security and privacy issues mentioned before. 1.4 Overview of the proposed scheme In this thesis, we propose a dynamic charging system which provides an integrated secure and privacy-preserving payment, authentication, and prioritization for EV. Before charging, EV needs to communicate with various system entities that include a bank, a charging service provider (CSP), roadside units (RSUs), and CPs. The proposed scheme aims to address the privacy and security related to this communication to preserve the privacy of the EV drivers and ensure the proper functionality of the system. In this subsection, we explain the overall idea of the proposed sacheme. First, the EV should communicate with the bank to purchase divisible e-coins that will be used when the EV needs to charge. Hence, a secure, efficient, and flexible payment mechanism

10 should be employed to facilitate the payment and spending of e-coins so that each EV can adjust the value of the e-coin according to the charging amount. Moreover, the spending of the e-coins should be anonymous to preserve the location privacy of the EV drivers. An efficient divisible payment scheme is proposed in [17] which allows the user to purchase a divisible e-coins of value 2n from the bank, and then the user can spend anonymously adjustable e-coins values at different merchants. Divisible e-coins are a requirement to the flexibility of the dynamic charging system, where the EVs can adjust the e-coin value according to the amount of the energy required. In our scheme, we integrate the payment scheme proposed in [17] with our authentication and priority determination schemes to allow EVs to purchase and spend divisible e-coins efficiently. Moreover, we modified the verifications needed by the payment scheme to prevent false accusation attack of double-spending which can happen when a legitimate EV spend an e-coin at a malicious CSP. This CSP can pass that e-coin to another EV that can also spend the e-coin at different CSP. Therefore, when both CSPs deposit their e-coins at the bank, the legitimate EV is falsely accused of double-spending. Our modifications prevent this scenario from happening in the system. After EV purchases e-coins and when the EV needs to charge, it communicates with the CSP by sending a charging request that includes the amount of needed energy, whereas the CSP needs to check if it has enough energy to service the set of requests it receives at a given instance

• f time. In an event that the available energy is less than charging demand, prioritization becomes

a necessity. EVs get serviced based on a set of predefined criteria that define the importance of the demands [18, 19]. For example, ambulances and police vehicles should be given high priority. In

• ur scheme, a priority policy is determined by each charging station and multi-authority attribute

based encryption scheme is used to ensure the security and privacy of the policy [20]. Moreover, charging process requires exchanging messages between EV, RSUs, and CPs to charge authorized EVs, but this can be used to identify EVs, and hence, location privacy of EV drivers can be breached. Since these messages are transmitted via wireless communications, it is

11 imperative that the data are secured against eavesdroppers. In order to address these issues, an efficient hierarchical authentication scheme that is based on symmetric-key cryptography is used. The scheme allows the EV to first authenticate with the CSP and receive secret keys, called tokens, shared with the RSUs. After using these tokens to authenticate to the RSUs, the EV receives another secret tokens shared with a number of CPs under each RSU control to further authenticate with the CPs for charging process. Designing an efficient, privacy-preserving and secure scheme that integrates authentication, prioritization, and payment for dynamic charging system is a challenging task. It is necessary for the dynamic charging system to efficiently authenticate the EVs that need to charge. Also, the payment process should be efficient and flexible. In summary, for dynamic charging system to be fully functional, EVs need to be able to communicate securely and anonymously with several entities. The CSP, on the other hand, should be able to discern authorized EVs and allow them to authenticate to RSUs and CPs to charge. Activities such as bill payment should be performed seamlessly while preserving the privacy of the EV drivers. Unlike existing schemes for dynamic charging systems [18, 21] that do not provide an integrated solution for the dynamic charging system, in this thesis, an efficient and secure privacy-preserving scheme for dynamic charging of EVs is presented which provides an integrated solution for anonymous authentication, prioritization, and payment. The main three components of our scheme are summarized as follows.

• Multi-Authority Attribute-Based Prioritization. The CSP is able to securely prioritize charging

requests based on the attributes of the EV received from different authorities. During this prioritization, the attributes of EVs are kept confidential from the CSP. It can only know that a given EV fulfills a given priority policy but does not know the exact attribute set the EV

• possesses. In addition, this secure prioritization prevents any malicious EV from claiming a

false priority level.

12

• E-payment. An efficient, flexible, and anonymous E-payment scheme with divisible e-coins is

used for billing in the proposed dynamic charging system. The scheme allows the EV to spend a pre-purchased e-coin at the charging station anonymously and efficiently. Furthermore, the value of the e-coin can be adjusted according to the amount of charge that the EV gets.

• Efficient Hierarchical Authentication. A lightweight and scalable authentication scheme based
• n symmetric key cryptography is presented to enable fast authentication between the EV and
• CSP. The scheme allows the EV to get secret tokens from CSP shared with the RSUs. These

tokens allow mutual authentication between EV and RSU. Similarly, the EV gets secret tokens from RSU shared with the CPs it controls to allow the authentication between the EV and CPs. Our analysis demonstrates that the proposed scheme is secure and can preserve privacy of the EV drivers. In addition, our measurements confirm that the proposed scheme is efficient in terms

• f computation overhead as well as communication overhead.

1.5 Thesis Outline The remainder of this thesis is organized as follow: The literature review is given in Chapter

• 2. The network and threat models are explained in Chapter 3. The preliminaries are explained in

Chapter 4. The proposed schemes are presented in Chapter 5. The security/privacy analysis are discussed in Chapter 6. The performance evaluations are given in Chapter 7. Finally, conclusions and future works are drawn in Chapter 8.

CHAPTER 2 LITERATURE REVIEW The proposed scheme is related to three different fields of research: efficient authentication, privacy-preserving payment, and priority determination. In this chapter, we first survey the pa- pers of dynamic charging systems for electric vehicles. We will discuss different dynamic charging system architectures and the authentication protocols that are designed for them. Then, we dis- cuss the papers that are related to privacy-preserving payment, which aims to enable a user to pay anonymously to the merchant for the service he/she has received from merchant and it also protects the system from any misbehaving users/merchants. Finally, we survey the priority determination schemes which allows the CSP to determine the charging priority level of an EV without knowing any private information about the driver. We provide an extensive literature review related to all

• f these fields while also highlighting the key differences between this thesis and the works done in

literature. 2.1 Dynamic charging technology for EVs The challenges in dynamic charging systems that are related to power management and also communication, security and privacy have been investigated in the literature systems. We have classified our literature review on Dynamic Charging for EV into non-cryptography based and cryptography based schemes. Li et al., in [22] has reviewed the technologies of the wireless power transfer (WPT) that are applicable for electric vehicle wireless charging. This study has considered the complex issues that are related to wireless charging such as the frequency of the magnetic field, the distance between two coils, misalignment and other uncertainties of the system. The authors have also discussed 13

14 the efficient design methodologies for the magnetic coupler and have also stated the challenges and differences between the stationary wireless charging couplers and the dynamic charging couplers. Finally, the authors concluded that the dynamic wireless charging capability provides the foundation for mass market penetration for EV in the near future regardless of battery technology and it can be done efficiently with little advancement in technology. Omer et al. summarize some of the activities of Oak Ridge National Laboratory (ORNL) in wireless charging for in-motion EVs in [23] and have designed a prototype system for their exper-

• iments. The authors have studied their system behavior under different frequencies and observed

that the behaviour of the system changes according to the frequency deviation from resonance. The authors have even studied efficient methodologies of coil design and properties of high-frequency power inverter and also the insertion losses due to different road surface materials. In [24], Lukic et. al., have investigated inductive power transfer (IPT) technology for wireless

• charging. The authors have reviewed the fundamentals of the IPT technology and its history and

claimed that wireless power transfer is more realistic by using IPT. They also presented some factors that have to be considered to adapt IPT for static and dynamic EV charging. In order to determine the requirements for dynamic wireless charging for EVs, Patnic et. al. in [25] have considered the report from [24] and have done various tests on different types of EVs (compact car: Honda Insight; large car: Chevrolet Impala; and SUV: Ford Explorer) with different sizes of battery packs (8, 11, and 15 kWh, respectively) to measure the variation of driving ranges for each vehicle depending upon the driving conditions. After reviewing the simulation results, the authors claim that IPT enabled roadways can extend the driving ranges of EV. Turki et al. in [26] have introduced and studied the concept of how the railway energy supply system can be used to feed the wireless charging networks by using the available power electronic devices and the grid topologies. They have selected an efficient dual-active bridge (DAB) topology which provides a high degree of flexibility and can match the demands of power ratings that are

15 required for the transformation of railway grid AC voltage to DC voltage for wireless charging

• feeders. The authors have also conducted several simulations and found out that controlling the

DABs topologies can compensate the variations in railway grid voltage. The authors have concluded that the challenges for dynamic wireless charging can be resolved using present technology, but it could be optimized. Li et al. in [27] proposed an initial framework for coupling EVs and the power grid through dynamic charging and VANET technology. The demand driven framework designed in this work has considered the hourly variation of traffic according to locations and have estimated the demand

• f electricity to efficiently allocate the charging stations. By using this framework, the charging

stations can have better visibility about the demand and control over its resources. In [28], Suh et. al. have studied the wireless power transfer field and have verified the practical applicability of wireless charging. The authors have introduced the concept of wireless power transfer technology, called Shaped the Magnetic Field in Resonance (SMFIR), for Online Electric Vehicles (OLEV) and have demonstrated their experimental results. The authors have also discussed the design concept, system architecture, and development process of the system design to achieve higher power transfer efficiency. In [29], Theodorous et. al. have discussed the impact of dynamic wireless EV charging on the existing grid infrastructure. The authors have created a simulation environment in order to assess the impact of a charging lane layout and traffic on the grid and evaluated the energy storage requirements for demand smoothing and finally discussed the possibility of integrating renewable energy into dynamic wireless charging infrastructure. In [2], Miller et al. have discussed the challenges of wireless power transfer in case of moving EVs. The authors have not just investigated the issues in high power transfer to moving EVs but also the communication in a vehicle to infrastructure (V2I) environment under high traffic conditions.

16 2.2 Privacy-Preserving authentication schemes Few papers in the literature have investigated the security and privacy issues of dynamic charging of EVs. In [30], Li et al. proposed a privacy-preserving authentication scheme for EV dynamic charging. The idea is that when an EV needs to charge, it has to contact the CSP to obtain a pseudonym and a corresponding symmetric key. Then, the EV can use them to authenticate to every charging pad it encounters in its way. The CSP has to distribute all the pseudonyms and corresponding keys to all the pads, and all pads should store all the pseudonyms/keys including the

• nes that may be used at other pads. This is because in the considered network model a charging

station spreads over a large geographical area and an EV can take any route to get charging using its set of pseudonyms. This requires large storage for charging pads and large communication overhead. Cost-effective charging pads usually have limited computation and communication resources. An authentication scheme was proposed in [31] to expedite the authentication between EV and CPs. The scheme consists of two main parts: direct and indirect authentication. In the direct authentication, EV and CP authenticate each other directly. After that, CP forwards the authentication request to the utility for authenticating the drivers. EVs have their credentials stored in a tamper-proof module (TPM) and activated for usage by the registered motor authority (MA). These keys are updated at specific intervals by the same authority. For revocation of keys, a number

• f registered revocation authorities have to cooperate, using credentials from MA, to identify EV

associated with a key. A large number of CPs and frequency of communication with utility can lead to communication bottleneck at CSP. In [32], a fast authentication scheme is proposed for EV charging. The scheme uses Just Fast Keying [33] approach to initiate the charging session with each RSU, which serves as an intermediary between EV and utility. To enable fast response and eliminate the need for EV to frequently authenticate as it travels between RSUs, EV credentials are forwarded from one RSU to another.

17 The scheme, however, is susceptible to replay attack, does not consider the privacy of EVs and also does not consider payment. In [34], Zhao et al. proposed a billing scheme for dynamic charging

• system. The proposed scheme assumes that each EV should use a Trusted Platform Module (TPM)

which is a tamper proof device used to save secret keys. The proposed scheme targets a single CSP system, and if an EV needs to get charging at another CSP, it also has to register at that CSP. In [35], Li et al. have proposed an efficient and secure anonymous real-time reporting scheme for EVs. In the proposed scheme, rewards are used to encourage the EVs to report their battery status to the utility. Because the EV information such as the future trip start time and battery State-of-Charge (SoC) helps the power grid to perform some optimizations like load management, charging scheduling, V2G profit optimization, etc. Nicanfar et al. [36] have proposed an authentication scheme for EV in V2G network while preserving the privacy of the EV drivers. The authors have considered two different cases. The first case is on the home network which needs the mutual authentication between EV and the smart grid server that EV has already registered for, and in the second case, EV uses pseudonyms given by registered grid to anonymously authenticate to a non-trusted third-party server. By using both

• f these schemes, the EV can charge its battery at multiple charging stations. This paper is the

improved version of [37] and has mentioned all the situations that an EV can be involved in a V2G network. In [38], Yang et. al., have studied the privacy related issues in V2G network and proposed an anonymous authentication scheme with precise reward scheme to encourage the users to use V2G network. The authors have used the idea of ID-based restrictive partially blind signature [39] to protect the identity of EV during authentication protocol. The EV has to prove that it has a valid permit given by control center to the aggregator during authentication protocol. During this communication, the aggregator can only know that it is communicating with one of the EV in the system, but cannot linke the EV to any specific users identity.

18 Authentication for dynamic charging infrastructure is similar to the authentication in V2G networks and the Vehicular Adhoc Networks (VANETs), where the authentication should take place between an EV and the infrastructure. In general, VANETs need two authentication schemes, one for vehicle to vehicle (V2V) authentication and the second is for vehicle-to-roadside unit authentication (V2R). The most commonly used schemes for the privacy-preserving authentication in VANETs and V2G networks use anonymous certified pseudonyms [36, 40] and Group signatures [41] where a group manager generates keys for each member of the group to sign their messages. Given a signature, a verifier cannot infer the signer’s identity and can only know that the signer is a member in the group. In the vehicular network settings, one conventional approach is to use a trusted authority as group manager, and all vehicles are the group members who generate a group signature to authenticate anonymously during communication with RSUs. Another approach is to use the RSU as a group manager and all vehicles within the RSUs communication range as its group members [40]. Li et al. [42] proposed two anonymous authentication schemes for V2R and V2V networks which use self-generated pseudonyms, and identity-based signatures (IBS) [43]. This scheme also provides conditional anonymity with traceability for non-repudiation in case of malicious vehicles try to attack the system. The authors have also analyzed the proposed schemes for the typical VANETs environment and have concluded that the proposed scheme is the best fit for that environment. In [44], Zhang et al. have proposed an RSU-based message authentication mechanism, called RAISE, that uses k-anonymity approach [45] to provide conditional anonymity for drivers of vehicle. By using RAISE, roadside units verify the authenticity of messages sent by vehicles on behalf of

• ther vehicles and notifies the results back to the vehicles. The idea of this paper is to reduce the

computation overhead on vehicles during high traffic density, since a vehicle may not be able to verify all the signatures given by its neighbors which results in message loss. In [46], Lu et al. have proposed an efficient conditional privacy preservation (ECPP) scheme for VANETs based on the on-the-fly short-time anonymous key generation between the vehicle and

19 an RSU. The paper focuses on conditional privacy while addressing two security issues such as efficient safety message anonymous authentication and efficient tracking on the source of a disputed safety message. In [47], Xi et al. have proposed a random key-set pre-distribution based authentication scheme for VANETs. The keys are distributed to the vehicles by a key distribution authority. The authentication scheme proposed in this work was primarily being used in wireless sensor networks and has also been adapted to vehicular network [47]. This authentication scheme preserves the privacy

• f drivers under the zero trust policy, which means that there is no central trusted authority. In

case of disputes, the identity of a malicious driver can be identified with the help of key distribution center. Ahren et. al. have proposed an efficient key management scheme based on Temporary Anony- mous Certified Keys (TACKs) in VANETs [48]. The scheme facilitates the revocation of misbehaving entities and focuses on VANET applications that require short-term linkability of vehicle messages, i.e., an RSU needs to be able to link two messages sent by the same vehicle. The authors claim that the short-term linkability does not violate drivers privacy because of its constrained mobility

• pattern. The TACKs keys are certified by a regional authority (RA) and used by vehicles to au-

thenticate to RSUs. To update these TACKs, the vehicle needs to authenticate to RAs using group

• signature. This group signature can be generated by an vehicle using the long-term key issued by the

trusted authority. If any vehicle misbehaves, the identity of that vehicle can be traced by the trusted authority, and to revoke a user the trusted authority computes a revocation token corresponding to that EV and publishes it to the RAs. In [49], Jinyuan et al. have proposed an identity based [50] security system for VANETs. The proposed scheme is based on using pseudonyms for driver’s anonymity. It also uses threshold signature [51, 52] for exculpability, which means that the legitimate user cannot be falsely accused as a malicious user even by a corrupted authority. The proposed scheme also uses threshold authen-

20 tication [53] to revoke misbehaving driver’s credentials. So, any additional authentication beyond the threshold value can reveal the identity of the misbehaving user. 2.3 Privacy-Preserving payment schemes In line with maintaining anonymity while charging, it is imperative that the payment scheme preserves the privacy of EV drivers. There are many different forms of existing payment systems, like electronic cash (e-cash), credit card payments, physical cash, and bitcoins. In this section, we survey the payment systems that are specifically designed for EV charging transactions and also

• ther practical payment systems like electronic cash.

Few researchers have developed payment schemes that are specifically designed for EV charg- ing transactions [54, 55, 56, 57] and the public transportation systems [58]. In [54], Soghoian et. al. have proposed a secure payment system, called Merx, that enables a user to delegate a third party to perform a transaction on behalf of the user while protecting the users privacy. The idea is that the user should generate a transaction token and give it to a third party which uses that token as an authorization to purchase goods by a third party without involvement of the user. This token reveals no information about the user, like users account number, identity etc., to the merchant. Merx protocol is designed to be used with mobile phones and mobile computing devices, especially in situations where end-users do not have access to the Internet. In [58], Rupp et. al. have proposed a lightweight payment scheme for public transit systems called Privacy-Preserving Pre-Payments with Refunds (P4R). In the proposed scheme, a user has to make a deposit to get a credential, where the credential represents fixed amount of money and allows to make an arbitrary ride. The actual fare of a trip is calculated according to the entering and exiting stations of the transit and the user gets a refund if the actual fare is less than his deposit, i.e., overpayments are refunded at the end of the trip. The user can then aggregate all trip refunds into a single token. This scheme is built upon the Brands’ e-cash scheme [59] for constructing the

21 pre-payment system and a variant of blind Boneh-Lynn- Shacham signatures [60] to implement the refund capabilities. In [55], Zhao et. al. have proposed an anonymous payment scheme for EVs charging. An anonymous credential technique [61] is used for anonymous authentication of EVs to Energy Provider Company (EPC). Some attributes are added to the anonymous credential to prove the properties

• f EV, like the battery size, power ratings etc., and to provide diversity in price according to the

charging service. The Trusted Platform Module (TPM) which is embedded in On Board Unit (OBU)

• f EV is used to prevent users from performing replay attacks on EPC and it is assumed that TPM

does not do any illegal actions. At the time of charging, TPM and OBU present their credential and some attributes of the vehicle to the EPC server. TPM authenticates to the charging server using the technique of direct anonymous attestation [62]. After that, server checks the price of the current electric energy in the case of dynamic price. If the remaining balance in the credential is larger than the require amount, the server starts to charge the EV; otherwise, it rejects the request

• f EV. After that, OBU gets an updated credential with decremented balance.

In [56], Zhao et. al. have proposed a secure and privacy-preserving payment system for EVs using Camenisch-Lysyanskaya (CL) signature and TPM technique. The CL signature technique [63] is used to protect the privacy of EV drivers while users schedule charging service to EVs. A user can reserve a limited number of charging stations simultaneously. A punishment mechanism is also used if a driver makes a reservation but does not come. This scheme also provides a lost EV protection service to the users so that users can find their stolen vehicles with the help of trusted

• authority. Moreover, the scheme uses a TPM which is totally trusted and tamper-resistant to store

the cryptographic secrets of EV and also authenticate the EV during charging reservation. Each EV needs to top up some amount into its account before entering the charging station and proves to the charging server that it has enough amount of money in its account using range proof technique [64]. This scheme also supports the dynamic pricing.

22 In [57], Mustafa et. al., have proposed an offline payment scheme for EV charging. In the proposed scheme, users need to register for a contracted supplier (CS) and if the EV gets charged from any other host supplier (HS), then it authenticates to that HS using the pseudonyms given by CS and the HS generates a bill for CS which should be paid later by EV. Electronic cash was first invented in [65, 66], and extensively investigated in [67, 68, 69, 70, 71, 72, 73]. Unlike physical cash, electronic coins are easy to duplicate. The main idea for any e-cash scheme is that, even though a single party, i.e., bank, is responsible for giving out electronic coins and later accepting them for deposit, the coin withdrawal and the spending protocols should be designed in such a way that it is impossible to identify who spent a particular coin. The coin withdrawal protocol does not reveal any information to the bank that would later enable it to trace where a coin is spent. So, the users can spend their e-cash anonymously without worrying about their privacy. Empowered by the anonymity that e-cash provides, malicious EV drivers involved in coin double spending will not be punished unless something is done to include accountability. In [74], Camenisch et. al. have presented an efficient off-line anonymous e-cash scheme where a user can withdraw a wallet containing 2l coins each of which the user can spend unlinkably. This scheme is efficient in terms of storage space where the whole wallet of 2l coins has about the same size as one coin and also provides traceable coins without a trusted third party. That is, once a user spends one of the 2l coins in his wallet twice, all his spending of these coins can be traced by using the technique of verifiable encryption [75] during withdrawal protocol. This scheme also offers exculpability of users, in which the bank can prove to a third party that a user has double spent coins but cannot accuse a legitimate user of double spending. The e-cash system proposed in [76] is a bandwidth-efficient off-line anonymous e-cash scheme with traceable coins and identity using the technique proposed in [77]. The major difference between

• ther e-cash schemes and this paper is the traceability of e-coins by the users, i.e., coin-tracing

without a trusted third party. The idea is that any party can trace the coins of the same user

23

• nce this user double spend a coin, i.e., whenever a user double spends a coin, the bank can detect

the identity of user and also publishes some tracing information called tag. Given two payment transcripts from same coin of the same user, the scheme outputs same tag, so that once a user double spends, all spendings of the same user are identified by the merchant during payment protocol. In an e-cash system proposed by Camenish et. al. in [78], a user can withdraw coins from the bank, and then spend each coin anonymously and unlinkably. The authors also have proposed an additional property for e-cash by adding restriction on number of transactions made by a user with specific merchant. The number of transactions may vary for each merchant. This property

• f e-cash can be used in some cases where it is desirable to set a limit on anonymous transactions.

In the proposed scheme, a users anonymity is guaranteed as long as the user does not: (1) double spend a coin, or (2) exceed the publicly-known spending limit with any merchant. The spending limit may vary from one merchant to another. In [79], Canard et. al. have presented an off-line divisible e-cash scheme based on binary trees, where a user can withdraw a divisible coin of monetary value of 2l and spend any value between 20 and 2l in multiple transactions anonymously and unlinkably. The main motivation of divisible e-cash is to provide a method to withdraw or spend several coins more efficiently than repeating several times a single withdrawal or spending protocol. Using the binary tree approach, each node

• f the tree is related to a tag key which is used to generate a serial number S of spending node

and detect double spending. The serial number of a particular node is the concatenation of the two children tag keys. The root tag key and the identity of the user are signed by the bank during the withdrawal protocol using signature scheme proposed in [80]. During spending protocol, a security tag T is generated by the spender. The spender has to prove that S and T are well-formed using zero-knowledge proof [81, 82, 83, 84] without giving any information about his identity. Given the tag key of a node N, it is easy for anyone to compute the tag keys of the descendant nodes of N, but it is impossible to compute a tag key which is not related to a descendant of the targeted node

24 without the knowledge of the root tag key. Baldimsti et. al. have proposed a transferable e-cash scheme in [85] which is little bit different from previous e-cash schemes. In traditional e-cash schemes, transferring coins is allowed

• nly between users and merchants, but in the proposed scheme, the users are able to transfer coins

between each other multiple times before depositing them to the bank. This is similar to the physical

• cash. The proposed scheme is fully anonymous transferable e-cash and does not need a trusted third
• party. The malleable signatures are used to allow secure and anonymous transferring of the coins.

The scheme also achieves one of the main requirement of e-cash, i.e., as long as users do not double spend coin, they should remain anonymous. For transferable e-cash, the owner of a coin transfers the signature of bank (σ) on a coin which has a unique serial number (SN1) to another user in such a way that the transferred coin is valid and generates a new serial number (SN2) for that coin and it also carries a Double-Spending tag (DS) which carries all the information necessary to detect the double spending and preserves anonymity of spender. In order to achieve the property of transferring signature, a Malleable Signature scheme [86] is used. The signature scheme allows a user to generate several versions of a signature that are unlinkable to the original signature to protect anonymity and extend banks’ signature on new message which has the information about new receiver (merchant)

• f the coin. When spending the coin with a merchant or any user, a double-spending tag DS is

computed by spender, which encodes his identity. The merchant then deposits Coin C = (SN, σ, DS) at the bank. If two coins C and C′ with the same serial number but different double-spending tags (DS and DS′) are deposited, that means one of the user double spent that coin. Then, by using these two double spending tags together, the bank can reveal the identity of the user who double spent the coin. The used payment scheme in this thesis is primarily based on [17], which provides a flexible and efficient means of e-coin spending. The scheme uses a public global tree structure to construct all the e-coins in the system. The tree is constructed by the bank thereby eliminating the need for

25 users to prove that the tree is well-formed unlike in the cases of [79, 87]. When a user purchases an e-coin, he gets a certificate on a random secret x. This secret value defines all the serial numbers associated with the purchased e-coin that can be generated using that public tree. To spend a node

• n the tree, user computes an e-coin ts for that node by using the public parameters of that node

along with users secret. The user has to prove to the CSP that ts is well formed. During deposit process, the CSP submits ts given by the user to the bank. Given ts, the bank can compute all the serial numbers related to that node and check for double-spending by comparing with previously deposited e-coins serial numbers. If a duplicate serial number is found, it indicates that a coin has been double spend. The user stays anonymous until it commits a double spending attack. We modified the verifications needed by the payment scheme to prevent false accusation attack of double spending that results from a collusion between malicious CSP and malicious EVs to passing e-coins spent by legitimate EVs. 2.4 Privacy-Preserving priority determination schemes Due to the expected large number of EVs, at some times, the charging demand may exceed the available power supply at a charging station. In this case, the charging station cannot serve all the charging requests, so it is better to prioritize the EVs and charge the highly prioritized EVs without exceeding the amount of available power. The concept of prioritizing EV charging has been used in plug-in charging to coordinate the EV charging based on the demand and supply variation. The charging coordination is useful to reduce the potential stress and performance degradations that may

• ccur in the power system due to the uncontrolled and random EV charging. In order to coordinate

charging, some data about the EVs need to be provided to the coordination authority and this calls for concern about the privacy of the users. A number of research papers have been published on privacy preservation of users personal data while coordinating their EV charge schedules [88, 21, 18]. A privacy-preserving charging coordination scheme is presented in [21]. In this scheme, each

26 electric storage unit (ESU) including EVs and home batteries sends an encrypted charging request to an aggregator. This request includes the identity of the ESU, the state of the battery, the charging demand, and the time to complete the charge. The state of the battery and the time to complete charge are used to compute a charging priority index for each ESU. For anonymity purposes, the aggregator shuffles the identities of all ESUs with their charging requests and forwards these requests to the charging coordinator. The charging coordinator executes a modified version of knapsack algorithm in order to schedule the charging based on their priorities taking into consideration the charging capacity constraints. In addition, the authors proposed adding noise to each ESU request (i.e., state of the battery and time to charge) to prevent linking requests sent from one ESU. However, the proposed scheme in [21] can only be used for plug-in charging because if an EV does not charge in one time slot, it can charge in a different time slot, but in dynamic charging, EVs are in motion and they do not wait for future time slots to charge. We, therefore, consider a scheme that uses assigned attributes to EVs to determine priority for charge. In [18], an attribute-based prioritization scheme for EV charging is proposed. The scheme uses the EV attributes to determine the type of charging service it should receive. Two services are considered: quality guaranteed service (QGS) and best effort service (BES). In QGS, an EV gets a guarantee of its requested charge while in BES, it gets charged based on remaining energy available at charge station after serving

• QGS. However, the scheme was developed for a plug-in charging scenario and considers only two

levels of priority and one attribute authority. Our scheme considers multiple levels of priority and multiple authorities. 2.5 Our Contributions This thesis integrates three main schemes: 1) Privacy preserving payment scheme that allows the CSP to charge the EVs without learning any information about EV drivers; 2) Privacy-preserving priority level determination scheme to determine the charging priority of EVs; and 3) Lightweight

27 authentication scheme to enable EVs to mutually authenticate with the charging station entities including CSPs, RSUs, and charging pads. The privacy preserving payment scheme that we used in our proposed scheme aims to provide an efficient way for the EVs to pay for charging service anonymously. It uses blind signature and randomizing signatures to construct cryptographic e-coins which can be used by EVs to authenticate to CSP as well as to the Bank. We chose this payment scheme because of its security and efficiency in terms of computation of e-coins and we have modified the verification process of this payment scheme such that no one can accuse a legitimate EV of double spending and also fits best in to our

• application. The existing schemes either use contract billing or the online payments which are not
• efficient. In contract billing, the charging station charges the contractor and later the contractor

charges the EV according to the bill given by charging station. In this case, the user’s privacy is not protected, since in long run the contractor can know the regularly visited places of a legitimate user. This means the anonymity of the user is not protected even if he does not misbehave. In online payments, the bank has to stay online during the transaction between EV and charging station to check for the double spending. Keeping bank online increases the network traffic and it can become the bottleneck for the system. In some offline payment schemes such as [74, 79, 85], the proofs generated by EV at the time of coin spending needs large computations and storage space which is not efficient in our dynamic charging scenario. The proposed privacy-preserving priority level determination scheme is designed specifically for providing prioritized service to EVs at the time of low power available for charging at CSP. The closest scheme toour proposal is in [18], but there are two main differences. First, is that the scheme is not expressive in terms of creating policies because it has only two levels of priority. Second, it also not realistic to assume that there will be only one attribute authority [89] that is responsible for managing all the attributes and distributing secret keys to all the users in the system. It would be more realistic to have multiple attribute authorities independent from each other who can create

28 and maintain their own attribute set and distribute corresponding secrets for their users. Unlike [18], our proposal has multiple attribute authorities and can create expressive access policies. The proposed lightweight authentication scheme is designed to provide an efficient mutual authentication between EVs and the different parts of the dynamic charging system. The main challenge for authentication protocol in dynamic charging scenario is that the EV needs to be au- thenticated by a large number of charging pads encountered on its way and this should be done within a short contact time between EV and charging pads. In order to achieve this fast authen- tication, the scheme must use lightweight cryptography. Our protocol achieves this by using an efficient way of key generation and distribution. Finally, we integrate the three schemes efficiently to reduce the computation and communication overhead. None of the existing works propose an integrated authentication, payment and priority determination scheme. Our authentication scheme also aims to reduce the overhead on the pads to reduce their cost. This is an important requirement because of the large number of pads in the system. Our proposed scheme is also scalable which can be deployed any number of CSPs and large number of pads in the system.

CHAPTER 3 SYSTEM MODEL AND DESIGN GOALS In this chapter, we first discuss the different entities that are involved in the proposed scheme and also explain how these entities communicate with each other. Then we discuss the adversary and threat model considered in the thesis. Finally, we formulate the considered research problem and discuss the design goals of the proposed schemes. 3.1 Network model As illustrated in Fig. 3.1, the proposed dynamic charging system consists of Charging Sta- tions (Service Providers), EVs (Users), Bank, Attribute Authorities (AA) and a Trusted Authority (TA). Each Charging Station has a Charging Service Provider (CSP), Road Side Units (RSUs) and Charging Pads (CPs). The RSUs are the access points that are deployed across the charging section

• n the road that can be extended to several miles. The CPs are the elements that provide charging

to EVs. It is expected that there will be a large number of CPs at a charging station that can be extended to several miles. Our considered system model has multiple AAs like government agencies, police department, health care department, veterans service etc., Each AA is responsible for distributing a set of secret keys used to identify the assigned attributes to each user, which means that there is no central authority that distributes attributes and secret keys to all the users. Instead, there can be several authorities where each authority is responsible for the key distribution of its specific set of attributes. Multi-authority scenario is more realistic, since in reality there may be multiple number of authorities that have their own specific attribute set. In our scheme, even the charging station can act as an attribute authority to assign attributes to users of different types of memberships, such as regular 29

30 Figure 3.1: Considered network model users, premium users, etc. The communication between CSPs and EVs with the bank can be done using the Internet. EVs communicate with RSUs and CPs using dedicated short range communication technology [90]. Between EV and CSP, a wireless communication scheme, such as 4G LTE could be used. We assume that the communication between CSP, RSU and CPs uses dedicated wired connection. Each RSU can communicate with a number of pads and each CSP can communicate with all RSUs in the charging station. The EVs can communicate with the pads by using a dedicated short range wireless communication device installed at the bottom of EV. Each EV maintains an account with the bank and uses this account to purchase anonymous coins to pay for charging. EV gets authenticated when it has shown evidence of being capable of making payment. CPs need to authenticate EVs before switching on to charge them.

31 3.2 Adversary and Threat model We consider a strong adversary model assuming that all entities are not fully trusted except the TA. The bank and CSP are considered honest-but-curious. The attackers can be either internal

• r external who may attempt to jeopardize the privacy of EV drivers or attack the authentication and

payment schemes to achieve financial gains. The internal attackers may aim to learn the locations

• f EVs and the attributes of drivers, but not to disrupt the proper operation of the scheme.

For the authentication scheme, we consider the attackers can be an individual EV or CSP. An EV tries to charge from CSP without pay or with less pay, for example the EV may try to authenti- cate to more number of charging pads than the purchased power etc. Some EVs may eavesdrop on the communication between CSP and other EVs to perform replay attack to impersonate legitimate

• EVs. While external attackers can only eavesdrop on the network transmissions to infer sensitive

information about the users, these attackers may also modify users messages which can cause EVs to not charge even after paying for the charging service. The attackers may attempt to impersonate an EV or CSP to send the data under their names. For example, if an attacker impersonates a CSP, he can get coins from EVs and deposit them at the bank. The EVs can also attack the authentication scheme to charge for free, by launching replay attacks and by reusing the old authentication tokens. For the attacks on privacy, the internal attackers like bank and CSPs may try to compromise the anonymity of a legitimate user. Bank may try to find some relation between the withdrawan coins by EVs and the deposited coins by CSPs to earn the locations of the EVs. During authentication, the CSP may try to compromise the privacy of EVs by finding the identity of EV driver or by tracing the EV by linking the transmitted data in ne sessionto the data of other sessions. Bank and CSP may collude to link the packets sent by same EV. Each EV is interested to know the other EVs’ identity and attributes. For the payment scheme, we consider that the attacks can be launched either by a single

32 EV or CSP, and colluding EVs and CSPs. The bank may also collude with the CSPs to attack the system and falsely accuse a legitimate EV of double spending. The EVs may attack the system by charging without pay or with less payment. Malicious EVs may try to impersonate other EVs while purchasing coins from the bank to purchase coins using other EV’s account. They may also try to forge coins and double spend valid coins at different CSPs. CSPs may try to charge EVs more amount of money than the amount required for the charging service. The bank may falsely accuse an EV of double spending and may try to find the identity of that EV driver. For priority determination, some EVs may claim that they have the attributes that can satisfy high priority level to get charged. CSPs may even attempt to find the sensitive information about the attributes of an individual EV during priority level determination process. 3.3 Problem Formulation and Design Goals In order to achieve an efficient, secure, and privacy-preserving dynamic charging system, an efficient integrated payment, authentication, and priority determination scheme is needed. During the communication between EV and other entities in the system, the EV may need to send some sensitive information to the CSP or the Bank, so security and privacy should be well investigated. This information should not leak anything about EV’s identity. The only information that can be known to the CSP is that, some legitimate EVs with valid coins request the charging service. All the exchanged messages in the system should be verifiable to protect against external attacks. Our goal is to design secure and privacy-preserving dynamic charging system that can achieve the following:

• 1. Privacy-preservation: The privacy of EV drivers should be protected by hiding their real
• identities. Attackers should not be able to link the data sent from one EV at different locations

and times. Attackers should not also be able to track an EV to avoid identifying the EV driver

33 from the locations visited by the EV. Moreover, the set of attributes an EV possesses should also be preserved.

• 2. Resistance of collusion attacks: The proposed scheme should be secure against collusion
• attacks. Even if all the entities except the trusted authority collude to identify an EV, steal

money, impersonate other EV, claim higher priority level etc., colluders should not succeed.

• 3. Forward and Backwards secrecy: The keys established during the authentication protocol

should have perfect forward and backward secrecy, i.e., given a session key, no one should be able to compute the past or future keys.

• 4. Replay, Data modification and Impersonation attacks: The proposed scheme should

be secure against known attacks such as replay, data modification, and impersonation. To elaborate, if an attacker eavesdrops on the communication between any two entities and tries to reuse the exchanged messages to impersonate other user, he should not get succeed. Moreover, if a message is modified by an attacker during transmission, the message modification should be detected.

• 5. Accountability: If any entity in the system tries to attack the system, it should be held

accountable and be identified. For example, if any EV misbehaves and double spends a coin, the bank should be able to detect the double spending at the time of the coin deposit and identity the attacker.

• 6. Resilience for false accusations: The proposed scheme should be resilient to false accusa-

tions, i.e., no one in the system should be able to falsely accuse an honest entity of misbehavior. If the bank claims that a user has double spent a coin, then it should be able to prove the misbehavior to the trusted authority in order to identify and punish the attackers.

34

• 7. Flexible payment: The payment scheme should be flexible enough for the users to pay any

value of money to the CSP for their charging service. Since the cost of power and the power requirement for an EV may change from time to time, the EV driver should be able to charge for desired amount of money.

• 8. Scalability: The proposed scheme should be scalable with acceptable performance because

the system has a large number of EVs and CPs.

• 9. Communication overhead: The number and size of messages exchanged between the EV

and the entities of the dynamic charging sytem should be minimal.

• 10. Computation overhead: The computation overhead on the different entities in the system

should be acceptable, especially the overhead on the CPs should be minimal because cost- effective CPs have low computational power.

CHAPTER 4 PRELIMINARIES In this chapter, we briefly present the basic concepts of cryptographic building blocks used in

• ur schemes. We start by introducing the cryptographic hash function, access structures and linear

secret sharing scheme, and Bilinear pairing and complexity assumptions. Finally, we discuss the Blind-LRSW signature scheme which is the basis of the payment scheme. 4.1 Cryptographic hash function A cryptographic hash function (H) maps data of an arbitrary size to a fixed data size, i.e., H: {0, 1}∗ → {0, 1}n. The fixed data size is known as a hash value, hash code, digest, or simply

• hash. Hash functions are typically used for achieving data integrity, i.e., any changes made to the
• riginal message can be detected from its hash. The hash function is the building block of HMAC

which provides message authentication. The security properties of a cryptographic hash function are as follows:

• 1. Pre-image resistance: Given a message m, it is very easy to compute its hash h = H(m),

but given hash value h = H(m), it is infeasible to find message m, i.e., the hash function is

• ne way where it is hard to reverse.
• 2. Second pre-image resistance: Given an input m1, it is infeasible to find a different m2

such that H(m1) = H(m2). Hash functions that cannot achieve this property are vulnerable to second-preimage attacks. 35

36

• 3. Collision resistance: It is infeasible to find two different messages m1 and m2 such that

H(m1) = H(m2). If such a pair of messages is found, this is called a cryptographic hash

• collision. This property is sometimes referred to as strong collision resistance.

There are several hash functions that are being used in many applications like MD5, SHA-1, SHA- 256, SHA-384 and SHA-512 [91, 92]. Each has its own advantages in terms of performance and security [93]. 4.2 Bilinear pairing Bilinear pairings map two elements from two cryptographic groups to a third group. Let G1 and G2 be both cyclic multiplicative groups of prime order p. Let g be a generator of G1 and g′ be a generator of G2. e is a bilinear pairing function that maps an element from G1 and an element from G2 to an element in GT , i.e., e(G1, G2) → GT . The pairing can be symmetric if the input elements of the pairing are from the same group, i.e., G1 = G2, whereas it is called asymmetric if the input elements are from two different groups, i.e., G1 = G2. Bilinear pairing function e has the following properties:

• 1. Bilinearity: For all u ∈ G1, v ∈ G2 and a, b ∈ Z∗

q , we have e(ua, vb) = e(u, v)ab.

• 2. Non-degenerate: There exists g ∈ G1 and g′ ∈ G2 such that e(g, g′) = 1. In other words,

the mapping cannot be the trivial map which sends every pair of elements in G1 × G2 to the identity in GT .

• 3. Computable: There is an efficient algorithm to compute e(g, g′).
• 4. Admissible: A pairing is admissible if the mapping is also non-degenerate and computable.

37 Figure 4.1: Example for access policy Bilinear pairings have been used in several cryptosystems such as protocols for one-round three-party key agreement [94, 95], identity-based encryption [96, 97], and aggregate signatures [98, 99]. 4.3 Attribute Based Encryption In this subsection, we present the formal definitions of access structures and linear secret- sharing schemes introduced in [100] and used in [89, 20]. These are the building blocks for Attribute Based Encryption (ABE). We also explain how a secret can be shared linearly in an access structure using linear secret sharing scheme. 4.3.1 Access policies Let U be the set of all attributes in the system. An access policy A on U is a collection of non-empty sets of attributes. The sets of attributes that can satisfy the access policy A are called the authorized sets and the sets that are not in A are called the unauthorized sets. Additionally, an access policy is called monotone if attributes in sets ∀ B, C ∈ A and B ⊆ C, and C ∈ A. For instance, the set {a, b, c, d, e} are the set of attributes in a system and an access policy can be defined

• n these attributes as an access tree shown in 4.1. Anyone who can access this access policy can

determine that the authorized sets for this access policy are {a, b}, {c}, {d}. This access policy is

38 also monotonic, which means if a user have (b, c) attributes it doesn’t affect the ability of that user to satisfy the access policy. 4.3.2 Linear Secret Sharing Schemes Linear secret sharing is a method of distributing shared secret among a set of entities such that any authorized subset can reconstruct the secret using its shares. In ABE, the secret is shared among the attributes in an access policy and this shared secret among the attributes can only be reconstructed by a user who satisfies that access policy. The concept of linear secret sharing can be explained as follows: Let p be a prime number and U the attribute universe. A secret-sharing scheme (S) with secrets taken from the field Z∗

p is linear over Z∗ p if:

• 1. The shares of a secret z ∈ Z∗

p for each attribute form a vector over Zp.

• 2. For each access policy A on U, there exists a matrix A ∈ Zl×n

p

, called the share-generating matrix with l rows and n columns, and a function δ that labels the rows of A with attributes from U, i.e., δ : [l] → U. During the generation of the shares, we consider a column vector v = (z, r2, ....rn)T , where {r2, ....rn} are randomly selected from Zp. Then the vector of l rows, shares the secret z according to S is equal to λ = Av ∈ Zl×n

p

. The share λj with j ∈ [l] belongs to attribute δ(j). From now

• nwards, we will be referring to the pair (A , δ) as the policy of the access policy A.

According to [100], a secret-sharing scheme should satisfy the reconstruction requirement and the security requirement, which means an authorized set of attributes can reconstruct the secret and any unauthorized set of attributes cannot reveal any partial information about the secret. There exist some constants {ci}i∈I in Zp such that for any valid shares {λi = (Av)i}i∈I of a secret z according to S, it is true that:

i∈I ciλi = z , or equivalently i∈I ciAi = (1, 0, . . . . 0), where Ai

39 is the i-th row of A. Note that if the access policy is encoded as a monotonic boolean formula over attributes, there is a generic algorithm that generates the corresponding access policy in polynomial time [100, 101]. 4.4 Zero-Knowledge proof A proof of knowledge is a two-party protocol between a prover and a verifier by means of which the verifier can be convinced of the validity of an assertion. Proofs of knowledge have two properties:

• 1. Completeness: Given an honest prover and an honest verifier, the prover can succeed to

prove its knowledge of secret to the verifier in all the attempts.

• 2. Soundness: If a dishonest prover P can successfully execute the protocol with the verifier V

with non-negligible probability, then there exists an expected polynomial time algorithm M that can be used to extract from this prover knowledge, which with overwhelming probability allows successful subsequent protocol executions. A proof of knowledge is called zero-knowledge proof if it does not allow the verifier to learn any information about the assertion itself other than one bit which indicates either true or false. 4.4.1 Schnorr protocol Schnorr protocol is an example of proof of knowledge. The exchanged messages in this protocol are given in Fig. 4.2. In this protocol, the prover has the knowledge of secret value x, and the public generator g ∈ Zq. He computes and publishes y = gx. To prove that she has knowledge of the secret value x, the prover firstly commits to a random value r ∈R Zq by computing and sending t = gr. In the second round, the verifier sends a challenge c to the prover. Finally, the prover computes and sends the response s = (r + cx)mod q, and the verifier is able to verify the provers

40 Figure 4.2: The schnorr protocol knowledge of the value x by computing t′ = gsy−c and comparing it with the previously received value t. In the payment scheme used in this thesis, the Fiat-Shamir heuristic will be used to compute non-interactive proofs as described in [102]. Different from the Schnorr protocol, the challenge c is generated by hashing the concatenation of the witness g and t, and the message m, i.e., c = H(g, t, m). Zero-knowledge proofs can also be non-interactive. In Non-Interactive proof of knowledge, the prover and the verifier share a random string and the proof of knowledge is sent by the prover without receiving any data from the verifier. Different from the interactive protocol, c is generated by the prover using a hash function c = H(g, t, m) and sends c and s to the verifier, where t = gr and s = (r − cx)mod q are called witness. Here, the prover proves its knowledge of secret r to the verifier without revealing the secret. Then the verifier is able to verify the prover’s knowledge of r by computing t′ = gsyc , c′ = H(g, t′, m) and then verifies c

?

= c′. 4.5 Blind-LRSW signature A blind signature is a form of digital signature in which the content of a message is masked (blinded) before its is signed by the signer. Just like regular digital signature, a valid blind signature

41 can also be verified by anyone who receives the signature on the original (unblinded) message and the signer cannot deny signing the message. It is used to verify the authenticity of a message and the blind signatures are generally used in privacy related applications, where the signer and the message creator are different parties. The Blind-LRSW (B-LRSW) signature is an example to blind signature scheme [103]. This signature scheme is a variant of Camenisch-Lysyanskaya signatures [80], where the signature is done

• n a commitment of some secret.

The B-LRSW signature scheme has three phases: KeyGen, Sign, and Verify. We briefly describe them as follows:

• 1. Keygen: Set secret key sk = (α, β) ← Z∗

p and public key pk = (u1, u2) ← (gα, gβ).

• 2. Sign (sk, gm): Given gm as input instead of the actual message m ∈ Z∗

p (m is known only

to user), the signer selects a random element r ← Z∗

p and returns σ = (Z1, Z2, Z3, Z4) =

(gr, grβ, gr(α+m.αβ), grβm)

• 3. Verify (pk, m, σ): Accept the signature only if Z4 = Zm

2 , ˆ

e(Z1, u2) = ˆ e(Z2, ˜ g), and ˆ e(Z3, ˜ g) = ˆ e(Z1.Z4, u1). An interesting feature of this scheme is that any signature σ = (Z1, Z2, Z3, Z4) on a message m can be randomized by selecting a random t ← Z∗

p and computing σ′ = (Zt 1, Zt 2, Zt 3, Zt 4) which is

still valid signature on m. The interesting point is that, given (σ, σ′) but not m, it is hard to decide whether these signatures were issued on the same message or not under the external Diffie-Hellman (XDH) assumption. This property can be used to prevent linking messages sent from the same user to preserve privacy.

CHAPTER 5 PROPOSED SCHEME 5.1 Overview An overview of the proposed scheme is presented in the flow chart given in Figure 5.1. After initializing the system, an EV can purchase divisible e-coins from the bank, and when the EV needs to charge, it should send a request to the CSP. The CSP checks if the available energy supply can serve all the charging requests. If the available energy is enough, then there is no need to run the prioritization scheme and all EVs can charge. Otherwise, the prioritization scheme is run and only the highly-prioritized requests are served without exceeding the available energy supply. Then, each EV should pay for charging by sending an e-coin to the CSP. The CSP should first verify the validity the e-coin and then send secret tokens to the EV to use them to authenticate to the RSUs. After authentication with RSUs, each RSU sends another secret tokens to the EV to authenticate to CPs. The CPs only charge the EVs that can authenticate correctly. Finally, the CSP can deposit the e-coins to the bank. The detalis of the proposed scheme are explained in the following subsections. All notations used are declared on Table 5.1. 5.2 Initialization In this section, we explain the setup of the whole system and the parameters used by the proposed scheme. The setup of the system is run by an off-line trusted authority which takes ′k′ as an input parameter and chooses bilinear groups G1 and GT of prime order p with generators g and gt, respectively. In addition, ′e′ is a symmetric pairing and e : (G1 × G1 → GT ), which maps elements from group G1 to the elements in group GT . Finally, the trusted authority publishes the 43

44 Figure 5.1: Flowchart of proposed scheme public parameters of the system as GP = {p, G1, GT , g, gt, e}. Using these public parameters, each CSP selects a random secret key msk

R

← Z∗

p and computes

the public key as mpk = gmsk. In addition, each EV selects a random secret key usk

R

← Z∗

p and

computes the public key as upk = gusk. All these entities need to have certificates from a certificate authority for their public keys. The bank performs two actions during initialization. It constructs a public e-coin tree which is associated with the e-coins that are to be used for payment as will be explained in Section. 5.3,

45 Table 5.1: Table of notation. Notation Description G1GT Bilinear Groups g, g Generators for G1 gs ∈ G1 Associated generator for e-coin s gt ∈ GT Associated generators for CSP challenge message mpk, msk Public/private pair for the CSP upk, usk Public/private pair for the EV bpk, bsk Public/private pair for the bank u1, u2 Bank key for generating e-coins α, β Secret key of bank to generate e-coins αθ, βθ Secret key of attribute authority GID Unique user global identifier Sig DSA signature σB Bank signature on the coin σ′

B

Anonymized bank signature π Signature of knowledge U Set of Attributes H Function that maps GID to G1 AAθ Attribute authority with identifier θ F Function that maps attribute U to G1 T Function that maps attribute U to Uθ e Bilinear pairing map nr, np, n Number of RSU, Charge pad and EV respectively d Number of attributes l Number of nodes in the payment tree and computes the following three sets of keys.

• 1. Public/private key pair for authentication: Bank selects a random private key bsk

R

← Z∗

p and then computes its public key as bpk = gbsk.

• 2. Public/private key pair for creating E-Coins: The bank selects its secret key randomly

as sk = (α, β)

R

← Z∗

p and computes its public key as pk = (u1, u2) = (gα, gβ).

• 3. Public/private key pair for creating emergency E-Coins: The bank selects its secret key

randomly as sk2 = (α2, β2)

R

← Z∗

p and computes its public key as pk2 = (u3, u4) = (gα2, gβ2).

46 We have introduced the concept of emergency e-coins to address the special case during the prioritization scheme. These coins are different from normal e-coins and the details of how these emergency e-coins are used in the proposed scheme are further discussed in section.5.4.1. In order to perform the priority determination in the proposed scheme, two steps need to be taken during system initialization i.e. attribute authority setup and secret key generation for attributes.

• 1. Attribute authority setup: Each attribute authority (AAθ) should select two random keys

(αθ, yθ)

R

← Z∗

p as secret keys.

Then, it publishes PK = {e(g, g)αθ, gyθ} as its public key, where θ is the attribute authority identifier. In addition, public hash function H:{0, 1}∗ → G1 that maps a vehicle ID to a point in G1, public hash function F:{0, 1}∗ → G1 that maps an attribute u ∈ U to G1, and a function T that maps an attribute u ∈ U to AAθ.

• 2. Attribute secret key generation: Each EV gets a key for each assigned attribute by the

attribute authority computed using GID, θ, u ∈ U, (αθ, yθ) and the global parameters GP. The authority first chooses a random t

R

← Z∗

p and outputs to the user the secret key as:

SKGID,u = {KGID,u = gαθH(GID)yθF(u)t, K′

GID,u = gt}

(5.1) 5.3 Purchase of E-Coins In this section, we explain the construction of public global e-coin tree and also how an EV purchases e-coins from the bank. 5.3.1 Construction of Divisible E-Coin Public Tree As discussed in [17], the bank broadcasts a public e-coin tree T that has n levels, where the maximum e-coin value of this tree is 2n. The idea of the public global tree is that, each coin spent

47 Figure 5.2: Example of 4 level public E-Coin tree by a user is associated with public values of any one of the node in this e-coin tree, and these nodes at each level correspond to certain amount of money as shown in Fig. 5.2. Since, an user can spend each node individually in different transactions, the flexible payment can be achieved. For example, the e-coin tree shown in Fig. 5.2, the maximum amount of the tree is 8, where the user can spend either two coins of 4 valued nodes, or four coins of 2 valued nodes, or any other combination without exceeding the maximum amount of 8. But, the restriction in spending these coins from public tree is, the user can only spend a node but not the leaves i.e., from the tree shown in Fig. 5.2, the minimum amount of a coin spent by the user is 2. The construction of this public e-coin tree is done by the bank with the help of the trusted authority and the process of constructing of e-coin tree is explained in the following paragraphs. As shown in Fig. 5.3, each internal node s in public e-coin tree T is associated with an element gs ∈ G1 and each leaf f in the tree is associated with an element χf ∈ GT . This approach of building the e-coin tree makes the payment divisible where the user can spend one or more e-coins

• f value 2l where 0 ≤ l ≤ n. Along with these elements, for each leaf f and any node s on the path

to f from root, an element gs→f ∈ G1 exists; such that e (gs, gs→f) = χf. Note that, any leaf value represents a serial number associated with any internal nodes on its path to the root. This serial number is used to detect double spending of E-Coins. Users use the public values of nodes at the

48 Figure 5.3: Public E-Coin tree time of spending to create an e-coin. As shown in Fig. 5.2, the public e-coin tree enables the user to spend a divisible e-coin value by selecting a node from the tree and use it for payment. By spending any internal node in the tree, the user should not spend the subtree’s leaves of this node. Let Sn be the set of all nodes in the tree and Fn be the set of leaves. For any node s, ∀s ∈ Sn, the set Fn(s) is the set of leaves in the subtree of that particular node. – For each node, s ∈ Sn, rs randomly selected from Z∗

p and gs = grs;

– For each leaf f ∈ Fn, the trusted authority selects lf randomly from Z∗

p;

– For each leaf f ∈ Fn, and the node s ∈ Sn its path to reach root of the tree, the trusted authority calculates ´ gs→f = glf /rs. The random value rs is kept secret by trusted authority, while lf, f ∈ Fn are not used anymore and can be discarded by trusted authority after creating the tree and all the other values are public. The gs→f is only used by the bank for calculating the serial numbers of the spent e-coins, so that it can detect double spending. The secret rs will later be used by the trusted authority to help the bank to identify the double spender. Users and merchants (CSPs) need to know only the groups and the generators, just gs ∈ Sn. The bank should decide the number and the depth of the public trees. The reason for

49 having different public trees is adding flexibility to the payment system. For our proposed scheme, we need two public trees. One is for regular coins and the second is for emergency coins. Depending upon the requirements of bank such as the number of trees and depth of the tree n, the trusted authority constructs this public tree. The process of constructing these two trees is similar, but the number of levels for each tree may be different. The regular coins tree should have more number of levels because they are used more than the emergency coins. The emergency coins are usually more costly than the regular coins to encourage the EVs to use these emergency coins only in the case

• f emergency like having very low battery power for an EV. The construction of emergency tree

will follow the same process of construction of regular tree as discussed earlier with different secrets (re, le) and different nodes of the tree as ge. 5.3.2 Purchase of E-Coins To purchase e-coins, an EV should contact the bank directly using its real identity so that the amount of purchase can be deducted from its bank account. First, EV should select a random secret x

R

← Z∗

• p. Then, it should get the bank’s signature on gx, this signature implicitly defines all

the serial numbers associated with this e-coin as χx

f for each leaf f. In order to spend a node s of

height l in the tree, the EV computes ts = gx

s and proves to CSP that it is well formed by using

the signature of bank on gx. Given ts at the time of deposit, the bank can compute all the serial numbers related to that spent node using gs→f and can find the double spender, if the e-coin was double spent. The exchanged messages between EV and bank during coin purchase are given in Figure 5.4. These are further outlined below:

• 1. EV computes a random number x

R

← Zp then sends its real identity GID, gx and its signature Sig(gx, TS) to the bank, where TS is the time stamp.

50 Figure 5.4: E-Coin purchase Using Schorr’s protocol, CSP challenges the EV with c, then EV has to prove its knowledge

• f x to the bank as given in messages 2 and 3 in Figure 5.4.
• 2. If the submitted proof is valid and gx has not been used before, then the bank signs gx and

sends it back to EV. σB = (Z1, Z2, Z3, Z4) = (gr, grβ, gr(α+xαβ), grβx) (5.2) This signature proves that the e-coin has been issued by the bank.

• 3. EV verifies the received e-coins as follows:

Z4

?

= Zx

2 , e(Z1, u2) ?

= e(Z2, g) , and e(Z3, g)

?

= e(Z1.Z4, u1) This is the verification of bank’s signature on gx. Later, when the EV needs to charge, it uses it’s secret ′x′ to create an anonymous coin using public values of e-coin tree to pay for the charging service at the CSP. 5.4 Modes of Operation In our scheme, two modes of operations are supported by the CSP; namely priority mode and regular mode. In priority mode, the CSP does not have enough energy supply to satisfy the

51 Figure 5.5: Overview of the exchanged messages in the proposed scheme current charging demand of the EVs. Therefore, it prioritizes the requests and charges the highly- prioritized requests without exceeding the total energy supply. Within the same priority level, the requests are served in order of First-Come-First-Charge (FCFC). Multi-authority attribute based encryption scheme is used to protect the priority determination process [20]. The idea is that, in case of low power resources at the CSP, it should first charge the EVs that use emergency coins, i.e.,EVs which have very low battery charge and then it also charges the EVs that have some special attributes such as law enforcement EVs, ambulances, government officials etc. Whereas in regular mode, the CSP has enough energy supply to satisfy all the incoming charging requests. The next subsections explain the protocols used in each operation mode. 5.4.1 Priority Mode During this mode, CSP should first determine the EVs charging priorities by challenging them using multi-authority attribute based encryption. The idea is that the CSP should first create priority policy and then it sends encrypted messages using multi-authority attribute based encryp-

52

• tion. Then, only the EVs having a given priority level should have the attributes and relevant secret

keys needed to decrypt the challenge message. Then, each EV should send a proof of decrypting the message to gain relevant priority level. Finally, the CSP charges the highest priority requests without exceeding the energy supply and uses FCFC procedure for EVs that have the same priority

• level. There may be some EVs which have low power and need to get charging immediately but

cannot satisfy any of the priority policies announced by CSP. In those cases, the EVs can use the emergency coins in order to purchase the charging service. The EVs that request the charging ser- vice using these emergency coins should get the highest priority and the CSP should directly run the anonymous payment scheme. The detailed steps involved in determining the priority level is explained below. Initially, the CSP creates its charging priority policy by using the attributes issued by mul- tiple attribute authorities like Government Agencies, Police Department, Health Care Department, Veterans Service etc. Then, the CSP broadcasts the priority policy along with the correspond- ing challenges (attribute based encryptions) and also the maximum amount of energy an EV can

• charge. In order to get a prioritized charging service, the EV needs to check the priority policy

and determine whether its attributes can satisfy a priority level and then decrypt the corresponding ciphertext (challenge) to prove its priority level to CSP. The step by step exchanged messages in priority determination process is shown in Fig. 5.6 and the details of the process are as follows.

• 1. Challenge by CSP: In order to compute the ciphertext of a priority policy, the CSP encrypts

different messages grp

t , for different priority levels, where gt ∈ G1, where G1 is a multiplicative

group, rp

R

← Z∗

p is a random element selected by CSP for each priority level p and {1 ≤ p ≤ N},

and N is the number of priority levels. For each priority level, CSP creates an access policy (A, δ) with A ∈ {Z∗

p}l∗n, where l is the number of rows in that access matrix and δ is the

function that maps rows of the access matrix to the attributes. ρ is another function that

53 Figure 5.6: Exchanged messages in priority mode of our scheme maps attributes to its authorities ρ:[l]→ Uθ as {ρ(.): T(δ(.))}. To encrypt the message grp

t ,

CSP needs the public keys of the relevant attribute authorities, and the public parameters. CSP first creates two random vectors v = (z, v2, ....vn)T and w = (0, w2, ....wn)T , where {z, v2, ....vn, w2, ....wn} are elements randomly selected from Z∗

• p. We denote λx as the share of

z corresponding to row x, i.e., λx = (Ax.v) and wx denotes the share of 0, i.e., wx = (Ax.w), where Ax is the x-th row of access matrix A. Then, CSP chooses a random element tx

R

← Z∗

p

for each row and computes the ciphertext CTp as: C0 = grp

t .e(g, g)z;

{C1,x = e(g, g)λxe(g, g)αρ(x)tx; C2,x = g−tx; C3,x = gyρ(x)txgwx; C4,x = F(δ(x))tx}x∈[l]

54 In the same way, the CSP creates different ciphertexts with different policies for each priority level and then broadcasts the challenges of all the priority levels. challengep = {CTp, TS, SigCSP {H(CTp TS)}} (5.3) The format of the challenges is given in eq.(5.3), where p is the priority level (1 ≤ p ≤ n), TS is the timestamp, and SigCSP {H(CTp TS)} is the signature of CSP on the ciphertext and the timestamp.

• 2. Response of EV: In order to get a prioritized charging service, each EV needs to check

the priority policies and determine whether its attributes can satisfy a priority level and then decrypt the corresponding ciphertext to prove its priority level to CSP as shown in Figure 5.6. Each EV uses its attributes’ secret keys to decrypt the ciphertext to obtain grp

t

and compute a shared symmetric key using grp

t . Then, the EV encrypts a message using the shared key as

a proof for decrypting CTp correctly, and thus having the related priority level. The EV takes the policy (A, δ) and the corresponding ciphertext (CTp) and uses its secret keys (KGID,u, K′

GID,u) for a subset of rows Ax of satisfied attributes in access matrix, then

for each row x, EV computes: C1,x . e(KGID,δ(x), C2,x) . e(H(GID), C3,x) . e(K′

GID,δ(x), C4,x) = e(g, g)λx . e(H(GID), g)wx

Then, the EV calculates the constants cx ∈ Zp such that ΣxcxAx = (1, 0, . . . 0) and computes: Πx(e(g, g)λx . e(H(GID), g)wx)cx = e(g, g)z This is true because λx = (Ax.v) and wx = (Ax.w), where (1, 0, ..., 0).v = z and (1, 0, ..., 0).w = 0. The message can be decrypted as grp

t

= C0/e(g, g)z. EV uses grp

t

to compute a shared key with the CSP as k = gri.rp

t

, where ri ∈ Z∗

p is the random number

selected by EVi. EV sends Hk(grp

t ), gri t

to CSP. Then, grp

t

is used by CSP to compute the

55 shared key. Hk(grp

t ) is used as a proof by the EV that it correctly decrypted the attribute

based encrypted challenge. In addition, the EV should send the amount of energy it needs to charge.

• 3. Payment for charging: After the EV gets a confirmation on its charge request from the

CSP, the EV should send the encryption of anonymous e-coin (gs, ts), the anonymized bank signature σ′

B = (Zt 1, Zt 2, Zt 3, Zt 4) where t R

← Z∗

p, and its own signature π to CSP as indicated

in Figure 5.6. π = Cx is the signature of the EV on C, and C = H (σ′

B, ts, gs, IDCSP , TS).

Then, CSP decrypts the received message and verifies the signatures of bank on the coin and EV’s signature as follows:

• CSP verifies the bank’s signature to make sure that the coin given by the EV is issued

by the bank, the following two verifications are required. The first verification is e(Z′

1, u2) ?

= e(Z′

2, g)

(5.4) The proof of the verification is as follows: e(Z′

1, u2) = e(gtr, gβ)

= e(gtrβ, g) = e(Z′

2, g)

The second verification is e(Z′

3, g) ?

= e(Z′

1.Z′ 4, u1)

(5.5) The proof of the verification is as follows: e(Z′

3, g) = e(gtr(α+xαβ), g)

= e(gtrgtxβ, gα) = e(Z′

1.Z′ 4, u1)

56

• Then, the CSP should verify the EV’s signature, by doing the following two verifications.

The first verification on EV’s signature is: e(Z′

2, ts) ?

= e(Z′

4, gs)

(5.6) The proof of this verification is as follows: e(Z′

2, ts) = e(gtrβ, gx s )

= e(gtrβx, gs) = e(Z′

4, gs)

The second verification on EV’s signature is e(π, gs)

?

= e(C, ts) (5.7) The proof of this verification is as follows e(π, gs) = e(Cx, gs) = e(C, gx

s )

= e(C, ts) Finally, the CSP sends authentication tokens to EV after it successfully verifies the tendered

• credentials. These tokens will allow the EV to authenticate to the RSUs and obtain secret

tokens to authenticate to CPs to get charged. 5.4.1.1 Emergency Service. This is the special case in priority mode. As mentioned earlier, there may be some EVs which have very low power and need to get charging immediately, but cannot satisfy any of the priority policies published by CSP. In those cases, the EVs can pay using the emergency coins to charge. The EVs that requested the charging service using these emergency coins should get the highest priority over all the priority levels published by the CSP. The authentication and payment in this case is similar to those of the regular mode as explained in

57 Section.5.4.2, the only difference is that, here the authentication of EV is done by using emergency coins whereas in the regular mode it will be done by normal e-coins.

• First, the EV decides the amount of power it needs and sends a charging purchase request to

CSP by sending the spending node ge from emergency coin public tree, and the corresponding coin te = gex.

• The rest of the scheme follows the same process from step-2 in Fig. 5.7 using ge instead of gs

as the base. 5.4.2 Regular Mode In regular mode, the energy supply is more than or equal to the charging requests. The CSP is capable of serving all the charging requests of the EVs. The exchanged messages in the regular mode of our scheme are illustrated in Figure 5.7. First, the EV should send a charging request to the CSP which should reply with a response message. In these two messages, the EV and CSP should mutually authenticate each other and establish a session key. Finally, the EV should pay to receive tokens that are used for authentication to RSUs.

• 1. EV Charging Request. EV decides the amount of energy to purchase and sends a request

to CSP containing the tree node gs and the corresponding e-coin ts = gx

s for payment.

• 2. CSP Response. After the CSP receives the request it should select r

R

← Z∗

p and compute

a shared key as k = gx.r

s , and responds with gr s, Hk(gsx, gsr), Sig(Hk(gsx, gsr)), where Sig is

the CSP signature on Hk(gsx, gsr). All exchanged messages between EV and CSP should be encrypted by the shared key k.

• 3. EV Payment. EV verifies the signature of CSP on the message and computes a session key

k = grx

s . In addition, the EV should send the encryption of the anonymized bank signature

58 Figure 5.7: Exchanged messages in the regular mode of our scheme σ′

B and its own signature π to the CSP for payment clearance. CSP sends the authentication

tokens to EV after it verifies the e-coin, as explained in Section 5.4.1. 5.5 Hierarchical Authentication This section explains an efficient and hierarchical authentication scheme. The idea is that

• nce an EV authenticates to the CSP and pays for the charging service, EV receives authentication

tokens that are used to authenticate the EV to the RSUs. After this authentication the RSUs send tokens to the EV which are used to authenticate the EV to the CPs. 5.5.1 Computing shared keys The CSP shares a group secret key with all RSUs under its control. The CSP selects two random seeds (γn,nr and µ1,1), encrypts them using the group key, and broadcasts them to RSUs. Each RSU uses the seeds to compute the secret shared tokens matrices as illustrated in Figs. 5.8 and 5.9.

59 Figure 5.8: Using the seed γn,nr to compute a set of tokens. The group secret key k is used to interactively hashing the received token (γn,nr and µ1,1) to generate {γn−1,nr, γn−2,nr, ..., γ1,nr} and {µ2,1, µ3,1, ...., µn,1} and then hashing operations are used to compute the rest of matrices as shown in Figs.5.8 and 5.9. Each RSU only needs to store

• ne column from each matrix, but it is still required to compute tokens until it arrives to its column.

However, the CSP needs to compute the whole matrices since it will be interacting with all EVs. After computing its two sets of tokens, each RSU should compute the shared keys with the EVs (that will be distributed to the EVs by the CSP) by XORing corresponding two elements in the matrices as indicated in Figure 5.10. On the other hand, when an EVi authenticates to the CSP, it receives two seed tokens (µi,1 and γi,nr) to compute the shared keys with the RSUs by hashing the two tokens and XORing each two elements, as illustrated in Figure 5.11. Each EV can only compute one row in the matrix. The same technique used to share keys between RSUs and EVs is employed between EVs and CPs under the control of a given RSU. However, only one token set is used unlike in the case of CSP-RSU. Each RSU shares a group key with its CPs which is used to compute shared secret tokens. RSU

60 Figure 5.9: Using the seed µ1,1 to compute a set of tokens. Figure 5.10: Computation of shared keys with CSP by RSUi. selects a random seed (Ωn,np), encrypts it using the group key and then broadcasts it to the CPs. Each CP computes the secret shared keys similar to the procedure used between CSP and RSU. For each RSU, the token set generated can only be used to serve n EVs. The scheme can limit the number CPs an EV can charge from as illustrated in Figure 5.12. For instance, if an EV needs to charges from the CPs under the fifth RSU to the CPs under the tenth RSU, the CSP should send it the tokens µi,5 and γi,10. As illustrated in the figure, the EV

61 Figure 5.11: Computation of shared keys with RSUs by EVi. Figure 5.12: Charging from the pads of fifth RSU to the pads of tenth RSU. can compute the keys shared only with these RSUs. The EV cannot calculate other keys because hash functions are one way. In the next section, we explain how the shared keys between EVs and RSUs and CPs are used for authenticating the EVs. 5.5.2 Authentication The authentication of the EVs to the different parties in the charging station takes place in a hierarchical structure. The EV first authenticates to the CSP and receives tokens to authenticate to the RSUs. After that it receives tokens to authenticates to CPs. A challenge/response authentication technique is used to enable entities to prove knowledge of the secret keys. When RSUj needs to authenticate an EVi, it sends a challenge packet containing a random number ri. EVi then responds with the authentication code given in equation 5.8. Authentication Code = H(γi,j ⊕ µi,j||ri) (5.8) After verifying the received code, RSU; sends the confirmation code to EVi that is given in equation 5.9. It also sends an encryption, using the key γi,j ⊕ µi,j of the seed token the EV needs

62 to compute the shared keys with CPs. Confirmation Code = H(γi,j ⊕ µi,j||ri||1) (5.9) EVi decrypts the received message from RSUj and computes the shared keys with the CPs. A challenge/response technique similar to the one used between EVi and RSUj is used to authenticate EVi to the CPs. Once the authentication process completes and EVi gets authenticated, the CP switches on to charge the EVi. Every time a key is used by an EV, the RSU deletes it from the list of valid keys so that it will not be accepted again if reused. It is possible that a key will never be used at an RSU if an EV does not charge from all RSUs. To avoid storing these keys forever, when the CSP initiates the process of calculating new keys, it should notify the RSUs about the keys that can be used from the previous key set. This can be done efficiently in our scheme because the CSP releases the tokens in

• rder, e.g., if the row number 70 is used, that means all the rows before 70 should have been used,

but the keys after 70 are still usable. 5.6 Coin Deposit and Double Spending verification In order to update its bank account, the CSP should deposit the e-coins to the bank with the corresponding evidence submitted by EVs. This deposit does not need to be done right after each EV charges, but CSP can deposit the e-coins collected in one day (or few days) all at once. After receiving the e-coins, the bank should verify them against double spending first before updating the CSP’s account. The verification of the e-coins is done as follows:

• 1. To verify authenticity of an e-coin: This verification is to verify that the given e-coin

is valid and was actually purchased from the bank. If this verification fails, then the bank punishes the CSP because of accepting an invalid e-coin. In order to verfy this e-coin, the

63 bank needs its public key (˜ u1,˜ u2) and the randomized signature given by EV at the time of charging purchase. e(Z′

1, u2) ?

= e(Z′

2, g) and e(Z′ 3, g) ?

= e(Z′

1.Z′ 4, ˆ

u1).

• 2. To verify EV’s proof: This step of verification is to verfiy that the deposited e-coin is

actually spent by an EV that knows the secret ’x’ that was authorized by bank. If this verification fails, it means the CSP tried to attack the system by impersonating a legitimate EV or by accepting a wrong proof submitted by an EV. In both cases the bank penalizes the CSP because of accepting or submitting an invalid proof. The proof is verified as follows: e(Z′

2,ts) ?

= e(Z′

4, gs) and e(π, ts) ?

= e(C, gs). If the first two verifications are successful that means the CSP well behaves during charging purchase, and thus the bank deposits the coin into CSPs account and checks for the double spending

• f the e-coin.

5.6.1 Double Spending detection As mentioned earlier in Section 5.3.1, because the bank maintains a list of used coins, if any user double spends an e-coin, it can be easily detected by the bank using the deposited e-coin (gs, ts). Once a e-coin is submitted to the bank, it computes all the serial numbers χf related to that e-coin as ˆ e(ts, ´ gs→f) = χx

• f. If any of these serial numbers has already submitted to the bank before, that

means the user has double spent that coin. 5.6.2 Identifying the Double Spender Once the bank detects the double spending, it contacts the trusted authority and submits the proof of double spending and the coin (gs, ts) to trace the identity of double spender. The trusted authority then uses the secret rs that was used to construct the public tree, to calculate

64 trs

s = (gx/rs)rs = gx and then gives gx to the bank. The bank then uses this value to link it to the

identity of the user who bought the e-coin in the first step of withdrawal protocol given in Fig. 5.4. The bank can then impose fine on the misbehaving user or even revoke his credentials.

CHAPTER 6 SECURITY AND PRIVACY ANALYSIS In this chapter, we list the common attacks that can be launched against the proposed scheme. We also explain how the scheme can thwart these attacks and preserve the users’ privacy. 6.1 Privacy Analysis In this section, we explain different privacy attacks and how the proposed scheme can thwart these attacks. 6.1.1 External attacks The external attackers can eavesdrop on all parts of the wireless communications in the network to capture the transmitted data and infer sensitive information about the user’s identity, location, and attributes. As the EVs and CSP share symmetric keys that are used to encrypt the exchanged messages. The attackers cannot infer any useful information if the encryption scheme is secure and the secret keys are not known to the attackers. Even if an attacker could get these keys, they cannot find any useful information to trace it back to the identity of users. The proposed scheme is also secure against any collusion external attackers. 6.1.2 Internal attacks We consider the attacks performed on the dynamic charging system by the internal entities such as EVs, CSPs, RSUs, CPs, and Bank. Internal attacks are ususlly more serious than the external attacks because the attackers are already part of the system and can communicate directly with the EVs. 65

66

• 1. Identity Anonymity: In the proposed scheme, EVs use anonymous coins for payment and

authentication to CSPs. The coins cannot be linked to the EV that bought them due to using blind signature. To elaborate, the real identity of an EV is used only once during the purchase

• f coins which is necessary to clear the payment. However, when a coin is sent by a CSP for

double spending check, the bank cannot link it to an EV to preserve location privacy, assuming that each CSP has a known location. This is because the bank cannot link gx of the coin to the blinded value of gx

s sent during coin purchase. As a result, our scheme provides full anonymity

where neither the charging station nor the bank can link an EV’s coin to its real identity.

• 2. Coins and Charging Requests Unlinkability: If different coins and charging requests are

sent from the same EV at different occasions, neither the bank nor the CSP can link them and know that they are sent from the same EV. This is because coins use one-time random numbers (x) that are not linkable and can make the coins look different. Every time an EV spends an e-coin, it generates an anonymized and valid bank signature σ′

• B. Given the pair
• f bank signature (σB, σ′

B) it is hard to decide whether these signatures were issued on the

same e-coin or not under the external Diffie-Hellman (XDH) assumption. Even if the attackers collude to compromise the privacy of a legitimate user, and they cannot succeed. The attackers can be any combination of eavesdroppers, EVs, CSP, RSUs, CPs and even the bank, and our scheme is immune to any attacks from any of these attackers. For example, if CSP colludes with the bank to compromise the privacy of an EV by linking the messages exchanged during the withdrawal and spending of coins. It is impossible to link gx created during the coin withdrawal time and gx

si created during the coin spending time, even though those two values

are created using same secret value ’x’. This unlinkability property comes from using two different bases g and gsi for creating the two value. This property helps the EVs to spend the coins anonymously and unlinkably.

67 6.2 Security Analysis In this section we explain different security attacks that can target the dynamic charging

• systems. We will also explain how our scheme can thwart these attacks.

6.2.1 Attacks against payment

• 1. False Accusation. Malicious CSP may try to falsely accuse an EV of double spending by

passing the e-coin spent by a legitimate EV to another EV to use it in a different charging

• station. As a result of this attack, two CSPs try to deposit the same e-coin at the bank and the

EV is falsely accused of double spending. This attack can be prevented by using the signature

• f knowledge π. We modified the verifications needed by the payment scheme proposed in [17]

to prevent this attack. To make the explanation clear, we first briefly discuss the spending and the verification needed by [17], and then we explain how the attack can be done. In [17], the user spends an e-coin as follows: a) User computes the anonymized bank signature as σ′

B = (Z′ 1, Z′ 2, Z′ 3, Z′ 4) = (Zt 1, Zt 2, Zt 3, Zt 4)

where t ← Z∗

p

b) User selects a random k ← Z∗

p and computes k1 = gk s , k2 = Zk 2 , C = H(σ′ B, ts, k1, k2, info),

and λ = k + Cx. c) Finally, the user sends (σ′

B, ts, C, λ) to the merchant.

The merchant should compute the following values for verifications, l1 = gλ

s t−C s

, l2 = Z′λ

2 Z′−C 4

, and C′ = H(σ′

B, ts, l1, l2, info).

Then, the following three verifications are needed by the

• merchant. C = C′, e(Z1, u2)

?

= e(Z2, g) , and e(Z3, g)

?

= e(Z1.Z4, u1). Malicious merchant can forward the received e-coin (σ′

B, ts, C, λ) to another malicious user

who can simply replace C with ˜ C, and λ with λ ˜ C/C, where ˜ C ← Z∗

• p. Then, malicious user can

68 spend the modified e-coin (σ′

B, ts, ˜

C, λ ˜ C/C) at any other merchant without being detected. Finally, the legitimate user is falsely accused of double spending coins by the bank. This attack is completely eliminated in our system by the two verifications in equations 5.6 and 5.7, because the EV has to compute signature of knowledge on H(σ′

B, ts, gs, IDCSP , TS), using

the secret value x (known only to the EV) at the time of spending. This can prove to the CSP and the Bank that the EV that knows the secret value x has computed that signature. By this way, we have prevented any entity from falsely accusing an honest EV of double spending.

• 2. Double spending. When a CSP submits a signed e-coin to the bank for deposit, the bank

can easily detect whether the e-coin was double spent by comparing the serial numbers of the given e-coin to the serial numbers of spent e-coins. If the Bank finds same serial number twice, that means the EV has double spent the e-coin and the bank can find the identity of the double spender with the help of trusted authority and punish the double spender.

• 3. Forging e-coins. In order to forge e-coins, the attacker should either be able to compute a

valid signature of the bank or the secret value (x) of any user using the exchanges messages between the EV and the bank or CSP. It is impossible to compute the private key of the bank and it is also impossible to calculate the secret value (x) even if the attacker knows gx

s and gs

• f a user because of the Discrete Logarithm Problem (DLP).
• 4. Purchasing e-coins without payment. When an EV purchases e-coins, it has to use its

real identity so that the bank can make sure that the EV has enough money to pay for the e-coins. A malicious EV cannot impersonate other EVs to obtain e-coins without payment because the malicious EV has to compute a valid signature to authenticate itself. Also, if an attacker eavesdrops on the communications between the bank and an EV, he cannot compose the e-coin without knowing the secret value x that is used to create the e-coin gx

s .

69

• 5. Charging more than the payment. As explained earlier, the CSP can charge EVs partially

by allowing them to charge from only a fixed number of CPs by giving the EV seed tokens to compute keys shared with some set of RSUs. As shown in Fig. 5.12, although the EV can compute γi,4, it cannot compute µi,4 to compute an extra key. Similarly, although the EV can compute µi,11, it cannot compute γi,11 for an extra key. The EVs cannot compute more keys to charge from more CPs because hash chains are one way. In addition, given one set of tokens, our key generation technique does not allow the EVs to derive other tokens because they do not know the group key used to compute the keyed hash values. 6.2.2 Attacks against priority determination In our proposed scheme, the priority determination technique is used to prioritize the EVs requests depending upon the EVs attributes and the CSP priority policies. During this process we made sure that our proposed priority determination scheme is secure to protect the system from internal/external attackers and also protects the privacy of the users by maintaining anonymity of EVs identities and its attributes.

• 1. Collusion Attack: In the priority determination part of our proposed scheme, some EVs

may collude to attack the system by using their attributes together in order to satisfy the priority policy created by CSP. This attack is impossible, if none of the colluded EVs can alone satisfy the priority policy using their own attributes because the part of the secret key K′

GID,u = gt is unique for each user, which obstructs the users to collude in order to satisfy

a policy. During decryption, the random secret ′t′ selected by authority can only be canceled by its corresponding part of secret key KGID,u = gαθH(GID)yθF(u)t and cannot be canceled by using secrets of any other users.

• 2. Identity Anonymity. In the proposed scheme, EVs use anonymous e-coins for payment and

70

• authentication. The e-coins cannot be linked to the EV that bought them due to using blind
• signature. To elaborate, the real identity of an EV is used only once during the purchase of

e-coins which is necessary to clear the payment. However, when an e-coin is sent by a CSP for the double-spending check, the bank cannot link it to an EV to preserve users’ privacy unless the user double spend. The CSP cannot link an EV to its real identity, as a result, our scheme provides full anonymity . The bank can only reveal the identity of the EV if and only if the user double spend the e-coin. 6.2.3 Attacks against authentication and key management In our scheme, signatures are used to authenticate EVs to the Bank and CSP. Keyed hashes are used to authenticate EVs to RSUs and pads. Also, if an EV can calculate the correct key shared with the CSP, this is a proof that the EV is the one that created gx

s of the coin because the

computation of the key needs the secret x.

• 1. Coins and Charging Requests Unlinkability. If different e-coins and charging requests

are sent from the same EV at different occasions, neither the bank nor the CSP can link them and know that they are sent from the same EV. This is because e-coins use one-time random numbers (x) that are not linkable and can make the e-coins look different. The attackers may even collude to compromise the privacy of a legitimate user and expose the location of EV. The attackers can be any combination of eavesdroppers, EVs, CSP and the Bank. For example, to compromise the privacy of an EV, CSP may collude with the Bank and tries to link the messages exchanged during withdrawal and spending times, but it is impossible to link σB created during withdrawal time and σ′

B created during spending time, even though those two

values are created using same secret value x.

• 2. Keys Reuse Attack. Attackers may try to reuse old keys shared with RSUs and CPs to

71 charge more than once for only one payment. This is not possible in our scheme since the RSUs and CPs delete the keys from the list of valid keys once they are used. Also, the CSP and the RSUs should make sure that the seed tokens used to calculate the keys are not reused.

• 3. Man-in-the-Middle Attack.

In our scheme, Diffie-Hellman technique is used to enable EVs to establish shared session keys with CSPs. The man-in-the-middle attack is not possible because the CSP signs its share of the session key and the EV’s share (gx) is signed by the bank, and it is not feasible to forge these signatures.

CHAPTER 7 PERFORMANCE ANALYSIS In this chapter, we explain our experimental setup and evaluate the performance of our proposed scheme. 7.1 Experimental setup and performance metrics We use two metrics, namely computation and communication overhead, to evaluate the per- formance of our scheme. The first metric measures the time needed to compute the packets in our scheme while the second metric measures the packet size. Most of the computationally-intensive op- erations in our scheme, such as blind signature on coins and establishing group keys and distributing seed tokens and computing shared keys among the different parts of the dynamic charging system can be done offline, i.e., during the low traffic period (e.g., at night). Therefore, we focus on the messages that are exchanged in real time, such as the messages exchanged between EVs and the different entities of the charging station. In our evaluation, an Intel Core i7- 4765T 2.00 GHz and 8 GB RAM machine is used. For symmetric pairing, we used supersingular elliptic curve with the symmetric Type 1 of size 512 bits (SS512 curve) [104]. All cryptographic operations were run 1,000 times and average measurements are reported. 7.2 Computation Overhead The Computation overhead measures the time needed to compute the cryptosystems or per- form validation operations on the received packets. In order to measure the computation overhead

• f our scheme, Python charm cryptographic library [105] and Crypto++ 5.6.5 library [106] are used.

The average computation time of the cryptographic operations needed in our scheme are given in 73

74 Table 7.1: Computational overhead of cryptographic operations. Operation time T1 Pairing e(g1, g1) 1.34 ms T2 ga ∈ G1 2.03 ms T3 ga ∈ GT 9.56 µs T4 H : {0, 1}∗ → G1 0.065 ms T5 g1 × g2 ∈ G1 5.13 µs T6 g1 × g2 ∈ GT 1.68 µs T7 HMAC or SHA1 3.6 µs T8 AES encryption 29.49 µs T9 AES decryption 12.85 µs T10 DSA Sig 6.91 ms T11 DSA Sig Verify 7.2 ms Table 7.1 Table 7.2 gives the required time to setup the system. Each EV needs one exponentiation in G1 for public/private pair key generation. Bank performs one exponentiation in G1 and four exponentiation in G2 for public keys generation, in addition to (2l − 1) asymmetric pairing and exponentiation operations in G1 to create public e-coins tree with l nodes for regular e-coins. Each attribute authority needs one pairing, one exponentiation in G1, and one exponentiation in GT for public key generation. In addition, for each attribute key, four exponentiations in G1, two hash operations to G1, and two multiplication operations in G1 are needed. CSP performs one exponentiation in G1 for public key generation, in addition to 2×(n−1)×(nr−1) hashing operations to create two sets of tokens shared with RSUs. Each RSU at most needs 2 × (n − 1) × (nr − 1) hash

• perations to create two sets of tokens shared with CSP. To create shared tokens between each CP

and its RSU, each CP has to perform n − 1 keyed hashes and at most np − 1 unkeyed hashes which takes at most (n − 1) × (np − 1) hashing operations. Table 7.3 gives the computation overhead of various entities in the system during executing

75 Table 7.2: Setup times of the system.

Entities Computation Time(ms) EV Public/Private Key Generation T2 2.03 Bank Public/Private Key Generation 3T2 6.09 Building Tree (2l − 1) × (T2 + T1) (2l − 1)× 3.37 Attribute Authority Public/Private Key Generation T1 + T2 + T3 3.38 Attribute Generation 4T2 + 2T4 + 2T5 8.25 CSP Public/Private Key Generation & Shared Keys Generation T2 + 2 × (n − 1) × (nr − 1) × T7 2.03+0.007×(n − 1) × (nr − 1) RSU Shared Keys Generation 2 × (n − 1) × (nr − 1) × T7 0.007×(n − 1) × (nr − 1) Charging Pad Shared Keys Generation (n − 1) × (np − 1) × T7 0.003×(n − 1) × (np − 1)

• ur scheme. During the e-coin purchase, four messages are exchanged between the EV and the bank

as shown in Figure 5.4. Each EV performs the following computation: one exponentiation in G1 and one signature for message (1) ; one signature verfication for message (2); point addition which is assumed to be negligible for message (3); and one e-coin signature verification which has three asymetric pairing and one multiplication in G1 for message (4). The total computations done by the EV can be formulated as 3T1 + T2 + T5 + T10 + T11. On the other hand, the bank performs the following computations: one signature verification for message (1); one signature for message (2); two exponentiation and one multiplication in G1 for message (3); and one e-coin signature which have four exponentiation in G1 for message (4). The total computations done by the bank can be formulated as 6T2 + T5 + T10 + T11. During regular service, four messages are exchanged between the EV and the CSP as shown in Figure 5.7. Each EV performs the following computations: one exponentiation in G1 for message (1); one exponentiation in G1 for message (2), one keyed hash for verification, and one signature verification; four exponentiation in G1 for bank signature anonymization, one hash operation and

• ne exponentiation in G1 for generation of π, and one AES symmetric key encryption for message

(3); and one AES symmetric key decryption for message (4). The total computations done by the EV can be formulated as 7T2 + 2T7 + T8 + T9 + T11. On the other hand, the CSP performs the following computations: one exponentiation in G1 for message (1); one exponentiation in G1 for message (2),

76 Table 7.3: Computation overhead.

Computation Time(ms) Authentication to Bank EV 3T1 + T2 + T5 + T10 + T11 20.16 Bank 6T2 + T5 + T10 + T11 26.29 Regular Authentication to CSP EV 7T2 + 2T7 + T8 + T9 + T11 21.45 CSP 8T1 + 2T2 + T5 + T7 + T8 + T9 + T10 27.74 Prioritized Authentication to CSP EV 3dT1 + 6T2 + (d + 2)T3 + (3d + 1)T6 + 2T7 + 2T8 + 2T9 + T11 4.03d+19.49 CSP (2d + 9)T1 + 4dT2 + (2d + 2)T3 + dT4 10.9d+19.08 +(d + 1)T5 + (d + 1)T6 + T7 + 2T8 + 2T9 + T10 Authentication to RSU EV 2T7 + T9 0.02 RSU 2T7 + T9 0.03 Authentication to CP EV 2T7 0.007 CP 2T7 0.007

• ne keyed hash for verification, and one signature; eight asymmetric pairing operations and one

multiplication in G1 for verification of bank signature for message (3), and one AES symmetric key decryption; one AES symmetric key encryption for message (4). The total computations done by the CSP can be formulated as 8T1 + 2T2 + T5 + T7 + T8 + T9 + T10. During prioritized service, five messages are exchanged between EV and CSP as shown in Figure 5.6. Each EV performs the following computations: the EV decrypts the attribute based encrypted challenge by computing 3d symmetric pairing, 3d + 1 multiplications in GT , and d + 1 exponentiations in GT , in addition to one signature verification for message (1); one exponentiation in GT , one keyed hash, and one AES symmetric encryption for message (2); one exponentiation in G1 for ts, one hash operation and one exponentiation in G1 for π, four exponentiations in G1 for bank signature anonymization, and finally one AES symmetric encryption for message (4); two AES symmetric key decryptions for messages (3 and 5). The total computations done by the EV can be formulated as 3dT1 + 6T2 + (d + 2)T3 + (3d + 1)T6 + 2T7 + 2T8 + 2T9 + T11. On the other hand, the CSP performs the following computations: the CSP encrypt a challenge by computing 2d + 1 symmetric pairing operations, 2d + 1 exponentiations in GT , d + 1 multiplications in GT , 4d exponentiations in G1, d hashes to G1, and d products in G1, in addition to one signature for message (1); one exponentiation in GT , one keyed hash for verification, and one AES symmetric

77 decryption for message (2); one AES symmetric encryption for message (3); eight asymmetric pairing

• perations and one multiplication in G1 for verification of bank signature, and one AES symmetric

key decryption for message (4). The total computations done by the CSP can be formulated as (2d + 9)T1 + 4dT2 + (2d + 2)T3 + dT4 + (d + 1)T5 + (d + 1)T6 + T7 + 2T8 + 2T9 + T10. For EV authentication with RSU, it needs two hashing operations, one XOR operation, and

• ne AES decryption to authenticate itself to each RSU. The XOR operations are ignored since they

are infinitesimally small. The total computations done by the EV can be formulated as 2T7+T9. On the other hand, the RSU needs to perform one symmetric encryption and two hashing operations to authenticate each EV. The total computations done by the RSU can be formulated as 2T7 + T9. For EV authentication with CP, it needs two hashing operations and one XOR operation. The total computations done by the EV can be formulated as 2T7. On the other hand, each CP needs two hashing operations to authenticate each EV. The total computations done by the RSU can be formulated as 2T7. 7.3 Communication Overhead The communication overhead is measured by the number of bytes in every communication message sent. Table 7.4 gives the communication overhead of various entities in the system during messages exchange. During the e-coin purchase, four messages are exchanged between the EV and the bank as shown in Figure 5.4. The EV sends the following messages: message (1) requires 4 bytes for GID, 4 bytes for TS, 64 bytes for gx, and 128 bytes for σU; and message (3) requires 64 bytes for s. The total packets size sent by the EV is 328 bytes. On the other hand, the bank sends the following messages: message (2) requires 4 bytes for TS, 64 bytes for c, and 128 bytes for σB(c||TS); and message (4) is four group points of 64 bytes each. The total packets size sent by the bank is 260 bytes. During regular service, four messages are exchanged between the EV and the CSP as shown

78 Table 7.4: Communication overhead.

Communication(bytes) Authentication to Bank EV 328 Bank 260 Regular Authentication to CSP EV 320 CSP 252 Prioritized Authentication to CSP EV 660 CSP 256d + 236 Authentication to RSU EV 20 RSU 40 Authentication to CP EV 20 CP 40

in Figure 5.7. The EV sends the following messages: message (1) requires two group points of total size of 128 bytes, and message (3) requires five group points encrypted with AES with total size of 320 bytes and 20 bytes for the HMAC. The total packets size sent by the EV is 468 bytes. On the

• ther hand, the CSP sends the following messages: message (2) requires 64 bytes for one group point,

20 bytes for HMAC and 128 bytes for signature; message (4) requires 40 bytes for authentication

• tokens. The total packets size sent by the CSP is 252 bytes.

During prioritized service, three messages are exchanged between the EV and the CSP as shown in Figure 5.6. The EV sends message (2) which contains ten group points of size 640 bytes and 20 bytes for the HMAC, so the total size is 660 bytes. On the other hand, the CSP sends message (2) which contains attribute based encryption challenge of size (4d + 1) × 64 bytes, 4 bytes for the TS, and 128 signature; and message (3) requires 40 bytes for authentication tokens. The total packets size sent by the CSP is 256d + 236 bytes. For EV authentication with RSU, the EV receives 40 bytes for the challenge and the confir- mation and sends 20 bytes for authnetication code. The same packets sizes are sent in case of for the authentication with CP.

CHAPTER 8 CONCLUSION AND FUTURE WORK 8.1 Conclusion In EV dynamic charging system, the EVs need to exchange some data with the CSP and bank in order to charge and make payment, but this data should not reveal any sensitive information about the EV drivers. At the same time, the dynamic charging system should also be able to interact with a large number of EVs in an efficient way to authenticate all the EVs to provide secure charging

• service. So, security and privacy are predominant factors to ensure the correct operation of the

system and the protection of the drivers’ sensitive information. The existing security and privacy techniques cannot be applied effectively and efficiently in EV dynamic charging system due to its unique problems and requirements such as the high authentication rate, long distance charging station, etc. In this thesis, we have proposed a priority-based and privacy-preserving scheme to secure the communication and to preserve the privacy of the drivers in dynamic charging system. The proposed system has three schemes for payment, authentication and prioritization which are integrated in an efficient way in order to reduce the overall computation and communication overhead. In order to address the scalability of the system due to the large number of EVs and CPs and the limited resources of the CPs, an efficient hierarchical authentication scheme that is based on symmetric-key cryptography is proposed. The idea is that after an EV authenticates successfully to the CSP and purchase charging using anonymous payment method, it receives secret keys, called tokens, from the CSP shared with the RSUs. After using these tokens to authenticate to the RSUs, the EV receives secret tokens shared with a number of CPs under each RSU control. These tokens are used to enable 79

80 the CPs to identify and charge only authorized EVs. The proposed authentication and payment scheme consider the characteristics of the dynamic charging system such as the large number of charging pads having limited computational resources and the short contact time between EVs and CPs due to the high speed of EVs. Moreover, we have introduced an efficient charge prioritization technique which is needed when the energy supply at the charging station is less than the charging demand. In this case, the CSP cannot serve all incoming charging requests, and therefore, the charging station should distribute its power resources wisely to the EVs that are in high priority. In our scheme, a priority policy is determined by each charging station and multi-authority attribute based encryption scheme is used to ensure the security and privacy of the policy. Our security analysis demonstrates that the proposed scheme is secure and can preserve the privacy of EV drivers and protect the system from collusion attacks. Along with that, our system can also trace the identity of the driver to penalize him if he misbehaves and tries to attack the system by reusing the spent coins. In addition, our performance evaluations confirm that the time required to run the cryptographic operations of our scheme and the communication overhead are acceptable. 8.2 Future work In the future, we plan to investigate and extend our system design for a new adaptive privacy- preserving dynamic charging system for public transportation and to have more than one charging lanes. Using this scheme, the dynamic charging system can charge the EVs on multiple lanes and with different power ratings, which removes the restrictions on EV for changing between the lanes during charging. We also plan to introduce prediction techniques in our system to assess and estimate the traffic patterns on the basis of time and location. This helps the dynamic charging system to allocate best charging station in the travel route of an EV. To achieve this, we need to introduce an entity (or a company) that is independent from all the charging stations which receives

81 the encrypted charging requests that includes EVs’ travel routes, amount of charge required, its desired power ratings, and the arrival time etc. The company can then use the EV’s requests to know the distribution of the requests and then it should use this information to determine the best routes that can satisfy all the EVs requests with providing requested/acceptable amount of charging. In this technique, we need to use the concept of computation over encrypted data to protect the privacy of EV drivers while providing best charging service to the EVs. This scheme aims to achieve fairness in the charging distribution, prioritization and high driver’s satisfaction.

VITA Surya Teja Gunukula was born in Nandigama city, India, on May 11, 1993. He graduated from St. Anns high school, Nuzvid city, where he obtained his high school diploma in 2010. On discovering his passion for applied sciences, he proceeded to study Electronics and Communication Engineering at the Jawaharlal Nehru Technological University - Kakinada, Andhra Pradesh, India. He received a Bachelors of Engineering in Electrical Engineering in July of 2014. He attended Ten- nessee Technological University from August 2015 to May 2017 from where he obtained a Master

• f Science degree in Electrical and Computer Engineering. Some of his research interests are cryp-

tography, network security and privacy in dynamic charging networks for EV, Internet of Things etc. 83

APPENDICES 85

APPENDIX A PUBLICATIONS 87

88 1. Surya Gunukula, A. B. T. Sherif, M. Pazos-Revilla, B. Ausby, M. Mahmoud and

• X. S. Shen, ”Efficient scheme for secure and privacy-preserving electric vehicle dynamic charging

system,” 2017 IEEE International Conference on Communications (ICC), Paris, 2017, pp. 1-6. doi: 10.1109/ICC.2017.7997252 2.

• M. Pazos-Revilla, A. Alsharif, Surya Gunukula, T. N. Guo, M. Mahmoud and X.

Shen, ”Secure and Privacy-Preserving Physical-Layer-Assisted Scheme for EV Dynamic Charg- ing System,” in IEEE Transactions on Vehicular Technology, vol. PP, no. 99, pp. 1-1. doi: 10.1109/TVT.2017.2780179 3.

• M. Nabil, M. Bima, A. Alsharif, W. Johnson, Surya Gunukula, M. Mahmoud, M.

Abdalla, Priority-based and Privacy-preserving Electric Vehicle Dynamic Charging System with Divisible E-Payment, Book chapter in book titled Smart Cities Cybersecurity and Privacy, Elsevier, In press, 2018.

REFERENCES 89

90 [1] Public EV charging stations. [Online]. Available: https://electrek.co/2017/06/19/ us-electric-vehicle-charging-stations/ [2]

• J. M. Miller, P. T. Jones, J.-M. Li, and O. C. Onar, “ORNL experience and challenges facing

dynamic wireless power charging of EVs,” IEEE circuits and systems magazine, vol. 15, no. 2,

• pp. 40–53, 2015.

[3]

• H. Lund and W. Kempton, “Integration of renewable energy into the transport and electricity

sectors through V2G,” Energy policy. [4]

• S. M. Lukic, J. Cao, R. C. Bansal, F. Rodr´

ıguez, and A. Emadi, “Energy storage systems for automotive applications,” IEEE Transactions on Industrial Electronics. [5]

• X. Hu, S. J. Moura, N. Murgovski, B. Egardt, and D. Cao, “Integrated Optimization of

Battery Sizing, Charging, and Power Management in Plug-In Hybrid Electric Vehicles,” IEEE Transactions on Control Systems Technology. [6]

• L. Dickerman and J. Harrison, “A new car, a new grid,” IEEE Power and Energy Magazine,
• vol. 8, no. 2, pp. 55–61, 2010.

[7]

• J. K. Liu, W. Susilo, T. H. Yuen, M. H. Au, J. Fang, Z. L. Jiang, and J. Zhou, “Efficient

privacy-preserving charging station reservation system for electric vehicles,” The Computer Journal, vol. 59, no. 7, pp. 1040–1053, 2016. [8]

• E. Sortomme and M. A. El-Sharkawi, “Optimal charging strategies for unidirectional vehicle-

to-grid,” IEEE Transactions on Smart Grid, vol. 2, no. 1, pp. 131–138, 2011. [9]

• G. A. Covic and J. T. Boys, “Modern trends in inductive power transfer for transportation

applications,” IEEE Journal of Emerging and Selected topics in power electronics. [10] SAE publishes tir j2954, wireless power transfer EV/PHEV. [Online]. Available: https://www.standardsuniversity.org/e-magazine/june-2016/ sae-publishes-tir-j2954-wireless-power-transfer-evphev/ [11]

• T. Tajima, H. Tanaka, T. Fukuda, Y. Nakasato, W. Noguchi, Y. Katsumasa, and T. Aruga,

“Study of a dynamic charging system for achievement of unlimited cruising range in ev,” SAE Technical Paper, Tech. Rep., 2015. [12] ——, “Study of high power dynamic charging system,” SAE Technical Paper, Tech. Rep., 2017. [13]

• H. Perik, “Practical EV integration cases for static and dynamic wireless power transfer,” in

International Energy Transfer for Electric Vehicles Conference, 2013. [14]

• S. Lee, J. Huh, C. Park, N.-S. Choi, G.-H. Cho, and C.-T. Rim, “On-line electric vehicle

using inductive power transfer system,” in IEEE Energy Conversion Congress and Exposition (ECCE). IEEE, pp. 1598–1601. [15]

• S. Ahn and J. Kim, “Magnetic field design for high efficient and low EMF wireless power

transfer in on-line electric vehicle,” in Proceedings of the 5th European IEEE Conference on Antennas and Propagation (EUCAP). IEEE, 2011, pp. 3979–3982. [16] Wireless charging electric bus. [Online]. Available: https://kmatrix.kaist.ac.kr/ wireless-charging-electric-bus/

91 [17]

• S. Canard, D. Pointcheval, O. Sanders, and J. Traor´

e, “Divisible e-cash made practical,” in IACR International Workshop on Public Key Cryptography. Springer, 2015, pp. 77–100. [18]

• M. He, K. Zhang, and X. S. Shen, “PMQC: A privacy-preserving multi-quality charging scheme

in V2G network,” in Global Communications Conference (GLOBECOM), 2014 IEEE. IEEE, 2014, pp. 675–680. [19]

• S. Sahoo, D. R. Pullaguram, and S. Mishra, “A consensus priority algorithm based V2G

charging framework for frequency response,” in Proceedings of the 7th IEEE Power India International Conference (PIICON). IEEE, 2016. [20]

• Y. Rouselakis and B. Waters, “Efficient statically-secure large-universe multi-authority

attribute-based encryption,” in International Conference on Financial Cryptography and Data Security. Springer, 2015, pp. 315–332. [21]

• A. Sherif, M. Ismail, M. Pazos-Revilla, M. Mahmoud, K. Akkaya, E. Serpedin, and K. Qaraqe,

“Privacy preserving power charging coordination scheme in the smart grid,” 2017. [22]

• S. Li and C. C. Mi, “Wireless power transfer for electric vehicle applications,” IEEE journal
• f emerging and selected topics in power electronics, vol. 3, no. 1, pp. 4–17, 2015.

[23]

• O. C. Onar, J. M. Miller, S. L. Campbell, C. Coomer, C. P. White, and L. E. Seiber, “A

novel wireless power transfer for in-motion EV/PHEV charging,” in Applied Power Electronics Conference and Exposition (APEC), 2013 Twenty-Eighth Annual IEEE. IEEE, 2013, pp. 3073–3080. [24]

• S. Lukic and Z. Pantic, “Cutting the cord: Static and dynamic inductive wireless charging of

electric vehicles,” IEEE Electrification Magazine, vol. 1, no. 1, pp. 57–64, 2013. [25]

• Z. Pantic, S. Bai, and S. M. Lukic, “Inductively coupled power transfer for continuously

powered electric vehicles,” in Vehicle Power and Propulsion Conference, 2009. VPPC’09. IEEE. IEEE, 2009, pp. 1271–1278. [26]

• F. Turki, V. Staudt, and A. Steimel, “Dynamic wireless EV charging fed from railway grid:

Magnetic topology comparison,” in Electrical Systems for Aircraft, Railway, Ship Propulsion and Road Vehicles (ESARS), 2015 International Conference on. IEEE, 2015, pp. 1–8. [27] J.-M. Li, P. T. Jones, O. Onar, and M. Starke, “Coupling electric vehicles and power grid through charging-in-motion and connected vehicle technology,” in Electric Vehicle Conference (IEVC), 2014 IEEE International. IEEE, 2014, pp. 1–7. [28] I.-S. Suh and J. Kim, “Electric vehicle on-road dynamic charging system with wireless power transfer technology,” in Electric Machines & Drives Conference (IEMDC), 2013 IEEE Inter- national. IEEE, 2013, pp. 234–240. [29]

• T. Theodoropoulos, A. Amditis, J. Sall´

an, H. Bludszuweit, B. Berseneff, P. Guglielmi, and

• F. Deflorio, “Impact of dynamic EV wireless charging on the grid,” in Electric Vehicle Con-

ference (IEVC), 2014 IEEE International. IEEE, 2014, pp. 1–7. [30]

• H. Li, G. D´

an, and K. Nahrstedt, “Portunes+: Privacy-preserving fast authentication for dynamic electric vehicle charging,” IEEE Transactions on Smart Grid, 2017.

92 [31]

• R. Hussain, D. Kim, M. Nogueira, J. Son, A. Tokuta, and H. Oh, “A new privacy-aware mutual

authentication mechanism for charging-on-the-move in online electric vehicles,” in Moile Ad- hoc and Sensor Networks (MSN), 2015 11th International Conference on. IEEE, 2015, pp. 108–115. [32]

• H. Li, G. D´

an, and K. Nahrstedt, “Proactive key dissemination-based fast authentication for in-motion inductive EV charging,” in Communications (ICC), 2015 IEEE International Conference on. IEEE, 2015, pp. 795–801. [33]

• W. Aiello, S. M. Bellovin, M. Blaze, R. Canetti, J. Ioannidis, A. D. Keromytis, and O. Rein-

gold, “Just fast keying,” ACM Transactions on Information and System Security, vol. 7, no. 2,

• pp. 242–273, may 2004.

[34]

• T. Zhao, L. Wei, and C. Zhang, “A secure and privacy-preserving billing scheme for online

electric vehicles,” in Vehicular Technology Conference (VTC Spring), 2016 IEEE 83rd. IEEE, 2016, pp. 1–5. [35]

• H. Li, G. D´

an, and K. Nahrstedt, “Lynx: Authenticated anonymous real-time reporting of electric vehicle information,” in Smart Grid Communications (SmartGridComm), 2015 IEEE International Conference on. IEEE, 2015, pp. 599–604. [36]

• H. Nicanfar, P. TalebiFard, S. Hosseininezhad, V. Leung, and M. Damm, “Security and privacy
• f electric vehicles in the smart grid context: problem and solution,” in Proceedings of the third

ACM international symposium on Design and analysis of intelligent vehicular networks and applications. ACM, 2013, pp. 45–54. [37]

• H. Nicanfar, S. Hosseininezhad, P. TalebiFard, and V. C. Leung, “Robust privacy-preserving

authentication scheme for communication between electric vehicle as power energy storage and power stations,” in Computer Communications Workshops (INFOCOM WKSHPS), 2013 IEEE Conference on. IEEE, 2013, pp. 55–60. [38]

• Z. Yang, S. Yu, W. Lou, and C. Liu, “P 2: Privacy-preserving communication and precise

reward architecture for V2G networks in smart grid,” IEEE Transactions on Smart Grid,

• vol. 2, no. 4, pp. 697–706, 2011.

[39]

• X. Chen, F. Zhang, and S. Liu, “Id-based restrictive partially blind signatures and applica-

tions,” Journal of Systems and Software, vol. 80, no. 2, pp. 164–171, 2007. [40]

• G. Calandriello, P. Papadimitratos, J.-P. Hubaux, and A. Lioy, “Efficient and robust pseudony-

mous authentication in VANET,” in Proceedings of the fourth ACM international workshop

• n Vehicular ad hoc networks.

ACM, 2007, pp. 19–28. [41]

• D. Boneh, X. Boyen, and H. Shacham, “Short group signatures,” in Crypto, vol. 3152.

Springer, 2004, pp. 41–55. [42]

• J. Li, H. Lu, and M. Guizani, “ACPN: A novel authentication framework with conditional

privacy-preservation and non-repudiation for VANETs,” IEEE Transactions on Parallel and Distributed Systems, vol. 26, no. 4, pp. 938–948, 2015. [43]

• A. Shamir et al., “Identity-based cryptosystems and signature schemes.” in Crypto, vol. 84.

Springer, 1984, pp. 47–53.

93 [44]

• C. Zhang, X. Lin, R. Lu, and P.-H. Ho, “RAISE: An efficient RSU-aided message authentica-

tion scheme in vehicular communication networks,” in Communications, 2008. ICC’08. IEEE International Conference on. IEEE, 2008, pp. 1451–1457. [45]

• L. Sweeney, “k-anonymity: A model for protecting privacy,” International Journal of Uncer-

tainty, Fuzziness and Knowledge-Based Systems, vol. 10, no. 05, pp. 557–570, 2002. [46]

• R. Lu, X. Lin, H. Zhu, P.-H. Ho, and X. Shen, “ECPP: Efficient conditional privacy preserva-

tion protocol for secure vehicular communications,” in INFOCOM 2008. The 27th Conference

• n Computer Communications. IEEE.

IEEE, 2008, pp. 1229–1237. [47]

• Y. Xi, K. Sha, W. Shi, L. Schwiebert, and T. Zhang, “Enforcing privacy using symmetric ran-

dom key-set in vehicular networks,” in Autonomous Decentralized Systems, 2007. ISADS’07. Eighth International Symposium on. IEEE, 2007, pp. 344–351. [48]

• A. Studer, E. Shi, F. Bai, and A. Perrig, “TACKing together efficient authentication, revoca-

tion, and privacy in VANETs,” in Sensor, Mesh and Ad Hoc Communications and Networks,

• 2009. SECON’09. 6th Annual IEEE Communications Society Conference on.

IEEE, 2009,

• pp. 1–9.

[49]

• J. Sun, C. Zhang, Y. Zhang, and Y. Fang, “An identity-based security system for user privacy

in vehicular ad hoc networks,” IEEE Transactions on Parallel and Distributed Systems, vol. 21,

• no. 9, pp. 1227–1239, 2010.

[50]

• D. Boneh and M. Franklin, “Identity-based encryption from the Weil pairing,” in Advances in

Cryptology, CRYPTO 2001. Springer, 2001, pp. 213–229. [51]

• A. Shamir, “How to share a secret,” Communications of the ACM, vol. 22, no. 11, pp. 612–613,

1979. [52]

• J. Baek and Y. Zheng, “Identity-based threshold signature scheme from the bilinear pair-

ings,” in Information Technology: Coding and Computing, 2004. Proceedings. ITCC 2004. International Conference on, vol. 1. IEEE, 2004, pp. 124–128. [53]

• L. Nguyen and R. Safavi-Naini, “Dynamic k-times anonymous authentication,” in ACNS, vol.

3531. Springer, 2005, pp. 318–333. [54]

• C. Soghoian and I. Aad, “Merx: Secure and privacy preserving delegated payments,” in In-

ternational Conference on Trusted Computing. Springer, 2009, pp. 217–239. [55]

• T. Zhao, C. Chen, L. Wei, and M. Yu, “An anonymous payment system to protect the privacy
• f electric vehicles,” in Wireless Communications and Signal Processing (WCSP), 2014 Sixth

International Conference on. IEEE, 2014, pp. 1–6. [56]

• T. Zhao, C. Zhang, L. Wei, and Y. Zhang, “A secure and privacy-preserving payment system

for electric vehicles,” in IEEE International Conference on Communications (ICC). IEEE, 2015, pp. 7280–7285. [57]

• M. A. Mustafa, N. Zhang, G. Kalogridis, and Z. Fan, “Roaming electric vehicle charging and

billing: An anonymous multi-user protocol,” in IEEE International Conference on Smart Grid Communications (SmartGridComm). IEEE, 2014, pp. 939–945.

94 [58]

• A. Rupp, G. Hinterw¨

alder, F. Baldimtsi, and C. Paar, “P4R: Privacy-preserving pre-payments with refunds for transportation systems,” in International Conference on Financial Cryptog- raphy and Data Security. Springer, 2013, pp. 205–212. [59]

• S. A. Brands, “An efficient off-line electronic cash system based on the representation prob-

lem,” 1993. [60]

• D. Boneh, B. Lynn, and H. Shacham, “Short signatures from the weil pairing,” Advances in

Cryptology, ASIACRYPT 2001, pp. 514–532, 2001. [61]

• D. Slamanig, “Efficient schemes for anonymous yet authorized and bounded use of cloud

resources.” in Selected Areas in Cryptography, vol. 7118. Springer, 2011, pp. 73–91. [62]

• E. Brickell, J. Camenisch, and L. Chen, “Direct anonymous attestation,” in Proceedings of the

11th ACM conference on Computer and communications security. ACM, 2004, pp. 132–145. [63]

• J. Camenisch and A. Lysyanskaya, “Signature schemes and anonymous credentials from bilin-

ear maps,” in Annual International Cryptology Conference. Springer, 2004, pp. 56–72. [64]

• J. Camenisch, R. Chaabouni et al., “Efficient protocols for set membership and range proofs,”

in International Conference on the Theory and Application of Cryptology and Information Security. Springer, 2008, pp. 234–252. [65]

• D. Chaum, “Blind signatures for untraceable payments,” in Advances in cryptology. Springer,

1983, pp. 199–203. [66] ——, “Blind signature system,” in Advances in cryptology. Springer, 1984, pp. 153–153. [67] ——, “Security without identification: Transaction systems to make big brother obsolete,” Communications of the ACM, vol. 28, no. 10, pp. 1030–1044, 1985. [68]

• D. Chaum, A. Fiat, and M. Naor, “Untraceable electronic cash,” in Proceedings on Advances

in cryptology. Springer-Verlag New York, Inc., 1990, pp. 319–327. [69]

• T. Okamoto and K. Ohta, “Disposable zero-knowledge authentications and their applications

to untraceable electronic cash,” in Conference on the Theory and Application of Cryptology. Springer, 1989, pp. 481–496. [70]

• S. Brands, “Electronic cash systems based on the representation problem in groups of prime
• rder,” in Advances in Cryptology-CRYPTO, vol. 93, 1993, pp. 1–15.

[71]

• Y. Tsiounis, “Efficient electronic cash: new notions and techniques,” College of Computer

Science, 1997. [72]

• J. L. Camenisch, “Group signature schemes and payment systems based on the discrete loga-

rithm problem,” Ph.D. dissertation, 1998. [73]

• A. Chan, Y. Frankel, and Y. Tsiounis, “Easy come-easy go divisible cash,” Advances in Cryp-

tology, EUROCRYPT’98, pp. 561–575, 1998. [74]

• J. Camenisch, S. Hohenberger, and A. Lysyanskaya, “Compact e-cash.” in Eurocrypt, vol.

3494. Springer, 2005, pp. 302–321.

95 [75]

• J. Camenisch and I. Damg˚

ard, “Verifiable encryption, group encryption, and their applications to separable group signatures and signature sharing schemes,” in ASIACRYPT, vol. 1976. Springer, 2000, pp. 331–345. [76]

• M. H. Au, S. S. Chow, and W. Susilo, “Short e-cash,” in International Conference on Cryp-

tology in India. Springer, 2005, pp. 332–346. [77]

• S. Brands, “Untraceable off-line cash in wallet with observers,” in Annual International Cryp-

tology Conference. Springer, 1993, pp. 302–318. [78]

• J. Camenisch, S. Hohenberger, and A. Lysyanskaya, “Balancing accountability and privacy

using e-cash,” in SCN, vol. 6. Springer, 2006, pp. 141–155. [79]

• S. Canard and A. Gouget, “Divisible e-cash systems can be truly anonymous,” in Eurocrypt,
• vol. 4515.

Springer, 2007, pp. 482–497. [80]

• J. Camenisch and A. Lysyanskaya, “Signature schemes and anonymous credentials from bilin-

ear maps,” in Annual International Cryptology Conference. Springer, 2004, pp. 56–72. [81]

• J. Camenisch and M. Michels, “Proving in zero-knowledge that a number is the product of

two safe primes,” in International Conference on the Theory and Applications of Cryptographic Techniques. Springer, 1999, pp. 107–122. [82]

• D. Chaum and T. P. Pedersen, “Transferred cash grows in size,” in Workshop on the Theory

and Application of of Cryptographic Techniques. Springer, 1992, pp. 390–407. [83]

• M. Girault, G. Poupard, and J. Stern, “On the fly authentication and signature schemes based
• n groups of unknown order,” Journal of Cryptology, vol. 19, no. 4, pp. 463–487, 2006.

[84] C.-P. Schnorr, “Efficient identification and signatures for smart cards,” in Conference on the Theory and Application of Cryptology. Springer, 1989, pp. 239–252. [85]

• F. Baldimtsi, M. Chase, G. Fuchsbauer, and M. Kohlweiss, “Anonymous transferable e-cash.”

in Public Key Cryptography, 2015, pp. 101–124. [86]

• M. Chase, M. Kohlweiss, A. Lysyanskaya, and S. Meiklejohn, “Malleable signatures: New

definitions and delegatable anonymous credentials,” in Computer Security Foundations Sym- posium (CSF), 2014 IEEE 27th. IEEE, 2014, pp. 199–213. [87]

• S. Canard and A. Gouget, “Multiple denominations in e-cash with compact transaction data.”

in Financial Cryptography, vol. 6052. Springer, 2010, pp. 82–97. [88]

• V. D. Razo and H.-A. Jacobsen, “Smart Charging Schedules for Highway Travel With Electric

Vehicles,” IEEE Transactions on Transportation Electrification, vol. 2, no. 2, pp. 160–173, jun 2016. [89]

• B. Waters, “Ciphertext-policy attribute-based encryption: An expressive, efficient, and prov-

ably secure realization.” in Public Key Cryptography, vol. 6571. Springer, 2011, pp. 53–70. [90]

• M. Raya, A. Aziz, and J.-P. Hubaux, “Efficient secure aggregation in VANETs,” in Proceedings
• f the 3rd international workshop on Vehicular ad hoc networks - VANET.

ACM Press, 2006. [91]

• J. E. Silva, “An overview of cryptographic hash functions and their uses,” Global Information

Assurance Certification (GIAC), 2003.

96 [92]

• P. Gauravaram, “Cryptographic hash functions:

cryptanalysis, design and applications,” Ph.D. dissertation, Queensland University of Technology, 2007. [93] Stephen J. Fried, “An Illustrated Guide to Cryptographic Hashes,” http://www.unixwiz.net/ techtips/iguide-crypto-hashes.html, 2005, [Online]. [94]

• Z. Cheng, L. Vasiu and R. Comley, “Pairing-based one-round tripartite key agreement proto-

cols,” Citeseer IACR Cryptology ePrint Archive, vol. 2004, p. 79, 2004. [95]

• F. Zhang, S. Liu, and K. Kim, “ID-based one round authenticated tripartite key agreement

protocol with pairings,” in Citeseer Cryptology ePrint Archive, Report, 2002. [96]

• D. Boneh and M. Franklin, “Identity-based encryption from the Weil pairing,” in Springer

Annual International Cryptology Conference, 2001, pp. 213–229. [97]

• B. Waters, “Efficient identity-based encryption without random oracles,” in Springer Annual

International Conference on the Theory and Applications of Cryptographic Techniques, 2005,

• pp. 114–127.

[98]

• D. Boneh, C. Gentry, B. Lynn and H. Shacham, “Aggregate and verifiably encrypted signatures

from bilinear maps,” in Springer International Conference on the Theory and Applications of Cryptographic Techniques, 2003, pp. 416–432. [99]

• C. Gentry and Z. Ramzan, “Identity-based aggregate signatures,” in Springer International

Workshop on Public Key Cryptography, 2006, pp. 257–273. [100] A. Beimel, Secure schemes for secret sharing and key distribution. Technion-Israel Institute

• f technology, Faculty of computer science, 1996.

[101] A. Lewko and B. Waters, “Decentralizing attribute-based encryption,” in Annual International Conference on the Theory and Applications of Cryptographic Techniques. Springer, 2011, pp. 568–588. [102] S. Goldwasser and Y. Kalai, “On the (In)security of the Fiat-Shamir paradigm,” in Proceedings

• f the 44th Annual Symposium on Foundations of Computer Science.

IEEE. [103] D. Bernhard, G. Fuchsbauer, E. Ghadafi, N. P. Smart, and B. Warinschi, “Anonymous attes- tation with user-controlled linkability,” International Journal of Information Security, vol. 12,

• no. 3, pp. 219–249, 2013.

[104] SEC, SECG, “Recommended elliptic curve domain parameters,” Standards for Efficient Cryp- tography Group (SECG), Certicom Corp, 2000. [105] J. A. Akinyele, C. Garman, I. Miers, M. W. Pagano, M. Rushanan, M. Green, and A. D. Ru- bin, “Charm: a framework for rapidly prototyping cryptosystems,” Journal of Cryptographic Engineering, vol. 3, no. 2, pp. 111–128, 2013. [106] Crypto++ Library 5.6.5. [Online]. Available: https://www.cryptopp.com/