Conditional Privacy-Preserving Anonymous Authentication Scheme With Forward Security in Vehicle-to-Grid Networks

In the Vehicle-to-Grid (V2G) network, the electric vehicles (EVs) need to report their respective information, such as vehicle identity, battery capacity, battery state of charge (SoC), current location, and driving direction, to the power grid through the distributed local aggregators (LAGs), so that the power grid can dispatch power reasonably. However, the information has much to do with privacy of the EVs. The issue of how to solve the contradictory needs of privacy protection and information report is a challenging problem in the V2G network. This paper proposed a privacy preserving authentication mechanism together with a key exchange between the EVs and the LAGs, in which the EVs do not use any pseudonyms. Besides satisfying the requirements of anonymity, confidentiality, unlinkability, nonrepudiation, traceability and revocation, the scheme can further support forward security. The performance analysis shows that the proposed scheme is efficient in terms of computation and communication overhead. The experimental results show that the proposed scheme has fewer exchanged messages in the authentication process among compared schemes.


I. INTRODUCTION
Electric vehicle-to-grid technology (V2G) combines a smart grid with electric vehicles, thereby enabling electric vehicles (EVs) to act as energy storage media. In the V2G network, electric vehicles are used to store extra energy during low power consumption and release the energy back to the smart grid when the demand is high. The two-way exchange of energy can provide a number of economic, environmental and operational benefits. In practice, in order to optimize the power dispatch, the grid needs to collect the status information about the EVs, such as their respective ID, battery capacity, battery state-of-charge (SoC) and current location. In the V2G network, the status information reported by an EV through the DSRC wireless channel contains much information related to the EV and the private information about the EV owner. Since the wireless channel is an open channel, it is vulnerable to various network attacks, such as forgery attacks, collusion attacks, linkage attacks, impersonation attacks and replay attacks. Thus, the transmitted information could be completely exposed to attackers, and an attacker could easily The associate editor coordinating the review of this manuscript and approving it for publication was Junaid Arshad . deduce the user's private information, such as their entertainment behavior, living habits, etc. Several articles have presented comprehensive surveys of the privacy protection and network security in V2G networks [1]- [4]. It is widely agreed that authentication and privacy protection are two basic requirements in the V2G system and this subject has led to an extensive literature.
In the current V2G network, certificate-based pseudonym authentication methods [19], [21], [22], in which certificates are generated and distributed by a trusted authority (TA), are widely used to provide authentication and protect the true identities of EVs from disclosure. In this case, to prevent a linkage attack, each pseudonym can only be used for a limited time. Therefore, EVs need to store many pseudonyms and periodically update them. If an EV cannot update its pseudonym in time, it will face the risk of the disclosure of its private information. However, storing a large number of pseudonyms and the frequent replacement of them will cause complicated pseudonym management problems and create a heavy burden on the system. In addition, there are some authentication schemes that are based on self-generated pseudonyms. In this type of scheme, each vehicle is equipped with a tamper-resistant device (TPD). The TA preloads the system master key into the tamper-resistant device, and then each EV can dynamically generate pseudonyms when needed [18], [24]. However, the main problem of this type of solution is that the security assumption for the TPD is too strong. If the master key stored in the TPDs is leaked, the entire system will completely collapse. Actually, attackers can obtain a large amount of substantial information from a TPD by using side channel attacks [30], which means that TPD-based authentication schemes have potential security risks. Though some schemes do not store the master key in the TPD, they need to run secure computations in the TPD [33]. This means that the security is still based on the secure assumption of the TPD. Cui et al. suggested a self-generated pseudonym authentication scheme that did not use a TPD [32]. The main shortage of [32] is that the TA is involved in the authentication process. In addition, there may be some malicious EVs in the V2G network that might abuse pseudonyms to obtain more benefits. In this case, the V2G system must be able to reveal the true identity of this malicious EV and prevent it from continuing in the system, which means that the system must possess traceability and revocation. Though some existing pseudonym-based schemes can support traceability and revocation, most of them do not consider the forward security of a revoked EV [13]- [17]. In these schemes, when an EV needs to be revoked, all the current pseudonyms owned by the EV will be published openly. In this case, attackers can easily link these pseudonyms to the revoked EV and learn the EV's previous private information.
In addition to privacy protection, secure transmission is also a fundamental requirement in V2G system that means V2G system should satisfy security. Because the DSRC is open channel, in order to prevent unauthorized entities from accessing the information reported by an EV, the information should be encrypted before its transmission.
Therefore, in view of the above problems, this paper designs a conditional privacy preserving authentication scheme with forward security in the V2G network. Our main contributions are as follows: 1) An EV does not need to use any pseudonym in our scheme; therefore, our scheme is immune to the periodic change of the pseudonyms for the EV, and the EV does not need to store a large number of pseudonyms.
2) The solution supports the two-way authentication between an EV and the local aggregator (LAG), integrates the building of a shared key between an EV and the LAG into the authentication process and uses the shared key to achieve secure transmissions. 3) This solution achieves forward security. The solution can trace and revoke EVs with malicious behavior, and the revocation process will not lead to the leakage of the private information reported before an EV's revocation.

A. ORGANIZATION
The rest of the paper is organized as follows. In the second part, we introduce the preliminaries and related work. In the third section, we describe the cryptographic knowledge, network model, security model, and security goals used in the scheme. In section four, the details of the scheme are introduced in detail. In the fifth part, we analyze the security and performance of the proposed scheme. In the sixth part, we summarize our paper.

II. RELATED WORK
In 2016, Neetesh et al. propose a mutual authentication scheme to preserve the privacy of EVs' information from aggregators/servers at home and distributed visiting V2G networks [4]. This scheme, based on a bilinear pairing technique with an accumulator performing batch verification, yields higher system efficiency, defeats various security attacks, and maintains untraceability, forward privacy, and identity anonymity. However, the scheme suffers from the burden of updating users' pseudonyms continuously. In 2011, Yang et al. proposed an authentication method [5], which adopted an ID-based restricted partial blind signature technology to generate a license for identity authentication in its scheme, for a V2G network. However, forward security is not considered in [5]. Furthermore, the scheme of Yang et al. was later proved to be insecure because the licenses generated by using ID-based restricted partial blind signatures [6] in their scheme could easily be forged [7]. Liu et al. identified unique battery challenges for different battery states of EVs and proposed a battery status-aware authentication scheme (BASA) to address the security issues of V2G networks [8]. Though this scheme implements the mutual authentication between EVs and the LAG, it does not consider forward security. In 2002, in [9], Zhang et al.
proposed a context-aware V2G authentication scheme, which proposed different safety and privacy requirements for EVs during different battery states and designed its certification framework for different battery states. Guo et al. proposed a unique batch authentication protocol (UBAPV2G) for V2G communication [10]. The scheme uses batch authentication to ensure the confidentiality and integrity of the messages exchanged between the LAG and EVs. The LAG broadcasts a request message to the EVs within its range; the EVs respond with a message with their identity information. The LAG collects the responses of the EVs at specific time intervals and then uses a batch authentication mechanism to verify their authenticity. Batch authentication is better than one-to-one authentication because it saves communication and computational overhead [10]. H. Tseng analyzed the security of the UBAPV2G scheme and proved that there are some security loopholes in the scheme [11], [31]. The work illustrated that any EV or LAG in [10] can easily generate a pseudosignature set that meets the batch verification requirements (i.e., the target of a forgery attack) without having to know the signer's private key. He et al. proposed a framework to achieve secure communication between EVs and the power grid [12].
Although the scheme states that it does not require any trusted third party to participate, the scheme considers the LAG as a trusted entity; that is, EVs need to send their real identity information to the LAG to complete the authentication.
In [13], Kilari et al. proposed a scheme to provide revocable anonymity for electric vehicles. In this scheme, if the charging station proves that the electric vehicle is malicious, the scheme can revoke the anonymity of the electric vehicle. The property of forward security, however, is ignored in [13]. Mahmoud Hashem et al. designed an efficient and secure privacy-preserving IPv6 protocol to protect the communications in V2G networks [14]. This solution considers the traceability of EVs but it does not consider forward security. Chen et al. proposed an authentication scheme based on revocable group signature technology [15] in which an EV authenticates itself to the LAG using a permit that could be used to implement a linkage attack by LAGs. Su et al. proposed a lightweight privacy protection identity authentication scheme that does not use bilinear pairing [17]. The scheme solves the security of the master key escrow in the system by using the secure two-party computing (2PC) protocol between the TPA and DC. It can effectively prevent internal attackers from maliciously leaking the system's master key. Although the above schemes achieve revocability, these security measures do not consider the issue of forward security. It is proved that when EVs play different roles, the security and privacy issues that need to be considered are also different [20]. The scheme proposes a role-based privacy protection anonymous authentication scheme to achieve secure communications between EVs and the power grid, but this solution ignores the traceability, revocability, and forward security of revoked EVs.
In [19], Shen et al. proposed a robust key agreement protocol that can achieve mutual authentication between EVs and the LAG without exposing the true identity of the EVs, but this scheme uses pseudonyms for EVs and requires the pseudonyms to be updated regularly. Abdallah et al. proposed a lightweight and secure V2G privacy preserving scheme [21]. Although the scheme guarantees the confidentiality and integrity of information exchange and solves the authentication problem of electric vehicles, the scheme has the same shortcomings as [19]. That is, the EVs in the solution use different pseudonyms for different sessions and need to frequently change pseudonyms. In [22], a mutual authentication mechanism for privacy protection between the entities in EV and V2G networks was proposed. However, EVs also need to get pseudonyms from the RA, and so this scheme has the same problems as [19], [21]. In [23], Kaur et al. proposed a security authentication and key exchange mechanism for the V2G network. In their scheme, the TA needs to distribute pseudonyms to EVs. All the above schemes have the disadvantages of the regular replacement of pseudonyms and large storage overhead. Kaveh et al. presented an authentication scheme for V2G communication based on physical unclonable function (PUF) in which the grid manager is involved in the authentication process [25]. In [26], Wang et al. proposed a traceable privacy protection communication scheme in the V2G environment, but the security assumption of this scheme is too high for the aggregator; that is, the aggregator knows the true identity information of the EVs, which means that the aggregator can obtain the EVs' private information. Romana et al. presented a group-based authentication protocol in V2G networks [34]. In this scheme, a group member EV is issued a temporal identity by the authentication server. The EV authenticates itself to the AS with the temporary identity that also needs to be updated frequently.

A. BILINEAR PAIRING
We define the bilinear pairing of our system as follows. Let G 1 be a cyclic group of prime order p. Let G T be a cyclic group with the same order p, where e: G 1 × G 1 → G T is a bilinear pairing with the following properties: (1) Bilinearity: ∀a, b ∈ Z p and g ∈ G 1 , we have e(g a , g b ) = e(g, g) ab .
(3) Efficiency: ∀u, v ∈ G 1 , there is a polynomial time algorithm associated with a given safety constant λ that can efficiently compute e(u, v).

B. K-CAA ASSUMPTION
In [28], Mitsunari et al. proposed an assumption called k − CAA (collusion attack algorithm with k traitors), which is a weak version of a q − SDH (strong Diffie-Hellman) problem [29]. We use k-CAA as the security basis in our presented scheme.

C. SYSTEM MODEL
Our system model is shown in Figure 1. It consists of three subjects: a trusted entity TA, a local aggregator LAG, and an electric vehicle EV.
The TA is the builder and maintainer of the entire system and is responsible for generating the system's global security parameters and the keys of all entities. The LAG is responsible for collecting the real-time status information about the EVs that want to join the smart grid within its communication range and completing the verification of the legality of an EV's identity. The LAG is responsible for a message reporting area. The EV is owned by an individual. The EV needs to report its power information, travel arrival time, location, and battery state of charge to the LAG in real time. An OBU communication device is installed on each EV to communicate with the LAG through the DSRC. Each EV is additionally equipped with a GPS device to provide information such as time and location.

D. SECURITY MODEL
We assume that the wired channel between the TA and the LAG in the system is secure, that the wireless channel between the EV and the LAG is insecure, and that the TA is a trusted entity that can resist any attack. The LAG is a semitrusted organization that will perform according to the specified protocol process, but it is curious about user privacy. It may use authentication information to obtain EV private information. The EV is an untrusted entity. There may be malicious EV tampering through unsafe channels, replay, counterfeiting, forgery, and other network attacks. The attackers referred to in this article refer to the malicious EVs in the system.

E. ATTACK TYPES
Linkage attack of the LAG: An attack by which the LAG can determine whether different authentication messages come from the same EV.
Impersonation attack: An attack that impersonates another legitimate user in the system.
Forgery attack: An attack that forges a nonexisting legitimate user.
Collusion attack: An attack that uses multiple legitimate private keys to generate a new valid private key.
Replay attack: An attack that resends a legitimate message that was previously intercepted.

F. SECURITY GOALS
Anonymity: Only the TA can obtain the true identity of the EV in this scheme.
Unlinkability: The unlinkability in this scenario means that an attacker or LAG cannot confirm whether messages are sent by the same EV.
Message integrity: Ensures that the messages received during communication are not tampered with by malicious attackers.
Confidentiality: Realizes the secure transmission of information between the EV and LAG and ensures that only authorized entities get the transmitted information content.
Traceability: For an EV that sends malicious messages, the TA can trace its true identity.
Revocability: For the revoked malicious EV, it will not be able to send a message report to the LAG again.
Forward security: This means that if the EV is revoked from the current system, the private information it sent before will not be revealed.
Nonrepudiation: An attacker who is revealed by the TA cannot deny his/her attack behavior.

IV. PROPOSED SCHEME
Our solution consists of the following six parts: system initialization, the EV registration process, the mutual authentication process, the message report process, the tracking phase and the revocation phase. The specific interaction process of each entity is shown in Figure 2. Table 1 gives the corresponding explanation of the symbols appearing in our scheme.

A. SYSTEM INITIALIZATION
At this stage, the TA generates the parameters for the entire system and generates its key pair. The specific initialization details are as follows.
The TA generates bilinear parameters as (G, G T , g, e, p). The TA randomly selects the system master key θ , a i ∈ Z * p , 1 ≤ i ≤ n. The TA randomly selects the forward security parameter η ∈ Z * p and computes u i = g ηa i , 1 ≤ i ≤ n, g θ = g ηθ . Let HMAC k (M ) be the authentication code of message M with key k, E k (M ) be the symmetric encryption algorithm and D k (M ) be the symmetric decryption algorithm. Let pk TA be the public key of the TA and sk TA be the private key of the TA. The TA secretly saves a i , θ, sk TA and the public system parameters G, G T , g, e, p, g θ , u i , HMAC, e(g, g) η , E k (M ), D k (M ) and pk TA . The public parameters are prestored in the OBUs of the LAGs and EVs.   For LAG registration, for a newly joined LAG i , the TA randomly generates a signing key pair (sk i , pk i ) and a corresponding certificate cert i = pk i sig sk TA pk i T for LAG i , where T represents the validity period of the certificate; and then the TA sends cert i sk i pk i to LAG i .

B. EV REGISTRATION PHASE
The EVs must first register their true identity with the TA to enter the V2G network. The EV registration process is as follows: When registering, EV i needs to provide its real identity ID i (such as its license plate number, user ID number, etc.) to the TA. If the identity of EV i is verified, the TA randomly selects x i1 , x i2 , · · · , x in ∈ Z * p and calculates n j=1 a j x ij = s i mod p. The TA stores ID i s i in the tracking list TL (if s i is equal to the stored value in TL, then it reselect x i1 , x i2 , · · · , x in ). The TA calculates y i = g 1 θ +s i ,g i = g s i separately. The TA sends x i1 , x i2 , · · · , x in , y i , g i to the EV as its private key over the secure channel.

C. MUTUAL AUTHENTICATION PHASE
When EV i enters a new LAG i area, EV i needs to authenticate itself using an anonymous identity, and so EV i first completes mutual authentication with LAG i . The mutual authentication process between the EV and LAG is as follows.
Each LAG periodically broadcasts an authentication message. The specific process is as follows: When LAG i broadcasts a new authentication message, LAG i selects a random number R ∈ Z * q and computes (1) When EV i enters LAG i 's communication area, EV i will receive the authentication message broadcast by LAG i and perform the following process: Step 1: EV i uses the public key pk TA of TA to verify that the certificate cert i is valid. If cert i is valid, store it and continue the following process; otherwise, end the authentication process.
Step 2: EV i uses public key pk i of LAG i to verify that signature σ is valid. If σ is valid, continue with the following steps; otherwise, end the authentication process.
Step 3: EV i randomly selects r ∈ Z * q and computes Step 4: EV i computes β = HMAC k (c 1 c 2 c 3 c 4 time) and sends an authentication message Auth EV i = c 1 c 2 c 3 c 4 time β to LAG i , where time is the current time used to prevent replay attack, and β provides integrity protection to prevent a tampering attack.
(2) After LAG i receives the authentication message Auth EV i , the following process is performed: Step 1: First, LAG i judges if it is a valid message using time. If time is valid, continue with the following steps; otherwise, the authentication process is ended.
Step 2: LAG i computes k = c 1 R , β = HMAC k (c 1 c 2 c 3 c 4 time) and verifies the correctness of equation (1): If equation (1) holds, then it continues with the following steps; otherwise, end the certification process.
Step 3: LAG i computes c 3 = c 3 R −1 = g ηθr and verifies the correctness of equations (2) and (3): If equations (2) and (3) hold, LAG i saves the record c 1 c 4 k; otherwise, end the process. The above processes indicates that the solution supports mutual authentication.
Proof of correctness: The authentication process of the registered EVs must be verified by the LAG, and only the proofs (1), (2), and (3) hold.

D. MESSAGE REPORT PHASE
According to the above authentication processes, after the legal EV i completes the authentication process with LAG i , the two parties seperately generate a shared key, and the shared key k can be used to realize a secure message report (It notes that the shared key keeps valid until the EV leaves the LAG's communication area. Whenever an EV entries a LAG's communication area, the authtication process will be launched and a new shared key will be generated). Let m be the message to be reported. EV i computes c = E k (m) and σ = HMAC k (c time) and sends msg = c time σ to LAG i . After LAG i receives the reported message msg = c time σ , LAG i first judges whether the message is fresh according to time, and it then uses the shared key k to calculate σ = HMAC k (c time) and verify the correctness of equation (5): If equation (5) holds, LAG i performs a decryption algorithm to obtain the reported message m = D k (c). Message integrity: According to the characteristics of the HMAC, the message report sent by the EV satisfies the integrity requirement. In addition, the message reported by the EV is sent in encrypted ciphertext, which means that the scheme satisfies the security.

E. TRACING PHASE
In V2G networks, some EV may send malicious messages which may result more rewards from Grid or may affect the Grid's stability and efficiency. If the LAG finds that an EV has sent a malicious message report msg = c σ and passed the verification of equation (5), the LAG finds the corresponding record c 1 c 4 k and sends it to the TA. After the TA receives the message c 1 c 4 from the LAG and calculates it for each record ID i s i in the tracing list TL according to the current value η, it then determines whether there is a record c ηs i 4 equal to c 1 : If s i is present such that equation (6) holds, ID i in record ID i s i is the EV i that sends the malicious message, indicating that the scheme satisfies the traceability requirement. To achieve forward security, the TA randomly selects η ∈ Z * q , and the TA updates the corresponding system public parameters: η → η , u i → g η a i , g θ → g η θ , e(g, g) η → e(g, g) η . The TA adds the corresponding g η s i to the RL and updates the RL of all LAGs.
Proof of correctness of the tracing phase. If ID i is the real identity of EV i that sent the malicious message, it means that the equation (7) must hold: That is, malicious EV i must be traced. In addition, for other legal records, such as ID j s j , because s j = s i , we find it easy to get (c 4 ) ηs j = (c 4 ) ηs i = c 1 . That is, EV j will not be traced as the malicious EV by mistake. That is, the scheme of this paper satisfies the nonrepudiation requirement.

F. REVOCATION PHASE
If the record in the RL is not empty, it indicates that there are some malicious EVs that have been revoked. To prevent receiving messages from a revoked EV, LAGs need to verify whether the sender of the received report is in the current RL. That is, for all records in the current RL list, determine whether there is a record cl i such that equation (8) holds: If there is a record cl i such that equation (8) holds, then the LAG will terminate the communication; that is, the revoked EV will not be able to obtain the token required to send the message report, which realizes the revocation of the malicious EV, indicating that this solution meets the revocation requirement.
Proof of the correctness of the revocation process: Let EV i be revoked and its corresponding record in the RL is cl i = g η s i . When EV i authenticates with the LAG, the authentication message from EV i will be able to pass the verification of equations (1), (2) and (3); but when the verification is revoked, e(cl i , c 4 ) = e(g η s i , g r ) = e(g, g η rs i ) = e(g, c 1 ) can be obtained, indicating that equation (8) will certainly hold.

V. SECURITY ANALYSIS
According to the above analysis, we know that the solution in this article meets the nonrepudiation, revocation and traceability requirements, and we will analyze other security attributes here. a) Anonymity. From the above, there are two types of messages sent by EV i : one is an authentication message Auth EV i = c 1 c 2 c 3 c 4 β and the other is a broadcast message msg = c time σ . Neither type of message contains EV i 's true identity ID i , so neither the LAG nor the attacker can get EV i 's true identity information from the message; therefore, the scheme meets the anonymity requirement. b) Unlinkability. In this solution, the EV reports the message in ciphertext. From the security of the symmetric cryptographic algorithm, the attacker cannot determine whether two ciphertexts are encrypted under the same key without the VOLUME 8, 2020 shared key; that is, the attacker cannot judge whether different ciphertext messages are sent by the same EV, indicating that this scheme meets the unlinkability requirement. c) Forward security. Assuming that EV i has been revoked, for the authentication message Auth EV i = c 1 c 2 c 3 c 4 time β sent before EV i is revoked (before η is updated to η ), we can know e(cl i , c 4 ) = e(g η s i , g r ) = e(g, g η rs i ) = e(g, g ηrs i ) = e(g, c 1 ), which does not satisfy formula (7); therefore, the LAG and attackers cannot use the revocation information cl i in the RL to link the messages sent before EV i was revoked, which means that the proposed scheme meets the forward security requirement. d) Message integrity and confidentiality. From the characteristics of the HMAC, it can be known that the message sent by the EV meets the integrity requirements. Furthermore, the reported information is sent in the form of ciphertext, which means that the scheme meets confidentiality.

A. ATTACK ANALYSIS
From the above analysis, we know that this solution can resist replay attacks and tampering attacks. More types of attacks are analyzed as follows: a) Collusion attack. In practice, there are several situations where an attacker can obtain different legitimate private keys. For example, an attacker may obtain more legal private keys by registering multiple EVs, or multiple malicious EVs may perform a collusion attack by sharing their private keys. Therefore, it is of practical significance to resist collusion attacks.
Theorem 1: the proposed scheme can resist collision attack if the k − CAA is (t, ε) hard problem.
Proof: suppose there is an algorithm A, by given l private keys < X i , g s i , g 1 θ +s i > where X i = (x i1 , . . . , x in ), can compute a new private key < X , g s , g 1 θ +s > with non-negligible probability ε in polynomial time t, then we can construct an (t, ε) algorithm B, which can solve the k − CAA problem by running A as a subroutine. Given an instance g, g θ , s 1 , . . . , s l , g 1 θ +s 1 , . . . , g 1 θ +s l of the k − CAA problem, where s i ∈ Z p , B does the following process: 1) Set up the system parameters < G, G T , g, e, p, g θ , u i = g a i , HMAC, e(g, g) η , E, D > where g, p, g θ are same as the k − CAA instance and the other parameters are generated according to the process of system initialization. 2) For each s i of the given k − CAA instance, solves X i = (x i1 , . . . , x in ) satisfying j a j x ij = s i .
3) Computes g s i and inputs l private keys < X i , g s i , y i = At last, if A returns a new private key < X = x 1 , . . . , x n , g s , y > to B, where X / ∈ {X 1 , . . . , X l } and s / ∈ {s 1 , . . . , s l }, then B outputs < s , y > where s = j a j x j . Obviously, if the < X , g s , y > is a valid private key where y = g 1 θ+s , then the < s , y > is a correct solution of the k − CAA problem. b) Impersonation attack. Because replay attacks and tampering attacks cannot be used to impersonate a legitimate EV, an attacker can only generate new authentication messages by impersonating a legitimate user. Analysis of the attack shows that in this case, the attacker must obtain the private key of a legitimate EV because the private key is secure and all such impersonation attacks are not feasible, indicating that this scheme can resist impersonation attacks. c) Forgery attack. According to the structure of the scheme, if an attacker can forge a legitimate report, it means that he must have a valid shared key. From the analysis of the above collusion attack, it can be known that the attacker cannot forge a valid private key; that is, the attacker cannot impersonate a legitimate user to pass the LAG authentication and thus cannot obtain a valid shared key; therefore, it is also impossible to forge a legitimate report. This shows that the scheme in this paper can resist forgery attacks. d) Linkage attack of the LAG. According to the scheme, in each authentication process, EV i will use a different random number r to generate an authentication message Auth EV i = c 1 c 2 c 3 c 4 β. Moreover, the shared key is also randomly generated, and so all authentication messages from different EVs follow the same distribution. This means that the attacker and LAG cannot distinguish whether different authentication messages are generated by the same EV, indicating that this solution can resist linkage attacks of the LAG.

B. COMPARISON OF SECURITY ATTRIBUTES
In this section, we compare the characteristics satisfied by the proposed scheme with other similar schemes. Table 2 shows the results of our proposed scheme compared with those of other related schemes [5], [26], [17]. As seen from Table 2, none of these three solutions can meet the requirements of forward security.

VI. PERFORMANCE ANALYSIS
Considering the [14] has a different system model with ours, the [12] and [23] treat the authenticator as a trusted party, and the [34] focus on group authentication, in this section, we still  evaluate our scheme by comparing it with the three similar schemes [5], [26], [17]. We will analyze the computational overhead and communication overhead of the four schemes.

A. COMPUTATIONAL COST
In this section, we evaluate the computational cost of the proposed scheme. The calculation performance of the scheme in this paper mainly depends on the exponential operation and bilinear pairing operation. Like most similar solutions, we ignore the factors of other operations. For the proposed scheme, we use the Type A symmetric paring e: G 1 × G 1 → G T with embedding degree 2 as defined in [27], where G 1 is a cyclic group with prime order p. For the Type A paring, G 1 is constructed on a super singular elliptic curve E : y 2 = x 3 + x mod q, where q = 3 mod 4 is a 512 bit prime number and p is a 160 bit prime number. We use the AES cipher to achieve secure communication. In our scheme, n is the number of common parameters u i selected by the TA during the initialization phase, where 1≤ i ≤ n. Obviously, the larger the value of n, the longer it takes to execute the program, but the higher the security of the program. When n = 3, our solution is sufficient to meet the security requirements. We chose n = 3 and measured the calculation cost of the basic operation under this experimental platform. Table 3 lists the times for various operations. These operations were evaluated using an Intel(R) Core(TM) i7-6700 3.4 GHz computer with 16 GB memory running Java version 1.8.0.131 and the JPBC library with the default parameters [27].
We chose three similar schemes [5], [26], [17] to compare with our schemes. We estimated the total computational cost of each scheme by calculating the time of the basic operations used in the mutual authentication process of the EV and the LAG/CAG/CS in each scheme. Table 4 shows the basic operations performed by both parties in each scheme during  the mutual authentication process. Figure 3 shows the comparison of the calculation cost of the authentication process of the four schemes for a single EV. In the authentication process where only one EV participates, our scheme has a considerably lower computational cost compared to the schemes in [5] and [26], and our scheme has a slightly higher computational cost than the scheme in [17]. This is because our scheme uses bilinear pairing technology in its design, and scheme [17] is an authentication process based on an elliptic curve cryptographic algorithm; therefore, the time taken by the bilinear pairing technique is generally greater than the time taken by the elliptic curve operation, and so our scheme has poorer comunication cost than the scheme in [17]. However, as seen from Figure 4, the computational overhead of the four schemes increases linearly with the number of EVs; and when the number of EVs participating in the authentication process is greater than 6, the computational cost of our scheme is the smallest. This is because in the proposed scheme, the LAG calculates and broadcasts the message for identity authentication, which can be used to verify all EVs in its area.

B. COMMUNICATION COST
In this section, we evaluate the communication overhead of the proposed scheme. From Section A, we know that q is a 512 bit prime number and p is 160 bit prime number, and so the sizes of the elements in G 1 and ECC group are 64 bytes VOLUME 8, 2020   and 20 bytes, respectively. Here, we assume that the size of the hash function and HMAC are 20 bytes, the size of ID and PID is 20 bytes, the size of the signature is 40 bytes, the size of the certificate is 64 bytes and the size of the timestamp is 4 bytes.
As seen from Table 5, when the number of EVs is 1, the number of exchanges in schemes [5], [26] and [17] is 5, 7, and 2, respectively. It can be seen from Table 5 that in the mutual authentication stage, the number of message exchanges in our scheme is the same as the number of message exchanges in scheme [17], and only 2 messages were exchanged. Obviously, our scheme and scheme [17] have the fewest exchanges among the four schemes. It can be seen from Figure 5 and Figure 6 that when the number of EVs is greater than 1, the total number of message exchanges in our scheme during the authentication process is the smallest. This is because in our scheme, the LAG broadcasts an authentication message once, which can be used for the authentication of all EVs in its area. Table 6 compares the communication   Communication overhead of the CAG: |R| + |R | + |R 1 | + |t 2 | + |V | + |t 4 | + |d| + |t 6 | = 64 + 128 + 128 + 4 + 64 + 4 + 20 + 4 = 416.
Therefore, the communication overhead of scheme [26] is 956 bytes.
In scheme [17], there are two messages {ID EV PID EV U EV VP i δ CS } and {PID EV R CS δ CS } that are transmitted during the mutual authentication phase. The communication overhead is computed as follows: Communication overhead of the EV: Therefore, the communication overhead of the proposed scheme is 184 bytes.
In our scheme, there are also two messages Auth LAG i = M T θ σ cert i , where M = T 1 T 2 T 3 , cert i = pk i sig sk TA (pk i T ) and Auth EV i = c 1 c 2 c 3 c 4 time β. The communication overhead is computed as follows: The size of cert i : |pk i | + |sig sk TA pk i | + |T | = 20 + 40 + 4 = 64.
Therefore, the communication overhead of our scheme is 620 bytes.
It can be seen from Figure 7 that the communication overhead of our scheme is much smaller than that of schemes [5] and [26]; and compared with scheme [17], the communication overhead of our scheme is relatively high. For one thing, because scheme [17] stores the master key in the TPD of the EV tamperproof device and uses the master key to realize the mutual identity authentication of the EV and other entities, the scheme cannot satisfy the revocation requirement. For another thing, in scheme [17], the security assumptions of the TPD antitampering device are too strong. In addition, scheme [17] also does not meet the security requirements such as unlinkability, traceability, revocation, and forward security.
In summary, the following conclusions can be drawn. The computational and communication overhead of the proposed scheme is significantly better than those of the two bilinear pair-based schemes [5] and [26], and the number of message exchanges during the authentication process is significantly lower than those of schemes [5] and [26]. Compared to scheme [17], our scheme is superior to scheme [17] in terms of computational cost; in addition, although our scheme has a higher communication overhead than that of [17], our scheme meets more security features. Therefore, the scheme in this paper has a better performance than that of other schemes.

VII. CONCLUSION
In this paper, we propose an authentication scheme for conditional privacy protection that supports forward security in a V2G network. In the scheme, EVs do not need to obtain pseudonyms from the TA, which not only solves the mutual authentication problem between the LAG and EVs but also meets features such as anonymity, message confidentiality and integrity, traceability, revocation, and forward security. Moreover, the proposed scheme can resist a linkage attack from the LAG. Security analysis shows that the proposed solution can resist multiple security attacks. The performance analysis shows that the solution is efficient.