PUF-Based Robust and Anonymous Authentication and Key Establishment Scheme for V2G Networks

V2G improves flexibility, reliability, and efficiency and ensures effective charging services by enabling two-way communication along with two-way electricity transmission between the power grid and electric vehicles (EVs). However, V2G networks are vulnerable to lethal security threats because an attacker may try to compromise and control the communication participants at any time. Recently, Sureshkumar et al. presented a robust and lightweight authentication and key establishment (AKE) scheme for secure V2G networks to provide essential security properties. However, we prove that their scheme suffers from various security threats and lacks essential security properties. To protect against physical security attacks, a promising solution is the use of physical unclonable function (PUF) technology, and many AKE schemes have been designed for V2G networks. However, these schemes are still vulnerable to machine learning (ML)-based modeling attacks as well as existing security threats. Thus, we design a PUF-based robust and anonymous AKE scheme for V2G networks, called R2AKE-V2G, to resist ML-based modeling attacks. We prove the security of R2AKE-V2G by performing formal security analyses. Moreover, we perform a network simulator (NS) 3 implementation in compliance with IEEE 802.11 to prove its feasibility and verify that R2AKE-V2G is suitable for practical V2G networks. Consequently, R2AKE-V2G supports better security features and functionality attributes and also guarantees superior costs with regard to communication and computation as compared to existing relevant schemes.


Sungjin Yu, Graduate Student Member, IEEE, and Kisung Park

I. INTRODUCTION
With the development of "5G, smart grid (SG), and electric vehicle (EV)" technology, vehicle-to-grid (V2G) is emerging as an attractive new network paradigm and has garnered considerable interest from both scientific and industrial communities [1], [2], [3]. V2G allows bidirectional energy communication between the EV and the power grid, mitigates environmental pollution, and also helps overcome the energy crisis. V2G not only encourages citizens to switch to eco-friendly plug-in hybrid electric vehicles (PHEVs) and EVs but also actively supports load management on the power grid and offers new economic benefits in charging interoperability scenarios [4]. Owing to V2G, electrical energy can flow from the SG to the EV to charge the battery and can also flow in the reverse direction to provide surplus and peak power. In addition, an individual owner or single household may engage in trading to purchase and sell energy from their EVs using V2G technology without building formal power generation and distribution systems. However, despite the multiple benefits and advantages of V2G, there are significant difficulties and challenges to be addressed. Since the V2G communication among an electrical vehicle user, utility service provider (USP), and charging station occurs without any encryption or authentication, a malicious attacker can attempt to forge, modify, eavesdrop on, and delete the user's individual data for V2G (e.g., locations, payment records, and battery status) [5]. Moreover, a malicious attacker can steal a smart device of a legitimate user and then extract the user's sensitive data stored in the smart device by using differential power analysis [6]. If the sensitive data of the legitimate user is revealed, a malicious attacker may attempt lethal cyber attacks like "forgery, insider, and offline password guessing" attacks. Moreover, physical security is also essential because charging stations and EVs are not normally guarded by humans. Due to these physical and cyber security attacks, a malicious attacker may insert new consumption data and report wrong energy charging data into the smart devices during charging and discharging processes, leading to a waste of resources and imposing financial charges on the users for electric energy which has not been used [7]. With the escalating need for energy services and applications in V2G networks, another significant challenge is the lightweight feature. Since the smart devices for V2G (e.g., Internet of Energy Things (IoET), smart meters, smart cards, etc.) are resource-constrained with respect to computation and communication overheads, memory, and computing power [8], it is not suitable to use public key cryptosystems that require high performance. Hence, "lightweight and robust authentication and key establishment (AKE) schemes" are indispensable for V2G networks [9], [10], [11].
Sureshkumar et al. [12] recently designed a robust privacy-preserving AKE scheme for V2G networks to ensure reliable energy services. Sureshkumar et al. claimed that their AKE protocol offers "necessary security requirements" while preventing lethal physical/cyber attacks. However, we indicate that their scheme [12] lacks the ability to withstand severe security attacks like "session key disclosure and impersonation" attacks and lacks "mutual authentication." To address these issues, a promising solution is the use of physical unclonable function (PUF) technology.
A PUF addresses these issues by allowing smart devices to create secure and unique digital fingerprints with extremely low computation overheads. Recently, many AKA schemes have been designed for V2G networks using PUF to resist cyber/physical security attacks. Although some PUF-based schemes for V2G networks have been presented, these schemes are still susceptible to various security attacks because other security issues have remained unresolved. Moreover, the existing PUF utilized in AKE schemes is vulnerable to machine learning (ML)-based modeling attacks since an adversary can clone the PUF model by having access to a subset of the challenge-response pairs (CRPs) of the PUF through a public channel. Therefore, we design a PUF-based robust and anonymous AKE scheme, called R2AKE-V2G, to resist ML-based modeling attacks as well as various existing security issues.

A. Motivations
The primary objective of this article is to show and remedy the security shortcomings of [12]. We demonstrated that scheme [12] is vulnerable to deadly security attacks like "session key disclosure" and "impersonation" attacks and that it also lacks "mutual authentication." Sureshkumar et al.'s scheme [12] put in a tremendous amount of effort to develop a high-level security-supported system for V2G networks. Regrettably, their scheme did not approach the AKE protocol from the perspective that we have verified and demonstrated. These discoveries have motivated us to develop a new AKE scheme that is robust and anonymous based on PUF and capable of resisting "potential security attacks" that are present in V2G networks as well as ensuring "necessary security functionalities."

B. Contributions
This section serves to introduce the primary contribution of R2AKE-V2G.
1) We design a "new PUF-based robust and anonymous AKE scheme for V2G networks" to remedy the security drawbacks of [12].
2) We present "automated verification of Internet security protocols and application (AVISPA)" [13], [14], which assesses the robustness against potential security attacks like MITM and replay attacks. Moreover, we present the "real-or-random (ROR) oracle" model [15], which proves the session key security of the proposed scheme.
3) We present a performance analysis with regard to computational and communication costs and security functionalities compared to related AKE schemes.
4) We present the implementation for performance analysis using the network simulator (NS) 3 [16] on various network scenarios and attributes.

II. RELATED WORKS
Secure and reliable communication is one of the most important requirements for V2G networks to provide secure data exchange and sharing. Thus, a robust and anonymous AKE scheme is essential for secure and efficient data exchange between components.
To resolve these problems, many AKE schemes have been presented for V2G networks [17], [18], [19] to provide secure and efficient data exchange between each entity. Mohammadali et al. [20] designed two protocol scenarios for SG networks: 1) an elliptic curve cryptosystem (ECC)-based AKE scheme and 2) an identity-based AKE scheme. These AKE protocols are resistant to desynchronization and replay attacks and also reduce the computation cost with regard to the smart meter. However, these AKE protocols are vulnerable to MITM, false data injection, and masquerade attacks. Nicanfar and Leung [21] proposed two protocol scenarios to provide scalability and security for data exchange in SG systems: 1) a symmetric key-based AKE scheme and 2) an ECC-based AKE scheme. Unfortunately, their scheme is insecure against false data injection attacks and also has a high computation cost during the AKE phase. Wu and Zhou [22] designed a secure and lightweight AKE protocol for SG networks by combining public key and symmetric key cryptosystems. However, Xia and Wang [23] pointed out that Wu and Zhou's scheme [22] cannot prevent MITM attacks, and they presented a new secure key distribution scheme for SG networks. Unfortunately, Park et al. [24] demonstrated that Xia and Wang's scheme [23] is still vulnerable to forgery attacks and does not protect the privacy of users. Tsai and Lo [25] designed a secure key distribution scheme for V2G networks by using identity-based encryption and signature. Odelu et al. [26] proved that Tsai and Lo's scheme [25] does not ensure the session key security and the privacy of the smart meters. However, Gope and Sikdar [27] pointed out that the AKE scheme proposed in [26] is vulnerable to MITM attacks, ultimately leading to DoS attacks.
In the last few years, many AKE research articles have been presented on privacy issues for V2G networks [28], [29] besides [20], [21], [22], [23], [24], [25], [26], [27]. However, these AKE schemes have inefficient performance because they use cryptographic primitives, such as signcryption and group signature operations, that require a high computation cost, and the problem of privacy concerns for electrical vehicle users also remained unresolved. In this context, Gope and Sikdar designed a cost-effective privacy-preserving AKE scheme for V2G networks [27]. However, Irshad et al. [30] demonstrated that Gope and Sikdar's scheme [27] has a desynchronization problem during login to the device and is also vulnerable to key compromise impersonation attacks under the weak assumption in which the private secret key is revealed by mistake to the attacker. Irshad et al. [30] proposed a secure and lightweight AKE scheme for V2G networks to remedy the security drawbacks of Gope and Sikdar's scheme [27].
Recently, Sureshkumar et al. [12] designed a robust AKE scheme for V2G networks to provide high security and privacy. They claimed that their AKE scheme [12] guarantees necessary security requirements and is also resistant to lethal security attacks. However, we proved that scheme [12] is vulnerable to deadly security threats, such as "session key disclosure and impersonation" attacks, due to wrong protocol design, and that it lacks "mutual authentication." Thus, we propose a "PUF-based robust and anonymous AKE scheme for V2G networks" to address the security shortcomings of [12]. The proposed scheme generates a unique temporary key based on the PUF and then uses it for symmetric key encryption, not only to ensure high-level security in the current session but also to establish secure V2G communication. Although some PUF-based schemes for V2G networks have been proposed [31], [32], [33], [34] to resolve physical capture attacks, these schemes [31], [33] are still susceptible to various security attacks because other security issues have remained unresolved. Due to this fact, it is very difficult to design cryptographic protocols to satisfy all necessary security requirements.
A comparative summary of existing AKE schemes for V2G networks is presented in Table I.
TABLE I. EXISTING AKE SCHEMES FOR V2G NETWORKS: A COMPARATIVE SUMMARY
1) In the DY and CK models, an adversary (A) can "resend, delete, block, eavesdrop, and so on" the transmitted data under an insecure channel and can also compromise the session states with ephemeral secret values.
2) A can steal a smart card (SC) of the user and then extract the information stored in SC by using "differential power analysis" [6].
3) A may attempt lethal security attacks, including "stolen verifier, offline guessing, and privileged insider" attacks [37].

B. Physical Unclonable Function
PUF is widely recognized as a practical solution for safeguarding the security of smart devices with limited computing capabilities from potential adversarial threats [38], [39]. PUF is a widely utilized technique for producing an output based on a given input, such as a fingerprint, which is derived from the physical microstructure of smart devices. PUF does not retain a private key, and successfully replicating an identical PUF poses a considerable challenge. This is due to the intricate nanoscale variations during the manufacturing process of the IC chip. The optimal PUF ensures the properties of unpredictability, uniqueness, and reliability, all of which are critical components for protecting the security of smart devices. PUF is particularly effective in protecting the smart devices that are deployed in WMSN-based healthcare systems from attacks, such as cloning, side-channel, and tampering attacks. PUF is reliant upon the distinct physical attributes of the integrated circuit, and any alteration to the system shall undoubtedly result in a modification of the PUF output. In addition, PUF allows for the verification of the legitimacy of entities prior to the establishment of a session key, as has been demonstrated in previous research [40]. The functionalities of the PUF are as follows.
1) "PUF is quite simple to implement and assess."
2) "PUF depends on physical microstructure of system."
3) "Any attempt to interfere with smart devices that have PUF will update of PUF's behavior and consequently its destruction [41]."
As depicted in Fig. 1, a PUF-enabled generator procedure utilizes multiple functions, including "decoding, encoding, and key derivation," to produce powerful extractors for the secret key. These functions combine to make an optimal solution for "robust authentication of lightweight devices in V2G network."

C. System Model
This section presents the system model for V2G network communication in Fig. 2. The system model consists of the "USP, smart electric vehicle (SEV), cloud, server (CS), and fog server (FS)." This model supports different levels of communication, including "vehicle-to-charging station (V2C), vehicle-to-vehicle (V2V), and charging station-to-USP." In this model, an anonymous, lightweight, and robust AKE scheme is proposed to ensure effective and secure communication for V2G networks. An ordinary server can only process data from one vehicle at a time. Moreover, there is a need for a CS to perform parallel processing. In the system model, the FS controls and monitors the CS and vehicle in real time. If the vehicles move out of the smart city, the FS transmits a message to the CS to connect to another FS. Therefore, our system model is considered a good solution for a secure, effective, robust, and anonymous AKE scheme in V2G environments.

IV. REVIEW OF SURESHKUMAR ET AL.'S SCHEME
We review Sureshkumar et al.'s scheme [12]. Table II presents the symbols used in this article.

A. Initial Setup Phase
USP selects a master private key MK_USP and comprises a "one-way hash function h : (0, 1)* → (0, 1)^n and bio-hash function H(•)." USP publishes the "bio-hash function H(•) and the one-way hash function h(•)" as public details.
where h_1 is a one-way hash function whose output concatenated to PW_i results in the size of the output of h(•). Finally, where G_i and K_i are included only for the contribution of password recovery functionality.

C. Charging Station Registration Phase
CS generates an ID_CS and then sends it to the USP. After that, USP calculates c_j = h(ID_CS||MK_USP) and sends it to the CS via a secure channel. Finally, USP removes the parameter c_j from the system. CS keeps c_j securely.

D. Authentication and Key Establishment Phase
The registered U_i is required to establish a mutually authenticated session key SK in order to access reliable V2G services.
AKE-1: U_i inputs ID_U, PW_i and imprints BIO in SC. After that, SC calculates b_i = H(BIO), A_1 = h(ID_U), and After that, SC verifies whether terminates and rejects the current session.
AKE-2: SC generates a random nonce R_1 and calculates Consequently, U_i, USP, and CS are mutually authenticated and successfully establish a SK = h(L_1||L_3||L_5).

E. Password Update Phase
If U_i wants to change to a new PW_i, U_i may update their previous PW_i without requiring interaction with the USP.
PUP-1: U_i inputs an ID_i, an old PW^old_i, and imprints a biometric BIO in the SC.

V. SECURITY FLAWS OF SURESHKUMAR ET AL.'S SCHEME
We show the security vulnerabilities inherent in Sureshkumar et al.'s scheme [12].

A. Session Key Disclosure Attack
Referring to Section III-A, A can extract the secret credentials {F_i, E_i, G_i, K_i} stored in SC. In addition, A can "delete, block, and replay" the transmitted messages through an insecure channel. A first computes Finally, A generates a SK = h(L_1||L_3||L_5) successfully. Consequently, Sureshkumar et al.'s scheme is deemed to be vulnerable to this attack, which aims to compromise the confidentiality of the session key.

B. Impersonation Attack
Based on the adversary model in Section III-A, A may attempt lethal security threats and can also extract the secret parameters {F_i, E_i, G_i, K_i} of the SC. Thus, A attempts to impersonate the legitimate U_i in this attack.
1) IA-1: tamp is matches, CS generates a random number R_2 and then calculates

VI. PROPOSED SCHEME
We design a "PUF-based robust and anonymous AKE scheme for V2G networks (R2AKE-V2G)" to remedy the security shortcomings of [12].

A. Initial Setup Phase
USP first generates a master private key MK_USP and adopts the one-way hash function h(•). Then, USP publishes h(•) as public details.

B. Registration Phase
The registration phase consists of two parts: 1) CS and 2) U_i registration phases. This phase is performed via a secure channel.
1) Charging Station Registration Phase: CS selects an identity ID_CS and a set of (C^x_CS, R^x_CS), then transmits {ID_CS, (C^x_CS, R^x_CS)} to the USP via a secure channel. After that, USP computes Z_j = h(ID_CS||ID_USP||MK_USP||R^x_CS) and c_j = h(ID_CS||MK_USP) and then transmits them to the CS securely. Finally, USP removes Z_j and c_j and stores
2) User Registration Phase: Before the AKE phase, U_i registers with the USP to access the useful V2G services and gets the credential from USP.
URP-1: U_i selects an ID_U and PW_i and imprints BIO. After that, U_i generates a set of (C^x_U, R^x_U) and calculates After that, USP stores {Q_i, W_i} in the SC and transmits SC to the U_i. Then,

C. Authentication and Key Establishment Phase
If U_i wants to access V2G services, U_i must mutually authenticate with the USP with the help of CS and establish a SK among U_i, CS, and USP. This AKE phase is performed over an open channel. The AKE phase is shown in Fig. 3 and described in detail below.
AKE-1: U_i inputs ID_U, PW_i, and imprints BIO in SC.
, and verifies whether W*_i ?= W_i. If it matches, SC accepts U_i; otherwise, it terminates and rejects the current session. SC generates a random nonce R_1, a timestamp T_1, and a pair of

AKE-2: CS checks the freshness of |T
and ) and verifies whether Auth*_U ?= Auth_U. If it matches, USP authenticates U_i successfully. After that, USP generates R_3, T_3 and computes
R_1 ← RandomNonce(); and T_1 ← Timestamp(); 12: Select a pair of
We present the AKE by executing the following sequence of procedures whose details are as shown in Algorithms 1-4.

D. Password Update Phase
If U_i wants to change to a new PW_i, U_i may update the previous PW_i without requiring interaction with the USP.
PUP-1: U_i inputs an ID_U and an old PW^old_i, and imprints BIO in SC. SC computes

VII. SECURITY ANALYSIS
This section introduces the formal and informal security analyses.

Theorem: Adv^{R2AKE-V2G}_A denotes the advantage of A in breaking the SK security of R2AKE-V2G. Thus, we derive the following: Hash, q_P, q_h, and q_send are the "number of Hash query," "range space of PUF(•)," "range space of h(•)," and "Send(•) query." Also, l_n, s, l_m, and C are the Zipf's credentials [42].

Algorithm 4 Charging Station Confirmation and Response
Transmits Msg 3 ← {MI

Proof: We define the games GM_i (i ∈ [0, 4]). Adv^{R2AKE-V2G}_{A,GM_i} is the probability of A winning the game GM_i.
Game GM_0: GM_0 is considered as "an actual attack executed by A" in R2AKE-V2G. The GM_0's result is as follows:
Game GM_1: GM_1 means that A performs an "eavesdropping attack in which the transmitted messages are intercepted among U, CS, and USP performing Execute(•) query." In this game, A carries out the "Test(•) and Reveal(•)" queries to reveal SK. The output of the Test(•) and Reveal(•) queries decides whether A gets SK. To reveal SK, A needs {R_1, R_2, R_3}. Hence, A's probability of winning GM_1 by eavesdropping on the messages does not increase. This game's result is as follows:
Game GM_2: This game is considered as the "active/passive attacks by performing Hash and Send(•) queries." A can intercept {Msg_1, Msg_2, Msg_3, Msg_4} during the AKE phase. All messages are not revealed by A since it is protected by using s result is as follows:
Game GM_3: This particular game is an extension of GM_2, wherein the simulation of the PUF query has been incorporated. Based on an argument analogous to the one introduced in GM_2, this game's result is as follows:
Game GM_4: This game is considered the simulation of the CorruptSC(•) and CorruptCS(•) queries. A extracts {Q_i, W_i} from SC's memory by performing the "differential power analysis." Note that, However, it is computationally infeasible in this game for A to reveal PW_i of the U_i via the Send(•) query without the BIO. Also, A cannot distinguish the "PUF secret" and "biometric" since the probability of A guessing the PUF secret of l_2 bits and the biometric credential of l_1 bits is (1/2^{l_2}) and (1/2^{l_1}). Consequently, GM_3 and GM_4 are "indistinguishable if the off-line password and biometric guessing attacks are not implemented." GM_4's result is as follows:
After GM_0−GM_4 are successfully performed, A attempts to guess the "c for winning all game by utilizing Test(•) query." Thus, we get the following: Combining the "formulas (1), (2), and (6)," we get the following: Based on the application of the "triangular inequality" using the formulas (3), (4), (5), and (7), we can get the subsequent result 1 2 Finally, by applying a scalar operation of multiplication to both sides of (8) with a factor of 2, we get the following: send, (q_s/2^{l_1}), (q_s/2^{l_2})}.

B. Formal Security Analysis Using AVISPA Simulation
AVISPA simulation provides evidence of the robustness of the security protocol against lethal security threats. We first implement R2AKE-V2G in the "High-Level Protocol Specification Language (HLPSL)" [43]. Subsequently, the simulation commences the analysis of the intermediate format (IF) over the two back-ends: 1) "OFMC" and 2) "CL-AtSe." We utilized the "security protocol animator (SPAN) [14]" based on the HLPSL implementation to simulate R2AKE-V2G. AVISPA supports the DY model and involves a malicious adversary in the security protocol execution with a current session. In Fig. 4, we present the AVISPA implementation results of SPAN, OFMC, and CL-AtSe. SPAN demonstrates the security attacks and the malicious intruder simulated through a GUI, and OFMC and CL-AtSe show that R2AKE-V2G is secure against lethal security attacks. Consequently, we verified the SAFE output through a formal security analysis and demonstrated that R2AKE-V2G is resistant to various security attacks from a malicious intruder based on the DY threat model.

C. Informal Security Analysis
We demonstrate that R2AKE-V2G exhibits resistance to security attacks and further assures the fulfillment of essential security requirements.
1) Session Key Disclosure Attack: A can steal the SC of the legitimate U_i and extract the credentials {Q_i, W_i}. In R2AKE-V2G, A must obtain the random nonces {R_1, R_2, R_3} to compromise a SK = h(R_1||R_2||R_3). However, it is difficult for A to calculate a SK because the random nonces are protected with the PUF secret values {R^1_U, R^1_CS} and secret credentials {X_i, Z_j} by using "XOR and hash" operations. Thus, R2AKE-V2G is secure against this attack.
2) Impersonation Attack: This attack indicates that A tries to masquerade as the U_i by intercepting the transmitted messages under a public channel. A must create the request messages {Msg_1, Msg_2} and response messages {Msg_3, Msg_4} related to mutual authentication between other entities. However, it is deemed infeasible to produce the request and response messages associated with mutual authentication since A cannot obtain the PUF secret values {R^1_U, R^1_CS}, credentials {X_i, Z_j}, and temporary secret key {TK}. Thus, R2AKE-V2G is secure from this attack since A cannot correctly generate the request and response messages related to mutual authentication.
3) MITM Attack: Referring to the information given in Section III-A, A can inject, resend, delete, eavesdrop on, intercept, and block the transmitted messages {Msg_1, Msg_2, Msg_3, Msg_4} during the bidirectional communication among U_i, CS, and USP. After that, A tries to get sensitive information of legitimate parties. However, it is difficult for A to generate the messages related to authentication because all messages are protected with the PUF secret values {R^1_U, R^1_CS} and random nonces {R_1, R_2, R_3} by using "XOR and hash" operations. Thus, R2AKE-V2G is resistant to this attack because A cannot obtain the legitimate entity's important information.
4) ML-Based Modeling Attack: If ML methods are used, the existing PUF may be vulnerable to modeling threats. In order to carry out this type of attack, A needs to accumulate a large subset of possible CRPs like Thus, A builds a mathematical model M* for the PUF behavior from this collected data in order to predict the PUF response R_i to a new challenge C_i. In R2AKE-V2G, even if A calculates the valid CRP set using a ML model method, A cannot obtain the sensitive information of U_i, CS, and USP without the knowledge of the shared secret keys {X_i, Z_j}. Moreover, A cannot obtain the important information of the legitimate entities even if A obtains CRPs by performing the ML-based modeling attack because R2AKE-V2G encrypts and transmits the messages required for authentication using symmetric key encryption such as the advanced encryption standard (AES) algorithm. Consequently, R2AKE-V2G is resistant to this attack because even if A attempts an attack using the ML-based model method, A cannot successfully obtain the sensitive information of legitimate entities.
5) Replay Attack: A eavesdrops on the U_i's messages during previous sessions and, in another session, replays the intercepted messages to take part in the current session. Based on the information given in Section III-A, A eavesdrops on the exchanged messages {Msg_1, Msg_2, Msg_3, Msg_4} related to mutual authentication during the AKE phase. Then, A tries to authenticate with other entities through the exchange of intercepted messages from the previous session. A solution to resist this attack is the addition of "timestamps" and "random nonces" to the shared information, which renders the data distinctive for each authentication phase. Thus, R2AKE-V2G resists replay attacks since our AKE scheme utilizes timestamps and verifies the freshness of the current timestamps T_i. Furthermore, the exchanged messages are protected with the "PUF responses" {R^1_U, R^1_CS} and the "credentials" {X_i, Z_j} in R2AKE-V2G. Thus, our AKE scheme is resistant to this attack.
6) Physical Capture Attack: Suppose that the CS is physically captured by A, who extracts the credentials {c_j} stored in DB, where c_j = h(ID_CS||MK_USP). However, A cannot correctly calculate a common SK = h(R_1||R_2||R_3) among U_i, CS, and USP without the knowledge of the secret parameter {Z_j}, the temporary secret key TK, and random nonces {R_2, R_3}. Furthermore, there are independent, distinct, and robust for CS's memory because PUF pair Thus, R2AKE-V2G is considerably impervious to this attack given that the output of the PUF relies on the inherent physical fluctuations of the IC chip.
7) Off-Line Password Guessing Attack: According to Section III-A, A can inject, resend, delete, eavesdrop on, intercept, and block the transmitted messages and extract the parameters stored in SC. A attempts this attack to guess the real PW_i of U_i. However, PW_i is comprised in RPW_i = h(PW_i||BIO). Thus, it is difficult for A to guess PW_i without knowledge of the biometric BIO. Consequently, this attack is infeasible in R2AKE-V2G.
8) Anonymity: Suppose that A eavesdrops on the exchanged messages during the AKE phase. However, it is infeasible for A to obtain the real ID_U of the legitimate U_i without knowing, for example, the "biometric BIO, secret credentials X_i, and PUF secret value R^1_U." R2AKE-V2G provides secure anonymity for U_i.
9) Perfect Forward Secrecy: A security protocol providing "perfect forward secrecy" guarantees that a SK cannot be compromised by any A even in the event of a long-term key compromise.
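The argument in item 4) can be checked in simulation before a design exposes any PUF-derived value on the public channel: fit a model M* to what A would observe and measure how well it predicts unseen challenges. The sketch below is an added example, not code from the paper or from R2AKE-V2G; it assumes a simulated 16-stage additive-delay PUF, logistic regression as M*, and SHA-256 over (R || C || secret) as a simplified stand-in for the scheme's hash protection with X_i / Z_j, and all names and parameters are constructed.

```python
import hashlib
import math
import random

N_STAGES = 16  # assumed challenge length; not a parameter taken from the paper


def parity_features(challenge):
    """Additive delay model: feature i is the product of (1 - 2*c_j) for j >= i."""
    feats, prod = [], 1
    for bit in reversed(challenge):
        prod *= 1 - 2 * bit
        feats.append(prod)
    feats.reverse()
    return feats + [1]  # constant term for the bias


class SimulatedPUF:
    """Constructed stand-in for a silicon PUF: random stage delays, 1-bit response."""

    def __init__(self, rng):
        self.delays = [rng.gauss(0.0, 1.0) for _ in range(N_STAGES + 1)]

    def response(self, challenge):
        total = sum(d * f for d, f in zip(self.delays, parity_features(challenge)))
        return 1 if total > 0 else 0


def masked_observation(puf, challenge, secret):
    """Wire value when the response only ever appears inside h(R || C || secret)."""
    data = bytes([puf.response(challenge)]) + bytes(challenge) + secret
    return hashlib.sha256(data).digest()[0] & 1


def sigmoid(z):
    # Numerically stable form: never exponentiates a large positive number.
    if z >= 0:
        return 1.0 / (1.0 + math.exp(-z))
    e = math.exp(z)
    return e / (1.0 + e)


def fit_model(samples, epochs=20, rate=0.1):
    """Logistic regression by SGD; this plays the role of the adversary's model M*."""
    w = [0.0] * (N_STAGES + 1)
    for _ in range(epochs):
        for feats, label in samples:
            err = label - sigmoid(sum(a * b for a, b in zip(w, feats)))
            w = [a + rate * err * b for a, b in zip(w, feats)]
    return w


def accuracy(w, samples):
    """Fraction of samples whose observed bit the model predicts correctly."""
    hits = sum((sum(a * b for a, b in zip(w, f)) > 0) == bool(y) for f, y in samples)
    return hits / len(samples)


def run_experiment(seed=2024, n_train=2000, n_test=1000):
    """Train M* on two views of the same PUF and score it on unseen challenges."""
    rng = random.Random(seed)
    puf = SimulatedPUF(rng)
    secret = bytes(rng.getrandbits(8) for _ in range(16))  # stands in for X_i / Z_j

    def challenges(n):
        return [[rng.getrandbits(1) for _ in range(N_STAGES)] for _ in range(n)]

    train, test = challenges(n_train), challenges(n_test)
    views = {
        "raw_crp": lambda c: puf.response(c),                   # CRPs sent in clear
        "masked": lambda c: masked_observation(puf, c, secret),  # hashed with a secret
    }
    result = {}
    for name, observe in views.items():
        model = fit_model([(parity_features(c), observe(c)) for c in train])
        result[name] = accuracy(model, [(parity_features(c), observe(c)) for c in test])
    return result


if __name__ == "__main__":
    for view, acc in run_experiment().items():
        print(f"{view:8s} prediction accuracy on unseen challenges: {acc:.3f}")
```

Accuracy well above one half on the raw view means the exposed CRPs are enough to clone the simulated PUF; accuracy near one half on the masked view means the observations carry no learnable signal without the secret.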

VIII. PERFORMANCE COMPARATIVE ANALYSIS
We offer a comprehensive analysis of the performance comparison of R2AKE-V2G and existing schemes [12], [21], [22], [23], [25], [26], [27] by calculating communication and

A. Security Requirement and Functionality
We compare the "security functionalities and requirements" of R2AKE-V2G with the existing schemes for V2G networks [12], [21], [22], [23], [25], [26], [27]. Referring to the information given in Table IV, we proved that some related schemes for V2G networks are not fully protected and may be vulnerable to lethal security attacks. Hence, a cryptographic protocol should be designed so that it is robust and secure against security attacks. In contrast, R2AKE-V2G is secure against "potential security attacks" and also provides the "essential security functionalities and requirements." Thus, R2AKE-V2G guarantees more security functionalities and requirements than the existing schemes for V2G networks.

C. Computation Costs
We present the "computation cost comparison analysis" of R2AKE-V2G and the existing schemes [12], [21], [22], [23], [25], [26], [27]. We utilize the well-known PBC [44] and JCE [45] libraries to derive the execution times needed for cryptographic primitives. In Table VI, we use "$T_h$, $T_s$, $T_{mp}$, $T_e$, $T_b$, $T_m$, $T_{\text{cert gen}}$, and $T_{\text{cert ver}}$" to denote the execution times required for "a hash function, a symmetric key encryption/decryption, an elliptic curve multiplication point, a modular exponential, a bilinear pairing, an elliptic curve multiplication, and a certificate generation and verification." We take the platform for $U_i$ as "Smartphone Lenovo Zuk Z1 with Quad-core 2.5-GHz processor having 4-GB RAM and Android Operating System V5.1.2." We also take the platform for the CS/USP server as "a virtual machine with HP E8300 Core i5 and 2.93-GHz processor with 4-GB RAM using Ubuntu 16.11 OS." In Table VII and Fig. 6, we present comparative results for the computation costs of R2AKE-V2G and the existing related schemes. Although R2AKE-V2G has a slightly higher computation cost than the existing related schemes [12], [23], [27], the proposed AKE scheme has a more lightweight computation cost than the other related schemes [21], [22], [25], [26] and also provides better security functionalities and requirements than the existing related schemes [12], [21], [22], [23], [25], [26], [27]. Thus, R2AKE-V2G is suitable for practical V2G environments.

IX. NS-3 IMPLEMENTATION
To assess the utility and availability of R2AKE-V2G, we utilize NS-3 [16] on a system running Ubuntu 20.04.6 LTS, equipped with an Intel Core i5-10400 CPU operating at 2.90 GHz. In the simulation configuration, USP is fixed at the central location, while CS is randomly positioned within a range of 20 to 350 m from USP. We also configure the mobility of $U_i$ to a maximum speed of 15 m/s within a range of 0 to 300 m around USP. We perform the simulation under three scenarios in compliance with the IEEE 802.11 standard network; the detailed parameters of the experimental environments are shown in Table VIII.
In R2AKE-V2G, the entities $U_i$, CS, and USP engage in the exchange of authentication messages. These messages include $Msg_1 = \{RID_i, M_1, Auth_U, C_U^1, T_1\}$, with a size of 71.5 bytes, $Msg_2 = \{MI_1, ID_{CS}, C_{CS}^1, T_2, C_U^1, T_1\}$, sized at 62.5 bytes, $Msg_3 = \{MI_2, T_3\}$, with a size of 36 bytes, and $Msg_4 = \{ID_{CS}, M_4, Auth_{USP-U}, Auth_{CS-U}, T_3, T_4\}$, with 75.5 bytes. We evaluate the impact of R2AKE-V2G on the "end-to-end delay" and "throughput" of exchanged messages over a duration of 1200 s under distinct scenarios.

A. End-to-End Delay
We assess the end-to-end delay, representing the average time it takes for data packets to traverse from the source entity to the destination entity. The computation involves $\sum_{y=0}^{P_t} (T_{R_y} - T_{S_y})/P_t$, where $P_t$ denotes the total packet count, $T_{R_y}$ signifies the received time of the $y$th packet, and $T_{S_y}$ denotes the transmission time of the $y$th packet. Fig. 7 illustrates the end-to-end delay observed in the simulation outcomes under three scenarios. As the number of entities increases, the number of forwarded packets increases and the end-to-end delay is likely to be amplified due to resource processing and traffic load. Therefore, we can observe that as the number of $U_i$ and CS increases, the end-to-end delay increases since the distance between entities decreases.

TABLE VIII SIMULATION PARAMETERS

Fig. 7. End-to-end delay.

B. Throughput
Throughput is a metric that quantifies the amount of transmitted data bits per unit of time within a communication network. The network throughput is calculated as $(R \times |\eta|)/T_R$, where $R$, $|\eta|$, and $T_R$ represent the number of received packets, the size of an individual packet, and the total time in seconds, respectively. Fig. 8 shows the simulation outcomes illustrating the throughput of the proposed scheme, considering an overall simulation duration of 1800 s. The analysis reveals that network throughput increases as the number of exchanged messages increases.

X. CONCLUSION AND FUTURE WORKS
We demonstrate that Sureshkumar et al.'s scheme is not resistant to impersonation and session key disclosure attacks and also lacks secure mutual authentication. Thus, we design a new PUF-based robust and anonymous AKE scheme for V2G networks. We show that R2AKE-V2G is resilient to MITM and replay attacks by using AVISPA implementation analysis. Moreover, we prove the session key security of R2AKE-V2G by using the ROR oracle model. We also implement R2AKE-V2G in an NS-3 simulation to show its impact on various network performance parameters.

TABLE II SYMBOLS
B. User Registration Phase
$U_i$ duly registers with USP and acquires specific confidential credentials from USP.
URP-1: $U_i$ generates an identity $ID_U$, a biometric BIO, and a password $PW_i$ and calculates b

establishes a common session key $SK_A = h(L_{A1} \| L_{A3} \| L_5)$ with the USP and CS. Consequently, Sureshkumar et al.'s scheme cannot prevent impersonation attacks because $\mathcal{A}$ can impersonate the legitimate $U_i$.

Sureshkumar et al. claimed that their scheme [12] guarantees secure "mutual authentication." Unfortunately, according to Sections V-A and V-B, $\mathcal{A}$ can successfully create the login message $Auth_U = h(L_1 \| L_2 \| T_1)$ and the authentication message $NAuth_U = h(N_{u_1} \| N_{u_2} \| S_i \| L_1)$ for mutual authentication. As a result, Sureshkumar et al.'s scheme lacks secure "mutual authentication" between $U_i$, USP, and CS.

TABLE III QUERIES AND PURPOSES

In the proposed AKE scheme, if USP's private key $MK_{USP}$ is revealed, $\mathcal{A}$ cannot compute $SK = h(R_1 \| R_2 \| R_3)$ because $\mathcal{A}$ cannot obtain the "PUF responses $\{R_U^1, R_{CS}^1\}$ and secret credentials $\{X_i, Z_j\}$, and random nonces PUF secret values $\{R_1, R_2, R_3\}$." Thus, R2AKE-V2G guarantees perfect forward secrecy.
10) Mutual Authentication: In R2AKE-V2G, all entities successfully perform mutual authentication. After receiving the authentication request messages $\{Msg_1, Msg_2\}$, USP verifies $Auth^* \overset{?}{=} Auth_U$. If it matches, USP authenticates $U_i$. Upon getting the authentication confirmation message $\{Msg_3\}$, CS verifies $Auth^*$

TABLE IV COMPARATIVE STUDY ON SECURITY FEATURES

TABLE V COMMUNICATION COST (IN BITS) OF CRYPTOGRAPHIC PRIMITIVES

computation costs during AKE phase. In addition, we compare the security and functionality features.

TABLE VII COMPARATIVE PERFORMANCE ANALYSIS FOR COMPUTATION AND COMMUNICATION COSTS