A Reliable and Privacy-Preserving Vehicular Energy Trading Scheme Using Decentralized Identifiers

Abstract

As the usage of electric vehicles (EVs) expands, various energy management technologies, including battery energy storage systems, are being developed to efficiently charge EVs using various energy sources. In recent years, many blockchain-based energy trading schemes have been proposed for secure energy trading. However, existing schemes cannot fully solve privacy issues and security problems during energy trading. In this paper, we propose a reliable and privacy-preserving vehicular energy trading scheme utilizing decentralized identifier technology. In the proposed scheme, identity information and trading result information are not revealed publicly; this is due to the use of decentralized identifiers and verifiable credential technologies. Additionally, only parties who have successfully conducted energy trading can manage complete transaction information. We also demonstrate our method’s security and ensure privacy preservation by performing informal and formal security analyses. Furthermore, we analyze the performance and security features of the proposed scheme and related works and show that the proposed scheme has competitive performance.

1. Introduction

As the urgency to transition to eco-friendly transportation systems grows in the near future to significantly reduce fossil fuel consumption and CO₂ emissions, electric vehicles (EVs) have become critical as a primary mode of transportation by offering emission-free operation. However, the widespread distribution of EVs is creating problems for EV users, who are limited in time and space to charge their EVs. To address these issues and ensure smooth travel for EV users, it is necessary to expand the EV charging infrastructure, which may involve converting existing fossil fuel gas stations into electric-only charging stations and/or constructing new charging stations [1,2].

Specifically, the progress of smart grid (SG), energy management, and internet of vehicle (IoV) technologies enables EVs to charge everywhere from various energy resources, such as a grid stations, homes, and other vehicles [3,4,5,6,7]. However, despite the expansion of the EV market with the technologies mentioned above, the charging infrastructure remains at a preliminary stage in terms of commercialization. According to a report published by the (IEA) in 2020, the number of electric vehicles was estimated to reach 7.2 in 2019. In contrast, the number of charging stations was estimated to be approximately 0.8 million [8]. Furthermore, a market research report indicated that many countries face a shortage of charging stations compared to the growing demand for EVs [9]. Given that EVs are characterized by high mobility and unpredictability, energy demand can become concentrated based on the time and location of operation. Integrating the energy flow for EVs into existing power grids can lead to issues like peak load increases, power loss, and voltage drops during charging and discharging processes. Consequently, high demand for EV charging, combined with inadequate infrastructure, can have severe negative impacts on existing smart grids [10,11]. Recently, to address these challenges, energy trading approaches that utilize smart grid technology such as battery energy storage systems have been researched in order to enable energy to be sourced from external sources rather than relying solely on existing power grids [12,13].

Several energy trading schemes for vehicular energy trading systems [14,15] have been proposed to provide reliable energy management. These schemes, on the one hand, offer an energy trading service based on a centralized infrastructure. However, because their scheme does not account for charging station overload, it is difficult to provide reliable service. Additionally, significant privacy concerns arise as the central authority node, which manages users’ personal data and arranges energy transactions, is exposed to potential adversary attacks. In addition, communications regarding vehicular energy trading are performed on wireless channels, which can be exposed to various threats by attackers, such as impersonation attacks, replay attacks, and man-in-the-middle attacks. If the personal information is leaked to a malicious attacker, the attacker can conjecture the home, workplace, and hobbies of the driver [16,17,18]. Therefore, a secure authentication protocol is necessary.

Recently, research for decentralized energy trading systems [19,20,21,22] has been presented to resolve the security issues of a centralized system. A blockchain is regarded as a trusted distributed ledger that ensures data integrity and decentralization. In previous works, trading records were stored on the blockchain to ensure data privacy [23,24]. However, even if personal data are encrypted before being uploaded to the blockchain, security issues may arise later because the data recorded in the blockchain cannot be deleted or modified. Recently, due to privacy issues with blockchains, it is recommended not to store personal data on blockchains [25,26].

Decentralized identifiers (DIDs) are a new type of identifier that enable verifiable decentralized digital identities. DIDs provide a unique, decentralized way for entities to assert and control their identities without relying on centralized authorities. Each DID is generated by the entity it represents and is accompanied by a DID document containing cryptographic keys and verification methods. DIDs ensure interoperability across various decentralized systems and platforms while offering enhanced privacy and security. Users retain full control over their personal data, mitigating the risks associated with centralized identity management systems. In essence, DIDs empower individuals and organizations to manage their digital identities securely and autonomously in decentralized environments.

In this paper, we propose a reliable and privacy-preserving vehicular energy trading scheme using decentralized Identifiers to resolve the above-mentioned security challenges. In the proposed approach, the blockchain only records the information necessary for user verification, while personal information and transaction details are not stored. Moreover, completed transaction information is recorded using verifiable credentials, which can prove the validity of VCs later without any interaction using the blockchain.

This paper proposes a vehicular energy trading scheme using decentralized identifiers to address the security issues mentioned above while ensuring reliability and privacy protection. The proposed scheme does not store users’ personal data and trading data on the blockchain; instead, the blockchain only operates to verify users’ authenticity. Furthermore, digital signatures and verifiable credential technology are employed to ensure the reliability of transactions, and records of transaction outcomes are stored. Transaction participants can independently prove the validity of future verifiable credentials using the blockchain without the need for third-party assistance.

1.1. Motivation

The main motivation of this work is, first, to propose a solution that protects the privacy of energy traders. In existing decentralized energy trading schemes, most information, including transaction results, is recorded on the blockchain. However, while this method ensures data integrity and transparency, it also carries the risk of potential leakage to other participants. Additionally, storing a lot of data on a blockchain is costly and does not guarantee scalability.

Secondly, we aim to provide a reliable trading solution. Existing vehicle-to-vehicle energy trading methods require vehicles to arrive at the same time and place for energy trading. While advancements in battery energy storage systems (BESSs) have helped overcome the temporal constraints of vehicle-to-vehicle energy trading, the system’s reliability could be compromised if malicious energy sellers pursue financial gain without delivering energy. Therefore, finding a solution that ensures the reliability of energy trading in such cases is essential. To address these issues, we are motivated to use a public blockchain, DID, VC, and commitment approaches to consider security, privacy, and reliability for the vehicular energy trading system.

1.2. Contributions

The main contributions of this paper are below.

•

We propose a reliable and privacy-preserving vehicular energy trading scheme using decentralized identifiers (DIDs) and verifiable credential (VC) technologies. The energy purchaser’s DID is not revealed during the authentication process at the reservation phase. Additionally, completed transaction information is not recorded in a public ledger but in VCs.

•

In order to ensure reliability in energy trading, the initial VC shared during the reservation phase is incomplete. When the transaction parties successfully perform the energy trade, the signature of the CS is added to the VC, and it becomes valid.

•

We analyze the proposed scheme using an ROR model and AVISPA simulation for demonstrating it resists malicious attacks and attains security features.

•

We compare the performance and security features of the proposed scheme and related works to showcase the security and efficiency of our approach.

This paper is organized as follows. In Section 2 and Section 3, we review the related works and relevant preliminaries, respectively. In Section 4, we propose a vehicular energy trading system model. Section 5 describes the details of the proposed energy trading scheme. In Section 6, we analyze the security of the proposed scheme. In Section 7, we analyze the performance of the proposed scheme compared to related schemes. Finally, we conclude this paper in Section 8.

2. Related Work

2.1. Decentralized Energy Trading System for Electric Vehicles

Energy trading systems for electric vehicles (EVs) have gained significant attention as a means to promote sustainable energy distribution. The traditional centralized approach to managing these energy transactions has security risks, such as single points of failure and data integrity issues. As a result, there is a growing interest in transitioning to a blockchain-based decentralized structure to enhance security [27,28,29,30]. The transition to a decentralized energy trading system using blockchain offers several security benefits:

•

Elimination of single points of failure: In a centralized system, all information is processed through a central authority, creating a vulnerability. Blockchain decentralizes transaction processing, reducing the risk of system-wide failure due to a single compromised node.

•

Data integrity and immutability: Blockchain records transactions in a manner that ensures data cannot be tampered with. This immutability is crucial for maintaining accurate and trustworthy records in EV energy trading systems, which allows for robust auditing and accountability.

•

Enhanced security through decentralization: By distributing transactions across a network of nodes, blockchain-based systems are inherently more secure against cyber-attacks. Encrypted data and consensus-based verification methods provide additional layers of protection.

•

Increased trust and transparency: In a blockchain-based system, all participants can view the transaction history, which enhances transparency. This transparency builds trust among users, as they can independently verify the accuracy and legitimacy of transactions.

2.2. Privacy Protection and Reliability Research for Decentralized Energy Trading Systems

In recent years, research on vehicular energy trading schemes has been proposed to protect user privacy and ensure the reliability of transactions. Gai et al. [31] proposed a privacy-preserving approach for energy trading users in a blockchain-based energy trading system. They proposed a noise-based privacy protection scheme to resist linking attacks that violate energy purchasers’ privacy by linking public information recorded in the blockchain with other datasets. However, their scheme does not consider privacy issues during data transmission and has the problem that energy traders rely on tokens issued by energy brokers to verify the legitimacy of the counterparties. Guan et al. [32] proposed privacy-preserving energy trading based on blockchain and attribute-based encryption (ABE). They focused on the problem of privacy leakage in blockchain-based energy trading systems, which exposes the raw information of users recorded in the blockchain. Their scheme proposed a ciphertext policy ABE-based access control method so that authorized users can access user information recorded in the blockchain. Xia et al. [33] proposed a V2V electricity trading scheme for the Internet of Vehicles by leveraging blockchain technology. Their scheme utilized a Bayesian game framework to model the strategic interactions among vehicles engaged in energy trading. By incorporating Bayesian inference techniques, vehicles can make informed decisions based on their private information and the observed behavior of other vehicles. The authors promote trust among participants by leveraging blockchain technology, which ensures transparency, security, and immutability of transactions, along with smart contracts, which are programmable codes that are reliable. Baza et al. [34] proposed blockchain-enabled secure energy trading schemes for both charging-stations-to-vehicle (CS2V) and vehicle-to-vehicle (V2V) scenarios. This scheme addresses privacy concerns by leveraging blockchain technology and smart contracts to facilitate transparent and tamper-proof transactions while ensuring fairness. The authors proposed a common prefix linkable anonymous authentication scheme to mitigate Sybil attacks and ensure system availability. Additionally, an anonymous and efficient blockchain-based payment system is proposed to prevent double-spending attacks. Li et al. [35] proposed a decentralized energy trading system named FeneChain that ensures privacy protection, verifiable fairness, and access control. They addressed security and privacy concerns in centralized energy trading systems and introduced mechanisms for anonymous authentication, timed commitments, and fine-grained access control. FeneChain addresses fairness issues in peer-to-peer (P2P) energy trading and aims to protect the rights of energy purchasers. Yahaya et al. [36] proposed a two-stage secure P2P energy trading model using a permissioned blockchain and cloud-based aggregator for secure and transparent P2P energy trading. Their scheme ensures mutual authentication, user privacy protection, and fair pricing and incentivizes energy contribution. A permissioned blockchain, off-chain authentication, and a reputation-based scoring system are employed to prevent impersonation and collusion. The model also features a privacy-preserving dynamic pricing mechanism based on the supply–demand ratio (SDR) and contract theory.

However, Baza et al. [34] use smart contracts to authenticate among EVs and take reservations for energy trading. To execute smart contract, EVs must produce transactions containing details regarding energy exchanges, revealing the identities of energy traders. Despite attempts to obscure or encode the data, they remain permanently recorded in the blockchain as transaction. Additionally, the above-mentioned schemes [33,34,35,36] store information regarding energy trading and/or users in the blockchain, which does not solve the privacy issues. Certain blockchain nodes responsible for upkeep of the decentralized ledger possess the capability to decode these transactions. In our scheme, we utilize DIDs and VCs to provide confidentiality and to ensure privacy preservation by avoiding the recording of sensitive information in the blockchain for the vehicular energy trading system. Therefore, we propose a reliable and privacy-preserving vehicular energy trading scheme using decentralized identifiers to overcome the above-mentioned problems.

3. Preliminaries

The proposed scheme utilizes an elliptic curve cryptosystem (ECC), an elliptic curve Pedersen commitment, decentralized identifiers (DIDs), and verifiable credentials (VCs). The definitions and properties are introduced in this section.

3.1. Elliptic Curve Cryptosystem (ECC)

ECC is a public-key cryptosystem based on the mathematical principles of elliptic curves [37]. Let p be a large prime number and $E_p(a,b)$: $y^2=x^3+ax+b$ be an elliptic curve over a prime finite field ${\mathbb{Z}}_p$, where $(a,b)\in {\mathbb{Z}}_p$, $4a^3+27b^2\ne 0$ (mod p). G is a generator point on $E_p(a,b)$. The features of elliptic curve cryptosystems are defined as follows.

• Elliptic curve discrete logarithm problem (ECDLP): given a base point G and point $A=\alpha ·G$, it is difficult to find the $\alpha \in {\mathbb{Z}}_p$ in probability polynomial time.
• Elliptic curve decisional Diffie–Hellman problem (ECDDHP): given a base points G and two points $A=\alpha ·G$ and $B=\beta ·G$, it is difficult to compute $Q_1=\alpha ·\beta ·G$ in probability polynomial time.

3.2. Elliptic Curve Pedersen Commitment

The elliptic curve Pedersen commitment is an efficient implementation of the Pedersen commitment scheme (PCS) [38,39] that uses the intractability of the ECDLP. In this scheme, a committer commits to secrets such that it is hard for a verifier to open the commitment. The description of the elliptic curve Pedersen commitment is presented in the following steps:

• Setup: Let G be a random generator point on $E_p(a,b)$ and $H=x_H·G$ be a chosen generator point, where $x_H\in Z_p$. The trusted authority publishes $(p,E_p(a,b),G,H)$.
• Commit: The committer creates a commitment C; $x,r\in Z_p$ are random numbers, and $C(x,r)=x·G+r·H$, where $C(x,r)$ represents a dedicated value created by the committer.
• Open: To confirm the authenticity of C, the committer reveals x and r, and the verifier checks if $C=x·G+r·H$.

3.3. Decentralized Identifiers (DIDs)

Decentralized identifiers (DIDs) [40] are a new type of identifier that enables users to control their own identities and sovereignty without relying on trusted authorities. The DID ecosystem leverages blockchain technology for the storage of identities in a tamper-proof and interoperable way. A DID address consists of three fields. The first field, denoted as the DID scheme, is the URI schema of the identity. The second field, denoted as the DID method, defines how the DID scheme can be implemented on a particular distributed ledger. The last field, denoted as the DID method-specific identifier, is the unique identification string. DIDs are resolvable to DID documents, which contain public key parameters and additional information associated with a particular DID. The resolved DID document can be used for signature verification and authentication purposes for the DID subject. Figure 1 shows an example of a DID and Figure 2 shows an example of a DID document.

3.4. Verifiable Credentials (VCs)

A verifiable credential [41] is a tamper-resistant credential containing one or multiple statements about a specific identity. The primary qualification of the VC is to be programmable, privacy-preserving, and secure cryptographically. The issuer signs the VC by using its private key. The public key is stored in the public blockchain. The agent of the user’s DID submits the VC, which includes the required official attestation statements from the issuer. Consequently, it is securely verified that the user can prove specific claims through the presentation of VCs with DID. Only users have the authority to manage and control their DIDs and VCs, and this is done while exposing as little of their claims and personal information as possible. VCs also provide consistent usability across different contexts.

In the W3C VC model [41], the subject should create a decentralized identifier through a verifiable data registry, which is a distributed ledger. The holder requests the issuer to generate a VC representing the specified properties of the identifier. Commonly, the holder is the subject of the VC he/she is maintaining (e.g., a parent maintains VCs for his/her child). The issuer confirms that the identifiers and the properties of the holder are valid, and it has authority to hold the subjects of VCs. Then, the issuer issues the VC. The holder can manage the VC after receiving it from the issuer. As a result, the holder creates a verifiable presentation based on VCs and presents it to the verifier. The identities of the verifiers are unknown to the issuers in this model. Figure 3 shows the workflow for W3C verifiable credentials.

4. Proposed Model

Our proposed blockchain-based V2V energy trading scheme is composed three entities: EVs, RSUs, and the blockchain. We describe each entity below. The proposed system model is also depicted in Figure 4.

• Electric vehicles (EVs): EVs embedded with OBU devices can communicate with external entities through dedicated short range communication (DSRC) or wireless access in vehicular environment (WAVE) and store data securely. Bidirectional EVs can purchase energy (charge) from electric vehicle supply equipment (EVSE) and sell energy to external loads (discharge). In this paper, we refer to the first vehicle as the energy purchaser and the second vehicle as the energy seller.
  Energy seller (ES): To sell surplus energy, the ES generates a bid containing the selling price, transaction time, energy volume, and other relevant information; then, it sends it to other EVs via the RSU. When the ES receives a message from an EP seeking to reserve an energy transaction, it verifies the message and shares the incomplete credentials and session key with the EP. Subsequently, the ES transfers energy and commitment to the promised CS according to the credential information and then completes the credentials by adding the signature received from the CS.
  Energy purchaser (EP): After selecting the optimal bid price, the EP sends a reservation message to the ES to plan energy trading. In the reservation phase, the EP shares incomplete credentials and a session key with the ES. When the EP arrives at the promised CS, the EP proves its commitment to the ES using the session key. If the proof is correct, the ES gets the energy stored in the CS.
  In this paper, RSU only provides a wide range of wireless communication services to EVs.
• Smart charging stations (CSs): CSs are equipped with battery energy storage and a communication module for EV charging services. The CS receives the commitment and energy from the ES and stores it. The stored energy is passed on to the EP, who proves the same commitment. CSs are a type of semi-trusted authority. Even if the charging station is attacked by a malicious attacker, there is no advantage to the attacker because the charging station does not have specific information about the energy trading.
• Blockchain: The proposed energy trading system utilizes a public blockchain. Public blockchains are fully decentralized infrastructures, allowing all nodes on the network to easily participate without the intervention of a trusted authority and preventing single points of failure. To ensure that all participants in the system agree on a single source of truth, consensus algorithms are employed. In our system, this source comprises DID documents rather than energy trading information between EVs.

5. Proposed Scheme

We present the details of the proposed scheme in a vehicular energy trading environment. It is composed of five phases; initialization phase, DID generation phase, submitting bids phase, reservation phase, and charging phase.

5.1. Initialization Phase

Trusted authorities (TA)s first initiate the system’s public parameters. The TA sets an elliptic curve $E(a,b)$: $y^2=x^3+ax+b$ over a prime finite field ${\mathbb{Z}}_p$, generators G and H, and a hash function $h(·):{\{0,1\}}^{*}\to Z_p$, where $a,b\in {\mathbb{Z}}_p, 4a^3+27b^2\ne 0$. And the TA publishes system parameters $\{p,q,E(a,b),G,H,h(·\left)\right\}$.

5.2. DID Generation Phase

In this phase, All system participant generate their own decentralized identifiers. Each EV selects aN identity $I{D}_i$, password $P{W}_i$, and random numbers $a_i,b_i\in Z_p$, where $a_i$ is its private key $S{K}_i$. Then, the EV generates a public key $P{K}_i=S{K}_i·G$ and stores the $P{K}_i$ as a DID document on the blockchain. After the DID document is stored on the blockchain, the EV obtains the decentralized identifier $DI{D}_i$ corresponding to the DID document. After that, the EV calculates $HP{W}_i=h(b_i\left|\right|P{W}_i)$, $A_i=b_i\oplus h(I{D}_i\left|\right|P{W}_i)$, $B_i=h(I{D}_i\left|\right|HP{W}_i\left|\right|b_i)$ and stores $\{A_i,B_i\}$ securely in its storage. RSUs and CSs also create their own DIDs in a process similar to the DID generation steps of the EV.

5.3. Submitting Bids Phase

If the $E{S}_i$ user wants to sell surplus energy, $E{S}_i$ discloses the bids to potential buyers. $E{P}_j$, which endures a lack of energy, reviews bids and selects the best one. The detailed process of the submitting bids phase is as follows and is also shown in Figure 5.

• Step 1: $E{S}_i$ user enters identity $I{D}_i$ and password $P{W}_i$ and computes $h\left(I{D}_i\right|\left|P{W}_i\right)$, $b_i^{*}=A_i\oplus h(I{D}_i\left|\right|P{W}_i)$, $HP{W}_i^{*}=h(P{W}_i\left|\right|b_i^{*})$, $B_i^{*}=h(I{D}_i\left|\right|HP{W}_i^{*}\left|\right|b_i^{*})$. Then, $E{S}_i$ verifies whether $B_i\stackrel{?}{=}{B}_i^{*}$. If it matches, $E{S}_i$ generates a random number $x_i\in Z_p$ and a current timestamp $T_i$ and computes $X_i=x_i·G$, $HM{S}_1=h(amoun{t}_i\left|\right|pric{e}_i\left|\right|DI{D}_i\left|\right|ex{t}_i\left|\right|T_i)$, signature ${\delta }_i=x_i+HM{S}_i·S{K}_i$, and a bid $bi{d}_i=\{amoun{t}_i,pric{e}_i,X_i,DI{D}_i,ex{t}_i\}$ to sell surplus energy, where $amoun{t}_i, pric{e}_i, ex{t}_i$ denote an amount of energy to sell, a selling price, an expiration time for the transaction, respectively. $E{S}_i$ propagates $\{bi{d}_i,{\delta }_i,T_i\}$.
• Step 2: $E{P}_j$ checks the freshness of timestamp $|T_2-T_1|\le ▵T$ and uses $DI{D}_i$ to retrieve the corresponding DID document. Then, $E{P}_j$ computes $HM{S}_1^{*}=h(amoun{t}_i\left|\right|$$pric{e}_i\left|\right|DI{D}_i\left|\right|ex{t}_i\left|\right|T_i)$ and checks whether ${\delta }_i·G=X_i+HM{S}_1^{*}·P{K}_i$. It is essential for $E{P}_j$ to select the best bid and, at the same time, check the validity of the bid.

5.4. Reservation Phase

$E{P}_j$ selects the $E{S}_i$ that presented the optimal bid among multiple bids and sends a message to schedule an energy transaction with $E{S}_i$. When $E{S}_i$ confirms the message and the transaction reservation between $E{P}_j$ and $E{S}_i$ is completed, $E{P}_j$ and $E{S}_i$ share a session key and incompletely verifiable credentials. The credentials contain information related to the energy transaction, including energy volume, price, and energy storage location. The detailed process is as follow and is also shown in Figure 6.

• Step 1: $E{P}_j$ inputs $I{D}_j$ and $P{W}_j$ and then computes $h\left(I{D}_j\right|\left|P{W}_j\right)$, $b_j^{*}=A_j\oplus h(I{D}_j\left|\right|P{W}_j)$, $HP{W}_j^{*}=h(P{W}_j\left|\right|b_j^{*})$, $B_j^{*}=h(I{D}_j\left|\right|HP{W}_j^{*}\left|\right|b_j^{*})$. $E{S}_j$ checks $B_j\stackrel{?}{=}{B}_j^{*}$. If it is valid, $E{P}_j$ generates a random number $y_j$ and a timestamp $T_3$ and computes $Y_j=y_j·G$, $E{K}_{ij}=h(y_j·X_i)$, $E{M}_1=E{K}_{ij}\oplus (bil{l}_i,DI{D}_j)$, $Sym{K}_{E{S}_i-E{P}_j}=h(X_i·s{k}_j\left|\right|y_j·P{K}_i)$, $HM{P}_1=h(bil{l}_i\left|\right|T_3\left|\right|Y_j\left|\right|Sym{K}_{E{S}_i-E{P}_j})$, ${\delta }_j=y_j+HM{P}_1·S{K}_j)$. Then, $E{P}_j$ sends $\{E{M}_1,Y_j,{\delta }_j,T_3\}$ to $E{S}_i$.
• Step 2: $E{S}_i$ checks the timestamp $T_3$ and computes $E{K}_{ij}=h(x_i·Y_j)$, $(bil{l}_i,DI{D}_j)=E{M}_1\oplus E{K}_{ij}$. Then, $E{S}_i$ retrieves $DI{D}_j$’s document using $DI{D}_j$ to obtain $P{K}_j$ and computes $Sym{K}_{E{S}_i-E{P}_j}=h(x_i·P{K}_j\left|\right|Y_j·S{K}_i)$, $HM{P}_1^{*}=h(bil{l}_i\left|\right|T_3\left|\right|Y_j\left|\right|Sym{K}_{E{S}_i-E{P}_j})$. $E{S}_i$ verifies the signature ${\delta }_j$ through ${\delta }_j·G\stackrel{?}{=}{Y}_j+HM{P}_1^{*}·P{K}_j$.
• Step 3: When $E{S}_i$ and $E{P}_j$ select the optimal charging station $G{S}_z$ for energy trading, $E{S}_i$ generates a temporary credential $VC{t}_{rsv}$ recording a signature and information about the negotiated transaction and sends $VC{t}_{rsv}$ encrypted with $Sym{K}_{E{S}_i-E{P}_j}$ to $E{P}_j$.
• Step 4: $E{P}_j$ decrypts the $En{c}_{SymK}\left(VC{t}_{rsv}\right)$ using $Sym{K}_{E{S}_i-E{P}_j}$ and verifies the signature of $E{S}_i$ recorded in $VC{t}_{rsv}$. After that, $E{P}_j$ adds payment information and a signature to $VC{t}_{rsv}$. Then, $E{P}_j$ sends $VC{t}_{rsv}^{*}$ encrypted with $Sym{K}_{E{S}_i-E{P}_j}$ to $E{S}_i$ and stores $VC{t}_{rsv}^{*}$.
• Step 5: $E{S}_i$ decrypts $En{c}_{SymK}\left(VC{t}_{rsv}^{*}\right)$ using $Sym{K}_{E{S}_i-E{P}_j}$ and verifies the signature of $E{P}_j$ recorded in $VC{t}_{rsv}^{*}$. Then, $E{S}_i$ stores $VC{t}_{rsv}^{*}$.

5.5. Charging Phase

In this phase, $E{P}_j$ and $E{S}_i$ trade energy through the promised charging station equipped with BESS according to the initial credentials.

5.5.1. $E{S}_i$ Discharging

According to the negotiation in $VC{t}_{rsv}^{*}$, $E{S}_i$ stores the surplus energy in $G{S}_z$ and then receives a signature from $G{S}_z$ to make its $VC{t}_{rsv}^{*}$ valid. $G{S}_z$ receives a commitment and energy from $E{S}_i$ and sends its signature to $E{S}_i$. A complete credential $VC{t}_{rsv}^{*}$ proves that $E{S}_i$ stored the energy in $G{S}_z$ as negotiated. Figure 7 depicts the $E{S}_i$ discharging phase.

• Step 1: $E{S}_i$ generates an $n_i\in Z_p$ and a timestamp $T_5$. Next, $E{S}_i$ computes $N_i=n_i·G$, $A{K}_{iz}=n_i·P{K}_z$, $HIF=h\left(inf\right|\left|pay\right)$, $Com=Sym{K}_{E{S}_i-E{P}_j}·G+HIF·H$, $ES{M}_1=A{K}_{iz}\oplus \left(HIF\right||DI{D}_i\left|\right|Com)$, ${\delta }_{i2}=n_i+h\left(HIF\right|\left|Com\right||N_i\left|\right|T_5)·S{K}_i$ and sends $\{ES{M}_1,$$N_i,{\delta }_{i2},T_5\}$ to $G{S}_z$
• Step 2: $G{S}_z$ checks the freshness of the $T_5$ and calculates $A{K}_{iz}=N_i·S{K}_z$, $\left(HIF\right||DI{D}_i$$\left|\right|Com)=ES{M}_1\oplus A{K}_{iz}$. If ${\delta }_{i2}·G=N_i+h\left(HIF\right|\left|Com\right||N_i\left|\right|T_5)·P{K}_i$ matches, $G{S}_z$ generates $Si{g}_{s{k}_z}\left(HIF\right)$ and sends $ES{M}_2=A{K}_{iz}\oplus Si{g}_{s{k}_z}\left(HIF\right)$ to $E{S}_i$.
• Step 3: $E{S}_i$ calculates $Si{g}_{s{k}_z}\left(HIF\right)=ES{M}_2\oplus A{K}_{iz}$ and verifies $Si{g}_{s{k}_z}\left(HIF\right)$ using $G{S}_z$’s public key. If the signature is valid, $E{S}_i$ records $Si{g}_{s{k}_z}\left(HIF\right)$ in $V{C}_{rsv}^{*}$ and transmits vehicular energy and $price$ to $G{S}_z$.
• Step 4: $G{S}_z$ stores $\{Com,price\}$ in a database and energy in battery storage.

5.5.2. $E{P}_j$ Charging

When $E{P}_j$ arrives at the entrusted charging station $C{S}_z$, $E{P}_j$ creates a commitment and submits it to $C{S}_z$. $C{S}_z$ verifies the integrity of the message and validates the legitimacy of the commitment through a handshake with $E{P}_j$. If the commitment is valid, $C{S}_z$ transfers the entrusted energy and signature to $E{P}_j$. $E{P}_j$ adds the received signature to the $VC{t}_{rsv}^{*}$ to complete it. Figure 8 depicts the $E{P}_j$ charging phase.

• Step 1: $E{P}_j$ generates random numbers $m_j$, $l_j\in Z_j$ and timestamps $T_7$ and computes $M_j=m_j·G$, $L_j=l_j·H$, $EP{M}_1=M_j+L_j$, $A{K}_{jz}=m_j·P{K}_z$, $HIF=h\left(Inf\right|\left|pay\right)$, $Co{m}^{*}=Sym{K}_{E{S}_i-E{P}_j}·G+HIF·H$, $EP{M}_2=A{K}_{jz}\oplus \left(HIF\right||Co{m}^{*}\left|\right|EP{M}_1)$, $EP{M}_3=h\left(HIF\right||Co{m}^{*}\left|\right|EP{M}_1\left|\right|T_7\left|\right|M_j)$. Then, $E{P}_j$ sends $\{EP{M}_2,EP{M}_3,M_j,T_7\}$ to $C{S}_z$.
• Step 2: After receiving the message from $E{P}_j$, $C{S}_z$ verifies the freshness of the message. $C{S}_z$ calculates $A{K}_{jz}=M_j·S{K}_z$, $\left(HIF\right||Co{m}^{*}\left|\right|EP{M}_1)=EP{M}_2\oplus A{K}_{iz}$, $EP{M}_3^{*}=h\left(HIF\right|\left|Com\right||EP{M}_1\left|\right|T_7\left|\right|M_j)$ and checks whether $EP{M}_3\stackrel{?}{=}EP{M}_3^{*}$ is correct. If it is correct, $C{S}_z$ retrieves $Com$ and sends a random number $e_z\in Z_p$ to $E{P}_j$.
• Step 3: $E{P}_j$ computes $\alpha =m_j+e·Sym{K}_{E{S}_i-E{P}_j}$, $\beta =l_j+e·HIF$ and submits $\{\alpha ,\beta \}$ to $C{S}_z$
• Step 4: If $\alpha ·G+\beta ·H\stackrel{?}{=}EP{M}_1+Com$ is correct, $C{S}_z$ generates $Si{g}_{s{k}_z}\left(HIF\right)$, $EP{M}_4=A{K}_{iz}\oplus Si{g}_{s{k}_z}\left(HIF\right)$ and transfers $\left\{EP{M}_4\right\},Energy$ to $E{P}_j$.
• Step 5: $E{P}_j$ calculates $Si{g}_{s{k}_z}\left(HIF\right)=EP{M}_4\oplus A{K}_{jz}$ and verifies $Si{g}_{s{k}_z}\left(HIF\right)$ using $G{S}_z$’s public key. If the signature is valid, $E{P}_j$ records $Si{g}_{s{k}_z}\left(HIF\right)$ in $V{C}_{rsv}^{*}$.

6. Security Analysis

We carry out informal and formal analyses to verify the security of the proposed scheme. We utilize the real-or-random (ROR) oracle model to ensure the security of session keys and employ Automated Validation of Internet Security Protocols and Applications (AVISPA) simulation [42] to assess resilience against several security attacks.

6.1. Informal Analysis

In this section, we carry out an informal analysis to verify that the proposed scheme resists various attacks and achieves security features such as confidentiality, reliability, and mutual authentication.

• Impersonation attack: Malicious attackers can attempt to impersonate a legitimate vehicle. However, as mentioned in Section 3.1, due to ECDLP and ECDDHP, attackers find it challenging to compute the vehicle’s private key $S{K}_x$ and session key $Sym{K}_{E{S}_i-E{P}_j}$, making it difficult to impersonate a legitimate vehicle. Therefore, the proposed scheme is secure against an impersonation attack.
• Replay attack: Attackers can intercept messages transmitted over a public channel and resend or delay them to obtain sensitive information or to execute other security attacks. However, since messages transmitted over the public channel include timestamps and random numbers, recipients can verify the freshness of the message. Therefore, the proposed scheme is secure against replay attacks.
• Man-in-the-middle (MITM) attack: Attackers can participate in communication between two legitimate vehicles during the reservation phase to collect valuable information about the users and to later attempt to forge messages using this information. However, due to the use of one-way hash functions, random numbers, and timestamps, the integrity and freshness of the message is ensured. Additionally, since signatures ${\delta }_x$ are generated using private keys $S{K}_x$, attackers cannot create valid authentication messages. Therefore, the proposed scheme is secure against a man-in-the-middle attack.
• Confidentiality: In the proposed scheme, the DID of the energy purchaser is not exposed in order to conceal transactions between the energy seller and purchaser. However, the DID of the energy seller is exposed to publicly verify the legitimacy of the seller and invoices. Additionally, the charging station, which manages the energy received from the energy seller, provides energy only to vehicles that present the correct commitment $Com$, thus not requiring information about the energy purchaser. Moreover, only the parties involved in the energy transaction possess verifiable credentials to prove their participation.
• Reliability: To ensure the reliability of energy transactions between two vehicles in the proposed scheme, both vehicles share verifiable credentials during the reservation phase. These credentials are not valid until they obtain the signature from the charging station. As both vehicles successfully delegate and accept energy through the charging station, they can complete their credentials by obtaining the signature value from the charging station. Therefore, the proposed scheme provides reliability to energy traders so that they can proceed with the normal energy trading process.
• Mutual authentication: $E{S}_i$ and $E{P}_j$ authenticate each other. $E{S}_i$ authenticates $E{P}_j$ by checking whether ${\delta }_j·G\stackrel{?}{=}{Y}_j+HM{P}_1^{*}·P{K}_j$ is correct during the reservation phase. $E{P}_j$ authenticates $E{S}_i$ by verifying whether ${\delta }_i·G\stackrel{?}{=}{X}_i+HM{S}_1^{*}·P{K}_i$ is correct during the submitting bids phase. Therefore, the proposed scheme ensures mutual authentication.

6.2. Formal Analysis

We conduct a formal security proof by using the AVISPA simulation and the ROR oracle model.

6.2.1. ROR model

The ROR model, which is based on probabilistic game theory, is utilized for analyzing the semantic security of an authenticated key agreement. We utilize the ROR oracle model to evaluate the session key security for the proposed scheme. We briefly introduce the ROR oracle model.

In the ROR model, there are three parties: the energy seller ${\mathcal{P}}_{ES}^{t1}$ and the energy purchaser ${\mathcal{P}}_{EP}^{t2}$, where ${\mathcal{P}}_{ES}^{t1}$ and ${\mathcal{P}}_{EP}^{t2}$ are the instances of $E{S}_i$ and $E{P}_j$. In

Table 1. Various queries and descriptions.

Query	Description
$Execute({\mathcal{P}}_{ES}^{t1},{\mathcal{P}}_{EP}^{t2})$	Under this query, $\mathcal{A}$ performs an eavesdropping attack between ${\mathcal{P}}_{ES}^t$ and ${\mathcal{P}}_{EP}^t$ over a public channel.
$Send({\mathcal{P}}^t,Msg)$	Under this query, $\mathcal{A}$ can send the messages $Msg$ to the participant ${\mathcal{P}}^t$ and get the response message accordingly.
$Reveal({\mathcal{P}}_{ES}^{t1},{\mathcal{P}}_{EP}^{t2})$	Under this query, $\mathcal{A}$ compromises a current session key between ${\mathcal{P}}_{ES}^{t1}$ and ${\mathcal{P}}_{EP}^{t2}$.
$Test\left({\mathcal{P}}^t\right)$	An unbiased coin c is tossed prior to the start of the game, and the result is used to decide the output of the $Test$ query. If $\mathcal{A}$ receives $C=0$, the session key among ${\mathcal{P}}_{ES}^{t1}$ and ${\mathcal{P}}_{EP}^{t2}$ is fresh. If $\mathcal{A}$ receives $C\ne 0$, the session key is not fresh; otherwise, $\mathcal{A}$ obtains a null value (⊥).

, we define queries for the ROR oracle model, such as $Execute$, $Send$, $Reveal$, and $Test$. In addition, we use a collision-resistant one-way hash function $Hash$ as a random oracle. We use Zipf’s law to evaluate session key security.

Theorem 1. 

$Ad{v}_{\mathcal{A}}\left(t\right)$ is assumed that the advantage function of adversary $\mathcal{A}$ in order to break the session key security of the proposed scheme. Then, we derive the following:

$$Ad{v}_{\mathcal{A}}\left(t\right)\le \frac{q_{hash}^2}{\left|Hash\right|}+2Ad{v}_{\mathcal{A}}^{ECDDHP}\left(t\right).$$

(1)

where $q_{hash}$ is the number of $Hash$, $\left|Hash\right|$ is the range space of the hash function, and $Ad{v}_{\mathcal{A}}^{ECDDHP}\left(t\right)$ is the $\mathcal{A}$’s advantage for breaching ECDDHP.

Proof. 

We indicate the four games with $G_i,i=[0,3]$, and the probability of $\mathcal{A}$ for winning game $G_i$ is denoted as $Pr\left[Suc{c}_{G_i}\right]$.

• Game 0: $G_0$ is considered to be $\mathcal{A}$’s real attacks in our proposed scheme. $\mathcal{A}$ picks a random bit c at the beginning of $G_0$. Then, we obtain the following equation:

  $$Ad{v}_{\mathcal{A}}\left(t\right)=|2Pr\left[Suc{c}_{G_0}\right]-1|.$$

  (2)
• Game 1: $G_1$ indicates that $\mathcal{A}$ executes an eavesdropping attack, in which the transmitted messages are intercepted between ${\mathcal{P}}_{ES}^{t1}$ and ${\mathcal{P}}_{EP}^{t2}$. For this game, $\mathcal{A}$ executes a $Execute({\mathcal{P}}_{ES}^t,{\mathcal{P}}_{EP}^t)$ query to obtain the communicated messages. After the end of this game, $\mathcal{A}$ carries out $Reveal$, and $Test$ queries to compromise session key $Sym{K}_{E{S}_i-E{P}_j}$. To derive $Sym{K}_{E{S}_i-E{P}_j}$, $\mathcal{A}$ needs the short-term secret values $x_i$ and $y_j$ and private keys $S{K}_i$ and $S{K}_j$. Hence, $\mathcal{A}$’s probability of winning $G_1$ by eavesdropping on the messages does not increase. Therefore, we obtain the result as follows:

  $$Pr\left[Suc{c}_{G_1}\right]=Pr\left[Suc{c}_{G_0}\right].$$

  (3)
• Game 2: $G_2$ is considered to be active/passive attacks by executing $Send$ and $Hash$ queries to find hash collision. $\mathcal{A}$ can intercept the transmitted messages from the submitting bids phase to the reservation phase. The intercepted messages are safeguarded by the collision-resistant one-way hash function $h(·)$. Furthermore, $\mathcal{A}$ tries to derive $Sym{K}_{E{S}_i-E{P}_j}=h(x_i·P{K}_j\left|\right|Y_j·S{K}_i)=h(X_i·s{k}_j\left|\right|y_j·P{K}_i)$ by using intercepted messages. However, $\mathcal{A}$ needs to break the ECDDHP (defined in Section 3.1) in polynomial time t, which is a computationally infeasible problem for $\mathcal{A}$ to derive $Sym{K}_{E{S}_i-E{P}_j}$. By applying the ECDDHP and the birthday paradox result, we obtain the inequality

  $$|Pr\left[Suc{c}_{G_1}\right]-Pr\left[Suc{c}_{G_2}\right]|\le \frac{q_{hash}^2}{2\left|Hash\right|}+Ad{v}_{\mathcal{A}}^{ECDDHP}\left(t\right).$$

  (4)

After executing all the games, $\mathcal{A}$ tries to guess the exact bit c to win the game using the $Test$ query. Thus, we obtain the following:

$$Pr\left[Suc{c}_{G_2}\right]=\frac{1}{2}.$$

(5)

Equations (2) and (3) help to derive

$$\begin{array}{cc}\hfill \frac{1}{2}Ad{v}_{\mathcal{A}}\left(t\right)& =|Pr\left[Suc{c}_{G_0}\right]-\frac{1}{2}|\hfill \\ & =|Pr\left[Suc{c}_{G_1}\right]-\frac{1}{2}|.\hfill \end{array}$$

(6)

Furthermore, using Equations (4)–(6), we obtain the following inequality:

$$\begin{array}{cc}\hfill \frac{1}{2}Ad{v}_{\mathcal{A}}\left(t\right)& =|Pr\left[Suc{c}_{G_1}\right]-Pr\left[Suc{c}_{G_2}\right]|\hfill \\ \hfill & \le \frac{q_{hash}^2}{2|Hash|}+Ad{v}_{\mathcal{A}}^{ECDDHP}\left(t\right).\hfill \end{array}$$

(7)

Finally, by multiplying both sides of Equation (7), we obtain the stipulated result $Ad{v}_{\mathcal{A}}\left(t\right)$:

$$Ad{v}_{\mathcal{A}}\left(t\right)\le \frac{q_{hash}^2}{|Hash|}+2Ad{v}_{\mathcal{A}}^{ECDDHP}\left(t\right).$$

□

6.2.2. AVISPA Simulation

This simulation proves the formal security robustness of the cryptographic protocol against MITM and replay attacks. We implement the security simulation and demonstrate the security result. The AVISPA simulation tool is implemented using “High-Level Protocol Specification Language (HLPSL) to generate input format (IF)” and is linked to four backends, including the on-the-fly mode checker (OFMC), the Tree Automata based on Automatic Approximations for the Analysis of Security Protocols (TA4SP), the SAT-based model checker (SATMC), and the Constraint-Logic-based Attack Searcher (CL-AtSe). Only the CL-AtSe and OFMC provide the operation of bitwise exclusive-or (XOR) in these backends. AVISPA supports the DY model and can verify MITM and replay attacks.

The roles of the energy seller and energy purchaser nodes are described in Figure 9 and Figure 10, respectively. The goals and the roles of the session and environment of the proposed scheme are indicated in Figure 11. The simulation results for the OFMC and CL-ATse backends are presented in Figure 12, which show that the proposed scheme is secure against MITM and replay attacks.

7. Performance Analysis

We compare the proposed scheme with related schemes suggested for vehicular energy trading environments. We show that the proposed scheme has comparable or better performances compared to the existing schemes in this section. We perform testbed experiments on cryptographic computation by leveraging MIRACL on PC. The detailed specifications of the PC are as follows: 8 GB memory, Intel Core i7-4790 at 3.60 GHz frequency, and Linux Ubuntu 18.04.4 LTS with 64 bits.

7.1. Security Features

We present the security properties of the proposed scheme and existing schemes [33,34,35,36]. As shown in

Table 2. Security and function properties comparison.

Security and Function Properties	Xia et al. [33]	Baza et al. [34]	Li et al. [35]	Yahaya et al. [36]	Proposed
$S{F}_1$	∘	∘	∘	∘	∘
$S{F}_2$	∘	∘	∘	∘	∘
$S{F}_3$	∘	∘	∘	∘	∘
$S{F}_4$	∘	×	×	∘	∘
$S{F}_5$	−	∘	∘	∘	∘
$S{F}_6$	∘	∘	∘	∘	∘
$S{F}_7$	×	×	×	×	∘
$S{F}_8$	−	×	×	−	∘

∘: provides security feature, ×: does not provide security feature, −: not considered, $S{F}_1$: impersonation attack, $S{F}_2$: replay attack, $S{F}_3$: MITM attack, $S{F}_4$: confidentiality, $S{F}_5$: reliability, $S{F}_6$: mutual authentication, $S{F}_7$: temporal constraint of trading, and $S{F}_8$: high scalability.

, the related schemes [33,34,35,36] are subject to temporal constraints, as transactions can only occur at the same time. Furthermore, our scheme only utilizes the blockchain to retrieve information for authentication (except for the DID generation phase, which is recorded on the blockchain). However, other papers record transactions on the blockchain during the energy trading process, leading to increased costs over time. This can create scalability issues. Therefore, our scheme provides more security features compared to related schemes.

7.2. Computation Cost Analysis

We compare the computation costs of the energy trading process (from the authentication phase among EVs to the charging phase) between the proposed scheme and related works [33,34,35,36].

Table 3. The notation of each operation and computation costs.

Notation	Depiction	Computation Cost
$T_{hash}$	one-way hash function	0.003 ms
$T_{ecc}^{add}$	point addition operation on elliptic curve	0.013 ms
$T_{ecc}^{mul}$	scalar point multiplication operation on elliptic curve	2.373 ms
$T_{ecc}^{exp}$	exponentiation operation on elliptic curve	0.819 ms
$T_{pair}$	bilinear pairing operation	6.575 ms
$T_{sym}^{enc}$	symmetric key encryption (e.g., AES-256)	0.001 ms
$T_{sym}^{dec}$	symmetric key decryption	0.001 ms
$T_{asym}^{enc}$	asymmetric key encryption (e.g., RSA)	0.304 ms
$T_{asym}^{dec}$	asymmetric key decryption	2.405 ms
$T_{sig}^{gen}$	signature generation	0.173 ms
$T_{sig}^{ver}$	signature verification	4.194 ms

shows the notation of each operation and the average cost calculated 100 times for each operator in the set environment.

Furthermore, the computation costs of “generating authentication proof” in [34] is similar to $T_{sig}^{gen}$. The computational costs comparison of the proposed scheme and the existing schemes are summarized in

Table 4. Computation costs comparison.

Schemes	${\mathbf{EP}}_{\mathit{j}}$	${\mathbf{ES}}_{\mathit{i}}$	RSU/Energy Broker	Total Costs
[33]	$T_{asym}^{enc}$	$T_{asym}^{enc}$	$2T_{Dec-Asym}$	$\approx 26.734$ ms
	$+T_{sig}^{gen}$	$+T_{sig}^{gen}$	$+4T_{sig}^{ver}$
		$+T_{sig}^{ver}$
	$\approx 0.477$ ms	$\approx 4.671$ ms	$\approx 21.586$ ms
[34]	$2T_{ecc}^{exp}+T_{sym}^{enc}$	$2T_{ecc}^{exp}+2T_{sym}^{enc}$	$N/A$	$\approx 3.626$ ms
	$+T_{sym}^{dec}$	$+T_{sig}^{gen}$
	$+T_{sig}^{gen}$
	$\approx 1.813$ ms	$\approx 1.813$ ms
[35]	$T_{hash}+T_{ecc}^{add}$	$2T_{hash}+2T_{ecc}^{add}$	$2T_{hash}+T_{ecc}^{add}$	≈ 82.451 ms
	$+2T_{ecc}^{mul}+4T_{ecc}^{exp}$	$+T_{ecc}^{mul}+7T_{ecc}^{exp}$	$+3T_{ecc}^{mul}+16T_{ecc}^{exp}$
		$+4T_{sym}^{dec}+7T_{pair}$	$+4T_{sym}^{enc}$
	$\approx 8.038$ ms	$\approx 54.167$ ms	$\approx 20.246$ ms
[36]	$4T_{hash}+3T_{ecc}^{mul}$	$4T_{hash}+3T_{ecc}^{mul}$	$N/A$	$\approx 52.028$ ms
	$+7T_{ecc}^{exp}+2T_{pair}$	$+7T_{ecc}^{exp}+2T_{pair}$
	$\approx 26.014$ ms	$\approx 26.014$ ms
Proposed scheme	$9T_{hash}+10T_{ecc}^{mul}+T_{ecc}^{add}$	$9T_{hash}+11T_{ecc}^{mul}+1T_{ecc}^{add}$	$2T_{hash}+6T_{ecc}^{mul}+3T_{ecc}^{add}$	$\approx 81.668$ ms
	$+T_{sym}^{enc}+T_{sym}^{dec}$	$+T_{sym}^{enc}+T_{sym}^{dec}$	$+2T_{sig}^{gen}$
	$+T_{sig}^{gen}+2T_{sig}^{ver}$	$+T_{sig}^{gen}+2T_{sig}^{ver}$
	$\approx 32.333$ ms	$\approx 34.706$ ms	$\approx 14.629$ ms

. The computational cost of our system is lower than that of [35] but higher than that of [33,34,36]. However, [33] has the drawback of relying on intermediaries to authenticate vehicles, and [34,36] incurs additional gas costs as it requires running Ethereum smart contracts. Therefore, our scheme is more efficient than other schemes in a decentralized energy trading system for vehicles.

7.3. Communication Cost Analysis

We evaluate the communication costs of the proposed scheme compared to related schemes [33,34,35,36] during the authentication phase, during which the messages are exchanged by the registered vehicles. We first define that the bit lengths of the timestamp, random number, identity, hash output, symmetric encryption, elliptic curve point, and asymmetric encryption to be 32 bits, 160 bits, 160 bits, 160 bits, 256 bits, 320 bits, and 320 bits, respectively. Moreover, the bit length of request information is defined to be 160 bits. The bit length of authentication proof is defined to be 729 bytes [34].

Table 5. Communication costs comparison.

Scheme	Total Cost
Xia et al. [33]	2144 bits
Baza et al. [34]	12,560 bits
Li et al. [35]	3840 bits
Yahaya et al. [36]	2304 bits
Proposed scheme	5440 bits

shows an analysis of the communication costs of the proposed scheme compared to related protocols. As a result of the comparison, our scheme has similar or slightly higher costs compared to others in terms of performance, but it can be suitable for achieving a reliable and privacy-preserving energy trading environment because it provides more security and functions.

8. Conclusions

Despite the rapid growth of the electric vehicle market, the problem of insufficient charging infrastructure persists. To address this issue, various technologies are being researched to enable EV charging from diverse energy sources, such as battery energy storage systems. However, vehicles in these systems are vulnerable to various security attacks because they exchange information over public channels. This paper proposes a vehicle energy trading mechanism that addresses the limitations of recent distributed energy trading schemes while ensuring reliability and privacy preservation. In the proposed scheme, only the authentication materials required for the energy transaction are stored in the blockchain, and the transaction results are recorded in verifiable credentials, thereby reducing the storage burden on the blockchain. User privacy is also protected by not storing users’ personal data on the blockchain. We conducted an informal analysis and a formal analysis to include using the AVISPA and ROR oracle models to evaluate the security of the proposed method and ensure that it ensures confidentiality, reliability, and mutual authentication. Finally, we compared the performance and security features of the proposed scheme with related schemes to demonstrate that our proposed scheme provides more security functions without a loss of performance compared to related schemes in a vehicular energy trading environment.